80 likes | 179 Views
Surviving a Privacy Exam. Barbara B. Fitch 2 nd VP–Market Conduct & Compliance National Life Insurance Company October 3, 2005. District of Columbia - Privacy Status Review – January 2002. DC was lead department 18 participating states Conducted by PricewaterhouseCoopers
E N D
Surviving a Privacy Exam Barbara B. Fitch 2nd VP–Market Conduct & Compliance National Life Insurance Company October 3, 2005
District of Columbia - Privacy Status Review – January 2002 • DC was lead department • 18 participating states • Conducted by PricewaterhouseCoopers • Over 200 companies involved • Initial billing of $30,000 per company
Scope of Exam • Privacy notice and customer notification • Data handling, due diligence and policies to protect information • Customer option preferences • Safeguarding of customer records and information • Other pertinent privacy regulations as determined by the Department
Rules Examined • NAIC Model 672 – Privacy of Consumer Financial and Health Information Regulation • NAIC Insurance Information and Privacy Protection Act (1982) • Gramm-Leach-Bliley Act – Section 501 • Standards for Safeguarding Customer Information Model Regulation • California 2689 Privacy Regulations
Response Approach • Read all documents carefully • Pull together appropriate parties • Look at IT certification programs your company might already have • Business areas most familiar with the process should write the response • Responses should be reviewed by a non-IT person outside of the unit • Be simple….but detailed!
Helpful Hints • Privacy Notices • Consolidate if possible • Keep a chart to document versions and distribution dates • Automate where possible • Safeguarding Info • Have a good general understanding of your company’s IT structure before an exam actually takes place
Helpful Hints • Allow ample time to develop your response • Expect a long wait for a draft report. Be prepared to respond quickly when it arrives • Check the report carefully for errors or information not acknowledged • Address areas you know may be a potential risk before an exam actually happens • Employee security breaches • E-mail – Is yours encrypted?