by Jeff Yates, ACT Executive Director
Recent headlines have underscored the importance of agents having written security plans to protect the privacy of their clients’ personal information. Not only could a breach of clients’ personal information devastate an agency’s reputation; it is likely to result in the agency’s having to undertake time-consuming and costly actions on behalf of clients whose personal information is compromised. And now there is the very real possibility of incurring a fine. Just as a well-managed agency takes specific steps to protect against E&O risk, it needs to have a written security plan, incorporate the plan into its procedures, train its employees to implement these procedures consistently, and monitor for compliance.
In the first of these cases, the Virginia Bureau of Insurance fined an agent $1,000 on September 22, 2009 for not having a written security plan as well as for other infractions. The second case occurred on the Pacific coast when the Oregon Commissioner fined a non-resident Washington agent $11,000 on October 23, 2009 for failing to have a written security plan and for discarding applications containing clients’ personal information in a dumpster without shredding them.
State & Federal Privacy Laws
Agents need to be aware of the general business and insurance specific security and privacy laws, regulations and administrative letters that apply to them in their resident states, as well as in states where they hold non-resident licenses or where individuals they insure are resident. For example, the new Massachusetts privacy law which goes into effect March 1, 2010, applies to “all persons that own, license, store or maintain personal information about a resident” of Massachusetts.
The federal Gramm-Leach-Bliley Act (GLB Act) requires businesses to proactively implement administrative, technical, and physical safeguards to protect customer non-public personal information. Many states have enacted laws and regulations to implement the GLB Act for the insurance industry in their state. Overlay onto these requirements the Security Breach Notification laws that have passed in 45 states and the District of Columbia.
We are now starting to see state privacy laws move from the implementation of general safeguards to much more specific requirements. For example, the Nevada law and Massachusetts law (March 1, 2010) specifically require that email containing “personal information” be sent in an encrypted manner. This would include, for example, personal information submitted on commercial applications. The Massachusetts law in addition would require the encryption of personal information contained on laptops and mobile devices because of the higher risk that these devices will be lost or stolen. In fact, this law provides a good checklist of specific issues agencies will want to include in their security plans.
What is Covered "Personal Information"?
Each agency should review how “personal information” is defined in its various Security Breach Notification and privacy laws. “Personal information” in the Massachusetts law includes first name and last name or first initial and last name in combination with any one or more of the following data elements: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password. Some other states do not require “name” to be an element if identity can be stolen from possession of just the other elements.
A threshold question agencies need to ask is: do I even need or want to keep certain categories of personal information? If the information is kept, it is important to limit access to it to only those employees who need to see it. Finally, what can I do to mask the information when it is viewed on my system, as well as to encrypt it at rest and in transit?
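The three questions above (keep it at all, limit who sees it, mask it on screen) can be turned into simple, testable rules. The following Python is an added illustration, not code from the article or from ACT; the record layout and field names (first_name, last_name, ssn, drivers_license, account_number) are constructed for the example, and the classification follows the Massachusetts name-plus-data-element definition quoted in the previous section, with a switch for states that drop the name requirement.

```python
# Added example: classify a client record as covered "personal information"
# and produce a masked copy for display. Field names are constructed for this
# example and are not from any real agency management system.

# Data elements that, combined with a name, make a record "personal
# information" under the Massachusetts definition quoted in the article.
TRIGGER_ELEMENTS = ("ssn", "drivers_license", "account_number")

# Constructed sample record (fictitious values, not real data).
SAMPLE_RECORD = {
    "first_name": "Jane",
    "last_name": "Doe",
    "ssn": "123-45-6789",
    "drivers_license": "",
    "account_number": "4111111111111111",
    "email": "jane.doe@example.com",
}


def has_name(record):
    """First name (or initial) together with last name."""
    return bool(record.get("first_name")) and bool(record.get("last_name"))


def present_elements(record):
    """Which of the triggering data elements are actually populated."""
    return [k for k in TRIGGER_ELEMENTS if record.get(k)]


def is_personal_information(record, require_name=True):
    """True if the record meets the name + data-element test.

    Some states treat the data elements alone as personal information;
    require_name=False models that stricter reading.
    """
    if not present_elements(record):
        return False
    return has_name(record) if require_name else True


def minimize(record, needed_fields):
    """Answer the threshold question: drop any triggering element the agency
    has decided it does not need to keep (needed_fields is a whitelist)."""
    return {
        k: v for k, v in record.items()
        if k not in TRIGGER_ELEMENTS or k in needed_fields
    }


def mask(value, keep_last=4):
    """Replace every alphanumeric character except the last `keep_last`
    with '*', preserving separators so the format stays recognizable."""
    s = str(value)
    head, tail = s[:-keep_last], s[-keep_last:]
    return "".join("*" if c.isalnum() else c for c in head) + tail


def masked_view(record):
    """Copy of the record suitable for on-screen display: triggering
    elements are masked, other fields are left as they are."""
    return {
        k: (mask(v) if k in TRIGGER_ELEMENTS and v else v)
        for k, v in record.items()
    }


if __name__ == "__main__":
    print("covered PI:", is_personal_information(SAMPLE_RECORD))
    print("elements present:", present_elements(SAMPLE_RECORD))
    print("display copy:", masked_view(SAMPLE_RECORD))
    print("after minimization:", minimize(SAMPLE_RECORD, needed_fields={"ssn"}))
```

The masking keeps the last four characters so staff can confirm they are looking at the right account or license without the full value ever being rendered; the `minimize` step is the one that removes risk outright, since information that is never stored cannot be breached.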
Other Relevant Federal Laws
Agents using credit reports and driver's license information must also be aware of the federal laws governing them, such as the Fair Credit Reporting Act, the Fair & Accurate Credit Transactions (FACT) Act, the Driver's Privacy Protection Act and the Identity Theft Red Flags Rule. These govern how credit reports may be used and properly disposed of, the limitations on the information printed on electronic credit/debit card receipts, how personal information on MVRs may be used, and who must have a written system to flag potential identity thefts. IIABA members can log on to www.iiaba.net (Legal Advocacy tab, "Memoranda & FAQs") for a good overview of these laws, as well as Gramm-Leach-Bliley.
Similarly, if agents are handling personal medical information they should be very familiar with the strict privacy protections required by HIPAA for that information. Agents should consult their professional advisors as to how new HIPAA requirements for "Business Associates" will affect them when they go into effect on February 17, 2010. They should also be familiar with the new HIPAA Breach Notification Rule (See Legal Advocacy tab, "Memoranda & FAQs").
Resources Available to Assist Agencies
The Massachusetts Association of Insurance Agents has prepared an excellent prototype Security Information Plan to assist agencies in formulating their written plans in anticipation of their new privacy law, which they have given ACT permission to make available nationally. While this document provides a great starting point, it is important for each agency to appoint a security champion charged with working with the agency’s employees to draft and implement a security plan that fits well with the agency’s particular practices and procedures and tracks the relevant state and federal laws that apply to the particular agency.
The Virginia Bureau of Insurance has produced an excellent checklist of questions agencies should ask when developing a security plan. Also of interest is a list of categories of confidential information that agencies may want to include in their plans.
Agents will find some very helpful resources at the “Security & Privacy” quick link on the ACT site (www.iiaba.net/act) as well:
- “Protecting Agency Customer Information from Identity Theft” (2006) provides a great overview of the major security risks that agencies face that need to be incorporated into an agency’s security plan.
- “Independent Agent’s Guide to Systems Security” (2005) includes a self-assessment security checklist and sample security plan. This plan contains a lot of helpful detail in assuring the security of an agency’s systems, but it will need to be updated to track the most recent state privacy laws applying to the agency.
- Guidance for using TLS email encryption for sending secure email, including articles, FAQs, a list of carriers supporting TLS, and recorded webinars and PowerPoints with detailed TLS implementation notes.
ACT’s work to assist agencies in implementing appropriate security measures is ongoing. Currently, its Agency Security Best Practices Work Group is identifying recommended security practices and procedures for agencies to consider in areas such as password management. We expect the group’s report to be published in the first quarter of 2010.
Editor’s note (to include if this article is published without links): Please visit www.iiaba.net/act at the “Security & Privacy” quick link to access this article electronically for links to the mentioned resources.
Jeff Yates is Executive Director of the Agents Council for Technology (ACT) which is part of the Independent Insurance Agents & Brokers of America. Jeff can be reached here. ACT’s website is www.iiaba.net/act. This article reflects the views of the author and should not be construed as an official statement by ACT.