November 13, 2024

Insurance Privacy Compliance: NAIC Model Laws, Reform, and the Role of Data De-identification

The US insurance industry faces a shifting landscape of privacy regulations, from NAIC model laws to Gramm-Leach-Bliley Act requirements. This article breaks down existing obligations, the stalled Model #674 reform, proposed amendments to Model #672, and how Limina's data de-identification technology helps insurers stay compliant, reduce breach exposure, and prepare for what comes next.

Kathrin Gardhouse

What privacy laws govern the US insurance industry?

The US insurance industry operates under one of the more layered and jurisdiction-sensitive privacy frameworks in any regulated sector. Unlike healthcare, which has a single dominant federal standard in HIPAA, or financial services more broadly, which operates under the Gramm-Leach-Bliley Act (GLBA), insurance privacy compliance is shaped by a combination of NAIC model laws that individual states adopt, adapt, and enforce on their own timelines. That creates real compliance complexity for insurers operating across multiple states.

At the foundation of this framework are standards developed by the National Association of Insurance Commissioners (NAIC). Five model laws and regulations are particularly relevant to how insurers collect, handle, share, and protect consumer data. The Insurance Information and Privacy Protection Model Act (#670), developed in 1992, established baseline protections around information practices and consumer rights. The Health Information Privacy Model Act (#55) from 1998 addressed sensitive health data specifically. The Standards for Safeguarding Customer Information Model Regulation (#673) from 2002 introduced operational requirements for protecting customer information against unauthorized access. The Insurance Data Security Model Law (#668) from 2017 created cybersecurity program requirements and breach reporting obligations. And the Privacy of Consumer Financial and Health Information Regulation (#672), also from 2017, aligned state insurance privacy rules with GLBA requirements.

All states adopted Model #672 to meet GLBA compliance requirements. As of January 2024, 23 states have adopted the Insurance Data Security Model Law (#668). Because states can adapt these models before enacting them locally, insurers need to track not just the base NAIC standards but the specific variations each jurisdiction has put in place. The need for that kind of agility is not going away, and the pace of regulatory activity suggests it will only intensify.

What happened to NAIC Model Law #674?

Understanding where insurance privacy reform stands today requires understanding what was proposed, why it stalled, and what replaced it.

In response to mounting criticism that the existing model laws were outdated relative to contemporary data privacy expectations, the NAIC's Privacy Protections Working Group (PPWG) drafted Model Law #674, the Insurance Consumer Privacy Protection Model Law. The ambition was significant. Model #674 aimed to modernize the standards governing how insurers and their third-party service providers handle consumer data. It would have introduced transparency obligations, explicit consumer rights around access and deletion, data retention limits, third-party accountability requirements, opt-in consent for the sale of personal information, and a meaningful data minimization principle, specifically requiring that the collection, processing, retention, and sharing of personal information be limited to what is reasonably necessary and proportionate to the purposes of the insurance transaction.

Despite several rounds of revision and public consultation, #674 met sustained resistance. States including Nebraska, South Dakota, and Kansas raised concerns about the model's scope and its potential effects on business practices and insurance accessibility. Independent agents and industry representatives flagged that certain provisions, particularly around data sharing, could conflict with established workflows. After public meetings to discuss those concerns failed to produce sufficient consensus, the NAIC confirmed in June 2024 that Model #674 would not move forward.

With #674 off the table, the PPWG pivoted back to revising the existing Model #672, whose amended version will ultimately supersede the current text.

What are the proposed amendments to Model #672?

The draft amendments to Model #672 carry forward a number of the substantive privacy protections that #674 had originally introduced. For insurers, understanding what is changing in #672 is the most practically relevant question right now, even if a final timeline for adoption remains uncertain. A recent interview with the new NAIC President indicated that privacy reform is not currently among the organization's top priorities, which suggests that the window for preparation may be longer than some anticipated, but that does not reduce the importance of getting ahead of the changes.

The proposed amendments to #672 introduce several meaningful changes to how personal information is defined, handled, and protected.

The definition of "Nonpublic Personal Information" is being expanded to cover any information that is linked or reasonably linkable to an identified or identifiable individual. Critically, de-identified information, aggregated data, and pseudonymous data are explicitly excluded from this definition. That exclusion has a direct practical consequence: the obligations imposed on licensees, and the corresponding consumer rights, do not apply to data that has been properly de-identified or pseudonymized. This mirrors the logic in HIPAA, which similarly excludes de-identified data from the definition of protected health information. However, unlike HIPAA, the proposed #672 amendments do not specify the technical standards an insurer must meet to achieve qualifying de-identification. The draft defines de-identified data as data that "cannot reasonably be linked to an identified or identifiable natural person" and pseudonymous data as personal data that "cannot be attributed to a specific natural person without the use of additional information," provided that additional information is kept separately and subject to appropriate technical and organizational safeguards. The practical implication is that insurers will need to make defensible decisions about how they achieve and document de-identification without a clear regulatory standard to point to.
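To make the de-identified versus pseudonymous distinction concrete, here is an added Python example (not from the article, and not Limina's product code) that pseudonymizes a constructed claim record with keyed tokens while keeping the re-identification key and lookup separately, which is the "additional information" the draft definition refers to. The field names, the sample record and the choice of HMAC-SHA256 tokens are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (constructed list for this example).
DIRECT_IDENTIFIERS = ("policyholder_name", "ssn", "email")

# Constructed sample claim record; every value is made up.
SAMPLE_CLAIM = {
    "claim_id": "CLM-0001",
    "policyholder_name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "date_of_birth": "1980-04-12",
    "loss_description": "Rear-ended at a stop light; bumper damage.",
}

def make_key() -> bytes:
    """The re-identification secret: the 'additional information' that must be
    kept apart from the pseudonymized data (e.g. in a KMS or HSM)."""
    return secrets.token_bytes(32)

def token(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC-SHA256 token; without the key it cannot be reversed."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]

def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with tokens and coarsen the date of birth.
    Same value + same key -> same token, so records can still be joined."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = token(key, field, value)
        elif field == "date_of_birth":
            out["birth_year"] = value[:4]  # quasi-identifier, generalized
        else:
            # Free text such as loss_description is passed through untouched;
            # names or IDs embedded in it need entity detection, not shown here.
            out[field] = value
    return out

def build_lookup(records: list, key: bytes) -> dict:
    """Token -> original value. Stored separately from the pseudonymized set;
    keeping it alongside the data would make that data identifiable again."""
    return {token(key, f, r[f]): r[f] for r in records for f in DIRECT_IDENTIFIERS}

def reidentify(pseudo: dict, lookup: dict) -> dict:
    """Restore identifiers; only a holder of the separate lookup can do this."""
    return {f: lookup.get(v, v) if f in DIRECT_IDENTIFIERS else v
            for f, v in pseudo.items()}

def leaks_direct_identifiers(original: dict, pseudo: dict) -> bool:
    """True if any original identifier value survives in the pseudonymous record."""
    blob = " ".join(str(v) for v in pseudo.values())
    return any(str(original[f]) in blob for f in DIRECT_IDENTIFIERS)
```

The pseudonymized record on its own carries no direct identifier, but anyone holding both the record and the separate lookup can attribute it again, which is why the draft conditions the exclusion on that information being kept apart under technical and organizational safeguards.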

A new category of "Sensitive Personal Information" is also introduced under the amendments, covering personally identifiable nonpublic personal financial information that includes data on racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, and genetic or biometric data used to uniquely identify an individual. This category attracts additional restrictions and notice requirements.

The amendments introduce new definitions for biometric data, genetic information, and third-party service providers. Licensees that share consumer nonpublic personal information with third parties are required to establish contracts with those providers that meet the model's requirements. Consumers must be given the ability to access, correct, and delete their nonpublic personal information. And licensees must obtain affirmative opt-in consent before selling personal information.

One notable gap in the amended #672, particularly when compared to the failed #674, is the absence of a general data minimization principle. #674 had proposed that collection, processing, retention, and sharing of personal information be limited to what is reasonably necessary and proportionate to the purposes of the insurance transaction. The draft #672 amendments take a narrower approach, permitting consumers to direct licensees to limit the use of their sensitive personal information. This means there is no affirmative obligation on the licensee to limit collection at the outset, which represents a weaker standard of protection from a consumer rights perspective.

It is also worth noting that while #672 will replace the outdated #670 from 1992, it is not intended to replace #668. The proposed amendments to #672 do not include the cyber incident and data breach reporting obligations that #668 already mandates. Insurers operating under #668 need to maintain both frameworks as distinct compliance obligations.

Viewed in broader context, the evolution from #670 to the proposed #672 does represent progress. The 1992 model contained no concept of de-identification or pseudonymization and only addressed minimization of personal information disclosure, not collection or use. The proposed amendments, despite their limitations, reflect a clear shift toward modern data governance principles, and toward technologies that reduce risk by shrinking the volume of personally identifiable data in circulation.

How does de-identification help insurers meet their compliance obligations?

The strategic value of data de-identification for insurance compliance is substantial, particularly given how the proposed #672 amendments treat de-identified and pseudonymized data. When personal information is de-identified to the point where it can no longer reasonably be linked to an individual, it falls outside the scope of the model act's obligations entirely. That means fewer consent requirements, fewer consumer access obligations, reduced data retention complexity, and a meaningfully smaller regulatory surface area for the data that does not need to remain identifiable for business purposes.

There is also a significant risk management dimension. In the event of a data breach, de-identified data limits the damage an attacker can do. It also reduces the cost and complexity of breach response and reporting. Model #668 requires licensees to report breach incidents and specify the types of medical and financial information that were compromised. For organizations handling large volumes of unstructured data, such as emails, claim documents, adjuster notes, and customer correspondence, that reporting requirement is operationally demanding. Knowing precisely what categories of personal data are present in a given system or dataset is a prerequisite for both accurate reporting and appropriate pre-breach risk assessment.

This is exactly the kind of problem that Limina's insurance privacy compliance solution is built to solve. If your organization is ready to start reducing its compliance exposure today, talk to an expert at Limina to see how de-identification fits into your data governance strategy.

How does Limina's technology support insurance compliance specifically?

Limina's advanced machine learning models are built by linguists, which means they understand language in context rather than relying on simple pattern matching. That distinction matters when working with the kind of unstructured, narrative-heavy data that insurance organizations generate at scale, including claims notes, underwriting assessments, correspondence, call transcripts, and internal reports.

The platform automatically identifies, categorizes, and redacts or replaces over 50 types of personal data entities across large datasets, including unstructured formats. Most data points captured by the proposed definitions of "Nonpublic Personal Information" and "Sensitive Personal Information" under the draft #672 amendments are detectable and redactable by Limina's models. This includes financial identifiers, health-related information, and the categories of sensitive personal information that attract heightened obligations under the proposed amendments. Exceptions include certain forms of biometric and genetic data, though these represent a narrower subset of the overall personal information universe.

The high accuracy of Limina's data de-identification technology enables reliable, efficient processing of large-scale datasets without the manual overhead that makes de-identification impractical for most organizations when attempted at scale. When de-identified data no longer falls within the scope of the model act, the compliance burden for that data decreases substantially.

For breach response and reporting obligations under #668, Limina's technology also enables insurers to generate detailed reports on the entities present in a dataset or IT system, with granular classification of each type. That kind of structured visibility is directly useful when an insurer needs to report specifically on the "types of medical information, types of financial information or types of information allowing identification of the consumer" that were involved in a breach. Having that capability built into the data processing workflow, rather than assembled reactively in the aftermath of an incident, is a meaningful operational advantage.

Insurance organizations that handle data across multiple lines of business and jurisdictions, particularly those managing sensitive health and financial information alongside standard policyholder data, will find Limina's entity detection capabilities relevant across multiple regulatory obligations simultaneously. The same de-identification infrastructure that helps meet #672 compliance requirements can also support obligations under #668, GLBA, and any state-specific adaptations that apply to the insurer's operational footprint.

Limina also serves regulated industries beyond insurance, including healthcare, financial services, pharma and life sciences, and contact centers, which means organizations operating across sectors can apply a consistent data de-identification approach rather than maintaining separate tooling for each regulatory domain.

If you are evaluating how to build a more defensible, scalable approach to insurance privacy compliance, get in touch with Limina's team to discuss your specific data environment and compliance requirements.

What should insurance companies do now to prepare for upcoming privacy changes?

The regulatory situation is in a holding pattern, but that is not an argument for inaction. The PPWG's work on the #672 amendments continues, and the broader trend toward stronger consumer data rights, higher expectations for third-party accountability, and more explicit requirements around consent and data minimization is consistent across every major privacy framework in circulation globally. Insurers who wait for a final rule before beginning to assess their data environments will be in a significantly more difficult position than those who treat the draft amendments as an early signal.

A practical starting point is understanding where personal data lives within the organization. For most insurers, the most challenging data is unstructured: emails, documents, call recordings, claim narratives. These formats are harder to inventory, harder to audit, and harder to de-identify at scale using manual processes. Automating that detection and de-identification work is not just a compliance measure. It is a foundational data governance capability that reduces risk regardless of which specific regulation applies next.

The case for acting ahead of the final rule is straightforward. De-identified data is out of scope. A smaller regulatory footprint means lower compliance cost, lower breach exposure, and greater flexibility when future amendments or state-level variations create new obligations.

Frequently Asked Questions

What is the NAIC and why does it matter for insurance privacy compliance?

The National Association of Insurance Commissioners is the US standard-setting organization for insurance regulation. It develops model laws and regulations that states can adopt, adapt, and enforce independently. Because states are not required to adopt NAIC models verbatim, insurers operating across multiple states must track jurisdiction-specific variations. The NAIC's model laws, particularly #668 and #672, form the foundation of US insurance privacy compliance requirements.

What is the difference between NAIC Model Law #668 and Model #672?

Model #668, the Insurance Data Security Model Law, establishes requirements for cybersecurity programs, risk management, and data breach reporting. Model #672, the Privacy of Consumer Financial and Health Information Regulation, governs how insurers collect, use, disclose, and protect nonpublic personal information. The proposed amendments to #672 do not include breach reporting requirements, so insurers in states that have adopted #668 must maintain both frameworks as distinct obligations.

What does it mean for data to be "de-identified" under the proposed Model #672 amendments?

The draft amendments define de-identified data as data that cannot reasonably be linked to an identified or identifiable natural person. De-identified data, along with aggregated data and pseudonymous data, is excluded from the definition of "Nonpublic Personal Information," which means the obligations imposed on licensees and the consumer rights provisions do not apply to it. Unlike HIPAA, the proposed #672 does not specify the technical standards that must be met to achieve qualifying de-identification, leaving insurers to make and document that determination themselves.

Why did Model Law #674 fail to advance?

Model #674 faced resistance from multiple states and industry stakeholders over concerns about its broad scope, the potential restrictiveness of its data-sharing regulations, and its possible effects on insurance accessibility. Some states and industry representatives also noted that specific provisions could conflict with existing business practices, particularly for independent agents. After multiple rounds of revision and public consultation failed to produce sufficient support, the NAIC confirmed in June 2024 that #674 would not move forward.

How can Limina help insurance companies with privacy compliance?

Limina's data de-identification platform automatically identifies, classifies, and redacts over 50 types of personal data across both structured and unstructured data formats. Because it is built by linguists, the platform understands language in context, making it effective for the kinds of narrative, document-heavy data common in insurance operations. By de-identifying data that does not need to remain identifiable, insurers reduce their regulatory footprint under the NAIC model laws, limit their exposure in the event of a breach, and build the kind of auditable data governance infrastructure that regulators increasingly expect.

Does Limina support compliance with HIPAA in addition to NAIC model laws?

Limina serves multiple regulated industries, including healthcare organizations subject to HIPAA and insurers managing health-related information under NAIC model laws. The platform's entity detection and de-identification capabilities are applicable across both regulatory frameworks. Organizations handling sensitive health and financial information can use the same de-identification infrastructure to address overlapping compliance requirements across multiple applicable standards.