Insurance Agents Fined for Not Having Written Security Plans

March 7, 2010

Recent headlines underscore the importance of agents having written security plans to protect the privacy of their clients’ personal information. In the first case, the Virginia Bureau of Insurance fined an agent $1,000 in September for not having a written security plan, as well as for other infractions. The second case occurred in October when the Oregon Commissioner fined a non-resident Washington agent $11,000 for failing to have a written security plan and discarding applications containing clients’ personal information in a dumpster without shredding them.

Just as a well-managed agency takes specific steps to protect against errors and omissions risk, it needs to have a written security plan, incorporate the plan into its procedures, train its employees to implement these procedures consistently, and monitor for compliance.

Agents need to be aware of the general business and insurance-specific security and privacy laws, regulations and administrative letters that apply to them in their resident states, as well as in states where they hold non-resident licenses or where individuals they insure are resident. The federal Gramm-Leach-Bliley Act (GLB Act) requires businesses to proactively implement administrative, technical and physical safeguards to protect customer non-public personal information. Many states have enacted laws and regulations to implement the GLB Act for the insurance industry in their state. Overlay onto these requirements the Security Breach Notification laws that have passed in 45 states and the District of Columbia.

State privacy laws are moving from general safeguard requirements to much more specific ones. For example, Nevada and Massachusetts specifically require that e-mail containing “personal information” be encrypted before it is sent. This would include, for example, personal information submitted on commercial applications. Massachusetts also requires the encryption of personal information stored on laptops and other portable devices, because these devices are at higher risk of being lost or stolen.

Each agency should review how “personal information” is defined in the various Security Breach Notification and privacy laws that apply to it. A threshold question each agency should ask is: Do I even need or want to keep certain categories of personal information? If a category is retained, access to it should be limited to only those employees who need to see it. Finally, the agency should ask what it can do to mask the information when it is viewed on its systems, and to encrypt it wherever it is stored or transmitted.
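The three questions above (retain only what is needed, limit who can see it, mask it on display) can be written down as a small data-handling policy and enforced in software rather than left to individual judgment. The following is an added example, not code from the article or from any agency or vendor it mentions. The field names, the roles (producer, customer service representative, accounting), the access decisions in the policy table and the sample client record are all constructed for illustration; encryption of the stored record is a separate control and is not shown here.

```python
"""
Added example: a minimal data-minimization, need-to-know and masking layer
for a client record. All field names, roles and the sample record below are
constructed for illustration and do not come from the article.
"""
from typing import Dict, List

# Constructed policy table. For each retained field, list which roles may see it
# and whether they see the full value or a masked rendering. A field with no
# entry at all is one the agency has decided not to keep, so it is dropped
# before the record is stored or displayed.
FIELD_POLICY: Dict[str, Dict[str, str]] = {
    "name":            {"producer": "full",   "csr": "full",   "accounting": "full"},
    "email":           {"producer": "full",   "csr": "full"},
    "ssn":             {"producer": "masked", "csr": "masked"},
    "drivers_license": {"producer": "masked", "csr": "masked"},
    "card_number":     {"accounting": "masked"},
}


def mask_identifier(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` alphanumeric characters with '*'.

    Separators are preserved so the masked value keeps the original format,
    e.g. '123-45-6789' -> '***-**-6789'. A value with `keep_last` or fewer
    alphanumeric characters is returned unchanged.
    """
    total = sum(ch.isalnum() for ch in value)
    out: List[str] = []
    seen = 0
    for ch in value:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen > total - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def minimize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Question 1: keep only the fields the agency has a reason to retain."""
    return {field: value for field, value in record.items() if field in FIELD_POLICY}


def view_for_role(record: Dict[str, str], role: str) -> Dict[str, str]:
    """Questions 2 and 3: return only the fields `role` may see, masked where required."""
    view: Dict[str, str] = {}
    for field, value in minimize_record(record).items():
        access = FIELD_POLICY[field].get(role)
        if access == "full":
            view[field] = value
        elif access == "masked":
            view[field] = mask_identifier(value)
        # No entry for this role: the field is withheld from the view entirely.
    return view


# Constructed sample record. "mothers_maiden_name" has no policy entry, so it
# is never retained; the other identifiers are fictitious.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "drivers_license": "V12345678",
    "card_number": "4111 1111 1111 1111",
    "mothers_maiden_name": "Smith",
}


if __name__ == "__main__":
    for role in ("producer", "csr", "accounting"):
        print(role, view_for_role(SAMPLE_RECORD, role))
```

Running the block prints one view per role: the customer service representative sees a masked SSN and license and no card number, accounting sees only the name and a masked card number, and the maiden name appears nowhere because it was never retained. The point of keeping the policy in one table is that it can be reviewed against the written security plan and changed in one place when the plan changes.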

Agents using credit reports and driver's license information must also be aware of federal laws such as the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Driver's Privacy Protection Act and the Identity Theft Red Flags Rule. Together these govern how credit reports may be used and properly disposed of, what information may be printed on electronic credit/debit card receipts, how personal information on motor vehicle records (MVRs) may be used, and which businesses must have a written program to flag potential identity theft.

A list of resources to help establish a security plan is available through the Big "I"'s Agents Council for Technology, www.iiaba.net/act.


From This Issue: Insurance Journal Magazine, March 8, 2010