Paul Zimmerman
pzimmerman@mrllp.com
310.299.5500


Sensitive Information: How Insurance Producers Can Protect Consumer Privacy

Presented at the Independent Insurance Agents & Brokers of California (IIABCal) Blue Ribbon Conference on May 3, 2016.

Introduction.  Insurance sales may be conducted using entirely impersonal tools. An insurance consumer may fill out a form on an internet web site, and through automated systems have a policy of insurance issued without any personal involvement by any human being on the insurer side of the transaction. 

Impersonal though this may appear, insurance transactions are intimate.  In order to obtain insurance, consumers must disclose personal information that they would not willingly disclose to close personal friends – Social Security Number, personal financial information, health information, and lifestyle information.  

Insurance producers[1] provide added value to consumers in this impersonal but intimate transaction by using their knowledge of the business of insurance to help consumers obtain the insurance coverage that will best serve their needs from the most appropriate insurance companies at the lowest price.  In providing this assistance, insurance producers obtain, and become custodians of, the intimate personal information that is required for the insurance transaction.  Proper collection and protection of this information is one of the most important professional responsibilities faced by the modern insurance producer. 

The business of insurance sales has changed profoundly in the past three decades.  Thirty years ago the most important tools in insurance sales were the telephone, the U.S. Postal Service, filing cabinets, pre-printed paper forms, the typewriter, and the ballpoint pen.  Today nearly all of these tools, with the possible exception of the telephone, have been largely replaced by the technology of computers and the internet.  Computer technology allows insurance transactions that recently took days to complete to be completed instead within minutes.  An insurance application used to take several days to prepare, submit to the insurer, be reviewed, and have the policy issued.  Today the same process can be completed while a customer sits in the producer’s office during his or her initial visit. 

This same technology, however, has created serious new challenges for protecting the intimate consumer information involving insurance transactions.  The information that thirty years ago could be stored only in several large, and hopefully locked, file cabinets in the producer’s office can be stored instead on a computer flash drive no larger than the producer’s thumb.  Furthermore, depending upon the level of security on the producer’s computer system, this information can be accessed, and potentially stolen, by a computer hacker who doesn’t even have to be on the same continent as the producer. 

While computers allow much more efficient storage and transmission of intimate customer information, they also create risks that simply did not exist in the earlier, less efficient, days of paper and ink insurance transactions. 

Laws which protected insurance information reasonably well in the paper and ink days are often completely inadequate to protect the same information when a producer’s entire “file cabinet” is stored on an easily-lost laptop computer, and when all of that information can be easily transmitted around the world electronically by a single mistake or through the efforts of a single computer hacker pursuing criminal ends. 

Lawmakers have responded to this technological revolution with a host of new laws intended to protect this consumer information.  The old laws often still exist, sometimes updated and sometimes not, but a broad array of new and often overlapping laws have been enacted in the past 30 years intended to address the many information security problems that have arisen as a result of modern computer technology.  The result is a convoluted legal scheme which is nearly impossible for a modern insurance producer even to understand. 

State and federal governments have also enacted extensive regulation of direct marketing practices using electronic means such as telephone, facsimile, and email.  These laws do not protect confidential information.  Rather, they are intended to restrict the degree to which individuals are contacted directly by commercial advertisers. 

The purpose of this paper is to provide general guidance to insurance producers seeking to conduct their businesses lawfully and safely. 

Disclaimers.  This paper is intended only to provide general guidance to insurance producers.  It is not, and it does not purport to be, a comprehensive survey of all insurance privacy laws to which a particular insurance producer may be subject.  Legal questions specific to a producer’s personal business practice should be submitted to that producer’s own attorney for answer and guidance. 

This paper will not and cannot provide technical advice about computer security.  Questions relating to computer security on issues such as computer hardware, firewalls, encryption, and password protocols, must be considered and answered in consultation with qualified computer information technology professionals. 

Because the business of insurance is generally regulated in the United States by the separate states, producers must be aware of the individual state laws to which they may be subject.  Some of the federal laws governing this issue will be discussed in this paper, but most states also have applicable laws and producers must evaluate those laws separately to determine the legal scheme applicable in their states of operation.  This paper will discuss the laws of the state of California as an example of how state and federal regulation overlap, but the paper does not provide a summary of all of the state laws, including the laws of California, which may govern producer obligations to protect consumers’ personal information. 

Overview of Legal Structures.  Laws governing protection of personal information generally fall into four categories: 

  • Security: Laws which define categories of personal information which must be protected and which impose an obligation upon businesses in possession of such information to keep it secure.  Such laws generally include penalties for any business which permits personal information to be released, except as the release is permitted by the law. 
  • Disclosure: Laws which require a business obtaining personal information to provide consumers with a statement outlining the type of information that the business collects and the purposes for which that information is employed. 
  • Breach Disclosure: Laws which require a business in possession of personal information to notify the affected individuals, and in some states a designated government agency, if the business discovers that personal information in its possession has been improperly disclosed or lost. 
  • Direct Electronic Marketing: Laws which regulate the manner in which commercial advertisements are delivered to individuals by fax, email, or telephone. 

The Gramm-Leach-Bliley Act.  The most far-reaching privacy law which will affect insurance producers is the federal Gramm-Leach-Bliley Act (GLBA), enacted in 1999.  The GLBA repealed part of the Glass–Steagall Act of 1933, removing many legal barriers that previously separated banking, securities, and insurance businesses.  However, since the new law would allow greatly increased sharing of information among businesses that were previously separated by law, a significant portion of the GLBA is devoted to privacy protection. 

The GLBA governs privacy of “Nonpublic Personal Information”[2] (NPI) held by “financial institutions”.  The GLBA only applies to information related to a “customer” or a “consumer”[3].  The legal difference between a “customer” and a “consumer” is that a “customer” generally has an ongoing business relationship with the financial institution.  A person who makes an inquiry about obtaining insurance will generally be a “consumer”; a person who actually buys insurance through the producer will become a “customer”.  For a producer seeking to comply with the GLBA requirements, the difference is not fundamental[4].  If the producer has obtained NPI, it must be protected whether it is obtained from a customer or a consumer. 

“Nonpublic Personal Information” generally means any information that is specific to an individual – information such as name, address, Social Security Number, account numbers, financial information specific to the individual, and any information provided on an application for insurance.  Even the fact that a particular individual is a customer of the producer is considered to be NPI.  As a general rule, producers should consider any information that they obtain from a consumer or a customer to be NPI and subject to protection under the GLBA. 

The GLBA protections do not extend to public information.  Public information includes information from federal, state, or local government records made available to the public, such as the fact that an individual has a mortgage with a particular financial institution.  Public information also includes information that is in widely distributed media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access.  If a producer obtains information from these sources, to use for example in a marketing effort, such information is not subject to the GLBA privacy protection requirements. 

GLBA PRIVACY REQUIREMENTS.  The GLBA generally requires all financial institutions to adopt privacy policies which protect the NPI in their possession, to notify their customers and consumers of these policies, and, with some limitations, to allow customers and consumers to opt out of the disclosure of NPI by the financial institution to nonaffiliated third parties. 

Since insurance producers generally operate as intermediaries between customers and insurers, the NPI which producers hold is also going to be in the possession of one or more insurers.  This does not mean that producers may simply rely upon insurers for compliance with GLBA and other privacy laws.  An insurance producer is responsible for complying with privacy laws independently of the actions of the insurers with which the producer conducts business. 

GLBA AND STATE LAW.  Compliance with privacy laws is particularly complicated in the insurance industry.  Pursuant to the federal McCarran-Ferguson Act[5] the business of insurance is regulated by the states rather than by the federal government.  This regulatory separation is retained in the GLBA, which provides that the states are responsible for enforcing the GLBA within the business of insurance[6].  With respect to insurance producers, authority to enforce the GLBA privacy provisions is vested in the insurance commissioner of the state in which the producer is domiciled. 

The overlap between federal and state law is not limited to saying that state regulators are responsible for enforcing the federal privacy law.  If it were, there would still be a uniform national privacy law which, in the case of insurance, was simply enforced by state regulators instead of by federal agencies.  It isn’t that simple.  The GLBA also includes an extensive section[7] on the relationship between GLBA requirements and state law requirements which may overlap.  This section generally provides that a state may adopt privacy laws in the insurance industry which are equal to or stronger than the GLBA requirements.  Thus, with respect to insurance, the GLBA establishes a minimum set of privacy requirements but individual states may adopt and have adopted state laws setting standards that must meet or exceed the GLBA requirements. 

There are many resources, including well-designed federal government internet web sites, providing information about GLBA compliance.   In the business of insurance, however, these sites may be misleading.  Insurance producers must be aware that in the business of insurance, the GLBA is enforced by state insurance regulators and that the applicable state law may be different from the GLBA. 

Many states have adopted insurance privacy laws which are separate from the GLBA requirements.  In many cases these state statutes are based upon the model “Insurance Information and Privacy Protection Act” adopted by the National Association of Insurance Commissioners in 1992.  Not all states have adopted the NAIC model.  The insurance regulator in the state of domicile of any insurance producer is a good starting point for obtaining specific information about the insurance privacy requirements of that state.   In some states the GLBA standards may apply without modification, in others, there will be different and unique rules. 

INSURANCE PRIVACY IN CALIFORNIA.  As with many other states, California has a specific insurance privacy law[8], which is based upon the NAIC model act.  This state statute, and the GLBA have together been implemented through regulations[9] adopted by the Department of Insurance.   The regulations implement both the GLBA and the state Insurance Information and Privacy Protection Act[10].  They apply to “all licensees of the California Department of Insurance subject to California Insurance Code Sections 791 et seq., namely insurance institutions, agents, and insurance support organizations[11].” 

The privacy notice does not need to be provided by “an employee or agent” of an insurer if the insurer provides the privacy notice to the agent’s customers.  For purposes of this regulation the term “agent” also includes a broker[12].

In summary, the California regulations provide as follows.  (Code sections identified in the following list refer to Title 10 of the California Code of Regulations).   

  • NPI may not be released except as specifically permitted in the law (§ 2689.3). 
  • Licensees, including insurance producers, are required to provide privacy notices to customers and consumers (§ 2689.5) at the beginning of the relationship with the customer or consumer. 
  • Notices of the licensee’s privacy practices shall be provided annually (§ 2689.6). 
  • The privacy notices must be in a specified form (§ 2689.6), and must include specified information (§ 2689.7).  Among the information that must be provided are the categories of NPI that the licensee collects and discloses, the types of nonaffiliated third parties to whom the NPI is disclosed, and an explanation of the consumer's right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties.  There are several other technical requirements for privacy notices.
  • Nonpublic personal medical record information about a consumer may not be disclosed to affiliated or nonaffiliated third parties without the consumer's prior written authorization except as specifically allowed by section 791.13 of the Insurance Code  (§ 2689.11).  
  • Licensees shall “implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information” (§ 2689.14).  In practice this means that producers are responsible for the physical security of NPI in their offices and are required to have technical systems in place to prevent unauthorized access to their computer systems[13]. 
  • The Insurance Commissioner has broad authority to enforce these regulations, including potentially the power to order a licensee to take specific actions and in appropriate cases to order payment of penalties (§ 2689.20).  
  • A licensee is prohibited from discriminating between people who exercise their opt-out rights for information sharing and those who do not (§ 2689.22). 

A NOTE ABOUT PRIVACY STATEMENTS.  Both GLBA and most state laws require insurance entities to adopt privacy policies which are provided to consumers and customers.  Insurance producers should also be careful to comply with these policies.  Written policies should be reviewed regularly and producers should document that they are followed.  Information practices can change over time.  Producers should review their privacy policies annually to ensure that the stated policies reflect current practice.

For example, a privacy statement may say “we do not share NPI with third parties for marketing purposes”.  At some point after this statement is adopted and employed, the producer provides his customer list to an information processing company to do a data analysis and tell the producer which customers are most likely to need additional coverage.  Even though this use of the information would be entirely legal, since the data analyst is an agent of the producer, the producer has still technically violated the privacy statement because the NPI has been disclosed to a third party for marketing purposes. 

Failure to operate as described in the privacy statement would be a violation of law even if the privacy practices actually employed are entirely legal.  In order to comply with the privacy notice requirements, a producer’s privacy practices must both be legal and be the practices that are stated in the policy.  Producers should therefore review their privacy statements regularly to ensure that they reflect the actual privacy practices that the producer follows. 

The Independent Insurance Agents and Brokers of California (IIABCal) has drafted a variety of sample privacy policies and sample written information security plans for insurance producers, intended to comply with GLBA and corresponding state privacy laws.  These forms and documents are available to IIABCal members.

SUMMARY: NPI PRIVACY CONTROLS.  Insurance producers are subject to federal laws (GLBA) governing the disclosure of NPI.  Insurance is regulated by states and therefore the GLBA allows states to adopt additional privacy controls applicable to insurance producers who reside in that state.  In general terms, all insurance producers will be subject to the following requirements: 

  • Customers and consumers must be given statements regarding practices for collecting and disclosing NPI at the beginning of the commercial relationship. 
  • Customers must be given privacy statements annually. 
  • Privacy statements must explain the producer’s practices for collecting, using, and sharing NPI. 
  • Producers are prohibited from disclosing NPI to nonaffiliated third parties except as permitted by law. 
  • In most cases the person who is the subject of the NPI must be given an opportunity to opt out of the information exchange with nonaffiliated third parties. 
  • Producers must adopt and maintain security procedures to prevent the unauthorized disclosure of NPI.  The procedures apply both to physical security of the producer’s offices and to systems that prevent disclosure of information maintained in computer systems. 

A NOTE ON HEALTH INFORMATION PROTECTION AND DISCLOSURE.  Personal health information is as sensitive under the law as is the type of Nonpublic Personal Information discussed above.  The federal Health Insurance Portability and Accountability Act of 1996[14] (HIPAA) contains extensive restrictions on the disclosure of covered medical information relating to specific individuals. 

In the normal course of business, most insurance producers will not be subject to the HIPAA restrictions, which apply only to “covered entities”.  “Covered entities[15]” include (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.  In other words, HIPAA is directed at the health care industry, not the insurance industry. 

However, producers may find themselves in possession of medical information subject to HIPAA, in connection with health insurance, life insurance, or even in connection with a bodily injury claim under a liability insurance or workers compensation policy.  Producers should be aware that there are severe civil and criminal penalties[16] for wrongfully obtaining or disclosing medical information covered by HIPAA. 

In general the safest rule for an insurance producer who finds himself or herself in possession of medical information relating to a specific individual is to treat it with absolute confidence and disclose it to no outside person.  Medical information is extremely sensitive.  Mishandling medical information can land a producer in serious legal trouble. 

If a producer’s practice happens to involve regularly obtaining and transmitting medical information, this will certainly be through the producer’s regular correspondence with a HIPAA covered entity.  In that case the producer will be required to follow the HIPAA compliance procedures adopted by that covered entity. 

On the other hand, an insurance producer who incidentally obtains confidential medical information should be aware that the information is toxic.  The producer should not transmit such information to any third party unless and until the producer has proof that the transmission is clearly and affirmatively authorized by the person who is the subject of the information. 

INFORMATION SECURITY AND BREACH NOTIFICATION LAWS.  Privacy laws are not limited to governing how NPI is gathered and disclosed.  The federal government and many states also require businesses that possess NPI to maintain security standards at a level adequate to protect that information.   Regulations[17] adopted by the Federal Trade Commission, under the authority of the GLBA financial privacy provisions, require all entities subject to the GLBA, including insurance producers, to establish “reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”  This FTC “Safeguards Rule” does not contain specific penalties for violation.  However, failure to comply with the Safeguards Rule would be a violation of the GLBA and could subject a producer to enforcement action by his or her state Insurance Commissioner. 

Information security requirements are not limited to mandating that security systems be adopted.  Nearly all states have enacted laws requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information[18].  

When a data breach happens on a large scale it can be national news[19], but a breach can be a significant problem even for a single insurance producer whose data is compromised.  Such a compromise does not have to come from an online hacker.  A producer who loses a laptop computer containing unencrypted customer information has probably suffered a data breach, even if there is no evidence that the data has actually been disclosed to an unauthorized third party.  In this case the producer is almost certainly required by law to notify each person whose NPI was compromised.  There may be additional actions required of the entity whose data was lost. 

Again, employing California law as an example, when a data breach is discovered, the entity that lost the data is required to notify any person whose data was disclosed[20].  The entity which lost the information may be subject to civil penalties and to lawsuits for damages[21].  If the entity disclosed the information to a third party for marketing purposes, as opposed to simply losing it or being hacked, the California law provides an additional array of duties and penalties[22]. 

The disclosure law in California is not applicable if the data lost was encrypted.  Thus adequate technological protection for the NPI in insurance producers’ possession is not only important for protecting the information.  Under the various data security laws, the fact that such security exists can also minimize the legal exposure of the producers should a breach occur. 
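The lost-laptop scenario turns on one technical fact: was the data encrypted, and was the key stored somewhere other than the lost device?  The following program is an added illustration by the editor, not part of this paper or of any IIABCal material, showing what “encrypted at rest” means in practice for a single client record.  It uses AES-256-GCM from the Go standard library, a random key that is generated separately from the data, and authenticated decryption that fails closed if the stored blob is altered, truncated, or opened with the wrong key.  The record layout, the client name, and the Social Security Number are constructed for the example (the SSN uses an invalid 000 prefix).  The paper itself, per its disclaimer, leaves technical questions to IT professionals; this example only makes the “encrypted” condition concrete.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientRecord is a constructed stand-in for the NPI a producer keeps on a
// laptop. All values below are made up for this example.
type ClientRecord struct {
	Name string
	SSN  string
	Note string
}

// Bytes serialises the record as a pipe-delimited line. The layout is an
// assumption for the example; a real system would use a proper schema.
func (r ClientRecord) Bytes() []byte {
	return []byte(r.Name + "|" + r.SSN + "|" + r.Note)
}

// NewKey returns a fresh random 256-bit AES key. The key is what makes
// "encrypted" meaningful: it must not live on the same device as the data
// (an OS keystore, a hardware token, or a key derived from a passphrase the
// user remembers), or whoever takes the laptop takes both at once.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A random 12-byte nonce is
// prepended to the output and GCM appends a 16-byte authentication tag, so
// any edit to the stored blob is detected by Open instead of yielding garbage.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed if the blob was altered, truncated, or
// encrypted under a different key.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksField reports whether a sensitive field can be read straight out of
// the stored blob, which is all a thief with the laptop but no key can do.
func LeaksField(blob []byte, field string) bool {
	return bytes.Contains(blob, []byte(field))
}

func main() {
	rec := ClientRecord{Name: "Jane Q. Public", SSN: "000-12-3456", Note: "diabetic"}
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, rec.Bytes())
	if err != nil {
		panic(err)
	}
	fmt.Printf("SSN readable from stored blob: %v\n", LeaksField(blob, rec.SSN))

	// Flip one byte of the stored record: Open must refuse it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	pt, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip intact: %v\n", bytes.Equal(pt, rec.Bytes()))
}
```

The practical caveat for a producer is the key, not the cipher: if the key sits in a configuration file or cached password on the same laptop, a thief has the data and the means to read it, and the producer should assume, as a matter of prudence, that the encryption safe harbor offers no comfort.  Whether a particular statute still treats such data as “encrypted” is a question for counsel.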

UNSOLICITED ADVERTISEMENT:  A related category of privacy laws govern unsolicited commercial advertising.  Unlike the privacy laws previously discussed, these laws do not deal with producers’ duty to protect the NPI that they obtain in the normal course of business.  Rather, these laws restrict the ability of producers to contact individuals in order to solicit business. 

The issue of concern here is with electronic solicitations that go directly to individuals via telephone, facsimile, or email.  There are comparatively few laws governing truthful[23] mass market advertising by means such as television, radio, magazines, internet web sites, and traditional postal mail.  The legal restrictions arise when an advertisement is directed at a specific individual by electronic means. 

Junk Fax.  In the 1980s and 1990s the fax machine was a primary means of electronic communication.  As fax technology developed, more sophisticated fax machines and computer programs which transmitted documents to fax machines soon came along with the ability to send fax messages to a list of recipients.  No longer did each recipient’s fax number need to be entered individually into the sender’s machine.  Thus the “junk fax” was born.  A business could prepare a single advertising document and, with the push of only a few buttons, send that document to a nearly unlimited number of recipients. 

This created immediate pressure for legal controls on junk fax advertising, not least because it imposed a cost involuntarily upon the recipients.  The federal government and most states responded by enacting laws to regulate the use of unsolicited commercial advertising through fax technology. 

The federal Junk Fax Prevention Act of 2005[24] limits the use of fax technology to deliver "any material advertising the commercial availability or quality of any property, goods or services which is transmitted to any person without that person's prior express invitation or permission, in writing or otherwise."  This law generally prohibits such advertisements from being sent without the prior consent (opt-in) of the recipient.  The federal law does not apply to unsolicited faxes sent to a person with whom the sender has an “established business relationship”[25].  Violation of the federal law may subject the violator to civil and criminal penalties[26]. 

The federal law, however, provides only a baseline standard.  Most states have also enacted their own junk fax laws.  California state law, for example, also prohibits the sending of unsolicited fax advertisements without opt-in consent, and it does not include the exemption for established business relationships[27]. 

Under federal and many state laws, there is a private right of action for violations of the unsolicited fax advertising laws.  A person who violates the many restrictions on unsolicited fax advertising could easily end up on the wrong side of a class action lawsuit. 

The best general practice for insurance producers is probably to avoid the use of unsolicited fax advertising in all cases.  A producer who intends to employ unsolicited fax advertising should do so only after obtaining reliable advice from an attorney as to the legality of the intended program. 

Unsolicited Email Advertising.  Email has become ubiquitous, and for most people a substantial portion of email received is commercial advertising, ranging from legitimate advertising sent by legitimate businesses to illegal get rich quick schemes sent from purported Nigerian princes.  Such email is universally referred to as spam.  We each receive so much spam email that the logical conclusion is that it is legal.  This conclusion is wrong.

Spam email is so widespread, not because it is legal, but because it is nearly impossible to regulate.  It may, and often does, originate outside the United States.  The difficulty in enforcing laws against unsolicited email advertising, however, does not mean that law-abiding businesses can ignore them. 

The federal Controlling the Assault of Non–Solicited Pornography and Marketing Act of 2003[28] restricts the use of unsolicited email advertising.  The primary restrictions[29] are:

  • The email message, including the heading identifying the sender, cannot be “materially false or materially misleading.”
  • The message must allow the recipient to request to be removed from the sender’s list of email recipients.  It is illegal to send a subsequent email advertisement to a recipient who has requested to be removed from the mailing list. 
  • The message must contain a “clear and conspicuous” notice that the message is an advertisement.
  • The message must contain “a valid physical postal address of the sender.”

These restrictions generally do not apply if a person has given the sender affirmative consent to receive email messages from the sender.  Violations of the federal CAN-SPAM law are enforced civilly by the Federal Trade Commission, and certain aggravated violations, such as sending commercial email with falsified header information, are crimes punishable by up to five years imprisonment.

As with other privacy laws, restrictions on unsolicited email advertising are also subject to regulation by the states.  The California law on this topic[30] is both simpler and more restrictive than the federal law.  It makes it illegal to “initiate or advertise in an unsolicited commercial e-mail advertisement” sent to or from California. 

Given the difficulty of regulating email, which is not constrained by state or national borders, the risk of being punished for violating the laws may appear to be low.  However, the laws remain on the books and can be employed by government law enforcement agencies, or by plaintiffs in lawsuits, in individual cases in which a business is found to have employed spam advertising. 

The only sure way to avoid running afoul of the anti-spam federal and state laws is to refrain from sending unsolicited email advertisement altogether. 

Unsolicited Telephone Advertising.  The Federal Communications Commission has adopted exhaustive regulations[31] governing telephone advertising (telemarketing).  In broad terms these regulations:

  • Require anyone making a telephone solicitation call to a residence to provide his or her name, the name of the person or entity on whose behalf the call is being made, and a telephone number or address at which that person or entity can be contacted.
  • Prohibit telephone solicitation calls to residences before 8 am or after 9 pm.
  • Require telemarketers to comply immediately with any do-not-call request made during a call.
  • Prohibit unsolicited prerecorded telemarketing calls (“robocalls”) to landline home telephones, and all autodialed or prerecorded calls or text messages to wireless numbers, emergency numbers, and patient rooms at health care facilities, without prior consent of the recipient.

The Federal Trade Commission has adopted extensive regulations[32] to implement the Telemarketing and Consumer Fraud and Abuse Prevention Act[33].  In general terms, the FCC regulations govern the mechanics of how telemarketing calls are placed, while the FTC regulations focus upon preventing advertisements that are false or deceptive. 

The federal law establishes a “do not call list” by which individuals may register their telephone number if they do not want to receive unsolicited telephone advertisements.  It is illegal to place a telemarketing call to any number on the do not call list. 

Telephone solicitation is also subject to a variety of state laws.  A producer engaged in telemarketing must be aware of both state and federal laws as, depending upon the content of the state law, it is possible to engage in telemarketing that complies with federal requirements but still violates state law. 

Again using California as an example, telemarketing in California is subject to substantial state regulation[34].  This law, however, does not apply to insurance producers[35] “when the solicited transaction is governed” by the Insurance Code. 

Thus a California insurance producer engaged in telemarketing is subject to the requirements of the federal telemarketing law and the requirements of the Insurance Code.  Other states have different laws which may overlap with federal requirements.  Any insurance producer engaged in telemarketing must ensure that he or she is obeying the requirements of both state and federal law. 

CONCLUSION:  It is inevitable that insurance producers will obtain nonpublic personal information from consumers and customers.  It is therefore also inevitable that producers will be subject to the laws governing protection and disclosure of this information.  These laws generally require the producer to protect the information, to disclose it to other people only under specifically-defined circumstances, to notify customers and consumers of their rights with respect to the information and to tell them of the producer’s information practices, and in most cases to notify individuals if information about them has been lost by the producer. 

The range of laws is wide.  Different states and the federal government have separate and occasionally inconsistent privacy laws.  An overview such as that provided here can only provide guidance; it cannot provide precise answers.

Insurance producers should always be aware that a simple error, such as a lost smartphone, can cause disclosure of information that will result in huge practical and legal problems.  Producers cannot avoid the legal responsibilities that accompany possession of customer or consumer information, and must address the issue directly and aggressively. 

Since the GLBA retained state regulation with respect to enforcement of the privacy laws, standards will vary from state to state.  Producers with questions on this topic should begin by consulting with the Insurance Commissioner in the state in which the producer lives.  If the Commissioner cannot provide guidance which satisfies the producer, he or she should consult with an attorney familiar with the insurance privacy laws applicable in the producer’s state of domicile. 

Producers should also be aware of and meet the affirmative duty placed upon them to protect the data under their care.  This involves taking care of both the physical security of their offices and the technical security of their computer systems.  Encryption can protect the security of data and may limit the producer’s liability in the event of a data breach: breach notification statutes such as California’s[20] are triggered by the loss of unencrypted personal information, so a lost laptop or smartphone whose storage is fully encrypted may not give rise to a notification duty, provided the encryption key or unlock password was not lost along with it.  Producers should consult with information technology professionals to ensure that they are employing the best available means to protect their data. 

Producers should also be aware that sophisticated technology is not the only means of protecting data.  Adoption and consistent use of mundane computer security practices, matters as simple as password-protecting computers and smartphones and setting them to lock automatically when left idle, is a fundamental means of protecting sensitive data. 

Information security laws and responsibilities are inevitable and complex.  An insurance producer may be frustrated about having to devote the necessary effort to this issue, which is ultimately related to protecting the business rather than growing it.  These concerns, however, should not be discouragements.  All insurance agents and brokers face the same legal and technological challenges.  The producers who will ultimately suffer the most under these challenges are the ones who don’t address them up front and, instead, have to deal with the problems that result when important and sensitive financial information is lost. 

Insurance producers employing fax, telephone, and email advertising need to be aware of the requirements of both state and federal laws governing these practices.  These laws are complex and not necessarily consistent with each other.  As a broad general rule, a producer may communicate electronically with his or her own customers if that customer has consented to electronic communication.  Electronic communication with customers who have not consented to communication by these means may raise legal problems.  Electronic communications with individuals who are not customers of the producer almost inevitably present complex legal issues. 


[1] Except when specifically stated otherwise, in this paper insurance agents and insurance brokers will be referred to collectively as “producers”.  With respect to the application of the various privacy laws, the legal distinction between agents and brokers is generally irrelevant. 

[2] The term “nonpublic personal information” means personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.

15 U.S.C.A. § 6809.

[3] The term “consumer” means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual. 15 U.S.C.A. § 6809.

[4] The differences generally relate to the nature of the notices which must be provided and to whether the information may be shared with affiliates of the financial institution. 

[5] 15 U.S.C.A. § 1011 et seq.

[6] 15 U.S.C.A. § 6805

[7] 15 U.S.C.A. § 6701

[8] California Insurance Code §§ 791-791.29

[9] Title 10, Cal. Code Regs, §§ 2689.1-2689.24

[10] Title 10, Cal. Code Regs, § 2689.1

[11] Title 10, Cal. Code Regs, § 2689.2

[12] “A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information if the licensee is an employee or agent of another licensee (“the principal”) and: (1) The principal otherwise complies with, and provides the required notices; and (2) The licensee does not disclose any nonpublic personal financial information to any person other than the principal or its affiliates in a manner permitted by California Insurance Code Sections 791-791.27 or these regulations.”  For purposes of these regulations, “agent” is defined in California Insurance Code Section 791.02(c) to include any person licensed pursuant to Chapters 5, 5A, 6, 7, or 8 and thus includes an insurance broker.

Cal. Code Regs, Title 10, § 2689.8.

[13] While, as noted above, this paper will not address the specifics of computer security systems, it is important to note that information security threats are not limited to electronic break-ins by outside computer hackers.  Security procedures must also recognize and deal with security within the producer’s office, ensuring for example that only appropriately-authorized personnel have access to sensitive information.  A producer will be just as liable legally if one of his or her employees steals NPI and sells it to a competitor as if a hacker operating from Russia performs the same act. 

[14] Public Law 104-191

[15] 45 C.F.R. § 160.310

[16] 42 U.S.C.A. § 1320d-6

[17] 16 C.F.R., Part 314 “Standards for Safeguarding Customer Information”.

[18] According to the National Conference of State Legislatures, 47 states and the District of Columbia have data breach notification laws. http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

[19] In 2013 a breach of the Target stores database by a computer hacker resulted in the loss of credit card information of nearly 40 million Target customers.  Target eventually paid over $100 million to settle various lawsuits resulting from the breach. 

[20] California Civil Code 1798.82. 

[21] California Civil Code 1798.84.

[22] California Civil Code 1798.83.

[23] While it is not a privacy law, producers should be aware that nearly every state has adopted some version of the Unfair Insurance Practices Act, which prohibits false advertising in the business of insurance.  False statements in advertisements could subject producers to enforcement actions by the state insurance commissioner and, in some cases, to civil lawsuits. 

[24] Pub.L. 109–21, July 9, 2005, 119 Stat. 359

[25] 47 U.S.C.A. § 227

[26] 47 U.S.C.A. § 227

[27] Cal. Bus. & Prof. Code § 17538.43

[28] 15 U.S.C.A. §§ 7701-7713.  Commonly known as CAN-SPAM (the Controlling the Assault of Non-Solicited Pornography And Marketing Act), a name clearly derived from Congress’s desire for a cool acronym. 

[29] 15 U.S.C.A. § 7704

[30] Cal. Bus. & Prof. Code §§ 17529-17529.9

[31] 47 C.F.R. § 64.1200

[32] 16 C.F.R. §§ 310.1-310.9

[33] 15 U.S.C.A. §§ 6101-6108

[34] Cal. Bus. & Prof. Code §§ 17511-17514

[35] “For purposes of this article, “telephonic seller” or “seller” does not include any of the following: . . .

A person licensed or certificated pursuant to Part 2 (commencing with Section 680) of Division 1 of the Insurance Code, including a person licensed pursuant to Chapter 5 (commencing with Section 1621) thereof, when the solicited transaction is governed by [the Insurance Code]”

Bus. & Prof. Code, § 17511.1(e)(4).