AAI Urges 3 States to Modify Approach for Safeguarding Consumer Information

June 4, 2002

Regulations being proposed in three states aimed at safeguarding consumer information should be modified so as not to encourage private lawsuits against insurers, according to the Alliance of American Insurers.

The three states, Arkansas, Oregon and Utah are considering regulations that closely track the recently adopted 2002 National Association of Insurance Commissioners’ Standards for Safeguarding Customer Information Model Regulation. They are the first to consider the model regulation. Eventually, all states will have to adopt standards to comply with provisions in the federal Gramm-Leach-Bliley (GLB) Act. The GLB provisions require regulators to establish standards to protect the confidentiality and security of customer records, protect against threats to security or integrity of the information and to protect against unauthorized access to customer records.

“While we commend the regulators for addressing the important issue of customer information security, the regulations being considered by these three states could create additional red tape and exposure for insurers while not providing a corresponding benefit to policyholders,” Patrick Watts, Alliance assistant vice president of regulation, commented.

The proposed state regulations require insurers to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The program must be appropriate to the size and complexity of the insurer and the nature and scope of its activities. The regulations give examples of methods of developing and implementing an information security program. These include steps to assess risk, manage and control risk, oversee service provider arrangements, and adjust the program. Violations would be considered unfair trade practices.

Hearings will be held in the near future on the above-states’ regulations and the Alliance plans to submit comments at each.

“We are concerned that the regulations create new trade practice violations that will encourage private lawsuits,” Watts said. “States generally have the power to address regulatory violations without promoting costly, time-consuming litigation.” The rules also contain an unreasonably short timeframe for compliance. “As we told the NAIC during its model-making process, insurers need adequate time to deal with compliance provisions, especially for service provider contracts in existence before the regulation’s effective date,” Watts commented. “Analogous federal regulations provide two years to bring these types of contracts into compliance. While this time period might be too lengthy at this point, more than the month-and-a-half allowed by two of these state rules is needed to implement a proper compliance program.”

Finally, Watts said that the Arkansas regulation goes farther than GLB intended, and should be changed to more closely track the intent of GLB, which narrowly defines whose information needs protecting to ‘customer’ rather than the broader term consumers. “Insurers only should be required to implement protections for persons with which a customer relationship has been established,” Watts added.

Was this article valuable?

Here are more articles you may enjoy.