Weathering the privacy legislation blizzard

With a flurry of personal information protection legislation in the works on Capitol Hill, PIA

By Nancy Doucette

“What bank robbery was to the Depression Era, identity theft is to the Information Age.”
—U.S. Sen. Charles E. Schumer (D-N.Y.)

The above observation by Senator Schumer was part of his prepared statement to the Senate Banking Committee last March. At that point, he was commenting on the known breaches or misappropriations of personal information from ChoicePoint, LexisNexis, and DSW, which left thousands of consumers vulnerable to identity theft. By mid-July, more organizations had “oopsed” personal information—among them were CitiFinancial, Bank of America, and CardSystems Solutions.

Schumer and other members of the House and Senate have introduced numerous pieces of legislation that address safeguarding consumer information—everything from tightening the rules governing corporate protection of consumer data, to quicker disclosure of breaches when personal information is compromised, to establishing penalties—including jail time—for violations. At the time of this writing, eight Congressional committees had offered bills or resolutions. And depending on whom you ask, the resulting bill may or may not reach President Bush for signature this year.

And there’s no shortage of attention to this subject by those outside the legislative branch. The Wall Street Journal produced a 12-page special section, “Where the Dangers Are,” in its July 18, 2005, edition. While the section looked at threats to information security from a number of perspectives, the message was clear: Cyber thieves are a clever bunch, and getting smarter.

The U.S. Chamber of Commerce and Visa USA recently launched a nationwide data security campaign intended to help businesses protect customer data and reduce fraud. (See the sidebar on page 180 for highlights of the campaign.)

According to a survey by the Better Business Bureau, 9.3 million Americans were victims of identity theft in 2004. That number tracks with surveys by the Federal Trade Commission. Identity theft has topped the FTC’s annual complaints list for the past five years.

Consumers are understandably in an uproar about the security of their personal information and have been making their concerns known to their state legislators. So far, some 19 states have enacted legislation to protect individuals from identity theft and clarify security breach notification requirements. Seven other states have legislation pending. But the solutions at the state level have resulted in a patchwork of legislation with different states approaching the issues in slightly different ways.

Some of those differences were examined by the National Association of Mutual Insurance Companies (NAMIC) in an Issue Brief titled “Security Breach Notification Laws: What Threats Do They Pose for Insurers?” released in July. The document noted that most laws have followed the California security breach notification law that was enacted in 2002. However, some new laws deviate from the California law and therefore could disrupt how insurers (and by extension, agents) conduct their business. (The full Issue Brief is available at the NAMIC Web site.)

Schumer, along with others at the federal level, wants to replace that patchwork protection with what he described as “a real security blanket—one that protects privacy, keeps Social Security numbers private, and prevents fraud and identity theft.” Federal legislation would likely preempt state laws where there are inconsistencies in the provisions.

What that will translate to, in the minds of some, is a one-size-fits-all solution that won’t take into consideration the unique features of the various industries it seeks to regulate. On one level that makes sense, given that identity theft cuts across so many types of businesses.

But the insurance industry has had to bear the brunt of one-size-fits-all federal legislation in the past, and the National Association of Professional Insurance Agents is working on behalf of its agent constituents, and their carrier and vendor partners, to be sure they receive good information about the implications of the latest round of federal legislation relating to fraud and identity theft.

So, in late July, the PIA held a special half-day meeting of its Insurance Technology Coalition (ITC) to get that effort underway. PIA National Executive Vice President and CEO Len Brevik opened the meeting by noting, “By coming together through the PIA ITC, we can achieve both an understanding of the issues as well as a coordinated understanding of the needs and obligations that we all have individually, share collectively, and also owe each other.

“Technology has the potential to create serious federal regulatory burdens for our industry,” he continued. “There are a variety of proposals currently ‘in play’ on Capitol Hill, and our industry needs to be better informed about them—anticipating their effect—not just responding after legislation is passed and it’s too late. The key question is: What kind of effect and cost burden will the current legislation impose on the insurance industry?”

Attendees at the meeting learned that the type of personal information being defined in current legislation is the type of information that agents collect and carriers use for identification, identity verification, driving record checks, claims history, and financial background.

The U.S. Chamber of Commerce Data Security Campaign

The data security campaign, launched by The U.S. Chamber of Commerce and Visa USA in July, recommends that businesses follow these steps to achieve better data security.
1. Know if your processing software or your processor is storing data, what kind of data, and how it’s being stored.
2. Understand the law and payment industry requirements for protecting cardholder information; do business only with vendors that are compliant with the industry’s security requirements.
3. Limit employee access to cardholder information.
Additional information to help businesses protect customer data is available at the U.S. Chamber of Commerce Web site.

Speakers at the meeting included Congressional staffers and legislative experts. One Congressional staff person noted that the final legislation would probably resemble HIPAA in the respect that it would require businesses that handle personal information to (1) establish a security plan, (2) limit the amount of information they keep (and properly dispose of data they don’t need), (3) build barriers and safeguards within the organization to limit access to data within the firm, and limit access to data from outside the firm, and (4) appoint a security officer.

He confirmed that databases will be included in the legislation. At a carrier level, he said carriers would be responsible for protection of personal information. But because agents have access to that data as well, they too will be expected to take steps to protect it. As for paper documents, he again pointed to HIPAA, where paper documents are regulated and protected. Assuming current privacy legislation tracks with HIPAA, he said that it’s likely that it too will include information “in any form or format.”

This Congressional staffer reminded those in attendance of the importance of speaking to Congress with a unified voice. Protecting personal information is part of a public policy debate, he noted, and the insurance industry, through the PIA ITC, has an opportunity to educate Congress on how the insurance industry uses personal information.

A senior policy analyst for the Minority Staff of the House Financial Services Committee also emphasized the importance of input from the insurance industry. He acknowledged that there was a gap in the past with respect to insurance industry input into legislation relating to technology. Given that the House Financial Services Committee’s primary expertise is banking, he said the Committee is “still learning” but is working more with insurance associations in an effort to get more involved with insurance.

This special ITC meeting in Washington was designed to educate the members of the insurance community in attendance about evolving laws and regulations affecting the insurance industry and technology. More broadly, association representatives noted, the PIA ITC serves as a resource organization that works in cooperation with other insurance industry participants who are on the front line representing the insurance industry to Congress. ITC founder Sandy Clark pointed out that the ITC provides a central focus for the insurance industry and Congress on how the insurance industry uses technology in its day-to-day business practices.

By doing so, Len Brevik noted, “we can prevent unintended mischief from the legislature.”

For more information:
PIA Insurance Technology Coalition
Contact: Bill Jenkins, Vice President, Business Development & Marketing, National Association of Professional Insurance Agents
Phone: (703) 518-1363