NAIC Adopts New Cybersecurity “Roadmap”

In December, the NAIC’s Executive Committee/Plenary adopted a new consumer bill of rights document entitled “NAIC Roadmap for Cybersecurity Consumer Protections”. This new document is the latest version of the NAIC’s consumer bill of rights concerning cybersecurity and is intended to comprehensively describe “the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect, maintain and use (a consumer’s) personal information”. Further, the new document states that it “will be incorporated into NAIC model laws and regulations”.

According to the new “Roadmap”, a consumer has the right to:

  • Know the types of personal information collected and stored by companies, agents, and the businesses with which they contract (such as marketers and data warehouses);
  • Expect companies and agencies to post a privacy policy on their websites and to make the policy available in hard copy upon request;
  • Expect companies, agents, and the businesses with which they contract to take reasonable steps to keep unauthorized persons from viewing, using, or stealing his or her personal information;
  • Be notified if an unauthorized person has, or likely has, viewed, stolen, or used the consumer’s personal information;
  • Receive at least one year of identity theft protection paid for by the company or agent involved in a data breach; and
  • If his or her identity is stolen,
    • put a 90-day initial fraud alert, a seven-year extended fraud alert, and a credit freeze on his or her credit reports,
    • obtain a free copy of his or her credit report from each credit bureau,
    • dispute fraudulent or incorrect information on his or her credit reports and have fraudulent information related to the security breach removed from those reports,
    • stop creditors and debt collectors from reporting fraudulent accounts related to the security breach and stop debt collectors from contacting him or her, and
    • obtain copies of documents related to the identity theft.

The Roadmap includes guidelines for what should be contained in a company’s or agent’s privacy policy and in notices sent to a consumer concerning a data security breach. According to the document, data security breach notices should never be sent to the consumer more than 60 days after the breach is discovered. Finally, the Roadmap contains definitions of terms used in the document as well as links a consumer can use to exercise the rights described in the document.

Complete information may be found in the Roadmap (below).

NAIC Roadmap for Cybersecurity Consumer Protections

Related Links:

NAIC News Release – NAIC Advances Priorities, Sets Stage for 2016 (12.18.15)

Preparing for a Data Security Breach

NAIC Cybersecurity Information Page

NAIC Cybersecurity (EX) Task Force Home Page

Contributor Profile and Legal Information:

Contributor Profile – Scott Lawson

© 2016. The Lawson Firm, LLC.
