News & Events

The legal landscape in which insurance companies operate is constantly in flux, especially when technology is involved. There are core legal obligations that require insurance companies to play defense when dealing with cybersecurity issues; however, an insurance company can get ahead of these issues by being proactive. At a minimum, carriers must follow data security safeguard laws.

Consumer Information that Insurance Companies Possess

Insurance companies possess large amounts of private consumer data. Regardless of the type of insurance they provide, in their computer systems they could have a customer’s:

• Address
• Social security number
• Driver’s license number
• Health insurance details
• Income information
• Bank account number

As a result, insurance companies are attractive targets for hackers who want to obtain consumer information for nefarious reasons. Insurance companies must protect this information. If hackers gain access to it, they can commit insurance fraud and/or other types of illegal acts.

Financial Institutions (and Their Customers) Have Been the Victims of Large Hacks

There have been numerous high-profile incidents in which hackers breached an insurance company’s system and stole their data. In some cases, they have used the information they stole to commit fraud. These insurance companies were assessed fines for failing to comply with data protection laws.

For data protection, the relevant laws depend on the type of insurer and the information they possess. If they are a financial services organization, the Gramm Leach Bliley Act (GLBA) imposes obligations on them to protect customer information. GLBA governs companies that sell insurance to the public. The law was passed in 1999 to regulate financial institutions when Congress was changing laws to allow commercial banks, investment banks, and insurance companies to merge with each other.

Gramm Leach Bliley Act Requirements for Data Security

Some of the requirements of GLBA are:

• Companies must assess the risks to customer information in each area of their businesses
• They must test their existing safeguards and improve them or correct deficiencies if necessary
• Companies must design and monitor safeguard programs
• Insurance companies must also pay close attention to any service providers they hire, ensuring they can properly safeguard customer information
• Any time a company’s business changes, or it learns new information that could impact the security of customer information, it must evaluate and change its security program

In addition, companies must send consumers a privacy notice. This notice must make the company’s information sharing procedures clear to consumers. It must explain what information is collected and what is done with it.

Financial institutions can face fines of up to $100,000 for each violation of the Act. If companies share or post financial information without a customer’s consent, they can face significant penalties. Besides financial penalties, insurance companies can leave themselves open to customer lawsuits and suffer reputational damage if they fail to follow cyber laws.

Data privacy and protection is a big deal and is becoming even more crucial with the more sophisticated hackers get. This will require significant initial and ongoing investment on the part of insurance companies to continually update systems in light of changing conditions.

State Cyber Laws that Insurance Companies Must Follow

In addition to federal regulations, companies doing business in Florida must follow the Florida Information Protection Act of 2014. Businesses must take reasonable measures to safeguard customer information and notify customers of data breaches. Businesses must protect any kind of personal information they have, including:

• health insurance
• medical information
• financial information
• online account information, such as security questions and answers, email addresses, and passwords

Businesses that are found in violation of the law can face enforcement action from the Florida Attorney General under Florida’s Unfair and Deceptive Trade Practices Act. Florida, like other states, is stepping up its enforcement of privacy laws and instituting stricter procedural requirements.

But data security laws differ across states. Companies that do business in more than one state need to be familiar with the law in every jurisdiction because they could face regulatory scrutiny wherever they operate. For example, California passed a strict law that governs the collection, use, and sale of the personal information of California residents. National insurance companies need to be aware of this law.

Customers and The Government Are Focusing More Intently on Privacy

Insurance companies can expect greater customer awareness of privacy issues and laws. Customers have become far more focused on their own privacy and have been willing to take action or report misconduct they believe compromised it. In turn, insurance companies and other financial services businesses are being fined with increasing frequency.

Cybersecurity and information protection laws are an ever-changing area of the law. Regulators’ interpretations of these rules may evolve over time. In addition, a company’s obligations are dependent on its circumstances and require a constant reevaluation of its practices.

Cyber laws are an area where insurance companies can benefit from legal help. Breaching these obligations can lead to significant penalties. Consulting with a lawyer can be a wise investment of time and money to prevent far greater problems in the future.

In the meantime, insurance companies need to review Gramm Leach Bliley Act compliance checklists periodically and in response to specific incidents. Not only can a company avoid fines and lawsuits by doing so, but it will also build customer trust and loyalty. If a company has not focused on these requirements, it should begin an intensive effort today.