New NAIC Privacy Model Law Would Significantly Impact Insurer Compliance Requirements

Husch Blackwell LLP

The National Association of Insurance Commissioners (NAIC) Privacy Protection Working Group (PPWG) released Insurance Consumer Privacy Protection Model Law #674 (Model 674) on February 1, 2023. New Model 674 was expressly drafted with the objective of superseding NAIC Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672, which have been in place for decades and widely adopted.

The PPWG attempted to address several objectives and cover various issues in drafting Model 674:

  • Enhance transparency about how a consumer’s data is collected, processed, shared, and retained. Section 4 is of particular interest for the limits it imposes on insurers regarding when consent would be required.
  • Address the issue of data minimization and broad sharing limitations.
  • Require consumer consent before personal information is shared with other entities, or with entities outside the U.S. where conforming privacy protections may not apply to the information. This could significantly impact even affiliate sharing practices in place in the industry.
  • Definitively prohibit insurers from selling consumers’ personal information.
  • Ensure that a consumer has the right to have his or her personal information amended or corrected, unless an insurer can show good cause for refusal to make said amendment or correction.
  • Model 674 adds a record retention requirement rather than a “right to be forgotten” provision as has become common in recent state consumer data protection laws. This is due to the industry’s generally longer timeframe required to maintain consumer information. However, the model would impose a requirement on insurers to delete consumer data within a set period after it is no longer required by the insurer.
  • Oversight of third-party service providers remains primarily the responsibility of the licensed insurer.
  • There is a safe harbor provision for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA).
  • Many of the concepts in Model 674 are derived from recent state privacy laws, although the PPWG acknowledges that the model will likely require amendments following industry input.

You can read the draft Model Law here and the cover letter here. Comments on the draft must be submitted by April 3, 2023.

What this means to you

Model 674 demonstrates that the NAIC is continuing to reevaluate its historical approach to privacy compliance requirements and is taking an ever-stricter approach consistent with the broader regulatory community. What remains to be seen is how Model 674, as adopted by states, will affect insurers’ compliance obligations vis-à-vis the patchwork of state data compliance laws and regulations that have recently been adopted or are currently under consideration. To keep up to date on these general privacy developments, be sure to follow Husch Blackwell’s 2023 State Privacy Law Tracker and related resources.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
