Similar But Not the Same: State, National, and International Cybersecurity Regulations

I was in New York City last week chairing the Novarica Security Special Interest Group. The largest topic by far was emerging regulations. We talked a lot about how carriers are dealing with the inconsistencies that have emerged between the original NAIC model law and the state regulations and laws that have gone into effect in New York, California, South Carolina, and Delaware since then. Only the South Carolina regulations are insurance-specific. New York covers financial services, and California and Delaware apply to all companies operating in the state. More state regulations are emerging every week, some insurance-specific and others more general.

On top of the state regulations are the new EU GDPR regulations. Initially, people thought that this did not apply to firms in the US. However, many insurers do business with EU citizens or have subsidiaries/home offices in EU countries. These regulations treat things differently than the US regulations. In addition, the UK has created its own set of regulations to kick in after the March 2019 Brexit date. Again, these regulations are similar but not the same.

Now things are even more complicated! Insurance Journal recently reported that two trade groups, the Internet Association (members include Google and Facebook) and BSA-The Software Alliance (members include Microsoft and Oracle) each released their own proposals for national consumer privacy regulations. The Internet Association has a 6-point proposal, including data portability. The BSA has a 10-point framework, which includes “affirmative express consent.”

The BSA proposal is of particular concern. It is similar to the GDPR in that people’s data will not be shared unless they explicitly opt in. In the CA regulations, however, people are assumed to be opted in (which is normal in the US generally) unless they explicitly opt out. The trade group proposals also include the right for consumers to modify their data, understand who has the data, and delete the data (not sure if this is similar to the right to be forgotten in GDPR).

The key concern is that these proposals suggest that there would be federal regulation that could supersede state regulation. Given the political climate, I’m not sure additional federal regulations would be passed by Congress. However, we are always one election away from that changing.

Many years ago, a senior technology executive told me that there are only two businesses in the world that call their customers “users”: IT and illegal drug dealers. It looks like the parallel may still be true: data privacy and security regulations could become similar to the way marijuana is treated in the US, with one set of federal regulations and numerous state regulations that treat data differently. Worse yet, there will be foreign regulations that impact regulatory compliance for data and security as well.

Party on, dudes!
