Data breaches have increasingly affected every industry that collects consumer nonpublic personal information (NPI). Insurance consumers’ data has been subjected to breaches, too, even though sensitive health information is specially protected by safeguards set forth in the Health Insurance Portability and Accountability Act (HIPAA), and other insurance data is protected by the Gramm-Leach-Bliley Act (GLBA) of 1999. Insurance agents and brokers are considered “financial institutions” by the GLBA, and the GLBA applies to all “financial institutions,” including independent agents, that share consumer NPI.
Over the past several decades, the National Association of Insurance Commissioners (NAIC) has produced several model laws and regulations to address the increasingly complex issues raised by the need to collect consumer information as a part of the business of insurance and the concurrent need to protect and secure that data. Two of the resulting models were the 1992 Insurance Information and Privacy Protection Model Act (MDL-670) and the Privacy of Consumer Financial and Health Information Regulation (MDL-672, which was promulgated specifically in response to the passage of the GLBA and the concomitant threat of federal oversight).
Late last year, the NAIC’s Privacy Protections (H) Working Group announced its intent to replace Models 670 and 672 with one new model that will be known as the Insurance Consumer Privacy Protection Model Law (MDL-674). The initial draft of MDL-674 was published on Feb. 1 and exposed for a 60-day public comment period, which ended just after the NAIC’s Spring National Meeting in Louisville. During the exposure period, both at and following the Spring National Meeting, PIA met with the chair of the Privacy Protections Working Group for a comprehensive discussion of the independent agent-specific challenges posed by the draft.
PIA also submitted a comment letter and draft markup reflecting our comments and suggesting changes to the draft text. PIA raised concerns about the apparent differences between the expressed goals of the Working Group and the language contained in the draft. As we understand it, the Working Group seeks to allow agents to use and share consumer data to the extent needed to conduct insurance business. Its intent is to limit the sharing of consumer data for purposes other than engaging in insurance-related transactions. However, the language of the draft may be inconsistent with that goal.
While the Working Group may aim to limit the ability of insurance licensees to sell their clients’ data to noninsurance third parties or to sell such data without their clients’ consent, the language in the draft does not appear to reflect those goals. Similarly, the Working Group appreciates the unique position independent insurance agents are in compared to carriers or captive agents with respect to consumer data. However, the draft does not consistently reflect this understanding.
Because independent insurance agencies differ enormously in size, number of employees, annual revenue, etc., PIA also suggested that the model should explicitly provide that licensees’ duties as to consumer data be commensurate with their capacity to undertake such obligations. The new model should acknowledge that agency licensees vary widely in size, scope, and complexity, and the scope and complexity of their consumer data protection activities may vary in accordance therewith.
Later this month, PIA will participate in a private call with members of the Working Group to discuss these and other issues in greater detail, and we are eager to continue our conversation with the Working Group via its upcoming twice-monthly calls and interim meeting, the details of which are still being finalized. We look forward to future constructive discussions about how best to achieve a balance between the need for consumer data privacy and the protection of independent agents’ key role in the business of insurance.