HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Cybersecurity Bill of Rights Announced by NAIC

The National Association of Insurance Commissioners (NAIC) has chosen National Cybersecurity Awareness month to announce a new bill of rights aimed at protecting consumers, which sets new standards for insurers to follow, and protects subscribers whose personal information is exposed in an insurance data breach.

The new cybersecurity bill of rights has been summarized in a PDF file which is available for viewing and download on the NAIC website. The document outlines the rights of consumers following a data breach that exposes personal information. While the new bill of rights has now been made available, how it is applied may actually vary depending on where insurance consumers live, as consumer rights will still be governed by data breach laws in each state.

Monica J. Lindeen, the Montana Insurance Commissioner and current NAIC president, spoke of the new bill of rights earlier this month. “Cybersecurity is one of the biggest challenges facing businesses today and this is one of our association’s key priorities,” she went on to say, “Our commitment to strengthening the NAIC’s technical and information services infrastructure and our security environment is demonstrated in our current budget, as well as strategic planning for the next few years.”

Last week, the Cybersecurity (EX) Task Force adopted the new standards laid down in the Cybersecurity Bill of Rights in an effort to ensure consumers are better protected, although the new bill of rights is currently still being reviewed. A final discussion on the bill is due to take place later this year, after which the NAIC Executive (EX) Committee/Plenary will decide whether to formally give its approval.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The new bill stipulates 6 rights that are granted to consumers, while it also helps insurers reduce the impact of cybersecurity risks and helps them develop an efficient data breach response plan.

Key Elements of the Cybersecurity Bill of Rights


  1. Consumers to be informed of the type of information collected and stored by insurers and their contracted business associates
  2. Insurance companies should post a privacy policy on their websites, which must explain how data is collected, used, stored and protected, and what rights consumers have regarding that data
  3. Insurance companies must take reasonable steps to ensure stored data remains private
  4. Following a breach of data, consumers must be informed within 60 days. The nature of the breach must be explained along with the information exposed. Standards also dictate the content of breach notifications
  5. Consumers must be provided with identity theft protection services for a year if their data has been exposed
  6. The rights of consumers following a breach of personal information are to be explained, including the actions that can be taken to protect credit following data breach, how fraudulent activity can be identified and other rights, such the prevention of debt collectors attempting to recover funds that have been fraudulently obtained by criminals who have used stolen consumer data

Adam Hamm, North Dakota Insurance Commissioner and NAIC Cybersecurity Task Force Chair, explained the need for the new bill of rights, saying ““[Consumers] also deserve to know when a breach occurs so they can safeguard themselves against identity theft or other types of fraud. This Bill of Rights is designed to assist consumers when sensitive information is breached.”

Additionally, the NAIC Cybersecurity Task Force will be working with state regulators and is expected to start auditing covered entities to ensure that appropriate measures are being implemented to both protect the privacy of consumers, and ensure they are notified in a timely manner should a data breach actually be suffered.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.