Privacy in the Spotlight Once Again
The NAIC spring meeting began with an unexpected announcement that Mike Consedine was stepping down as CEO effective April 30.
Consedine has served in that role since January 2017. NAIC general counsel and chief operating officer Andy Beal will serve as the interim CEO as the NAIC searches for Consedine’s replacement.
The announcement did not alter the trajectory of the Council’s advocacy efforts, however, as we continued to engage on several issues of importance to Council members. For example, we actively participated in and supported passage of an update to the NAIC’s Nonadmitted Model Act, closely monitored efforts to regulate healthcare lead generators and third-party administrators, and educated regulators on the importance of getting the National Association of Registered Agents and Brokers (NARAB) up and running to further streamline the licensing of non-resident producers and agencies.
The most significant work of late, however, has been participating in the NAIC’s Privacy Protections Working Group, which is evaluating the modernization of the NAIC’s consumer privacy protection model laws. These reforms could significantly impact the way brokers and agents collect and use customer and prospect data.
Since the last significant consumer data-related reform (the 2018 Insurance Data Security Model Law #680), it was only a matter of time before state regulators turned their attention back to this issue. In addition to expressing their intent to address unresolved issues in the cybersecurity model, regulators spent all last year vowing to update the existing consumer privacy models (#670 and #672). In December, however, they changed course and decided to draft a new consumer privacy and protections model law to replace both of the existing models.
The proposed new model (#674) would impose a far broader and more comprehensive regime than anyone initially anticipated, and it draws heavily from recently enacted state privacy laws. It also includes an ambitious timeline to get it across the finish line before year-end. The current draft of model #674 would:
- Expand the definition of “consumer” to any individual applicant or policyholder whose personal information is used in connection with an insurance transaction broadly, rather than the existing limitation to personal or household insurance transactions
- Expand the definition of “personal information” to also include “sensitive information” and “biometric information”
- Introduce new obligations and revise existing requirements for licensees regarding the collection, retention, processing and sharing of consumers’ personal information
- Impose primary responsibility on licensees to ensure the compliance of their third-party service providers
- Require licensees to notify consumers of certain information about the collection and use of their personal data and to obtain express written consent to collect or share information for certain purposes
- Create new consumer rights to access, correct or amend their personal information.
Last November, NAIC president Chlora Lindley-Myers said publicly that she wants the data privacy model finalized during her 2023 tenure. That goal may, however, be unattainable, as the year is almost half over and the industry is just beginning to digest the proposal and suggest changes.
Historically, the process for adopting new and amended model laws has included open comment periods and line-by-line review sessions that have led to endless debates on every word and potential outcome. Even less controversial NAIC models, like the recently adopted pet insurance model, took regulators over two and a half years to complete.
For this privacy model, the regulators have tried to change the process to expedite finalization of the update. They initially met in closed-door, regulator-only sessions to draft the first version. When they released that draft in January, they claimed to have intentionally written it to be as broad and far-reaching as possible in an effort to bring the industry to the table.
They have succeeded in igniting industry interest in the update, as the model includes a number of provisions that are sparking controversy. Key concerns include:
- The application of compliance requirements on all licensees, regardless of their role in the data collection/sharing cycle
- The imposition of significant burdens on licensees who collect data but who have no direct relationship with the consumer
- Unrealistic consumer notice, deletion and reporting requirements
- Unnecessary complexity of introducing these additional rules to the existing web of complex privacy requirements.
One commenter went as far as to say that the draft proves that state regulators are not equipped to regulate privacy and demonstrates the need for a uniform federal solution and for federal oversight.
But the prospects for enactment of a preemptive federal solution in the near or medium term are uncertain at best. The late February markup of House Financial Services Committee Chairman Patrick McHenry’s (R-N.C.) Data Privacy Act, for example, was dominated by debate on the preemption question, with Democratic members of the committee seeking to secure their state’s right to go beyond the federal floor and Republicans emphasizing the need for a national standard to avoid a patchwork of state-level laws. The bill ultimately passed out of committee on a straight party line vote (with one Republican voting against the proposal with all of the committee Democrats), which likely dooms further progress on this initiative for the year.
The Council has been very engaged in advocating for a federal solution that will ensure that each Council member is subject to a single set of privacy laws—either the laws of their state of domicile or a national standard.
We also will continue to advocate vociferously for improvements to the NAIC’s proposed updated privacy model act to make it as viable and least burdensome as possible. If Lindley-Myers is successful in her quest to finalize that model by year-end, however, that model likely will lack sufficient industry input, which will mean that the debates will continue during the state-by-state enactment process. As always, stay tuned, as there is (always) more to come.