New Cybersecurity Legislation for Insurers Now Open for Public Comment

Insurance companies are often prime targets for hackers due to the massive amount of sensitive — and thus valuable — information that flows through their servers every day. Moreover, outdated or ineffective cybersecurity measures throughout the industry make it even easier for thieves to access company data stores.

Why Insurance Companies Need Cybersecurity

Stolen credit card information is the typical currency of darknet trading, but personal details are far longer-lasting and more valuable. A “kited” credit card can simply be canceled, but it’s not so easy to obtain a new Social Security number, permanent address, or date of birth. Depending on the type of coverage, insurance files can contain anything from banking details to property floor plans to home security system information — and much more. Unsurprisingly, this information is in high demand: unscrupulous data miners can sell it for prices that go as high as the value of its potential exploitation.
In early 2015, American health insurer Anthem, Inc. found itself subject to the largest data breach in the history of the Internet. The identities of over 80 million Americans were compromised, and the affected individuals will potentially deal with identity theft issues for the rest of their lives. Moreover, Anthem had only $100 million in insurance funds against the possibility of digital attacks — money that, one report suggests, could be used up by customer notifications alone.

New NAIC Legislation

The Anthem breach spurred a whole new conversation around insurance data security, particularly among the National Association of Insurance Commissioners (NAIC), who promptly formed a Cybersecurity Task Force around the issue. The Task Force drafted and presented model legislation regulating consumer data protection in March 2016; after revisions, the newest version was released for public comment in September.
The model law’s stated intent is to establish firm data standards for insurance organizations, including customer notifications, security measures, investigations and more. The newest version includes provisions for what constitutes a “breach” (insurers who have employed satisfactory encryption methods, for example, may be exempt from liability). It also defines the insurer’s duty as protecting clients from “harm or inconvenience,” rather than the vaguer “reasonable likelihood of harm” wording seen in previous versions.

What Insurers Can Do

Investing in top-to-bottom security is the simplest and most effective method for insurers to avoid the financial and public relations damage of a cyberattack. With MicroEncryption® and MicroTokenezation®, CertainSafe breaks sensitive data down into encrypted file elements, converts them into unique “tokens,” and then hides the individually segmented pieces of the encrypted data in different physical locations — eliminating the possibility of a mass data breach. For ease of access, our Digital Safety Deposit Box provides real-time file retrieval from an easy-to-use data storage system.
For more information, please visit our homepage or contact us today.