Kentucky is the 21st state to pass an insurance company consumer data protection law


Kentucky is the latest state to sign into law model provisions drafted by the National Association of Insurance Commissioners (NAIC) to protect consumer data provided to insurance companies.

The Model Insurance Data Security Act was passed in 2017 by the NAIC after two years of “extensive deliberation and input.” It was created to address “several major data breaches involving large insurers that exposed and compromised the sensitive personal information of millions of insurance consumers” over the past few years, according to an NAIC summary.

“State adoption of the model is essential to ensure that state insurance regulators have the tools they need to better protect sensitive consumer information,” the NAIC states in the brief.

According to the association’s latest count, 21 states, including Kentucky, had adopted the model law as of April 25 – North Dakota, Minnesota, Iowa, Wisconsin, Michigan, Indiana, Ohio, Tennessee, Virginia, Maryland, Washington DC, South Carolina, Louisiana, Mississippi, Alabama, Delaware, Connecticut, New Hampshire, Maine, and Hawaii. Bills are pending in Illinois, Vermont, Rhode Island and Washington to enact the model law. New York has its own separate data privacy provisions in place, according to the NAIC.

Repairer Driven News asked the NAIC to comment on Kentucky’s adoption of the model law, but a spokesperson for the association declined.

In October 2017, the US Treasury Department recommended rapid adoption of the model by every state and said that if adoption and implementation do not result in uniform data security regulations within five years, the U.S. Congress “shall act by enacting legislation setting forth uniform requirements for Insurer Data Security,” according to the NAIC filing.

“The model requires insurers and other entities licensed by a state insurance department to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee responsible for the information security program (Section 4),” the brief states. “The model progressively integrates information security program compliance and oversight requirements for third-party service providers.”

The full model law is available on the NAIC website.

Kentucky Governor Andy Beshear signed HB 474 into law on April 8. Its effective date is January 1, 2023, but carriers have until January 1, 2024 to implement subsections one, three, five and seven of Section 4 of the act, and until January 1, 2025 to implement subsection four of Section 4, as required by the law.

Carriers or licensees with fewer than 50 employees, including independent contractors, are exempt from the requirements of Sections 1 through 10 of the act.

Each insurer in the state will be required to implement the following security measures “as appropriate”:

    • “Place access controls on information systems, including controls to authenticate and authorize access only to authorized individuals to protect against unauthorized acquisition of nonpublic information;
    • “Identify and manage the data, people, devices, systems and facilities that enable the organization to achieve its business objectives based on their materiality to the organization’s business objectives and risk strategy;
    • “Restrict physical access to non-public information to authorized persons only; and
    • “Protect, by encryption or other appropriate means, all non-public information when transmitted over an external network and stored on a laptop computer or other portable computing or storage device or media.”

Each insurer will also be required by law to “regularly test and monitor systems and procedures to detect actual attacks and attempted attacks or intrusions into information systems.”

The law also applies to third-party providers that carriers use, which carriers must “execute due diligence when selecting.”

The law also gives the state insurance commissioner a role in certain cases: carriers, all licensees, and insurance producers are required to notify the commissioner’s office of cybersecurity events if Kentucky is their state of origin, if there is a “reasonable probability” that normal operations will be affected, or if nonpublic information involved in the event relates to 250 or more Kentucky residents.

The commissioner, by statute, can review and investigate “the affairs of any licensee to determine whether the licensee has been or is engaging in conduct in violation of Section 4, 5 or 6” of the law. The commissioner can also put in place by-laws against those who violate any section of the act.

Data privacy is an obvious concern for everyone, according to Erica Eversman, who is a consumer liaison with the NAIC through the nonprofit Automotive Education & Policy Institute. “Particularly because insurers have so much information about us,” she said. “This is integral to the ‘Big Data’ push – which insurance regulators are considering, along with the accumulation of ‘Big Data’ by insurance companies, consumer advocates’ concerns about not only collecting large quantities of data, but how insurers will use and protect it.”

When talking about “Big Data,” Eversman said it refers to the large-scale collection of all personal and corporate information, whether it’s needed or not.

“There’s a big discussion going on right now about whether consumers should have to opt out – whether the onus should be on them – or whether the default should be the opt out and only if the consumer agrees, the insurer should be allowed to share this information,” she said.

This year, the NAIC created a new committee, called the Cybersecurity and Technology Innovation Committee (H), composed entirely of insurance regulators to address “Big Data” issues as well as cybersecurity and data privacy threats, according to Eversman. She thinks the committee will likely become even more important as more insurance companies close physical locations to offer online-only, cloud-based services.

Eversman recommends that consumers ask their carriers with whom their personal information will be shared. She agrees with the model law that information provided to third parties by insurers should make carriers responsible for ensuring data protection. In the area of collision repair, for example, that means making sure shops have data protection systems in place, she said.

“All of this information could be hacked by the repairer,” Eversman said. “A lot of supposed [carrier] protections are ivory tower thought processes. That’s like saying, ‘I waved my wand at the front door – I don’t have a lock, but I waved my wand at the front door and told everyone in the world that they just weren’t allowed in if I don’t want them to.’ This is not a real, meaningful protection, because there are no significant repercussions. … Consumers can’t do much. You can say, ‘No, I don’t want to share this information.’ And they say, ‘OK, okay. We cannot give you car insurance.’”

However, Eversman encourages consumers to raise issues with their members of Congress and to use consumer advocacy groups, like the Consumer Federation of America, as resources.


Featured Image: Capitol Building in Frankfort, Kentucky. (Photo credit: alexeys/iStock)
