New Cybersecurity Bill of Rights Announced by NAIC

Share this article on:

The National Association of Insurance Commissioners (NAIC) has chosen National Cybersecurity Awareness month to announce a new bill of rights aimed at protecting consumers, which sets new standards for insurers to follow, and protects subscribers whose personal information is exposed in an insurance data breach.

The new cybersecurity bill of rights has been summarized in a PDF file which is available for viewing and download on the NAIC website. The document outlines the rights of consumers following a data breach that exposes personal information. While the new bill of rights has now been made available, how it is applied may actually vary depending on where insurance consumers live, as consumer rights will still be governed by data breach laws in each state.

Monica J. Lindeen, the Montana Insurance Commissioner and current NAIC president, spoke of the new bill of rights earlier this month. “Cybersecurity is one of the biggest challenges facing businesses today and this is one of our association’s key priorities,” she went on to say, “Our commitment to strengthening the NAIC’s technical and information services infrastructure and our security environment is demonstrated in our current budget, as well as strategic planning for the next few years.”

Last week, the Cybersecurity (EX) Task Force adopted the new standards laid down in the Cybersecurity Bill of Rights in an effort to ensure consumers are better protected, although the new bill of rights is currently still being reviewed. A final discussion on the bill is due to take place later this year, after which the NAIC Executive (EX) Committee/Plenary will decide whether to formally give its approval.

The new bill stipulates 6 rights that are granted to consumers, while it also helps insurers reduce the impact of cybersecurity risks and helps them develop an efficient data breach response plan.

Key Elements of the Cybersecurity Bill of Rights


  1. Consumers to be informed of the type of information collected and stored by insurers and their contracted business associates
  2. Insurance companies should post a privacy policy on their websites, which must explain how data is collected, used, stored and protected, and what rights consumers have regarding that data
  3. Insurance companies must take reasonable steps to ensure stored data remains private
  4. Following a breach of data, consumers must be informed within 60 days. The nature of the breach must be explained along with the information exposed. Standards also dictate the content of breach notifications
  5. Consumers must be provided with identity theft protection services for a year if their data has been exposed
  6. The rights of consumers following a breach of personal information are to be explained, including the actions that can be taken to protect credit following data breach, how fraudulent activity can be identified and other rights, such the prevention of debt collectors attempting to recover funds that have been fraudulently obtained by criminals who have used stolen consumer data

Adam Hamm, North Dakota Insurance Commissioner and NAIC Cybersecurity Task Force Chair, explained the need for the new bill of rights, saying ““[Consumers] also deserve to know when a breach occurs so they can safeguard themselves against identity theft or other types of fraud. This Bill of Rights is designed to assist consumers when sensitive information is breached.”

Additionally, the NAIC Cybersecurity Task Force will be working with state regulators and is expected to start auditing covered entities to ensure that appropriate measures are being implemented to both protect the privacy of consumers, and ensure they are notified in a timely manner should a data breach actually be suffered.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On