Having faced a lot of “can’t be done” reactions to initiatives like increasing competition in the North Dakota’s health insurance market and changing a centuries-old life insurance reserving method—and proving the doubters wrong—Adam Hamm isn’t overwhelmed by 180 pages of comments raising concerns about a draft model law for cybersecurity.
In March 2016, state insurance regulators first exposed the Insurance Data Security Model Law for public comment, building on a consumer bill of rights (officially known as the Roadmap for Consumer Cybersecurity Protections) that was adopted by the NAIC last year. The NAIC’s Cybersecurity Task Force, which Hamm chairs, released a second draft for comment on Aug. 17. In the second draft, the need for compromise is evident at the very top of the document, which revises language related to the applicability of the law and coordination with other regulations.
The “purpose and intent” description previously said:
The purpose and intent of this Act is to establish the exclusive standards for data security and investigation and notification of a breach of data security applicable to licensees in this state.
It’s been revised to read:
Notwithstanding any other provision of law including [insert reference to state’s general data security breach notification law], the purpose and intent of this Act is to establish the exclusive standards in this state for data security and investigation and notification of a data breach applicable to licensees, as defined in Section 3G.
In addition, careful readers of the redlined version will notice deletions of sections prescribing the use of the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) for risk management and the use of an Information Sharing and Analysis Organization (ISAO) to stay current on threats and share information, among other changes.
We asked Hamm during an interview just about a week after comments on the second draft were delivered whether he was disappointed by compromises or frustrated by a new round of comments.
“My bottom line answer to that is we’ve done a lot of good work on the task force from the initial draft to this second draft. I know there are still areas and issues that we need to work on over the remainder of 2016, [and] we’re starting to winnow that list down from what are the remaining huge issues for the insurance companies, for insurance agents and for insurance regulators,” he said, referring to the stack of comment letters that comes in at 186 pages. “But at the end of the day, we have reached the stage of the proceedings where insurance regulators need to ask themselves, ‘What is in the best interest of consumers?'”
Referring to building blocks put in place in 2015 that included development of the consumer road map, a set of 12 guiding principles for regulators, and updated regulatory exam protocols, he said, “All of that was the appetizer for the main course this year.”
“In reality, we’ve been directly or indirectly working on the model for well over a year and a half now,” he said, referring to the fact that the task force actually came together in late 2014.
Is it now in consumers’ interests “to keep working on all of these issues past the end of this year and continue on into next year? Or to continue working on these issues, to try to find quality areas of consensus and compromise we can find, but finish the model in 2016 so it can start being introduced in legislatures in 2017?” Hamm asked.
Immediately offering his own answer in favor of the latter alternative, Hamm outlined two reasons. “First, these breaches are continuing to happen. It’s not like we have crested this wave and they are starting to slow down…They’re going to keep happening because the cyber bad guys know how much personally identifiable information the insurance sector has.”
In addition to that, Hamm worries that “at some point the other shoe is going to drop. We’re not just going to have Americans having their PII [personally identifiable information] compromised and taken, they’re going to start becoming real victims of fraud. Some of these folks are going to end up discovering that their PII was sold on the dark web and that their PII was used against them…”
“It behooves us, as insurance regulators, to have our comprehensive regulatory framework done before that other shoe drops.”