The National Association of Insurance Commissioners recently released an update on its efforts to ensure data security at insurance carriers. One of the initiatives is a "Consumer Cybersecurity Bill of Rights," a draft of which includes the following:
1. Consumers have the right to know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer, insurance producer, or other state-regulated entity.
2. Consumers should expect that an insurer, insurance producer, or other state-regulated entity that holds their personally identifiable information in connection with an insurance transaction or service is adequately protecting the personally identifiable information from disclosure to unauthorized persons.
3. Policyholders should receive notice from an insurer, insurance producer, or other state-regulated entity if their personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and could result in identity theft or fraud.
4. Customers should receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach, by mail or e-mail, and without "unreasonable delay" (never later than 60 days after a breach, unless a criminal investigation is potentially affected).
5. Health insurers specifically should also send quick notification regarding a data breach of protected health information that is held by a health plan, under federal HIPAA laws.
6. Also within 60 days, consumers should expect information on which specific payment methods or accounts may have been revealed.
7. If a third party has been breached, insurance companies are obligated to report that to their customers.
8. Consumers should receive a general description of the actions taken by the insurer, insurance producer, or other state-regulated entity to restore the security and confidentiality of the personally identifiable information involved in a data breach.
9. Consumers are entitled to two years of identity theft protection at the insurers' expense.
10. Insurers are also responsible for notifying policyholders of a summary of the rights of victims of identity theft prepared under the Fair Credit Reporting Act.
11. Credit reporting agencies should provide a security freeze at customers' request.
12. Finally, insurers, insurance producers, or other regulated entities must provide a privacy policy regarding the data they collect. The regulated entity should provide a clear and conspicuous notice to you that accurately reflects its privacy policies and practices on an annual basis.