NAIC Ponders the Possibility of Federal Preemption on Cybersecurity

At the Fall National Meeting in San Francisco of the National Association of Insurance Commissioners (NAIC), regulators on the Innovation and Technology Task Force received a report from the NAIC’s Washington staff about Congressional moves to preempt one of the NAIC’s key initiatives, the Model Act on Data Security, which the organization adopted last October and which South Carolina enacted earlier this year. The NAIC based its initiative largely on the groundbreaking regulations issued by the New York Department of Financial Services requiring every New York licensee or permit holder to conduct a risk assessment and take detailed steps to minimize the risk of a data breach and to have procedures in place for reporting and managing any such incident.

The Financial Services Committee of the U.S. House of Representatives passed a bill in September, H.R. 6743, on a party-line 32 to 20 vote, called the Consumer information Notification Requirement Act sponsored by Rep. Blaine Luetkemeyer (R-Mo.). This bill would create a hybrid regime under which federal financial authorities such as the Federal Reserve and Comptroller of the Currency would establish standards for preventing data breaches and for notifying customers of a data breach, but state insurance regulators would be tasked with enforcing those federal standards on licensed insurance companies and insurance producers, unless they take advantage of a confusing preemption provision discussed below. H.R. 6743 expressly preempts any contrary state laws or rules, except that it permits state insurance regulators to set their own standards for insurers and producers, “provided the standards established by such State or political subdivision do not impose any requirement that is in addition to or different from those standards, except where necessary to effectuate the purposes of this subtitle.’’ (emphasis added). Presumably, this means the New York Superintendent and South Carolina Commissioner can invoke the exception and argue that the panoply of requirements imposed by their respective states all “effectuate the purposes” of the bill and are therefore not preempted.

The question may be academic in light of the Democrats taking control of the House in 2019 and installing a Democratic Chair of the Committee. The NAIC staff noted that incoming Chair Maxine Waters (D-Cal.) opposed H.R. 6743, and she may be more solicitous of state insurance regulators’ authority to oversee cybersecurity measures, even if that does not produce the kind of national uniformity which Rep. Luetkemeyer was seeking. It is also possible that influential Senators on the Banking Committee with jurisdiction over insurance-related bills will also defer to the NAIC and individual state commissioners. One scenario mentioned by NAIC staff was for Congress to set a “floor” of minimum data security standards applicable to all financial institutions, including insurers and producers, but allow individual states, like New York and South Carolina, to augment them.

Given all of these uncertainties, insurers and producers should not assume that Congress will broadly preempt state versions of the NAIC Insurer Data Security Model Act.