The National Association of Insurance Commissioners (NAIC) Privacy Protections Working Group (the “Working Group”) released Insurance Consumer Privacy Protection Model Law #674 (“Model 674”) for comment on February 1, 2023. Model 674 is intended to modernize and replace the Insurance Information and Privacy Protection Model Act #670 (“Model 670”) and the Privacy of Consumer Financial and Health Information Regulation #672 (“Model 672”), which have been widely adopted nationwide but are approximately 30 to 40 years old. Unlike its predecessors, Model 674 notably includes a safe harbor for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA). The proposed model law also does not affect the reporting obligations for cybersecurity events set forth under the NAIC Insurance Data Security Model Law.
Model 674 incorporates several key concepts from recent state consumer data protection laws. If finalized by the NAIC and adopted at the state level, the proposed model law would impose significant new restrictions on insurance licensees’ ability to use and share consumers’ personal information, as well as expand the privacy rights afforded to insurance consumers. For example, Model 674 would:
- Expand the definition of “personal information” to include “sensitive personal information” and “biometric information,” terms which largely track the definitions from the California Privacy Rights Act (CPRA);
- Enhance transparency regarding how and why consumer data is collected, processed, shared, and retained;
- Expand privacy disclosure requirements to include (i) the specific purposes for which consumer personal information is collected, processed, retained, or shared and the approximate retention period; (ii) a summary of the licensee’s collection, processing, retention, and sharing of personal information outside the United States; and (iii) a description of the circumstances in which consumer consent is required and how a consumer may provide and revoke consent;
- Provide consumers with the right to access, correct or amend their personal information;
- Prohibit licensees from selling a consumer’s personal information or using certain sensitive personal information for marketing purposes, regardless of consent;
- Require consumer consent prior to sharing personal information with entities outside the United States, which could significantly impact a licensee’s sharing practices with affiliates and its ability to use offshore service providers; and
- Require consumer consent prior to using personal information for actuarial studies, research, or an additional permitted transaction, unless such data is aggregated and de-identified.
Additional noteworthy provisions under Model 674 include:
- Requirements for Data Minimization and Retention. Similar to the CPRA, Model 674 would require licensees to only collect, process, retain, and share insurance consumers’ personal information as reasonably necessary and proportionate to achieve the purposes related to a requested insurance transaction or additional permitted transactions and not further process, retain, or share in a manner that is incompatible with those purposes. Notably, the Working Group opted to forgo the “right to be forgotten” principle, a common tenet of recent privacy legislation and an existing right under Model 670, in favor of a new record retention provision that requires licensees to delete any consumer personal information that is no longer necessary to perform certain enumerated purposes (such as servicing an insurance policy or for compliance with legal obligations) within 90 days.
- Third-Party Oversight and Contractual Requirements. Licensees would now be required to oversee third-party service providers with access to consumer personal information and to adhere to certain contractual requirements, such as requiring their service providers to comply with Model 674 and with the licensee’s own privacy practices, and including a prohibition on further sharing information beyond the purpose specified in the agreement.
- New Optional Private Right of Action. Section 28 of Model 674 would further give state insurance regulators the option of providing a private right of action that would allow consumers to pursue monetary damages – that is, actual damages plus costs and reasonable attorneys’ fees – resulting from a licensee’s or its third-party service provider’s failure to comply with the proposed model law. Notably, this proposed private right of action does not extend to class actions, which instead would be prohibited.
The Working Group acknowledges that the proposed model law is likely to be amended following input from the insurance industry. Nonetheless, the foregoing provisions raise operational and practical considerations for insurers around data collection and retention policies and practices, sharing information across borders, obtaining consumer consent, and third-party service provider contracts.