The US insurance industry operates under a complex landscape of privacy laws and regulations designed to protect consumers’ personal information. At the heart of this regulatory framework are standards developed by the National Association of Insurance Commissioners (NAIC), alongside federal and state laws like the Gramm-Leach-Bliley Act (GLBA).
Key NAIC model laws addressing privacy in the insurance sector include:
- • the Insurance Information and Privacy Protection Model Act (#670) from 1992,
- • the Health Information Privacy Model Act (#55) from 1998,
- • the Standards for Safeguarding Customer Information Model Regulation (#673) from 2002,
- • the Insurance Data Security Model Law (#668) from 2017, and
- • the Privacy of Consumer Financial and Health Information Regulation (#672) also from 2017.
Additional requirements apply under state-adopted versions. All states adopted #672 to be in compliance with Gramm-Leach-Bliley Act (1999) requirements, and 23 states have adopted the #668 Model Law as of January 2024. Since states can adapt these models, insurers must be agile in responding to variations across jurisdictions and be prepared for upcoming amendments that have been in the works for years.
This article explores the planned privacy reform, existing privacy obligations, and how Private AI’s privacy-preserving technology can assist insurers in maintaining compliance, enhancing data security, and supporting a proactive approach to data protection.
Background on Privacy Reform
The NAIC has undertaken an initiative to modernize its outdated privacy protection models for consumer data, resulting in the development of Model Law #674, the Insurance Consumer Privacy Protection Model Law. This model, drafted by the Privacy Protections Working Group (PPWG), aimed to provide updated standards for the handling of consumer data by insurers and third-party service providers, addressing issues such as transparency, consumer rights, data retention, and third-party accountability. It sought to ensure that consumer data protection remained robust and aligned with contemporary privacy needs, including establishing limits on data sharing, requiring explicit consumer consent, and instituting clear consumer notification requirements.
However, despite several revisions and consultations with relevant stakeholders #674 faced significant resistance from various states, including Nebraska, South Dakota, and Kansas. Concerns were raised over the model’s broad scope, potentially restrictive data-sharing regulations, and its effects on insurance policy accessibility. Additionally, some states and industry representatives noted that Version 1.2’s provisions could conflict with business practices, particularly for independent agents.
In light of this feedback, the PPWG held several public meetings to discuss concerns and refine the draft but ultimately encountered difficulty gaining sufficient support for adoption. In June 2024, it was confirmed that Model #674 would not move forward, leading the NAIC to resume work on revising the previous Privacy of Consumer Financial and Health Information Regulation (#672) instead. This pivot signals a continuation of the effort to update privacy standards, though with an approach that may better accommodate varying state and industry positions. The PPWG now focuses on enhancing #672, aiming to refine guidelines around third-party data handling while preserving a level of flexibility conducive to state adoption and industry practice alignment. #672 is proposed to be renamed from Regulation to Act, but it seems not to be intended to replace #668. This is quite relevant as the proposed amendments to #672 do not include, for example, cyber incident or data breach reporting obligations, whereas #668 does.
A timeline for the completion is currently uncertain. A recent interview with the new NCAI President indicated that privacy reform is not among the top priorities.
Understanding Privacy Obligations in the Insurance Sector
The draft revisions to Model #672 incorporate several of the enhanced privacy protections initially proposed in Model #674. Key elements include:
- • Expanded Definition of “Nonpublic Personal Information”: This term now includes any information that is linked or reasonably linkable to an identified or identifiable individual. Excluded from this definition are de-identified information, aggregated data, and pseudonymous data. This exclusion means that the obligations imposed on licensees and the rights of consumers to not apply with regard to de-identified and pseudonymized information. This is in a sense similar to the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA), which also excludes de-identified data from the definition of personal information, however, #672 falls considerably short of HIPAA in that it does not set specific standards for how data needs to be de-identified to meet the threshold of no longer being identifiable:
- “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural persona or a device linked to such a person.
- “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
- • Definition of Sensitive Personal Information: This category includes personally identifiable “nonpublic personal financial information” about a consumer that encompasses data on racial or ethnic origin, religious beliefs, sexual orientation, citizenship, or citizenship status, and genetic information or biometric data used for uniquely identifying an individual.
- • New Definitions Added: Aside from de-identified and pseudonymized data, the revisions introduce specific definitions for (1) biometric data, (2) genetic information, and (3) third-party service providers.
- • Third-Party Service Provider Contracts: Licensees that share a consumer’s nonpublic personal information with third-party service providers must establish contracts with those providers that meet the requirements specified in the model.
- • Consumer Access and Control: Licensees must allow consumers the ability to access, correct, and delete their nonpublic personal information.
- • Opt-In Requirement for Sale of Personal Information: Licensees are required to obtain affirmative opt-in consent from consumers before selling their nonpublic personal information.
- • Restrictions and Notice Requirements: There are now additional restrictions and notice obligations regarding licensees’ use and disclosure of consumers’ sensitive personal information.
An interesting and worrisome difference between the initially considered #674 and #672 is that the latter does not include a general data minimization principle, at least not pertaining to the collection of nonpublic personal information. #674 stated in section 4 that the collection, processing, retention, and sharing of personal information shall be limited to what is reasonably necessary and proportionate to achieve the purposes related to the requested insurance transaction or additional activities and not further processed, retained, or shared in a manner that is incompatible with those purposes. This provision is already not very restrictive given the inclusion of “additional activities” that are not further defined. However, #672 is even less restrictive in that it permits consumers to direct the licensee to limit its use of the consumer’s sensitive personal information. This implies that there is no general obligation applicable to the licensee to limit the collection of personal information.
Especially when viewed together with the broad exclusions of what constitutes personal information discussed above, i.e., the fact that de-identified and pseudonymized information is not considered personal information while it remains unclear how de-identification or pseudonymization should be achieved, it appears that #672 falls notably behind the standard of protection awarded to personal information in other sectors.
Yet, compared to the 1992 #670, which #672 will replace, there certainly is an improvement. #670 did not contain the concept of de-identification and pseudonymization and only required the minimization of personal information disclosure, not use.
To that extent, the recent albeit failed focus on Model #674 and the proposed amendments to #672 reflect a shift towards modern data governance, emphasizing technologies that reduce risks associated with large-scale data processing.
Private AI’s technology is well suited to aid insurers in meeting these standards by enabling precise identification, classification, and redaction of personal information across their systems.
How Private AI’s Technology Supports Compliance
Private AI’s advanced machine learning models automatically identify, categorize, and redact or replace over 50 entities of personal data within large datasets, including unstructured data formats like emails, claim documents, and reports. Most data points captured by the definitions of “Nonpublic Personal Information” and “Sensitive Personal Information” are among those that Private AI’s models are able to detect, classify and redact. Exceptions include certain biometric data and genetic data.
The high accuracy with which these models operate allows for reliable and efficient de-identification of large-scale datasets. As we have seen, the benefit of undertaking data de-identification or pseudonymization is that such data no longer fall within the scope of the model act, significantly reducing applicable compliance requirements. In addition, the removal of identifiers that are not necessary for any business purposes also means that in the event of a data breach, the damage an attacker can do is reduced as well as the associated cost of dealing with the breach.
Breach mitigation and reporting, mandated by the existing #668, can also be facilitated with Private AI’s technology. Knowing what personal data is located where helps assess the risk and implement appropriate safeguards. Having to report the specific types of information that were breached can be laborious, especially when unstructured data is involved. Private AI can generate a report on the entities present in a dataset or IT system and provide detailed classification of each, helping to comply with the requirement to detail the “types of medical information, types of financial information or types of information allowing identification of the Consumer.”
Conclusion
Private AI’s technology offers the insurance industry robust support for navigating complex US privacy laws and regulations by automatically identifying, classifying, and redacting data across systems, enhancing both compliance and data security. This helps insurers efficiently meet their privacy obligations and prepare for evolving standards; and preparation is strongly advisable considering the expected changes to the NAIC’s model law.
To see the tech in action, try our web demo, or get an API key to try it yourself on your own data.