Top Insurance Regulatory Developments of 2020: Part 1

This is the first installment of a two-part look at the top 10 insurance regulatory developments of 2020 by attorneys at Locke Lord. The first part covers COVID-19, Insurtechs, Data Privacy, Race Equality and Pharmacy Benefit Managers. The second installment on Jan. 26 will look at Antitrust, Captives, Service Contracts, Travel Insurance and Surplus Lines.


COVID–19 Pandemic Turmoil

The COVID-19 pandemic has had severe adverse consequences to virtually all U.S. businesses, including insurance. While the business interruption insurance coverage litigation dominated this year’s insurance news and impact on property and casualty insurers writing this type of coverage and their insured business customers, state insurance regulators also faced important challenges in the wake of the pandemic. Their responses included:

All-in-all, state insurance regulators reacted swiftly and adroitly to the pandemic spurred challenges facing the insurance industry and the insurance customers they protect.

On the federal side, the U.S. House of Representatives introduced in May the Pandemic Risk Insurance Act (“PRIA”), modeled after the Terrorism Risk Insurance Act of 2002, as amended (“TRIA”). PRIA has been characterized by Congresswoman Maxine Waters as “a reinsurance program similar to [TRIA] for pandemics, by capping the total insurance losses that insurance companies would face.” PRIA would require participating insurers to “make available” insurance coverage for a “covered public health emergency,” which includes “any outbreak of infectious ‎disease or pandemic” on terms that do not differ materially from the terms applicable to losses ‎arising from other events.‎ Like TRIA, participating insurers would need to satisfy individual and industry-wide deductibles before seeking federal reimbursement for losses. Critically, however, as currently contemplated, participation in the Pandemic Risk Insurance Program would be voluntary in nature, whereas TRIA is a mandatory program applicable to certain commercial property and casualty insurance policies.

InsurTech Growth and Regulatory Reaction

Despite, or perhaps because of, the COVID-19 pandemic, no area of tech was hotter than insurtech in 2020. With multiple companies going public through both SPAC transactions (Clover and Metromile) or direct listings (Lemonade, Root and OSCAR), as well as investments valuing others at well over a billion dollars (Hippo), insurtech went from niche to mainstream fast, fueled in part by the sector’s focus on automation, efficiency and digital platforms which allowed them to scale despite COVID-19 restrictions.

Recognizing the rapid development of technology enabled insurance platforms, the National Association of Insurance Commissioners (“NAIC”), reacted with both reforms to previously outdated laws inhibiting these insurtech business models and increased focus on the potential future regulation of big data, artificial intelligence, machine learning and accelerated underwriting in the insurance space.

On the reform side of things, the NAIC updated language in its Model Unfair Trade Practices Act regarding anti-rebating and inducement that previously restricted nearly all rebates and inducements to allow for the provision of certain services and items at reduced or no cost, if such items or services result in risk-mitigation, along with other accommodating revisions. This change has been the focus of insurtechs for a number years, and would allow, for example a commercial insurance carrier to offer its insureds a free water leak detection system, as a way of mitigating damage from burst pipe failures.

As far as increased regulation of insurtechs, while the NAIC has not adopted or recommended any specific model laws or regulations with respect to artificial intelligence and machine learning, the Big Data and Artificial Intelligence Working Group adopted the “Principles of AI”, outlining the five principles it will use in evaluating regulation of AI, namely that the insurance industry’s use of AI must be (i) fair and ethical, (ii) accountable, (iii) compliant, (iv) transparent and (v) secure, safe and robust. In addition, the NAIC’s Producer Licensing Task Force is in the process of finalizing a white paper on the role of chatbots and artificial intelligence (AI) in the distribution of insurance and the potential need for regulatory supervision of these technologies, something the insurtech industry will be keenly focused on in 2021, especially in light of the recent adoption of the B.O.T. Act by California. Similarly, the Casualty Actuarial and Statistical Task Force adopted a white paper on the regulatory review of predictive models, while the Accelerated Underwriting Working group continued its work on developing regulatory guidance regarding the use of external data and data analytics in accelerated life underwriting.

Data Privacy and Security Regulation Expansion

California Consumer Privacy Act

Like all other businesses that collect or receive consumer non-public information about California residents, the insurance industry will be affected by the California Privacy Rights Act (“CPRA”). The CPRA, which was adopted in November 2020 by way of voters’ passage of California ballot initiative Proposition 24, augments and strengthens consumer privacy protections under the California Consumer Privacy Act, the enforcement date for which occurred on July 1, 2020. The CPRA, among other newly created consumer privacy rights, gives consumers the right to limit the use and disclosure of a new category of “sensitive” personal information, including health, financial, racial and precise geolocation data. It also allows consumers to correct inaccurate data about them and establishes the California Privacy Protection Agency, a new state agency that will enforce the CCPA in lieu of the California attorney general.

National Association of Insurance Commissioners Data Security and Privacy Laws

The NAIC’s Data Security Model Act, which is a cybersecurity breach law applicable to most insurance industry licensees, has now been adopted in one form or another in eleven states. During 2020, Indiana, Louisiana and Virginia became a part of this list, which is likely to expand in 2021.

The NAIC’s Privacy Protections (D) Working Group, formed in late 2019, began its work in 2020 on reviewing the needs and area for modernizing the NAIC’s Insurance Information and Privacy Protection Model Act (created in 1982) and Privacy of Consumer Financial and Health Information Regulation (created in 2000 in the wake of the Gramm-Leach-Bliley Act). The potential upgrades to these two models may take the form of certain concepts from the CCPA and the European Union’s General Data Protection Regulation.

NY Department of Financial Services First Cybersecurity Regulation Enforcement

In July 2020, the New York Department of Financial Services brought its inaugural enforcement action under its cybersecurity regulation against First American Title Insurance Company for alleged unauthorized access to hundreds of millions of documents containing consumers’ non-public personal information, due to a known vulnerability in the company’s public-facing website making the data accessible without any login or authentication requirements. This case serves as a strong warning that the NYDFS will pursue other alleged violations of its cybersecurity regulation.

Race Equality and Insurance

‎In the wake of the national awakening regarding the impact of race on various institutions across the United States, the NAIC formed NAIC Special Committee on Race and Insurance (“Special ‎Committee”), and asked itself, “Does the disparate impact of risk-based pricing decisions constitute unfair ‎discrimination?” ‎

Nearly all states follow some version of the NAIC’s Unfair Trade Practice Act ‎‎(“Model Act”), which prohibits, generally, the “unfair discrimination” of “individuals ‎or risks of the same class and of essentially the same hazard” with respect to both ‎rates and insurability.” The Model Act further specifically prohibits taking into ‎account sex, marital status, race, religion, or national origin of the individual, ‎but only with respect to insurability, not as to the rates charged to such consumers ‎‎(except in the case of race, which was prohibited pursuant to the Civil Rights Act of ‎‎1964).‎ Notably, only a handful of states ‎have explicit laws limiting the use of certain of these factors in certain lines of ‎insurance (for instance, Michigan now prohibits all non-driving factors in the ‎determination of personal auto insurance rates and New York, through its Circular ‎Letter No. 1, now essentially requires life insurers to prove that all AI, machine learning and “alternative data” and their sources do ‎not have a prohibited discriminatory disparate impact on protected classes). Instead, most‎ states have not detailed with much specificity what constitutes unfair discrimination in their statutes or regulations

The NAIC, state insurance regulators, consumer advocates, and the insurance ‎industry as a whole are especially focused on the exponential growth of the ‎industry’s reliance on artificial intelligence, machine learning, and big data. Some observers have predicted the end of most risk-based underwriting ‎and pricing as we now know it for much of the insurance industry in light of these ‎issues, much in the same way health insurance underwriting was simplified via the ‎Affordable Care Act. However, it is more likely that regulations will focus on monitoring to ensure such disparate ‎impacts do not occur and will be promptly remedied when they do.‎

Pharmacy Benefit Managers Regulation

During the past few years, several states passed legislation aimed at regulating pharmacy benefit managers (“PBMs”) for the protection of small or mom-and-pop pharmacies that, in some cases, were receiving from PBMs reimbursements for prescription drugs covered by health plans less than the pharmacies’ costs of purchasing these drugs. In December 2020, the Supreme Court, in Rutledge v. Pharmaceutical Care Management Assn. (an 8 to 0 opinion), ruled that an Arkansas PBM statute was not preempted by ERISA.

The Arkansas law requires that PBMs (a) frequently publish their maximum allowable cost (“MAC”) lists for prescription drugs when their wholesale cost increases and (b) reimburse pharmacies for their purchases of prescription drugs at a price equal to or greater than their wholesale cost and allows pharmacies to refuse to sell a prescription drug if a PBM’s reimbursement rate is lower than a pharmacy’s purchase cost. The Court found that ERISA did not preempt the Arkansas PBM law because, while the law did have the effect of increasing the costs of an employee benefit plan, the law did not force employer-sponsored group health plans to adopt any substantive plan changes, noting that not all states laws that affect an ERISA plan and the Arkansas PBM law does not refer to ERISA, does not apply exclusively to ERISA plans and applies to PBMs regardless of whether they manage an ERISA plan. This decision overturns a 2018 case from the Eighth Circuit that held ERISA preempted a similar North Dakota law and should forestall an appeal pending in the Tenth Circuit of an Oklahoma District Court case upholding an Oklahoma PBM law against an ERISA preemption challenge.

Next: Antitrust, Captives, Service Contracts, Travel Insurance and Surplus Lines.