The NAIC’s version of a Data Security Breach Law
These state and federal data security breach bills to protect consumers’ personal information directly affect the insurance industry. In 2017, the National Association of Insurance Commissioners (NAIC) adopted its own version of a data security breach law, the Insurance Data Security Model Law. At the time of writing, South Carolina is the only state to have enacted a law that is substantially similar to the most recent version of the NAIC model.
The purpose of the NAIC model is to set standards for data security, for the investigation of a cybersecurity event, and for notification of such an event to the commissioner (the chief insurance regulatory official of a state). The standards apply to licensees (persons licensed, authorized to operate, or registered under the insurance laws of a state). The model defines an “authorized individual” as a person known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information the licensee holds. The model also requires each licensee to establish a comprehensive written information security program, based on a risk assessment, that provides administrative, technical, and physical safeguards for the protection of nonpublic information.
As well as setting forth procedures for the investigation of a cybersecurity event, the model requires notice to the commissioner as promptly as possible but no later than 72 hours after a determination that a cybersecurity event has occurred. Notice is required when the state is the licensee’s state of domicile, or when the licensee reasonably believes that the nonpublic information of 250 or more consumers residing in the state was involved. The model provides exemptions from these requirements, as well as penalties for non-compliance in accordance with the enacting state’s law. The Insurance Data Security Model Law can be found at www.naic.org under cybersecurity.
Colorado: “Concerning Strengthening Protection for Consumer Data Privacy”
Leading up to the 2018 legislative session in Colorado, the Attorney General sought to strengthen existing protections for consumers whose personal information had been compromised in a security breach. However, the bill as first proposed would have placed a significant regulatory burden on Colorado businesses. After active participation by the business community, and through negotiation and compromise with the bill’s sponsors, the Attorney General’s Office struck a balance between protecting consumer information and limiting the extent of these regulatory burdens in HB 18-1128, Protections for Consumer Data Privacy.
Under this law, a business must notify affected Colorado residents no later than 30 days after the date of determination that a security breach has occurred. However, the law also provides that a business regulated by state or federal law that complies with the notification requirements of its regulator is deemed to be in compliance with the Colorado notice requirement as well. The Colorado statute also sets guidelines for the disposal of personal identifying information that a covered entity maintains, and requires covered entities to have a written policy for that disposal. Similar to other state data breach bills and the NAIC model, the Colorado law requires a business to maintain reasonable security procedures and practices in order to protect the personal identifying information of individuals residing in the state. The security procedures must be appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.
Finally, a business must also notify the Colorado Attorney General’s Office of a security breach within 30 days after the date of determination that the breach occurred, if the breach is reasonably believed to have affected at least 500 Colorado residents. A breach of encrypted or otherwise secured personal information does not have to be disclosed unless the confidential process, encryption key, or other means to decipher the information was also acquired, or is reasonably believed to have been acquired.
California: “California Consumer Privacy Act of 2018”
Assembly member Ed Chau introduced AB 375 in the California legislature to address provisions set forth in a ballot initiative that would otherwise have enacted a different and distinct consumer privacy statute. California Governor Edmund G. Brown Jr. signed AB 375 into law, enacting the “California Consumer Privacy Act of 2018” (“CCPA”), which takes effect on January 1, 2020. The CCPA expands the generally understood definition of “personal information” in the United States. The law’s broad scope also means it will affect a large number of companies that operate in California and engage in data-driven advertising and marketing activities.
The CCPA broadly defines the term “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA applies its requirements to any “business,” which it defines as a for-profit entity that does business in California, collects personal information from California residents, and either: (1) has annual gross revenue over $25 million; (2) annually buys, sells, receives, or shares for a commercial purpose the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenue from selling consumers’ personal information. The law states that it is not limited to information collected electronically or over the Internet, but applies to the collection and sale of all personal information. The law does not affect commercial conduct that takes place wholly outside of California, which is the case only when the business collected the information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California was sold.
The CCPA provides California residents with a broad range of consumer rights, including new access and opt-out rights. When responding to consumer requests, a business cannot rely exclusively on general statements of applicability like those made in current privacy notices. The CCPA creates the following specific consumer rights: (1) the right to access the personal information a business has collected; (2) the right to deletion; (3) the right to know the sources from which personal information is collected and the third parties to whom it is sold or disclosed; (4) the right to opt out of the sale of personal information; and (5) the right to equal service and price, without discrimination for exercising these rights.
The CCPA provides certain exceptions to its requirements. These include allowances for sharing with law enforcement, for sharing with service providers, and for activity that takes place wholly outside of California. The law also provides exceptions for compliance with sector-specific laws such as health and banking regulations. Generally, the CCPA does not restrict the ability of a business to: (1) comply with federal, state, or local laws; (2) comply with a civil, criminal, or regulatory investigation; (3) cooperate with law enforcement where there is a reasonable, good faith belief that an activity may violate the law; (4) exercise or defend legal claims; (5) collect, use, retain, sell, or disclose personal information that is deidentified or aggregated; or (6) collect or sell personal information if every aspect of that conduct takes place wholly outside California. Sections 1798.110 to 1798.135 also do not apply where compliance would require the business to violate an evidentiary privilege under California law. The law further does not apply to: (1) medical information governed by the Confidentiality of Medical Information Act, or protected health information collected by a covered entity subject to the Health Insurance Portability and Accountability Act; (2) the sale of personal information to or from a consumer reporting agency that is used to create a consumer report; (3) personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing regulations, to the extent the CCPA conflicts with that law or regulation; or (4) personal information collected or sold pursuant to the Driver’s Privacy Protection Act. The Attorney General is also authorized by the CCPA to adopt additional regulations as necessary to further the purposes of the law.
As technology continues to evolve, the need to protect consumers’ personal information is sure to increase. Legislation on data security and breach notification will continue to develop, and compromises with stakeholders, as part of the legislative process, will continue to ensure that the concerns of the various interested parties are taken into account. The 2019 legislative year appears indicative of what we can expect to see in 2020 and beyond. Data security and related issues will remain high-visibility legislative and regulatory topics for the foreseeable future.
According to the NCSL, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws. This year at least 19 states have considered, amended, or enacted security breach laws. At the latest count, Connecticut, Mississippi, New Hampshire, and Nevada have introduced bills similar to the NAIC model. Other states are modeling their proposals on the California Consumer Privacy Act, or on a hybrid of various consumer and business trade group recommendations. The NCSL observed four general trends in the proposals introduced in 2019: bills expanding the definition of “personal information”; bills addressing the time frame for reporting a breach; bills requiring that breaches be reported to the attorney general; and consumer protection bills for victims of a data breach.
As of July 1, 2019, the states that have enacted new legislation or amended existing legislation this year include Arkansas, Florida, Illinois, Maryland, New Jersey, Oregon, Utah, and Washington. Numerous bills remain pending in states still in session.
Pam Greenberg, Taking Aim at Data Breaches and Cyberattacks, National Conference of State Legislatures, Vol. 25, No. 43 (Nov. 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/taking-aim-at-data-breaches-and-cyberattacks.aspx.
Edward Holman et al., A Look Ahead at Privacy and Data Security in 2018, The Wilson Sonsini Goodrich & Rosati Data Advisor (Jan. 24, 2018), https://www.wsgrdataadvisor.com/2018/01/privacy-and-data-security-in-2018/.
Data Security and Breach Notification Act, S. 2179, 115th Cong. (2017).
Consumer Privacy Protection Act of 2017, H.R. 4081, 115th Cong. (2017).
See HB 18-1128, enacting new Colo. Rev. Stat. § 6-1-713.5.
Colo. Rev. Stat. § 6-1-713.5(4).
Colo. Rev. Stat. § 6-1-713.
Colo. Rev. Stat. § 6-1-713.5.
Colo. Rev. Stat. § 6-1-716(2)(f)(I).
Colo. Rev. Stat. § 6-1-716(2)(g).
Cal. Civ. Code § 1798.140(o)(1).
Cal. Civ. Code § 1798.140(c).
Cal. Civ. Code § 1798.175.
Cal. Civ. Code § 1798.145(a)(6).
Cal. Civ. Code §§ 1798.140(t)(1), 1798.105, 1798.115, 1798.120, 1798.125.
Cal. Civ. Code §§ 1798.130, 1798.135.
Cal. Civ. Code § 1798.150.
Cal. Civ. Code § 1798.145.
Cal. Civ. Code § 1798.185.
Digital Guardian, The Definitive Guide to U.S. State Data Breach Laws.
National Conference of State Legislatures, 2019 Security Breach Legislation (June 13, 2019).