NAIC Adopts New Cybersecurity “Roadmap”

In December, the NAIC’s Executive Committee/Plenary adopted a new consumer bill of rights document entitled “NAIC Roadmap for Cybersecurity Consumer Protections”. This new document is the latest version of the NAIC’s consumer bill of rights concerning cybersecurity and is intended to comprehensively describe “the protections the NAIC believes consumers are entitled to from insurance companies, agents and other businesses when they collect, maintain and use (a consumer’s) personal information”. Further, the new document states that it “will be incorporated into NAIC model laws and regulations”.

According to the new “Roadmap”, a consumer has the right to:

  • Know the types of personal information collected and stored by companies, agents, and the businesses with which they contract (such as marketers and data warehouses);
  • Expect companies and agencies to post a privacy policy on their websites and to make the policy available in hard copy upon request;
  • Expect companies, agents, and the businesses with which they contract to take reasonable steps to keep unauthorized persons from viewing, using, or stealing his or her personal information;
  • Be notified if an unauthorized person has, or likely has, viewed, stolen, or used the consumer’s personal information;
  • Receive at least one year of identity theft protection paid for by the company or agent involved in a data breach; and
  • If his or her identity is stolen,
    • put a 90-day initial fraud alert, a seven-year extended fraud alert, and a credit freeze on his or her credit reports,
    • obtain a free copy of his or her credit report from each credit bureau,
    • dispute fraudulent or incorrect information on his or her credit reports and have fraudulent information related to the security breach removed from those reports,
    • stop creditors and debt collectors from reporting fraudulent accounts related to the security breach and stop debt collectors from contacting him or her, and
    • obtain copies of documents related to the identity theft.

The Roadmap includes guidelines for what should be contained in a company’s or agent’s privacy policy and in notices sent to a consumer concerning a data security breach. According to the document, data security breach notices should never be sent to the consumer more than 60 days after the breach is discovered. Finally, the Roadmap contains definitions of terms used in the document as well as links a consumer can use to exercise the rights described in the document.

Complete information may be found in the Roadmap (below).♦

NAIC Roadmap for Cybersecurity Consumer Protections

Profile – Scott Lawson

Attorney Advertising. The Lawson Firm, LLC (“TLF”) is a law firm providing legal counsel and value-added legal services to its business clients. Further information about TLF may be found at This article is intended to provide general information only and is not intended to provide solutions to specific issues. Readers are cautioned not to attempt to solve specific issues solely on the basis of the information contained in the article. TLF does not claim expertise in the laws of jurisdictions other than those in which our attorneys are licensed. Certification in any of the practice areas mentioned in this article is not available in Ohio.

© 2016. The Lawson Firm, LLC.