House panel adopts data security notification bill despite NAIC opposition
The House Financial Services Committee adopted a bill that would direct federal financial regulatory agencies to establish a national standard for financial institutions regarding data security measures, as well as a notification system that responds to any breach or unauthorized access of customer information, despite the objections of state insurance regulators.
H.R. 6743, the Consumer Information Notification Requirement Act, was passed by the committee by a 32-20 vote on Thursday.
But the National Association of Insurance Commissioners sent a letter to committee leaders on Wednesday opposing the bill.
“While we appreciate the legislation’s goal of promoting effective cybersecurity risk management and data protection safeguards, we have serious concerns that the bill’s language would significantly limit state insurance regulators from protecting consumers in their states,” the NAIC said in its letter.
The bill would “broadly preempt all state laws and regulations and prohibit states, the primary regulators of the insurance sector, from imposing any stronger requirements for insurance consumer protection,” the NAIC said, citing its 2017 adoption of an Insurance Data Security Model Law to update state requirements relating to data security, the investigation of a cyber event and the notification to state insurance commissioners of cybersecurity events at regulated entities.
“H.R. 6743 disregards the existing state insurance regulatory framework and would inhibit ongoing efforts in the states to adopt data security laws and regulations in the best interest of insurance consumers,” the NAIC said in its letter.
“In addition to the explicit preemption of state laws, the legislation undercuts state insurance regulators’ authority to protect their own state’s residents when a data security breach occurs,” the NAIC continued. “The bill assigns enforcement of its federal data security requirements to an insurer’s state of domicile, which may be far removed from the location of consumers who are harmed by a data breach. Under current laws and regulations, if policyholders from one state are affected by a breach at an insurer domiciled in another state, both insurance departments work with the company to ensure all policyholders are appropriately protected moving forward, regardless of where they are located. Under this bill, only one regulator would have authority to require mitigation for policyholders from a breached insurer. This could leave consumers less protected.”
In May, South Carolina became the first state to enact a cybersecurity law requiring insurers to establish a “strong and aggressive” program to protect companies and their consumers from a data breach.
“We recognize that consistent standards around the country are important, but because further cyber attacks and data breaches are inevitable, it is even more important for a regulator to have the power to act and help remedy the situation on behalf of his or her constituents and yours,” the NAIC stated.