Print Print | Email Facebook Twitter Share ThisShareThis

Security Breach Notification Laws Should Concern Insurers, NAMIC Says

INDIANAPOLIS (July 7, 2005)—Differences in the 19 security breach notification laws enacted so far this year should be of concern to insurers conducting business in multiple states, according to an analysis by the National Association of Mutual Insurance Companies (NAMIC).

The latest NAMIC Issue Brief “Security Breach Notification Laws: What Threats Do They Pose for Insurers?” concludes that Florida lawmakers enacted the most stringent notification law so far this year.

The Florida law makes businesses subject to specific timelines for reporting security breaches, regardless of whether the business owns the data or not. It also requires businesses to maintain documentation for up to five years of any incidents where a security breach is investigated, but it’s determined the breach will not likely harm individuals. Failure to keep such documentation can result in a fine up to $50,000.

The analysis also found:

  • Four states (Arkansas, Delaware, New Jersey and North Dakota) added additional language to their definitions of “personal information,” while the other states followed the definition adopted by California when it enacted the country’s first notification law in 2002;
  • Nine states (Florida, Georgia, Indiana, Minnesota, Nevada, New Jersey, New York, Tennessee and Texas) require businesses to notify consumer-reporting agencies of security breaches, but the threshold that triggers the notice varies;
  • Seven states (Arkansas, Delaware, Louisiana, Minnesota, Nevada, North Dakota and Tennessee) have specific exemption provisions that go beyond the California law, which allowed businesses to follow their own disclosure procedures if they were consistent with its law; and
  • Five states (Louisiana, Maine, Tennessee, Texas and Washington) follow California’s example and allow individuals to bring a private right of action against businesses over a security breach.

The analysis is intended to help insurers to closely monitor similar bill introductions and to avoid certain provisions that would impose unreasonable requirements on them.

This Issue Brief is the latest in a series of briefs that NAMIC has published on topics of timely interest to the property/casualty industry. In May, NAMIC produced a brief entitled “Insurance Fraud: Most States Act to Curb the Abuses, But Adequate Statutory Remedies Still Lacking in a Few States.” It describes the formation and role of the Coalition Against Insurance Fraud, provides a synopsis of what states have done to curb fraud, and details some encouraging legislative developments. In June, a brief entitled “Evaluation of Costs and Benefits: The NAIC’s Proposed Internal Control Reporting Provisions” detailed the costs involved in Section 404 of the Sarbanes-Oxley Act of 2002 being applied to mutual insurers.

“Security Breach Notification Laws: What Threats Do They Pose for Insurers?” can be read at NAMIC Online.

All NAMIC Issue Briefs can be downloaded from NAMIC’s website, NAMIC Online.

Posted: Thursday, July 07, 2005 12:00:00 AM. Modified: Thursday, July 07, 2005 4:14:48 PM.

317.875.5250 - Indianapolis  |  202.628.1558 - Washington, D.C.

NAMIC | Where the future of insurance has its voice TM