State laws vary, but principles stay the same

By | August 6, 2007

Few things help to build trust between insurance agents and their clients more than showing care and sensitivity around personal information. And key to that is understanding the general legal principles states have enacted around handling “personal information.”

Many states have passed laws setting standards for this hot-button issue. All states regulate personal information protection differently, but there is general similarity in the language and approach, largely modeled after California’s data security laws. Of course, it is very important for agencies to understand the state law provisions in their home states, as well as the federal laws. Following are general legal principles to help keep customer data secure — and to keep your agents in compliance.

Who is impacted?
State laws governing handling of personal information have a very broad application. They apply to “[a]ny person or business that conducts business” in the particular state that “owns or licenses computerized data that includes personal information.” Some are even broader, applying to any person or business that “acquires, owns or licenses” computerized data with personal information. By those definitions, the rules apply to insurance agents and brokers.

Which customer data is affected?
Customer data falls under these laws if it contains “personal information,” generally defined as a combination of an individual’s first name or first initial, middle name or middle initial with the individual’s last name, when also combined with one or more of the following unencrypted data elements: Social Security number; driver’s license number or identification card number; bank account number; credit card number or debit card number, in combination with any required security code, access code or password that would permit access.

For the most part, personal information does not include publicly available information that is lawfully available from government or widely distributed media.

Three areas of concern
State data protection laws regulate one or more of three possible aspects of the handling of computerized personal data: data security; notification of security breaches; and data destruction. Not all states have laws regarding all three of these aspects.

  • Data Security – Several states have enacted laws that impose an obligation to secure data. These laws require businesses that possess unencrypted personal information to “maintain reasonable security procedures and practices appropriate to the nature of the information” and to “protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” There is no consistent description of what constitutes “reasonable security.” A few states also mandate that the business impose that obligation by contract on any third party to which the business discloses personal information.

Without specific guidance from the law or from some state regulation, businesses are forced to guess at what meets the “reasonable security” standard. One safe approach is to comply with the more detailed federal guidelines under the closest applicable federal privacy laws. Some state laws exempt businesses from the state law if that business is required to comply with more stringent federal laws.

On the other hand, such compliance can be expensive and difficult. Agents will have to decide what to do after checking the legal requirements in their own state.

  • Data Breach Notification – A majority of states require a business that acquires, owns, licenses or maintains personal information to disclose any breach of security to any person whose information was, or is reasonably believed to have been, accessed by an unauthorized person. Disclosure should be expedient, and without unreasonable delay following the discovery of the breach. The deadlines are typically subject to modification based on the need for law enforcement investigation. If the business does not own the data that was accessed, it is required to notify the owner of the data.

“Breach of security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. That does not apply to good faith access by an employee or agent of the business.

Notice may be provided by written notice, electronic notice or substitute notice. Telephone notice is allowed by some states. Substitute notice is allowed if the business can demonstrate that the cost of providing notice would exceed a certain level of expense, or that the affected group of persons that needs to be notified exceeds some particular quantity. Substitute notice can be through e-mail, conspicuous posting of the notice on the Web site of the person or business (if there is one), or notification to major statewide media.

  • Data Destruction – Businesses are required to destroy customer records containing sensitive personal information that are not retained by the business. Generally accepted means of destruction include shredding, erasing, or otherwise modifying the sensitive data to make it unreadable or undecipherable through any means.

Generally, the definition of personal information for the data destruction sections of state laws is broader than the definition for the data security or data breach sections of those laws. For these purposes, the definition means any information that identifies, relates to, describes or is capable of being associated with a particular individual.

Examples of this include names; signatures; Social Security numbers; addresses; telephone numbers; passport numbers; driver’s licenses; insurance policy numbers; education; employment; bank account number or other financial information. It is important to note that the type of information considered protected under data destruction requirements goes well beyond what is normally considered confidential information.

Building goodwill
Successful client relationships involve seeing to customers’ immediate needs in emergencies; providing counsel on particular situations; being fair and honest; and keeping their private information private. Understanding the legal ramifications and requirements is an important first step.

Todd Nunn is a partner in the Seattle office of K&L Gates. His practice emphasizes insurance coverage, electronic discovery and data privacy law, and class action defense. Phone: 206-370-7616. E-mail: todd.nunn@klgates.com.

Insurance Journal Magazine August 6, 2007