Brokers Must Comply with FTC “Red Flags” Data Protection Rule starting November 1, 2009

By Louis H. Castoria 
Introduction
 
The Federal Trade Commission’s “Red Flags” Rule is designed to protect personally identifiable information from data thieves. Insurance brokerage firms and other service providers that receive payment after their services have been delivered are required to comply. The compliance deadline is November 1, 2009—data breaches on or after that day may be subject to penalties of up to $3,500 per violation, and could also result in prosecution for violation of state consumer protection or deceptive trade practices laws. Such laws may permit private individuals to sue and recover treble damages, attorney’s fees and/or litigation costs.
 
Red flags are signs of danger to brokerage firms and agencies, and also to their business customers. By learning about the new FTC Rule, agents and brokers can help business policyholders ensure that their risk management and insurance plans include protection against identity theft and similar losses caused by security breaches.
 
What is a Red Flag, and what does the new FTC rule require?
 
Circumstances when a customer’s “personally identifiable information” may be at a heightened risk of loss or theft are termed “red flags” by the FTC. The FTC requires a company’s senior management to adopt and implement a written “Red Flags Rule Compliance Plan” to identify potential data breaches that could occur in the normal course of operations, and specify procedures that are to be implemented when a red flag indicates that a possible data breach may have taken place. The Compliance Plan also needs to be regularly updated. 
 
It isn’t unusual for insurance professionals to carry or send customers’ identifying information in unsecure settings. Consider:
 
· An account manager downloads the client’s information to a laptop or flash drive, for use in a renewal presentation.

· An agent collects data off-site for an insurance application, and sends that information, or perhaps a completed application form, by fax or e-mail to her office.

· A broker leaves one firm and becomes affiliated with a competing firm. He takes with him the contact information for his clients, although his agreement with the first firm prohibits doing so, and some account information is included in the copied materials.
 
Each of these events is fairly commonplace, but each also presents a risk of confidentiality being breached.
 
Should brokerage firms and other businesses stop using laptops, faxes, and e-mails? That’s hardly practical or desirable. Fortunately, it isn’t hard to comply with the Red Flags Rule. In many firms, a few individuals know how the business obtains and maintains personally identifiable information, and can quickly identify how an attempt at data theft might happen, and what warning signs would indicate that an actual data theft occurred. For example, if a laptop is missing or stolen, the firm’s procedure would be to block that laptop from accessing the company network, and to determine what information was on the laptop. The firm would then comply with applicable privacy laws, appropriately notifying law enforcement and potentially impacted people of the laptop theft. That phrase “applicable privacy laws” can be the catch—which laws apply? That is where a quick legal consultation can prevent or ease many regulatory and litigation headaches. For each red flag a company identifies, a written procedure must be developed and approved for addressing the red flag, including regular training of staff and periodic updates of the red flags and procedures.
 
Data security is more than a legal concern; it’s also an important customer satisfaction and public relations issue. Imagine having to sign letters to valued customers, telling them that their funds and privacy are at risk because of a missing flash drive. Some firms proactively work with potentially impacted customers after a data loss and contact credit bureaus to help protect against damage caused by identity theft.
 
Data breaches routinely result in lawsuits, and compliance with the Red Flags Rule is the first step in proving that a business was not negligent. Failure to comply, on the other hand, may be used as evidence that the business failed to meet established federal regulations for safekeeping personally identifiable data. Litigation outcomes may be strongly impacted by whether a business is, or is not, in compliance with the Red Flags Rule.
 
 
Louis H. Castoria is a partner in the law firm of Wilson Elser Moskowitz Edelman & Dicker LLP. For more information, please contact Louis H. Castoria at louis.castoria@wilsonelser.com, 415.433.0990; Lori S. Nugent at lori.nugent@wilsonelser.com, 312.704.0550; or Joshua M. Kantrow at joshua.kantrow@wilsonelser.com, 312.704.0550.
