On the wake of some of the largest data breaches to hit health insurance companies, the National Association of Insurance Commissioners (NAIC) has followed on the heels of the Securities and Exchange Commission and has issued a "guidance" on cyber security. In April, the Cybersecurity (EX) Task Force of the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance.

The Principles for Effective Cybersecurity: Insurance Regulatory Guidance looks to state insurance regulators "to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks." The guidance encourages insurers, agencies and producers to secure data and maintain security with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. The NIST framework provides guidance on managing and reducing cybersecurity risk for organizations of all sizes, putting them in a much better position to identify and detect attacks, as well as to respond to them, minimizing damage and impact.

Producers, agencies and insurance companies could all be held liable for the loss of protected health information and personally identifiable information of prospects and clients, such as a person's full name, date of birth, address and Social Security numbers.