
Navigating Data Privacy Regulations in the Insurance Industry

July 28, 2023 (4 min read)

There has been a push for increased transparency and regulation in the insurance industry regarding consumer data privacy. As consumer data collection increases, the threat of ransomware attacks can expose your company to litigation or regulatory action if it is not handled properly.

Introduction of Model #674

On February 1, 2023, the National Association of Insurance Commissioners (NAIC) released Insurance Consumer Privacy Protection Model Law #674 to replace both Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672.

The two previous models had been in place for over two decades with no changes made prior to the introduction of Model #674. This speaks directly to the increased focus that consumer data privacy has received in 2023 as the guidelines can change at almost any moment.

PPWG Considerations for Model #674

When drafting Model #674, the Privacy Protection Working Group (PPWG) attempted to bring up a few key issues with previous models. The first issue addressed was to enhance transparency of how consumer data is collected and when expressed consent from the consumer is required. This extends not only to the collection of consumer data, but also to the sharing of data with another entity inside or outside of the United States.

The second issue that was addressed was to ensure that the consumer held the right to have his or her personal information amended if necessary.

The third issue introduces a new record retention requirement instead of the previously accepted “right to be forgotten” provision. There are many additional issues brought up by PPWG when drafting Model #674, which you can see here.

What This Means for You

Model #674 tells us that the NAIC is currently in the process of reviewing its historical approaches to regulation of consumer data within the insurance industry and is taking a stricter stance. The new model, along with current and future state data privacy laws, will shape the way companies are able to handle and use consumer data, in addition to the litigation that they may face for failing to comply. It is of the utmost importance that you stay up to date on your state’s privacy laws when drafting a new data privacy policy for your company. The State Law Comparison Tool allows you to compare state laws on insurance data security with ease. This can make your life much easier when dealing with compliance issues across multiple states.

Insurance Data Security Model Law

The NAIC enacted an additional model law that speaks directly to insurers. This is the Insurance Data Security Model Law, which establishes standards for both data security and for the investigation of cybersecurity events. Almost half of the states in the United States have already adopted this new model with more expected in the coming months.

The regulations impose a series of new requirements upon insurance companies. The first requirement is to conduct annual risk assessments to find any potential weak points that could be exploited. The second requirement is to maintain an information security program. The third requirement is to investigate any cybersecurity events that occur and notify the commissioner of cybersecurity events. In most states that have adopted this model, you are required to notify the commissioner within 3 days. The final requirement is to notify any consumers that were affected to let them know their data has been compromised.

If you would like a more detailed breakdown of the NAIC models, check out the NAIC Data Protection & Cybersecurity Models and Principles for Insurers Video.

Drafting Data Protection Policies and Procedures

Check out this video if you would like to see a breakdown of how data protection policies and procedures should be drafted. It goes into detail regarding the important steps insurance organizations must take to create effective data protection policies and procedures.

AI in the Insurance Industry

The introduction of artificial intelligence into the insurance industry could help assess risk at a higher level, make fraud easier to detect, and reduce human error within your company. A survey conducted by LexisNexis found that 4 in 10 lawyers are already utilizing generative AI to assist in their everyday tasks. Artificial intelligence could change the insurance sector forever, but it does raise some data privacy concerns.

Addressing Data Privacy Concerns

Practical Guidance provides highly useful resources to aid you in drafting an effective insurance policy and procedure for your company. The Data Protection in the Insurance Industry Checklist serves as an outline of important steps that you will need to take to remain compliant. These steps will cover data collection practices, privacy policies, implementation of training, risk assessment, and vendor management.

The Impact of New York Insurance Laws and Regulations on Cybersecurity Video discusses the regulation of data protection for insurers in New York. New York’s unique approach will have lasting impacts on how the rest of the states follow suit with future regulation.

With Lexis+® General Counsel Suite, you can strengthen your work with specialized content through the Insurance practice area, plus leverage practice notes, automated templates, resource kits and more — all while monitoring industry shifts with breaking business and legal news. Try it out with a 7-day free trial.