Insurers have not been immune to the recent increase of cyberattacks on U.S. businesses. And while the government in general has attempted to pass legislation and adopt rules to guide businesses on their cyber practices, the number and diversity of rules that apply to insurers is dizzying. In addition, the rules are constantly evolving as new laws are passed, new bulletins are issued and new standards are adopted, especially regarding insurers’ duties in the event of a data security breach. But insurers are also looking for up-to-date guidance on the standards and duties that apply to the collection, use and maintenance of data in the absence of a breach. This article serves as a compendium of some of the most important rules that apply – and could apply – to insurers with respect to security standards for their cyber practices.
Federal and state governments both have struggled to create viable and current legal standards to deal with the security of consumers who conduct insurance transactions. The object is to secure information about consumers, including information that is provided by the consumers themselves as well as data created by insurers and their agents based on information from consumers. As a result, there is a patchwork of laws and regulations setting standards and governing the security designed to help prevent a data breach. Then there is an assortment of aspirational standards whose legal effect is uncertain. Collectively, these rules impose different requirements in different jurisdictions and for different lines of insurance business. The industry has responded with calls for uniformity and consistency in legislation. However, the current landscape is in a state of constant evolution with new rules and approaches proposed with great frequency. There are many rules dealing with required notifications and actions in the event of a breach, but this subject is beyond the scope of this article. This article identifies laws, regulations and standards that apply to insurers’ general security and breach readiness, and gives a brief description of each rule. The article is not exhaustive; for example, it does not consider the common law causes of action, like negligence, that could create liability and duties for an insurer, or laws that apply to any business holding certain sensitive information such as social security numbers. Instead, this article focuses on laws and rules that are explicitly focused on insurers’ cybersecurity.
Government and industry alike have struggled to develop ways to protect data security in the ever evolving and dramatically fluid world of cyberdata. Perhaps for this reason, regulators have found it helpful to refer to standards and aspirational objectives that do not contain the same granularity as some of the legislation. Of course, on their own, these standards do not have the force of law. However, given the importance of some of the standards discussed below, they are included here. While these standards are aspirational, they could be used as a benchmark to establish what a custom and practice standard for insurers should be.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a part of the U.S. Department of Commerce that, among other things, sets standards for service providers operating their businesses within the United States. A 2013 Executive Order directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The resulting document, which may be revised periodically, consists of standards, guidelines, and best practices to promote the protection of critical infrastructure. The Framework is not directed at any particular industry, and the expectation is that each organization will use the Framework as guidance that is then customized to the organization’s individual risks, situation and needs. The U.S. Treasury Department (Treasury) encourages insurers to refer to the Framework as a guide for best practices.
Other Federal Activity and Anticipated Rules
Treasury serves as the federal interface for matters involving cyber threats and cybersecurity for many institutions, including insurers. Treasury then coordinates with other federal agencies and collaborates with state governments. Through its Federal Insurance Office (FIO), Treasury encourages insurers to participate in Automated Indicator Sharing as part of its efforts to maintain security by enabling the exchange of cyber threat indicators between the federal government and the private sector in order to expose threats. More generally, the Department of Homeland Security has developed a Cybersecurity Workforce Toolkit designed to help U.S. businesses build a team of personnel to meet the organization’s needs related to addressing cybersecurity issues. Finally, the numerous bills considered and passed by Congress regarding cybersecurity suggest that the federal legislature is likely to continue to be active on this issue, and it is quite possible that the federal implementing agencies will not be far behind in promulgating regulations.
The NAIC’s Cybersecurity Task Force was created in November 2014 to help coordinate insurance issues related to cybersecurity. Over the last couple of years, the Task Force has concentrated on a three-step process:
- The promulgation of Guiding Principles (aka the Roadmap): The Task Force adopted these Guiding Principles in April 2015. Consisting of twelve principles that apply to insurers, insurance producers and their employees, as well as insurance regulators, these principles are meant to serve as the foundation for protection of sensitive consumer information collected by insurers. These Principles state that it is vital for state insurance regulators to provide effective cybersecurity guidance regarding the protection of the insurance sector’s data security and infrastructure and also note that state insurance regulators look to the insurance industry to join forces in identifying risks and offering practical solutions. The Principles are intended to establish insurance regulatory guidance that promotes these relationships and protects consumers;
- The Cybersecurity Bill of Rights: The Task Force adopted the Bill of Rights in October 2015. The Bill of Rights is intended for use in updating a number of model laws, including many of the model laws referenced in this article. The Bill of Rights focuses on the protection of consumer data and advising consumers of certain rights and remedies they have; and
- The NAIC Insurance Data Security Model Law: Informed by the Guiding Principles and the Bill of Rights, the Cybersecurity Task Force is currently drafting a new model law that is intended to set expectations for insurers regarding their information security programs, their risk assessment, their risk management (including specific technical controls) and the required oversight by the insurer’s board of directors. As of this writing, the model law remains in draft form and under active discussion, having drawn criticism from a number of groups representing both consumers and industry.
In addition to the work of its Cybersecurity Task Force, the NAIC has also engaged in discussions with federal regulators on a variety of topics related to cybersecurity. For example, the NAIC participates in the White House’s Cybersecurity Forum for Independent and Executive Branch Regulators, whose objective is to identify and explore opportunities to align, leverage and deconflict cross-sector regulatory authorities’ approaches and promote cybersecurity protection.
II. State Laws & Rules
States have long been concerned about the privacy of insurance consumers’ most personal information. As discussed in more detail below, within the last fifteen years, a majority of states have passed laws that deal with general data security requirements. For the most part, these laws are administered and enforced by the state’s Department of Insurance. Some jurisdictions have also empowered their Attorneys General to bring actions to address violations of the privacy rules that do exist in the state. However, the bulk of the most recent legislative and regulatory activity has been focused on responding to breaches, leaving insurers with less updated and specific guidance for how to try to avoid a breach in the first place. The notable exception is the recently proposed regulation by the New York Department of Financial Services. If this regulation is promulgated, it will be the first regulatory activity in nearly a decade to re-visit the ins and outs of a compliant security program for insurers.
Requirements for a Security Program
In 2002, the NAIC developed its Standards for Safeguarding Customer Information Model Regulation (Model Reg. 673). The stated objectives of Model Reg. 673 are to ensure the security and confidentiality of customer information, to protect against any anticipated threats or hazards to the security or integrity of the information, and to protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer. By 2005, thirty-four states had adopted some form of Model Reg. 673. However, there has been very little in the way of updates to the state law since then, despite the mushrooming incidences of cyber breach. Model Regulation 673 requires a licensee to do all of the following:
A. Design its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee’s activities;
B. Train staff, as appropriate, to implement the licensee’s information security program; and
C. Regularly test or otherwise regularly monitor the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee’s risk assessment.
The information security program must be written and include appropriate administrative, technical and physical safeguards. Moreover, this requirement is not static – the licensee must monitor and adjust its security program as suggested by changes in technology, the sensitivity of the information, threats to security and its own changing business arrangements.
The licensee must also oversee its service provider arrangements by exercising due diligence in selecting its service providers and then requiring those service providers to implement “appropriate measures” to meet the objectives of the regulation. Finally, the licensee must confirm that the service provider has satisfied its obligations. In addition, under the Model Regulation a failure to meet these obligations would constitute a violation of the state’s unfair trade practices act.
Other states have also spoken on this topic. Arkansas passed Act 1526 of 2005, the purpose of which was to ensure that sensitive personal information is protected. Section 38a-999b, Connecticut General Statutes, requires that, by October 1, 2017, each company implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company. The security program must be in writing and contain administrative, technical and physical safeguards that are appropriate to (A) the size, scope and type of business of such company, (B) the amount of resources available to such company, (C) the amount of data compiled or maintained by such company, and (D) the need for security and confidentiality of such data. The company must update the program as often as necessary (but at least annually) and certify its compliance on an annual basis. The statute provides a detailed description of the necessary components of the program. Nevada, Rhode Island and Utah require business owners to maintain “reasonable security” from “unauthorized access, destruction, use, modification, or disclosure” of personal information. Massachusetts requires a comprehensive information security system, and goes on to specify a list of safeguards that the program must contain.
In California, the Confidentiality of Medical Information Act (CMIA) obligates health plans to preserve confidentiality, and penalizes plans for violations of the CMIA. The Knox-Keene Health Care Service Plan Act of 1975 (Knox-Keene Act), as amended, requires health plans to file with the Department of Managed Health Care (DMHC) their policies and procedures to protect the security of patient medical information to ensure compliance with the CMIA. The DMHC is specifically authorized to take disciplinary action against a health plan for violations of the CMIA pursuant to Health and Safety Code section 1386(b)(15). The DMHC (which generally regulates HMOs) issued Director’s Letter No. 6-K on April 7, 2011 directing health plans to take “all proactive measures necessary to ensure the security of enrollees’ medical and personal information.” The letter went on to note that the foreseeable nature of unintentional breaches and disclosures “requires that preventative measures be taken to ensure that enrollee information is protected.” Similarly, in Oregon, health insurers must file annual protection of health information reports.
Coordination with Federal Requirements and Other Standards
A number of states direct their regulators to adopt regulations to safeguard the personal information of residents in a way that is consistent with federal regulations. For example, in Massachusetts, the objectives of the regulations are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards, protect against anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
In other cases, maintaining notice procedures as part of an information security policy may allow an insurer to demonstrate compliance with state notice requirements in the event of breach. However, the intracompany procedures must be otherwise consistent with state timing requirements for notices. Similarly, if a database is maintained with data security procedures developed under certain federal laws (such as HIPAA) some of the insurer’s duties may be ameliorated.
Requirements Around the Use of Vendors
As discussed earlier in this article, Model Reg. 673 already contains language concerning insurers’ oversight of service provider arrangements. Further, in the context of a breach, there is much discussion about the role of vendors, and rules regarding various parties’ liabilities may suggest a course of action for an insurer to follow when setting up a security protocol. Beyond that, Massachusetts imposes an actual duty to oversee service providers’ security measures and gives some detail concerning what steps must be taken to monitor the security of the information maintained by vendors. New Jersey law also creates specific duties as they pertain to provider agreements with HMOs.
Requirements Around the Disposal of Information
Several states have specified that maintaining the security of information does not necessarily stop when the insurer no longer wishes to maintain the information itself: state law can also govern the secure disposal of personal information. For example, Indiana law requires unencrypted and redacted personal information to be shredded, incinerated, mutilated, erased or otherwise rendered illegible or unusable. In Montana, the duty to destroy extends to all data within the “custody or control” of the business. The Arkansas statute requires all businesses to take all reasonable steps to destroy such information that is not to be retained. The required destruction obliges the business to shred, erase or otherwise modify the personal information in the records to make it unreadable or undecipherable through any means.
III. Federal Laws and Rules
The McCarran-Ferguson Act does not exempt insurance companies from federal agency jurisdiction, but rather exempts only those activities that constitute the business of insurance (regardless of who performs them) and then only to the extent that such activities are not regulated by state law. In Union Labor Life Insurance Co. v. Pireno, the Supreme Court laid out the three part test necessary to determine whether any particular activity constitutes the business of insurance. Whether an activity performed in the business of insurance is subject to state regulation further requires a determination not only whether the activity is “regulated by state law,” but also whether the state regulation was enacted for the purpose of regulating the “business of insurance.” Finally, where the interstate sale of insurance is involved, it is necessary to ascertain not only whether the practice in question is regulated by the states in which the practice has its impact but also whether such states are able to exert local control “through [their] own provisions, instrumentalities, and processes.”
For the purposes of this article, we have limited the discussion to the federal rules which could apply in circumstances where the McCarran-Ferguson exemption applies. It goes without saying that if the exemption did not apply to a particular activity, then any number of additional federal laws could come into play.
Gramm-Leach-Bliley Act (GLB)
The Gramm-Leach-Bliley Act requires financial institutions subject to Federal Trade Commission (FTC) regulation to explain their information-sharing practices to their customers and to safeguard sensitive data. As part of its implementation of the GLB, the FTC issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:
A. Designate one or more employees to coordinate its information security program;
B. Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
C. Design and implement a safeguards program, and regularly monitor and test it;
D. Select service providers that can maintain appropriate safeguards, make sure its contract requires them to maintain safeguards, and oversee their handling of customer information; and
E. Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
As explained by the FTC, the Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Other Rules for Health Insurers
HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. This resulted in two rules applicable to health insurers and health plans, generally known as the Privacy Rule and the Security Rule. The Security Rule extends the Privacy Rule to include electronic protected health information (ePHI). All ePHI must be properly secured from unauthorized access (a breach), whether the data is at rest or in transit. The rule was designed to be flexible enough to cover all aspects of security without requiring specific technologies or procedures to be implemented. Each organization is responsible for determining what its security needs are and how it will meet them.
Health plans that engage in electronic exchanges of health information must meet federal government standards. These require the plan to maintain reasonable and appropriate administrative, technical and physical safeguards that ensure the integrity and confidentiality of the information; protect against any reasonably anticipated threats or hazards to the security or integrity of the information and against unauthorized uses or disclosures of the information; and otherwise ensure compliance by its officers and employees.
We also note that the HITECH Act strengthens the enforcement of violations of HIPAA. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. The HITECH Act also allows State Attorneys General to pursue civil actions for HIPAA violations.
Cybersecurity Information Sharing Act of 2015 (CISA)
CISA allows companies to monitor and implement defensive measures on their own information systems to counter cyber threats. Subject to certain requirements, a company is also authorized, notwithstanding any other provision of law, to “monitor” and “operate defensive measures” on its own information system—or, with written authorization, another party’s system—for cybersecurity purposes. CISA promotes the sharing of information on these threats between the private sector and the government. CISA also directs the federal government to develop and issue procedures to promote the sharing of information concerning cyber threats.
The healthcare industry was specifically addressed by the law, which required HHS to establish a task force including healthcare industry stakeholders. In December 2016, the task force will report to Congress on the preparedness of HHS and the healthcare industry to respond to cybersecurity threats as well as industry-specific cybersecurity challenges. The task force will also develop voluntary guidelines and best practices on cybersecurity in the healthcare arena.