{"id":16418,"date":"2019-09-25T15:20:29","date_gmt":"2019-09-25T23:20:29","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/09\/25\/news-10158\/"},"modified":"2019-09-25T15:20:29","modified_gmt":"2019-09-25T23:20:29","slug":"news-10158","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/25\/news-10158\/","title":{"rendered":"Insurance data security laws skirt political turmoil"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 25 Sep 2019 22:44:47 +0000<\/strong><\/p>\n

Across the United States, a unique approach to lawmaking has proved radically successful in making data security stronger for one industry\u2014insurance providers. <\/p>\n

The singular approach has entirely sidestepped the prolonged, political arguments that have become commonplace when trying to pass federal and state data privacy laws today. <\/p>\n

In California, for example, Big Tech lobbying groups have repeatedly supported legislative attempts to defang and diminish the consumer protections<\/a> afforded by the state\u2019s landmark data privacy law, the California Consumer Privacy Act. <\/p>\n

In Maine, the state\u2019s Chamber of Commerce published narrowly-defined statistics in an attempt to dissuade public favor for the state\u2019s ISP privacy bill, one of several maneuvers that the ACLU of Maine labeled as \u201cgaslighting\u201d<\/a>\u2014the surreptitious act of purposefully feeding someone false information to destabilize their notions of truth and fact. <\/p>\n

Yet, in Michigan, no immediate opposition rose to combat a law that will tighten the cybersecurity protections of insurance providers like Geico, Prudential, Progressive, AAA, Allstate, and Farmers. <\/p>\n

The same peace washed over Mississippi earlier this year, when a similar insurance cybersecurity bill, cycling through the state\u2019s legislature, received no comments in the public record, either for or against. <\/p>\n

And in just eight days that spanned between July and August, the legislatures in Connecticut, Delaware, and New Hampshire passed similar cybersecurity laws, all aimed at improving the internal cybersecurity controls and processes for most workers that are licensed to sell insurance. Included in the laws are requirements to perform internal risk assessments and to maintain response plans in case of a cybersecurity incident, like a data breach.<\/p>\n

While data privacy laws in the US have sparked repeated skirmishes, data security laws for insurance providers are enjoying a summertime ease: A bill gets introduced, is supported, and often receives an unanimous vote in passage. <\/p>\n

This isn\u2019t the product of sudden, benevolent bipartisanship across multiple states, though. Instead, it is the product of years-long forward planning and collaboration in the insurance industry, punctuated by a close-to-home data breach.  <\/p>\n

It is the story of a different kind of lawmaking.  <\/p>\n

Insurance and regulation\u2014a backgrounder<\/strong><\/h3>\n

Insurance regulation in the United States is, to put it lightly, strange. <\/p>\n

In 1945, following a thorny Supreme Court case about whether or not the sale of insurance services could be labeled as \u201ccommerce,\u201d Congress passed the McCarran Ferguson Act. The law, which still applies today, requires that \u201cno Act of Congress shall be construed to invalidate, impair, or supersede any law enacted by any state for the purpose of regulating the business of insurance.\u201d<\/p>\n

What that means in practice is that the insurance industry is regulated almost entirely by individual states. <\/p>\n

The same cannot be said for nearly any other industry in the United States, from healthcare to finance, both of which have national information security laws that apply to their sectors. <\/p>\n

If that isn\u2019t complicated enough, another wrinkle in the insurance industry is who can actually sell it. <\/p>\n

In the United States, selling insurance isn\u2019t like selling a used record player on Craigslist\u2014selling insurance requires a license, and, depending on the type of insurance sold, there are different types of licenses. In California, for example, there are licenses for selling life insurance, property and casualty insurance, and accident and health insurance. <\/p>\n

The requirements to get licensed also differ from state to state. In Georgia, Hawaii, and Idaho, for example, \u201clicensees\u201d\u2014who are the people required to obtain a license\u2014must get fingerprinted, while the same is not true in Indiana, Kansas, and Nebraska. The number of hours required for pre-exam training also varies, from zero hours required in Alaska to 200 hours in Florida for those who want to sell property and casualty insurance. <\/p>\n

Jeffrey Taft, a partner at the law firm Mayer Brown who works in the firm\u2019s financial services regulatory and enforcement group and its cybersecurity and data privacy practice, said that, for decades, insurance companies have simply put up with the state-by-state regulations. But, Taft added, these companies can rely on the help of a group called the National Association of Insurance Commissioners (NAIC) to make sure that every state law comes from an agreed-upon place. <\/p>\n

\u201cHistorically, how it\u2019s been, every state has its own insurance department, and every insurance company has to deal with 50 states if they\u2019re a national business,\u201d Taft said. \u201cIt\u2019s somewhat cumbersome, as you might imagine, but NAIC tries to make it a more streamlined process to make state laws consistent.\u201d <\/p>\n

NAIC, which dates back to 1871 (for perspective, Ulysses S. Grant was president), is the association of the chief insurance regulators from each of the 50 states, plus Washington, DC, and five US territories. The regulators routinely work together to establish standards and best practices and to write what are called \u201cmodel laws,\u201d which are, essentially, draft pieces of legislation which the group publishes and leaves for individual states to adopt as they choose. <\/p>\n

These model laws often address a certain need or threat for the insurance industry, from military sales practices to insider trading to corporate governance disclosures. <\/p>\n

In 2014, that need was cybersecurity. That year, the NAIC Executive Committee established a \u201cCybersecurity Task Force\u201d to review the association\u2019s current model laws that touched on information security and consumer privacy protections, and to make a call on how to best address cybersecurity concerns through the association\u2019s own model law process. <\/p>\n

Jennifer McAdam, senior counsel for the NAIC, said that, because of the various kinds of important, private data that insurers collect, cybersecurity is a top concern. <\/p>\n

\u201cFor NAIC members, it was important to address the unique issues insurers face regarding cybersecurity,\u201d McAdam said. \u201cInsurers collect sensitive consumer data including social security numbers, financial account information, and health care data. Because they collect and maintain this kind of data, insurers are at a high risk of being breached.\u201d<\/p>\n

One year later, that risk became an unavoidable reality. <\/p>\n

The Anthem data breach and the Insurance Data Security Model Law<\/strong><\/h3>\n

On February 4, 2015, the health insurance company Anthem disclosed that hackers had stolen the records of 37.5 million people. Names, birthdays, Social Security numbers, physical and email addresses, medical IDs, and employment and income information had all been harvested in the attack<\/a>. Twenty days later, Anthem readjusted its victim estimate. It wasn\u2019t 37.5 million, it was 78.8 million. <\/p>\n

In 2016, in continuing its work on cybersecurity concerns, the NAIC task force began drafting its Insurance Data Security Model Law. <\/p>\n

\u201cDrafting started a year after Anthem disclosed its massive health care data breach,\u201d McAdam said. \u201cAs insurance commissioners from across the country collaborated to address the Anthem breach, they began discussing what kind of model legislation would help them perform their jobs better in the event of future similar breaches.\u201d<\/p>\n

The model law took 18 months to draft, during which six versions were shared and opened to comment for a period of about 30\u201345 days each. <\/p>\n

McAdam said that, after the second version of the model law received comments, six priorities were identified: <\/p>\n

    \n
  1. State uniformity and exclusivity of the law<\/li>\n
  2. Potential exemptions for licensees that are subject to current federal information security laws<\/li>\n
  3. Whether to include a \u201charm trigger\u201d in the definition of a \u201cdata breach\u201d <\/li>\n
  4. The definition of \u201cpersonal information\u201d <\/li>\n
  5. Scalability of data protection requirements for smaller insurance licensees <\/li>\n
  6. The oversight of third-party service providers that can access some of the data held by licensees <\/li>\n<\/ol>\n

    Starting in November 2016, a smaller \u201cdrafting group\u201d\u2014which included regulators from seven states, representatives from nine industry groups, a representative from one consumer group, and a professor of law at University of Connecticut\u2014began ironing out these six priorities. <\/p>\n

    In February 2017, the drafting group found help in looking to New York. That month, the New York Department of Financial Services released its own rules on cybersecurity, called the NYDFS Cybersecurity Regulation<\/a>. <\/p>\n

    The New York regulation addressed some of the very same priorities that the NAIC drafting group was set to solve, including when and how to notify consumers of a data breach, and what type of information to protect, which the NYDFS regulation described as \u201cnon-public information.\u201d <\/p>\n

    After implementing a few ideas from the New York regulation, the NAIC Insurance Data Security Model Law reached a concrete shape. <\/p>\n

    The model law, in its final version<\/a>, requires that licensees protect \u201cnon-public information,\u201d which is defined as any information that belongs to a consumer which, because of their \u201cname, number, personal mark, or other identifier\u201d can reveal a consumer\u2019s identity when combined with another part of their data, including their Social Security number, driver\u2019s license number, credit or debit card number, and any security code, access code, or password that would permit access to a consumer\u2019s financial account, along with their biometric records. <\/p>\n

    The model law mandates that licensees perform risk assessments to determine how to best protect their non-public information. Following the risk assessment, licensees should use what they\u2019ve learned to develop on \u201cInformation Security Program\u201d that comprises of administrative, technical, and physical safeguards to protect non-public information. Licensees can pick from a variety of measures to protect non-public information, from placing controls on who can access that information, to using encryption, to using multi-factor authentication, to developing procedures for securely disposing of non-public information.  <\/p>\n

    While the above mitigation and protection methods are suggestions, the model law requires that licensees provide cybersecurity awareness training to their personnel, and to \u201cstay informed regarding emerging threats or vulnerabilities.\u201d <\/p>\n

    Insurance licensees must also practice \u201cdue diligence\u201d when hiring third party service providers that can access the insurance licensees\u2019 non-public information. <\/p>\n

    Further, the model law makes exceptions for companies that are already subject to the Health Insurance Portability and Accountability Act (HIPAA)<\/a>.<\/p>\n

    In October 2017, the full NAIC membership and plenary adopted the Insurance Data Security Model Law. <\/p>\n

    The model law proved immediately popular with several states. <\/p>\n

    States take action<\/strong><\/h3>\n

    On January 23, 2018, two South Carolina lawmakers introduced<\/a> the South Carolina Insurance Data Security Act<\/a> into the state\u2019s House of Representatives. In April, the state\u2019s Senate voted unanimously in favor of the law, and on May 3, Governor Henry McMaster signed the act into law<\/a>. <\/p>\n

    Ohio adopted its insurance data security law<\/a> on December 19, 2018. Michigan did the same nine days later<\/a>, following a legislative process in which several insurance trade associations\u2014all of which represented the businesses that would be subject to new regulations\u2014spoke in favor of the bill. In fact, Michigan\u2019s bill received no industry group opposition<\/a>; only the Department of Insurance and Financial Services demurred, in testifying \u201cwith concerns,\u201d but without opposition. <\/p>\n

    Mississippi\u2019s governor signed the state\u2019s insurance data security law on April 3, 2019, after the state\u2019s Senate voted unanimously in favor of it. And from July 26 through August 2, Connecticut<\/a>, Delaware, and New Hampshire<\/a> adopted their own insurance data security laws. <\/p>\n

    The state laws differ in small ways, but all of them, except for the Connecticut law, are modeled directly after the NAIC Insurance Data Security Model Law. Connecticut, instead, modeled its law after the New York Department of Financial Services Regulation. <\/p>\n

    Care to take this outside (of insurance)?<\/strong><\/h3>\n

    The NAIC\u2019s model law, while successful, is the product of a one-of-a-kind framework. Because of a Supreme Court case that flipped the switch on how insurance could be regulated, Congress decided to pass a law to preserve the way it had always been regulated\u2014by the states.  <\/p>\n

    Because those states each have a Department of Insurance and elected Insurance Commissioners, those commissioners can work together to draft laws that can then be taken to their state legislatures. Because industry insiders are involved in the drafting process, there is rarely a case when those insiders oppose a bill based on their own ideas. <\/p>\n

    All of those ingredients, this time, added up to make better data security laws for one industry. Those same ingredients cannot be added up to make a comprehensive data privacy law in the United States, unfortunately.<\/p>\n

    If anything, privacy advocates would likely balk at the idea of Big Tech insiders working together to write a bill that regulates their own activities.<\/p>\n

    In fact, that process has already happened. Earlier this month, some of the largest companies in America published a framework for what they wanted to see in a federal consumer privacy law. Included in their recommendations was the proposal that no private individual could sue them for violating the future law. <\/p>\n

    How predictable. Who wants to place a bet on whether Congress would unanimously approve such a bill?<\/p>\n

    So while the model for creating and passing insurance data privacy and cybersecurity laws results in consistent frameworks adopted across individual states, lawmakers cannot heed to the same process for other industries. Instead, they might consider using a different model law, the GDPR<\/a>, to provide a framework for federal data privacy legislation.<\/p>\n

    Until then, expect plenty more opposition to data privacy and cybersecurity laws passed in any other states for any other industries.<\/p>\n

    The post Insurance data security laws skirt political turmoil<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

    https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    Credit to Author: David Ruiz| Date: Wed, 25 Sep 2019 22:44:47 +0000<\/strong><\/p>\n\n\n\n
    <\/a><\/td>\n<\/tr>\n
    Across the United States, a unique approach to lawmaking has seen radical success in making data security a little bit stronger for one industry\u2014insurance providers. <\/p>\n

    Categories: <\/p>\n