Aug 10, 2015 AIA Comments on NAIC Consumer Bill of Rights

2101 L Street NW
Suite 400
Washington, DC 20037
202-828-7100
Fax 202-293-1219
www.aiadc.org
August 10, 2015
Commissioner Adam Hamm, Chair
Director Raymond Farmer, Vice Chair
Cybersecurity (EX) Task Force
NAIC Central Office
1100 Walnut, Suite 1500
Kansas City, MO 64106-2197
Attn: Pamela Simpson, Senior Administrative Assistant
VIA Electronic Mail: [email protected]
RE: Draft Cybersecurity Bill of Rights
Dear Commissioner Hamm and Director Farmer:
The American Insurance Association (AIA) appreciates the opportunity to comment on the draft Cybersecurity Bill
of Rights (Bill of Rights). AIA represents approximately 325 major U.S. and non-U.S. insurance companies that
write more than $127 billion in premium each year and provide all lines of property-casualty insurance to U.S.
consumers and businesses. We appreciate the effort that went into developing this Bill of Rights, but have a few
primary concerns:

What is the intended purpose of the Consumer Bill of Rights and what is the Task Force’s recommended
use for the Bill of Rights? An understanding of the regulators’ goals and objectives with regards to this
document will help guide meaningful future revisions.

As currently drafted, the Bill of Rights does not account for the variations in state laws and will
ultimately create consumer confusion and frustration. When the consumer’s expectations as
established by this Bill of Rights do not match state or federal law, and as such perhaps general
industry responses, there is an increased risk of consumer confusion and frustration. Consumers are
rightfully frustrated when a breach occurs, and when their misinformed expectations are not met, that
frustration and confusion will only be heightened.

The Bill of Rights should not create new rights, but rather inform consumers of their legal rights that
currently exist.
Enclosed for your consideration is a mark-up of the proposed Bill of Rights. Our recommended changes are
explained in detail below, but the overarching rationale for our comments is compliance with the current
multistate requirements and preventing consumer confusion and frustration.
Format/Readability
AIA believes that the Bill of Rights should be a concise document that accurately informs consumers of their
existing legal rights as they relate to their personally identifiable information. Accordingly, we have made several
recommendations to promote the clear and logical formatting and organization of this document. For instance,
we have reorganized and combined some of the bullets to provide a sequential understanding of existing rights
beginning with generally identifying the privacy policy contents, expectations with regards to safeguards, and what
can be expected should a breach occur.
In addition, it is important for consumers to understand, up front, that their rights will vary from state to state;
therefore, we moved the “Note” to the top of the page. Similarly, we added clarifying language to the definitions
section.
Notification Requirements
In keeping with the theme of a concise notice in a readable format, we have combined rights 3, 4, 5, 6 and 7 into
one right to avoid redundancy. We recognize the significant interest that consumers may have with regards to
their health and payment card information; however, this importance can be expressed by including them as
examples in the notification right. Further, notification requirements as they relate to a breach by a third party can
become complicated and explaining this in a Bill of Rights is overly burdensome and likely confusing for consumers.
Timing and substance of notice also vary amongst the states, and to avoid any unnecessary confusion, we
suggest: (a) a generic statement that highlights the key issues the consumer should be aware of following a breach;
and (b) reference to a timely notice without any specific timing requirement. Generally, an entity may include
relevant information in its notice such as: what happened, what personally identifiable information is at risk, what
steps the consumer can take to protect themselves, and any relevant contact information. Again, specifics should
be avoided to prevent consumer confusion and to accurately manage expectations.
Insurer, Insurance Producer, or other State-Regulated Entity
Throughout the document there are references to obligations of the “insurer, insurance producer or other state
regulated entity.” We strongly believe that this adds unnecessary confusion to the document. For instance, who
provides the breach notification is dictated by state and federal law and will differ depending on the circumstances
of the breach. This is also true in relation to a breach by a third party. Trying to adopt language in a “Bill of Rights”
to adequately describe who they will receive notice from will require additional language that will be of no benefit
to the consumer. In addition, “state-regulated entity” is a very broad term, which industry finds complex to
determine in this context and we would argue that consumers will have an equally, if not more, difficult time
determining a “state-regulated entity.” If the main purpose of the Bill of Rights is to educate consumers on what
they may expect with relation to their personally identifiable information and how to protect themselves following
a breach, we urge the Task Force to avoid including the reference to “insurer, insurance producer, or other state-regulated entity.”
Data Retention
The 1st right in the Bill of Rights indicates the privacy policy will identify how long personally identifiable
information is kept. This is a very difficult requirement for insurers to comply with and we are not aware of any
state or federal privacy notice law that requires this. There are many reasons that may require an insurer to
maintain information longer than expected such as a litigation hold or the nature of the claim may require a longer
period of retention. AIA has suggested language that deletes the reference to the length of time information will
be kept and replaces that with how the information will be safeguarded.
Privacy Policy
We merged the 12th right into the 1st right, because we felt they both dealt with the insurer’s rights to a privacy
policy and it made logical sense for these to be included in Principle 1.
Adequate Protection
We recommend deletion of the term “adequate” from the 2nd right. Whether or not something is adequate is a
subjective determination and including this term may only create unnecessary friction. The insurance industry
places a significant amount of importance on protecting consumer data; nevertheless, no matter how many
security measures an entity employs, no system will ever be 100% secure.
Fair Credit Reporting Act (FCRA) Rights
It is our recommendation to delete the detailed bullet points outlining a consumer’s rights under the FCRA. The
rights explained in the bullets are rights provided by the consumer reporting agencies and the link provided in the
document should fully explain any questions the consumer may have. More importantly, providing the link helps
condense the document so that a consumer does not become overwhelmed by the abundance of information
presented in the Bill of Rights.
Credit Monitoring
We strongly urge that the reference to 2 years of credit monitoring should be deleted from the document. This
highlights an obligation that does not currently exist in any state law. Further, eliminating the right on credit
monitoring is also consistent with the “Principles for Effective Cybersecurity: Insurance Regulatory Guidance,”
because this will allow flexibility to use any future technology or service that may be developed to accommodate
or replace credit monitoring to assist consumers following a breach.
Definitions
AIA suggests a few changes to the definition section of the Bill of Rights. First, we recommend that a clause be
added to the end of the definition of “Data Breach” to clarify that for the purposes of this act it means a breach for
which notification is required under applicable privacy laws. Next, we urge the Task Force to eliminate the
reference to business from the definition of insurance. The federal and state regulatory schemes regarding
insurance information and privacy protections all focus on personal lines types of insurance transactions. In
addition, generally state data security breach laws focus on personal information. Using the reference to
“business” blurs the lines between these distinctions and applies privacy protection concepts that are historically
reserved for personal insurance transactions to commercial lines transactions. Third, the definition of “Insurance
Producer” will no longer be needed if the Bill of Rights avoids explaining the complicated nature of what regulated
insurance entity will be providing notice. Finally, we have amended the definition of “Personally Identifiable
Information” to reflect a definition that is as consistent with state data breach laws as possible. Our approach is to
identify those data elements that are commonly referred to as personally identifiable information in a majority of
states.
Helpful Links
The links presented in the document should be limited to government websites to avoid the appearance of
endorsing one commercial website over another.
AIA appreciates your consideration of our comments and looks forward to working with you on this important
issue. We firmly believe that a back-and-forth collaboration on this issue can lead to a meaningful document, and
as such we respectfully urge the Task Force to release an updated Consumer Bill of Rights for consideration and
additional comment.
Respectfully submitted,
Angela Gleason
Associate Counsel