Six months after adopting its Principles for Effective Cybersecurity Insurance Regulatory Guidance in order to guide insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them, the National Association of Insurance Commissioners' (NAIC) Cybersecurity Task Force has adopted a Cybersecurity Bill of Rights aimed at assisting consumers when their sensitive information is breached. The Cybersecurity Bill of Rights will be made available for state insurance departments to publish for local consumers (although the rights may vary depending on individual state laws or federal law), and is designed to describe to consumers what they can expect from insurance companies, agents, and other businesses when they collect, maintain, and use personal information. Those include the rights to:
- Know the types of personal information collected and stored by an insurance company, agent or business they contract with (such as marketers and data warehouses);
- Expect the insurance company, agent or any business they contract with to "take reasonable steps to keep unauthorized persons from seeing, stealing or using" personal information;
- Get a notice from the insurance company, agent or any business they contract with if an unauthorized person has (or it seems likely they have) seen, stolen or used personal information. The notice should, among other items: be sent soon after a data breach, and never more than 60 days after the data breach is discovered; describe the type of information involved in a data breach and the steps that can be taken to protect the consumer from identity theft or fraud; describe the actions taken to keep personal information safe; include contact information for the three nationwide credit bureaus; and include contact information for the company or agent involved in the breach;
- Get at least one year of identity theft protection paid for by the company or agent involved in a data breach; and
- Other rights in the cases of identity theft, such as a 90-day initial fraud alert on credit reports (the first credit bureau contacted will alert the other two) and having fraudulent information related to a data breach removed or blocked from credit reports.
The Cybersecurity Bill of Rights can be found here.