On October 14th, 2015, the National Association of Insurance Commissioners (co-developer of the Model Audit Rule) has adopted the Cybersecurity Bill of Rights
The Cybersecurity Bill of Rights describes what you can expect from insurance companies, agents, and other businesses when they collect, maintain, and use your personal information. These include your rights as an insurance consumer when you get a notice that your personal information was involved in a data breach. Specific rights may vary based on state and federal law.
The Cybersecurity Bill of Rights vests insurance consumers with the following rights:
- To know the types of personal information collected and stored by an insurance company, agent, or other business that the insurance company contracts with;
- To expect that the insurance company will maintain a privacy policy on its website, and provide a hard copy upon request, that describes the collection, storage, and protections practices of the insurance companies and consumers’ choices regarding the use and protections of their data;
- To expect that the insurance company, agent, or other business that the insurance company contracts with takes reasonable steps to secure consumer data;
- To expect to receive written notification of a data breach from an insurance company, agent, or other business that the insurance company contracts, within 60 days of discovery of the data breach;
- To expect at least one year of identity theft protection paid for by the insurance company or agent involved in the data breach; and
- To take steps to protect and minimize any damage to the consumer’s identity, including fraud alerts, credit freezes, obtaining credit reports, and managing fraudulent charges and debt collection efforts.