Privacy Concerns For the Insurance Industry
by Joseph P. Garin
Outline by Howard A. Lax
DISCLOSURE UNDER TREASURY CIRCULAR 230: The United States Federal tax advice, if any, contained in this document and its attachments may not be used or referred to in the promoting, marketing or recommending of any entity, investment plan or arrangement, nor is such advice intended or written to be used, and may not be used, by a taxpayer for the purpose of avoiding Federal tax penalties. Advice that complies with Treasury Circular 230's "covered opinion" requirements (and thus, may be relied on to avoid tax penalties) may be obtained by contacting the author of this document.
This article is for general information only and should not be used as a basis for specific action without obtaining further legal advice.
I. Information security requirements under the Gramm Leach Bliley Act.
A. Section A of Article V of the Gramm Leach Bliley Act requires all financial institutions, the securities-related industries and the reinsurance industry to keep nonpublic consumer information secure and to disclose to consumers what information each business collects and disseminates. Under the McCarran-Ferguson Act (15 USC §1011 et seq.), each state was required to enact legislation to implement the federal law.
B. Chapter 5 of the Michigan Insurance Code (MCL 500.501 et seq.) is based on the model NAIC statute implementing Article V of the Gramm Leach Bliley Act. Under this chapter, insurance agents satisfy the state requirement to provide privacy disclosures if they do not provide consumer information to any third party except as necessary to process a request for insurance or a claim, and if the agent provides the privacy disclosure promulgated by the agent's underwriter. Agents and underwriters that have a continuing customer relationship with a consumer must provide a privacy disclosure to the consumer annually.
C. Standards for safeguarding consumer information were established by Office of Financial and Insurance Services rule, AACS R 500.501 et seq. Each insurance business is required to do the following:
1. Assess the risk of loss of information that must be protected under state law.
2. Design an information security program to address the risks the insurance business has identified.
3. Train employees to protect the confidentiality of nonpublic consumer information.
4. Require service providers to implement measures to protect information the insurance business provides to the vendor so that the vendor can perform its services.
5. Evaluate the effectiveness of the information security program and adjust it as necessary to improve performance and address newly identified risks.
II. Fair Credit Reporting Act Requirements
A. The Fair Credit Reporting Act (FCRA) requires businesses to allow consumers to opt out of the sharing of non-experiential information with affiliates. "Non-experiential information" includes information related to the credit standing or creditworthiness of a consumer that is not directly about the relationship between the consumer and the business. The insurance company's own claims history would be experiential information. Claims histories from other insurance companies and information gathered in an application for insurance would be non-experiential information subject to this rule.
B. FCRA Identity Theft proposal: Customer Identification Programs. Section 114 of the FACT Act amends Section 615 of the FCRA and requires each of the federal banking regulators and the FTC (the "Agencies") to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. Proposed "Red Flag Rules" were published at 71 FR 40786 (7/18/06). The centerpiece of the proposed rules is a list of "red flag" items that each financial institution (including mortgage brokers and mortgage lenders), and anyone who uses a consumer credit report, must examine for each consumer to help deter identity theft. Under the proposed Red Flag Regulations, financial institutions and creditors must have a written Program that is based upon the institution's or creditor's own risk assessment and that includes controls to address the identity theft risks identified. This Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities, and must be flexible enough to address changing identity theft risks as they arise. A financial institution or creditor may wish to combine its identity theft program with its information security program, as the two are complementary in many ways. The Program must include policies and procedures to prevent identity theft from occurring, including policies and procedures to:
C. FCRA requires businesses to dispose of documents containing consumer information in a manner that does not allow the information to fall into unauthorized hands. In other words, (i) documents should be shredded before they are thrown in the trash, and (ii) computer hard drives should be overwritten before the computer is disposed of or sold.
D. Litigation is pending in the Michigan Court of Appeals over the use of credit reports in underwriting insurance. A lower court decision overturning regulations that banned the use of credit scoring in underwriting hazard insurance has been appealed by the Office of Financial and Insurance Services to the Michigan Court of Appeals. According to Property Casualty Insurers Association of America, 18 states considered 48 bills dealing with insurance scoring in 2006. Of those, 27 would have completely banned the use of credit scoring by insurers.
III. Health Insurance Portability and Accountability Act (HIPAA)
A. HIPAA protects against the unauthorized release of personal health information that is created or received by a "covered entity" and that relates to the past, present or future medical or mental condition of an individual, or to the provision of, or payment for, care for that condition.
B. HIPAA requires insurance companies that meet the HIPAA definition of "health plan" to provide a disclosure of what information is collected and how it is used (a Notice of Health Information Privacy Practices), similar to the financial privacy disclosure required under the Gramm Leach Bliley Act. Businesses that generate, use or maintain protected health information cannot use or disclose it without written authorization from the patient, except for purposes of providing treatment, obtaining payment, managing their internal operations, or certain public policy reasons specified in HIPAA. Health plans must establish internal safeguards to protect the information from unauthorized disclosure.
Other rights granted by HIPAA include:
The right to have access to designated records that contain protected health information (PHI).
The right to request restrictions on the use and disclosure of PHI.
The right to receive confidential communications at an alternate address or location.
The right to request an accounting of disclosures of PHI.
The right to request an amendment of PHI.
The right to file a complaint.
IV. Other State Laws
A. A package of bills (2004 PA 452, 453, 454, 455, 456, 457, 458, 459, 460, 461 and 462) signed by the Michigan Governor at the end of 2004 provides protections to victims of identity theft above and beyond the protections afforded by FCRA. The bills prohibit a business from displaying or requesting a customer's social security number, except when the customer is applying for a loan and in certain other circumstances. The bills prohibit merchants from including more than four digits of a customer's credit card number on a receipt; there was a grandfather period for replacing old equipment that prints the entire credit card number. Social security numbers cannot be used by a business as ID numbers or login numbers.
B. Employers are obligated to keep employee social security numbers secure, and are liable for damages resulting from the loss of this information. 2004 PA 254 states:
"(a) Ensures to the extent practicable the confidentiality of the social security numbers.
(b) Prohibits unlawful disclosure of the social security numbers.
(c) Limits who has access to information or documents that contain the social security numbers.
(d) Describes how to properly dispose of documents that contain the social security numbers.
(3) This section does not apply to a person who possesses social security numbers in the ordinary course of business and in compliance with the fair credit reporting act, 15 USC 1681 to 1681v, or subtitle A of title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809."
V. Administrative and Judicial Enforcement
A. The FTC has authority under the FTC Act to fine companies for deceptive trade practices. The FTC considers the failure to safeguard consumer information to be a deceptive trade practice. In December 2005, shoe discounter DSW Inc. agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. The FTC charged that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleged that DSW:
created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
failed to employ sufficient measures to detect unauthorized access.
According to the FTC, approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers. According to DSW's SEC filings, as of July 2005, the company's exposure for losses related to the breach ranged from $6.5 million to $9.5 million. The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.
B. In Bell v. Michigan Council 25 of the American Federation of State, County, and Municipal Employees, Michigan Court of Appeals No. 246684 (unpublished 2/15/05), the Court affirmed an award of $275,000 to 13 union members who were the victims of identity theft by the daughter of the union treasurer. The treasurer was permitted to take her work home. The treasurer's daughter stole the names, social security numbers and other information from her mother and used this information to obtain money under false pretenses.
C. Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, agreed to settle FTC charges that it violated the Safeguards Rule by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online. The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years.
Joseph P. Garin is a partner in the firm of Lipson, Neilson, Cole, Seltzer & Garin, P.C.