October 9, 2015. The Honorable Ray Farmer Vice Chair, NAIC Cybersecurity (EX) Task Force P.O. Box 100105 Columbia, South Carolina 29202




American Council of Life Insurers
101 Constitution Avenue, NW, Washington, DC 20001-2133
(202) 624-2184 t (866) 953-4096 f
robbiemeyer@acli.com
www.acli.com

Roberta Meyer
Vice President & Associate General Counsel

October 9, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota 58505-0320

The Honorable Ray Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
P.O. Box 100105
Columbia, South Carolina 29202

Attn: Sara Robben
Via E-mail: srobben@naic.org

Re: Updated Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

These comments regarding the proposed updated Cybersecurity Bill of Rights (Bill of Rights) are submitted to the NAIC Cybersecurity (EX) Task Force (Task Force) on behalf of the American Council of Life Insurers (ACLI). The ACLI is a Washington D.C. based trade association with approximately 284 member companies operating in the United States and abroad. ACLI advocates in federal, state, and international forums for public policy that supports the industry marketplace and the 75 million American families that rely on life insurers' products for financial and retirement security. ACLI members offer life insurance, annuities, retirement plans, long-term care and disability income insurance and reinsurance, representing 90% of industry assets and premiums.

ACLI appreciates and thanks you for the opportunity to comment on the updated Bill of Rights. At the same time, ACLI has some concerns with the Bill of Rights, as currently proposed, as described below.

Overview

ACLI recognizes and appreciates that the proposed updated Bill of Rights reflects significant streamlining. At the same time, ACLI continues to be concerned that the updated Bill of Rights, like the proposed original Bill of Rights, includes a number of provisions we fear will lead consumers to mistakenly believe they have protections that differ from, or go beyond, the protections provided under the laws of the states in which particular consumers live. ACLI is concerned this not only will confuse consumers as to their actual rights, but is likely to also cause confusion for insurers, in the event a customer seeks protections based on the Bill of Rights that go beyond, or conflict with, the insurer's legal obligations under applicable law.

Commissioner Hamm and Director Farmer August 10, 2015 Page 2 of 11

Given the differing protections provided under the existing 47 state breach notification laws, ACLI respectfully submits that a Bill of Rights that will most benefit consumers, without confusing them as to their actual legal rights, would describe the protections to which consumers are entitled as generically as possible. It also would expressly state that: (i) it is intended to provide a general summary of consumers' rights relating to cybersecurity; (ii) it is provided for informational purposes only; and (iii) an individual's actual specific rights are based on and subject to applicable state and federal law.

ACLI's comments and proposed modifications to specific provisions of the proposed updated Bill of Rights are below.

Comments on Specific Provisions

Preamble. ACLI urges that a preamble be added directly under the title "Cybersecurity Bill of Rights" to read as follows:

This Bill of Rights is intended to provide a general summary of insurance consumers' rights relating to cybersecurity. It is provided for informational purposes only. Your specific rights are based on and subject to state and federal law.

Explanation

Insertion of this preamble is important to avoid confusion, and to clarify the purpose of the Bill of Rights, what it is intended to be, and that it does not grant consumers any rights or protections that are not provided under existing federal or state law.

Insertion of the preamble at the beginning of the Bill of Rights is important to ensure consumers see it. We recognize that, at the bottom of the first page of the updated Bill of Rights, there is a sentence stating that a consumer's specific rights may vary based on state and federal law. However, there is concern that, given its placement, consumers may overlook this sentence, or not understand it in view of the preceding statement: "This Cybersecurity Bill of Rights describes what you can expect from your insurance company ..."

Introductory Sentence. "As an insurance consumer, you have the right to:"

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

As an insurance consumer, you generally have the right to:

Explanation

As currently written, this sentence is likely to set a clear expectation by consumers that they have the rights that follow. As discussed above, while there is a statement at the bottom of the first page of the updated Bill of Rights that provides "Your specific rights may vary based on state and federal law," there is concern that it may not be seen by consumers. There also is concern that this sentence will not be understood or will be undermined by the preceding sentence that reads in pertinent part: "This Cybersecurity Bill of Rights describes what you can expect from insurance companies ..." Accordingly, insertion of the word "generally" in the introductory sentence, as reflected above, is urged to avoid setting expectations and leading consumers to believe they are legally entitled to all of the protections that follow, since the protections provided under the existing 47 state breach notification laws vary widely and three states do not have breach notification statutes.

1. Know what type of personal information is being collected and stored by your insurance company, agent, or any business they contract with (such as marketers and data warehouses).

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

1. Know what types of personal information is being collected and stored by your insurance company., agent, or any business they contract with (such as marketers and data warehouses).

Explanation

The NAIC Privacy of Consumer Financial and Health Information Regulation (Model Privacy Regulation), adopted in the majority of the states, in Section 7, lists the information that is required to be included in privacy notices. Under the Model Privacy Regulation, insurance agents generally are not required to provide privacy notices if the notices are provided by the insurer.

Moreover, for a variety of reasons, insurers generally believe it most prudent for the insurer to make the determination about whether a breach in the security of their customers' personal information has occurred, and to provide, or to direct the provision of, any required notification of a breach to their customers. Accordingly, ACLI urges modification to this provision and throughout the proposed updated Bill of Rights to eliminate any reference to agents.

ACLI also urges modification to provision #1 and throughout the updated Bill of Rights to eliminate the phrase "any business they contract with." This phrase is subject to broad interpretation. The parenthetical refers only to marketers and data warehouses, does not define the latter term, and does not include reference to service providers that perform essential ordinary insurance business functions for insurers. Perhaps most importantly, unless they otherwise are licensees subject to the Model Privacy Regulation, businesses with which insurers or agents do business are not required to provide privacy notices under the Model Privacy Regulation.

2. Expect insurance companies/agencies to have a privacy policy posted on their websites and available in hard copy if you ask. The privacy policy should explain: what personal information they collect, what choices consumers have about their data, how consumers can see and change/correct their data if needed, how the data is stored/protected, and what consumers can do if the company/agency doesn't follow its privacy policy.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

2. Expect an insurance company companies/agencies to have a privacy policy, that is available in hard copy or posted on their its website. s and available in hard copy if you ask. The privacy policy should explain: what types of personal information they the insurance company collects and the insurance company's policies and practices with respect to protecting the confidentiality and security of personal information, what choices consumers have about their data, how consumers can see and change/correct their data if needed, how the data is stored/protected, and what consumers can do if the company/agency doesn't follow its privacy policy.

Explanation

This provision gives rise to particular concern that it may lead consumers to believe they have the right to obtain certain information about insurers' information practices to which they are not entitled under the law in the vast majority of the states. The modifications reflected above and discussed below are designed to address this concern.

Deletion of the reference to agencies is urged because, as discussed in connection with provision #1, agents generally are not required to provide notice of their privacy policies if the insurer provides the privacy notice.

The other proposed changes to this provision #2 are urged to make the provision better reflect pertinent requirements for information to be included in privacy notices, set forth in Section 7 of the Model Privacy Regulation, adopted in the majority of the states. Accordingly, we urge modification to provision #2 to provide that an insurer's privacy policy should explain what types of personal information the insurance company collects and the company's policies and practices to protect the confidentiality and security of the information.

We urge deletion of the phrase "what choices consumers have about their data." Section 7 of the Model Privacy Regulation requires a privacy notice to include an explanation of a consumer's right to opt out of disclosures of nonpublic personal information to non-affiliated third parties for purposes other than ordinary business purposes. However, it does not require explanation of what choices consumers have about their data. Nor does information about consumers' right to opt out of certain disclosures of their nonpublic personal information seem pertinent to the other issues addressed in the updated Bill of Rights.

We urge deletion of the phrase "how consumers can see and change/correct their data if needed." While the NAIC Insurance Information and Privacy Protection Model Act (Model Privacy Act) requires privacy notices to include a description of individuals' right to access and correct their personal information, the Model Privacy Act has only been adopted in 17 states. There is no such requirement under Section 7 of the Model Privacy Regulation.

Finally, we urge deletion of the phrases "how the data is stored/protected" and "what consumers can do if the company/agency doesn't follow its privacy policy." Neither the Model Privacy Regulation nor the Model Privacy Act requires privacy notices to include this information.

3. Expect your insurance company, agent, or any business they contract with to take reasonable steps to keep unauthorized persons from seeing, stealing, or using your personal information.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

3. Expect your insurance company, agent, or any business they contract with to take reasonable steps to protect the confidentiality and the security of your personal information. keep unauthorized persons from seeing, stealing, or using your personal information

While modification as urged immediately above is preferable, alternatively, ACLI urges modification of the provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

3. Expect your insurance company, agent, or any business they contract with to take reasonable steps to keep unauthorized persons from acquiring seeing, stealing, or using your personal information and creating a likelihood of identity theft or fraud to you.

Explanation

Provision #3 gives rise to concern because it does not include any reference to a likelihood of harm that could result from an unauthorized person seeing a consumer's personal information. There are instances where an unauthorized person may see a consumer's personal information which result in little to no risk of harm to the individual. For example, there may be a situation where an insurance company employee, who does not have authority to view personal information, sees an individual's personal information, without there being any risk of the information being stolen or misused. Similarly, a letter that includes a consumer's personal information may be misaddressed or inadvertently sent to another individual, but there has been confirmation that the information has been retrieved or destroyed. In both instances, the possibility of identity theft or fraud is small to non-existent.

In view of the above, we urge modification to this provision to make it more general, to reflect insurers' broad responsibility to protect the confidentiality and security of consumers' personal information; more specifically, to provide for a consumer to expect an insurer to take reasonable steps to protect the confidentiality and security of personal information. If it is not possible to modify the provision in the manner just described, at minimum, we urge modification to add a reference to a likelihood of identity theft or fraud.

4. Get a notice from your insurance company, agent, or any business they contract with if an unauthorized person has (or it seems likely they have) seen, stolen, or used your personal information. This is called a data breach. This notice should:
- Be sent in writing by first-class mail, or by e-mail if you've agreed to that;
- Be sent after a data breach, and never more than 60 days after a data breach is discovered;
- Describe the type of information involved in the breach, and the steps you can take to protect yourself from identity theft or fraud;
- Describe the action(s) the insurance company, agent, or business they contract with has taken to keep your personal information safe;
- Include contact information for the three nationwide credit bureaus;
- Include contact information for the company or agent involved in a data breach.

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

4. Get a notice from your insurance company, agent, or any business they contract with if an unauthorized person has (or it seems likely they to have) seen, stolen, or used acquired your personal information and there is a likelihood of identity theft or fraud to you. This is called a data breach. This notice should:
- Be sent in writing by first-class mail, or by e-mail if you've agreed to that;
- Be sent without unreasonable delay after a data breach, and never more than 60 days after discovery of the unauthorized acquisition of your personal information, unless a delay is requested by law enforcement; a data breach is discovered;
- Generally describe Describe the types of information involved in the breach, and the steps you can take to protect yourself from identity theft or fraud;
- Generally describe Describe the action(s) the insurance company, agent, or business they contract with has taken to keep your personal information safe;
- Include contact information for the three nationwide credit bureaus;
- Include contact information for the company providing the notification. or agent involved in a data breach.

Explanation

This provision #4 gives rise to significant concern that it may lead consumers to mistakenly believe they are entitled to notice under circumstances under which they would not be entitled to notice under the law in many states. This is the case because many, if not the majority, of the state breach notification laws only require notice to be provided to consumers when a breach creates a likelihood of harm to the consumers. Of significant concern, this provision would require provision of notice if an unauthorized person sees or uses a consumer's personal information even if there is no resulting likelihood of harm. As discussed above, there are likely to be one-off events or instances where an unauthorized person sees a consumer's personal information which are unlikely to subject the consumer to a risk of harm. To require the provision of notice under such circumstances not only would lead to the provision of notices that will needlessly alarm consumers, but, again, is not required in many, if not the majority, of states.

Because the term "data breach" underlies the obligation to provide notice, its definition is fundamentally important. The definition of this term in this provision as a situation where an unauthorized person "has (or it seems likely they have) seen, stolen, or used your personal information" gives rise to significant concern for a number of reasons. The definition does not take into account that an unauthorized person seeing or acquiring a consumer's personal information may not necessarily subject the consumer to a risk of identity theft or harm, as discussed above. The definition does not include any requirement for there to have been compromise of the security, confidentiality or integrity of the information or any resulting likelihood of harm. It does not take into account that personal information may be encrypted or otherwise rendered unreadable or unusable, so that even if the information is somehow seen or even stolen by an unauthorized person, it would not give rise to a risk of harm. Given the variability of the definition of "data breach" from state to state, providing any definition of this term in this document is likely to give rise to consumer confusion.

In view of the above, we respectfully urge that provision #4 be modified as follows: (i) the phrase "agent, or any business they contract with" and the word "agent" should be deleted for the reasons discussed above in connection with provision #1; (ii) the description of the circumstances under which a consumer may expect to get notice should be modified: (a) to delete the language providing for notice if an unauthorized person has seen, stolen, or used a consumer's personal information; and (b) to insert in lieu thereof language providing for notice if an unauthorized person has acquired (or seems likely to have acquired) a consumer's personal information and there is a likelihood of identity theft or fraud, in line with the law in many, if not most, states; (iii) the sentence "This is a data breach." should be deleted because the definition of this term in state breach notification statutes varies; (iv) the second bullet should be modified to provide for provision of notice without unreasonable delay, subject to delay requested by law enforcement, in line with requirements in many of the states (Timing for provision of notice may be an appropriate issue for discussion in the context of the NAIC Cybersecurity Task Force's modeling efforts. Our proposed modification to this bullet is urged to avoid setting consumer expectations in the Bill of Rights of receipt of notice within a specified time period that is not required under current law in many states.); (v) the third and fourth bullets should be modified to provide for general description of the specified information, since all state breach notification laws do not require notices to include this information; and (vi) the sixth bullet should be modified to require the notice to include contact information for the company that provides the notice.

5. Get at least one (1) year of identity theft protection paid for by the company or the agent involved in a data breach.

ACLI urges deletion of this provision.

Explanation

This provision also gives rise to significant concern that it may lead consumers to a mistaken expectation that they have a right to this protection when it currently is required to be provided in only a very few states. Again, while discussion of such a requirement may be appropriate in connection with the Cybersecurity Task Force's modeling efforts, we urge deletion of this provision from the updated Bill of Rights to avoid confusing consumers as to their current legal rights to such protection, since it is not required to be provided under the vast majority of the state breach notification laws.

6. If someone steals your identity, you have a right to:
- Put a 90-day initial fraud alert on your credit report (the first credit bureau you contact will alert the other two);
- Put a seven-year extended fraud alert on your credit reports;
- Get a free copy of your credit report from each credit bureau;
- Get fraudulent information related to the data breach removed (or "blocked") from your credit reports;
- Dispute fraudulent or wrong information on your credit reports;
- Stop creditors and debt collectors from reporting fraudulent accounts related to the data breach;
- Get copies of documents related to the identity theft;
- Stop debt collectors from contacting you.

ACLI urges modification to this provision to read in pertinent part as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

6. If someone steals your identity, you have a right to:
- Ask each of the 3 nationwide credit bureaus to put Put a 90-day initial fraud alert on your credit report (the first credit bureau you contact will alert the other two);
- Ask the nationwide credit bureaus to put Put a seven-year extended fraud alert on your credit reports;
- Get a free copy of your credit report from each credit bureau;
- Get Ask the nationwide credit bureaus to remove or block fraudulent information related to the data breach removed (or "blocked") from your credit reports;
- Dispute fraudulent or wrong information on your credit reports with each of the nationwide credit bureaus;
- Request the nationwide credit bureaus to place a security freeze on your credit reports, to limit the bureaus from releasing your credit report or any information from your credit report without your authorization.
- Stop creditors and debt collectors from reporting fraudulent accounts related to the data breach;
- Get copies of documents related to the identity theft;
- Stop debt collectors from contacting you.

To learn more about your rights as a victim of identity theft, you may contact the Federal Trade Commission at http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0111-faircredit-reporting-act.pdf.

Explanation

The modifications to provision #6 reflected above are urged to clarify that the rights described relate to actions to be taken by credit bureaus, as opposed to insurance companies, to streamline the list, and to make it clear that further information may be obtained from the Federal Trade Commission.

Statement at the bottom of the first page. "This Cybersecurity Bill of Rights describes what you can expect from insurance companies, agents and other businesses when they collect, maintain, and use your personal information. These include your rights as an insurance consumer when you get notice that your personal information was involved in a data breach. Your specific data rights may vary based on state and federal law."

ACLI urges modification to this provision to read as follows (Language proposed to be added is underlined. Language proposed to be deleted is stricken.):

This Cybersecurity Bill of Rights is intended to provide a general summary of consumers' rights relating to cybersecurity. It is provided for information purposes only. describes what you can expect from insurance companies, agents and other businesses when they collect, maintain, and use your personal information. These include your rights as an insurance consumer when you get notice that your personal information was involved in a data breach. Your specific data rights may vary are based on and subject to state and federal law.

Explanation

We urge modification to this provision, as reflected above and discussed at the outset of this letter, to make the updated Bill of Rights as clear as possible, to avoid setting consumer expectations of protections and rights to which they may not be entitled under the law of the states in which they live. ACLI believes it important to provide this statement, modified as described above, at the beginning of the Bill of Rights, as a preamble, so that consumers are not likely to overlook it. Given its importance, we also think it a good idea to repeat the statement at the bottom of the first page.

Standard Definitions under this Bill of Rights

ACLI urges deletion of these definitions.

Explanation

As discussed above, the definitions of key terms in the 47 state breach notification laws vary from state to state. The definitions of "data breach" and "personal information" (or "personally identifiable information") are fundamentally important because they underlie the requirement to provide notice. Accordingly, to avoid consumer confusion and expectations that the Bill of Rights grants consumers rights or protections that differ from, or go beyond, the protections provided under the law of the states in which they live, ACLI urges that the updated Bill of Rights include no definitions. This also will make it so that the Bill of Rights appears more like a summary of consumers' general rights, rather than a statute.

While urging deletion of all the definitions, ACLI notes that the proposed definitions of "data breach" and "personal information" give rise to particular concern. As discussed above in connection with provision #4, the definition of "data breach" gives rise to significant concern for a number of reasons. It generally does not take into account that the definition of this term varies from state to state. It does not take into account that an unauthorized person seeing or acquiring a consumer's personal information may not necessarily subject the consumer to a risk of identity theft or harm. It does not include any requirement for there to have been compromise of the security, confidentiality or integrity of the information or resulting likelihood of harm. It also fails to reflect the fact that personal information may be encrypted or otherwise rendered unreadable or unusable, so that even if the information is somehow seen or even stolen by an unauthorized person, it would not give rise to a risk of harm.
It also does not take into account the fact that the definition of personal information, that typically underlies the definition of data breach, also varies from state to state and most states definition of this term are very precise and do not include health information. The proposed definition of personal information also gives rise to concern generally because it does not take into account the variations in the definitions of this term from state to state. It does not reflect the fact that the definition of this term in most states does not include: (i) paper information; (ii) the individual s date and place of birth; or the individual s full name. (Typically the definition includes the individual s first name or initial and last name.) Also, many states definitions of personal information do not include information where either the name or the specified data elements are encrypted.

Again we thank the Task Force for the opportunity to submit and for its consideration of these comments. We would be glad to answer questions regarding any of the above.

Sincerely,

Roberta B. Meyer

cc: Sara Robben
Eric Nordman

DRAFT

Insurance Consumers' Bill of Rights relating to Security Breach Notification and Identity Theft

The following is a general summary of insurance consumers' rights under state law to notification of breaches in the security of their personally identifiable information maintained by an insurer. It is important to note that consumers' rights to breach notification vary from state to state and are based on and subject to the specifics of each state's law and federal law as described below. This Bill of Rights does not provide any rights that are not provided by state or federal law.

As an insurance consumer, you generally have the right to:

(1) Expect an insurer that has your personally identifiable information in connection with an insurance product or service to safeguard the information;
(2) Receive notice from an insurer if your unencrypted personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and it appears that such unauthorized acquisition is likely to result in a substantial risk of identity theft or fraud;
(3) Receive notice from an insurer of a security breach, described in (2), without unreasonable delay;
(4) Receive notice from an insurer of a security breach, described in (2), that provides: (i) contact information of the insurer; (ii) a general description of the information subject to, or believed to be subject to, the breach; and (iii) toll-free phone numbers for the major consumer reporting agencies.
(5) Receive notice from an insurer of a security breach, described in (2), through: (i) written notice; (ii) electronic notice; or (iii) substitute notice through email, posting on the insurer's website or notice in the media, depending on the circumstances.

In addition to the above, state law may grant you the right to request a consumer reporting agency to place a security freeze on your credit report, which will limit the consumer reporting agency from releasing your credit report or any information from the report without your authorization. To ascertain your rights to breach notification under the law of your state, you should contact your state insurance department.

Under federal law, under the HIPAA Administrative Simplification Regulations, consumers also have the right to receive notification, from insurers that are health plans, of a breach in the security of their unsecured protected health information maintained by a health plan. To ascertain your rights under these federal regulations, you should contact the U.S. Department of Health and Human Services.

The following is a summary of some of the rights of victims of identity theft under federal law and steps you may take to protect yourself if you are, or believe you are about to become, a victim of identity theft:

(1) You have the right to request a free copy of your credit report from each of the three nationwide consumer reporting agencies once during any 12-month period.
(2) If you have suspicion that you have been or are about to become a victim of identity theft, you have the right to ask each of the nationwide consumer reporting agencies to place a 90-day initial fraud alert on your credit report.
(3) If you submit appropriate documentation, you have the right to request each of the nationwide consumer reporting agencies to: (i) place a seven-year extended fraud alert on your credit report, to inform potential creditors they must contact you before issuing credit in your name; and (ii) have fraudulent information blocked from appearing in your credit report.
(4) If you believe information in your credit report with a consumer reporting agency is fraudulent or inaccurate, you have the right to dispute the information with the consumer reporting agency and to have your credit report amended if you are right.
(5) If you ask for it in writing, and subject to certain other requirements, you also may have the right to receive from a creditor or other business, including an insurer, copies of applications and other business records relating to any transactions alleged to be the result of identity theft.

To learn more about the rights described above and other rights you may have under federal law if you are, or believe you are about to become, a victim of identity theft, you should contact the Federal Trade Commission.

2101 L Street NW, Suite 400
Washington, DC 20037
202-828-7100
Fax 202-293-1219
www.aiadc.org

October 9, 2015

Commissioner Adam Hamm, Chair
Director Raymond Farmer, Vice Chair
Cybersecurity (EX) Task Force
NAIC Central Office
1100 Walnut, Suite 1500
Kansas City, MO 64106-2197

Attn: Sara Robben, Statistical Advisor
Eric Nordman, Director of Regulatory Services and CIPR

VIA Electronic Mail: srobben@naic.org

RE: Updated Draft Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

The American Insurance Association (AIA) appreciates the opportunity to comment on the updated draft Cybersecurity Bill of Rights (Bill of Rights). AIA represents approximately 325 major U.S. and non-U.S. insurance companies that write more than $127 billion in premium each year and provide all lines of property-casualty insurance to U.S. consumers and businesses.

We appreciate the thoughtful consideration of industry and consumer comments. There has been meaningful progress in the development of this document, but we respectfully submit that the updated draft continues to raise significant concerns, goes beyond many obligations in applicable state law, and would suggest inconsistent application of statutory requirements generally applicable across many different industry groups. In order to provide consumers with a useful multistate tool, the Bill of Rights must take into account the variations in state laws.

- For example, the definitions of data breach and personal information must better align with how such terms are defined across state laws, and the timing of the notification must accurately manage expectations by avoiding any specific time limitations. Elements of the Bill of Rights that are not a true reflection of the existing multistate legal framework are better addressed during the model law process.
- As such, we respectfully submit that any reference to providing identity theft protection be removed from the document and discussions and collaboration regarding this concept as a right be left for collaboration on the model laws.

We provide additional commentary and suggestions for these statements below.

Breach of Security

We strongly urge that the definition of data breach align with how this term is defined across the state laws and as such it should include an element of harm. As currently drafted, the Bill of Rights would suggest that notification obligations are triggered by an unauthorized person simply seeing a consumer's full name, even in the absence of any risk of identity theft or other harm to the consumer whose name was viewed. Without an element of harm we risk unnecessarily over-notifying consumers and potentially having the unwarranted negative consequence of diminishing consumer trust. For these reasons we recommend removing the term "seeing" from the definition and adding a phrase to reflect the likelihood of substantial risk of identity theft or fraud.

Further, we note that the term data breach appears to be defined differently in two places. Paragraph 4 states, "Get a notice from your insurance company, agent, or any business they contract with if an unauthorized person has (or it seems likely they have) seen, stolen, or used your personal information. This is called a data breach." However, in the definition section on the 2nd page, data breach is defined as "When an unauthorized individual or organization sees, steals, or uses sensitive, protected, or confidential information, usually personal, financial and/or health information." Respectfully, we believe both sections should be consistent and read as follows:

Paragraph 4: Get a notice from your insurance company, agent or any business they contract with if an unauthorized person has stolen or used your personal information and the theft or use will likely result in a substantial risk of identity theft or fraud to you.

Definition Section: When an unauthorized person has stolen or used your personal information and the theft or use will likely result in a substantial risk of identity theft or fraud to you.
Personal Information

The definition of Personal Information in the Bill of Rights is also broader than state law definitions. It includes any information about a consumer maintained by an insurer in any form, including electronic or paper, while most state laws are limited to electronic information only. The proposed definition of Personal Information includes full name alone. Generally, the state data breach notification statutes define personal information as first name or first initial and last name in combination with a more sensitive data element: e.g., Social Security Number or driver's license number.

In addition, we note that the text of the Bill of Rights uses "personal information" throughout, but the definition includes "personally identifiable information." For consistency, we would propose that the document use only one term, and we would prefer "personally identifiable information" as that is the one referenced in state data breach laws. We recommend that the definition be amended to read:

Personally Identifiable Information: An individual's first name or first initial and last name in combination with one or more data elements. These additional data elements are determined by state law, but commonly include:

- Social Security Number
- Date of birth
- Mother's maiden name
- Biometric records
- Driver's license number.

Notification Requirements

Timing

Paragraph 4 states that the notification should be sent "soon after a data breach, and never more than 60 days after a data breach is discovered." This requirement sets consumer expectations beyond what is legally required and, at times, practicably possible. For example, it does not carve out a period of delay for law enforcement activity. Importantly, many states do not set specific time frames but rather incorporate a standard that calls for "in the most expedient time possible" or "without unreasonable delay." Any timing element should be general to accommodate existing state variations, and discussions for any specific time limitations should take place during the upcoming model law process.

Delivery

Section 4 also suggests that first-class mail or email are the only methods of delivery, but this is not accurate. Telephonic notice may be an option under state law. Many states allow for so-called "Substitute Notice" in certain circumstances, such as where large numbers of consumers are involved or the cost of mailing would be prohibitive. Substitute notice may consist of major media notification or posting on the company's website.

Identity Theft Protection

Respectfully, we recommend that paragraph 5 be deleted entirely. This highlights an obligation that exists in only a couple of states. Furthermore, because the term "identity theft protection" is not defined, it is unclear what exactly is being required. The states that do have such a requirement use different terms ("appropriate identity theft prevention and mitigation services" in the California law and "appropriate identity theft prevention services and, if applicable, identity theft mitigation services" in the Connecticut law). The Bill of Rights requirement does not account for the contingency that, depending on which elements of personal information are compromised, certain services may not be appropriate (for example, credit monitoring does nothing to remediate the compromise of biometric data). Consequently, following the requirements of this Bill of Rights would require an insurer to provide such services in a wide range of circumstances with significant associated costs and conceivably no appreciable benefit. Accordingly, AIA strongly advocates that paragraph 5 should be deleted and discussions and collaboration regarding identity theft protection should be reserved for the model law process.

Credit Bureau Rights

The items in paragraph 6 are rights that a consumer may have after contacting the consumer reporting agencies. Therefore, to clearly direct consumers so that they can take swift action following a breach, we recommend that the introduction to the bullets in paragraph 6 read: "If someone steals your identity, you should contact one of the 3 credit bureaus to:" Additionally, it is unclear what it means to "get copies of documents related to the identity theft." There needs to be more clarification as to the intent for this bullet.

Consumer Expectations

Specifics should be avoided to prevent consumer confusion and to accurately manage expectations. Again, we respectfully recommend that conversations related to specifics wait until the model law process. In addition, it is important for consumers to understand, up front, that their rights will vary from state to state; hence, the disclaimer language should be placed at the very top of the page. The disclaimer should also be edited to read that: "The Cybersecurity Bill of Rights is for informational purposes only and describes what you can generally expect..." Similarly, the leading sentence of the Bill of Rights should read "As an insurance consumer, you may generally have the right to:"

Privacy Policies

Not all insurance companies/agencies provide customer service online, and it is possible some may not have a website. As written, it seems there is an expectation for a customer service website. For those that do not maintain a customer service website, the state privacy laws enacting GLBA (as well as the laws of several states that adopted the 1982 model privacy act) and HIPAA provisions governing privacy notices, when HIPAA is applicable, are the only laws that will apply. Those that do provide online customer service are subject to online privacy notice requirements as well as applicable state and, if applicable, HIPAA requirements. To our knowledge none of these laws governing privacy notices require an explanation of "how" the data is stored/protected. The intent here is not clear. Existing privacy notices may not meet this test. In fact, while the model NAIC privacy regulation requires licensees to describe their policies and practices with respect to protecting the confidentiality and security of nonpublic personal information, it says that "The licensee is not required to describe technical information about the safeguards it uses."

Also, existing laws generally do not require an explanation of what consumers can do if the company/agency doesn't follow its privacy policy. The intent is not clear here either. I believe it would be reasonable to instead say there should be contact information in the privacy notices.

Helpful Links

We appreciate that the updated Bill of Rights has limited the links primarily to helpful government websites. We do note the addition of one private webpage entitled "World's Biggest Data Breaches" from the Information is Beautiful website. Since most breaches on this website are not insurance related, the inclusion could be misleading. We recommend removing this link and continuing to limit all references to government websites.

****

AIA sincerely appreciates the edits made to date and your consideration of our comments for the updated draft. We look forward to continuing to work with you on this document and the model law process to come. We politely urge that the Task Force release a final draft to reflect the conversations and any changes made on the October 14th call for a brief comment period.

Respectfully submitted,

Angela Gleason
Associate Counsel

October 9, 2015

Commissioner Adam Hamm, Chair
Cybersecurity (EX) Task Force
National Association of Insurance Commissioners
1100 Walnut Street, Suite 1500
Kansas City, MO 64106-2197

Attn: Sara Robben, Statistical Advisor
Via e-mail: srobben@naic.org

Re: Cybersecurity (EX) Task Force Comments on Updated Cybersecurity Bill of Rights

Dear Commissioner Hamm:

On behalf of America's Health Insurance Plans (AHIP) and the Blue Cross Blue Shield Association (BCBSA), we thank you and the Cybersecurity (EX) Task Force ("the Task Force") for this opportunity to comment on the updated Cybersecurity Bill of Rights proposal.

Cyber terrorism continues to be a national security issue that requires strong collaboration between both the public and private sectors to accurately assess emerging threats and prevent future breaches. Health plans, financial entities, retailers, and even state and governmental agencies have been victimized by data breaches. Health plans will continue our commitment to work in partnership with government and other stakeholders to protect consumers, identify potential threats and secure member information. With that in mind, we offer our comments on the updated draft Cybersecurity Bill of Rights released on September 30, 2015.

Overall, this updated draft is much improved over the original version. Some redundancies have been removed, and the language used is generally simpler, shorter, and easier for consumers to understand. However, we are mindful that we live in a litigious culture, and the insurance industry and insurance regulation are largely based on enforceable promises made in insurance policies and other documents.
As stated in our earlier comment letter and those of others, the multiple variances in state and federal laws make it difficult, if not impossible, to provide an accurate statement of broadly applicable rights, and we remain very concerned that the NAIC would consider distributing any information which was not unassailably accurate, including only broadly applicable terms accompanied by provisos and qualifiers where appropriate.

With that foundation, we'd suggest the Task Force consider an alternate approach to this Bill of Rights. A document of this type could be titled "Cybersecurity Insurance Consumer Information," and begin with a clear, brief statement indicating laws vary from state to state and in various federal laws. The document could include a series of statements advising consumers, "Depending on your state of residence and the type of insurance policy involved, you may be entitled to some or all of the following:", and "Some companies may be willing and able to provide more information or services than are required by law." It might also include a statement indicating that the type of policy involved can determine the extent to which federal laws and their requirements are involved, such as HIPAA, HITECH and GLBA. The purpose of such a document would be to alert consumers generally of the assistance they may receive, while judiciously avoiding any misleading or confusing statements which might lead them to believe they are entitled to certain relief which is not offered or required under the laws of their state.

In the event the Task Force decides, instead, to continue to try to develop a Bill of Rights, we submit there are improvements to be made to enhance the updated Bill's usefulness and accuracy.

1. Since there are at least 47 different state laws dealing with cybersecurity, as well as various federal laws, it is difficult to set out a brief statement of a consumer's rights which would be universally applicable in all states. Therefore, we propose moving the italicized cautionary language, now found at the bottom of page 1, to a more prominent position at the top of the page, or to take other steps to make it more noticeable, such as bold or different colored font.

2. We propose Right No. 1 be modified to read: "Know the general types of personal information collected and stored by your insurance company, agent or any business with which they contract (such as marketers and data warehouses) relating to an insurance transaction."

3. In Right No. 2, the phrase "how the data is stored" should be deleted, as this is apparently not set out in any state or federal law.

4. In Right No. 4, we would propose to modify the first sentence, so the sentence would read: "Get a notice from your insurance company if an unauthorized person has (or it seems likely they have) accessed your personal information, and it is likely to result in identity theft or fraud." This modification is needed to acknowledge that the breach notification is incumbent upon the entity that owns the information. Parties that maintain personally identifiable information (agents, businesses an entity may contract with, etc.) are obligated to notify the owner of the information. Also, the first bullet point should be modified to read, "Be sent in writing by first-class mail, e-mail, or substitute notice as legally applicable;"

The second bullet point should be modified to read, "Be sent without unreasonable delay after a data breach and not more than 60 days after a data breach is discovered unless otherwise permitted by applicable law;" This modification is intended to acknowledge the so-called law enforcement exception. In the third bullet point, the word "the" before "steps" should be deleted, to avoid the indication that the notice will exhaustively describe all the possible steps. The fourth bullet point should be modified to read, "Receive a general description of the actions the entity is taking to restore the security and confidentiality of the personally identifiable information involved in a data breach;" This modification makes it more clear that entities are continuously engaged in ongoing cybersecurity processes. The sixth bullet point should be modified to read, "Include contact information for the business making the notification, including the business' address, telephone number, and toll-free telephone number if one is maintained."

5. As the updated draft Bill of Rights now reads, Right No. 5 is accurate in fewer than five states, perhaps only one. Therefore, in order to maintain the document's status as a broadly accurate statement of legal rights, Right No. 5 should be either deleted, or it should be moved to the bottom of the document, and rephrased to read: "In addition to these rights, many entities offer their affected consumers a period of paid identity theft protection."

In the definitions, we suggest deleting "Data Breach" and "Personal Information (Personally Identifiable Information)". As proposed, the disclaimer on page 1 indicates the rights may vary, based on state and federal law. Following that with a series of definitions which are labeled as "standard" is potentially misleading, especially since these terms are, in fact, defined differently among the states and federal laws.

We thank you for the opportunity to provide these comments, and we look forward to working with the Task Force and the NAIC on this important issue.

Respectfully submitted,

America's Health Insurance Plans
Bob Ridgeway

Blue Cross Blue Shield Association
Kim Holland

For Electronic Delivery

May 20, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota 58505-0320

The Honorable Raymond G. Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
P.O. Box 100105
Columbia, South Carolina 29202

Re: Insurance Consumers' Bill of Rights

Dear Commissioner Hamm and Director Farmer:

In anticipation of the NAIC Cybersecurity Task Force's consideration and development of an insurance consumers' bill of rights relating to security breach notification, the undersigned interested parties have crafted a possible initial draft of such a document, a copy of which is attached. The draft reflects a general summary of consumers' rights under existing state and federal law relating to security breach notification and identity theft protection. We share the draft with you in the hope it might be helpful and further the Task Force's efforts. We look forward to working with the Task Force in connection with this important project and would be glad to answer any questions regarding the attached.

Organization / Name / Phone Number / E-mail Address
American Council of Life Insurers / Robbie Meyer / 202-624-2184 / robbiemeyer@acli.com
America's Health Insurance Plans / Bob Ridgeway / 501-333-2621 / bridgeway@ahip.org
American Insurance Association / Angela Gleason / 202-828-7181 / agleason@aiadc.org
Blue Cross Blue Shield Association / Kim Holland / 202-626-4810 / Kim.Holland@bcbsa.com

Cc: Eric Nordman

October 9, 2015

The Honorable Adam Hamm
Chairman, Cybersecurity Task Force
National Association of Insurance Commissioners
1100 Walnut Street, Suite 1500
Kansas City, MO 64106-2197

Dear Commissioner Hamm:

On behalf of the Independent Insurance Agents and Brokers of America (IIABA), the largest insurance agent and broker organization in the country, I write to offer our association's latest comments regarding the revised Cybersecurity Bill of Rights draft. We submitted comments concerning the initial draft in August, and we thank you again for considering our perspective on these important issues.

General Comments

Although valuable and helpful revisions have been made to the Bill of Rights document, IIABA remains concerned about the most recent version and reluctantly opposes its adoption in this current form. The most notable problem with the document is that it continues to suggest the existence of industry requirements and consumer rights that simply do not exist in most jurisdictions, and we are troubled that many Americans who might receive and rely on this document will be confused and misinformed about their actual rights. It is important to provide accurate and objective information and relevant and meaningful guidance to consumers potentially harmed by data breaches, but it is in no one's interest to develop a consumer tool that is inaccurate and misleading to those who are already concerned and vulnerable. For these reasons, IIABA again urges the task force to revise the document so that it only contains statements of fact that reflect the current state of the law. We focus our remaining comments on two of the provisions that are of particular concern to our members.

Statement 4

Statement 4 suggests that a consumer has a right to receive notice from a victim of a data breach when an unauthorized person "has (or it seems likely they have) seen, stolen, or used [the consumer's] personal information."
This statement is misleading to consumers because it does not accurately reflect the protections and requirements that have been put into place by policymakers in many jurisdictions. State law typically requires the delivery of such notices only when unencrypted personally identifiable information has been obtained by an unauthorized person and there is risk of identity theft or fraud to a consumer as a result. In instances where there is no reasonable threat or harm posed to the consumer or the compromised information is in a format that prevents it from being misused, many states have recognized that there is no need for post-breach notices. In addition, state laws generally define "data breach" in a similar manner and make clear that the term does not include instances in which personal information secured by encryption or similar technology has been accessed.

IIABA urges the task force to modify Statement 4 and the definition of "data breach" to ensure that they more accurately reflect the requirements and rights that generally exist under federal and state law today. We have provided specific recommendations below:

4. Get a notice from your insurance company, agent, or any business they contract with if an unauthorized person has (or it seems likely they have) seen, stolen, or used your unencrypted personal information and this unauthorized access is likely to result in identity theft or fraud. This is called a data breach. This notice should: [... ]

Data Breach: When an unauthorized individual or organization sees, steals, or uses sensitive, protected, or confidential information, usually personal, financial and/or health information, and this unauthorized access is likely to result in identity theft or fraud.

Statement 5

IIABA is especially concerned with Statement 5, and we urge the task force to eliminate this provision. This statement leaves readers with the mistaken impression that most Americans are entitled to at least one year of identity theft protection paid for by the company or agent involved in a data breach. Very few states have even considered the enactment of a post-breach credit monitoring or identity theft protection services requirement of any nature, so the suggestion that there is a national across-the-board right to such services is simply inaccurate. The statement also includes no definition of "identity theft protection," so it is unclear what types of services are contemplated, how widely available they may be, and how costly they might be.
In addition to questions about cost (which are of particular concern to small businesses), there are also serious concerns about the benefits of such services and the vendors who offer them. Many of these protections are directly available and accessible to consumers on their own and at no cost (e.g. fraud alerts), and a diverse group that includes the Federal Trade Commission, Members of Congress, consumer advocates, and security experts have all raised questions about the merit and usefulness of vendor-provided, post-breach identity theft protection. Some of the vendors in this arena have also been charged with false advertising, deceptive marketing practices and, ironically, for failing to protect the personal information that they maintain.

Conclusion

IIABA thanks the task force for the opportunity to submit these comments and for your consideration of our recommendations. Our association looks forward to working with you on these and related issues in the months to come. If we can provide you with additional information or assistance, please contact me at 202-302-1607 or via email at wes.bissett@iiaba.net.

Very truly yours,

Wesley Bissett
Senior Counsel, Government Affairs

Insured Retirement Institute
1100 Vermont Avenue, NW, 10th Floor
Washington, DC 20005
t 202.469.3000 f 202.469.3030
www.irionline.org www.myirionline.org

October 9, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota 58505-0320

The Honorable Raymond G. Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
P.O. Box 100105
Columbia, South Carolina 29202

Attention: Sara Robben
Via E-Mail: srobben@naic.org

Re: Updated Draft Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

On behalf of our members, the Insured Retirement Institute ("IRI")[1] appreciates the opportunity to comment on the proposed Cybersecurity Bill of Rights for insurance consumers. We commend the National Association of Insurance Commissioners ("NAIC") for forming the Cybersecurity Task Force and for developing the Cybersecurity Bill of Rights to further protect the integrity of consumer data. Given that cybersecurity threats are a relatively recent phenomenon, it is not surprising that different legislative and regulatory bodies have taken a variety of approaches to protecting consumers. Federal and state laws across the country have different definitions of personally identifiable information, use different triggers for breach notification obligations, and impose differing requirements with respect to the content of breach notifications and remedies such as identity theft protection.

We believe the Cybersecurity Bill of Rights can be an extremely valuable resource to help consumers understand the types of cybersecurity and breach notification protections to which they may be entitled, and the circumstances under which those protections are provided. However, it should not purport to provide new rights to consumers, or impose new obligations on insurance companies, agents or agencies (including financial advisors and broker-dealers), beyond the rights and obligations imposed under applicable federal and state laws. As such, we respectfully request that the draft be more clearly characterized as a general description of existing protections, and more prominently state that the actual rights and protections available to particular consumers are based on the laws and rules in effect where they live.

Again, IRI appreciates the opportunity to comment on the proposed Cybersecurity Bill of Rights for insurance consumers. We would welcome the opportunity to talk through each of these suggestions and areas of concern addressed in this letter with you and your staff. Thank you again for the opportunity to provide these comments. Please feel free to contact me at (202) 469-3014 if you have any questions or would like to discuss this matter further.

Sincerely,

Jason Berkowitz
Vice President & Counsel, Regulatory Affairs
Insured Retirement Institute (IRI)

[1] The Insured Retirement Institute (IRI) is the leading association for the retirement income industry. IRI proudly leads a national consumer coalition of more than 30 organizations, and is the only association that represents the entire supply chain of insured retirement strategies. IRI members are the major insurers, asset managers, broker-dealers/distributors, and 150,000 financial professionals. As a not-for-profit organization, IRI provides an objective forum for communication and education, and advocates for the sustainable retirement solutions Americans need to help achieve a secure and dignified retirement. Learn more at www.irionline.org.

October 9, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota 58505-0320

The Honorable Raymond G. Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
P.O. Box 100105
Columbia, South Carolina 29202

Attn: Sara Robben
Via E-mail: srobben@naic.org

Re: Updated Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

The undersigned trade associations appreciate the opportunity to comment on the proposed updated Cybersecurity Bill of Rights (Bill of Rights). Many of the undersigned submitted written comments on the proposed original Bill of Rights prior to the August 16th meeting of the Cybersecurity (EX) Task Force (Task Force). On August 31st, many of the undersigned also jointly submitted a draft of a possible alternative version of the Bill of Rights in response to comments on the original Bill of Rights included in the materials for the August 16th Task Force meeting and discussion during the meeting. In the August 31 joint trades draft Bill of Rights, we sought to address concerns that the original Bill of Rights was likely to give rise to confusion because: (i) it was not written in a manner likely to be easily understood by consumers; and (ii) it included a number of provisions that could be misunderstood by consumers to grant them rights to certain protections that differ from, or conflict with, the protections granted under applicable federal and state law. While we acknowledge that the updated Bill of Rights reflects significant streamlining, we respectfully submit that, like the original, the proposed updated Bill of Rights will leave consumers with the mistaken impression they have rights or protections that are not provided under existing laws.

Of particular concern in this regard are its provisions relating to privacy policies, notice, and identity theft protection, coupled with its proposed definitions of Data Breach and Personal Information (Personally Identifiable information). Relatedly, the proposed updated Bill of Rights does not make it clear it is intended to provide a general summary of insurance consumers' rights relating to cybersecurity and breach notification and that the actual specific rights and protections to which a consumer is legally entitled are based on and subject to applicable federal and state law. The following provisions are of particular concern: (i) "As an insurance consumer, you have the right to:"; and (ii) "This Cybersecurity Bill of Rights describes what you can expect from insurance companies, agents and other businesses when they collect, maintain, and use your personal information."

We respectfully urge modification to the updated Bill of Rights to address the concerns raised above. To avoid confusing consumers as to their actual legal rights, we urge that rights be described in the Bill of Rights as generically as possible. We urge that the updated Bill of Rights be modified to expressly state that: (i) it is intended to provide a general summary of consumers' rights; (ii) it is provided for informational purposes only; and (iii) consumers' actual legal rights are based on and subject to applicable state and federal law. Further specific suggestions to accomplish the above are provided in individual trade association letters relating to the proposed updated Bill of Rights.

We very much appreciate and thank you for your continued consideration of our views in connection with this important project and would be glad to answer questions regarding any of the above.

Organization                                                     Name                Phone Number   E-mail Address
American Council of Life Insurers (ACLI)                         Robbie Meyer        202-624-2184   robbiemeyer@acli.com
American Insurance Association (AIA)                             Angela Gleason      202-828-7181   agleason@aiadc.org
America's Health Insurance Plans (AHIP)                          Bob Ridgeway        501-333-2621   bridgeway@ahip.org
Council of Insurance Agents & Brokers                            John Fielding       202-429-6296   jfielding@steptoe.com
Independent Insurance Agents and Brokers of America (IIABA)      Wesley Bissett      202-302-1607   wes.bissett@iiaba.net
Insured Retirement Institute (IRI)                               Jason Berkowitz     202-469-3014   jberkowitz@irionline.org
National Association of Health Underwriters (NAHU)               Marcy Buckner       202-595-7589   mbuckner@nahu.org
National Association of Insurance and Financial Advisors (NAIFA) Gary Sanders        703-770-8192   gsanders@naifa.org
National Association of Mutual Insurance Companies (NAMIC)       Paul Tetrault       978-969-1046   ptetrault@namic.org
National Association of Professional Insurance Agents (PIA)      Jennifer M. Webb    703-518-1344   jennwe@pianet.org
Property Casualty Insurers Association of America (PCI)          Alex Hageli         847-553-3656   alex.hageli@pciaa.net
Reinsurance Association of America (RAA)                         Karalee C. Morell   202-783-8380   morell@reinsurance.org

CC: Sara Robben & Eric Nordman

October 9, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota 58505-0320

The Honorable Raymond G. Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
P.O. Box 100105
Columbia, South Carolina 29202

Attn: Pamela Simpson
Via E-mail: psimpson@naic.org

Re: Updated Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

I am writing on behalf of the National Association of Health Underwriters (NAHU), a professional association representing more than 100,000 licensed health insurance agents, brokers, consultants and employee benefit specialists nationally. Our members service the health insurance policies of millions of Americans and work on a daily basis to help individuals and employers purchase, administer and utilize health insurance coverage that best fits their needs and budgets.

We are writing to offer comments on the National Association of Insurance Commissioners' updated draft proposal of the Cybersecurity Bill of Rights. Although we have submitted comments in a joint letter with the Council of Insurance Agents & Brokers (CIAB), the National Association of Insurance and Financial Advisors (NAIFA) and the National Association of Professional Insurance Agents (PIA), we would like to offer comments specifically addressing health insurance agents and brokers and their role in the proposed Cybersecurity Bill of Rights.

Overall, we are concerned that the document title "Cybersecurity Bill of Rights" may represent these actions as actual rights all insurance consumers have under state and federal law in all jurisdictions. Although NAHU supports protections for insurance consumers, unfortunately the actions listed in the Cybersecurity Bill of Rights have not been universally adopted across the country and should not be represented as such.

In addition, NAHU believes many of the terms used are vague, and even though provided with a definition, should be explained further. For example, the use of "data breach" in item 4 seems all-encompassing, and the standard definition provided for the term does not offer much guidance on specifying exactly what consumer exposure would lead to the execution of these rights. Similarly, the right to identity-theft protection in item 5 should also be further explained. Although a list of rights following the event of stolen identity follows in item 6, these are more generic and do not indicate whether some or all must be given. We would also suggest that item 5 amends the wording so that identity-theft protection must be offered, not that the consumer must get one year of identity-theft protection.

Finally, we would like to echo our previous concern regarding the lumping together of different entities in several of the listed rights. Although this draft has been edited so that "insurer, insurance producer or other state-regulated entity" now reads "insurance company, agent or any business they contract with," these entities are repeatedly treated as one and the same. This is particularly confusing in regards to which entity could be responsible for the collection, storage, security and notification of a possible breach in a consumer's personally identifiable information. Many of the individual Bill of Rights in which these entities are grouped would be incredibly burdensome to agents and brokers, and may subject them to significant liability should they be responsible for such rights. In addition, the listing of multiple entities may create confusion on the part of the consumer as to who is responsible should the consumer encounter such a breach. We believe it would be suitable to identify specifically in the Bill of Rights which of these entities would be responsible for each item.

We appreciate the considerable effort that has gone into drafting the Cybersecurity Bill of Rights and we are grateful for the opportunity to provide our perspective on this important issue. We are happy to work with the NAIC on further specific language changes and suggestions should you so desire.

If you have any questions, or if NAHU can be of further assistance to you, please feel free to contact me at 202-595-7589 or mbuckner@nahu.org.

Sincerely,

Marcy M. Buckner
Vice President of Government Affairs
National Association of Health Underwriters

National Association of Insurance and Financial Advisors

October 7, 2015

The Honorable Adam Hamm
Chair, NAIC Cybersecurity (EX) Task Force
North Dakota Insurance Department
600 E. Boulevard Avenue
Bismarck, North Dakota 58505-0320

The Honorable Raymond G. Farmer
Vice Chair, NAIC Cybersecurity (EX) Task Force
South Carolina Department of Insurance
P.O. Box 100105
Columbia, South Carolina 29202

Attn: Sara Robben
Via E-mail: srobben@naic.org

Re: Second Draft of NAIC Cybersecurity Bill of Rights

Dear Commissioner Hamm and Director Farmer:

The National Association of Insurance and Financial Advisors (NAIFA) appreciates the opportunity to comment on the latest draft of the NAIC Cybersecurity Bill of Rights (BoR). Founded in 1890 as The National Association of Life Underwriters (NALU), NAIFA is one of the nation's oldest and largest associations representing the interests of insurance professionals from every Congressional district in the United States. NAIFA members assist consumers by focusing their practices on one or more of the following: life insurance and annuities, health insurance and employee benefits, multiline, and financial advising and investments. NAIFA's mission is to advocate for a positive legislative and regulatory environment, enhance business and professional skills, and promote the ethical conduct of its members.

NAIFA supports the NAIC's efforts to protect consumers in the event of an unauthorized access to the consumer's sensitive personal information, and commends the NAIC for being proactively engaged on cybersecurity issues. NAIFA believes the latest draft of the BoR does improve upon the initial version in several important ways. However, we continue to have numerous concerns, both general and specific, about the latest draft BoR. Our concerns are as follows:

1. Current existing rights and protections differ from state to state.

Despite the improvements over the previous draft, the current BoR may still unnecessarily create confusion among consumers over which rights and obligations exist in their specific jurisdiction. In addition,