1 An Agent's Guide to Understanding and Complying with Privacy Requirements
By Patricia A. Borowski, Senior Vice President, PIA National
2 Summary of Presentation
I. Remembering this is Round Two
II. Purpose of the Privacy Requirements in GLBA
III. Requirements imposed upon independent agents under GLBA
IV. How to Comply
V. Questions
3 2nd Round: Been There, Done That
TRADITIONALLY, as a practice in insurance, privacy/confidentiality has been and is recognized:
- Some common law cases on point
- 1986 NAIC Privacy Protection & Information Model Act, adopted by 17 states
- Inculcated as industry-wide practice
- Balanced with insurance common-law expectations
4 Purpose of Privacy Requirements in GLBA
What is GLBA?
I. In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA).
II. GLBA's purpose was to legally create a federal financial services industry with insurance, banking and securities under it.
III. It was meant to tear down the legal barriers that prevented affiliations between banks, insurance companies and securities firms, and to allow the creation of "financial supermarkets."
5 Purpose of Privacy Requirements in GLBA
What's the connection between GLBA and privacy?
I. GLBA's passage was seen by consumer advocates as a vehicle to finally impose privacy practices on banks, an effort that had failed in the past.
II. It also coincided with improvements in communications technology like e-mail and the Internet.
6 Purpose of Privacy Requirements in GLBA
III. Quick and effortless dissemination of information between and within these financial supermarkets could hurt consumers or, at the very least, "tick 'em off."
IV. Congress was pressured to include privacy standards in GLBA to ensure that consumer information was protected from rampant sharing.
V. Enter Title V of GLBA: Title V is the section of the law dealing with privacy.
7 Purpose of Privacy Requirements in GLBA
What does Title V accomplish?
I. Title V establishes minimum federal privacy standards.
Who enforces Title V privacy requirements?
I. GLBA's privacy requirements are "functionally regulated," which means the governmental entity that normally regulates a particular business sector is charged with interpreting and enforcing GLBA's standards for that sector.
8 Purpose of Privacy Requirements in GLBA
For insurance, the regulating governmental entities are the state insurance departments, working through the NAIC (the association of the state insurance regulators, not itself a government agency).
a. This means the NAIC develops the model for the minimum privacy standards imposed by GLBA, and the states adopt it.
b. However, since these are minimum standards, the states are free to pass tougher privacy requirements.
9 Purpose of Privacy Requirements in GLBA
Whose information is protected by Title V of GLBA?
I. GLBA's privacy standards protect an individual's information for auto, home and other personal insurance use, not a business entity's.
10 Summary of GLBA's Title V Privacy Requirements
I. Written privacy policy
II. Privacy notice to customers, which may need to include an opportunity for customers to opt out of, or opt in to, information sharing
III. Information security program in place at the agency to protect customer information
IV. Access for carriers and governmental entities to audit compliance
11 Particular Challenges for Insurance Under GLBA
- Title V was written from a bank-law, practice, structure, regulation and federal perspective, not an insurance one, and translation has been tough.
- Coordinating with existing state insurance law and court decisions on privacy and practices; there are some differences among the states on this.
- The nature of "licensee," "consumer" and "data" may change with the nature of the insurance transaction.
- Captive vs. independent insurance agency/agent relationships to insurer and consumer differ.
12 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Three things necessary to understanding GLBA's privacy requirements:
1. Look to each state's insurance privacy laws for specific details.
2. What type of information is protected?
3. The different terms defined by GLBA, or "the GLBA cast of characters."
13 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
I. What type of information is protected?
I. Non-public personal information (as in not commercial information).
II. GLBA defines non-public personal information as "personally identifiable financial information provided by a consumer to a financial institution or personally identifiable financial information resulting from any transaction with the consumer." (The statute adds a third prong: such information otherwise obtained by the financial institution.)
14 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Examples of non-public personal information (NPI) can be:
- UNLISTED names, addresses, telephone numbers*
- Consumer financial information
- The fact that a person is or was a customer or has obtained a financial product from you
- Claims history or payment history
- Other information about the individual that is provided in connection with obtaining an insurance product or service
15 Requirements Imposed Upon Independent Insurance Agents Under GLBA
PIA recommends that you treat ALL customer information as non-public personal information because of:
- OWNERSHIP
- Compliance
- Control
- Coordination with other privacy-related laws, i.e. HIPAA, Do-Not-Call (D-N-C), etc.
16 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
II. Cast of characters under GLBA
I. Financial institution: "Any institution the business of which is engaging in financial activities like underwriting, securities, or providing financial, investment or economic advisory services."
17 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Terms continued...
- An insurance carrier is a "financial institution" under GLBA since it underwrites.
- Per the Fed's opinion, an independent insurance agency is a "financial institution" under GLBA since it is involved in underwriting and multiple markets.
18 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Terms continued...
II. Consumer (potential business): an individual who obtains a financial product or service from a financial institution = prospect.
III. Customer (actual business): a consumer with whom a financial institution has an ongoing relationship, i.e. one to whom it provides a product or service. Most of GLBA's requirements are owed to an agent's customers, but applicants, claimants, beneficiaries and employees covered by group benefits can be included.
IV. Affiliate: any company that controls, is controlled by, or is under common control with another company. Generally, an agent can share information with its affiliates (if it has any) without giving the customer an opportunity to opt out. Insurers and independent agencies (IAs) are not per se "affiliates," but questions of control matter.
19 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
V. Non-affiliated third party: any entity that is not an affiliate of, or related by common ownership to, the financial institution.
VI. Joint marketing arrangement: an arrangement where a financial institution provides non-public personal information to a non-affiliated third party in order for that third party to perform services on behalf of the financial institution, like marketing the financial institution's products and services. (Relevant to insurers and IAs.)
20 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
EXAMPLE of a joint marketing arrangement: an independent agency sharing client information with an equity firm to produce a securities solicitation of the agency's client.
Is an independent agency providing underwriting information to its carriers to shop, place, effect or renew coverage for one of its customers a joint marketing arrangement? NO. Per GLBA both agency and carrier are financial institutions and unaffiliated third parties with respect to each other, and that sharing falls under the servicing exception. It is not so under insurance law for purposes of co-joined action.
21 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
What does GLBA say about sharing non-public personal information? The customer's opt-out right applies when a disclosure to a non-affiliated third party fits neither exception, that is, when:
1. the agent is NOT sharing the information to service or process insurance coverage requested or authorized by the customer, AND
2. the information is NOT being shared as part of a joint marketing arrangement between the agency and a non-affiliated third party.
22 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
What does GLBA say about sharing non-public personal information?
I. An agency (or any financial institution) CANNOT share NPI with a non-affiliated third party UNLESS:
1. the agency creates a written privacy policy;
2. the agency has an information security program;
23 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
3. the agency provides its customers with a privacy policy notice;
I. the notice must be given at the initiation of the customer relationship AND annually thereafter;
4. the privacy policy notice must give customers the option of opting out of sharing their information with non-affiliated third parties if the sharing falls outside the servicing and joint marketing exceptions (see slide 21).
24 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Once an agency has given its customers a notice of its privacy policy, non-public personal information CAN be shared if:
1. the agency has in place a written privacy policy and an information security program which protects the confidentiality of customer records, AND
2. the information is being shared in connection with the servicing or processing of a financial product or service requested or authorized by the customer, OR
3. the information is being shared as part of a joint marketing arrangement where the parties to the arrangement have signed a contract promising to protect NPI.
25 Requirements Imposed Upon Insurance, Affecting PIA Members Under GLBA
Nutshell statement of what GLBA's privacy requirements say for independent insurance agents:
"Don't share information about your customer without: (1) having an information security program in place that protects the confidentiality of that customer's information, (2) having a written privacy policy that explains the ways in which that customer's information is gathered, protected and shared, and (3) having given your customers notice of the fact that you will share their information AND the opportunity to opt out of sharing it, if you share their information with a party who is (1) unrelated to your agency and (2) unrelated to the placement or service of that customer's insurance."
26 Complying with GLBA's Privacy Requirement
This compliance advice is NOT comprehensive, because there are four potential sources of privacy obligations:
1. State privacy and related statutes
2. Case law or common law in each state
3. Other federal laws like HIPAA
4. Carrier-issued or vendor-issued agreements which agents have signed
27 Complying with GLBA's Privacy Requirement
Minimum steps independent agencies should consider in order to comply with GLBA.
Remember, this advice is NOT intended to serve as a substitute for the advice of legal counsel; it is a suggested prudent course of action independent agencies should consider to assist them in complying with their various privacy obligations.
28 Complying with GLBA's Privacy Requirement
#1. In most cases independent agencies should create and send a general disclosure notice of their privacy policy/practices to their customers. The notice must be sent at the initiation of the relationship and then annually thereafter.
29 Complying with GLBA's Privacy Requirement
How to Create a Privacy Notice
Step 1: Use the privacy notice as an opportunity to thank your customers for their business and as a "time to share with them the importance your agency holds the privacy and confidentiality of their personal information."
Step 2: State the fact that your agency is a member of the financial services industry, which is subject to federal and state privacy laws regarding the collection and exchange of customer information.
30 Complying with GLBA's Privacy Requirement
Step 3: State that "in order to execute the insurance market search and placement for the insurance coverages your needs/risk exposures require, our agency must gather the necessary information."
Step 4: List the sources your agency uses to collect information about the customer, like:
- Information we receive from you on applications or other forms;
- Information about your transactions with us, our affiliates or others;
- Information we receive from a consumer reporting agency.
31 Complying with GLBA's Privacy Requirement
Step 5: State that to provide the insurance service or product requested, our agency will have to share the personal information gathered from these sources with other insurance-related parties that are similarly obligated under state and federal privacy laws to keep all treatment and exchange of your information within the requirements of those laws.
32 Complying with GLBA's Privacy Requirement
Step 6: List the kinds of non-public personal information that may need to be shared:
- Information we receive from you on applications or other forms, such as your name, address, Social Security number, assets, income and beneficiary information
- Information about your transactions with us, our affiliates or others, such as your policy coverage, premiums and payment history
- Information we receive from a consumer reporting agency, such as your insurance score, MVR and/or claims history
33 Complying with GLBA's Privacy Requirement
Step 7: Explain your information security program.
"As we place your insurance with these insurance entities, both they and our agency work together, as well as individually, to retain your information only for those activities required to underwrite, issue and service your policy of insurance and to conduct claims and related service activities on your behalf. We restrict access to nonpublic personal information about you to those employees who need to know that information to provide products or services to you. In a reasonable and prudent manner, we maintain the physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information."
34 Complying with GLBA's Privacy Requirement
Step 8: Give customers the option to opt out of information sharing with those non-affiliated third parties with whom you are sharing customer information for purposes OTHER than insurance purposes:
"If you prefer that we not disclose personal information about you (other than those permitted disclosures) to non-affiliated third parties, you may opt out of those disclosures; that is, you may direct us not to make those disclosures. If you wish to opt out of disclosure to non-affiliated third parties, please sign and return the attached statement."
35 Complying with GLBA's Privacy Requirement
#2. Independent agencies need to create a written privacy policy and establish an information security program. These two requirements go hand in hand, because the "security program" is really just the implementation of the agency's written privacy policy.
36 Complying with GLBA's Privacy Requirement
How to Create a Written Privacy Policy and Implement an Information Security Program
*The following steps relate to creating the written privacy policy*
Step 1: Examine the different types of information your agency receives and the ways your agency receives such information from your customers, and DOCUMENT THIS EXAMINATION.
Step 2: Examine the entities your agency exchanges client information with and note the purpose for the exchange and the type of information exchanged; DOCUMENT THIS EXAMINATION.
37 Complying with GLBA's Privacy Requirement
Step 3: Examine the language relating to "protection of information" contained in the different agreements your agency has signed; DOCUMENT THIS EXAMINATION.
Step 4: Draft a written privacy policy for your agency which addresses the type of information your agency protects and the way in which your agency will protect such information.
38 Complying with GLBA's Privacy Requirement
*The following steps relate to the areas the privacy policy should address*
Step 1: Your privacy policy must protect the confidentiality of information as it is collected and received.
- Train employees to protect client information as it is received.
- Fax machines are regularly checked, you use a secure e-mail provider, etc.
Step 2: If information is processed into your agency's computer system via laptops, desktops or the Internet, check to make sure that such systems are secure, and mention in your policy the ways the system will be kept secure.
39 Complying with GLBA's Privacy Requirement
Step 3: Your policy states a goal that your agency's computer systems will keep reasonable pace with technological developments in protecting customer information.
- The agency should update virus and firewall protections accordingly and needs to budget annual expenditures for technology upgrades.
40 Complying with GLBA's Privacy Requirement
Step 4: Your policy must address what steps your agency is taking to protect information it shares with outside entities, like carriers or vendors.
- Consider having these vendors sign an agreement in which they promise to request the minimal amount of information necessary to complete the transaction and promise not to share or use the information for purposes beyond the immediate transaction.
41 Complying with GLBA's Privacy Requirement
Step 5: The policy should state that the agency will only collect information that is necessary for the insurance being secured.
Step 6: The policy should state that data (whether paper, files, screens, tapes, etc.) should not be left unattended and/or open to public view.
Step 7: The policy should state that staff will be educated on the duty to protect information and that the agency will oversee that staff protect information.
- There needs to be language in the employee handbook and in employees' position descriptions which identifies what information is protected and how employees must behave to keep that information private.
42 Complying with GLBA's Privacy Requirement
Step 8: The policy must state that information will not be shared if a client has "opted out" of sharing such information, or if it is health information and the client has not "opted in."
Step 9: The privacy policy must state that access to protected information will be granted to those governmental entities and certain business entities who require access to audit your agency's compliance.
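The sharing rules from the nutshell statement (slide 25) and from steps 8 and 9 above, written as a decision gate that an agency management system could call before any NPI leaves the agency. This is an added example, not code from PIA or from the original presentation; the field names, the 365-day reading of "annually", and the sample requests are assumptions made for the example. The deck states the health-information opt-in without carve-outs, so the gate does too; state insurance privacy rules may add exceptions, so check your own state's rules before relying on it.

```python
"""Disclosure gate for non-public personal information (NPI), following this
deck: preconditions (slides 22-24), servicing and joint-marketing exceptions
(slides 21, 24), opt-out for everything else (slide 25), health opt-in and
audit access (slide 42). Added illustration; fields and dates are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Literal, Optional, Tuple

Relationship = Literal["affiliate", "nonaffiliated", "auditor"]
Purpose = Literal["servicing", "joint_marketing", "other"]

# "At the initiation of the customer relationship AND annually thereafter";
# 365 days is this example's reading of "annually" (assumption).
NOTICE_WINDOW = timedelta(days=365)


@dataclass
class AgencyControls:
    written_privacy_policy: bool      # slide 22, item 1
    infosec_program: bool             # slide 22, item 2
    initial_notice_sent: bool         # slide 23, item 3
    last_notice_date: Optional[date]  # most recent annual notice, if any


@dataclass
class SharingRequest:
    recipient: str
    relationship: Relationship
    purpose: Purpose
    health_info: bool = False
    customer_opted_out: bool = False
    health_opt_in: bool = False          # affirmative opt-in for health info
    contract_protects_npi: bool = False  # signed joint-marketing contract


@dataclass
class Decision:
    allowed: bool
    basis: str  # the rule that decided, for the audit trail


def notice_is_current(ctl: AgencyControls, today: date) -> bool:
    """Initial notice was sent and the latest annual notice is within the window."""
    if not ctl.initial_notice_sent or ctl.last_notice_date is None:
        return False
    return today - ctl.last_notice_date <= NOTICE_WINDOW


def evaluate(req: SharingRequest, ctl: AgencyControls, today: date) -> Decision:
    """Decide one proposed disclosure; the first matching rule wins."""
    # Step 9: regulators and auditors get access to verify compliance.
    if req.relationship == "auditor":
        return Decision(True, "compliance audit access")
    # Step 8: health information needs an opt-in. The deck states this
    # without carve-outs, so it is checked before every other path.
    if req.health_info and not req.health_opt_in:
        return Decision(False, "health information without customer opt-in")
    # Slide 18: sharing with affiliates generally needs no opt-out.
    if req.relationship == "affiliate":
        return Decision(True, "affiliate sharing")
    # Slides 22-24: nothing goes to a non-affiliated party without the
    # written policy, the security program and a current privacy notice.
    if not (ctl.written_privacy_policy and ctl.infosec_program):
        return Decision(False, "missing written privacy policy or security program")
    if not notice_is_current(ctl, today):
        return Decision(False, "privacy notice missing or older than one year")
    # Slide 24: servicing the product the customer asked for is permitted.
    if req.purpose == "servicing":
        return Decision(True, "servicing/processing exception")
    # Slide 24: joint marketing only under a contract that protects NPI.
    if req.purpose == "joint_marketing":
        if req.contract_protects_npi:
            return Decision(True, "joint marketing under NPI-protecting contract")
        return Decision(False, "joint marketing without signed NPI contract")
    # Slides 21 and 25: any other disclosure is subject to the opt-out.
    if req.customer_opted_out:
        return Decision(False, "customer opted out")
    return Decision(True, "non-exempt disclosure; customer did not opt out")


def run_examples() -> List[Tuple[str, bool, str]]:
    """Constructed sample requests (no real customer data) run through the gate."""
    today = date(2024, 9, 1)
    current = AgencyControls(True, True, True, date(2024, 3, 1))
    stale = AgencyControls(True, True, True, date(2023, 6, 1))  # notice over a year old
    cases = [
        ("placement with carrier", SharingRequest("Carrier A", "nonaffiliated", "servicing"), current),
        ("securities solicitation, no opt-out", SharingRequest("Equity firm", "nonaffiliated", "other"), current),
        ("securities solicitation, opted out",
         SharingRequest("Equity firm", "nonaffiliated", "other", customer_opted_out=True), current),
        ("health info to carrier, no opt-in",
         SharingRequest("Carrier A", "nonaffiliated", "servicing", health_info=True), current),
        ("joint marketing without contract",
         SharingRequest("Marketing vendor", "nonaffiliated", "joint_marketing"), current),
        ("placement with carrier, stale notice", SharingRequest("Carrier A", "nonaffiliated", "servicing"), stale),
        ("state examiner audit", SharingRequest("State DOI", "auditor", "other"), stale),
    ]
    results = []
    for label, req, ctl in cases:
        d = evaluate(req, ctl, today)
        results.append((label, d.allowed, d.basis))
    return results


if __name__ == "__main__":
    for label, allowed, basis in run_examples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {basis}")
```

The ordering is the point: the policy, program and notice checks run before any exception is considered, because slide 24 makes them the precondition for every disclosure to a non-affiliated party; the opt-out is only consulted at the end, for disclosures that neither the servicing nor the joint-marketing exception covers. Each decision carries the rule that produced it, which is the record an examiner exercising the step 9 audit access will ask for.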
43 Complying with GLBA's Privacy Requirement
#3. Implement the policy and monitor its effectiveness.
44 WHY? Consider These Suggestions
- OWNERSHIP
- Compliance
- Control
- Coordination with other privacy-related laws, i.e. HIPAA, Do-Not-Call (D-N-C), etc.
45 Requirements Imposed Upon Independent Insurance Agents Under GLBA
Questions?
Thank you for being a PIA member and attending this session!
Pat Borowski, patbo@pianet.org, 1-703-528-1360