Insurance Insights June 2025

Life Insurance

New York: Sharpening Focus on AI and Privacy

The privacy landscape is also evolving in New York, directly impacting insurers:

• As we’ve reported before, several states have adopted the National Association of Insurance Commissioners’ (NAIC) model bulletin on the use of artificial intelligence in insurance. On July 11, 2024, the New York Department of Financial Services (NYDFS) finalized and issued Circular Letter No. 7, Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing, which covers many of the same principles as the NAIC model bulletin but differs in some key respects. For example, it focuses only on underwriting and pricing, includes steps for a comprehensive assessment to ensure underwriting and pricing guidelines are not unfairly discriminatory, and includes a detailed notice requirement to potential insureds about the use of AI or external consumer data. Although Circular Letter No. 7 does not amend existing laws or regulations, we anticipate that the NYDFS will announce examination and enforcement plans under this interpretation of existing laws.

• On October 16, 2024, the NYDFS issued an industry letter containing guidance for assessing and responding to what it considers the most pressing cybersecurity risks in the use of AI. Recommended controls for combatting these risks include risk assessments, incident response and business continuity and disaster recovery plans, multi-factor authentication using forms of authentication that cannot be impersonated by deepfakes, cybersecurity training, and management of third-party service-provider agreements.

• On January 22, 2025, the New York state legislature passed the Health Information Privacy Act, which is now awaiting the governor’s signature. Like Washington’s My Health My Data Act of 2023, New York’s act would broadly regulate health data not already governed by HIPAA. Unlike Washington’s act, the New York Health Information Privacy Act does not exempt information subject to the Gramm–Leach–Bliley Act. Accordingly, insurers (other than health insurers already subject to HIPAA) may be required to comply with the act when processing health information linkable to an individual or device if the insurer or insured is in New York. Many insurers are likely already complying, such as by declining to sell health information to third parties and obtaining authorization before collecting health information beyond that necessary for providing the product requested by the consumer. But insurers should be aware of their obligations under the act, which will take effect one year after it is signed into law.

• Two recent amendments to New York’s data breach notification law should be considered in companies’ incident response plans. A December 2024 amendment, effective immediately, imposes a 30-day deadline for notifying affected state residents of a data breach—one of the shortest notification deadlines in the country. A February 2025 amendment clarifies that NYDFS-regulated entities must notify the NYDFS of a breach. Further, effective March 21, 2025, the law’s definition of “private information” was expanded to include medical and health insurance information, meaning that breaches involving medical and health insurance information now trigger not only HIPAA notification requirements but also notification obligations under New York law.

Eye on Privacy

Meet our New York insurance team: Patrick Gennardo, Mona Bhalla, Adam Kaiser, Alex Lorenzo, Eric Kuwana, Arianna Clark, Steven Penaro, Reade Seligmann, Joanna Schorr, Elizabeth Buckel, Matthew Byers
