Ann Young Black and Patricia Carreiro of Carlton Fields write:
In April and May, the NAIC Privacy Protections Working Group held the first three of its biweekly calls to discuss its recipe for a new privacy model, “Insurance Consumer Privacy Protection Model Law #674.” During the meetings, the working group considered whether the recipe needed to (a) include, as an ingredient, a private right of action; (b) clarify the HIPAA safe harbor; (c) leave more or less room for “secret sauce” (i.e., revise its confidentiality provisions); (d) revisit its kitchen cleanup processes (i.e., data retention and destruction requirements); and (e) locally source its ingredients (i.e., restrict cross-border data transfers).
Private Right of Action
The debate on whether to include a private right of action within the privacy model was similar to deciding whether a recipe should include cilantro — some love it, while for others it leaves a soapy aftertaste. As expected, consumer advocates sought to preserve a private right of action. They asserted that eliminating it would deprive consumers of any redress for the unwanted use of their personal information and make noncompliance a mere cost of doing business. The advocates alleged that this additional ingredient was necessary to counter insurers’ increased data use and “surveillance economy,” as regulators would not have the resources to enforce the draft model’s protections. Those against its inclusion countered that the ingredient merely preserves the status quo; removing the language does not take away any existing causes of action.
Read more at JDSupra.