IIAC Young Agents - Protecting Your Insureds' Private Information

Client Confidentiality – Protecting Your Insureds’ Private Information IIAC Young Agents Jason Hoeppner, CIC

description

Personal information security and breach notification requirements are topics that all independent insurance agencies need to be aware of and be prepared for operationally in the event of a loss of clients' information.

Transcript of IIAC Young Agents - Protecting Your Insureds' Private Information

Page 1: IIAC Young Agents - Protecting Your Insureds' Private Information

Client Confidentiality – Protecting Your Insureds’ Private Information

IIAC Young Agents

Jason Hoeppner, CIC

Page 2: Objectives

• To bring awareness about the laws, regulations and administrative letters concerning the protection of clients’ personal information.
• To understand the requirements of these laws and regulations as they pertain to insurance agencies and their operations.
• To describe how you can improve your ability to protect non-public personal information (PI) at your agency.

Page 3: Agenda

• CT Laws
  – CT Insurance Bulletin IC-25
  – Breach Notification Laws
• Gramm-Leach-Bliley Act
• Ways to better protect PI at your agency.

Time permitting:
• MA 201 CMR 17.00
• Federal Legislative Initiatives

Page 5: CT Laws

• Bulletin IC-25
  – Addressed to “All regulated entities in CT”, including:
    • Insurance Producers
    • Certified Insurance Consultants
    • Property and Casualty Insurers
    • Life and Health Insurers
    • Surplus Lines Companies
    • Casualty Claims Adjusters
    • …

Page 6: CT Laws

• Bulletin IC-25 (cont.)
  – The CT Insurance Department requires all licensees and registrants to notify the Department, as soon as an incident is identified (and no later than 5 calendar days after), of any information security breach which affects any CT residents.
  – Refers back to Title 38a (Insurance) and Title 42 (Conn. Gen. Stat. 42-471, Protection of Social Security Numbers and Personal Information) for its authority.

Page 7: CT Laws

• Bulletin IC-25 (cont.)
  The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Page 8: CT Laws

• Bulletin IC-25 (cont.)
  – Notification Procedures (see Breach Notification, below)
  – Vendors / Business Associates
    The Department also specifies that an information security incident at or by a vendor or business associate of a licensee or registrant … should be reported by the licensee or registrant to the Department.
  – Administrative Actions
    Each incident will be evaluated on its own merits, and depending on the circumstances, some situations may warrant imposition of administrative penalties by the Department.

Page 9: CT Laws

• The state statute that pertains to breaches of personal information is Sec. 36a-701b, Breach of security re computerized data containing personal information.

Page 10: Agenda

• CT Laws
  – CT Insurance Bulletin IC-25
  – Breach Notification Laws
• Gramm-Leach-Bliley Act
• Ways to better protect PI at your agency.

Time permitting:
• MA 201 CMR 17.00
• Federal Legislative Initiatives

Page 11: National Conference of State Legislatures

• Links to all state breach notification laws can be found here: http://www.ncsl.org/default.aspx?tabid=13489

State  Pertinent law
NY     New York General Business Law (GBS) Article 39-F, § 899-aa
NJ     New Jersey Statute 56:8-163
CT     Connecticut General Statute 36a-701b
VT     Vermont Statute Title 9, Chapter 62: Protection of Personal Information
NH     New Hampshire Statute Chapter 359-C: Right to Privacy, Sections 359-C:19-21

Page 12: What Is a Breach?

• According to current legislation in Connecticut, a breach is defined as:

“unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”

Page 13: What Is a Breach?

The bottom line: any time someone who is not authorized to access personal information (an agency employee or not) obtains that information and has the opportunity to misuse it, it is most likely a breach. Note the difference in scope between the two CT sources: the statute excludes data that was secured by encryption, while Bulletin IC-25 counts incidents involving encrypted data as well.

Page 14: Personal Information

State  Definition of Personal Information
CT     Individual’s first name (or first initial) and last name, in conjunction with one or more of the following:
       (1) Social Security Number
       (2) Driver’s (or motor vehicle operator’s) license number or other state/government ID number
       (3) (Financial) account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Page 15: Breach Notification Requirements

State: CT

Who needs to be notified?
- The owner or licensee of the breached PI.
- Residents of the state of CT whose PI was breached.

When?
- Immediately following the discovery of the breach.
- Without unreasonable delay, subject to a law enforcement agency determination that such notification will not impede a criminal investigation.

Additionally, as we see with IC-25, the CT Insurance Department must also be notified.

Page 16: Additional Points on Notifications

• CT:
  – Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.

As we can see, the reporting requirements of the CT Insurance Department under IC-25 are somewhat more demanding than the standard breach notification requirements under the banking statute: the Department expects to hear about an incident whether or not the data was encrypted, and within five calendar days.

Page 17: Methods for Breach Notifications

Type of Notification  Notes
Written
Electronic            Provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001.
Telephone
Substitute            Email, website, or major (statewide) media. Available in cases where notification costs are greater than $250,000 or more than 500,000 individuals have been affected.
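As an added example (not from the slides), the following Python applies the Connecticut definitions quoted on Pages 6, 7, 12, 14, 15 and 17 to a constructed list of records exposed in an incident: which records are statutory “personal information”, which of those are a breach under 36a-701b (unencrypted only), which still have to be reported to the Insurance Department under IC-25 (encrypted or not), the five-calendar-day Department deadline, and whether the substitute-notice thresholds are met. The field names, the sample records and the notice-cost figure are assumptions made for the example; the harm-determination exception on Page 16 and law-enforcement delays are not modelled.

```python
"""Breach-scoping helper for a Connecticut incident.

Added example, not from the slides. It applies the definitions quoted on the
slides (Conn. Gen. Stat. 36a-701b and Insurance Department Bulletin IC-25) to a
constructed list of exposed records. Field names, sample records and the
notice-cost figure are assumptions made for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class ExposedRecord:
    first_name: str                             # full first name or first initial
    last_name: str
    state: str                                  # state of residence, e.g. "CT"
    ssn: Optional[str] = None
    license_number: Optional[str] = None        # driver's licence or other government ID number
    account_number: Optional[str] = None        # financial, credit or debit account number
    account_access_code: Optional[str] = None   # PIN / security code / password for that account
    encrypted: bool = True                      # data was unreadable (encrypted) when accessed
    publicly_available: bool = False            # lawfully public government record or media


def is_personal_information(r: ExposedRecord) -> bool:
    """36a-701b 'personal information': name plus at least one listed element.
    An account or card number on its own does not qualify; it needs the code
    that would permit access to the account."""
    if not (r.first_name and r.last_name) or r.publicly_available:
        return False
    if r.ssn or r.license_number:
        return True
    return bool(r.account_number and r.account_access_code)


def is_statutory_breach_record(r: ExposedRecord) -> bool:
    """36a-701b only counts PI that was NOT secured by encryption (or an
    equivalent method that renders it unreadable)."""
    return is_personal_information(r) and not r.encrypted


def is_ic25_incident_record(r: ExposedRecord) -> bool:
    """IC-25 covers access to a Connecticut insured's information 'whether or
    not encrypted', so encrypted records still have to reach the Department.
    (IC-25 also reaches health and other personal data beyond the statutory
    elements; this helper only checks the statutory ones.)"""
    return r.state == "CT" and is_personal_information(r)


def scope_incident(records: List[ExposedRecord], discovered_on: date,
                   estimated_notice_cost_usd: float) -> dict:
    """Summarise who must be told, and by when, for one incident."""
    ct_records = [r for r in records if r.state == "CT"]
    statutory = [r for r in ct_records if is_statutory_breach_record(r)]
    ic25 = [r for r in ct_records if is_ic25_incident_record(r)]
    return {
        # residents (and the owner/licensee of the data) to notify under 36a-701b
        "ct_residents_to_notify": len(statutory),
        # IC-25: report as soon as identified, no later than 5 calendar days after
        "ic25_report_required": len(ic25) > 0,
        "ic25_report_deadline": discovered_on + timedelta(days=5),
        # substitute notice (email / website / statewide media) is available when
        # notice would cost more than $250,000 or reach more than 500,000 people
        "substitute_notice_allowed": (estimated_notice_cost_usd > 250_000
                                      or len(statutory) > 500_000),
    }


# Constructed sample records (not real people) covering the edge cases above.
SAMPLE_RECORDS = [
    ExposedRecord("Ann", "Doe", "CT", ssn="000-00-0001", encrypted=False),
    ExposedRecord("B.", "Roe", "CT", account_number="4111-0000", encrypted=False),   # no access code: not PI
    ExposedRecord("Cal", "Poe", "CT", license_number="CT0001", encrypted=True),      # encrypted: IC-25 only
    ExposedRecord("Dee", "Moe", "MA", ssn="000-00-0002", encrypted=False),           # not a CT resident
    ExposedRecord("Eve", "Loe", "CT", license_number="CT0002", encrypted=False,
                  publicly_available=True),                                           # public record: excluded
]
SAMPLE_DISCOVERY_DATE = date(2011, 6, 1)


def demo() -> dict:
    """Scope the sample incident: 1 resident to notify, Department report due 2011-06-06."""
    return scope_incident(SAMPLE_RECORDS, SAMPLE_DISCOVERY_DATE, estimated_notice_cost_usd=1_200.0)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping `is_statutory_breach_record` and `is_ic25_incident_record` separate is the one that trips agencies up: an encrypted laptop full of CT policyholder data may not be a statutory breach, but the Department still expects a report, and an account number without its access code is not “personal information” under the statute at all.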

Page 18: Breach Notification Contents

What a notification should contain, as outlined in Bulletin IC-25:
– Date and description of the incident (how the information was lost, stolen or breached)
– How it was discovered
– Whether lost, stolen, or breached information has been recovered, and if so, how
– Whether individuals involved in the incident (both internal and external) have been identified
– Whether a police report has been filed
– Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, … etc.)

Page 19: Breach Notification Contents

What a notification should contain (cont.):
– Whether the information was encrypted
– The period of time covered by the lost, stolen or breached information
– How many Connecticut residents were affected
– Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
– Identification of remedial efforts being undertaken to cure the situation that permitted the information security incident to occur
– Copies of the licensee’s/registrant’s Privacy Policies and Data Breach Policy

Page 20: Breach Notification Contents

What a notification should contain (cont.):
– Regulated entity contact person with whom the Department can communicate regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant.)
– Other regulatory or law enforcement agencies notified (who, when).
– For the Department’s review, a draft version of any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident. Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection that the Department will require to be offered to affected consumers and for what period of time.

Page 21: Agenda

• CT Laws
  – CT Insurance Bulletin IC-25
  – Breach Notification Laws
• Gramm-Leach-Bliley Act
• Ways to better protect PI at your agency.

Time permitting:
• MA 201 CMR 17.00

Page 22: The Gramm-Leach-Bliley (GLB) Act

• The Gramm-Leach-Bliley Act contains “privacy provisions relating to consumers' financial information. Under these provisions, financial institutions have restrictions on when they may disclose a consumer's personal financial information to nonaffiliated third parties.”

The GLB Act also requires financial institutions to provide consumers with a privacy notice as well as a way to “opt-out” of the sharing of their information.

Page 23: The Gramm-Leach-Bliley (GLB) Act

• This law states that “a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice…” (Sec. 6802.)

What does this mean? You need to have a privacy notice that is available to your customers.

Page 24: The Gramm-Leach-Bliley (GLB) Act

• Before we get too far… a few definitions:
  – Financial Institution: “Companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance…” So YES, we are covered.
  – Affiliate: “Any company that controls, is controlled by or is under common control with another company.”
  – Nonaffiliated third party: Not an affiliate; does not include joint employees.

Page 25: The Gramm-Leach-Bliley (GLB) Act

• More definitions
  – Nonpublic personal information: Personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.
    Also covers lists that contain publicly available information, and that are derived from, or grouped based on, nonpublic personal information.

Page 26: The Gramm-Leach-Bliley (GLB) Act

So what does it mean to insurance agencies?
– You need a Privacy Notice to provide to your clients.
– Part of the Privacy Notice should explain how to “opt-out” of having personal information shared.
– Otherwise, you “may not disclose nonpublic personal information to a nonaffiliated third party.”

There are exceptions, such as when disclosure is needed to provide a service the consumer requests (think credit reports), with their consent, or where required by law.

Page 27: The Gramm-Leach-Bliley (GLB) Act

• When do you need to share your agency’s Privacy Policy?
  – “At the time of establishing a customer relationship…”
  – “And not less than annually…” Renewals happen annually (or semi-annually!)
• What does this notice need to include?
  – “Policies and practices with respect to disclosing nonpublic personal information (NPI)…”
  – The types of NPI you collect.

Page 28: Agenda

• CT Laws
  – CT Insurance Bulletin IC-25
  – Breach Notification Laws
• Gramm-Leach-Bliley Act
• Ways to better protect PI at your agency.

Time permitting:
• MA 201 CMR 17.00

Page 29: How To Better Protect PI

• Try going paperless!! … Or at least reduce what you keep.
  – A network is much easier to secure than paper files and filing cabinets, provided the network security and password policies behind it are kept up to date and enforced (see Page 45).
  – It might also make you more efficient.
• Update your management systems.
  – Newer versions and platforms often have additional protective measures for fields that contain PI.
  – This will also help with streamlining work and supporting paperless operations.

Page 30: How To Better Protect PI

• Encrypt portable devices.
  – These items (laptops, thumb drives, CDs/DVDs) are very easily lost or stolen.
  – On an unencrypted device, anyone who picks it up can get at your data in a short amount of time; little skill is required.
  – Encryption is also what keeps a lost device from being a statutory breach under the CT definition on Page 12 (though IC-25 still expects the Department to be told).
• Secure your paper!
  – At the office…
    • Done for the day?
    • Clients at your desk.
  – Visiting clients.

Page 31: References

CT Information Security Incidents Bulletin (IC-25)
http://www.ct.gov/cid/lib/cid/Bulletin_IC_25_Data_Breach_Notification.pdf

CT Breach Notification Laws
http://www.cga.ct.gov/2011/pub/chap669.htm#Sec36a-701b.htm

Gramm-Leach-Bliley Act
http://www.ftc.gov/privacy/glbact/glbsub1.htm

Page 32: Agenda

• CT Laws
  – CT Insurance Bulletin IC-25
  – Breach Notification Laws
• Gramm-Leach-Bliley Act
• Ways to better protect PI at your agency.

Time permitting:
• MA 201 CMR 17.00

Page 33: What is 201 CMR 17.00?

201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, is the regulation that implements the provisions of MGL c. 93H relative to the standards to be met by persons who own or license personal information (PI) about a resident of the Commonwealth of Massachusetts.

A direct link to the regulation can be found here (on the MA OCABR web page):
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

Page 34: The Basics of 201 CMR 17.00

• As of March 1, 2010, all entities that own or license personal information about a resident of MA are required to comply with this regulation.
• Every agency (or entity) must designate a Security Officer and have a written information security program (WISP) in place.
• All employees must be trained on the security program.
• The safeguarding of this information applies to physical security as well as electronic security (paper and computer files alike).
• If a breach occurs, it must be reported and corrective actions must be taken.

Page 35: Conducting a Security Assessment

• Per 201 CMR 17.00, your security program must include “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”

First – step out of your agency role… become a completely objective observer.

Page 36: What is a WISP?

• As a reminder, 201 CMR 17.00 requires that “every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”

• This Written Information Security Program (WISP) is your agency’s policy document on how you handle, and ensure the security of, your clients’, prospects’, and employees’ PI.

Page 37: What is a WISP?

Your WISP will “include, but shall not be limited to:”

(a) Designating one or more employees to maintain the comprehensive information security program
(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
    1. ongoing employee (including temporary and contract employee) training;
    2. employee compliance with policies and procedures; and
    3. means for detecting and preventing security system failures.

Page 38: What is a WISP?

Your WISP will “include, but shall not be limited to:”

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
(e) Preventing terminated employees from accessing records containing personal information.

Page 39: What is a WISP?

Your WISP will “include, but shall not be limited to:”

(f) Oversee service providers, by:
    1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
    2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

Page 40: What is a WISP?

Your WISP will “include, but shall not be limited to:”

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

Page 41: What is a WISP?

Your WISP will “include, but shall not be limited to:”

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Page 42: What About a Breach?

A person or agency that owns or licenses data that includes PI about a resident of the commonwealth shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the attorney general, the director of consumer affairs and business regulation and to such resident, in accordance with… M.G.L. c. 93H (Chapter 93H: Section 3).

Page 43: What About a Breach?

• In addition, and in accordance with the WISP, the person or agency must:
  – Conduct an immediate, mandatory post-incident review of events and actions taken, if any.
  – Determine whether any changes in security practices are required to improve the security of personal information for which the person or agency is responsible.

These requirements apply whether one or a thousand records have been breached.

Page 44: How Does This Affect Agency Operations?

• It is a fair assumption that these requirements will prompt changes in the way your agency operates.
• Employees need to be cognizant of what information is contained on the documents they are handling and treat them accordingly.
• This will most likely also mean some changes to the physical layout or storage areas at your agency.

You may find that you are operating more efficiently and effectively after implementing changes.

Page 45: How Does This Affect Agency Operations?

• Network security and password policies must be up-to-date and enforced. No yellow sticky notes with passwords!
• Emails that contain personal information (PI) must be encrypted as far as it is technically feasible and reasonable.
• Any portable devices (e.g., laptops, thumb drives) that store PI (even in a copy of an email or other document) must be encrypted.
• Wireless networks must be encrypted.
• Paper records must be stored in a secure, locked area and be accessible only to those employees who need access.
• Ideally, no files (not even management system screens) should ever be visible to customers or to personnel who do not work for the agency.

Page 46: Assessing Risk

• Ultimately 201 CMR 17.00 specifies that the safeguards that should be in place and defined in the program “are appropriate to (a) the size, scope and type of business…”.
• The risk-based approach, as further discussed in the 201 CMR 17.00 FAQs, allows for some flexibility in the implementation of the requirements of the regulation based on the amount of PI stored.
• However, for insurance agencies this flexibility is unlikely to reduce the burden much, because we do hold PI for every single client (and perhaps every prospect) in our books.

Page 47: Assessing Risk

• “Technically Feasible” is the term that is used to describe whether or not the specific elements outlined in the regulation need to be implemented in your program.
• “Technically Feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.
• Must I encrypt my email if it contains personal information? If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. (From the FAQs)

Page 49: Creating Your WISP

• Start with the template!
• Sections to include:
  – Part 1 Objectives
  – Part 2 Purpose & Scope
  – Part 3 Designation of a Security Manager

Parts 1 & 2 are legalese and the example template wording should be fine.

Page 50: Creating Your WISP

• Sections to include (cont.):
  – Part 4 Risks Identified
    • What did we find during our assessment?
    • Where is the PI and how is it at risk?
  – Part 5 Safeguards
    • What we are going to do at the agency to protect PI.
    • Operations, technology, and management practices.
    • This section shows how we have fixed any gaps or other risks we identified!
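Part 4 asks where the PI actually is. As an added example for the risk-assessment step on Page 35 (not from the slides or from any agency's WISP template), here is a small Python discovery routine: it scans a constructed set of documents (an e-mail, a scanned application, a shared spreadsheet export and an unrelated memo) for the elements of the CT definition that can be recognised by pattern, Social Security numbers and payment card numbers, and reports masked findings only, so that the scan report does not itself become one more copy of the PI. The regexes, the Luhn filter for card numbers, the file names and the sample text are assumptions; driver's licence numbers vary too much by state to be matched reliably this way and are left out.

```python
"""PI discovery for the risk-assessment step ('where is the PI?').

Added example, not from the slides or any WISP template. Scans a constructed
set of documents for elements of the CT 'personal information' definition that
can be recognised by pattern (SSNs and payment card numbers) and reports masked
findings only. Regexes, the Luhn filter, file names and sample text are
assumptions made for the example."""
import re
from typing import Dict, List

# SSN: 3-2-4 digits with hyphens. Areas 000, 666 and 9xx, group 00 and serial
# 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pi(documents: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each document name to its masked findings; documents without PI are omitted.
    Only the last four digits are kept, so the scan report is not itself a PI store."""
    findings: Dict[str, List[str]] = {}
    for name, text in documents.items():
        hits: List[str] = []
        for m in SSN_RE.finditer(text):
            hits.append("ssn:***-**-" + m.group()[-4:])
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append("card:" + "*" * (len(digits) - 4) + digits[-4:])
        if hits:
            findings[name] = hits
    return findings


# Constructed sample documents (no real data). Note the e-mail: a client sending
# an SSN in plain text is exactly the copy that ends up in mailboxes and on
# laptops, which is why Page 45 calls for encrypting those as well.
SAMPLE_DOCUMENTS = {
    "inbox/quote-request.eml": "Hi, my SSN is 123-45-6789 for the auto quote. Thanks, Ann",
    "scans/app-2011-04.txt": "Card on file: 4111 1111 1111 1111 exp 09/13",
    "shared/policy-list.csv": "policy,1234 5678 9012 3456,renewal",     # fails Luhn: not a card
    "shared/memo.txt": "Lunch at noon; call 860-555-0100 to confirm.",  # phone number: no hit
}

if __name__ == "__main__":
    for doc, hits in find_pi(SAMPLE_DOCUMENTS).items():
        print(f"{doc}: {', '.join(hits)}")
```

Run it over an export of the agency's shared drives and mailboxes and the per-file results become the raw material for Part 4 (where the PI is) and Part 5 (what to do about each location: encrypt, move, or delete).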

Page 52: What About a Breach?

• In addition, and in accordance with the WISP you are creating, you must:
  – Conduct an immediate, mandatory post-incident review of events and actions taken, if any.
  – Determine whether any changes in your security practices are required to improve the security of personal information for which you are responsible.

It does not matter if one or a thousand records are breached.