Legislation requiring notice to consumers of security breaches has topped the list of insurance-related bills enacted during the 2005 legislative season, according to an insurance trade group.
As of the week ending Oct. 21, 19 states have enacted security breach laws and others may soon follow suit, according to the National Association of Mutual Insurance Companies.
David Reddick, NAMIC state affairs manager, said that most new laws use legislation enacted in California in 2002 as a model.
The California law defines "personal information" as a person's name used in conjunction with his Social Security number, driver's license or California Identification Card number.
While California law applies to breaches by government agencies, as well as private individuals and businesses, some states have chosen to exclude state agencies, while others have limited the law to state agencies only, Mr. Reddick said.
Red flags for the property-casualty industry include definitional expansion of "personal information" beyond the California model that will make it more difficult for multistate insurers to comply, NAMIC said.
While most states don't set a specific deadline for compliance after a security breach, Florida has put a 45-day time limit and requires documentation be maintained for up to five years.
Nine states now require agencies or business to report breaches to consumer-reporting agencies, but the threshold that triggers that further notice varies. "When new bill introductions are proposed, the threshold should be as high as possible to avoid further exposures for insurers," Mr. Reddick said.
Meanwhile, Congress is considering legislation that would set federal rules for companies' consumer data security but would leave state regulators in charge of enforcing adherence by insurance companies.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.