Implications of Calif. privacy law for insurers
Though California's recently passed digital-privacy law is not specific to financial services or insurance, carriers will need to proactively respond to new laws as they emerge and stay up to date on changes as they take place over time.
Under the terms of the law, which was rushed through in the last week of June in order to head off an even stricter referendum that was due to be on the ballot in November, firms must let consumers know what data is being collected on them, how it is used, where it is being shared, with whom and why. Notably, it gives consumers the right to tell companies not to sell or share their data and additionally gives people the right to ask for their data to be deleted. This point is similar to the European Union's "right to be forgotten" from the General Data Protection Regulation, and is very difficult for firms to comply with. The California law also places restrictions on data for people under the age of 16.
There is a proliferation of these types of laws being enacted across jurisdictions. In addition to the GDPR -- which potentially (although this is being debated) covers carriers that operate in those respective states and also operate in the EU or interact with EU citizens -- at the end of May, South Carolina passed its own cybersecurity regulation, specific to insurance, based on both the NIST framework and the NAIC model law. New York and Delaware have also enacted laws that are more broadly targeted than South Carolina's.
We have mentioned frequently over the past year that other states are sure to follow in the footsteps of California, New York, and South Carolina, and begin to develop their own laws. Notably, many of these laws are not insurance- or financial services-specific. However, given that it typically takes about three years from adoption of a NAIC model law to full adoption of regulations/laws on a state-by-state basis, we can expect to see many more states expand or adopt new laws covering data and cybersecurity for insurers between now and 2020. We can also expect other non-insurance specific cybersecurity laws to overlap with insurance cybersecurity regulations with differing legal requirements across states and possibly even within states.
As we have seen, cybersecurity regulations will differ from state to state, and in those states considering insurance-specific regulations, some are looking to re-introduce concepts that were eliminated in the final NAIC model law. A handful of states are also adopting data protection regulations (e.g. the Delaware Data Breach Notification Law) that apply to any firm capturing consumer data, including insurance carriers.
Cybersecurity regulation for carriers in the US is turning into a many-sizes, many-models scenario, with overlapping and variable regulatory requirements. Security has never been a part-time job and the stakes for non-compliance are only getting higher, one regulation and one state at a time. This may be prudent given the fact that the security threats are growing faster than the regulations around them!
Do you have a CISO? If not, why not? It's never been more crucial.