May 16 Comment Compilation


ABA Comments


Sarah Ferman
Senior Government Relations Representative
P: 202-663-5510
sferman@aba.com

May 16, 2017

By electronic delivery to:

Director Raymond G. Farmer, Chair
Superintendent Elizabeth Kelleher Dwyer, Vice Chair
Cybersecurity (EX) Working Group’s Drafting Group
National Association of Insurance Commissioners
1100 Walnut Street, Suite 1500
Kansas City, MO 64106-2197

Re: NAIC Insurance Data Security Model Law

Dear Director Farmer and Superintendent Dwyer:

The American Bankers Association (“ABA”) writes to ask the Cybersecurity Working Group’s Drafting Group to revise version 4 of the Insurance Data Security Model Law (“Model Law”) to recognize that insurance agencies that are affiliated with banks already operate under the bank’s Information Security Program, as dictated by Federal regulations.

ABA thanks the Drafting Group for the significant improvements in the new version of the Model Law, given that its scope has been limited primarily to require an insurance licensee to develop, implement and update an Information Security Program and to investigate and notify an insurance regulator of a Cybersecurity Event. We request that the Model Law be revised to deem adherence by an insurance agency with an affiliated bank’s Information Security Program to constitute compliance with Sections 4 and 5 of the Model Law.

I. BACKGROUND

Since 2001, banks have been required to comply with existing Federal data security requirements which are designed to maintain bank safety and soundness. Banks must comply with existing Federal data security requirements. Many of ABA’s member banks have affiliated insurance agencies that would need to comply with the data security requirements established by the Model Law. Banks and their affiliates often have common customers, so they routinely use a single Information System to manage data concerning both bank customers and insurance customers. As described below, the principal requirements of the new draft of the Model Law are very similar to those of the Federal data security guidelines, differing primarily in the level of detail. Therefore, we urge the Drafting Group to add language to the Model Law that reflects that compliance with the Federal data security guidelines by an insurance agency affiliated with a bank would constitute compliance with the Model Law with respect to the requirements regarding an Information Security Program and investigation of a Cybersecurity Event.

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (the “Interagency Guidelines”) – jointly issued by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency1 – establish requirements for the development and implementation of an Information Security Program to protect consumer information and customer information2 and information systems, and for investigation and reporting of a Cybersecurity Event. The Interagency Guidelines apply to banks and their affiliates, but they expressly do not apply to “persons providing insurance.”3 We have attached a copy of the Interagency Guidelines as issued by the Office of the Comptroller of the Currency.

1 12 CFR Part 30, Appendix B; Part 208, Appendix D-2; Part 205, Appendix F; Part 364, Appendix B.

2 The Interagency Guidelines apply to both consumer information and customer information. Interagency Guidelines, App. B, § I.C.2.b.-e. “Customer information” is defined to mean any record that contains nonpublic personal information, as defined in regulations issued pursuant to the Gramm-Leach-Bliley Act – a term also used in the NAIC’s Privacy of Consumer Financial and Health Information Regulation, No. 672.

3 Interagency Guidelines, App. B, § I.A.


The main requirements of the Interagency Guidelines are as follows, with footnote references to the relevant language in the attachment:

Information Security Program. Banks must establish a comprehensive written Information Security Program that includes administrative, technical and physical safeguards that are appropriate to the bank’s size.4

Program Objectives. The Information Security Program must be designed to ensure the security and confidentiality of customer information; protect against threats to the security and integrity of customer information; protect against unauthorized access to customer information that could result in substantial harm or inconvenience to a customer; and ensure proper disposal of customer information.5

Risk Assessment and Management. In developing an Information Security Program, banks are required to assess threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or of the bank’s Information System. Banks must evaluate whether existing policies are sufficient to control risks. Banks also must determine which of several security measures are appropriate for the bank, given its size, including controls to access Information Systems, physical safeguards, encryption, dual control procedures, monitoring systems, response programs, and measures to protect against destruction or loss of customer information.6

Training and Testing. A bank must train its staff on its Information Security Program and it must test the program’s controls, systems and procedures.

Oversight of Third Party Service Providers. Banks must oversee third party service provider arrangements, including the exercise of due diligence in selecting service providers and monitoring a service provider’s compliance with the requirements of the bank’s Information Security Program.7

Program Adjustment. Banks must adjust the Information Security Program as technology changes.8

Oversight by Board of Directors. A bank’s board of directors must receive annual reports on the status of the bank’s Information Security Program.9

Investigation of a Cybersecurity Event. Banks must develop and be prepared to implement a program to respond to a Cybersecurity Event, including investigating the nature and scope of the event.10

Notification of a Cybersecurity Event. A bank must notify its primary Federal regulator “as soon as possible” after becoming aware of a Cybersecurity Event, and it must notify law enforcement via a Suspicious Activity Report, as required by Federal regulations.11

Notification to Customers. A bank is required to establish and implement a customer notification program.12

4 Id., § III.

5 Id., § II.B.

6 Id., § III.B.-C.

7 Id., § III.D.

8 Id., § III.E.

9 Id., § III.A., F.

10 Interagency Guidelines, App. B, Supp. A (Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice), § II.A.1.-2, III.A.

11 Id., § I.A.b.-c.

12 Id., § III.

II. RECOMMENDATIONS

All of these requirements of the Interagency Guidelines are also requirements of the Model Law, although the Model Law addresses some of the topics in more detail. But with respect to the contents and implementation of an Information Security Program, both banks, in the case of the Interagency Guidelines, and insurance licensees, in the case of the Model Law, are given some flexibility in program development and implementation. Accordingly, so that insurance agencies affiliated with a bank are able to comply with one set of requirements regarding cybersecurity, we urge the Drafting Group to modify the Model Law to read that compliance by a bank-affiliated insurance agency with Federal data security requirements, as adopted and implemented by the bank affiliate, shall constitute compliance with Section 4 of the Model Law (Information Security Program) and Section 5 (Investigation of a Cybersecurity Breach), and to provide additional time to report a Cybersecurity Event to an insurance regulator. We recommend the following specific revisions:

1. Add the following exception to Section 9(A) of the Model Law:

“A Licensee that is affiliated with a bank that is in compliance with the Federal Interagency Guidelines Establishing Standards for Safeguarding Customer Information and that has fully adopted and implemented the bank’s Information Security Program and the bank’s policies regarding breach is deemed to be in compliance with the requirements of Sections 4 and 5.”

2. Change the first paragraph of Section 6(A) to read as follows (incorporating the strikeout):

“Each Licensee shall notify the Commissioner as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred. . . .”

III. CONCLUSION

Insurance agencies affiliated with a bank often use a common Information System to manage information about both banking customers and insurance customers. An insurance agency will rely on the Information Security Program developed by the affiliated bank to protect the Information System and the data it contains. As long as the bank’s Information Security Program complies with the Interagency Guidelines, an affiliated insurance agency should be able to rely on the bank’s program. The ABA urges the Drafting Group to consider an insurance agency to be in compliance with Sections 4 and 5 of the Model Law if it relies on an affiliated bank’s Information Security Program. We also urge the Drafting Group to give insurance licensees more time to report a Cybersecurity Event to an insurance regulator.

We thank the Drafting Group for the opportunity to comment on the new version of the draft Model Law and look forward to discussing this comment letter with the Drafting Group on its next call.

Sincerely,


Appendix B to Part 30 -- Interagency Guidelines Establishing Information Security Standards

Table of Contents

I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Information Security
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Information Security Standards (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b) of the Gramm-Leach Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w).

§ A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which the OCC has authority. Such entities, referred to as "the national bank or Federal savings association," are national banks, Federal savings associations, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). The Guidelines also apply to the proper disposal of consumer information by or on behalf of such entities.

§ B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the OCC to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The OCC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the OCC.

§ C. Definitions.

§ 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p-1).

§ 2. For purposes of the Guidelines, the following definitions apply:

§ a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.

§ b. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the national bank or Federal savings association for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

§ i. Examples. (1) Consumer information includes:

§ (A) A consumer report that a national bank or Federal savings association obtains;


§ (B) Information from a consumer report that the national bank or Federal savings association obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;

§ (C) Information from a consumer report that the national bank or Federal savings association obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;

§ (D) Information from a consumer report that the national bank or Federal savings association obtains about an individual who guarantees a loan (including a loan to a business entity); or

§ (E) Information from a consumer report that the national bank or Federal savings association obtains about an employee or prospective employee.

§ (2) Consumer information does not include:

§ (A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or

§ (B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.

§ c. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).

§ d. Customer means any customer of the national bank or Federal savings association as defined in 12 CFR 1016.3(i).

§ e. Customer information means any record containing nonpublic personal information, as defined in 12 CFR 1016.3(p), about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the national bank or Federal savings association.

§ f. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

§ g. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the national bank or Federal savings association.

II. Standards for Information Security

§ A. Information Security Program. Each national bank or Federal savings association shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the national bank or Federal savings association and the nature and scope of its activities. While all parts of the national bank or Federal savings association are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

§ B. Objectives. A national bank's or Federal savings association's or Federal savings association's information security program shall be designed to:

§ 1. Ensure the security and confidentiality of customer information;

§ 2. Protect against any anticipated threats or hazards to the security or integrity of such information;

§ 3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and

§ 4. Ensure the proper disposal of customer information and consumer information.

III. Development and Implementation of Information Security Program

§ A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each national bank or Federal savings association shall:

§ 1. Approve the national bank's or Federal savings association's or Federal savings association's written information security program; and

§ 2. Oversee the development, implementation, and maintenance of the national bank's or Federal savings association's or Federal savings association's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

§ B. Assess Risk. Each national bank or Federal savings association shall:


§ 1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

§ 2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

§ 3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

§ C. Manage and Control Risk. Each national bank or Federal savings association shall:

§ 1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the national bank's or Federal savings association's or Federal savings association's activities. Each national bank or Federal savings association must consider whether the following security measures are appropriate for the national bank or Federal savings association and, if so, adopt those measures the national bank or Federal savings association concludes are appropriate:

§ a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

§ b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

§ c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

§ d. Procedures designed to ensure that customer information system modifications are consistent with the national bank's or Federal savings association's or Federal savings association's information security program;

§ e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

§ f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

§ g. Response programs that specify actions to be taken when the national bank or Federal savings association suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

§ h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

§ 2. Train staff to implement the national bank's or Federal savings association's information security program.

§ 3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the national bank's or Federal savings association's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

§ 4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements of this paragraph III.

§ D. Oversee Service Provider Arrangements. Each national bank or Federal savings association shall:

§ 1. Exercise appropriate due diligence in selecting its service providers;

§ 2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

§ 3. Where indicated by the national bank's or Federal savings association's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by section D.2. As part of this monitoring, a national bank or Federal savings association should review audits, summaries of test results, or other equivalent evaluations of its service providers.

§ E. Adjust the Program. Each national bank or Federal savings association shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the national bank's or Federal savings association's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

§ F. Report to the Board. Each national bank or Federal savings association shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the national bank's or Federal savings association's compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

§ G. Implement the Standards.

§ 1. Effective date. Each national bank or Federal savings association must implement an information security program pursuant to these Guidelines by July 1, 2001.

§ 2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a national bank or Federal savings association has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the national bank or Federal savings association entered into the contract on or before March 5, 2001.

§ 3. Effective date for measures relating to the disposal of consumer information. Each national bank or Federal savings association must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005.

§ 4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a national bank's or Federal savings association's contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.

Supplement A to Appendix B to Part 60 -- Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

§ I. Background

This Guidance n1 interprets section 501(b) of the Gramm-Leach-Bliley Act ("GLBA") and the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines") n2 and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The scope of, and definitions of terms used in, this Guidance are identical to those of the Security Guidelines. For example, the term "customer information" is the same term used in the Security Guidelines, and means any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, maintained by or on behalf of the institution.

n1 This Guidance was jointly issued by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Pursuant to 12 U.S.C. 5412, the OTS is no longer a party to this Guidance.

n2 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and part 225, app. F (Board); and 12 CFR part 364, app. B and 12 CFR 391.5 (FDIC). The "Interagency Guidelines Establishing Information Security Standards" were formerly known as "The Interagency Guidelines Establishing Standards for Safeguarding Customer Information."


§ A. Interagency Security Guidelines

Section 501(b) of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information. Accordingly, the Agencies issued Security Guidelines requiring every financial institution to have an information security program designed to:

§ 1. Ensure the security and confidentiality of customer information;

§ 2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

§ 3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

§ B. Risk Assessment and Controls

§ 1. The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:

§ a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

§ b. The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and

§ c. The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. n3

n3 See Security Guidelines, III.B.

§ 2. Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines, n4 and adopt those that are appropriate for the institution, including:

n4 See Security Guidelines, III.C.

§ a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

§ b. Background checks for employees with responsibilities for access to customer information; and

§ c. Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies. n5

n5 See Security Guidelines, III.C.


§ C. Service Providers

The Security Guidelines direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. n6

n6 See Security Guidelines, II.B. and III.D. Further, the Agencies note that, in addition to contractual obligations to a financial institution, a service provider may be required to implement its own comprehensive information security program in accordance with the Safeguards Rule promulgated by the Federal Trade Commission ("FTC"), 16 CFR part 314.

§ II. Response Program

Millions of Americans, throughout the country, have been victims of identity theft. n7 Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information. For example, financial institutions should place access controls on customer information systems and conduct background checks for employees who are authorized to access customer information. n8 However, every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems n9 that occur nonetheless. A response program should be a key part of an institution's information security program. n10 The program should be appropriate to the size and complexity of the institution and the nature and scope of its activities.

n7 The FTC estimates that nearly 10 million Americans discovered they were victims of some form of identity theft in 2002. See The Federal Trade Commission, Identity Theft Survey Report, (September 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.

n8 Institutions should also conduct background checks of employees to ensure that the institution does not violate 12 U.S.C. 1829, which prohibits an institution from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).

n9 Under the Guidelines, an institution's customer information systems consist of all of the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers. See Security Guidelines, I.C.2.d.

n10 See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002, available at http://www.ffiec.gov/ffiecinfobase/html-pages/infosec-book-frame.htm; Federal Reserve SR 97-32, Sound Practice Guidance for Information Security for Networks, Dec. 4, 1997; OCC Bulletin 2000-14, "Infrastructure Threats -- Intrusion Risks" (May 15, 2000), for additional guidance on preventing, detecting, and responding to intrusions into financial institution computer systems.

In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in the Guidelines that relate to these arrangements, and with existing guidance on this topic issued by the Agencies, n11 an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.

n11 See Federal Reserve SR Ltr. 13-19, Guidance on Managing Outsourcing Risk, Dec. 5, 2013; OCC Bulletin 2013-29, "Third-Party Relationships--Risk Management Guidance," Oct. 30, 2013; and FDIC FIL 68-99, Risk Assessment Tools and Practices for Information System Security, July 7, 1999.

A. Components of a Response Program

1. At a minimum, an institution's response program should contain procedures for the following:

a. Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;

b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;

c. Consistent with the Agencies' Suspicious Activity Report ("SAR") regulations, n12 notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;

n12 An institution's obligation to file a SAR is set out in the Agencies' SAR regulations and Agency guidance. See 12 CFR 21.11 (national banks, Federal branches and agencies); 12 CFR 163.180 (Federal savings associations); 12 CFR 208.62 (State member banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) (uninsured State branches and agencies of foreign banks); 12 CFR 225.4(f) (bank holding companies and their nonbank subsidiaries); 12 CFR part 353 (State non-member banks); and 12 CFR 390.355 (state savings associations). National banks and Federal savings associations must file SARs in connection with computer intrusions and other computer crimes. See OCC Bulletin 2000-14, "Infrastructure Threats--Intrusion Risks" (May 15, 2000); see also Federal Reserve SR 01-11, Identity Theft and Pretext Calling, Apr. 26, 2001.

d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; n13 and

n13 See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002, pp. 68-74.

e. Notifying customers when warranted.

2. Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institution may authorize or contract with its service provider to notify the institution's customers or regulator on its behalf.


III. Customer Notice

Financial institutions have an affirmative duty to protect their customers' information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer's information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to manage an institution's reputation risk. Effective notice also may reduce an institution's legal risk, assist in maintaining good customer relations, and enable the institution's customers to take steps to protect themselves against the consequences of identity theft. When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.

A. Standard for Providing Notice

When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.

1. Sensitive Customer Information

Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of this Guidance, sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.

2. Affected Customers

If a financial institution, based upon its investigation, can determine from its logs or other data precisely which customers' information has been improperly accessed, it may limit notification to those customers with regard to whom the institution determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers' information has been accessed. If the circumstances of the unauthorized access lead the institution to determine that misuse of the information is reasonably possible, it should notify all customers in the group.
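The notice standard in Section III.A, the definition of sensitive customer information in III.A.1, and the affected-customers rule in III.A.2 together form a breach-scoping decision that an incident responder applies to investigation findings. The block below is an added example written for this compilation; it is not part of the Interagency Guidance or of the ABA's or ACLI's submissions. The field names, customer records and access events are constructed, and "misuse reasonably possible" is taken as the investigator's judgment (an input) rather than computed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Constructed encoding of the Guidance's definition of "sensitive customer
# information" (Section III.A.1).  The field labels are hypothetical names
# for a record schema, not identifiers taken from the page.
IDENTIFIERS = frozenset({"name", "address", "phone"})
SECRETS = frozenset({"ssn", "drivers_license", "account_number",
                     "card_number", "pin", "password"})
# Combinations that on their own would let someone log on to an account.
LOGIN_COMBINATIONS = (frozenset({"username", "password"}),
                      frozenset({"password", "account_number"}))


def is_sensitive(fields: Iterable[str]) -> bool:
    """True when the field set meets the definition: an identifier
    (name/address/phone) together with a secret, or any login-enabling combo."""
    f = frozenset(x.lower() for x in fields)
    if (f & IDENTIFIERS) and (f & SECRETS):
        return True
    return any(combo <= f for combo in LOGIN_COMBINATIONS)


@dataclass(frozen=True)
class AccessEvent:
    """One finding from the investigation (constructed)."""
    file_group: str
    customer_id: str | None    # None when logs show only that the group was read
    fields: frozenset[str]     # fields known to have been accessed (may be empty)


@dataclass
class NoticeDecision:
    customers: set[str]   # customers who must receive notice
    delayed: bool         # True while a written law-enforcement request stands


def affected_customers(events, customer_records) -> set[str]:
    """Section III.A.2: when logs identify the customer, notify that customer
    (if sensitive information was reached); when only a file group is known
    to have been accessed, notify every customer in that group whose stored
    record is sensitive."""
    notify: set[str] = set()
    for ev in events:
        if ev.customer_id is not None:
            if is_sensitive(ev.fields):
                notify.add(ev.customer_id)
        else:
            for cid, rec in customer_records.items():
                if rec["group"] == ev.file_group and is_sensitive(rec["fields"]):
                    notify.add(cid)
    return notify


def decide_notice(events, customer_records, misuse_reasonably_possible: bool,
                  law_enforcement_written_delay: bool = False) -> NoticeDecision:
    """Section III.A: notify affected customers when misuse has occurred or is
    reasonably possible; hold the notice only on a written law-enforcement
    request, and send it once that request no longer applies."""
    if not misuse_reasonably_possible:
        return NoticeDecision(set(), False)
    return NoticeDecision(affected_customers(events, customer_records),
                          law_enforcement_written_delay)


# Constructed sample data: a small customer directory and three findings.
CUSTOMERS = {
    "C001": {"group": "loans-2016", "fields": {"name", "address", "ssn"}},
    "C002": {"group": "loans-2016", "fields": {"name", "phone"}},
    "C003": {"group": "cards-2017", "fields": {"name", "card_number"}},
    "C004": {"group": "cards-2017", "fields": {"username", "password"}},
    "C005": {"group": "cards-2017", "fields": {"address"}},
}

EVENTS = [
    AccessEvent("loans-2016", "C001", frozenset({"name", "ssn"})),    # precise, sensitive
    AccessEvent("loans-2016", "C002", frozenset({"name", "phone"})),  # precise, not sensitive
    AccessEvent("cards-2017", None, frozenset()),                     # whole group read
]

if __name__ == "__main__":
    decision = decide_notice(EVENTS, CUSTOMERS, misuse_reasonably_possible=True)
    print(sorted(decision.customers))  # ['C001', 'C003', 'C004']
```

C002 drops out because only name and phone were reached, which the definition does not treat as sensitive on their own; C005 drops out of the group fallback for the same reason, while C004 is included because a username and password together permit account access even without a name or address.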

B. Content of Customer Notice

1. Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the institution has done to protect the customers' information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance. n14 The notice also should remind customers of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the institution. The notice should include the following additional items, when appropriate:

n14 The institution should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance.

a. A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;

b. A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer's consumer reports to put the customer's creditors on notice that the customer may be a victim of fraud;

c. A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

d. An explanation of how the customer may obtain a credit report free of charge; and

e. Information about the availability of the FTC's online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC's Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft. n15

n15 Currently, the FTC Web site for the ID Theft brochure and the FTC Hotline phone number are http://www.consumer.gov/idtheft and 1-877-IDTHEFT. The institution may also refer customers to any materials developed pursuant to section 151(b) of the FACT Act (educational materials developed by the FTC to teach the public how to prevent identity theft).

2. The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

C. Delivery of Customer Notice

Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.


ACLI Comments


Roberta B. Meyer

Vice President & Associate General Counsel

May 16, 2017

The Honorable Raymond G. Farmer, Chair

The Honorable Elizabeth Kelleher Dwyer, Vice Chair

Cybersecurity Working Group

NAIC Central Office

1100 Walnut, Suite 1500

Kansas City, MO 64106-2197

Attn: Sara Robben, Statistical Advisor

VIA Electronic Mail: [email protected]

Re: Proposed NAIC Insurance Data Security Model Law – Version 4

Dear Director Farmer and Superintendent Dwyer:

ACLI is writing to follow up on our 5/8/17 comments to the Cybersecurity Working Group (“Working Group”) relating to Version 4 of the proposed Insurance Data Security Model Law (“Model Law”). ACLI again commends and thanks the Working Group for its efforts, reflected in Version 4, to develop a model that provides risk-based security standards and seeks to promote necessary uniformity and consistency in security standards across the country. ACLI believes Version 4 reflects significant improvements over previous drafts of the proposed Model Law.

ACLI strongly concurs with remarks made during the 4/9/17 Working Group meeting and reflected in Version 4 of the proposed Model Law relating to the need for consistency and uniformity in state security standards applicable to insurance licensees. As more states adopt enhanced and more specific security requirements, the need for consistency and uniformity in these standards will become increasingly important. Different security requirements in different states would be particularly problematic, because life insurers’ and other insurance licensees’ security programs, policies, and systems are typically company wide, and generally do not, and may not practicably, vary from state to state. On the other hand, consistent, uniform, and risk-based security standards from state to state will provide level protection of insurance consumers’ personal information across the country and enhance insurance licensees’ ability to effectively protect the security of that information and the information systems on which the information is stored.

Notwithstanding the Working Group’s considerable efforts, reflected in Version 4, to promote uniformity and consistency in security requirements applicable to insurance licensees from state to state, ACLI has some concerns with Version 4. As explained more fully below, ACLI’s key concerns generally relate to: (i) the absence of a statement of intent for the security requirements set forth in the Model Law and in the Standards for Safeguarding Customer Regulation (“Safeguards Model Regulation”) to constitute the exclusive security standards applicable to insurance licensees in the enacting state; (ii) the workability of a number of the notice requirements relating to Cybersecurity Events; (iii) the effective date; and (iv) other technical matters.


Key ACLI Concerns

Section 2. Purpose and Intent

Discussion

ACLI is concerned that Section 2 does not expressly provide that the Model Act and the Safeguards Model Regulation establish the exclusive security standards applicable to insurance licensees in the state. This could undercut the Working Group’s significant efforts to promote consistency and uniformity in state security standards applicable to insurance licensees reflected in other sections of Version 4.

Not only is it fundamentally important for security standards applicable to insurance licensees to be consistent and uniform from state to state, it also is important for insurance licensees to be subject to a single set of security standards or exclusive security standards within a single state. Multiple and possibly inconsistent standards applicable to insurance licensees in a single state are likely to undercut the goal of consistency and uniformity from state to state and may be practicably unworkable.

As discussed more fully in Appendix A, in addition to the 36 state regulations tracking the NAIC Model Safeguards Regulation, there are at least 14 states that have general data security laws or regulations. The majority of these laws and regulations subject covered persons and businesses to very general requirements to implement and maintain reasonable security procedures and practices. Several provide for enforcement by the state Attorneys General (“AG”). Several of the laws and regulations provide exemptions or deemers of compliance for financial institutions or covered persons subject to and in compliance with laws that require greater data security protections.

ACLI submits that it would be both appropriate and defensible for the proposed new Model Law to expressly provide that the security requirements in the Model Law and the Model Safeguards Regulation establish the exclusive data security requirements applicable to insurance licensees in the enacting state for several reasons:

(i) As indicated above, multiple, possibly inconsistent data security standards applicable to insurance licensees in individual states are likely to undercut the fundamental goal and benefits of uniform and consistent standards from state to state, and may well be practicably unworkable;

(ii) The combination of the security requirements in the Model Law and the Model Safeguards Regulation is likely to provide greater and more specific data security protections, more specifically tailored to insurance licensees and the protection of their customers’ personal information and the systems on which such information is stored, than most, if not all, of the existing or future general data security laws; and

(iii) Notwithstanding state AG enforcement of several existing general state data security laws, several of the existing laws provide exemptions or deemers of compliance for covered persons and businesses that are financial institutions or subject to and in compliance with data security laws that provide more protection, effectively providing for these laws to be superseded by other laws that provide greater and more tailored requirements.

Proposed Modifications

In view of the above, ACLI urges the following modifications:

(1) The following sentence should be added at the end of Section 2.B:

“Notwithstanding any other provision of law, this Act and the Standards for Safeguarding Customer Information Regulation establish the exclusive standards in this state for data security applicable to Licensees.”

(2) Section 9.A. should be modified by adding the following new subsection (4) that reads as follows:

“(4) A Licensee that has established and maintains an Information Security Program pursuant to a state or federal law that provides greater protection than the requirements of Section 4 is deemed in compliance with the requirements of Section 4. If a Licensee relies upon this provision it shall provide the Commissioner, upon request, the specific state or federal statute or regulation upon which it relies and the manner in which it asserts compliance.”

(3) Section 11, which provides for an optional provision that expressly grants the Commissioner the authority to promulgate regulations, should be eliminated in its entirety. Different regulations in different states would undercut the fundamental goal of consistency and uniformity in data security standards from state to state. While a NAIC model regulation, if it were to be developed and adopted in the states, might provide for uniformity, given the level of detail in the Model Law, no such regulation is necessary.

Section 3. Definitions

ACLI has a number of workability concerns with the notice requirements in Section 6, exacerbated by significant concern with the current definition of “Cybersecurity Event,” in Section 3.C. ACLI also has some concerns with the definition of “Consumer” in Section 3.B., and some technical concerns with the definition of “Nonpublic Information,” in Section 3.I.

Section 3.C. “Cybersecurity Event”

The inclusion of unsuccessful attempts within the scope of this term gives rise to significant concern given the thousands of daily unsuccessful attempts to access insurance licensees’ systems, and the unnecessary resource strain to insurance departments and insurance licensees likely to result from a notice requirement relating to such attempts. ACLI appreciated Superintendent Dwyer’s comments during the 5/9/17 Drafting Group call indicating an understanding of this concern and plans to address it either in the definition of “Cybersecurity Event” or in the notice requirements in Section 6. To make the Model Law as clear as possible, ACLI suggests modification both to the definition and to Section 6.

ACLI suggests further clarification to the definition of “Cybersecurity Event” to add a materiality standard and to substitute the reference to “information” with reference to “Nonpublic Information,” in line with the rest of the Model Law.

Accordingly, ACLI urges modification of the first sentence of the definition to read as follows:

“C. ‘Cybersecurity Event’ means unauthorized, material access to, disruption, or misuse of an Information System or Nonpublic Information stored on such Information System.”

Section 3.B. “Consumer”

To clarify the definition of this term, ACLI urges modification to make it more consistent with the definition of “Consumer” in the NAIC Privacy of Consumer Financial and Health Information Regulation (“Model Privacy Regulation”). Accordingly, ACLI urges modification of the definition to read as follows: “‘Consumer’ means an individual who is a resident of this state who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee, that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual’s legal representative.”


Section 3.I. “Nonpublic Information”

ACLI urges a couple of technical amendments to this definition: (i) in Section 3.I.(2)(c), to substitute “account number” with “financial account number;” and (ii) in Section 3.I.(3), to add the phrase “concerning an individual” after “data,” and before “except” and to make corresponding changes in subsections (a) – (c) to substitute “any” with “the” before “individual.”

Section 3.K. “Third Party Service Provider”

ACLI urges a technical change to the definition of third party service provider. Specifically, to ensure consistency with the New York Cybersecurity Requirements for Financial Services Companies (“New York Cybersecurity Regulation”), we request the exemption for insurance affiliates.

Section 4. “Information Security Program”

ACLI suggests the following technical and clarifying modifications to Section 4:

(1) Section 4.B.(3). We would urge the deletion of the term “inconvenience.” We believe that judging what constitutes an inconvenience is entirely too vague. We believe that deleting this term and tying the objective of an information security program to minimizing the likelihood of harm is more appropriate.

(2) Section 4.D.(1)(b). The meaning and possible construction of the term “best practices” is unclear. Accordingly, ACLI suggests the second sentence of this subsection be modified to read as follows: “Licensees shall use cybersecurity protection, detection, and remediation, that is available, feasible, and commensurate with its nature, scope, scale and complexity.”

(3) Section 4.D.(2). Given the breadth of the definition of “Information Systems” and the fact that many insurance licensees are likely to have legacy systems for which certain security measures may simply not be feasible, in line with the modification to Section 4.D.(1)(b), proposed above, ACLI urges modification to the first sentence of Section 4.D.(2). to add the phrase “and feasible” after “appropriate” and before the “:”.

(4) Section 4.D.(2)(b). It is likely to be very difficult if not impossible to “ensure” that data, personnel, devices, systems, and facilities are identified and managed consistent with their relative importance. Accordingly, ACLI urges modification to this section to read as follows: “Data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes should be identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.” More broadly, ACLI urges the removal of the term “ensure” from the entire model.

(5) Section 4.E.(1). There is concern the requirement for the Board or a Board Committee to “oversee” development, implementation and maintenance of the Licensee’s Information Security Program may be construed to mean that the Board or appropriate Board committee has direct responsibility for these roles. However, these roles are likely to be more appropriate to executive or senior management than the Board. Accordingly, ACLI urges modification to the first sentence of this section to read as follows: “If the Licensee has a board of directors, the board, an appropriate committee of the board, or appropriate executive or senior management chosen by the board shall, at a minimum:” ACLI also suggests deletion of Section 4.E.(3) because its meaning is unclear.


Section 5. Investigation of a Cybersecurity Event

Section 5.D.

ACLI urges modification to this section to expressly include a materiality standard to read as follows: “The Licensee shall maintain records concerning all Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Licensee.”

Section 6. Notification of a Cybersecurity Event

As indicated above, ACLI has several workability concerns with the notice requirements in Section 6. Also, several of the requirements in Section 6, such as those in Sections 6.A., 6.B. and 6.F., discussed below, differ from, or are not included in, the requirements for notification of a Cybersecurity Event with which Licensees that do business in New York already must comply under the New York Cybersecurity Regulation. This would undercut the apparent efforts of the Cybersecurity Drafting Group to harmonize the requirements of the Model Law with the requirements of the New York Cybersecurity Regulation.

Section 6.A. As discussed above, ACLI is concerned that “Cybersecurity Event,” as currently defined, continues to include unsuccessful attempts to access, disrupt or misuse a Licensee’s Information System. There is concern about licensees’ ability to provide the required notice within 72 hours from determination that a Cybersecurity Event has occurred, particularly if the 72 hours fall on a weekend or holiday. In addition, ACLI submits there should be no distinction between the notice requirements of domestic and “nondomestic” Licensees; or, at a minimum, there should be a materiality standard for notices required of domestic licensees.

In view of the above, ACLI urges modification to Section 6. as follows:

(1) The first sentence should be modified to read as follows: “Each licensee shall notify the Commissioner as promptly as possible but in no event later than 3 business days from a determination that a successful Cybersecurity Event has occurred if:”

(2) Section 6.A.(1) should be eliminated in its entirety and the numbering of Section 6.A. should be adjusted accordingly. At a minimum, Section 6.A.(1) should be modified to provide that an insurer domiciled in the state is only required to provide notice of Cybersecurity Events described in Sections 6.A.(2)(a) and (b).

(3) Section 6.B. In line with previous ACLI comments relating to similar provisions in previous NAIC drafts of the Model Law, ACLI is concerned with the workability of the requirements to provide the extensive list of information “as possible,” and to continually update and supplement notifications to the commissioner, and with the possibility that these requirements will be interpreted and enforced differently by multiple different commissioners in the event of a nationwide breach. Moreover, commissioners already have the authority to request information they deem necessary after they receive notification of a Cybersecurity Event as required in Section 6.A. Accordingly, ACLI urges deletion of Section 6.B. At a minimum, ACLI urges modification to the first sentence of Section 6.B. to read as follows: “The Licensee shall provide as much of the following information as possible and practicable as promptly as possible.”

(4) Section 6.C. It is unclear how the requirement to provide a copy of the notice sent to Consumers in this section is intended to mesh with the requirement in Section 6.A.(2) to provide notice if the Licensee reasonably believes that the Nonpublic Information of 250 or more residents is involved. ACLI suggests there is no need to provide the commissioner a copy of the consumer notice if the commissioner does not receive notice of the related Cybersecurity Event under Section 6.A. Accordingly, ACLI urges clarification to Section 6.C. to read as follows: “Notification to Consumers. The Licensee shall comply with [insert state’s data breach notification law] and provide a copy of the notice sent to Consumers under that statute to the Commissioner, unless the Licensee is not required to provide notice to the Commissioner under Section 6.A.”

(5) Section 6.E. We anticipate submitting input on this subsection shortly.

(6) Section 6.F. ACLI has several concerns with the requirements of this section, which are likely to be unnecessarily burdensome on insurers, given the breadth of the current definition of “Cybersecurity Event,” discussed above, and the fact that notice is required to be provided to all producers within 72 hours of determination that a Cybersecurity Event occurred. Not only should notices of Cybersecurity Events between insurers and producers be governed by their contracts, the rationale for this requirement is unclear, particularly since producers will generally be notified of Cybersecurity Events long before consumers are informed as required under consumer breach notification laws. Accordingly, ACLI urges deletion of this section in its entirety.

Section 9. Exemptions

Section 9.A.(3)

ACLI submits that not only is there no reason for agents that also are Licensees and that are covered by the Information Security Program of the other Licensee to be required to develop their own Information Security Programs; ACLI also believes there is no reason to subject these agents to any of the requirements of the Model Law, in line with the corresponding provision in the New York Cybersecurity Regulation. Accordingly, ACLI urges modification to this section to read as follows:

“(3) An employee, agent, representative or designee of a Licensee, who also is a Licensee, is exempt from this Act and need not develop its own Information Security Program to the extent that the employee, agent, representative or designee is covered by the Information Security Program of the other Licensee.”

New Section 9.A.(4)

As discussed above in the discussion relating to Section 2, and in line with the approach taken in a number of existing state general data security laws that provide exemptions or deemers of compliance for covered persons subject to and in compliance with data security laws that provide greater protection, Section 9.A. should be modified by adding a new subsection (4) that reads as follows:

“(4) A Licensee that has established and maintains an Information Security Program pursuant to a state or federal law that provides greater protection than the requirements of Section 4 is deemed in compliance with the requirements of Section 4. If a Licensee relies upon this provision it shall provide the Commissioner, upon request, the specific state or federal statute or regulation upon which it relies and the manner in which it asserts compliance.”

Section 11. Rules and Regulations [OPTIONAL]

As discussed above in the discussion relating to Section 2 and the need for uniformity and consistency in security requirements from state to state, this section should be deleted in its entirety.

Section 13. Effective Date

There is concern that the general requirement to come into compliance with the Act within 180 days of its effective date may not allow adequate time to make necessary systems and other adjustments – particularly for smaller companies not already subject to the New York Cybersecurity Regulation. Accordingly, ACLI urges modification to provide other transition periods, in addition to that provided for implementation of Section 4.(F), to extend the deadline by which Licensees must come into compliance with other requirements of the Act.

Conclusion

Again, ACLI acknowledges and appreciates the positive movement reflected in Version 4 that we believe will lead to a Model Law that will benefit consumers as well as insurance licensees. ACLI thanks the Working Group for the opportunity to submit these comments and its continued consideration of our views.

Sincerely,

Roberta B. Meyer


APPENDIX A

Brief Overview of Existing State Data Security Laws

In addition to the 36 state regulations tracking the Model Safeguards Regulation, based on a recent compilation of the National Conference of State Legislatures (NCSL) and to the best of ACLI’s knowledge, at least 14 states have general data security laws or regulations.1 Based on ACLI’s review of these laws and regulations, the majority impose very general requirements on covered persons and businesses to implement and maintain reasonable security procedures and practices. A law enacted in Connecticut (applicable to health insurers, including disability income and long term care insurers, only), an Oregon law, and a regulation adopted in Massachusetts impose relatively detailed security requirements.2 Also, a law enacted in Nevada includes relatively detailed encryption requirements in addition to a general requirement to implement and maintain reasonable security measures.3

At least 7 of the 14 general state data security laws or regulations, including those enacted or adopted in Arkansas, Connecticut, Florida, Indiana, Kansas, Nevada, and Rhode Island, expressly provide for exclusive or some enforcement by the Attorney General (“AG”).4 The Connecticut law described above, which is applicable to health insurers, including disability income and long term care insurers, only, provides for enforcement by the Insurance Commissioner, but grants the AG, as well as the Insurance Commissioner, authority to request a copy of and changes to a covered company’s information security program. Another Connecticut law, which imposes general security requirements, is enforced by the Department of Consumer Protection or other state agency with which the covered entity is licensed. The Massachusetts regulation described above provides for enforcement by the Department of Consumer Affairs and Business Regulation.

At least 6 of the laws or regulations, including those enacted or adopted in California, Connecticut, Indiana, Oregon, Texas, and Utah, exempt or provide deemers of compliance for financial institutions or for compliance with GLBA requirements for security programs.5 At least 5 of the laws or regulations, including those enacted or adopted in Arkansas, California, Kansas, Nevada and Oregon, exempt or provide deemers of compliance for compliance with laws that provide more data security protection, though they generally do not provide relief from the duty to comply with other data security laws or regulations.6

1 Ark. Code Section 4-110-104(b); Cal Civ. Code Sections 198.81 & 1798.81.5; Conn. Gen. Stat Section 42-471 and Substitute Senate Bill No 949 Public Act No. 15-142 (that includes Conn. Gen. Stat. Section 38a-999b); Fla. Stat. Section 501.171(2); Ind. Code Section 24-4.9-3-3.5; K.S. Section 50-6,139b; Md. Code Com Law Sections 14-3501-3503; Mass. Gen. Laws Ch. 93H Section 2(a) & 201 Mass. Code of Regs. 17.00-17.04; Minn. Stat. Section 325M.05; Nev. Rev. Stat. Sections 603A.210 & 603A.215(2); Or. Rev. Stat Section 646A.622; R.I. Gen. Laws Section 11-49.3.2; Tex. Bus & Com Code Section 521.052; Utah Code Section 13-44-101, 201, 301.

2 Conn. Gen. Stat. Section 38a-999b; Or. Rev. Stat Section 646A.622; 201 Mass. Code of Regs. 17.00-17.04

3 Nev. Rev. Stat. Sections 603A.210 & 603A.215(2)

4 Ark. Code Section 4-110-104(b); Conn. Gen. Stat. Sec. 38a-999b (provides for enforcement by the Insurance Commissioner, but permits either the Insurance Commissioner or the AG to request a copy of a covered company’s information security program; and if either the Insurance Commissioner or the AG determines that the program does not meet the requirements of the law, the company shall make changes to bring the program into conformance to the satisfaction of the Insurance Commissioner or AG); Fla. Stat. Section 501.171(2); Ind. Code Section 24-4.9-3-3.5; K.S. Section 50-6,139b; Nev. Rev. Stat. Sections 603A.210 & 603A.215(2); R.I. Gen. Laws Section 11-49.3.2

5 Cal Civ. Code Sections 198.81 & 1798.81.5; Conn. Gen. Stat Section 42-471; Ind. Code Section 24-4.9-3-3.5; Or. Rev. Stat Section 646A.622; Tex. Bus & Com Code Section 521.052; Utah Code Section 13-44-101, 201, 301.

6 Ark. Code Section 4-110-104(b); Cal Civ. Code Sections 198.81 & 1798.81.5; K.S. Section 50-6,139b; Nev. Rev. Stat. Sections 603A.210 & 603A.215(2); Or. Rev. Stat Section 646A.622


AIA Comments


May 16, 2017

Director Raymond Farmer, Chair
Superintendent Elizabeth Dwyer, Vice Chair
Cybersecurity (EX) Working Group
NAIC Central Office
1100 Walnut, Suite 1500
Kansas City, MO 64106-2197
Attn: Sara Robben, Statistical Advisor
Jennifer M. McAdam, Legal Counsel

VIA Electronic Mail: [email protected]; [email protected]

RE: Insurance Data Security Model Law – 4th draft

Dear Director Farmer and Superintendent Dwyer:

The American Insurance Association (AIA)1 appreciates the opportunity to provide comments on the 4th draft of the Insurance Data Security Model Law (Model). AIA is very encouraged by the risk-based approach reflected in the draft and the intent to create a Model that parallels the New York cyber regulation. The New York cyber regulation is a comprehensive solution that companies are already allocating resources to ensure compliance with. To that end, we have attached a mark-up of the 4th draft with suggestions to promote continued consistency with the New York cyber regulation and add clarity to the expectations as outlined in the Model. In addition, a brief description for some of the suggested changes is provided below.

Uniformity

Uniformity and consistency are critical for data security requirements, as a company’s IT structure and the threats to data security are typically universally consistent across state, and global, boundaries, and to implement an approach that promotes differing security requirements may have the unintended consequence of harming rather than increasing resiliency. In addition to uniformity and consistency across state and global borders, it is also important to promote uniformity within the state. For this reason, we would strongly support an additional sentence in the “Purpose and Intent” section to reflect that this law, along with GLBA and implementing regulations, are the exclusive data security standards within a state for insurance licensees. Such a statement would avoid the potential for duplicative, inconsistent, and conflicting requirements within a state. Similarly, the specific authority to adopt rules and regulations in Section 11 of the Model invites skepticism that a uniform set of state laws and regulations for insurance licensees is possible. At the same time, we recognize that some state regulators have broad authority to adopt implementing regulations while others do not. It is our respectful recommendation that Section 11 be deleted and, if necessary, include only a footnote advising that states without broad regulatory authority may wish to incorporate a rules and regulations paragraph in the event the NAIC adopts an implementing model regulation.

Cybersecurity Event

We welcome the comments on the May 9th conference call suggesting a narrowing of the New York definition of a cybersecurity event. As currently drafted, the breadth of this definition would sweep within it thousands of daily intrusion attempts on company systems that neither present material weakness nor result in harm to companies. The broad definition is particularly concerning because it would drastically, and unnecessarily, trigger various notification requirements in the Model.

Electronic Information

Consistent with the New York cyber regulation, we urge consideration of limiting the Model to electronic information. Paper records are sufficiently covered by the Gramm-Leach-Bliley Act (GLBA) and implementing regulations such as the Standards for Safeguarding Customer Information. Further, paper records do not necessitate the enhanced standards proposed by this regulation, particularly those that are intended to protect IT systems.

Nonpublic Information

The definition of Nonpublic Information is not limited to consumer information, but also contains the licensee’s business information. This requirement is a concern with regards to the New York cyber regulation and remains a concern in the Model. It is our understanding that this is included in the Model because regulators are interested in financial solvency impacts on the licensees they regulate. This is a valid concern, but importantly it is one best monitored through the IT examination process rather than through statutory obligations such as those in this Model. Additionally, we have identified a change that would combine the account number and credit or debit card number with the security code, access code or password. This approach is consistent with many existing state data breach notification laws.

Licensee

We offer a revised definition of the term licensee to eliminate any ambiguity as to the scope of this regulation and its application to individuals and entities whose primary business operations are unrelated to insurance (e.g. self-storage facilities, veterinarians, extended warranty or service contract retailers, rental car agencies, portable electronics retailers, travel agents, etc.). In addition, we have suggested exemption language that reflects language adopted in the New York cyber regulation.

Corporate Oversight

Again, we would suggest an approach similar to New York that puts the oversight responsibilities of the information security program with a designated employee rather than the Board of Directors and Senior Management. The Board and Senior Management certainly have a role in cyber risk management, but this is reflected in the requirement that the Board or Senior Management be provided with the annual reports as outlined in the Model.

1 The American Insurance Association (AIA) is the leading property-casualty insurance trade organization, representing approximately 320 insurers that write more than $125 billion in premium each year. AIA member companies offer all types of property-casualty insurance, including personal and commercial auto insurance, commercial property and liability coverage, specialty workers’ compensation, homeowners’ insurance, medical malpractice coverage, and product liability insurance.


Information Security Program

Our suggested changes to the Information Security Program also reflect an opportunity to be more consistent with the New York cyber regulation. For instance, the Model recommended that the Information Security Program be updated; however, the New York regulation suggests the Risk Assessment will be updated as reasonably necessary. This approach makes sense, because the risk assessment will trigger updates to the information security program, as necessary, and avoids inadvertently requiring an immediate update of technical solutions, which may not be practical. We also respectfully recommend referencing authentication broadly and using multi-factor authentication as an example. This is consistent with the New York cyber regulation, which recognizes there may be more effective authentication measures than multi-factor authentication. In addition, a requirement to obtain an employee background check and segregate duties is beyond what the New York cyber regulation requires. They also have practical implications: not all states will permit the performance of a background check, and while segregation of duties may be a good practice, how that is written into a statute would need more detailed explanation and clarification to convey what the true intent of this requirement is. Likewise, we suggest eliminating the requirements for restricting access to physical locations and implementing measures to prevent destruction.

Investigation

AIA believes the investigation section should be eliminated in its entirety for two reasons. First, this is a requirement that is not contained in the New York cyber regulation; and second, some state breach notification laws already address the issue of investigation as a threshold in their breach notification laws. If the drafters decide that removing investigation is not optimal, we would offer additional suggestions on important modifications to this section. For instance, the retention period should be narrowed to 6 months of data, but in no instance more than 3 years, and the information retained should be based on the risk assessment. Even three years is an enormous amount of data, and the utility of retaining such data is questionable given the difficulty of reviewing it for relevant data. Additional modification suggestions are contingent on the definition of Cybersecurity Event that is ultimately adopted.

Notification

We strongly believe that the Model should be limited to notification to the Commissioner in the event 500 or more individuals are impacted by a security breach as defined by the state’s breach notification law. Such a requirement would fulfill the desired effect of identifying for insurance commissioners when their consumers are impacted by a breach and putting the domiciliary on alert that there is a large event that may raise solvency questions. Notifying the regulator more frequently, as outlined in the Model, creates a redundancy with the IT Examination. Alternatively, if the drafters do not agree with our approach, we are prepared to suggest amendments to limit notification to the Commissioner in a manner more closely drafted to the New York language and based on a modified version of a Cybersecurity Event. In particular, we note that notice to the producer in the Model is problematic. The purpose of a notification requirement is to inform consumers that they may be at risk of harm. Providing notice to an insurance producer does not add to this consumer protection function, because notice will have been provided by the insurer. Undoubtedly, a producer will benefit from notice in the event they receive a call from the consumer, and in fact many producers may receive notice for this very reason. However, the decision to send the producer notice should be a business decision, not a statutory mandate. Further, this notification requirement is beyond that currently contained in the New York cyber regulation.


Effective Dates

Consistent with the New York cyber regulation, we would also recommend a tiered approach to the effective dates of this Model. We appreciate the 2-year transitional period for the third-party service provider requirements and would recommend an 18-month transitional period for the Risk Management security measures identified in 4(D). Otherwise, we recommend dividing the 4(D) security requirements between 1-year and 18-month transitional periods based on the schedule outlined in the New York cyber regulation.

Safe Harbor

Comments on the May 9th drafting group call suggested the drafters’ intent to ensure that if a licensee is in compliance with the New York cyber regulation they would be in compliance with this model. Additionally, as we noted earlier, consistent and uniform data security requirements are important for maximizing the effectiveness of an information security program. For these reasons, we respectfully submit that the drafting group consider adding a safe harbor provision to the model. We have not yet perfected the statutory language necessary to achieve this, but we continue to think through this and request that the drafters consider this approach as well.

**** AIA appreciates the opportunity to provide feedback and remains committed to a constructive collaboration to develop a risk-based data security Model that outlines flexible minimum security expectations promoting an evolutionary approach that enhances efficiency, resiliency and consumer protections. Please let us know if you have any questions about these explanations or any additional amendments we have suggested.

Respectfully submitted,

Angela Gleason
Senior Counsel


Draft: 4/26/2017 (proposed version 4)

A new model: Insurance Data Security Model Law

Cybersecurity (EX) Working Group

INSURANCE DATA SECURITY MODEL LAW

Table of Contents

Section 1. Title

Section 2. Purpose and Intent

Section 3. Definitions

Section 4. Information Security Program

Section 5. Investigation of a Cybersecurity Event

Section 6. Notification of a Cybersecurity Event

Section 7. Power of Commissioner

Section 8. Confidentiality

Section 9. Exceptions

Section 10. Penalties

Section 11. Rules and Regulations [OPTIONAL]

Section 12. Severability

Section 13. Effective Date

Section 1. Title

This act shall be known and may be cited as the “Insurance Data Security Law.”

Section 2. Purpose and Intent

A. The purpose and intent of this Act is to establish standards for data security as well as for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees, as defined in Section 3.

B. The Standards for Safeguarding Customer Information Regulation identifies basic requirements that Licensees must meet for a broadly defined universe of nonpublic personal information. This Act complements and expands on the existing Standards for Safeguarding Customer Information Regulation for a defined set of nonpublic personal information, defined as Nonpublic Information, and Information Systems. The Standards for Safeguarding Customer Information Regulation and this law shall be exclusive and preempt any law of this state that outlines data security and information security requirements for insurance licensees.

C. This Act may not be construed to create or imply a private cause of action for violation of its provisions nor may it be construed to curtail a private cause of action which would otherwise exist in the absence of this Act.

Drafting Note: States that have not adopted the Standards for Safeguarding Customer Information Model Regulation should consider deleting Subsection B and substituting the following language: Cyber threats have evolved since the adoption of the Gramm-Leach-Bliley Act (GLBA) and will continue to evolve as our society becomes increasingly interconnected, bad actors adapt to new technology and defense measures, and industry adjusts its resiliency efforts. As such, this Act builds upon the principles established by the GLBA and identifies additional risk-based regulatory expectations for a defined set of Nonpublic Information. This law shall be exclusive and preempt any law of this state that outlines data security and information security requirements for insurance licensees.

Section 3. Definitions

As used in this Act, the following terms shall have these meanings:

A. “Affiliate” means any Person that controls, is controlled by or is under common control with another Person. For purposes of this subsection, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.

B. “Commissioner” means the chief insurance regulatory official of the state.


B. “Consumer” means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and others who is a resident of this state and whose Nonpublic Information is in a Licensee’s possession, custody or control.

C. “Cybersecurity Event” means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disruption, or misuse of an Information System or unauthorized acquisition of Nonpublic Information stored on such Information System with the intent to misuse.

The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information stored on the Information System if the encryption, process or key is not also acquired by, released to or used by the Person that acquired the Encrypted Nonpublic Information without authorization.

Cybersecurity Event does not include an event with regard to which the Licensee has determined that the Nonpublic Information stored on the Information System released to an unauthorized person has not been used and has been returned or destroyed without further release.

D. “Encrypted” means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

E. “Information Security Program” means the administrative, technical, and physical safeguards that a Licensee uses in connection with its access, collection, distribution, processing, protection, storage, use, transmission, disposal of, or otherwise handling of Nonpublic Information.

F. “Information System” means a discrete set of electronic information resources that contain Nonpublic Information and are organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

G. “Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state and shall not include any individual licensee or any Person selling service contracts or operating under a limited lines license or the parent holding company that is not also an insurance licensee.

H. “Multi-Factor Authentication” means authentication through verification of at least two of the following types of authentication factors:

(1) Knowledge factors, such as a password; or

(2) Possession factors, such as a token or text message on a mobile phone; or

(3) Inherence factors, such as a biometric characteristic.

I. “Nonpublic Information” means electronic information that is not Publicly Available Information and is:

(1) Business related information of a licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the licensee;

(2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:

(a) Social security number,

(b) Drivers’ license number or non-driver identification card number,


(c) Account number, credit or debit card number, in combination with any security code, access code or password that would permit access to an individual’s financial account, or

(d) Biometric records;

(3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to

(a) The past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family,

(b) The provision of health care to any individual, or

(c) Payment for the provision of health care to any individual.

J. “Person” means any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency, or association.

K. “Publicly Available Information” means any information that a Licensee has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.

For the purposes of this subsection, a Licensee has a reasonable basis to believe that information is lawfully made available to the general public if the Licensee has taken steps to determine:

(1) That the information is of the type that is available to the general public; and

(2) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.

L. “Third-Party Service Provider” means a Person, who is not otherwise defined as a Licensee, that contracts with a Licensee to maintain, process, store or otherwise is permitted access to Nonpublic Information through its provision of services to the Licensee.

Section 4. Information Security Program

A. Implementation of an Information Security Program

Commensurate with the size and complexity of the Licensee, the nature and scope of the Licensee’s activities and the sensitivity of the Nonpublic Information used by the Licensee or in the Licensee’s possession, custody or control, each Licensee shall develop, implement, and maintain a comprehensive risk-focused written Information Security Program that contains administrative, technical, and physical safeguards for the protection of Nonpublic Information and the Licensee’s Information Systems. The Licensee shall document, on an annual basis, compliance with its Information Security Program. The Licensee shall make this documentation available to the Commissioner upon request.

B. Objectives of Information Security Program

A Licensee’s Information Security Program shall be designed to:

(1) Protect the security and confidentiality of Nonpublic Information and Information Systems;

(2) Protect against any threats or hazards to the security or integrity of Nonpublic Information and Information Systems; and


(3) Protect against unauthorized access to or use of Nonpublic Information and Information Systems, and minimize the likelihood of individual harm or inconvenience to any Consumer; and

(4) Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.

C. Risk Assessment

The Licensee shall:

(1) Designate one or more employees or an outside vendor and/or service provider designated to act on behalf of the Licensee who is responsible for the Information Security Program;

(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information;

(3) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Nonpublic Information;

(4) Assess the sufficiency of policies, procedures, Information Systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the Licensee’s operations, including:

(a) Employee training and management;

(b) Information Systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and

(c) Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and

(5) Implement information safeguards to manage the threats identified in its assessment, and regularly assess the effectiveness of the safeguards’ key controls, systems, and procedures.

(6) The Licensee shall, as appropriate, review the Risk Assessment and update it as reasonably necessary to address changes to the sensitivity of its Nonpublic Information, technological developments and evolving threats, and the Licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to Information Systems.

D. Risk Management

Based on its Risk Assessment, the Licensee shall:

(1) (a) Design its Information Security Program to mitigate the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the Licensee’s activities, including consideration of whether implementing the security measures listed in Section 4D(2) is appropriate.

(b) Determine appropriate security measures listed in Section 4D(2). Licensees shall use the best practices for cybersecurity protection, detection, and remediation available commensurate with its nature, scope, scale and complexity.

(2) (b) Implement the following security measures, as appropriate:

(a) Place Aaccess controls on Information Systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of Nonpublic Information;

(b) Ensure thatIdentify and manage, consistently, with their relative importance to business objectives and the organization’s risk strategy, the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes. are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy;

(c) Restrict access at physical locations containing Nonpublic Information, only to authorized individuals;

(d)(c) Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted wirelessly or on a public network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media;

(e)(d) Ensure the uUse of secure development practices for in-house developed applications utilized by the Licensee and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Licensee;

(f)(e) Ensure that Information System modifications are consistent with the Licensee’s Information Security Program;

(f) Utilize multi-factor aAuthentication procedures, such as multi-factor authentication, segregation of duties, and employee background checks for any individual accessing Nonpublic Information in the Licensee’s internal network from an external network;

(h)(g) Regularly test or monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, Information Systems;

(i)(h) Ensure the Information Security Program includes aAudit trails designed to detect Cybersecurity Events;

(j)(i) Implement rResponse procedures that specify actions to be taken when the Licensee suspects or detects that unauthorized individuals have gained access to Information Systems;

(k)(j) Implement measures to protect against destruction, loss, or damage of Nonpublic Information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and

(l)(k) Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information in any format.

(3)(2) Include cybersecurity risks in the Licensee’s enterprise risk management process; and

(4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.

Provide cybersecurity awareness training, as appropriate, for personnel that is updated, as necessary, to reflect risks identified by the Licensee in its risk assessment.

E. Corporate Oversight by Board of Directors

If the Licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum: The Board of Directors, appropriate committee of the Board, or Executive Management of the Licensee shall:

(1) Designate a qualified individual responsible for Ooverseeing the development, implementation, and maintenance of the Licensee’s Information Security Program. Such individual can be employed by the Licensee, one of its Affiliates or a Third Party Service Provider. To the extent this requirement is met using a Third Party Service Provider or an Affiliate, the Licensee shall: (a) retain responsibility for compliance with this Part; (b) designate a senior member of Licensee’s personnel responsible for direction and oversight of the Third Party Service Provider; and (c) require the Third Party Service Provider to maintain a cybersecurity program that protects the Licensee in accordance with the requirements of this Rule.

, including assigning specific responsibility for the plan to the Licensee’s executive management or its delegates;

(2) Require the Licensee’s executive management or delegates thereofdesignated employee or Third Party Service Provider responsible for the Information Security Program to report to the Board of Directors, appropriate committee of the Board, or Executive Managementrt in writing at least annually, the following information:

(a) The overall status of the Information Security Program and the Licensee’s compliance with this Act; and

(b) Material matters related to the Information Security Program, addressing issues such as risk assessment, risk management and control decisions, Third-Party Service Provider arrangements, results of testing, Cybersecurity Events or violations and management’s responses thereto, and recommendations for changes in the Information Security Program.

(3) If executive management delegates responsibilities under this section it shall oversee the development, implementation and maintenance of the Licensee’s Information Security Program prepared by the delegate(s) and shall receive a report from the delegate(s) complying with the requirements of the report to the Board of Directors above.

F.E. Oversight of Third-Party Service Provider Arrangements

(1) Each Licensee shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Licensee and shall address to the extent applicable:

(a) The identification and risk assessment of Third-Party Service Providers;

(b) Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Licensee;

(c) Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

(d) Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

(2) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including, to the extent applicable, guidelines addressing:

(a) The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, to limit access to relevant Information Systems and Nonpublic Information;

(b) The Third-Party Service Provider’s policies and procedures for use of Encryption to protect Nonpublic Information in transit and at rest;

(c) Notice to be provided to the Licensee in the event of a Cybersecurity Event directly impacting the Licensee’s Information Systems or the Licensee’s Nonpublic Information being held by the Third-Party Service Provider; and

(d) Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Licensee’s Information Systems or Nonpublic Information.

G. Program Adjustments

The Licensee shall monitor, evaluate and adjust, as appropriate, the Information Security Program consistent with any relevant changes in technology, the sensitivity of its Nonpublic Information, internal or external threats to information, and the Licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to Information Systems.

Section 5. Investigation of a Cybersecurity Event

A. If the Licensee learns that a Cybersecurity Event has or may have occurred the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall conduct a prompt investigation.

B. During the investigation, the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall, at a minimum determine as much of the following information as possible:

(1) Determine whether a Cybersecurity Event has occurred;

(2) Assess the nature and scope of the Cybersecurity Event;

(3) Identify any Nonpublic Information that may have been involved in the Cybersecurity Event; and

(4) Perform or oversee reasonable measures to restore the security of the Information Systems compromised in the Cybersecurity Event in order to prevent further unauthorized acquisition, release or use of Nonpublic Information in the Licensee’s possession, custody or control.

C. If the Licensee learns that a Cybersecurity Event has or may have occurred in a system maintained by a Third-Party Service Provider, the Licensee will confirm and document that the Third-Party Service Provider has completed the steps listed in Section 5B above.

D. The Licensee shall maintain records concerning all Cybersecurity Events for a period of at least five years and shall produce those records upon demand of the Commissioner.

Section 6. Notification of a Cybersecurity Event

A. Notification to the Commissioner

Each Licensee shall notify the Commissioner as promptly as possible but in no event later than 72 hours from a determination that: (a) notice is required to be sent in accordance with [cite state’s data breach notification law]; and (b) more than 500 residents of this state are impacted. a Cybersecurity Event has occurred if:

(1) The Licensee is an insurer domiciled in this state; or

(2) The Licensee reasonably believes that the Nonpublic Information involved is of 250 or more residents of this state and that is either of the following:

(a) A Cybersecurity Event impacting the Licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or

(b) A Cybersecurity Event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Licensee.

[Alternative:

Each Licensee shall notify the Commissioner as promptly as possible but in no event later than 72 hours from a determination that: (a) a Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operations of the licensee; and (b) the event involves 500 or more impacted residents of this state.

B. The Licensee shall provide the Commissioner with a copy of the notice being sent to consumers. as much of the following information as possible. The Licensee shall provide the information in electronic form as directed by the Commissioner. The Licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the Cybersecurity Event.

(1) Date of the Cybersecurity Event;

(2) Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of Third-Party Service Providers;

(3) How the Cybersecurity Event was discovered;

(4) Whether any lost, stolen, or breached information has been recovered and if so, how this was done;

(5) The identity of the source of the Cybersecurity Event;

(6) Whether Licensee has filed a police report or has notified any regulatory, government or law enforcement agencies and, if so, when such notification was provided;

(7) Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information or types of information allowing identification of the Consumer;

(8) The period during which the Information System was compromised by the Cybersecurity Event;

(9) The number of total Consumers in this state affected by the Cybersecurity Event. The Licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;

(10) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;

(11) Description of efforts being undertaken to remediate the situation which permitted the Cybersecurity Event to occur;

(12) A copy of the Licensee’s privacy policy and a statement outlining the steps the Licensee will take to investigate and notify Consumers affected by the Cybersecurity Event; and

(13) Name of a contact person who is both familiar with the Cybersecurity Event and authorized to act for the Licensee.

C. Notification to Consumers. The Licensee shall comply with [insert states’ data breach notification law] and provide a copy of the notice sent to Consumers under that statute to the Commissioner.

D. Notice Regarding Cybersecurity Events of Third-Party Service Providers

(1) In the case of a Cybersecurity Event in a system maintained by a Third-Party Service Provider, for which the Licensee has received notice, the Licensee shall treat such event as it would under Section 6A.

(2) The computation of Licensee’s deadlines shall begin on the day after the Third-Party Service Provider notifies the Licensee of the Cybersecurity Event or the Licensee otherwise has actual knowledge of the Cybersecurity Event, whichever is sooner.

(3) Nothing in this Act shall prevent or abrogate an agreement between a Licensee and another Licensee, a Third-Party Service Provider or any other party to fulfill any of the investigation requirements imposed under Section 5 or notice requirements imposed under Section 6.

E. Notice Regarding Cybersecurity Events of Reinsurers to Insurers

(1) In the case of a Cybersecurity Event involving Nonpublic Information that is used by the Licensee that is acting as an assuming insurer or in the possession, custody or control of a Licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected Consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of making the determination that a Cybersecurity Event has occurred; and

(2) In the case of a Cybersecurity Event involving Nonpublic Information that is in the possession, custody or control of a Third-Party Service Provider of a Licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of receiving notice from its Third-Party Service Provider that a Cybersecurity Event has occurred.

F. Notice Regarding Cybersecurity Events of Insurers to Producers of Record

(1) In the case of a Cybersecurity Event involving Nonpublic Information that is in the possession, custody or control of a Licensee that is an insurer or its Third-Party Service Provider and for which a Consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the producers of record of all affected Consumers within 72 hours of making the determination that a Cybersecurity Event has occurred.

(2) The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual Consumer.

Section 7. Power of Commissioner

A. The Commissioner shall have power to examine and investigate into the affairs of any Licensee to determine whether the Licensee has been or is engaged in any conduct in violation of this Act. This power is in addition to the powers which the Commissioner has under [insert applicable statutes governing the investigation or examination of insurers]. Any such investigation or examination shall be conducted pursuant to [insert applicable statutes governing the investigation or examination of insurers].

B. Whenever the Commissioner has reason to believe that a Licensee has been or is engaged in conduct in this state which violates this Act, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this Act.

Section 8. Confidentiality

A. Any documents, materials or other information in the control or possession of the department of insurance that are furnished by a Licensee (or itsan employee or agent thereof acting on behalf of Licensee) pursuant to Section 6B(2), (3), (4), (5), (8), (10), and (11), or that are obtained by the Commissioner in an investigation or examination pursuant to Section 7 of this Act shall be confidential by law and privileged, shall not be subject to [insert reference to state open records, freedom of information, sunshine or other appropriate law], shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. However, the Commissioner is authorized to use the documents, materials or other information in the furtherance of any regulatory or legal action brought as a part of the Commissioner’s duties.

B. Neither the Commissioner nor any person who received documents, materials or other information while acting under the authority of the Commissioner shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to Section 8A.

C. In order to assist in the performance of the Commissioner’s duties under this Act, the Commissioner:

(1) May share documents, materials or other information, including the confidential and privileged documents, materials or information subject to Section 8A, with other state, federal, and international regulatory agencies, with the National Association of Insurance Commissioners, its affiliates or subsidiaries, and with state, federal, and international law enforcement authorities, provided that the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material or other information;

(2) May receive documents, materials or information, including otherwise confidential and privileged documents, materials or information, from the National Association of Insurance Commissioners, its affiliates or subsidiaries and from regulatory and law enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any document, material or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the document, material or information.

(2)(3) All information shared pursuant to this Subsection C shall be deemed confidential and subject to disclosure only to those persons and entities identified in C (1) and then only if there is compelling evidence that disclosure is in the best interest of the public and will not jeopardize the capacity of the Licensee to protect the security of Nonpublic Information or Information Systems or cause substantial injury to the competitive position of the Licensee; and

(3)(4) May enter into agreements governing sharing and use of information consistent with this subsection.

D. No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the Commissioner under this section or as a result of sharing as authorized in Section 8C.

E. Nothing in this Act shall prohibit the Commissioner from releasing final, adjudicated actions including for cause terminations that are open to public inspection pursuant to [insert appropriate reference to state law] to

a database or other clearinghouse service maintained by the National Association of Insurance Commissioners, its affiliates or subsidiaries.

Drafting Note: States conducting an investigation or examination under their examination law may apply the confidentiality protections of that law to such an investigation or examination.

Section 9. Exceptions

A. The following exceptions shall apply to this Act:

(1) A Licensee with fewer than ten employees located in this state, including any independent contractors is exempt from Section 4 of this Act;

(2) A Licensee subject to Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996 (Health Insurance Portability and Accountability Act) that has established and maintains an Information Security Program pursuant to such statutes, or rules, regulations, procedures or guidelines established thereunder, is deemed to be in compliance with the requirements of Section 4. If a Licensee relies upon this provision it shall provide to the Commissioner, upon request, the specific federal statute or regulation upon which it relies and the manner in which it asserts compliance;

(3) An employee, agent, affiliate, representative or designee of a Licensee, who is also a Licensee, is exempt from Section 4 and need not develop its own Information Security Program to the extent that the employee, agent, representative or designee is covered by the Information Security Program of the other Licensee.

(4) A Licensee that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from this Act.

(5) Reinsurers shall be exempt from this Act.

B. In the event that a Licensee ceases to qualify for an exception, such Licensee shall have 180 days to comply with this Act.

Section 10. Penalties

In the case of a violation of this Act, a Licensee may be penalized in accordance with [insert general penalty statute].

Section 11. Rules and Regulations [OPTIONAL]

The Commissioner may, in accordance with [the state statute setting forth the ability of the Department to adopt regulations] issue such regulations as shall be necessary to carry out the provisions of this Act.

Drafting Note: This provision is applicable only to states requiring this language.

Section 12. Severability

If any provisions of this Act or the application thereof to any person or circumstance is for any reason held to be invalid, the remainder of the Act and the application of such provision to other persons or circumstances shall not be affected thereby.

Section 13. Effective Date

This Act shall take effect on [insert a date]. Licensees shall have 180 days from the effective date of this Act to implement Section 4 of this Act and two years from the effective date of this Act to implement Section 4(F) of this Act.

California DOI Comments


May 12, 2017 VIA ELECTRONIC MAIL Director Raymond Farmer NAIC Cybersecurity (EX) Working Group 1100 Walnut Street, Ste. 1500 Kansas City, MO 64106

Attn: Sara Robben, Statistical Advisor [email protected]

SUBJECT: Insurance Data Security Model Law -

Comments on Fourth Draft Dear Director Farmer: Thank you for the opportunity to comment on the fourth draft of the Insurance Data Security Model Law. The California Department of Insurance (“Department”) is supportive of the Working Group’s efforts to design a Model based on the New York Department of Financial Services cybersecurity regulations. However, there are a few points which California regulators believe could benefit from clarification or alteration, as described below. The Department believes that the definition of “Cybersecurity Event” at Section 3C is too narrow. Currently, the definition excludes events where attackers have gained access to encrypted information. Any exfiltration of data from an insurer’s systems by unauthorized parties constitutes a serious breach in security and may indicate flaws in an insurer’s security architecture or its administration. Therefore, it is important that regulators be informed of system breaches, even if the affected data is not usable by the attackers. Because the current draft Model only involves notice to the regulator, rather than consumers, the Department believes the benefit of notifying the regulator far outweighs any potential negatives. Based on the foregoing, California suggests that the exception for encrypted data be removed from the Model. California would like clarification with respect to the definition of “Information System” at Section 3F. There is some concern that the term only encompasses network systems designed and maintained by the licensee. Given the trend towards the “Internet of Things” (“IoT”),

Page 42

Page 43: May 16 Comment Compilation 16, 20 By electron Director R Superinten ... tems, heir cy ic sed in Page 3. 2 ... Investigation of a Cybersecurity Event

Department staff want to be sure that the Model encourages design and enforcement of security protocols addressing devices that employees, vendors, contractors, or third-parties might attach to a licensee’s network. These devices can include “smart appliances” like thermostats and refrigerators; “smart” televisions; video-streaming hardware like the AppleTV and Amazon FireStick; “bring-your-own” devices like tablets, smart phones, smart watches, FitBits, etc. Many of these IoT devices are not designed to withstand persistent hacking attempts and do not receive frequent software patches from the manufacturer, making them a tempting ingress point for hackers. Therefore, it is important that the definition of “Information System” encompass not only the insurer’s mainline IT systems, but also devices which might be attached to an insurer’s network. The definition of “Nonpublic Information” in Section 3I should be broadened. Specifically, Section 3I(2)(d) should be expanded to include “online” as well as “financial” accounts. While insurer web portals might not be considered “financial” accounts in all cases, such portals contain a great deal of information about the consumer. Moreover, many portals utilize a consumer’s e-mail address as a login; it can be expected that more than a few consumers will use the same password for both the portal and the e-mail account used as a login. Because consumers can be harmed by unauthorized access to accounts other than financial accounts, the definition of “Nonpublic Information” should include “online” as well as “financial accounts.” Other than the changes mentioned above, California believes that the current draft of the Model represents an acceptable compromise between regulator and insurer interests. In particular, California supports the current draft creating a minimum “floor” for cybersecurity and breach notification standards. 
Many states, including California, have existing legal standards requiring breach notice to law enforcement and attorneys-general; for that reason it is likely that any Model which affects those notice standards will be politically infeasible. Consequently, California supports the current “minimum standards” drafting, but will not be able to support revisions which prevent state regulators from adopting higher standards than those contained in the Model.1

1 California supports the provision of the Model which allows documented HIPPA compliance to satisfy the requirements of Section 4.

Page 43

Page 44: May 16 Comment Compilation 16, 20 By electron Director R Superinten ... tems, heir cy ic sed in Page 3. 2 ... Investigation of a Cybersecurity Event

As always, California appreciates the opportunity to be involved in drafting the Model and looks forward to further participation in the process. Please contact me if you have any questions. Thank you for your consideration. Sincerely,

Damon Diederich Attorney / Assistant Privacy Officer CC: Susan Bernard, CDI Bryant Henley, CDI Susan Stapp, CDI


CEJ and Peter Kochenburger Comments


Comments of the Center for Economic Justice and Peter Kochenburger NAIC Cybersecurity Working Group

May 16, 2017

We have previously submitted comments relevant to version 4 and ask the Working Group to consider them as part of this submission.1 Our major points:

1. We do not object to the bifurcation reflected in version 4, but rather the possibility – now a significant likelihood – that at least some industry groups will never agree or compromise on a data notification section that would provide both consistency and a high level of consumer protection. Failing to do so is a significant loss to insurance consumers, regulators, and we believe the industry as well. Consumers have entrusted their personal and financial information to their insurers and producers (typically without knowing the breadth of information they have released), and once having done so, can only rely on the industry to protect their information. Regardless of the degree of fault a Licensee may have in not preventing a Cybersecurity Event, the consumer almost always has none. Yet they remain the one group that lies outside of version 4. Commissioners, insurers, producers and reinsurers receive notification; consumers, whose information has been stolen, do not (at least under this draft), and this lack of knowledge makes it difficult for them to take steps to protect themselves.

2. As does much of the industry, we believe that utilizing the New York DFS Cyber Regulations as a model or template has distinct advantages. However, we also agree with the California Department of Insurance’s caution in their April 17, 2017 comments: “California supports the New York framework only insofar as the Working Group pursues the adoption of minimum, rather than maximum, national cybersecurity standards for insurers and other insurance licensees.”

3. Having defeated the inclusion of a consumer notification and consumer rights section to the model, the industry still has a substantial number of comments and suggested “improvements.” We ask the WG to not weaken this model further. We list below several of the topics we have earlier addressed and that the next version should incorporate.

a. Establishing independent public performance measures assessing Licensee effectiveness in protecting consumer information and compliance with relevant state and federal laws (including the final version of this model).

1 Joint comments were submitted on April 17 and May 8, and the CEJ also submitted a separate set of comments on May 8, 2017.


b. Clarifying that licensees are responsible for failures of their third-party service providers to comply with this act, especially those related to notification requirements to the Commissioner (Section 6).

c. The Confidentiality provision should be modified to incorporate existing state confidentiality laws, and not unnecessarily expanded simply due to unsupported allegations that these laws do not adequately protect information. We will suggest specific language shortly.


Florida DOI Comments


Section 2. Purpose and Intent

Section 2.A. provides that the intent of the Act is to establish standards for data security, investigations and notice to the Commissioner of cybersecurity events. It is unclear how this new language would be harmonized with other, existing language under state law (or federal law) which provides definitions, data security requirements, notice requirements and enforcement provisions now applicable to Licensees as defined in this Act.

Section 4. Information Security Program

Sections 4.D and F. use the term “Risk Assessment” as a capitalized term without providing a definition.

Section 5. Investigation of a Cybersecurity Event

Section 5. establishes requirements for investigation of “Cybersecurity Events,” which includes both successful and unsuccessful attempts, which makes sense because an investigation would be necessary to determine if Nonpublic Information was actually shared.

Section 6. Notification to the Commissioner

Section 6, however, establishes notification requirements for any Cybersecurity Event, including both successful and unsuccessful attempts. To limit notification to those Cybersecurity Events in which Nonpublic Information was shared, it may be appropriate to change the title of Section 6 to read: Notification of a Successful Cybersecurity Event, so that all of the ensuing requirements of Section 6 are limited to those instances in which the intrusion was successful. If deemed necessary for clarity, each use of the term “Cybersecurity Event” in Section 6 could be preceded by the word “successful.”

Section 6. also imposes a requirement for notification by Licensees of a Cybersecurity Event to various parties. Multiple notices by various Licensees should be discouraged by providing that notice by one Licensee discharges the notice obligation of other Licensees. For example, if the insurer provides the notice to the Commissioner and Consumers, the agent Licensee need not make a separate notification.

Section 6. F.(1) and (2) could be simplified to read: A Licensee or its Third Party Service Provider must notify the producers of record, if known, of all affected Consumers within 72 hours of making the determination that a Cybersecurity Event has occurred.

Section 8. Confidentiality

The confidentiality language used here would be inconsistent with Florida’s broad Sunshine Law and would need to be modified.

Section 9. Exceptions

Although it makes sense to have different standards for small firms who don’t have the capacity to develop a robust cybersecurity program, there should be some basic level of protection in place.


Draft: 4/26/2017 (proposed version 4), redlined against the 2/27/2017 draft (proposed version 3). A new model: Insurance Data Security Model Law. Cybersecurity (EX) Working Group (Task Force in the earlier draft)

INSURANCE DATA SECURITY MODEL LAW

Table of Contents

Section 1. Title
Section 2. Purpose and Intent
Section 3. Definitions
Section 4. Information Security Program
Section 5. Investigation of a Cybersecurity Event Data Breach
Section 6. Notification of a Cybersecurity Event Data Breach
Section 7. Consumer Protections Following a Data Breach
Section 78. Power of Commissioner
Section 9. Enforcement
Section 810. Confidentiality
Section 9. Exceptions
Section 1011. Penalties
Section 1112. Rules and Regulations [OPTIONAL]
Section 1213. Severability
Section 1314. Effective Date

Section 1. Title

This act shall be known and may be cited as the “Insurance Data Security ActLaw.”

Section 2. Purpose and Intent

A. Notwithstanding any other provision of law including [insert reference to state’s general data security breach notification law], theThe purpose and intent of this Act is to establish the exclusive standards in this state for data security as well as for the and investigation of and notification to the Commissioner of a Data BreachCybersecurity Event applicable to Licensees, as defined in Section 3.

B. The Standards for Safeguarding Customer Information Regulation identifies basic requirements that Licensees must meet for a broadly defined universe of nonpublic personal information. This Act complements and expands on the existing Standards for Safeguarding Customer Information Regulation for a defined set of nonpublic personal information, defined as Nonpublic Information.

B. It is not the intent of this Act to require that a Licensee send notice to Consumers affected by a Data Breach when notice has been or is being sent to Consumers in accordance with a federal statute or regulation applicable to that Licensee that provides at least as much protection as this Act. It is also not the intent of this Act that a Licensee be required to set up a separate Information Security Program under Section 4 if that Licensee has established and maintained an Information Security Program in accordance with a federal statute or regulation applicable to that Licensee that provides at least as much protection as this Act. Therefore, a Licensee subject to Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999, or to Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996, that complies with the privacy and data breach notification requirements of such statutes, or rules, regulations, procedures or guidelines established thereunder, and a Licensee that complies with those statutes, rules, regulations, procedures, or guidelines pursuant to state law requirements, is deemed to be in compliance with the requirements of Sections 4, 5D and 6C of this Act. If a Licensee relies upon this provision it shall provide to the Commissioner, upon request, the specific federal statute or regulation upon which it relies and the manner in which it asserts compliance.

C. This Act may not be construed to create or imply a private cause of action for violation of its provisions nor may it be construed to curtail a private cause of action which would otherwise exist in the absence of this Act.


Drafting Note: States that have not adopted the Standards for Safeguarding Customer Information Model Regulation should consider deleting Subsection B and substituting the following language: Cyber threats have evolved since the adoption of the Gramm-Leach-Bliley Act (GLBA) and will continue to evolve as our society becomes increasingly interconnected, bad actors adapt to new technology and defense measures, and industry adjusts its resiliency efforts. As such, this Act builds upon the principles established by the GLBA and identifies additional risk-based regulatory expectations for a defined set of Nonpublic Information.

Section 3. Definitions

As used in this Act, the following terms shall have these meanings:

A. “Commissioner” means the chief insurance regulatory official of the state.

B. “Consumer” means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and others who is a resident of this state and whose Nonpublic Personal Information is in a Licensee’s possession, custody or control.

C. “Consumer Reporting Agency” has the same meaning as “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis” in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

C. “Cybersecurity Event” means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.

Cybersecurity Event does not include an event with regard to which the Licensee has determined that the Nonpublic Information released to an unauthorized person has not been used and has been returned or destroyed without further release.

D. “Data Breach” means the acquisition of unencrypted Personally Identifiable Information by an unauthorized person.

The term “Data Breach” does not include the unauthorized acquisition of Encrypted Personally Identifiable Information if the encryption, process or key is not also acquired, released or used without authorization.

“Acquisition” does not include a Data Breach with regard to which the Licensee has determined with a very high degree of certainty that the Personally Identifiable Information released to an unauthorized person has not been used and has been returned or destroyed without further release.

The term “Data Breach” does not include “Data Breach Without Use of Personally Identifiable Information.”

E. “Data Breach Without Use of Personally Identifiable Information” means a Data Breach with regard to which the Licensee has determined with a very high degree of certainty that the Personally Identifiable Information acquired by the unauthorized person has not been used and has been returned or destroyed without further release or acquisition.

D. “Encrypted” means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

E. “Information Security Program” means the administrative, technical, and physical safeguards that a Licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Nonpublic Personal Information.

F. “Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.


Comment [MS1]: To whom is this meant to refer?


G. “Licensee” means any person or entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state.

H. “Multi-Factor Authentication” means authentication through verification of at least two of the following types of authentication factors:

(1) Knowledge factors, such as a password; or

(2) Possession factors, such as a token or text message on a mobile phone; or

(3) Inherence factors, such as a biometric characteristic.
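The definition above turns on the number of distinct factor types, not the number of authenticators: a password plus a security question is two knowledge factors and so is not Multi-Factor Authentication, and an SMS code plus a hardware token is two possession factors. The following is an added example (not text of the Model or any licensee's code) that checks a proposed login policy against that definition; the authenticator names and their mapping to factor types are assumptions made for illustration, and "sms_code" is placed under possession because the Model itself lists a text message on a mobile phone as a possession factor.

```python
"""Check an authentication policy against the Model's definition of
Multi-Factor Authentication (Section 3H): at least two DISTINCT factor
types among knowledge, possession and inherence. Two authenticators of
the same type (password plus security question) do not qualify.

Added example, not text of the Model; the authenticator kinds and the
mapping below are assumptions for illustration."""
from typing import Iterable

# Assumed mapping of authenticator kind -> factor type.
# "sms_code" sits under possession because the Model's own definition
# lists "a token or text message on a mobile phone" as a possession factor.
FACTOR_TYPE = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "totp_app": "possession",
    "hardware_token": "possession",
    "sms_code": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def factor_types(authenticators: Iterable[str]) -> set:
    """Return the set of factor types the given authenticators verify.
    Unknown kinds are rejected rather than silently counted as a factor."""
    types = set()
    for kind in authenticators:
        if kind not in FACTOR_TYPE:
            raise ValueError(f"unknown authenticator kind: {kind!r}")
        types.add(FACTOR_TYPE[kind])
    return types


def is_multi_factor(authenticators: Iterable[str]) -> bool:
    """True only when at least two different factor types are verified."""
    return len(factor_types(authenticators)) >= 2


def explain(authenticators: Iterable[str]) -> str:
    """Human-readable verdict, e.g. when reviewing a Third-Party Service
    Provider's answer about its use of MFA (Section 4F(2)(a))."""
    auths = list(authenticators)
    types = sorted(factor_types(auths))
    verdict = "meets" if len(types) >= 2 else "does NOT meet"
    return f"{auths} verifies {types}: {verdict} the Model's MFA definition"


if __name__ == "__main__":
    for policy in (["password", "totp_app"],
                   ["password", "security_question"],
                   ["sms_code", "hardware_token"]):
        print(explain(policy))
```

The check is deliberately strict about unknown authenticator kinds: a policy review that quietly treats an unclassified mechanism (a "magic link", say) as a second factor would defeat the purpose of the definition.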

H.I.“Nonpublic Personal Information” means information that is not Publicly Available Information and is:

(1) Business related information of a Licensee the tampering with which, or unauthorized disclosure, access or use of which, could (or would?) cause a material adverse impact to the business, operations or security of the Licensee;

(2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:

(a) Social security number,

(b) Drivers’ license number or non-driver identification card number,

(c) Account number, credit or debit card number,

(d) Any security code, access code or password that would permit access to an individual’s financial account, or

(e) Biometric records;

(3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to

(a) The past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;

(b) The provision of health care to any individual, or member of the individual’s family; or

(c) Payment for the provision of health care to any individual or member of the individual’s family.

(1) A Consumer provides to a Licensee to obtain an insurance product or service from the Licensee;

(2) About a Consumer resulting from a transaction involving an insurance product or service between a Licensee and a Consumer;

(3) The Licensee otherwise obtains about a Consumer in connection with providing an insurance product or service to that Consumer;

(4) Account balance information and payment history;

(5) The fact that an individual is or has been one of the Licensee’s customers or has obtained an insurance product or service from the Licensee;


Comment [MS2]: Not certain if these subsections need to be the same and apply to both individuals and their families or not.


(6) Any information about the Licensee’s Consumer if it is disclosed in a manner that indicates that the individual is or has been the Licensee’s Consumer;

(7) Any information that a Consumer provides to a Licensee or that the Licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;

(8) Any information the Licensee collects through an Internet cookie (an information-collecting device from a web server); and

(9) Information from a Consumer report.

(10) Health information:

(a) That identifies an individual who is the subject of the information; or

(b) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

(11) Nonpublic Personal Information does not include:

(a) Publicly available information; or

(b) Information that does not identify a Consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.

B. “Personally Identifiable Information” means Nonpublic Personal Information used by the Licensee or under the Licensees possession, custody or control or provided by a Licensee to a Third-Party Service Provider and includes:

(1) A financial account number relating to a Consumer, including a credit card number or debit card number, in combination with any security code, access code, password, or other personal identification information required to access the financial account; or

(2) The first name or first initial and last name of a Consumer in combination with:

(a) Three or more digits of the Consumer’s social security number;

(b) The Consumer’s driver’s license number, passport number, military identification number, or other similar number on a government-issued document;

(c) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online or financial account of the Consumer;

(d) Biometric data of the Consumer that would permit access to financial accounts of the Consumer;

(e) Any information of the Consumer that the Licensee has a legal or contractual duty to protect from unauthorized access or public disclosure;

(f) The Consumer’s date of birth;

(g) The insurance policy number or subscriber identification number;

(h) Any information or data, except age or gender, that relates to:

(i) The past, present or future physical, mental or behavioral health or condition of a Consumer;


(ii) The provision of health care to a Consumer; or

(iii) Payment for the provision of health care to a Consumer; or

(i) Any other information that would be sufficient to permit the fraudulent assumption of the Consumer’s identity or unauthorized access to an account of the Consumer.

(3) Any of the data elements identified above when not in connection with the Consumer’s first name or initial and last name, if those elements would be sufficient to permit the fraudulent assumption of the Consumer’s identity or unauthorized access to an account of the Consumer.

The term “Personally Identifiable Information” does not include publicly available information that is lawfully made available to the general public and obtained from federal, state, or local government records; or widely distributed media.

J. “Publicly Available Information” means any information that a Licensee has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.

For the purposes of this subsection, a Licensee has a reasonable basis to believe that information is lawfully made available to the general public if the Licensee has taken steps to determine:

(1) That the information is of the type that is available to the general public; and

(2) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.

K. “Third-Party Service Provider” means a person or entity, not otherwise defined as a Licensee, that contracts with a Licensee to maintain, process, store or otherwise have is permitted access to Nonpublic Personal Information through its provision of services to the Licensee.under the Licensee’s possession, custody or control.

Section 4. Information Security Program

A. Implementation of an Information Security Program

Commensurate with the size and complexity of the Licensee, the nature and scope of the Licensee’s activities and the sensitivity of the Nonpublic Personal Information used by the Licensee or in the Licensee’s possession, custody or control, each Licensee shall develop, implement, and maintain a comprehensive risk-focused written Information Security Program that contains administrative, technical, and physical safeguards for the protection of Nonpublic Personal Information. The Licensee shall document, on an ongoing and at least annual basis, compliance with its Information Security Program. This documentation shall occur whenever any substantive changes to the Information Security Program occur but no less than on an annual basis. The Licensee shall make this documentation available to the Commissioner upon request.

B. Objectives of Information Security Program

A Licensee’s Information Security Program shall be designed to:

(1) Protect the security and confidentiality of Nonpublic Personal Information;

(2) Protect against any threats or hazards to the security or integrity of the information;

(3) Protect against unauthorized access to or use of Nonpublic Personal Information, and minimize the likelihood of harm or inconvenience to any Consumer; and


(4) Define and periodically reevaluate a schedule for retention of Nonpublic Personal Information and a mechanism for its destruction when no longer needed.

C. Risk Assessment

The Licensee shall:

(1) Designate one or more employees or an outside vendor and/or service provider designated to act on behalf of the Licensee who is responsible for the Information Security Program;

(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Personal Information;

(3) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Nonpublic Personal Information;

(4) Assess the sufficiency of policies, procedures, Information Systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the Licensee’s operations, including:

(a) Employee training and management;

(b) Information Systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and

(c) Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and

(5) Implement information safeguards to manage the threats identified in its assessment, and regularly assess the effectiveness of the safeguards’ key controls, systems, and procedures.

D. Risk Management

Based on its Risk Assessment, the Licensee shall:

(1) (a) Design its Information Security Program to mitigate the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the Licensee’s activities, including consideration of whether implementing the security measures listed in Section 4D(2) is appropriate.

(b) Determine appropriate security measures listed in Section 4D(2). Licensees shall use the best practices for cybersecurity protection, detection, and remediation available at the time of the data breach and commensurate with the firm’s nature, scope, scale and complexity.

(2) Implement the following security measures, as appropriate:

No (a) Place access controls on Information Systems, including controls to authenticate and permit access only to authorized individuals, to protect against the unauthorized acquisition of Nonpublic Personal Information;

(b) Ensure that the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy; (?)

(b)(c) Restrict access at physical locations containing Nonpublic Personal Information, only to authorized individuals;


(d) Protect by encryption or other appropriate means, all Nonpublic Personal Information while being transmitted wirelessly or on a public internet network and all Nonpublic Personal Information stored on a laptop computer or other portable computing or storage device or media;

(c)(e) Ensure the use of secure development practices for in-house developed applications utilized by the Licensee and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Licensee;

(d)(f) Ensure that Information System modifications are consistent with the Licensee’s Information Security Program;

(e)(g) Utilize multi-factor authentication procedures, segregation of duties, and employee background checks for employees with responsibilities for, or access to, Nonpublic Personal Information; any individual accessing Nonpublic Information in the Licensee’s internal network from an external network;

(h) Regularly test or monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, Information Systems;

(f)(i) Ensure the Information Security Program includes audit trails designed to detect Cybersecurity Events;

(g)(j) Implement response procedures that specify actions to be taken when the Licensee suspects or detects that unauthorized individuals have gained access to Information Systems;

(h)(k) Implement measures to protect against destruction, loss, or damage of Nonpublic Personal Information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and

(i)(l) Develop, implement, and maintain procedures for the secure disposal of Nonpublic Personal Information in any format.

(3) Include cybersecurity risks in the Licensee’s enterprise risk management process; and

(4) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.
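Items (h) and (i) above ask for monitoring and audit trails that detect Cybersecurity Events, and Section 3C defines that term to cover unsuccessful attempts as well as successful access; item (g) singles out access to the internal network from an external network. The following is an added example (not code from the Model, the NAIC or any licensee) that runs such a check over a constructed audit trail. The log format, the internal address range, the failure threshold and the bulk-export threshold are all assumptions for illustration; the Model specifies none of them. The point it makes is that a detection designed only around successful logins would miss the attempt-stage events the definition includes, while the export check is what later tells the investigation under Section 5 whether Nonpublic Information was involved.

```python
"""Audit-trail check over constructed log lines, flagging events that meet
the Model's "Cybersecurity Event" definition (attempts as well as successes)
and noting bulk data movement that bears on Nonpublic Information.

Added example. Log format, INTERNAL_NETS, thresholds and the sample records
are assumptions; nothing here is specified by the Model."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail in an assumed key=value format.
SAMPLE_LOG = """\
2017-05-01T09:12:03Z host=claims-db user=jsmith src=10.0.4.21 action=login result=success
2017-05-01T09:12:10Z host=claims-db user=jsmith src=10.0.4.21 action=query table=policyholders rows=12
2017-05-01T22:41:07Z host=claims-db user=admin src=203.0.113.45 action=login result=failure
2017-05-01T22:41:12Z host=claims-db user=admin src=203.0.113.45 action=login result=failure
2017-05-01T22:41:18Z host=claims-db user=admin src=203.0.113.45 action=login result=failure
2017-05-01T22:41:25Z host=claims-db user=admin src=203.0.113.45 action=login result=failure
2017-05-01T22:41:31Z host=claims-db user=admin src=203.0.113.45 action=login result=failure
2017-05-01T22:41:40Z host=claims-db user=admin src=203.0.113.45 action=login result=success
2017-05-01T22:42:01Z host=claims-db user=admin src=203.0.113.45 action=export table=policyholders rows=48000
2017-05-02T03:15:09Z host=web-portal user=mlee src=198.51.100.7 action=login result=failure
2017-05-02T03:15:20Z host=web-portal user=mlee src=198.51.100.7 action=login result=failure
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
FAILURE_THRESHOLD = 5      # failed logins per (src, user) inside WINDOW
WINDOW = timedelta(minutes=5)
BULK_ROWS = 1000           # rows moved that we treat as NPI at scale


def parse(line):
    """Parse one record: ISO timestamp followed by key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(src):
    return any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return a list of (kind, detail) findings in log order.

    kind == "attempt": an unsuccessful attempt (brute force against one
        account from one source); still a Cybersecurity Event under 3C.
    kind == "access": a successful login from outside the internal network,
        the case item (g) above ties to Multi-Factor Authentication.
    kind == "npi": bulk export of records, relevant to whether Nonpublic
        Information was involved (Section 5 investigation)."""
    findings = []
    failures = defaultdict(list)  # (src, user) -> timestamps inside WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        key = (r.get("src"), r.get("user"))
        if r.get("action") == "login":
            if r.get("result") == "failure":
                failures[key].append(r["ts"])
                recent = [t for t in failures[key] if r["ts"] - t <= WINDOW]
                failures[key] = recent
                if len(recent) == FAILURE_THRESHOLD:
                    findings.append(("attempt",
                        f"{len(recent)} failed logins for {key[1]} from {key[0]}"))
            elif r.get("result") == "success" and not is_internal(r["src"]):
                findings.append(("access",
                    f"external login for {r['user']} from {r['src']} on {r['host']}"))
        elif r.get("action") == "export" and int(r.get("rows", 0)) >= BULK_ROWS:
            findings.append(("npi",
                f"{r['rows']} rows exported from {r['table']} by {r['user']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"{kind:8s} {detail}")
```

On the sample trail the two failed logins for mlee stay below the threshold and produce nothing, while the admin sequence yields three findings in order: the fifth failure (an attempt), the external success (access), and the 48,000-row export (data movement that the Section 5 investigation would have to scope).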

E. Oversight by Board of Directors

If the Licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:

(1) Oversee the development, implementation, and maintenance of the Licensee’s Information Security Program, including assigning specific responsibility for the plan to the Licensee’s executive management or its delegates;

(2) Require the Licensee’s executive management or delegates thereof to report in writing at least annually, the following information:

(a) The overall status of the Information Security Program and the Licensee’s compliance with this Act; and

(b) Material matters related to the Information Security Program, addressing issues such as risk assessment, risk management and control decisions, Third-Party Service Provider arrangements, results of testing, Data Breaches Cybersecurity Events or violations and management’s responses thereto, and recommendations for changes in the Information Security Program.

(3) If executive management delegates responsibilities under this section it shall oversee the development, implementation and maintenance of the Licensee’s Information Security Program prepared by the delegate(s) and shall receive a report from the delegate(s) complying with the requirements of the report to the Board of Directors above.

F. Oversight of Third-Party Service Provider Arrangements

(1) The Licensee shall exercise due diligence in selecting its Third-Party Service Providers; and

(2) Require its Third Party Service Providers by contract to implement appropriate measures designed to meet the objectives of this section and take appropriate steps to confirm that its Third-Party Service Providers have satisfied these obligations.

(1) Each Licensee shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Licensee and shall address to the extent applicable:

(a) The identification and risk assessment of Third-Party Service Providers;

(b) Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Licensee;

(c) Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

(d) Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

(2) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including, to the extent applicable, guidelines addressing:

(a) The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, to limit access to relevant Information Systems and Nonpublic Information;

(b) The Third-Party Service Provider’s policies and procedures for use of Encryption to protect Nonpublic Information in transit and at rest;

(c) Notice to be provided to the Licensee in the event of a Cybersecurity Event directly impacting the Licensee’s Information Systems or the Licensee’s Nonpublic Information being held by the Third-Party Service Provider; and

(d) Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Licensee’s Information Systems or Nonpublic Information.

G. Program Adjustments

The Licensee shall monitor, evaluate and adjust, as appropriate, itsthe Information Security Program consistent with any relevant changes in technology, the sensitivity of its Nonpublic Personal Information, internal or external threats to information, and the Licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to iInformation sSystems.


Section 5. Investigation of a Cybersecurity EventData Breach

A. If the Licensee learns that a Cybersecurity Event Data Breach of Personally Identifiable Information has or may have occurred the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall conduct a prompt investigation.

B. During the investigation, the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall, at a minimum, determine as much of the following information as possible:

(1) Determine whether a Cybersecurity Event has occurred; Assess the nature and scope of the Data Breach or potential Data Breach;

(2) Assess the nature and scope of the Cybersecurity EventIdentify any Personally Identifiable Information that may have been involved in the Data Breach;

(3) Identify any Nonpublic Information that may have been involved in the Cybersecurity EventDetermine whether a Data Breach or a Data Breach Without Use of Personally Identifiable Information has occurred; and

(4) Perform or oversee reasonable measures to restore the security of the iInformation sSystems compromised in the Cybersecurity Event Data Breach or Data Breach Without Use of Personally Identifiable Information in order to prevent further unauthorized acquisition, release or use of Personally IdentifiableNonpublic Information in the Licensee’s possession, custody or control.

C. If the Licensee learns that a Data BreachCybersecurity Event has or may have occurred in a system maintained by a Third-Party Service Provider, the Licensee will confirm and document that the Third-Party Service Provider has completed the steps listed in Section 5B above.

D. The Licensee shall maintain records concerning all Cybersecurity Events for a period of at least five years and shall produce those records upon demand of the Commissioner.

D. Notification to the Commissioner

As expediently as possible and without unreasonable delay but no later than three (3) business days after determining that a Data Breach or a Data Breach Without Use of Personally Identifiable Information may have occurred, the Licensee shall directly or through an outside vendor and/or service provider designated to act on behalf of the Licensee for that purpose notify the Commissioner that a Data Breach or a Data Breach Without Use of Personally Identifiable Information may have occurred. The Licensee shall provide as much of the following information as possible. The Licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the Data Breach.

(1) Date of the Data Breach or a Data Breach Without Use of Personally Identifiable Information;

(2) Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of Third Party Service Providers;

(3) How the Data Breach or a Data Breach Without Use of Personally Identifiable Information was discovered;

(4) If the Licensee has determined the incident was a Data Breach Without Use of Personally Identifiable Information, the basis for this determination.

(5) In the event of a Data Breach, whether any lost, stolen, or breached information has been recovered and if so, how this was done;

(6) The identity of the source of the Data Breach;


(7) Whether Licensee has filed a police report or has notified any regulatory, government or law enforcement agencies and, if so, when such notification was provided;

(8) Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information or types of information allowing identification of the Consumer;

(9) If the information was Encrypted, the specific encryption, method used and whether the encryption, redaction or protection process or key was also acquired without authorization;

(10) The period during which the information system was compromised by the Data Breach;

(11) The number of total Consumers and Consumers of each state affected by the Data Breach. The Licensee shall provide the best estimate in the initial report to the commissioner and states and update this estimate with each subsequent report to the Commissioner pursuant to this section;

(12) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;

(13) Description of efforts being undertaken to remediate the situation which permitted the Data Breach to occur;

(14) A copy of the Licensee’s privacy policy and a statement outlining the steps the Licensee will take to investigate and notify Consumers affected by the Data Breach; and

(15) Name of a contact person who is both familiar with the Data Breach and authorized to act for the Licensee.

Section 6. Notification of a Cybersecurity Event Data Breach

A. Notification to the Commissioner

Each Licensee shall notify the Commissioner as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred if:

(1) The Licensee is an insurer domiciled in this state; or

(2) The Licensee reasonably believes that the Nonpublic Information involved is of 250 or more residents of this state and that is either of the following:

(a) A Cybersecurity Event impacting the Licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or

(b) A Cybersecurity Event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Licensee.

B. The Licensee shall provide as much of the following information as possible. The Licensee shall provide the information in electronic form as directed by the Commissioner. The Licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the successful Cybersecurity Event.

(1) Date of the Cybersecurity Event;

(2) Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of Third-Party Service Providers;


(3) How the Cybersecurity Event was discovered;

(4) Whether any lost, stolen, or breached information has been recovered and if so, how this was done;

(5) The identity of the source of the Cybersecurity Event;

(6) Whether Licensee has filed a police report or has notified any regulatory, government or law enforcement agencies and, if so, when such notification was provided;

(7) Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information or types of information allowing identification of the Consumer;

(8) The period during which the Information System was compromised by the Cybersecurity Event;

(9) The number of total Consumers in this state affected by the Cybersecurity Event. The Licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;

(10) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;

(11) Description of efforts being undertaken to remediate the situation which permitted the Cybersecurity Event to occur;

(12) A copy of the Licensee’s privacy policy and a statement outlining the steps the Licensee will take to investigate and notify Consumers affected by the Cybersecurity Event; and

(13) Name of a contact person who is both familiar with the Cybersecurity Event and authorized to act for the Licensee.

C. Notification to Consumers. The Licensee shall comply with [insert states’ data breach notification law] and provide a copy of the notice sent to Consumers under that statute to the Commissioner.

A. If, during an investigation under Section 5, the Licensee determines that an unauthorized acquisition of Personally Identifiable Information involved in a Data Breach has occurred, the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall notify the following within three (3) business days of making such a determination:

(1) The commissioners of all the states in which a Consumer whose Personally Identifiable Information was or may have been part of the Data Breach resides and the Licensee’s domiciliary commissioner;

(2) The relevant Federal and state law enforcement agencies, as appropriate; and

(3) Any relevant payment card network, if the Data Breach involves payment card numbers.

B. Notification to Consumer Reporting Agencies

The Licensee directly or through an outside vendor and/or service provider designated to act on behalf of the Licensee shall notify, as expediently as possible and without unreasonable delay, and in no case later than sixty (60) calendar days after determining that a Data Breach has occurred, each Consumer Reporting Agency, if the Data Breach involves Personally Identifiable Information relating to 500 or more Consumers. Notification must include the date of the Data Breach, an estimate of the number of persons affected by the Data Breach, if known, and the actual or anticipated date that persons were or will be notified of the Data Breach.


C. Notification to Consumers

(1) The Licensee directly or through an outside vendor and/or service provider designated to act on behalf of the Licensee for that purpose shall notify all Consumers whose Personally Identifiable Information was part of a Data Breach as soon as possible and without unreasonable delay, and in no case later than sixty (60) calendar days after determining that a Data Breach has occurred. Data Breach notice requirements do not apply to incidents of Data Breach Without Use of Personally Identifiable Information.

(2) If the Consumer is a resident of a state that requires the Licensee to provide notice of a Data Breach, the notice to the Consumer of the Data Breach required under this Section 6 may be provided under either that state’s law or under this Section 6.

(3) As soon as possible but in no event later than the date notice is sent to Consumers, the Licensee shall provide the Commissioner a copy of the communication to Consumers. The Licensee’s obligation under this section is limited to situations in which the Personally Identifiable Information of residents of this state is affected by the Data Breach.

As part of the Licensee’s data security program, the Licensee shall prepare a draft notice for pre-approval by the commissioner so that in the event of the Data Breach the licensee need only add the information specific to the Data Breach.

The notice must be written in plain language and include the following information:

(a) A description of the type of information involved in the Data Breach;

(b) A description of the action that the Licensee or Third-Party Service Provider has taken to safeguard the information;

(c) A summary of rights of victims of identity theft prepared under § 609(d) of the Fair Credit Reporting Act (15 U.S.C. 1681g(d));

(d) The steps Consumers can take to protect themselves from identity theft or fraud, which shall include an explanation that Consumers shall have a right to do the following:

(i) Place a 90-day initial fraud alert on their consumer reports;

(ii) Place a seven-year extended fraud alert on their consumer reports;

(iii) Place a credit freeze on their consumer reports;

(iv) Receive a free copy of their consumer report from each credit bureau;

(v) Receive fraudulent information related to the Data Breach removed (or “blocked”) from their consumer reports;

(vi) Dispute fraudulent or incorrect information on their consumer reports;

(vii) Stop creditors and debt collectors from reporting fraudulent accounts related to the Data Breach;

(viii) Receive copies of documents related to the identity theft; and

(ix) Stop contacts from debt collectors related to the Data Breach;

(e) Contact information for the nationwide Consumer Reporting Agencies;


(f) Contact information for the Licensee or its designated call center including email, internet and telephonic methods of contact; and

(g) An offer from the Licensee to the Consumer to provide appropriate identity theft protection services free of cost to the Consumer for an appropriate period of time or other consumer protections ordered by the Commissioner pursuant to Section 7 of this Act.

(4) The Licensee will provide the Consumer notification:

(a) In writing by first class mail sent to the last known address of the Consumer maintained in the records of the Licensee; or

(b) Electronically if the Consumer has agreed to be contacted through e-mail or other means pursuant to [insert reference to state Electronic Transactions Act.]; or

(c) By substitute notification on the Licensee’s publicly accessible website and in print and broadcast media statewide in the state or states where the affected Consumers reside, if providing written or electronic notification is not feasible due to:

(i) Insufficient contact information for the Consumers who must be notified;

(ii) Exigent circumstances providing a legitimate reason for substitute notice.

(d) Substantive notification must be communicated to the Commissioner along with an explanation of the basis for the substitute notification.

D. Notice Regarding Cybersecurity Events Data Breaches of Third-Party Service Providers

(1) In the event case of a Data BreachCybersecurity Event in a system maintained by a Third-Party Service Provider, for which the Licensee has received notice, the Licensee shall treat such event as it would under Section 6A. the Licensee shall comply with the notice requirement of Sections 6A through C unless the Third-Party Service Provider sends the notices on behalf of the Licensee. In the event that the Licensee relies upon the Third-Party Service Provider to send the notices, the Licensee will confirm and document that the notices were actually sent and that the notices satisfy the requirements of this Act. If the notices sent by the Third-Party Service Provider are not in compliance with these requirements, the Licensee will be responsible for the necessary corrections or additions to the notices.

(2) The computation of Licensee’s deadlines shall begin on the day after the Third-Party Service Provider notifies the Licensee of the Cybersecurity Event Data Breach or the Licensee otherwise has actual knowledge of the Cybersecurity EventData Breach, whichever is sooner.

(3) Nothing in this Act shall prevent or abrogate an agreement between a Licensee and another Licensee, a Third-Party Service Provider or any other party to fulfill any of the investigation requirements imposed under Section 5 or notice requirements imposed under Section 6.

E. Notice Regarding Cybersecurity Events Data Breaches of Insurers to ReinsurersReinsurers to Insurers

(1) In the event case of a Cybersecurity EventData Breach involving Personally IdentifiableNonpublic Information that is used by the Licensee that is acting as an assuming insurer or in the possession, custody or control of a Licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected Consumers:, Tthe assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of making the determination that a Cybersecurity Event has occurred; and


(b) The ceding insurers that have a direct contractual relationship with the affected Consumers shall fulfill the notification requirements imposed under Section 6A through C.

(2) In the event case of a Cybersecurity EventData Breach involving Personally IdentifiableNonpublic Information that is used by the Licensee or in the possession, custody or control of a Third-Party Service Provider of a Licensee that is acting as an assuming insurer and does not have a direct contractual relationship with the affected Consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of receiving notice from its Third-Party Service Provider that a Cybersecurity Event has occurredthe Third-Party Service Provider shall notify the Licensee of the Data Breach immediately upon determination that a breach has occurred.

F. Notice Regarding Cybersecurity Events Data Breaches of Insurers to Producers of Record

(1) (1) In the event case of a Cybersecurity Event Data Breach involving Personally IdentifiableNonpublic Information that is used by the Licensee or in the possession, custody or control of a Licensee that is an insurer or its Third-Party Service Provider and for which thea Consumer accessed the insurer’s services through an independent insurance producer, the insurer shall, without unreasonable delay, notify the producers of record of all affected Consumers within 72 hours of making the determination that a Cybersecurity Event has occurred.

(1)(2) The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual Consumer.

(2) In the event of a Data Breach where two or more Licensees have notice obligations under Section 6 of this regulation, the Licensees may satisfy those obligations with a single notice to the affected Consumers. If a Licensee relies upon another Licensee to send the notices, the Licensee will confirm and document that the notices were actually sent and that the notices satisfy the requirements of this Act. If the notices sent are not in compliance with these requirements, the Licensee will be responsible for the necessary corrections or additions to the notices.

G. Notwithstanding the requirements of Section 6A, B, and C, notice may be delayed where requested by an appropriate state or federal law enforcement agency. The Commissioner shall be notified of any such request unless the Licensee is directed not to do so by an appropriate state or federal law enforcement agency.

Section 7. Consumer Protections Following a Data Breach

After reviewing the Licensee’s Data Breach notification, the Commissioner shall prescribe the appropriate level of consumer protection required following the Data Breach and how long that protection will be provided. The Commissioner may order the Licensee to offer to pay for an appropriate period of identity theft protection for affected Consumers, pay for a credit freeze, or take other action deemed necessary to protect Consumers. In exercising this authority, the Commissioner shall coordinate with commissioners of other states, to the extent appropriate.

Drafting Note: Many states have statutes providing that a Consumer Reporting Agency cannot charge a fee for a credit freeze on a consumer file when the consumer is a victim of identity theft, which is shown by providing a police report. For an example, see Tex. Bus. & Com. Code § 20.04(b). As an alternative to having the Licensee pay for the credit freeze, a state should consider referencing that law and providing that the credit freeze is free for consumers after the data breach is reported to law enforcement by the Licensee, by showing a data breach notification letter from the Licensee. The state may also need to amend its free credit freeze law to ensure this is covered.

Section 87. Power of Commissioner

A. The Commissioner shall have power to examine and investigate into the affairs of any Licensee to determine whether the Licensee has been or is engaged in any conduct in violation of this Act. This power is in addition to the powers which the Commissioner has under [insert applicable statutes governing the investigation or examination of insurers]. Any such investigation or examination shall be conducted pursuant to [insert applicable statutes governing the investigation or examination of insurers].

Section 9. Enforcement


B. Whenever the Commissioner has reason to believe that a Licensee has been or is engaged in conduct in this state which violates this Act, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this Act.

Section 108. Confidentiality

A. Any documents, materials or other information in the control or possession of the department of insurance that are furnished by a Licensee or an employee or agent thereof acting on behalf of Licensee pursuant to Section 6B5D(2), (3), (4), (5), (8), (6), (9), (10), and (11) (12), or that are obtained by the Commissioner in an investigation or examination pursuant to Section 78 of this Act shall be confidential by law and privileged, shall not be subject to [insert reference to state open records, freedom of information, sunshine or other appropriate law], shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. However, the Commissioner is authorized to use the documents, materials or other information in the furtherance of any regulatory or legal action brought as a part of the Commissioner’s duties.

B. Neither the Commissioner nor any person who received documents, materials or other information while acting under the authority of the Commissioner shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to Section 10A8A.

C. In order to assist in the performance of the Commissioner’s duties under this Act, the Commissioner:

(1) May share documents, materials or other information, including the confidential and privileged documents, materials or information subject to Section 10A8A, with other state, federal, and international regulatory agencies, with the National Association of Insurance Commissioners, its affiliates or subsidiaries, and with state, federal, and international law enforcement authorities, provided that the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material or other information;

(2) May receive documents, materials or information, including otherwise confidential and privileged documents, materials or information, from the National Association of Insurance Commissioners, its affiliates or subsidiaries and from regulatory and law enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any document, material or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the document, material or information; and

(3) [OPTIONAL] May enter into agreements governing sharing and use of information consistent with this subsection.

D. No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the Commissioner under this section or as a result of sharing as authorized in Section 10C8C.

E. Nothing in this Act shall prohibit the Commissioner from releasing final, adjudicated actions including for cause terminations that are open to public inspection pursuant to [insert appropriate reference to state law] to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners, its affiliates or subsidiaries.

Drafting Note: States conducting an investigation or examination under their examination law may apply the confidentiality protections of that law to such an investigation or examination.

Section 9. Exceptions

A. The following exceptions shall apply to this Act:

(1) A Licensee with fewer than ten employees, including any independent contractors is exempt from Section 4 of this Act;


(2) A Licensee subject to Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996 (Health Insurance Portability and Accountability Act) that has established and maintains an Information Security Program pursuant to such statutes, or rules, regulations, procedures or guidelines established thereunder, is deemed to be in compliance with the requirements of Section 4. If a Licensee relies upon this provision it shall provide to the Commissioner, upon request, the specific federal statute or regulation upon which it relies and the manner in which it asserts compliance;

(3) An employee, agent, representative or designee of a Licensee, who is also a Licensee, is exempt from Section 4 and need not develop its own Information Security Program to the extent that the employee, agent, representative or designee is covered by the Information Security Program of the other Licensee.

B. In the event that a Licensee ceases to qualify for an exception, such Licensee shall have 180 days to comply with this Act.

Section 1110. Penalties

In the case of a violation of this Act, a Licensee may be penalized in accordance with [insert general penalty statute].

Section 1211. Rules and Regulations [OPTIONAL]

The Commissioner may, in accordance with [the state statute setting forth the ability of the Department to adopt regulations] issue such regulations as shall be necessary to carry out the provisions of this Act.

Drafting Note: This provision is applicable only to states requiring this language.

Section 1312. Severability

If any provisions of this Act or the application thereof to any person or circumstance is for any reason held to be invalid, the remainder of the Act and the application of such provision to other persons or circumstances shall not be affected thereby.

Section 1413. Effective Date

This Act shall take effect on [insert a date which allows at least a one year interval between the date of enactment and the effective date]. Licensees shall have 180 days from the effective date of this Act to implement Section 4 of this Act and two years from the effective date of this Act to implement Section 4(F) of this Act.


Hemisphere Comments


Sara, I wanted to get this out last week but was unable to. It appears some solid forward progress was made on the latest version and the members on the call did not seem to be as "passionate" about their positions - meaning more consensus was evident. In Section 3(c), there were some issues raised on what qualifies as a security event. I would like to suggest the following: "For the purpose of this Section, a cybersecurity event is defined as an action (malicious or unintentional), initiated externally or internally, resulting in one of the following:

System disruption (including ransomware)

System damage or destruction

Unauthorized or unapproved disclosure of sensitive or otherwise protected data as required by statute or law

Unauthorized or unapproved access to funds

Impacting the integrity and accuracy of data as to financially benefit an individual or entity

" Section 4(a) "Commensurate with the size and complexity of the Licensee or as otherwise defined by the applicable State Law where licensee is registered, the nature and scope of the Licensee’s activities and the sensitivity of the Nonpublic Personal Information used by the Licensee or in the Licensee’s possession, custody or control," In States where such laws are not available, the licensee shall document and notify the Board of Commissioners of the method or model intended for use to mitigate their risk of exposure to cyber risk, subject to approval. The word "Commensurate" is likely not a metric that can easily be measured (too subjective) and therefore unlikely to have any teeth in the face of a sanction imposed that would surely be overturned because the sanction and/or penalty would come under scrutiny and potentially fail to establish a prima facie basis. On a side note, I wanted to see if we can start to move forward with facilitated introductions with NY, RI and SC as discussed in Denver. We will have the online portion of CYBER STANDARDS 2.0 ready for inclusion with these pilots in the next couple of weeks.


V/r, Carter Carter Schoenberg, CISSP President and Chief Executive Officer North American Operations HEMISPHERE Cyber Risk Management, LLC. [email protected] (703) 881-7785 www.hemispherecyber.com


IIABA Comments


May 16, 2017

The Honorable Ray Farmer
Director of Insurance
State of South Carolina
1201 Main Street, Suite 1000
Columbia, SC 29202

The Honorable Elizabeth Dwyer
Superintendent of Insurance
State of Rhode Island
1511 Pontiac Avenue
Cranston, RI 02920

Dear Director Farmer and Superintendent Dwyer:

On behalf of the Independent Insurance Agents and Brokers of America (IIABA), the largest insurance producer organization in the country, I write to offer our organization’s views concerning the fourth draft of the Insurance Data Security Model Law and the development of this proposal in general. We thank you for the opportunity to once again provide our perspective.

The fourth draft is a dramatic and welcome improvement, and IIABA recognizes and appreciates the deliberative and thoughtful efforts of the working group. This comment letter does not focus in detail on the many noteworthy and very positive revisions, but it would be a mistake to overlook or downplay the considerable progress that has been made. The latest version of the model leaves only a small set of issues to be further addressed, and we are optimistic that the development of this proposal may soon come to a favorable conclusion. The pages that follow address these remaining issues – some are significant, but most are minor and technical – and IIABA looks forward to working with you in good faith in the days and weeks to come.

Third Party Issues

IIABA’s most significant remaining concern is the manner in which the proposal imposes excessive burdens and unrealistic duties on licensees in relation to their engagement with third-party service providers, and we would be compelled to oppose the model act unless these provisions are deleted or modified. Our views on these issues have been well-documented, and we have outlined our perspective and provided alternative text on numerous occasions.
IIABA acknowledges that it may be appropriate to impose certain obligations on licensees vis-à-vis third parties, but it is inefficient, ineffective, and unreasonable to expect licensees to oversee and dictate the data security practices of much larger and geographically distant vendors. Most licensees lack the ability to prescribe business practices and contractual terms to large and sophisticated vendors, and the reality is that many service providers present contracts to licensees on a take-it-or-leave-it basis and without meaningful opportunity for negotiation.

IIABA is especially troubled by the introduction of a new version of Section 4(F) in the latest draft. This subsection would require licensees to implement certain written policies and procedures concerning third parties, but it does specify what duties and obligations are established and how a particular entity would comply with these mandates. It suggests, among other requirements, that a licensee must somehow dictate the “[m]inimum cybersecurity practices required to be met” by the third parties and periodically assess the adequacy of vendor cybersecurity practices. The provision also requires the development of “relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers” and makes reference to such measures as the use of encryption by vendors, representations and warranties, and third-party access controls. It is unclear, however, what all of this means and how licensees would comply.

A fundamental problem with the NAIC’s approach to these issues is that it forces insurance licensees to police the actions of larger and more sophisticated vendors. If the working group wishes to address the conduct of third-party service providers, it is essential that you also impose appropriate requirements on these entities directly. The working group could easily establish objective and specific requirements for businesses that accept sensitive information from insurance entities, and this would be a far more effective way to achieve the desired outcomes. There is no downside to addressing third-party service provider conduct directly, and we urge you to do so.

We are also concerned by Section 5(C). This provision requires licensees to “confirm and document” that a service provider has satisfied certain investigation requirements in the event that the vendor is the victim of a data breach. We question the public policy benefit of such a requirement, and we also wonder how a small licensee might satisfy this mandate. It is unclear what leverage a licensee has to compel a service provider to meet the specified obligations and what actions a licensee would take if a vendor is nonresponsive or noncompliant. Accordingly, we urge the working group to delete this provision. An alternative way to address this issue would be to impose these duties on third parties by statute or to require them to attest to licensees that they have satisfied these investigation requirements. The approach utilized in the model, however, is unrealistic. For the reasons noted above, modification of Sections 4(F) and 5(C) is essential.
IIABA would welcome the opportunity to discuss these particular issues in greater detail with the working group, but one possible way to restructure Sections 4(F) and 5(C) follows below:

Section 4(F) Oversight of Third-Party Service Provider Arrangements

(1) The Licensee shall exercise due diligence in selecting Third-Party Service Providers; and

(2) A Third-Party Service Provider shall:

(a) Implement appropriate administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider;

(b) In the event of a Cybersecurity Event directly impacting the Licensee’s Information Systems and Nonpublic Information being held by the Third-Party Service Provider, (i) identify any Nonpublic Information that may have been involved in the Cybersecurity Event, and (ii) perform or oversee reasonable measures to restore the security of the Information Systems compromised in the Cybersecurity Event;

(c) Provide notice to a Licensee in the event of a Cybersecurity Event directly impacting the Licensee’s Information Systems and Nonpublic Information being held by the Third-Party Service Provider; and

(d) Upon request from a licensee, represent and warrant compliance with the requirements of subparagraphs (a), (b), and (c) in writing.

Section 5(C)

If the Licensee learns that a Cybersecurity Event has or may have occurred in a system maintained by a Third-Party Service Provider, the Licensee will confirm and document that the Third-Party Service Provider has completed the steps listed in Section 5B above.

We also urge the working group to review Section 6(D), which requires licensees to notify regulators when a third-party service provider is the victim of a breach. While IIABA does not have strong concern with this new mandate, we wonder what would occur if a large vendor with hundreds or thousands of insurance industry clients is breached. In such a scenario, many licensees would be required to submit duplicative reports and information received secondhand to state insurance departments. This issue could be addressed more effectively by waiving the licensee’s notice obligations if the vendor that suffers the breach communicates the required information to regulators directly and notifies the licensee that this has occurred. It should also be noted that Section 6(D)(3) already implies that service providers are authorized to provide notice of cybersecurity events to regulators on behalf of licensees, and allowing third parties to do so is more appropriate and will lead to more meaningful disclosure since they will have firsthand knowledge of the cybersecurity breach and subsequent events. One possible way to address this issue is to revise Section 6(D)(1) in the following manner:

Section 6(D) Notice Regarding Cybersecurity Events of Third-Party Service Providers

(1) In the case of a Cybersecurity Event in a system maintained by a Third-Party Service Provider, for which the Licensee has received notice, the Licensee shall treat such event as it would under Section 6A unless the Third-Party Service Provider provides the notice to the Commissioner required under Section 6A.

Exceptions

IIABA recently held its signature annual event in Washington, DC, and we used the meeting as an opportunity to brief our national and state association leaders on the progress made in the fourth draft and to solicit input on this latest version. There was universal recognition of the significant improvement, and the revision that received the most praise was the addition of Section 9. IIABA’s leadership believes the inclusion of such targeted exemptions is appropriate, but there is concern that the Section 9(A)(1) provision is crafted too narrowly. Many believe the threshold should be modestly increased so that it applies to licensees with 20 or fewer employees. Revising the proposal in this manner is warranted, especially in light of the ratcheting up of the information security program requirements in Section 4(D) and elsewhere. Such a change would also dramatically increase the likelihood that this model might be enacted on a consistent basis across the country.

Definition of “Nonpublic Information”

The model act now uses the term “nonpublic information” to identify the categories of sensitive information that are addressed by the proposal’s security requirements, and the new definition is an improvement over some utilized in the past. This definition is significant and determines the types of data that are subject to Section 4’s rigorous standards. It is important that this term is not too expansive and that it not require licensees to safeguard non-sensitive information in unnecessarily demanding ways. Although the new definition is an improvement, its scope remains too broad and includes categories of information that cannot be used to identify any particular individual. Information that cannot be used to identify an individual poses no threat to insurance consumers or the public, and the data security requirements of this model act should not be applied to such material. Section 3(I)(1) sweeps certain types of business information within the definition, and this element should be deleted because it does not include material that could be used to identify a particular individual. Section 3(I)(3) makes clear that certain types of health-related information are included within the scope of the definition, but we urge the working group to refine this provision so that it only captures information or data that can identify a particular person. Specifically, IIABA proposes the following revisions to this important definition:

Section 3 Definitions

(I) “Nonpublic information” means information that is not Publicly Available Information and is:

(1) Business related information of a licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the licensee;

(12) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (a) Social security number, (b) Drivers’ license number or non-driver identification card number, (c) Financial Aaccount number, credit or debit card number, (d) Any security code, access code or password that would permit access to an individual’s financial account, or (e) Biometric records;

(23) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual, which can be used to identify a particular individual, and that relates to: (a) The past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (b) The provision of health care to any individual, or (c) Payment for the provision of health care to any individual.

[Note – As indicated in the proposed revision above, we also urge the working group to revise Section 4(I)(2)(c) to indicate that the definition applies to “financial” account numbers. This distinction was made in earlier versions of the model (and inadvertently dropped in the fourth version), and this revision would make the provision consistent with Section 4(I)(2)(d) (which makes reference to “financial accounts”).]

Risk Management

As we have noted in previous comment letters, IIABA is concerned by Section 4(D)(1) and proposes clarifying revisions that do not alter the intent or effect of the model act. First, we believe Section 4(D)(1) should more closely mirror Section 4(A). Section 4(A) would require certain licensees to develop data security programs that are commensurate with an entity’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information in its possession, custody, or control. Section 4(D)(1) references some of these considerations, but others (including references to the size and complexity of the licensee) have been dropped. Second, we see no need for Section 4(D)(1)(b), which was added to the proposal in the third version. This unnecessary provision duplicates Section 4(D)(1)(a) in certain respects and, of greater concern, makes use of the ambiguous phrase “best practices.” No justification for Section 4(D)(1)(b) and the use of the “best practices” terminology has ever been provided, and we urge the working group to revise Section 4(D) in the following manner:

Section 4(D) Risk Management

Based on its Risk Assessment, the Licensee shall:

(1) (a) Design its Information Security Program to mitigate the identified risks, commensurate with the sensitivity of the information, as well as the size and complexity of the Licensee, and the nature and scope of the Licensee’s activities, including consideration of whether implementing the security measures listed in Section 4D(2) is appropriate.

(b) Determine appropriate security measures listed in Section 4D(2). Licensees shall use the best practices for cybersecurity protection, detection, and remediation available commensurate with its nature, scope, scale and complexity.

(2) Implement the following security measures, as appropriate:

(2) Consider whether the following security measures are appropriate for the licensee and, if so, implement such measures: [ …]

Notification of a Cybersecurity Event

Section 6(A) requires a licensee to notify the commissioner of a cybersecurity event “as promptly as possible,” and we believe this requirement is somewhat unreasonable as currently drafted. If a licensee were to truly comply with such a mandate, it would be obligated to provide this notice as soon as it determines that a cybersecurity event has occurred. It would be more appropriate and reasonable to require notification without unreasonable delay and mandate initial disclosure of such events no later than 72 hours after a determination is made. Specifically, we propose that Section 6(A) be revised in the following manner:

Section 6(A) Notification to the Commissioner

Each Licensee shall notify the Commissioner without unreasonable delay as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred if: [ … ]

Effective Date

The revised proposal requires compliance with all aspects of Section 4 (except for subsection (F)) within 180 days of the effective date. Within that period, licensees subject to the requirements of Section 4 would be required to perform a risk assessment, implement an information security plan based on the findings of the assessment, potentially secure vendors to perform either or both services, revise existing business practices to come into compliance, obtain any necessary new technology, and take other related compliance measures. This is a significant amount of work to be performed, and six months is a fairly small window. For these reasons, we urge the working group to consider providing licensees with a lengthier amount of time to achieve compliance. We would welcome a one year timeframe, but any greater period of time would be appreciated.

Other Issues

• Section 2(B) utilizes the word “compliments” and should use “complements” instead.

• Section 4(D)(2)(c) would require certain licensees to consider whether to “[r]estrict access at physical locations concerning Nonpublic Information, only to authorized individuals.” Since insurance agencies and other small licensees will be open to the general public and will contain nonpublic information, we urge the NAIC to consider rephrasing the provision so that it cannot be interpreted as requiring licensees to close their premises to customers. Specifically, we propose that this provision be redrafted in the following or in some similar manner:

“At locations containing Nonpublic Information, restrict physical access to Nonpublic Information to authorized individuals only.”

• Section 4(D)(2)(e) would require certain licensees to evaluate, assess, and test the security of externally developed applications used by the licensee. Most licensees will be unable to comply with such a sweeping mandate, and, for that reason, we urge the working group to eliminate this particular requirement.

• Section 4(D)(2)(g) has been revised so that it requires certain licensees to “[u]tilize multi-factor authentication procedures, segregation of duties, and employee background checks for any individual assessing Nonpublic Information in the Licensees internal network from an external network.” This provision, which previously applied in connection with the employees of a licensee, now applies to individuals that are not employees of a licensee. Licensees will have little practical ability to know for certain that other entities utilize the authentication procedures and segregation of duties standards contemplated by this provision, and they will have no way to perform background checks on non-employees. Accordingly, we urge the working group to return this provision to the version utilized in the third draft. That text follows below:

“Utilize multi-factor authentication procedures, segregation of duties, and employee background checks for employees with responsibilities for, or access to, Nonpublic Information.”

• In order to add some clarity and context, we propose that the first sentence of Section 6(B) be revised in the following manner:

“The A Licensee making the notification required by subsection (A) shall provide as much of the following information as possible.”

• The inclusion of Section 6(F) is very important to our association, and we have discussed the reasons why in detail in previous comment letters. During a recent call of the ad hoc drafting group, one of our insurer colleagues expressed concern about the subsection’s mandate to notify producers of record within 72 hours of a determination that a breach has occurred. IIABA would not oppose a modest liberalization of this timeframe or tying this provision in some manner to a state’s data breach notification law.


• The reference to “for cause terminations” in Section 8(E) seems misplaced and probably should be deleted.

• The new draft appropriately deleted several unnecessary references to “custody” and “control,” and we urge the working group to delete the remaining references.

Conclusion

IIABA thanks you and the working group for your consideration of our views and looks forward to working with you as the model law development process moves toward completion. If we can provide either of you with any additional information or assistance, please feel free to contact me by phone at 202-302-1607 or via email at [email protected].

Very truly yours,

Wesley Bissett Senior Counsel, Government Affairs


IRI Comments


Insured Retirement Institute

1100 Vermont Avenue, NW | 10th Floor

Washington, DC 20005 t | 202.469.3000

f | 202.469.3030

May 16, 2017

Sara Robben

NAIC Central Office

1100 Walnut Street

Kansas City, MO 64106-2197

Via email: [email protected]

Re: Comments on Insurance Data Security Model Law Version 4

Dear Ms. Robben:

On behalf of our members, the Insured Retirement Institute (“IRI”)1 respectfully submits these comments regarding the fourth version of the Insurance Data Security Model Law (the “model”). IRI acknowledges and appreciates the extraordinary effort the Cybersecurity Task Force has put towards drafting a model law. IRI and its members commend the decision to focus solely on data security provisions in this fourth version of the model law. IRI believes this version provides a path towards our shared goal of protecting consumers’ personal information against data security breaches.

Exclusivity and Uniformity

From the beginning of this process, the stated purpose of the model was to establish an exclusive standard to replace the current patchwork of 47 different state laws regulating data security and breaches; however, the model includes language that directly contradicts such a purpose. For this reason, IRI recommends reinserting the word “exclusive” back into Section 2A that was included in the third version but deleted from the fourth version of the model.

Definitions

Cybersecurity Event

As currently drafted, the definition of “Cybersecurity Event” in Section 3(C) would result in notification to commissioners for every single attempt made to breach a licensee’s cybersecurity system, even unsuccessful attempts. For large companies, there may be thousands of unsuccessful attempts per day, which, under the current model draft, would warrant notifications for each one. These unnecessary notifications would result in a tremendous waste of time and resources for both licensees and regulators.

1 IRI is the only national trade association that represents the entire supply chain of the retirement income industry. IRI has more than 500 member companies, including major life insurance companies, broker-dealers, banks, and asset management companies. IRI member companies account for more than 95% of annuity assets in the United States, include the top 10 distributors of annuities ranked by assets under management, and are represented by more than 150,000 financial professionals serving over 22.5 million households in communities across the country.

IRI believes removing the words “attempt” and “unsuccessful” will result in a better, more workable definition of cybersecurity event. IRI recommends revising Section 3C to read as follows:

Cybersecurity Event means the unauthorized access to, disruption of or misuse an Information System or information stored on such Information System.

Nonpublic Information

As the nature of the model law pertains to cybersecurity, IRI believes it is important to clarify that the data security measures required in the model pertain to electronic information. IRI recommends inserting the word “electronic” into the definition of “Nonpublic Information” in Section 3(I) to read as follows:

Any information or data, except age or gender, in any electronic form or medium created by or derived from a health care provider or an individual and that relates to […]

Add Definition of Risk Assessment

The model contains many references to the term “Risk Assessment” in addition to a section titled “Risk Assessment” (Section 4(C)); however, there is no definition of this specific term. IRI recommends including a definition of “Risk Assessment” as Section 3(L) of the model that mirrors the New York regulation as follows:

“Risk Assessment” section means the risk assessment that each Licensee is required to conduct under section 4(C).

Information Security Program Section 4

IRI has minor suggestions to the language of Section 4, Information Security Program, that would help clarify the application of the section.

As suggested above for the addition of a definition of “Risk Assessment,” IRI suggests replacing the term “risk focused” in Section 4(A) with “Risk Assessment” as follows:

Commensurate with the size and complexity of the Licensee, the nature and scope of the Licensee’s activities and the sensitivity of the Nonpublic Information used by the Licensee or in the Licensee’s possession, custody or control, each Licensee shall develop, implement, and maintain a comprehensive risk-focused written Information Security Program based on the Licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of Nonpublic Information.

Section 4(D)(1)(b) requires licensees to use “best practices” for cybersecurity protection and detection; however, IRI suggests avoiding the term “best practices” and modifying the language as follows:

Determine appropriate security measures listed in Section 4.D(2). Licensees shall use the best practices reasonable and appropriate methods for cybersecurity protection, detection, and remediation commensurate with its nature, scope, scale, and complexity.

IRI also suggests modifying the following in Section 4(D)(2)(d):

Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted wirelessly or on a public network over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media;


IRI also suggests inserting the following in Section 4(D)(2)(g):

Utilize multi-factor authentication procedures, segregation of duties, and employee background checks, as appropriate, for any individual assessing Nonpublic Information in the Licensees internal network from an external network;

Add New York’s Limited Exception for Third Parties

IRI recommends incorporating the limited exception from the New York regulation (Section 500.11(c) Third Party Service Provider Security Policy, Limited Exception) to provide an exception from the requirements of Section 4 for third-party agents that are following the cybersecurity policy requirements of a Licensee that is already compliant with the model requirements.

(c) Limited Exception. An agent, employee, representative or designee of a Licensee who is itself a Licensee need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Licensee that is required to comply with this Part.

Section 5 Investigation of a Cybersecurity Event

As IRI suggests above, a cybersecurity event should only include successful unauthorized access to information. For conformity throughout the model, IRI recommends removing references to unsuccessful or attempted events, including the phrases “or may have” in Sections 5(A) and 5(C).

Section 6 Notification of a Cybersecurity Event

Section 6(A) would require notice to the commissioner within 72 hours of a cybersecurity event. Most states appear to have no specific time frame in their various breach statutes, but usually refer to notification to either the affected consumers or a government agency, or both, “in the most expeditious time possible and without unreasonable delay.” An effective and reasonable solution would be a requirement to notify the commissioner “in the most expeditious time possible and without unreasonable delay,” combined with the HIPAA standard of “no later than 60 days.”

Further, IRI recommends that in Section 6(A)(2)(a), notification only be required when the cybersecurity event involves 500 or more residents, instead of only 250 residents.

IRI believes that Section 6(E) and 6(F) are unnecessary and should be removed from the model. The lack of a harm trigger would necessitate a notice for every cybersecurity event and the benefit from notifying the producer and reinsurers is unclear. IRI believes the appropriate method for such entities to be notified is through the contractual provisions with the producers.

Section 8 Confidentiality

IRI supports the modifications made to Section 8 to specify which materials involved in a data breach would be confidential. However, substantive variances from the so-called “ORSA protections” still exist. We continue to maintain that highly confidential materials related to an entity’s information security program and possible breach are just as deserving of strong protections as the highly confidential ORSA related materials submitted to a commissioner. For these reasons, IRI recommends that the model contain identical ORSA confidentiality language.


Add New York’s Exemptions

IRI suggests adding the following clarifying words to the first exception Section 9(A)(1):

A licensee with fewer than ten employees in this state, including independent contractors is exempt from Section 4 of this Act.

Also, the New York regulation acknowledges the increased burden borne by smaller employers to comply with the regulation by setting out seven exemptions to lighten that burden. IRI recommends adopting all those exemptions into the model law.

Thank you for the opportunity to provide these comments. Please feel free to contact me at (202) 469-3032 or [email protected] if you have any questions or to discuss this matter further.

Sincerely,

Chelsea Crucitti Vice President, State Affairs Insured Retirement Institute (IRI)


NCOIL Comments


May 15, 2017

NAIC Cybersecurity (EX) Working Group

National Association of Insurance Commissioners

1100 Walnut Street

Suite 1500

Kansas City, MO 64106-2197

Via e-mail: [email protected]

Re: April 26, 2017 Revised Draft of Insurance Data Security Model Law

Dear NAIC Cybersecurity Working Group Members:

On behalf of the National Conference of Insurance Legislators (NCOIL), I thank you for the opportunity to submit comments in response to the National Association of Insurance Commissioners (NAIC) Cybersecurity Working Group’s Revised Draft of its Insurance Data Security Model Law (Revised Draft).

We note the Working Group’s shift towards using the recently promulgated New York Department of Financial Services (NY DFS) cybersecurity regulations as a template for the Revised Draft. NCOIL continues to stand by its comments made on the Working Group’s previous drafts of the Model Law, wherein we indicate that the manner in which state legislatures are organized makes it impractical and inadvisable to pass a data security law for the insurance industry only1.

1 NCOIL has previously noted “that over 70 of the 99 State legislative bodies across the country combine insurance with other financial industries such as banking, commerce, and financial services. Accordingly, NCOIL believes that limiting a Data Security Model Law to the insurance industry only, when the other financial services industries also deal with very sensitive personal information that invites hacking and merits special protection, will ultimately invite a conflict of laws within the States themselves. Indeed, we believe such an approach could have the effect of inviting federal legislative intervention.” NCOIL comment letters dated September 19, 2016 and March 14, 2017.

Moreover, we do note that New York has proceeded down a regulatory path regarding cybersecurity, not legislative. Accordingly, moving forward, NCOIL urges the Working Group to follow the path analogous to the one taken in New York, and pursue Model Regulations on cybersecurity, not Model legislation. Following a regulatory path would be appropriately within the province of the NAIC as the States’ national insurance regulatory organization.

NCOIL appreciates the time and effort that the Working Group has given to these issues and we look forward to working with you in the future. Please do not hesitate to contact me if you have any questions.

With appreciation for your consideration and kind regards, I am,

Very truly yours,

Thomas B. Considine

NCOIL CEO


PCI Comments


VIA EMAIL

May 24, 2017

The Honorable Ray Farmer, Chair
Cybersecurity (EX) Working Group
National Association of Insurance Commissioners
2301 McGee Street, Suite 800
Kansas City, MO 64108

Dear Mr. Farmer:

On behalf of PCI’s nearly one thousand members, we are pleased to submit the following comments on version 4 of the NAIC’s draft Insurance Data Security Model Law. We once again commend your work on this very important topic, and encourage you to continue your efforts in seeking to adopt a workable model.

Section 2. Purpose and Intent

We strongly oppose deletion of the word “exclusive” from subsection A. It need hardly be said that the benefit of model laws is that they bring a certain level of uniformity to the governance of certain issues. There is no reason why insurers’ data security standards cannot be governed by a model law. We fear that this may turn into a missed opportunity that leads to the adoption of 47 different standards like the industry faces on the data breach notification side.

Section 3. Definitions

We recommend deleting “or unsuccessful” from the definition of Cybersecurity Event at subsection C. Corporate websites are daily subject to hundreds if not thousands of probes that seek to gain unauthorized access to information systems. The reporting of such probes benefits no one and imposes needless expense on insurers.

We object to language at subsection J(2) that excludes from the definition of Publicly Available Information any information that the “individual can direct…not be made available to the general public and, if so, that such individual has not done so.” We are unsure, to say the least, of how anyone subject to the model law will be able to make such a determination. We fear that Covered Entities may well be forced to treat all publicly available information as nonpublic information in order to ensure compliance. Accordingly, we recommend deleting this language.

Section 4. Information Security Program

Regarding subsection F, we question the efficacy of attempting to impose requirements on third-party service providers through Covered Entities. A much easier approach would be to include language in the model that applies the data security standards in the model law directly to third-party service providers.

Section 6. Notification of a Cybersecurity Event


The requirement to notify the Commissioner no later than 72 hours from a determination that a Cybersecurity Event has occurred is an extremely short timeline. It will impose additional pressure on a Covered Entity at the exact moment when resources would likely be better allocated to addressing any breach. We would extend that timeframe out to one week, with the understanding that Covered Entities are free to notify the Commissioner at any time they are able to within that time span.

We thank you for the opportunity to provide feedback on the draft. Should you have any questions regarding our comments, please do not hesitate to contact us.

Sincerely,

Deirdre Manna
Vice President, Political Engagement and Regulatory Affairs
[email protected]


PIA Comments


May 16, 2017

The Honorable Raymond G. Farmer
Chair, NAIC Cybersecurity (EX) Working Group
The Honorable Elizabeth Dwyer
Vice Chair, NAIC Cybersecurity (EX) Working Group
National Association of Insurance Commissioners
444 N. Capitol Street, NW, Suite 700
Washington, DC 20001

Submitted via email: Eric Nordman [email protected]
Sara Robben [email protected]

Re: Proposed Version 4 of Insurance Data Security Model Law

Dear Director Farmer and Superintendent Dwyer:

On behalf of the National Association of Professional Insurance Agents (PIA),¹ I want to again express our thanks for your patience as we have worked together to identify common ground on the aforementioned draft model law. We appreciate having been included in the Drafting Group and regulators’ engagement with members of industry throughout this process. We appreciate the spirit of cooperation exhibited by the Drafting Group’s regulatory members and by the National Association of Insurance Commissioners (NAIC) staff who have worked so hard to produce a model that stakeholders with a variety of perspectives and competing interests may support.

I hereby submit the following comments in response to the NAIC Cybersecurity Working Group’s April 26, 2017 Draft of the Insurance Data Security Model Law (Draft #4) (herein referred to as “Draft #4”).

First, we are particularly gratified to see the scope of the model has been substantially narrowed in Draft #4 and that Section 9 of the draft exempts licensees with under 10 employees from compliance with Section 4; this exemption acknowledges the limited resources available to the smallest of small insurance businesses. However, we remain concerned about the definition of “Cybersecurity Event,” the licensees’ obligations as they pertain to the activities and potential liabilities of third-party service providers, the timeframe given in which to provide notification to the relevant commissioner of a “Cybersecurity Event,” the limited scope of the aforementioned exemption, the effect of compliance with the recently-issued New York State Department of Financial Services (NYSDFS) Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York (23 NYCRR 500) on compliance with this model, and the scope of commissioner authority granted by Draft #4.

¹ PIA is a national trade association founded in 1931 that represents member insurance agents in all 50 states, Puerto Rico, Guam, and the District of Columbia. PIA members are small business owners and insurance professionals who can be found across America.

PIA is pleased to be continuing our work with the NAIC on this important issue. However, Draft #4 is not an improvement over the existing patchwork of state laws, and, as such, without substantial revision, we will be unable to support Draft #4 within the NAIC process or at the state legislative level. Having said that, if passage by the Working Group of Draft #4 or similar will be the inevitable conclusion of this process, we encourage the Working Group to engage in a comprehensive evaluation of the specific provisions of Draft #4. In furtherance of that effort, we offer the following comments and recommendations.

1. Definition of a “Cybersecurity Event”

The definition of “Cybersecurity Event” as set forth in Section 3C is overly broad and therefore unworkable. It defines a “Cybersecurity Event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”

On its face, this definition would include receipt of communications like phishing emails, irrespective of whether the recipient is taken in or any information is garnered by such emails. Any licensee would be challenged by the logistics of reporting to commissioners every time an employee receives a phishing email, and commissioners of insurance departments around the country would be overwhelmed by the sheer volume of reports they would receive from licensees if this broad a definition is approved. If the goal of the model is to provide commissioners with notice when the information systems of licensees are or may be about to be breached so that commissioners can react swiftly and effectively, that goal will be completely unachievable using this definition.

This language has its origins in 23 NYCRR 500, and we have heard Superintendent Vullo of the NYSDFS state verbally that her intent was not to require licensees to report receipt of phishing emails or similar inconsequential events. However, the language of both the New York law and Draft #4 imparts a requirement on licensees to do just that. To avoid further confusion on this issue, we recommend that the definition of “Cybersecurity Event” be modified to accurately require commissioner notification of the types of “Cybersecurity Events” commissioners expect the law to cover.

2. Licensees’ Obligations Regarding Activities and Potential Liabilities of Third-Party Service Providers

Our biggest concern relates to the treatment of licensee relationships with third-party service providers. This issue arises in a few different areas, beginning, most notably, with Section 4F, Oversight of Third-Party Service Provider Arrangements.

To begin, it is unclear which Licensee will be responsible when a third-party provider experiences a “Cybersecurity Event.” If an agent and a carrier pass consumer information back and forth through a third-party agency management system, and that third-party system is subjected to a “Cybersecurity Event,” it is unclear whether the agent, the carrier, or some combination thereof will be responsible for communicating with the third-party service provider in the aftermath of that event. This ambiguity could be resolved with a change to the definition of “Licensee” and “third-party service provider” (found in Sections 3G and 3K, respectively).

According to Section 4F, Licensees are required to exert extraordinary authority over third-party service providers. For example, Section 4F(1)(b) requires Licensees to “[address] [m]inimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Licensee.” We have a number of concerns about this provision.

First, small-business Licensees in particular out of necessity frequently enter into what are known as “contracts of adhesion.” Large companies serving as third-party service providers are going to be reticent to change their cybersecurity practices to reflect compliance with laws that only apply to Licensees. Small-business Licensees rarely have the opportunity to negotiate the details of their relationships with relatively large third-party service providers. Therefore, many Licensees will be subjected to whatever cybersecurity practices the third-party service provider already offers, whether or not those practices meet the standards set forth in Draft #4 applicable to Licensees.

Sections 4F(1)(c) and (d) are ambiguous and unnecessarily burdensome; Licensees do not have a clear means by which to “evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers,” nor is it clear how they would carry out “[p]eriodic assessment[s] of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.”

Additionally, Section 5C requires Licensees to enforce the provisions of Section 5B against third-party service providers. This provision would be difficult to enforce because it requires Licensees to ensure that a third-party service provider with which it does business not contractually shift its obligations pursuant to Section 5B back to the Licensee. Again, our concerns arise out of the likelihood that many such arrangements constitute contracts of adhesion between small-business Licensees and large third-party service providers. One alternative might be to require the Licensee to simply “document,” rather than “confirm and document” that the third-party service provider has adhered to Section 5B.

Finally, Section 6D(1) requires Licensees to treat “Cybersecurity Events” that occur in third-party service provider systems the same way it would treat a “Cybersecurity Event” in its own system, in accordance with Section 6A. This directive poses several problems, not least of which is the fact that Section 6A requires the Licensee to notify the commissioner within 72 hours of determining that a “Cybersecurity Event” has occurred. It would also require a Licensee to hazard what would, at best, be a guess of the number of consumers in the state affected by the “Cybersecurity Event” that has occurred in a third-party service provider system. That initial guess, likely to be inaccurate even if the “Cybersecurity Event” occurred within the Licensee’s own system, would be due within 72 hours, as previously noted.

3. Timeframe in Which to Notify Relevant Commissioner

Pursuant to Section 6A, if a small-business Licensee experiences a “Cybersecurity Event,” it must notify its commissioner within “72 hours from a determination that a Cybersecurity Event has occurred…”, regardless of the resources available to the Licensee to do so. This timeframe is even shorter than the three (3) business days provided for in the previous draft, with which we also disagreed. Seventy-two hours, particularly without regard for when during a seven-day week those hours occur, would pose an extreme hardship to a Licensee. The level of detail sought to be provided to the commissioner in those 72 hours, as outlined in Section 6B(1)-(13), is burdensome and gives rise to substantial concerns about the practical workability of these provisions.

Section 6B(9) is particularly burdensome; it requires the Licensee to provide the Commissioner with “[t]he number of total Consumers in this state affected by the Cybersecurity Event.” While generally Section 6B acknowledges that the provision of the listed information will be an ongoing process as information becomes available, with regard to Section 6B(9) specifically, the Licensee is directed to “provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section.” Requiring Licensees to hazard a guess as to how many consumers are affected in a state within 72 hours of a “Cybersecurity Event” will prove unworkable for small Licensees.

Many small insurance agencies do not have a full-time IT staff member. It could take substantially longer than 72 hours for a part-time IT staff member to acquire sufficient information about a “Cybersecurity Event” to provide a commissioner with even the most minimal details (date, description, and means of discovery) of the “Cybersecurity Event.”

We urge the Working Group to adopt a timeframe of at least 60 days in which to notify the commissioner and would welcome additional language that specifies that the Licensee must act “as expeditiously as possible and without unreasonable delay.”

4. Scope of Small-Business Exemption

As noted above, we recognize and appreciate that Section 9 of Draft #4 exempts licensees with under 10 employees from compliance with Section 4; this exemption acknowledges the limited resources available to small businesses. Having said that, we remain gravely concerned about the burden our small member agencies will face pursuant to Draft #4, even with the new language. We continue to be concerned about the overly broad definition of “Licensee,” the potentially competing interests of licensees of different sizes and with different business objectives, and the practicalities associated with such scalability issues.

Additionally, the definition of “Licensee” (Section 3G) groups into one category insurance businesses of all sizes and purposes; a 10-person insurance agency would be treated the same way as a multibillion-dollar insurance carrier with an employee roster in the thousands. PIA’s membership is largely made up of small agencies, which will be unfairly burdened by the requirements of Draft #4. This encumbrance is exacerbated by the manner in which small entities are grouped together with large ones, with the same draconian requirements imposed on all. Insurance agencies, like carriers and other types of Licensees, come in all shapes and sizes, with all levels of sophistication and resources, financial and otherwise.

A small business would be unduly burdened by the requirements set forth in Section 5. A small-business insurance agency may not have sufficient resources to discover even that a “Cybersecurity Event” may have occurred until months or years after its occurrence. It may not have the resources to assess the scope of the incident, let alone identify the information that may have been compromised or determine whether the information was taken without authorization.

Section 4C, Risk Assessment, instructs Licensees to “[d]esignate one or more employees or an outside vendor and/or service provider designated to act on behalf of the Licensee who is responsible for the Information Security Program.” (See Section 4C[1].) Many Licensees may have scarce resources to hire outside help to execute these directives. This problem also exists with regard to Section 4D(3), which requires Licensees to “include cybersecurity risks” in their enterprise risk management processes.

To help ease the burden on small insurance agencies, we urge the Working Group to enlarge the exemption to include Licensees with fewer than 25 employees, those with less than $5m in gross annual revenue, or those with less than $10m in year-end total assets.

5. Effect of Compliance with 23 NYCRR 500 on Compliance with Draft #4

The Drafting Group call on May 9 left us with the impression that the intent of the drafters is for Licensees who are already subject to 23 NYCRR 500 to be compliant with the model law without the need for additional steps to be taken. We encourage the Working Group to include a drafting note to that end to alleviate concerns among Licensees subject to the already burdensome New York law that they will be further encumbered by new obligations pursuant to the model.

6. Commissioner Authority

Finally, Section 12 provides that the commissioner may issue whatever regulations are necessary to carry out the provisions of the Act. This broad latitude to create other rules and regulations as the commissioner deems necessary undermines the uniformity sought by the Working Group. Moreover, the grant of such authority to commissioners will simply transfer state-by-state inconsistencies from the statutory level to the regulatory level and reinforce the patchwork of state laws and regulations this effort has been attempting to ameliorate.

PIA recognizes and appreciates the considerable thought and effort that the NAIC’s Cybersecurity Working Group and attendant Drafting Group have given to this issue, and we are grateful for the opportunity to again provide the independent agent perspective. Please contact me at [email protected] or (703) 518-1344 with any questions or concerns. Thank you for your time and consideration.

Sincerely,

Lauren G. Pachman
Counsel and Director of Regulatory Affairs
National Association of Professional Insurance Agents

CC: Eric Nordman & Sara Robben


RAA Comments


1445 New York Avenue, N.W., 7th Floor, Washington, D.C. 20005
Telephone: (202) 638-3690
Facsimile: (202) 638-0936
http://www.reinsurance.org

May 16, 2017

National Association of Insurance Commissioners
Superintendent Elizabeth Dwyer, Drafting Group Chair
Cybersecurity (EX) Task Force
Attn: Sarah Robben
NAIC, Cybersecurity (EX) Task Force
([email protected])

RE: RAA Comments on Proposed Version 4 (dated 4/26/17) of Insurance Data Security Model Law

Dear Superintendent Dwyer:

The Reinsurance Association of America (“RAA”) appreciates the opportunity to provide input into the fourth revised draft (dated 4/26/17) of the NAIC’s Model Insurance Data Security Model Law. The RAA is a national trade association representing reinsurance companies doing business in the United States. RAA membership is diverse, including reinsurance underwriters and intermediaries licensed in the U.S. and those that conduct business on a cross border basis. The RAA also has life reinsurance company affiliates.

The RAA appreciates the efforts of the Cybersecurity Working Group, reflected in this revised version, to develop a risk-based model law on cybersecurity standards and to promote uniformity in security standards across the United States. We continue to support the efforts of the Working Group and believe that substantial progress has been made. We generally agree with the comments and concerns expressed by our ceding insurance colleagues, particularly the AIA, regarding definitions, process and other technical aspects of the revised draft and will not repeat those points in this letter. We do note, however, that we very much agree with the concerns expressed on the May 9 Working Call about the scope of the definition of “Cybersecurity Event” and its inclusion of both “successful” and “unsuccessful” events and urge the Working Group to modify that definition to remove reference to “unsuccessful” events.

This letter will focus on Section 6.E. entitled Notice Regarding Cybersecurity Events of Reinsurers to Insurers. As previously discussed, the intended purpose of this language is to provide clarification with respect to implementation of the reinsurer obligations under the model and to streamline the process so that a consumer would receive notice of a Cybersecurity Event from the Licensee with whom they have a direct contractual relationship. The separate notice requirements for reinsurers (acting as assuming insurers) enhance the Working Group’s consumer protection policy objectives by ensuring clarity for consumers and avoiding duplication of consumer notice by multiple Licensees arising out of a single Cybersecurity Event. However, to achieve those objectives, the model must be clear that a reinsurer (acting as an assuming insurer) complying with the notice requirements under Section 6.E. is not also subject to the other notice requirements under Section 6, including any notice requirements under states’ data breach notification laws. This concept has been reflected in earlier drafts of the Working Group providing that a Licensee acting as an assuming insurer should have notice obligations only to its ceding insurers and domestic regulator. This approach also is consistent with the expressed view of the primary insurers (our cedents) with respect to how information flows to their policyholders.

In light of the above, we request the following change to Section 6.E. of the model as currently drafted:

E. Notice Regarding Cybersecurity Events of Reinsurers to Insurers

(1) (a) In the case of a Cybersecurity Event involving Nonpublic information that is used by the Licensee that is acting as an assuming insurer or in the possession, custody or control of a Licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with affected Consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of making the determination that a Cybersecurity Event has occurred; and

(b) The ceding insurers that have a direct contractual relationship with affected Consumers shall fulfill the consumer notification requirements imposed under [insert the state’s breach notification law] and any other notification requirements relating to a Cybersecurity Event imposed under Section 6.

(2) (a) In the case of a Cybersecurity Event involving Nonpublic information that is in the possession, custody or control of a Third-Party Service Provider of a Licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of receiving notice from its Third-Party Service Provider that a Cybersecurity Event has occurred.

(b) The ceding insurers that have a direct contractual relationship with affected Consumers shall fulfill any consumer notification requirements imposed under [insert the state’s breach notification law] and any other notification requirements relating to the Cybersecurity Event imposed under Section 6.

A Licensee that is acting as an assuming insurer and subject to the notice requirements under this section has no other notice obligations under Section 6 or any other law of this state.

We look forward to continuing to work with the drafting group as we move forward on the development of the model.

Sincerely,

Karalee C. Morell
Vice President & Asst. General Counsel


Wellcare Comments
