Privacy Concerns For the Insurance Industry

DISCLOSURE UNDER TREASURY CIRCULAR 230: The United States Federal tax advice, if any, contained in this document and its attachments may not be used or referred to in the promoting, marketing or recommending of any entity, investment plan or arrangement, nor is such advice intended or written to be used, and may not be used, by a taxpayer for the purpose of avoiding Federal tax penalties. Advice that complies with Treasury Circular 230's "covered opinion" requirements (and thus, may be relied on to avoid tax penalties) may be obtained by contacting the author of this document. This article is for general information only and should not be used as a basis for specific action without obtaining further legal advice.

I. Information security requirements under the Gramm Leach Bliley Act.

A. Section A of Article V of the Gramm Leach Bliley Act requires all financial institutions, securities related industries and the reinsurance industry to keep nonpublic consumer information secure and to disclose to consumers the information that is collected and disseminated by each business. Under the McCarran-Ferguson Act (15 USC § 1011 et. seq.), each state was required to enact legislation to implement federal law.

B. Chapter 5 of the Michigan Insurance Code is based on the model NAIC statute implementing Article V of the Gramm Leach Bliley Act (MCL 500.501 et. seq.). Under this chapter, insurance agents satisfy state requirements to provide privacy disclosures if they do not provide consumer information to any third party promises necessary to process a request for insurance or a claim, and the insurance agent provides a privacy disclosure promulgated by the agent's underwriter. Agents and underwriters that have a continuing customer relationship with a consumer must provide a privacy disclosure to the consumer annually.

C. Standards for safeguarding consumer information were established by Office of Financial and Insurance Services rule, AACS R 500.501, et. seq. Each insurance business is required to perform the following:

1. Assess the risk for loss of information that must be protected under state law.

2. Design an information security program to address the risks identified by the insurance business.

3. Each insurance business must train employees to protect the confidentiality of nonpublic consumer information.

4. Each insurance business should require service providers to implement measures to protect information provided by the insurance business to allow the vendor to provide services.

5. Each insurance business must evaluate the effectiveness of its information security program and make adjustments as necessary to improve performance and address new risks identified by the business.

II. Fair Credit Reporting Act Requirements

A. The Fair Credit Reporting Act (FCRA) requires businesses to allow consumers to opt out of the sharing of non-experiential information with affiliates. "Non-experiential information" includes information related to the credit standing or credit worthiness of a consumer that is not directly about the relationship between the consumer and the business. The insurance company's own claims history would be experiential information. Claims histories from other insurance companies and information gathered in an application for insurance would be non-experiential information subject to this rule.

B. FCRA Identity Theft proposal: Customer Identification Programs. Section 114 of the FACT Act amends Section 615 of the FCRA and requires each of the federal banking regulators and the FTC (the "Agencies") to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers.

In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. Proposed "Red Flag Rules" were published at 71 FR 40786 (7/18/06). The centerpiece of the proposed rules is a list of "red flag" items that each financial institution (including mortgage brokers and mortgage lenders), and anyone who uses a consumer credit report, must examine for each consumer to help deter identity theft.

Under the proposed Red Flag Regulations, financial institutions and creditors must have a written Program that is based upon the risk assessment of the financial institution or creditor and that includes controls to address the identity theft risks identified. This Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities, and be flexible to address changing identity theft risks as they arise. A financial institution or creditor may wish to combine its program to prevent identity theft with its information security program, as these programs are complementary in many ways. The Program must include policies and procedures to prevent identity theft from occurring, including policies and procedures to:

C. FCRA requires businesses to dispose of documents containing consumer information in a manner that does not allow the information to fall into unauthorized hands. In other words, (i) documents should be shredded before they are thrown in the trash, and (ii) computer hard drives should be overwritten before the computer is disposed of or sold.
