How States Keep Insurers in Check: The NAIC’s Role in Insurance Privacy 2025
When we talk about privacy laws in the U.S., most people immediately think of big federal acts like the Gramm-Leach-Bliley Act (GLBA). But in the insurance world, privacy is not governed by one national rule; it is largely a state-by-state system, coordinated through model laws and regulations developed by the National Association of Insurance Commissioners (NAIC).
The State Role in Insurance Privacy
Each state has its own Department of Insurance that enforces privacy and security requirements for insurers, agents, and related companies. Rather than reinventing the wheel, state legislatures and regulators lean heavily on the NAIC's model laws and regulations, which promote consistency across states while still letting each state tailor its own rules.
Following GLBA, states adopted the NAIC's Privacy of Consumer Financial and Health Information Regulation (Model #672), or an equivalent, to meet GLBA's privacy standards for insurance. This model requires insurers to give consumers clear privacy notices, explain how they share personal information, and offer the option to opt out of certain sharing with nonaffiliated third parties, much like financial institutions under GLBA.
The Key NAIC Models
The NAIC's influence doesn't stop there. Its suite of privacy and security models provides the backbone for most state insurance privacy laws. The key models include:
- The Insurance Information and Privacy Protection Model Act (#670), which governs how insurers collect, use, and disclose personal data.
- The Privacy of Consumer Financial and Health Information Regulation (#672), which brings insurers into compliance with GLBA.
- The Insurance Data Security Model Law (#668), which requires licensees to maintain an information security program and sets standards for investigating and reporting cybersecurity events to the insurance commissioner.
Together, these models require insurers to protect sensitive information, notify consumers about their data practices, and maintain reasonable safeguards against breaches.
Going Beyond the Federal Minimum
An important point for privacy students to remember is that many state laws go beyond federal requirements. The NAIC itself has noted that its models often provide stronger protections than GLBA's baseline. States frequently build in stricter notice obligations, tougher breach reporting rules, or broader definitions of "personal information."
This means that insurers can face a higher compliance bar than banks or other financial entities operating under the same federal framework.
Modern Updates for a Data-Driven Industry
As insurance companies increasingly rely on big data, predictive analytics, and artificial intelligence, state regulators are re-examining these model laws. Through NAIC working groups, they are drafting updates to reflect modern privacy realities, such as expanding consumer rights, tightening consent standards, and placing new limits on the sale of personal data.
These changes aim to keep insurance privacy laws relevant in an era when data flows faster, deeper, and in far greater quantities than when the original models were written.
The Takeaway for Privacy Students
For anyone preparing for the CIPP/US, it is essential to understand that insurance privacy in the U.S. is built on a patchwork of state laws, not one unified federal statute. Those laws are grounded in the NAIC's model frameworks, which balance federal alignment (with GLBA) against state-level consumer protection.
Sources:
- https://content.naic.org/insurance-topics/data-privacy-and-insurance
- https://content.naic.org/sites/default/files/protectinginsuranceconsumerprivacysecurity.pdf
- https://www.nortonrosefulbright.com/-/media/files/nrf/nrfweb/knowledge-pdfs/glba—cybersecurity-governance-materials/relationship-of-glba-to-state-privacy-data-breach-and-insurance-laws.pdf