Authored by: Russell Sommers
During the Jan. 24, 2017 conference call of the NAIC Cybersecurity (EX) Task Force, there was a lengthy discussion around the use of third parties, contracting with third parties and breach notification requirements of licensed insurers when a third party service organization has been breached. The discussion focused on specific actionable items arising from Section 4(f) of the draft model law, which states:
“The licensee shall contract only with third-party service providers that are capable of maintaining appropriate safeguards, as required by the state laws in which the licensee is located or other statutory authority, to protect for personal information in the licensee’s possession, custody or control, and the licensee shall be responsible for any failure by such third-party service providers to protect personal information provided by the licensee to the third-party service providers consistent with this Act.”
Requirements of carriers in contracting third parties
Comments from interested parties and regulators centered on the requirements of carriers in contracting with third parties, specifically:
- Contract provisions outlining protocols for breach notification;
- Carrier responsibilities in vetting the information provided in notices by third party vendors;
- Licensee requirements in notifying consumers of data breaches at third party service providers; and
- The concept of the “harm” trigger being used to reduce a deluge of notices to consumers and how many notifications are too many.
Authority of state insurance regulators over industry service providers
The conversation then turned to the authority of individual state insurance regulators to govern insurance industry service providers, and to the onus on individual companies to impose compliance requirements on their service providers. Challenges associated with third-party service provider compliance with insurance regulations were also discussed. Specific attention was given to very large service providers that serve multiple industries, for which compliance would be an enormous effort, and to small boutique service organizations, for which compliance would be cost prohibitive.
A significant volume of interested-party comments on the NAIC Data Security Model Act is slated to be addressed in subsequent bi-weekly conference calls.
What to do now
Pending the authoritative guidance that state adoption of a final version of the Data Security Model Act will provide, there are things insurers can do now to prepare, all of which reflect current corporate governance and information security best practices:
- Map data flow for your organization, including:
  - what data is captured;
  - how that data is processed;
  - where the data goes internally/externally;
  - how/if data is encrypted;
  - how data is transmitted to and from the company; and
  - an inventory of what data is transmitted to outside parties, including third-party service providers, regulators, related parties, etc.
- Include contract language which outlines protocols for breach notifications and specific data requirements.
- Test incident response and breach notification protocols.
While the final language of the Data Security Model Act remains to be seen, the general thrust of that act's provisions relating to third-party service providers is clear: “Licensees can assign authority, but not responsibility. Insurance companies are responsible for all transactions performed on their behalf.”
For more information on this topic, or to learn how Baker Tilly insurance specialists can help, contact our team.