Insurance Agents Fined for Not Having Written Security Plans

January 10, 2010

Recent headlines underscore the importance of agents having written security plans to protect the privacy of their clients’ personal information. Not only could a breach of clients’ personal information devastate an agency’s reputation; it is likely to result in the agency’s having to undertake time-consuming and costly actions on behalf of clients whose personal information is compromised. And now there is the very real possibility of incurring a fine. Just as a well-managed agency takes specific steps to protect against E&O risk, it needs to have a written security plan, incorporate the plan into its procedures, train its employees to implement these procedures consistently, and monitor for compliance.

In the first case, the Virginia Bureau of Insurance fined an agent $1,000 in September for not having a written security plan, as well as for other infractions. The second case occurred on the Pacific coast in October when the Oregon Commissioner fined a non-resident Washington agent $11,000 for failing to have a written security plan and discarding applications containing clients’ personal information in a dumpster without shredding them.

State & Federal Privacy Laws

Agents need to be aware of the general business and insurance-specific security and privacy laws, regulations and administrative letters that apply to them in their resident states, as well as in states where they hold non-resident licenses or where individuals they insure are resident. For example, the new Massachusetts privacy law, which goes into effect March 1, 2010, applies to “all persons that own, license, store or maintain personal information about a resident” of Massachusetts.

The federal Gramm-Leach-Bliley Act (GLB Act) requires businesses to proactively implement administrative, technical, and physical safeguards to protect customer non-public personal information. Many states have enacted laws and regulations to implement the GLB Act for the insurance industry in their state. Overlay onto these requirements the Security Breach Notification laws that have passed in 45 states and the District of Columbia.

We are now starting to see state privacy laws move from the implementation of general safeguards to much more specific requirements. For example, the Nevada law and Massachusetts law specifically require that email containing “personal information” be sent in an encrypted manner. This would include, for example, personal information submitted on commercial applications. The Massachusetts law, in addition, would require the encryption of personal information contained on laptops and mobile devices because of the higher risk posed that these devices will be lost or stolen. In fact, this law provides a good checklist of specific issues agencies will want to include in their security plans.

What is Covered “Personal Information”?

Each agency should review how “personal information” is defined in its various Security Breach Notification and privacy laws. “Personal information” in the Massachusetts law includes first name and last name or first initial and last name in combination with any one or more of the following data elements: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password. Some other states do not require “name” to be an element if identity can be stolen from possession of just the other elements.

A threshold question agencies should ask is: do I even need or want to keep certain categories of personal information? Then it is important to limit access to it to only those employees who need to see it. Finally, what can I do to mask the information when it is viewed on my system, as well as to encrypt it?
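As an added example (not code from the article or from ACT), the following Python applies the Massachusetts definition quoted above to structured agency records: it reports which records are covered “personal information”, and masks the covered elements for on-screen display, as the paragraph above suggests. The `Record` fields, the sample values and the `name_required` switch (which models the states the text says do not require a name) are assumptions made for illustration.

```python
"""Classify agency records against the "personal information" definition
quoted in the article, and mask covered elements for display.

Added example; the record layout and the sample values are assumptions,
not anything from the article or from ACT.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The data elements that, in combination with a name, make a record
# "personal information" under the Massachusetts definition.
TRIGGER_FIELDS = ("ssn", "drivers_license", "account_number")


@dataclass
class Record:
    first_name: Optional[str] = None       # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None  # or state-issued ID card number
    account_number: Optional[str] = None   # financial, credit or debit card


def has_name(rec: Record) -> bool:
    """First name (or first initial) together with last name."""
    return bool(rec.first_name and rec.last_name)


def trigger_elements(rec: Record) -> List[str]:
    """Which of the enumerated data elements are present and non-empty."""
    return [f for f in TRIGGER_FIELDS if getattr(rec, f)]


def is_personal_information(rec: Record, name_required: bool = True) -> bool:
    """Massachusetts rule: a name plus at least one enumerated element.

    name_required=False models the stricter states mentioned in the text,
    where the elements alone are enough to be covered.
    """
    if not trigger_elements(rec):
        return False
    return has_name(rec) if name_required else True


def covered_record_ids(records: Dict[str, Record],
                       name_required: bool = True) -> List[str]:
    """IDs of the records that the plan must protect (encrypt, restrict)."""
    return [rid for rid, rec in records.items()
            if is_personal_information(rec, name_required)]


def mask(value: Optional[str], keep_last: int = 4) -> Optional[str]:
    """Replace all but the last `keep_last` alphanumerics with '*'.

    Separators such as '-' are kept so the masked value stays readable.
    """
    if not value:
        return value
    chars = list(value)
    to_keep = keep_last
    for i in range(len(chars) - 1, -1, -1):
        if chars[i].isalnum():
            if to_keep > 0:
                to_keep -= 1
            else:
                chars[i] = "*"
    return "".join(chars)


def display_view(rec: Record) -> Dict[str, Optional[str]]:
    """The record as it should appear on screen: every trigger element masked,
    whether or not the record as a whole meets the covered definition."""
    view = {"first_name": rec.first_name, "last_name": rec.last_name}
    for f in TRIGGER_FIELDS:
        view[f] = mask(getattr(rec, f))
    return view


# Constructed sample records (made up for this example).
SAMPLE_RECORDS: Dict[str, Record] = {
    "app-001": Record("Jane", "Doe", ssn="123-45-6789"),
    "app-002": Record("J.", "Doe", drivers_license="A12345678"),   # initial + last name
    "app-003": Record("Jane", "Doe"),                               # name only
    "app-004": Record(account_number="4111-1111-1111-1111"),       # card, no name
}


if __name__ == "__main__":
    print("Covered (Massachusetts rule):", covered_record_ids(SAMPLE_RECORDS))
    print("Covered (no name required): ",
          covered_record_ids(SAMPLE_RECORDS, name_required=False))
    for rid, rec in SAMPLE_RECORDS.items():
        print(rid, display_view(rec))
```

Running the block shows `app-001` and `app-002` covered under the Massachusetts rule (name plus element), `app-003` not covered (name alone) and `app-004` covered only when a name is not required. Masking is applied to every trigger element regardless, since the question of whether a particular view needs the full value is separate from whether the record triggers breach-notification duties.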

Agents using credit reports and driver’s license information must also be aware of the federal laws governing them, such as the Fair Credit Reporting Act, the Fair & Accurate Credit Transactions Act, the Driver’s Privacy Protection Act and the Identity Theft Red Flags Rule. These govern how credit reports may be used and properly disposed of, the limitations on the information printed on electronic credit/debit card receipts, how personal information on MVRs may be used, and who must have a written system to flag potential identity thefts.

It is important for each agency to appoint a security champion charged with working with the agency’s employees to draft and implement a security plan that fits well with the agency’s particular practices and procedures and tracks the relevant state and federal laws that apply to the particular agency.

A list of resources to help establish a security plan is available through the Big “I”’s Agents Council for Technology (ACT). Visit www.iiaba.net/act for more details.