Preparing for the National Association of Insurance Commissioners Model Law 674

Important changes insurers need to address

In August 2023, the National Association of Insurance Commissioners (NAIC) is scheduled to meet and vote on a finalized version of the proposed NAIC Model Law #674 (Model 674). The law is intended to modernize and replace the existing Insurance Information and Privacy Protection Model Act #670 (Model 670) and the Privacy of Consumer Financial and Health Information Regulation #672. Along with recently passed state legislation and international regulation such as the General Data Protection Regulation, the NAIC has adopted a more restrictive approach to the management of personal information. Model 674 establishes a framework for safeguarding consumer data within the insurance sector.



Model 674 applies to all insurance licensees and third-party providers that collect, process, retain, or share consumers’ personal information in connection with insurance transactions; engage in insurance transactions with consumers; or engage in additional permitted transactions involving consumers’ personal information.

Many of the requirements found in Model 674 are derived from privacy regulations in leading state publications, including in California and New York. The NAIC working group is expected to modify the February 2023 publication of the model law based on the industry input received during the open comment period in August of 2023.


Major Provisions

Data Minimization and Retention — Further restricts collection, processing, retention, and sharing of personal information to purposes related to insurance transactions, with a requirement to delete unnecessary information within 90 days. Notably, the NAIC removed the “right to be forgotten” principle as the industry has transitioned to more disposition-minded regulation.

Third-Party Oversight and Contractual Requirements Imposes oversight and contractual obligations on third-party service providers, including compliance with Model 674 and limitations on further information-sharing.

Data Management Transparency — Provides transparency by requiring the disclosures to consumers on how their data is collected, processed, shared, and retained.

Consumer Rights — Augments the consumer’s right to have personal information amended, corrected, or deleted unless an insurer can show good cause for refusal to take the requested action.

Definition Expansion — Expands the definition of "personal information" to cover "sensitive personal information," “health information,” and "biometric information." This change follows additions passed in California’s updated privacy legislation.

Privacy Disclosure Requirements — Requires privacy disclosures to include specific purposes, retention periods, international data practices, and consent mechanisms.

Prohibition of Sale and Marketing Use — Bolsters the language to further prohibit licensees from selling consumer personal information or marketing with certain sensitive information, irrespective of consent.

Consent for Cross-Border Transfers — Requires consumer consent before sharing personal information outside the U.S., impacting international operations, and restricting limitless data sharing with firms and service providers abroad. 

Optional Private Right of Action — Provides an optional private right of action for state insurance regulators, enabling consumers to seek monetary damages for noncompliance, excluding class actions.

Recently, the financial services industry has seen an increase in fines related to data retention and disposition. In 2022, a financial institution received a $35 million penalty for “failing to dispose of client data.” While the concept of protecting customer data isn’t new (Model 670 is more than 40 years old), regulators are increasing their interest with more than 15 states and international agencies placing relevant requirements on organizations. Proposed changes from Model 674 will add to that count and require an organization to further focus on data management, retention, and disposition.


How Guidehouse Can Help

Guidehouse is a leading provider of consulting services to the public sector and commercial markets, with broad capabilities in management, technology, and risk consulting. Our professionals work with industry leaders to build sustainable and effective data management, retention, and disposition functions that can withstand heightened regulatory oversight and evolving business stressors.

Eric Duelfer, Associate Director

Zachary Evans, Associate Director

John Robinson, Senior Consultant

Let Us Help Guide You

Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.

Stay ahead of the curve with news, insights and updates from Guidehouse about issues relevant to your organization and its work.