Personal information security and breach notification requirements are topics that all independent insurance agencies need to be aware of and be prepared for operationally in the event of a loss of clients' information.
IIAC Young Agents - Protecting Your Insureds' Private Information
1. Client Confidentiality – Protecting Your Insureds’ Private Information IIAC Young Agents Jason Hoeppner, CIC
15. Personal Information
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
State Definition of Personal Information
CT: Individual’s first name (or first initial) and last name, in conjunction with one or more of the following:
(1) Social Security Number
(2) Driver’s (or motor vehicle operator’s) License number or other state/government ID number
(3) (Financial) Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
69. List of Some Encryption Software
Whole-Disk Encryption: www.truecrypt.org, www.pgp.com, www.drivecrypt.com/, http://www.symantec.com/business/endpoint-encryption
74. Personal Information
State Definition of Personal Information
NJ, CT, & NH: Individual’s first name (or first initial) and last name, in conjunction with one or more of the following:
(1) Social Security Number
(2) Driver’s (or motor vehicle operator’s) License number or other state/government ID number
(3) (Financial) Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
NY: Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
NJ also: dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
VT: Account information in which the number could be used without additional identifying information; access codes, or passwords and account passwords or PINs are also included.
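A breach-scoping check built from the state definitions on this slide and the NJ/CT encryption point made in the speaker notes, as an added example that is not part of the presentation. It assumes the element test above (name plus SSN, ID number, or account number together with its access credential) for CT, NJ and NH, routes NY and VT to manual review because their definitions are broader, and uses constructed record fields and sample values.

```python
# Added example (not from the presentation): breach-scoping helper for the
# element-based "personal information" test described on the slides.
from dataclasses import dataclass

ELEMENT_TEST_STATES = {"CT", "NJ", "NH"}
ENCRYPTION_CARVE_OUT = {"CT", "NJ"}   # notes: encrypted PI is "not a breach here"; none stated for NH
MANUAL_REVIEW_STATES = {"NY", "VT"}   # broader definitions; not modelled here


@dataclass
class Record:
    first_name: str = ""         # a first initial alone also satisfies the test
    last_name: str = ""
    ssn: str = ""
    id_number: str = ""          # driver's licence or other state/government ID
    account_number: str = ""     # financial account / credit or debit card number
    access_credential: str = ""  # required security code, access code or password
    public_record: bool = False  # lawfully available from government records


def triggering_elements(r):
    """Data elements that, combined with a name, make the record PI (CT/NJ/NH)."""
    found = []
    if r.ssn.strip():
        found.append("ssn")
    if r.id_number.strip():
        found.append("id_number")
    # an account number alone is not enough; the slide requires the credential too
    if r.account_number.strip() and r.access_credential.strip():
        found.append("account_number+credential")
    return found


def assess(state, r, encrypted=False):
    """Return (is_personal_information, notify, reason) for one exposed record."""
    state = state.upper()
    if state in MANUAL_REVIEW_STATES:
        return (None, None, state + " uses a broader definition; review manually")
    if state not in ELEMENT_TEST_STATES:
        raise ValueError(state + " is not covered by this helper")
    if r.public_record:
        return (False, False, "publicly available government-record data is excluded")
    elements = triggering_elements(r)
    has_name = bool(r.first_name.strip()) and bool(r.last_name.strip())
    if not (has_name and elements):
        return (False, False, "name plus a triggering element not present")
    if encrypted and state in ENCRYPTION_CARVE_OUT:
        return (True, False, state + ": encrypted data is outside the breach definition")
    return (True, True, "triggering elements: " + ", ".join(elements))
```

The CT insurance department bulletin discussed later in the notes treats encryption differently from the general statute, so the carve-out here reflects only the statute-level point the notes make.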
Editor's notes
8/18/2010
Conn. Gen. Stat. 38a., Chapter 700 Property and Casualty Insurance (e.g.) http://www.cga.ct.gov/2011/pub/title38a.htm §38a-8 “Duties of Commissioner…” §38a-41 “Authority to do business…”
Administrative Actions: To minimize that potential, licensees and registrants are urged to follow these procedures.
Sec. 36a-1. (Formerly Sec. 36-1). General statement. This title shall be known as the "Banking Law of Connecticut" and shall be applicable to all Connecticut banks, Connecticut credit unions, mortgage lenders, mortgage correspondent lenders, mortgage loan originators and mortgage brokers, money order and travelers check licensees, check cashing service licensees, trustees under mortgages or deeds of trust of real property securing certain investments, corporations exercising fiduciary powers, small loan licensees, sales finance companies, mortgage servicing companies, debt adjusters, and to such other persons as subject themselves to the provisions of this title or who, by violating any of its provisions, become subject to the penalties provided in this title. [This would apply because the breach section pertains to any “person” which is further defined as] (48) "Person" means an individual, company, including a company described in subparagraphs (A) and (B) of subdivision (11) of this section, or any other legal entity, including a federal, state or municipal government or agency or any political subdivision thereof;
One caveat: I am not a lawyer, and although we will take time to answer questions at the end, I do want to remind folks that if they have a specific question pertaining to the laws in their states (or laws that do apply to them regardless), they should consult a lawyer.
§ = section
46 States as of October 2010.
Each state directly addresses “unauthorized” access and both NJ & CT specify that the access (or acquisition) is not secured by encryption. In other words, if someone has access to PI that is encrypted, it is not a breach here. Slightly different than IC-25!
Notice that NY’s definition does not trigger a breach… we’ll see on the next slide what information would constitute a breach. Again, only slightly different than IC-25.
Added the note about IC-25. (5/11/11)
If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision. (NH)
CT DOI – encryption doesn’t matter. And there is much more required in the notification; the other law doesn’t specify.
(d)(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in subdivision 317(c)(9) of Title 1.
NY – electronic notice - provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction. NH - Electronic notice, if the agency or business' primary means of communication with affected individuals is by electronic means.
This is not in the breach notification law (Sec. 36a-701b).
Enacted November 12, 1999 effective November 13, 2000 Compliance: July 1, 2001 http://ftc.gov/privacy/glbact/glboutline.htm
Enacted November 12, 1999 effective November 13, 2000 Compliance: July 1, 2001 http://ftc.gov/privacy/glbact/glboutline.htm http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. http://www.ftc.gov/privacy/glbact/glbsub1.htm#6809 (5) Nonaffiliated third party The term ''nonaffiliated third party'' means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution. (6) Affiliate The term ''affiliate'' means any company that controls, is controlled by, or is under common control with another company.
http://www.ftc.gov/privacy/glbact/glbsub1.htm#6803 There is more detail here. The disclosure required by subsection (a) of this section shall include - (1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 6802 of this title, and including - (A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 6802(e) of this title; and (B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution; (2) the categories of nonpublic personal information that are collected by the financial institution; (3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 6801 of this title; and (4) the disclosures required, if any, under section 1681a(d)(2)(A)(iii) of this title. (Pub. L. 106-102, title V, Sec. 503, Nov. 12, 1999, 113 Stat. 1439.)
Almost exactly the same as the other breach laws.
Think of a phone book…
As long as the risk of losing PI is determined to be low and the cost or resources needed to implement a solution to a compliance gap is prohibitive, you could say that your assessment is such that you will not need to do…
This is the one area that I think is a step back.
As you will see, for the most part, the states we are discussing today are rather consistent in how they define a breach. NY – it is referred to as a “Breach of the security of the system”…
Note that CT does not have “good faith” language in its General Statute.
So, say a breach does occur…
Careful if this is the determination that we make.
Only the states of NH, NY (and later we’ll see MA) specify what the breach notifications must contain, information-wise.