Here is a summary of legislative and regulatory developments and challenges for the fourth quarter of 2022 and their practical implications:
Major State Privacy Legislation: On January 2, 2023, the Wall Street Journal reported that many new state laws in the coming year would focus on consumer data privacy. Nearly two years ago we noted that California and Virginia had enacted new and comprehensive privacy statutes, both becoming effective on January 1, 2023.
The California Privacy Rights and Enforcement Act (CPRA) expands upon the current California privacy statute, the California Consumer Privacy Act (CCPA), by regulating not only the buying and selling of consumer information, but also its “sharing.” This term, while appearing to be broad, actually is narrowly defined as targeted advertising based on the consumer’s personal information. The focus of California’s privacy protection measures was and continues to be on commercial use of consumers’ personal information for sales and marketing purposes.
The Virginia Consumer Data Protection Act (CDPA) takes a different approach to consumer privacy, following many of the concepts found in the European Union’s General Data Protection Regulation (GDPR). A business that determines the purpose and means of processing personal data (a “controller”) may collect and use this information for only specific purposes, must allow a consumer to access and in many cases to delete the data, and is responsible for compliance of third party “processors” acting on its behalf.
There are a number of thresholds and exemptions that will relieve most workers’ compensation payers and their service providers from CDPA compliance obligations. Of more relevance to the workers’ compensation industry is the NAIC Insurance Data Security Model Law, which has now been enacted, in whole or part, in 21 jurisdictions.
Similar in many ways to New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), the Model Law establishes a comprehensive regulatory framework applying to claim payers and protecting the non-public data of insurance “consumers,” including claimants. Key features of the Model Law include the following:
- Defines “consumers” to include claimants as well as applicants, policyholders and insureds.
- Defines a “cybersecurity event” to include both data loss or misuse and access to, disruption or misuse of, an information system.
- Defines “licensees” subject to the law to include all entities licensed or registered under the state’s insurance laws.
- Defines protected “nonpublic information” to include both personally identifiable information and licensees’ sensitive business information.
- Requires licensees to develop and implement a comprehensive information security program, including a written incident response plan, which identifies and mitigates reasonably foreseeable internal or external threats.
- Requires licensees to annually certify their compliance to their domiciliary insurance regulator.
- Requires licensees to promptly investigate and, if confirmed, remediate any suspected cybersecurity event, notifying regulatory authorities within 72 hours of discovery.
- Requires licensees to follow applicable state data breach laws in notifying consumers of an incident.
- Requires licensees to oversee their third party service providers’ compliance with information security laws and to take responsibility for managing their third party service providers’ cybersecurity events.
Implications: All business entities participating in adopting states’ workers’ compensation systems are either directly or indirectly subject to the Model Law, so it is important that payers and their trading partners establish a comprehensive information security program complying with the Model Law. Further, because the Model Law has not been enacted in every jurisdiction and has been enacted with important revisions in others, it is important to review the relevant statute for key variances. For example, the Maryland statute, effective October 1, 2022, applies specifically to third party administrators as well as insurers, but this clarifying provision does not appear in the NAIC Model Law.