by Kayla Magee, Government Affairs, ACORD
The state of New York has again been making headlines with multiple legislative and regulatory measures crafted with consumer protection in mind.
With the recent increase in high profile-security breaches, New York is the first state to implement new regulations relating to cybersecurity. The regulations, which went into effect on March 1, 2017, target state-chartered banks and foreign banks that are licensed to operate in the state, as well as any insurer or financial institution that does business in New York. The new regulation requires companies to take steps to protect their confidential business and customer data from hackers. The strict standards that are set by these new regulations require companies to: (1) create a written cybersecurity policy and submit an annual report; (2) disclose any cyber incidents to state regulators; (3) heighten security by requiring, among other things, full disclosure of data breaches of third-party vendors; and (4) educate and train all personnel.
The companies subject to the regulations will have 180 days to comply. While the regulations have received widespread criticism for being too strict and unattainable, Governor Cuomo says, “New York is the financial capital of the world…These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.” New York State Department of Financial Services Superintendent Maria T. Vullo calls it a “landmark regulation.”
In the near future, many other states will also likely regulate how the insurance industry protects consumer data from cyber threats. Potential differences in each state's approach could present a challenge for insurance companies trying to implement the requirements within their current cybersecurity programs. The National Association of Insurance Commissioners (NAIC) is working hard to develop a model law establishing standards for data security, which could bring consistency in approach among the various states.
New York has also proposed a new regulation that would restrict auto insurers in using education, occupation, and income for determining rates. Much of the law was based on a 2014 New York Public Interest Research Group study which found that drivers with no college degree or who worked in non-professional, non-managerial jobs could pay 19% to 41% more for identical policies, compared to those who are college-educated professionals. In addition, the study found that in some cases, a driver with a poor safety record, but a high-status profession, paid less for auto insurance than a safer driver with a less prestigious job. The study concluded that overall, poorer families are paying more for auto insurance than wealthier families.
Governor Cuomo believes this practice discriminates against the poor, and that education level and job status do not correlate with driving risk. But according to research by Sam Harper, Thomas J. Charters and Erin C. Strumpf, published in the American Journal of Epidemiology, insurance companies may be justified in using income and education as a means to predict driving risk. The study found that car accident deaths are highest among the low-income population and the least educated. While the national trend of car accident deaths has been decreasing over time, for people 25 and over and without a high school diploma, fatality rates have actually been increasing. In addition, a telephone survey conducted after a “Click it or Ticket” campaign in North Carolina found that college graduates were more likely to report driving belted than blue collar or service workers (University of North Carolina Highway Safety Research Center).
While many consumer advocates are optimistic about the proposed new regulation, some insurance professionals are concerned all New Yorkers could face higher rates due to the regulation, which is currently in a 45-day public comment period. The California Department of Insurance has also launched an investigation into the potentially discriminatory practices. Others may soon follow.