NAIC Picking Up Steam as it Drafts New Privacy Model

NAIC Picking Up Steam as it Drafts New Privacy Model

Since the NAIC Spring National Meeting in late March, the Privacy Protections (H) Working Group has continued its work to draft a new unitary privacy model. Over April, the Working Group met one-on-one with industry and interested parties. Since then, the Working Group met twice to receive public comments on discrete topics. The Working Group will ratchet up that level of activity with two full days of in-person public drafting sessions, starting this week. The Working Group plans to circulate a new full draft by the end of the month followed by three more meetings to receive public comments before the Summer National Meeting in August.

May Meetings

On May 2, the Working Group met to hear public comments pertaining to confidentiality (section 21), record retention (section 22), and deletion of consumer information (section 5). Confidentiality in this context regards information provided to regulators by licensees. Industry commenters communicated their preference for the confidentiality protections afforded in the ORSA (Own Risk and Solvency Assessment) model. The most contentious discussions centered on the retention of consumer information.

The current draft enumerates purposes for which licensees are permitted to retain consumer’s personal information. Once such a permitted purpose has expired, the licensee has 90-days to “completely delete” the consumer’s personal information. Industry vociferously opposes the 90-day time frame. In particular, many legacy systems will not be able to meet this requirement. Regulators were mixed in their sympathies related to legacy systems while consumer groups countered that legacy systems should not function to freeze consumer protections to the limitations of outdated systems.

See also  The US's flood insurance program is making more repeat payouts

On May 16, the Working Group met to hear public comments pertaining to cross-border information sharing. The draft provision requires prior consent from the consumer before personal information may be transferred beyond the jurisdiction of the United States. Industry commenters were unanimous in their opposition. Reinsurance complications in particular were communicated. One theme that resonated with the regulators as well as most of the industry commenters was that such restrictions may be contrary to international treaties to which the United States is a signatory.

What’s Next?

The upcoming in-person meetings are slated to cover many potentially contentious topics such as requirements for third-party service providers, joint-marketing agreements, consent to marketing (i.e., opt-in vs. opt-out), and consumer disclosures. These topics pertaining to the collection of consumer data for marketing purposes, sharing that data with affiliates or non-affiliated third parties, and the required degree of disclosure and consumer consent are among the topics for which regulators have expressed the most concern.

Locke Lord will continue to monitor developments in this quickly developing space. If you have questions, please contact ‎‎your Locke Lord relationship partner or the author.