The National Association of Insurance Commissioners (NAIC) has issued a proposed Cybersecurity Bill of Rights. Here’s their draft proposal:
As an insurance consumer, you generally have the right to:
- Know what type of personally identifiable information is being collected and how long that personally identifiable information is kept by an insurer, insurance producer, or other state-regulated entity.
- Expect that an insurer, insurance producer, or other state-regulated entity that holds your personally identifiable information in connection with an insurance transaction or service is adequately protecting the personally identifiable information from disclosure to unauthorized persons.
- Receive notice from an insurer, insurance producer, or other state-regulated entity if your personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person and could result in identity theft or fraud to you.
- Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach that provides:
  - Notice in written form by first-class mail, or alternatively, by e-mail if you have agreed to receive such notices electronically;
  - The notification without unreasonable delay and in no case later than 60 days following the discovery of a breach. This notice within 60 days may be delayed in the event that the release of the breach information obstructs a criminal investigation or jeopardizes national security;
  - A description of the types of information that were involved in the breach, and the steps you can take to protect yourself from potential harm;
  - Contact information for the three nationwide consumer reporting agencies;
  - Contact information for the regulated entity that suffered the breach.
- Receive notification from health insurers regarding a data breach of protected health information that is held by a health plan, under federal HIPAA laws.
- Receive notice from an insurer, insurance producer, or other state-regulated entity without unreasonable delay, and in no case later than 60 days, information on any relevant payment card/bank account number breach, if the breach involves a breach of the payment card/bank account numbers. This notice within 60 days may be delayed in the event that the release of the breach information obstructs a criminal investigation or jeopardizes national security.
- Receive notice from an insurer, insurance producer, or other state-regulated entity in the event of a data breach of their security system, maintained by a third-party service provider that has been contracted to maintain, store, or process personally identifiable information in electronic or paper form.
- Receive a general description of the actions taken by the insurer, insurance producer, or other state-regulated entity to restore the security and confidentiality of the personally identifiable information involved in a data breach.
- Receive a minimum of two years of identity theft protection from the insurer, insurance producer, or other state-regulated entity in the event of a data breach.
- Receive a summary of the rights of victims of identity theft prepared under the Fair Credit Reporting Act, http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0111-fair-credit-reporting-act.pdf, in the event of a data breach that involves personally identifiable information. Your rights under the Fair Credit Reporting Act include:
  - The right to ask the three nationwide consumer reporting agencies to place “fraud alerts” in your file to let potential creditors and others know that you may be a victim of identity theft.
    - An initial “fraud alert” remains in your file for at least 90 days;
    - An extended “fraud alert” remains in your file for seven years;
  - The right to obtain free copies of your credit report;
    - An initial “fraud alert” entitles you to a copy of all information in your file for each of the three nationwide consumer reporting agencies: Equifax; Experian; and TransUnion;
    - An extended “fraud alert” entitles you to two free copies of the information in your files for each of the three nationwide consumer reporting agencies: Equifax; Experian; and TransUnion;
  - The right to have fraudulent information removed (or “blocked”) from your credit report;
  - The right to dispute fraudulent or inaccurate information on your credit report;
  - The right to obtain information from debt collectors regarding collections for fraudulent accounts and to stop the debt collector from contacting you;
  - The right to obtain copies of the documents relating to fraudulent transactions made or accounts opened using your personal information;
    - You will have to ask for these documents in writing
    - You may be asked for proof of your identity
Note: you will need to create an identity theft report to take advantage of some of these rights. This can be done online at the Federal Trade Commission’s (FTC) website: www.ftc.gov/complaint or by calling the FTC at: 1-877-438-4338 or 1-866-653-4261 (TTY)
- Request all three nationwide consumer reporting agencies to place a “security freeze” on your credit report (http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs). A “security freeze” will limit the consumer reporting agency from releasing your credit report or any information from your credit report without your authorization.
- Receive an insurer, insurance producer, or other regulated entity’s privacy policy regarding the data they collect on you. The regulated entity should provide a clear and conspicuous notice to you that accurately reflects its privacy policies and practices on an annual basis.

Note: Your specific data rights are based on and subject to state and federal law. For more details regarding protections in your state, contact your state insurance department. The contact information can be found on the NAIC’s web page, http://www.naic.org/state_web_map.htm.