State insurance regulators have developed a set of 12 principles that could shape their efforts to promote data security.
The National Association of Insurance Commissioners (NAIC) recently posted a copy of the document on its website.
The NAIC’s Cybersecurity Task Force exposed a draft of the document in March, a few weeks after Anthem Inc. (NYSE:ANTM) reported suffering an attack that could have affected the security of records on about 79 million people.
Commenters who reviewed the draft argued that some proposed principles were too specific, and that others implied state regulators would take on a role beyond their capabilities.
In the March draft, for example, the principles called for insurers to join the Financial Services Information Sharing and Analysis Center (FS-ISAC) and declared that, “Insurance regulators have a significant role and responsibility regarding the insurer’s efforts to protect sensitive customer health and financial information.”
In the final version, the NAIC says that state insurance regulators “have a responsibility to ensure” that personally identifiable information held by insurers, producers and other regulated entities is protected.
State insurance regulators should “collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach,” the NAIC says.
In the provision about information sharing, the NAIC now says insurers and insurance producers should use an information-sharing and analysis organization to keep up to date on data security matters, but it no longer names a specific organization that insurers should join.