Consumer Data Privacy

Support for state-based protection of insurance consumers’ data privacy

PIA supports the state-based protection of insurance consumers’ data privacy and opposes the development of a prescriptive federal legislative regime addressing the insurance industry’s management of consumer data.


Over the past several years, data breaches involving corporate custody of consumers’ personally identifiable information (PII) have become commonplace, as has the reactive dissemination of consumer notifications that typically accompany corporate disclosures of such breaches.


Data breaches have eventually ensnared just about every industry that collects consumer PII, including the insurance industry. The proliferation of such breaches, specifically among insurance businesses, has endangered PII of every variety. Even consumers’ sensitive health information has been repeatedly compromised, despite the special protection afforded to it by the safeguards set forth in the Health Insurance Portability and Accountability Act (HIPAA) and, more recently, the Gramm-Leach-Bliley Act (GLBA) of 1999.


State regulatory action


In 2017, with data breaches multiplying and threats of Congressional intervention looming, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security model law (MDL-668), which was modeled on a similar cybersecurity regulation (23 N.Y.C.R.R. Part 500) in New York. Like the New York regulation, the NAIC model requires licensed insurance entities to create an information security program to protect nonpublic consumer information, perform a risk assessment to identify and implement other appropriate precautions, and report qualifying data security breaches to state insurance regulatory authorities within 72 hours.


Since 2017, the NAIC model has been adopted, with various state-specific changes, by over twenty states. In some states, carriers that are already subject to HIPAA’s consumer protection mechanisms are exempt from compliance with the corresponding provisions in the law. Some state versions also offer select licensees partial exemptions from the law’s most burdensome requirements, based on factors like total annual revenue or number of full-time employees. For the most part, though, its provisions apply to all domiciliary licensees in the states in which it has been passed.


In the process of developing the Insurance Data Security model, regulators considered but rejected a plan to draft one model that would fully address every issue related to consumer privacy and data security. Instead, they focused on establishing an industry standard for consumer data protection and breach notification. This decision was driven partly by the fact that existing NAIC model laws, including the Insurance Information and Privacy Protection Model Act (MDL-670), the Privacy of Consumer Financial and Health Information Regulation (MDL-672, promulgated in response to the 1999 passage of the GLBA), and the Standards for Safeguarding Customer Information Model Regulation (MDL-673), already address some of the related issues.


Predictably, then, even when read in conjunction with the NAIC’s three associated model laws, the Insurance Data Security model does not attend to every potential issue presented by corporate uses of consumer PII, particularly as those uses have evolved over time. Recently, the NAIC’s Privacy Protections (H) Working Group announced its intent to replace its 1992 Insurance Information and Privacy Protection model (MDL-670) and its Privacy of Consumer Financial and Health Information Regulation model (MDL-672, most recently revised in 2017) with one new model that will be known as the Insurance Consumer Privacy Protection Model Law. Publication of its initial draft is anticipated in early 2023.


Role of the 118th Congress


The new Chairman of the House Financial Services Committee is Rep. Patrick McHenry (R-NC). McHenry has stated that his priorities include updating existing federal regulatory standards for data privacy, which he views as a potentially bipartisan issue. He has specifically expressed interest in updating and expanding the GLBA to account for the ways in which the financial services industry has evolved since its passage. McHenry has also indicated that he may consider creating a federal legislative data privacy standard that would preempt existing state law.


McHenry’s ambitious data privacy agenda is poised to collide with the NAIC’s existing stable of data privacy model laws and its efforts to consolidate its privacy protection and consumer financial information models. In accordance with our longstanding support of the existing structure of state-based insurance oversight, PIA plans to support and assist the NAIC as it updates its privacy protection models.


PIA will also work to prevent Congress from passing intrusive federal law in this area. A prescriptive federal legislative regime that preempts existing state law would be disastrous for state-based insurance regulation: it would undermine existing state law, the NAIC’s existing and future models, and the entire state-based insurance regulatory structure, which has effectively protected insurance consumers and cultivated innovation for over a century.


For the most up-to-date information on federal efforts to legislate on the issue of data privacy and the rest of our advocacy issues, please be sure to visit and follow the PIA Advocacy blog, located at