Security Breach Laws Should Concern Insurers, NAMIC Says

July 8, 2005

Differences in the 19 security breach notification laws enacted so far this year should be of concern to insurers conducting business in multiple states, according to an analysis by the National Association of Mutual Insurance Companies (NAMIC).

The latest NAMIC Issue Brief “Security Breach Notification Laws: What
Threats Do They Pose for Insurers?” concludes that Florida lawmakers
enacted the most stringent notification law so far this year.

The Florida law makes businesses subject to specific timelines for reporting security breaches, regardless of whether the business owns the data or not.

It also requires businesses to maintain documentation for up to five years of any incidents where a security breach is investigated, but it’s determined the breach will not likely harm individuals. Failure to keep such documentation can result in a fine up to $50,000.

The analysis also found:

• Four states (Arkansas, Delaware, New Jersey and North Dakota)
added additional language to their definitions of “personal information,”
while the other states followed the definition adopted by California
when it enacted the country’s first notification law in 2002;

• Nine states (Florida, Georgia, Indiana, Minnesota, Nevada, New
Jersey, New York, Tennessee and Texas) require businesses to notify
consumer-reporting agencies of security breaches, but the threshold that
triggers the notice varies;

• Seven states (Arkansas, Delaware, Louisiana, Minnesota, Nevada,
North Dakota and Tennessee) have specific exemption provisions that go beyond the California law, which allowed businesses to follow their own disclosure procedures if they were consistent with its law; and

• Five states (Louisiana, Maine, Tennessee, Texas and Washington)
follow California’s example and allow individuals to bring a private
right of action against businesses over a security breach.

The analysis is intended to help insurers to closely monitor similar
bill introductions and to avoid certain provisions that would impose
unreasonable requirements on them.

Was this article valuable?

Here are more articles you may enjoy.