Handle customer data with care — it’s the law

Insurance agents and brokers constantly deal with customers’ personal information. Yet many in the industry may not be aware of the legal requirements for handling or storing this information.

How should agents and brokers collect and handle sensitive information? The easy answer is “carefully.” However, there also are specific and technical requirements imposed by federal and state laws that need to be followed.

Data protection laws have tended to focus on what is known as “personally identifiable information,” which links a person with his or her identifying or transactional information. That is precisely the type of information that consumers provide their insurance agent and broker professionals.

The transfer of knowledge is absolutely necessary if agents and brokers are to advise and counsel their clients. However, given the sensitive nature of the information, federal and state data privacy protection laws apply. Agents and brokers would be well advised to increase their knowledge of those laws or they could face potential lawsuits.

Several federal laws are potentially applicable to agents and brokers, including the: Gramm-Leach-Bliley Act (GLBA), which limits disclosure and use of customer information, and imposes a security rule for covered information by “financial institutions” and most insurance agents and brokers; Health Insurance Portability and Accountability Act (HIPPA), which controls the handling of customer medical records and information; and Fair Credit Reporting Act, which regulates the use and disclosure and disposal of information in “consumer reports.”

The Gramm-Leach-Bliley, in particular, is one of the most robust federal information privacy and security laws. In 1999, Congress enacted the GLBA, 15 USC 6801– 6827 (1999), which contains rules regarding the privacy of “nonpublic personal information” collected by financial institutions. In addition to the statute, there are extensive regulations promulgated by the Securities and Exchange Commission, banking regulators and the Federal Trade Commission. As for insurance companies, the GLBA is enforced under state insurance law, i.e., by state insurance authorities. The GLBA does not preempt state law that gives greater privacy protection, and several states have statutes going beyond the GLBA that are not preempted (California is an example).

Application of the GLBA
The GLBA applies to most, if not all, insurance agents and brokers. It applies to financial institutions, but that term is broadly defined, and the GLBA states that in general, a financial institution is “any institution the business of which is engaging in financial activities as described in section 1843(k) of title 12.” That section of title 12 states that one activity that is financial in nature is: “[i]nsuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State.” Additionally, federal regulation 12 CFR 225.28 lists “nonbanking activities” to which GLBA applies. That regulation lists “insurance agency and underwriting.” Although it goes on to limit that phrase with specific qualifications, once all are taken together, it is likely that most agencies would be included.

Customer information that is affected
The personal information covered by the GLBA is termed “nonpublic personal information,” which means “personally identifiable financial information — provided by a consumer to a financial institution; resulting from any transaction with the consumer or any service performed for the consumer; or otherwise obtained by the financial institution.” The term does not include publicly available information. Regulations issued under this statute define “personally identifiable financial information” as any information: “a consumer provides to you to obtain a financial product or service from you; about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” Those definitions are important, because the way “nonpublic personal information” is defined includes just about all information provided by a consumer or customer that is nonpublic, whether or not it appears to be particularly sensitive or confidential.

Privacy and security programs
The GLBA requires the covered agency or broker, whichever has the covered relationship, to undertake several practices to notify consumers of how their information will be handled and how to protect that information. Those obligations include:

• The continuing delivery (e.g., annually) of privacy statements to consumers with whom a financial institution has an ongoing relationship. The statements must explain, in compliance with regulations, the institution’s information privacy practices and give consumers the right to opt-out of having their information shared with certain third parties.
• Assuring the security of information and restricting the sharing of information with third parties. One regulation that details the security measures, lists the following:

1. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and systems to prevent employees from providing customer information to unauthorized individuals who seek it through fraudulent means;

2. Access restrictions at physical locations containing customer information;

3. Encryption of electronic customer information, including when in transit or in storage on systems where unauthorized individuals may have access;

4. Procedures to ensure that customer information system modifications are consistent with an organization’s information security program;

5. Dual control procedures, segregation of duties and employee background checks for employees with access to customer information;

6. Monitoring of systems and procedures to detect actual and attempted attacks on or intrusion into customer information systems;

7. Response programs for when an organization suspects or detects that unauthorized individuals have gained access to customer information systems;

8. Measures to protect customer information from destruction, loss or damage by environmental hazards or technological failure;

9. Training for staff to implement the security program; and

10. Regular testing of the key controls, systems and procedures of the security program.

• Assuring the appropriate disposal of information, as does the federal Fair Credit Reporting Act for information that is, or is derived from consumer reports, such as a credit report.
• Covered companies must have contracts with service providers that handle covered information, which tends to be transactional and personally identifying data, but can also be unexpected items such as “cookie” information from Web sites and the mere fact of a customer relationship.

All of the obligations do not stand alone. In each case, they must be part of a comprehensive information security/privacy program that, depending upon the regulation, requires board approval. In other words, a GLBA-covered company may not simply have policies on particular subjects; those policies must result from a comprehensive review and overall policy and assessment.

Federal privacy laws and the Gramm-Leach-Bliley Act in particular, require specific actions by those organizations to which they apply. But states also have been active in the data privacy arena, going beyond the GLBA. In handling customer information, agents also need to be aware of their responsibilities under other state laws that may apply.

Trust is the cornerstone of successful relationships in the insurance sector. Nothing will help build trust between agents and their clients more than showing care and sensitivity around personal, private information. And there is no better way to accomplish that than knowing the legal requirements and how to meet them. Keeping personal client information safe is the right thing to do. It’s also the law.

Todd Nunn is a partner in the business litigation practice in the Seattle office of K&L Gates. Nunn’s practice emphasizes class action defense, complex document production and electronic discovery, insurance coverage and constitutional law. Phone: 206-623-7580. E-mail: todd.nunn@klgates.com.