In an increasingly complex regulatory landscape, insurance companies face multiple — and often overlapping — privacy and security regulations.
In this article, get an in-depth analysis of the newest, most up-to-date measures and regulatory trends that apply — or may soon apply — to insurers.
These include the California Consumer Privacy Act (CCPA), its amended California Privacy Rights Act (CPRA), the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), state laws like (NYDFS) and New York SHIELD, NAIC’s Model Security Law and its upcoming changes — and many other measures that are both currently in place and on the horizon.
In addition, learn how CCPA and CPRA provide exemptions for insurers adhering to GLBA, HIPAA, and other existing regulations — and what you can do right now to build a comprehensive data program that ensures regulatory compliance.
How CCPA Affects Insurance Organizations
The CCPA — in addition to its amended California Privacy Rights Act (CPRA), which passed by referendum in November 2020 — is the first comprehensive state privacy legislation to govern the collection, use, sale, and sharing of consumers’ personal information (PI).
Under CCPA, PI is broadly defined as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be directly or indirectly linked to a particular individual or household.
The upcoming CPRA adds the new definition of sensitive personal information (SPI). SPI is a subset of PI and includes data like government identifiers, account and login information, genetic data, biometric information, and more — all of which are subject to a stricter set of transparency, sharing requirements, and risk-mitigation responsibilities.
CCPA applies to “businesses” — defined as for-profit entities that determine the purpose and means of processing consumers’ data — that do business in California and meet certain applicability thresholds. Insurers that operate in California and meet these thresholds are subject to a number of obligations, including requirements related to disclosure and data rights.
GLBA, HIPAA, and State Privacy Laws that Apply to Insurers
Insurers providing products or services to individuals for their personal, family, or household purposes may be subject to the Health Information Portability & Accountability Act (HIPAA) and the Gramm Leach Bliley Act (GLBA) at the federal and state levels.
State insurance privacy laws can also present a challenge for insurers trying to comply with similar but subtly different obligations and restrictions across multiple states.
Many of these state laws are based on the National Association of Insurance Commissioners (NAIC) Privacy of Consumer Financial and Health Information Model Regulation (Model 670). However, some state laws place restrictions beyond GLBA or Model 670.
Obligations imposed on insurers by GLBA and state laws include, among others, notice obligations and requirements related to sharing personal information with third parties. Some state laws also provide for access, correction, and deletion rights for data the insurer collects.
Exemptions Under CCPA for Insurance Companies
The vast majority of data that many insurers collect, process, and retain may fall under an exemption in the CCPA. The CCPA includes exemptions for:
- PI that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA)
- PI that is collected, processed, sold, or disclosed pursuant to the California Financial Information Privacy Act (CalFIPA)
- Personal health information collected by a covered entity or a business associate as defined in the Health Insurance Portability and Accountability Act (HIPAA)
- Medical information collected by a covered entity or a business associate as defined in the California Confidentiality of Medical Information Act (CCMIA)
- Covered entities (as defined in HIPAA), to the extent that the entity maintains patient information in the same manner as personal health information
Start by Knowing Your Data
The first challenge that insurers subject to CCPA and other state insurance privacy laws face is determining the scope of their obligations. That involves categorizing all the data they have collected, processed, and disclosed.
For insurers to determine their applicability requirements, it is critical that they compile a comprehensive data inventory that assesses the categories, sources, and uses of the information they collect — as well as the categories of data they share with third parties.
Without a comprehensive data inventory, it may be almost impossible for an insurer to determine whether PI falls under a CCPA exemption.
Determine Which Data Is Subject to CCPA — and CPRA
In categorizing data, insurers must pay close attention to identify the types of data that are not covered by GLBA, CalFIPA, HIPAA, or CCMIA — and are therefore subject to CCPA.
For example, the PI or SPI of job applicants, employees, and independent contractors — and the PI of website visitors — will likely be subject to CCPA. Looking ahead to CPRA, the new “sharing” behavioral advertising opt-out requirements may apply. If insurers are obtaining leads or prospects, this information may also be subject to CCPA regulations.
Determine Data Rights Obligations Beyond CCPA
CCPA introduces new consumer privacy rights for California residents, such as:
- the right to access and obtain a copy of their data
- the right to request deletion of their data
- the right to opt-out of the sale or sharing of their data
While an insurer may be exempt from fulfilling certain requests for CCPA, they’re still obligated to comply with data rights that are ensured by GLBA, CalFIPA, HIPAA, and CCMIA.
In addition, insurers will likely face obligations to fulfill access, correction, and deletion rights under state laws outside California. It is therefore essential that insurers implement a method to track and respond to these requests in accordance with the various state law requirements — not just CCPA.
The Need for Data Flow Reviews
The California law includes steep regulations relating to the “sale” or “sharing” of PI and SPI.
For any information subject to CCPA, insurers must review the data flows they share with third parties and, as necessary, revise their contracts in order to avoid the data being deemed a “sale” or “share” under the law.
Insurers should also be aware that the upcoming CPRA requires new contractual provisions with service providers. This means that insurance companies subject to CPRA must ensure that the parties they work with also have appropriate security measures in place to comply with GLBA, state laws implementing GLBA, and any new data security laws specific to the insurance industry.
Data Retention Requirements
The forthcoming CPRA includes new requirements around data minimization and data retention, so insurers should adopt a records management program that defines how long data is to be kept.
To comply with CPRA — as well as other state regulatory requirements for how long certain records should be kept — insurers will be obligated to disclose how long they keep data and ensure that the timeline is only as long as is “reasonably necessary.”
Given the various types of coverage insurance providers may offer their consumers, the type of policy or plan becomes crucial when determining what can be saved and what can be tossed. For example, “occurrence-based policies,” which offer long-term protections and cover any loss that occurs during the policy term — no matter when the claim is made — may need to be kept indefinitely.
On the other hand, “claim-made policies,” which cover claims made or filed while the policy is active — and may include a “tail” extending coverage after the policy expires — are less likely to have long-term implications and can be set with an adequate retention period once the policy is no longer active.
Data Security Requirements Beyond CCPA
In addition to privacy requirements, insurers must comply with, there are a growing number of state data security laws and regulations directed at the insurance industry.
The New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (Part 500), which fully took effect on March 1, 2019, is one of the first cybersecurity regulations directed at financial services companies — including insurance companies — to, among other things, adopt written information security programs that address the protection of nonpublic information and information systems.
The New York SHIELD Act also includes a broad scope of applicable businesses, plus an extraterritoriality dimension, meaning that most insurance companies would be subject to the prescriptive security requirements of the law. These security requirements include administrative, technical, and physical safeguards.
The National Association of Insurance Commissioners (NAIC), which had separately been preparing a model cybersecurity law, has adopted the Insurance Data Security Model Law (Model Security Law), which closely resembles NYDFS. While NYFDS is more prescriptive than the Model Security Law, both establish standards for data security in the insurance industry — including investigation and notification obligations in the event of a data security incident.
In addition to state laws and regulations specific to the insurance industry, insurers are also subject to general data security laws in the states where they operate. These measures cover data insurers collect outside of the insurance context — such as employee personal information.
So far, 13 states have adopted the Model Security Law — and each state is tailoring the model law to their own specifications. Although there are some differences among NYFDS, the Model Security Law, and the state versions of the Model Security Law, they are all substantively similar.
All of these measures require insurers to:
- conduct a risk assessment
- implement and maintain a cybersecurity program that is based on identified risks
- develop, implement, and maintain a breach incident response plan
- provide oversight of third-party service providers
- investigate and report data security incidents
- certify compliance with the respective law/model regulation
NAIC and the Upcoming Model Privacy Law
In the past year, NAIC has been working to update a model privacy law that is meant to align with current privacy approaches reflected in the Security Model Law, the CCPA, and the EU’s General Data Protection Regulation (GDPR).
The working group responsible for the updates has been charged with recommending whether — and to what extent — “freshening up” is needed. Five key areas being reviewed include:
- types of data collection, sharing, and usage specific to insurers
- how privacy risk affects insurance consumers
- gaps in federal and state law
- obligations insurers should have to consumers
- what rights consumers should have to control their personal information
As of the most recent meeting, the group discussed an initial draft gap analysis of consumer issues that includes:
While a deadline for comments and updates to the Model Privacy Law has not been established, the recent meeting goes to show that the insurance industry must be ready to be compliant with whatever the working group ultimately puts out.
What Insurance Companies Can Do Now to Stay Compliant
Insurance companies face complex challenges when it comes to securing data and achieving regulatory compliance.
Insurers need to take concrete steps to build a comprehensive data program that leaves no data unturned and enables full visibility into their organization’s personal and sensitive information — across all data systems and sources. Here are some boxes companies in the insurance industry should be able to check off:
- Know your data: Combine the identification of personal data and the classification of sensitive data.
- Define PI and SPI: Automate the discovery, identification, and mapping of all your PI and SPI, wherever it lives — on-prem, in the cloud, and hybrid.
- Tag and label data for legal purposes: Ensure that data is identified and labeled appropriately in accordance with various regulations that apply to insurers.
- Prioritize vulnerable data: Highlight vulnerable, overexposed, and high-risk regulated data at a glance.
- Streamline breach response and notifications: Accurately determine impacted users following a data breach and simplify incident response
- Define and enforce data retention rules: Enact automated workflows, and uncover duplicate, derivative, and similar data for privacy, governance, and effective reporting.
- Automate data access rights fulfillment: Automate manual fulfillment of individual data access and deletion requests.
- Detect out-of-policy, cross-border data transfers: Track data access, usage, and transfer violations across the organization for immediate action.
Learn how insurance organizations can leverage BigID to build a comprehensive data inventory that provides full visibility into the PI and SPI you have — and take action to manage the risks associated with it across the entire organization.