New national guidelines indicate health insurers will face tougher regulatory scrutiny over how they protect customers from data breaches. But the guidance likely won't do much to prevent cyberattacks in the first place.
The National Association of Insurance Commissioners on April 16 adopted a dozen principles for “effective cybersecurity insurance regulatory guidance.” The guidelines were issued in response to the massive data breaches that burned health insurers this year, including at Anthem and Premera Blue Cross, involving data on more than 90 million people.
The NAIC's guidelines are meant to help state regulators hold insurers accountable and ensure companies have the right defenses to guard against attacks. For example, one principle recommends cybersecurity audits and “market conduct examinations,” which are investigations that evaluate whether insurers are complying with laws.
That means more red tape for health insurers, as well as higher costs and potential fines. But it also could force companies to practice what they preach in terms of protecting consumer data, said Cynthia Borrelli, a lawyer at Bressler, Amery & Ross in New Jersey who works with health insurers. “The companies are going to have to actually adopt policies and procedures and probably conduct internal audits to ensure they are satisfying the regulatory obligations,” she said.
Daniel Marvin, a cybersecurity attorney at Stern & Montana in New York City, said a major problem that goes beyond the NAIC's framework is that many insurers are not educated about what they need to do if a data breach occurs. “You'd be amazed at the companies that don't have an incident-response plan in place,” he said.
The NAIC's guidelines also don't affect federal regulations that may fall short. The Health Insurance Portability and Accountability Act, for example, still doesn't require healthcare companies to encrypt electronic health information. Some say even encryption would not prevent the next Anthem- or Premera-sized breach.
“There is no way to stop a data breach,” Marvin said. “Hackers are smart, they are well-funded and they are relentless. You really can't build a firewall high enough to keep them out.”
Last week, the U.S. House of Representatives passed the Data Security and Breach Notification Act of 2015. It would require all companies to notify consumers if their personal information has been hacked—but only if there is a “reasonable risk” of “identity theft, economic loss or economic harm, or financial fraud.” Several states have stricter laws.