The National Association of Insurance Commissioners ("NAIC"), a standards-setting organization comprised of insurance regulators from across all U.S. jurisdictions, has recently adopted twelve Principles for Effective Cybersecurity Insurance Regulatory Guidance (the "Principles"). The Principles arrive in in the wake of the prominent Anthem data breach, highlighting the importance of protecting sensitive personal data in the insurance sector. Addressing this challenge, the NAIC established the Principles to provide state insurance regulators and industry participants guidance regarding the protection of sensitive personal, financial, and healthcare data. The Principles broadly lay out the practices, guidelines, and measures that both regulators and the industry should take to protect personal information.
Importantly, in addressing the Principles to regulators in addition to the industry, the NAIC appears to seek to promote uniformity and risk-based approach in regulations promulgated by its member regulators. There are too many examples of data protection regulations that lack uniformity across states and industries and impose significant compliance costs on businesses, with state breach notification laws being a prime example.
Many of the Principles contain general, common-sense guidelines for the treatment of personal information. Principle 2, for example, states that "[c]onfidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer's, insurance producer's or other regulated entity's network should be appropriately safeguarded." Other principles are more narrowly tailored, addressing topics such as incident response (Principle 7), agreements with third parties that insurers authorize to access personal data (Principle 8), and cybersecurity training for employees (Principle 12).
Turning to Principles addressed toward regulators, Principle 1, for example, states that "[s]tate insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks." The Principles further provide guidance to regulators regarding the substance of cybersecurity regulations, stating, for example, that "[c]ybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts" and that "[r]egulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer." (Principles 4 and 5, respectively).