The National Association of Insurance Commissioners (NAIC) created the bill of rights to guide insurers' response to data breaches as well as explain how consumers can seek help if they are affected by a breach. The NAIC also is evaluating whether insurers are doing enough to protect customers' sensitive information.
Yet the bill of rights' density is likely to discourage individuals from actually reading it, consumer advocates wrote in comments distributed at NAIC's Summer Meeting in Chicago, the article notes.
And insurance groups say customers and carriers may misunderstand the document, interpreting some of its provisions as granting consumers protections that exceed what individual state laws require. Furthermore, the bill of rights' critics say insurers' obligations to consumers may actually go beyond what's required by law.
Either way, the bill of rights is highly unlikely to become a binding document, as the NAIC lacks legislative or regulatory power, a fact that even one insurance regulator points out. Thus, "it may be that this broad and general Cybersecurity Bill of Rights will have limited utility," says Susanne K. Murphy, special deputy commissioner with the Florida Office of Insurance Regulation.
Cybersecurity remains a major area of concern among health insurers, however, especially in the wake of the historic Anthem breach that compromised the data of 80 million customers. In response, the company spent $65 million upgrading security in 2015 and it plans to spend another $65 million on the effort in the future, JD Supra Business Advisor reports.
The Blue Cross Blue Shield Association, of which Anthem is a member, also announced in July that it will offer identity protection to all of its 106 million members, though as one cybersecurity expert points out, insurers must do more to prevent attacks from happening in the first place.