GDPR… sounds like a former communist country in Eastern Europe. But it is a recent development in cybersecurity that could impact us all; especially if your captive has European connections. And, as reported in Business Insurance in June, GDPR-like regulations could impact the US through a new California law.
The European Union’s General Data Protection Regulation, which took effect May 25, is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation contains provisions and requirements pertaining to the processing of personal data of individuals inside the European Union, and applies to an enterprise established in the EU or—regardless of its location and the data subjects’ citizenship—that is processing the personal data of people inside the EU. With the prominent cyber hacks of Facebook and others, this type of regulation is gaining traction in the US.
California recently passed the California Consumer Privacy Act, which reflects some of the GDPR’s provisions, and is likely to be followed by other states. To the extent firms do business in California, they would be subject to the proposition. While large companies that do business in Europe are already complying with the GDPR, passage of the California proposition would mean additional costs for smaller firms that do not operate internationally, as reported in Business Insurance.
Most experts say they do not anticipate there will be federal legislation on the issue, at least in the immediate future. And if this type of data protection policy is pursued, the hope is that regulators in the United States will continue to follow what those experts view as the more effective partnership model, with industry and the government working together on the issue of privacy, rather than following the GDPR’s model.
On a separate track, the NAIC’s Insurance Data Security Model Act is in the process of being adopted by states, albeit fairly slowly. The model law establishes standards for data security and investigation and notification of a data breach in the insurance industry and applies to licensees, which includes not just insurers, but agents, brokers and other parties.
Data security is no doubt a real issue – and one that demands strong measures. It is usually rated the number one or number two risk worrying most CEOs these days. Since most of the data held by a captive insurance company is its owners’ own data, we need to make sure any data security measures are commensurate with the size and scope of the risk. VCIA takes this very seriously and will continue to champion the right balance for responsible security regulations – wherever they come from. That being said, everyone in our industry needs to take a hard look at their data touchpoints and at what they are doing to properly protect them.
Thank you and I look forward to hearing from you.