NAIC Proposes New Privacy Model Law — Here's What You Need to Know
The following is a recap of PIMA's 2023 Spring Legislative & Regulatory Webinar. Note that the NAIC draft documents are always subject to input and change. For the latest updates and materials, visit NAIC's website.
It’s no secret that insurance companies routinely leverage granular data. When you divide and subdivide a dataset to its lowest and most precise levels, actuarial risk projections, for instance, become much more accurate. The same can be said for the targeting capabilities of financial products, the underwriting of policies, and simply arriving at pricing structures for policies — among a host of other activities.
For all its benefits, however, data doesn’t come without risk. Many insurance carriers still run into challenges when managing privacy-related data collection, usage, and disclosure. The ever-evolving government regulations of the insurance industry certainly haven’t helped matters. It’s become nothing less than a dynamic process, but the NAIC’s Privacy Protections (H) Working Group hopes to change all that with the Insurance Consumer Privacy Protection Model Law, otherwise known as Model Law 674.
Intended to modernize and supersede certain laws and regulations, particularly the Insurance Information and Privacy Protection Model Act (Model Law 670) and the Privacy of Consumer Financial and Health Information Regulation (Model Law 672), the proposed new Model Law sets the stage for the industry to become more responsible stewards of data. It’s a refresh of previous standards, addressing not only various consumer privacy protections but also incorporating factors such as data practices, consumer consent, new technologies, safe harbor, and notification requirements into a single Model Law.
What the Proposed New Regulation in the Insurance Industry Means for Insurers and Consumers
As the Insurance Consumer Privacy Protection Model Law is still in draft form, with calls scheduled to discuss and refine many of its components, nothing has yet been set in stone. However, one thing is for certain: Carriers can expect new and heightened restrictions around the use and disclosure of data as well as expansions in consumer privacy rights — neither of which is a bad development. For one, Model Law 674 will call for greater transparency with consumers around how and why data will be collected, processed, shared, and retained. It also expands privacy disclosure requirements, the right to access or amend personal data, and even the definition of “personal information,” which will now include biometric data.
Other aspects covered in the new law include an end to the sale and use of personal data for marketing purposes (or just the sale of data in general). Regardless of consent, the practice will likely end. The way personal data is shared will likely also change, especially for entities outside the United States. Companies must first get consumer consent, even with affiliates. Additionally, record retention requirements will go so far as to impose a time limit on how long an insurer can retain data. If it’s no longer required, the information serves no actual purpose. So, the proposal is to delete that data. All of these changes are consistent with the broader regulatory community and various insurance data security laws.
Putting Transparency and Collaboration at the Forefront of Planning
Rest assured, NAIC hasn’t drafted the proposed law without input, and there are no signs that this will change in the future. The Privacy Protections (H) Working Group has used existing Model Laws as guides, such as the Insurance Information and Privacy Protection Act. They’ve also engaged in conversations with several parties, including consumer groups and insurance carriers, to help inform the direction of Model Law 674.
Going forward, the group still intends to engage stakeholders and consider their feedback and concerns as they refine the standards. Inclusion and collaboration are core to the development of the proposed law. Stakeholders are also welcome to join in meetings to discuss the various aspects of Model Law 674.
Though this should go without saying, drafting such a sizeable proposal takes time and attention. Model Law 674 is attempting to strike a balance between protecting consumers and allowing the insurance industry to continue conducting business. It’s not enough to simply make changes. The changes, including the verbiage, must make sense and incorporate all the needs of those involved.
Understanding the Brass Tacks of the H Working Group
Even though standards have already been set by the Insurance Data Security Model Law, cybersecurity is still a point of contention for regulators. As such, the Cybersecurity (H) Working Group has been busy drafting new cybersecurity response plans for regulated entities. The group has also been monitoring federal and international developments related to consumer protections in this regard.
With new technologies being part of Model Law 674, it shouldn’t come as much of a surprise that the Innovation in Technology and Regulation (H) Working Group has its sights on working more closely with regulators to better understand the technology they’re innovating and using. When a regulator relies on using new data call technology, for instance, the industry would like to be in a better position to respond by modernizing the tools available for insurance companies.
Of course, no discussion involving regulations of the insurance industry would be complete without some mention of the pandemic and its effect on how consumers shop and interact with insurers. The pandemic caused a major increase in e-commerce, and the E-Commerce (H) Working Group has been examining e-commerce laws and regulations related to claims, e-signatures, e-notices, and other hurdles inherent in the digital realm. Much of the business that was once paper-based is now virtual, so what does that mean for providers? Guidelines have been developed to help regulators determine where and when digital methods would apply, but discussions are still ongoing. It’s all in an effort to modernize the regulatory framework for this day and age.
With a number of NAIC committees and groups working on it, chances are that Model Law 674 will be finalized in the near future. The likelihood of it being adopted by each state is also high, which means all insurers will want to reevaluate their policies and procedures. Much like when the California Consumer Privacy Act went into effect, the advice is for all providers to reexamine their processes around consumer data collection and privacy to ensure compliance.
Published on Aug. 9, 2023.
PIMA® (Professional Insurance Marketing Association®) is a member-driven trade association focused exclusively on the affinity market.