Will the NAIC Insurance Data Security Model Law Apply to Captives?
February 10, 2017
The National Association of Insurance Commissioners (NAIC) has established a working group to develop an Insurance Data Security Model Law for consideration by state regulators and legislators. The purpose of the law will be to protect the privacy of consumers by requiring insurers take steps to secure their personally identifiable information (PII). The current working and discussion draft (August 17, 2016—version 2) of the model law has a very broad definition of PII that would likely include claims data, among other items. This is a worthwhile goal. However, it will impose additional administrative burdens and possibly additional liability exposure on insurers. For example, the current draft of the law requires insurers to assure that any third-party service providers they retain (e.g., third-party administrators and captive managers) have reasonable safeguards in place.
While the law is being drafted to apply to traditional insurance companies, there is some concern that, as drafted, the language would also be deemed to apply to captive insurers domiciled in the states that enact it. Of course, this is generally contrary to the intent of the captive insurance laws that preempt most other insurance laws. This potential issue was raised during a panel discussion at the 2017 World Captive Forum by Steve Kinion, director of the Bureau of Captive and Financial Insurance Products, Delaware Insurance Department. Noting that most other insurance laws are preempted by the captive laws of most states, he asserted that "with the purpose of this model law being to protect the privacy of consumers there is a powerful public policy argument that it would not be preempted." As such, this will be a legislative development that captive professionals should watch.
February 10, 2017