This guide explains the privacy requirements imposed upon independent insurance agents under the Gramm-Leach-Bliley Act (GLBA) and provides guidance on how to comply. It covers the purpose of privacy requirements in GLBA, the connection between GLBA and privacy, the enforcement of GLBA's privacy requirements, and the protection of individuals' information. It also discusses the particular challenges for insurance under GLBA, including coordinating with state insurance laws and court decisions on privacy and practices.
An Agent's Guide to Understanding and Complying with Privacy Requirements
By Patricia A. Borowski, Senior Vice President, PIA National
Summary of Presentation
• Remembering this is Round Two
• Purpose of the Privacy Requirements in GLBA
• Requirements imposed upon independent agents under GLBA
• How to Comply
• Questions
2nd Round: Been There, Done That
TRADITIONALLY, as practice in insurance:
• Privacy/confidentiality has been, and is, recognized
• Some common law cases on point
• 1986 NAIC Privacy Protection & Information Model Act, adopted by 17 states
• Inculcated as industry-wide practice
• Balance insurance common law expectations
Purpose of Privacy Requirements in GLBA
• What is GLBA?
I. In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA).
II. GLBA's purpose was to legally create a federal financial services industry with insurance, banking and securities under it.
III. It was to tear down the legal barriers that prevented affiliations between banks, insurance companies, and securities firms, and allow the creation of "financial supermarkets."
Purpose of Privacy Requirements in GLBA
• What's the connection between GLBA and privacy?
I. GLBA's passage was seen by consumer advocates as a vehicle to finally impose privacy practices on banks, an effort which had failed in the past.
II. It also coincided with improvements in communications technology like e-mail and the Internet.
Purpose of Privacy Requirements in GLBA
III. Quick and effortless dissemination of information between and within these financial supermarkets could hurt consumers or at the very least "tick 'em off."
IV. Congress was pressured to include privacy standards in GLBA to ensure that consumer information was protected from rampant sharing.
V. Enter Title V of GLBA: Title V is the section of the law dealing with "privacy."
Purpose of Privacy Requirements in GLBA
• What does Title V accomplish?
I. Title V establishes minimum federal privacy standards.
• Who enforces Title V privacy requirements?
I. GLBA's privacy requirements are "functionally regulated," which means the governmental entity that normally regulates the particular business sector is charged with interpreting and enforcing GLBA's standards.
Purpose of Privacy Requirements in GLBA
II. For insurance, the regulating governmental entities are the NAIC and the states.
a. This means the NAIC develops a model for the minimum privacy standards imposed by GLBA, and the states must adopt it.
b. However, since these are minimum standards, the states are free to pass tougher privacy requirements.
Purpose of Privacy Requirements in GLBA
• Whose information is protected by Title V of GLBA?
I. GLBA's privacy standards protect an individual's information for auto, home and other personal insurance use, not a business entity's.
Summary of GLBA's Title V Privacy Requirements
I. Written Privacy Policy
II. Privacy Notice to Customers, which may need to include an opportunity for customers to opt out of or opt into information sharing
III. Information Security Program in place at the agency to protect customer information
IV. Access for carriers and governmental entities to audit compliance
Particular Challenges for Insurance Under GLBA Section VI
• Section VI was written in bank law, practice, structure, regulation and federal perspective, not insurance, and translation has been tough.
• Coordinating with existing state insurance law and court decisions on privacy and practices; there are some differences among the states on this.
• The nature of "licensee," "consumer" and "data" may change with the nature of the insurance transaction.
• Captive vs. independent insurance agency/agent in relation to insurer and consumer.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
• Three things necessary to understanding GLBA's privacy requirements:
• Look to each state's insurance privacy laws for specific details.
I. What type of information is protected?
II. The different terms defined by GLBA, or "The GLBA Cast of Characters."
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
I. What type of information is protected?
• Non-public personal information (as in, not commercial information)
• GLBA defines Non-Public Personal Information as: "Personally identifiable financial information provided by a consumer to a financial institution or personally identifiable financial information resulting from any transaction with the consumer."
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
• Examples of Non-Public Personal Information (NPI) can be:
- UNLISTED names, addresses, telephone numbers*
- Consumer financial information
- The fact that a person is or was a customer or has obtained a financial product from you
- Claims history or payment history
- Other information about the individual that is provided in connection with obtaining an insurance product or service
Requirements Imposed Upon Independent Insurance Agents Under GLBA
• PIA recommends that you treat ALL customer information as Non-Public Personal Information because of:
- OWNERSHIP
- Compliance
- Control
- Coordination with other privacy-related laws, e.g. HIPAA, D-N-C, etc.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
II. Cast of characters under GLBA
I. Financial Institution: "Any institution the business of which is engaging in financial activities like underwriting, securities, or providing financial investment or economic advisory services."
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Terms Continued…
• An insurance carrier is a "financial institution" under GLBA since it underwrites.
• Per the Fed's opinion, an independent insurance agency is a "financial institution" under GLBA since it is involved in underwriting and multi-markets.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Terms Continued…
II. Consumer (potential business): an individual who obtains a financial product or service from a financial institution = prospect.
III. Customer (actual business): any person to whom a financial institution provides a product or service. Most of GLBA's requirements are owed to an agent's customers, but applicants, claimants, beneficiaries and employees of group benefits can be included.
IV. Affiliate: any company that controls, is controlled by, or is under common control with another company. Generally, an agent can share information with its affiliates (if it has any) without giving the customer an opportunity to opt out. Insurers and IAs are not per se "affiliates," but issues of control matter.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
V. Non-Affiliated 3rd Party: any entity that is not an affiliate of, or related by common ownership with, the financial institution.
VI. Joint marketing arrangement: an arrangement where a financial institution provides non-public personal information to a non-affiliated 3rd party in order for that non-affiliated 3rd party to perform services on behalf of the financial institution, like the marketing of the financial institution's products and services. **Insurers-IAs.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
EXAMPLE of a Joint Marketing Arrangement: an independent agency sharing client information with an equity firm to produce a securities solicitation of the agency's client.
*** An independent agency providing underwriting information to its carriers to shop, place, effect or renew coverage for one of its customers…. NO. Per GLBA, both agency and carrier are financial institutions and unaffiliated 3rd parties with respect to each other. Not so under insurance law for purposes of co-joined action.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
• What does GLBA say about sharing Non-Public Personal Information?
• An agency (or financial institution) CANNOT share NPI with a non-affiliated 3rd party UNLESS:
1. The agency creates a written privacy policy
2. The agency has an information security program
3. The agency provides its customers with a privacy policy notice.
I. The notice must be given at the initiation of the customer relationship AND annually thereafter.
4. The privacy policy notice must give customers the option of opting out of sharing their information with non-affiliated 3rd parties if:
• The agent is NOT sharing the information to service or process insurance coverage requested or authorized by the customer, OR
• The information is NOT being shared as part of a joint marketing arrangement between an affiliated and non-affiliated 3rd party
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
• Once an agency has given its customers a notice of its privacy policy, non-public personal information CAN be shared if:
1. The agency has in place a written privacy policy and an information security program which protects the confidentiality of customer records, AND
2. The information is being shared in connection with the servicing or processing of a financial product or service requested or authorized by the customer, OR
3. The information is being shared as part of a joint marketing arrangement where the parties to the arrangement have signed a contract promising to protect NPI.
Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
• Nutshell statement of what GLBA's privacy requirements say for independent insurance agents:
"Don't share information about your customer without: (1) having an information security program in place that protects the confidentiality of that customer's info., (2) having a written privacy policy that explains the ways in which that customer's info. is shared, protected, and gathered, and (3) having given your customers notice of the fact that you will share their information AND the opportunity to opt out of sharing their info. if you share their information with a party who is: (1) unrelated to your agency and (2) unrelated to the placement or service of that customer's insurance."
Complying with GLBA's Privacy Requirement
• This compliance advice is NOT comprehensive, because there are 4 potential sources of privacy obligations:
1. State privacy and related statutes
2. Case law or common law in each state
3. Other federal laws like HIPAA
4. Carrier-issued or vendor-issued agreements which agents have signed
Complying with GLBA's Privacy Requirement
• Minimum steps independent agencies should consider in order to comply with GLBA
• Remember, this advice is NOT intended to serve as a substitute for the advice of legal counsel; it is a suggested prudent course of action independent agencies should consider to assist them in complying with their various privacy obligations.
Complying with GLBA's Privacy Requirement
#1. In most cases, independent agencies should create and send a general disclosure notice of their privacy policy/practices to their customers:
• The notice must be sent at the initiation of the relationship and then annually thereafter.
Complying with GLBA's Privacy Requirement
• How to Create a Privacy Notice
Step 1: Use the privacy notice as an opportunity to thank your customers for their business and as a "time to share with them the importance your agency places on the privacy and confidentiality of their personal information."
Step 2: State the fact that your agency is a member of the financial services industry, which is subject to federal and state privacy laws regarding the collection and exchange of customer information.
Complying with GLBA's Privacy Requirement
• Step 3: State that "in order to execute the insurance market search and placement for the insurance coverages your needs/risk exposures require, our agency must gather the necessary information."
• Step 4: List the sources your agency uses to collect information about the customer, like:
- Information we receive from you on applications or other forms;
- Information about your transactions with us, our affiliates or others;
- Information we receive from a consumer reporting agency.
Complying with GLBA's Privacy Requirement
• Step 5: State that, to provide the insurance service or product requested, our agency will have to share the personal information gathered from these sources with other insurance-related parties that are similarly obligated under state and federal privacy laws to keep all treatments and exchanges of your information within the requirements of these laws.
Complying with GLBA's Privacy Requirement
Step 6: List the kinds of non-public personal information that may need to be shared:
- Information we receive from you on applications or other forms, such as your name, address, Social Security number, assets, income, and beneficiary information
- Information about your transactions with us, our affiliates or others, such as your policy coverage, premiums and payment history
- Information we receive from a consumer reporting agency, such as your insurance score, MVR and/or claims history
Complying with GLBA's Privacy Requirement
• Step 7: Explain your information security program. "As we place your insurance with these insurance entities, both they and our agency work together, as well as individually, to retain your information only for those activities required to underwrite, issue and service your policy of insurance and to conduct claims and related service activities on your behalf. We restrict access to nonpublic personal information about you to those employees who need to know that information to provide products or services to you. In a reasonable and prudent manner, we maintain the physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information."
Complying with GLBA's Privacy Requirement
• Step 8: Give customers the option to opt out of information sharing with those non-affiliated 3rd parties with whom you are sharing customer information for purposes OTHER than insurance purposes:
• "If you prefer that we not disclose personal information about you (other than those permitted disclosures) to non-affiliated third parties, you may opt out of those disclosures; that is, you may direct us not to make those disclosures. If you wish to opt out of disclosure to non-affiliated third parties, please sign and return the attached statement."
Complying with GLBA's Privacy Requirement
#2. Independent agencies need to create a Written Privacy Policy and establish an Information Security Program
- These two requirements go hand in hand, because the "security program" is really just the implementation of the agency's written privacy policy.
Complying with GLBA's Privacy Requirement
• How to Create a Written Privacy Policy and Implement an Information Security Program
*The following steps relate to creating the written Privacy Policy*
• Step 1: Examine the different types of information your agency receives and the ways your agency receives such information from your customers, and DOCUMENT THIS EXAMINATION.
• Step 2: Examine the entities your agency exchanges client information with, and note the purpose for the exchange and the type of information exchanged. DOCUMENT THIS EXAMINATION.
Complying with GLBA's Privacy Requirement
- Step 3: Examine the language relating to "protection of information" contained in the different agreements your agency has signed. DOCUMENT THIS EXAMINATION.
- Step 4: Draft a written privacy policy for your agency which addresses the type of information your agency protects and the way in which your agency will protect such information.
Complying with GLBA's Privacy Requirement
*The following steps relate to the areas the privacy policy should address*
• Step 1: Your privacy policy must protect the confidentiality of information as it is collected and received.
- Train employees to protect client information as it is received.
- FAX machines are regularly checked, you use a secure e-mail provider, etc.
• Step 2: If information is processed into your agency's computer system via laptops, desktops or the Internet, check to make sure that such systems are secure, and mention in your policy the ways the system will be kept secure.
Complying with GLBA's Privacy Requirement
Step 3: Your policy states a goal that your agency's computer systems will keep reasonable pace with technological developments in protecting customer information.
- The agency should update virus and firewall protections accordingly and needs to regularly budget annual expenditures for technology upgrades.
Complying with GLBA's Privacy Requirement
Step 4: Your policy must address what steps your agency is taking to protect information it shares with outside entities, like carriers or vendors.
- Consider having these vendors sign an agreement in which they promise to request the minimal amount of information necessary to complete the transaction and promise not to share or use the information for purposes beyond the immediate transaction.
Complying with GLBA's Privacy Requirement
• Step 5: The policy should state that the agency will only collect information that is necessary for the insurance being secured.
• Step 6: The policy should state that data (whether paper, files, screens, tapes, etc.) should not be left unattended and/or open to public view.
• Step 7: The policy should state that staff will be educated on the duty to protect information and that the agency will oversee that staff protect information.
- There needs to be language in the employee handbook and in employee position descriptions which identifies what information is protected and how employees must behave to keep that information private.
Complying with GLBA's Privacy Requirement
• Step 8: The policy must state that information will not be shared if a client has "opted out" of sharing such information, or if it is health information and the client has not "opted in."
• Step 9: The privacy policy must state that access to protected information will be granted to those governmental entities and certain business entities who require access to audit your agency's compliance.
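The sharing rules under "What does GLBA say about sharing Non-Public Personal Information?" and the "Nutshell statement," together with the opt-out / health opt-in condition in Step 8 and the audit access in Step 9, amount to a single authorization decision an agency can write down and check before any disclosure. The following is an added illustration in Python, not code from PIA or from this presentation: the Agency, Customer and Disclosure fields, the recipient and purpose categories, and the scenarios in demo() are constructed assumptions chosen to mirror the deck's own examples (a carrier placing requested coverage, an equity firm securities solicitation).

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Recipient(Enum):
    """Who would receive the NPI; categories follow the deck's 'cast of characters'."""
    AFFILIATE = auto()        # controls / is controlled by / common control with the agency
    NON_AFFILIATED = auto()   # everyone else, including carriers (unaffiliated under GLBA)


class Purpose(Enum):
    """Why the NPI would be shared (assumed categories for this example)."""
    SERVICING = auto()         # placing or servicing coverage the customer requested
    JOINT_MARKETING = auto()   # joint marketing arrangement with a non-affiliated 3rd party
    COMPLIANCE_AUDIT = auto()  # regulator or carrier auditing the agency's compliance
    OTHER = auto()             # unrelated to placement or service of the customer's insurance


@dataclass
class Agency:
    has_written_privacy_policy: bool
    has_information_security_program: bool


@dataclass
class Customer:
    notice_given: bool           # privacy notice delivered at initiation and annually
    opted_out: bool = False      # customer returned the opt-out statement
    health_opt_in: bool = False  # affirmative opt-in covering health information


@dataclass
class Disclosure:
    recipient: Recipient
    purpose: Purpose
    contains_health_info: bool = False
    contract_protects_npi: bool = False  # signed joint-marketing contract protecting NPI


def may_share(agency: Agency, customer: Customer, d: Disclosure) -> tuple[bool, str]:
    """Return (allowed, reason) for one proposed disclosure of a customer's NPI."""
    # Prerequisites: no sharing at all without the written policy and the security program.
    if not agency.has_written_privacy_policy:
        return False, "no written privacy policy"
    if not agency.has_information_security_program:
        return False, "no information security program"

    # Health information is withheld unless the client has opted in (Step 8).
    if d.contains_health_info and not customer.health_opt_in:
        return False, "health information and the client has not opted in"

    # Affiliates may generally receive NPI without an opt-out opportunity.
    if d.recipient is Recipient.AFFILIATE:
        return True, "affiliate; no opt-out required"

    # Non-affiliated recipient: the purpose decides.
    if d.purpose is Purpose.SERVICING:
        return True, "servicing or processing coverage the customer requested"
    if d.purpose is Purpose.COMPLIANCE_AUDIT:
        return True, "access required to audit the agency's compliance (Step 9)"
    if d.purpose is Purpose.JOINT_MARKETING:
        if d.contract_protects_npi:
            return True, "joint marketing arrangement with a signed contract protecting NPI"
        return False, "joint marketing arrangement without a signed contract protecting NPI"

    # Any other purpose: the customer must have had notice and the chance to opt out.
    if not customer.notice_given:
        return False, "privacy notice not given; customer had no opportunity to opt out"
    if customer.opted_out:
        return False, "customer opted out of disclosure to non-affiliated third parties"
    return True, "notice given and customer did not opt out"


def demo() -> list[tuple[str, bool, str]]:
    """Constructed scenarios (not from the deck) run through the check."""
    agency = Agency(has_written_privacy_policy=True, has_information_security_program=True)
    ok_customer = Customer(notice_given=True)
    cases = [
        ("carrier, placing requested coverage",
         agency, ok_customer, Disclosure(Recipient.NON_AFFILIATED, Purpose.SERVICING)),
        ("equity firm, securities solicitation, no contract",
         agency, ok_customer, Disclosure(Recipient.NON_AFFILIATED, Purpose.JOINT_MARKETING)),
        ("equity firm, securities solicitation, signed contract",
         agency, ok_customer, Disclosure(Recipient.NON_AFFILIATED, Purpose.JOINT_MARKETING,
                                         contract_protects_npi=True)),
        ("unrelated marketer, customer opted out",
         agency, Customer(notice_given=True, opted_out=True),
         Disclosure(Recipient.NON_AFFILIATED, Purpose.OTHER)),
        ("affiliate, health information, no opt-in",
         agency, ok_customer, Disclosure(Recipient.AFFILIATE, Purpose.OTHER, contains_health_info=True)),
        ("carrier, but agency has no security program",
         Agency(True, False), ok_customer, Disclosure(Recipient.NON_AFFILIATED, Purpose.SERVICING)),
    ]
    return [(label, *may_share(a, c, d)) for label, a, c, d in cases]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{'SHARE   ' if allowed else 'WITHHOLD'}  {label}: {reason}")
```

The order of the checks matters: the agency-level prerequisites and the health opt-in are tested before the recipient and purpose, so a missing security program blocks even the routine carrier placement, and the affiliate shortcut never bypasses the health rule. Logging the returned reason alongside each decision gives the audit trail that Step 9 assumes a regulator or carrier can ask for.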
Complying with GLBA's Privacy Requirement
• #3. Implement the policy and monitor its effectiveness.
WHY? Consider These Suggestions
OWNERSHIP, OWNERSHIP, OWNERSHIP
• Compliance
• Control
• Coordination with other privacy-related laws, e.g. HIPAA, D-N-C, etc.
Requirements Imposed Upon Independent Insurance Agents Under GLBA
• Questions?
Thank you for being a PIA member, and for attending this session!
Pat Borowski
patbo@pianet.org
1-703-528-1360