The Growing Privacy Risk and the Insurance Industry
February 2003
Privacy is a growing risk, given new legislation
and court decisions at both the federal and state levels. Businesses find they
need to revise their privacy policies to conform. The historical context and
legislative overview help firms understand why privacy management is a growing
imperative that cannot be ignored.
by Gary E. Clayton, Privacy Compliance Group, Inc.
Privacy is quickly becoming a growing concern to risk managers and the insurance
industry. Are you prepared to assess the risk?
While states bear primary responsibility for regulating the insurance industry,
including in matters related to privacy, the federal Gramm-Leach-Bliley Act
(GLB) requires states to issue privacy rules that are at least as stringent
as GLB. Other laws and court decisions, at both the federal and state levels,
also continue to play an important role in insurance privacy. In addition, new
regulations, damaging media episodes, costly litigation, and consumer demand
are fast making this an issue you may not be able to ignore.
Historical Context and Legislative Overview
Since its inception, the insurance industry in the United States has been
regulated by the states. In 1945, Congress gave official sanction to this regulatory
structure when it declared in the McCarran-Ferguson Act that it was in the public’s
best interest that states regulate the insurance industry.
In 1999, Congress altered the state of the financial and insurance industries
with the passage of the GLB. The law allows banks, insurance companies, and
investment firms to do business as single financial entities for the first time
since the Great Depression. GLB also imposed new privacy requirements on all
financial institutions, defined to include insurance companies. The new privacy
obligations govern the exchange of personal information between consumers and
financial institutions, as well as between financial institutions and other
companies. While insurers in some states were already bound by privacy requirements
prior to GLB, the new federal law imposed privacy obligations on insurance companies
and other financial institutions nationwide for the first time. However, with
the passage of GLB, Congress did not alter the traditional regulatory scheme
for the insurance industry. GLB explicitly allows states to remain in charge
of regulating almost all aspects of the insurance industry, including privacy.
GLB delegates enforcement and rulemaking authority to the states to ensure that
the insurance industry complies with GLB's privacy provisions. State privacy
laws must be at least as strong as GLB, but may be more stringent. Other laws
also affect privacy in the insurance industry. Primary among these are the federal
privacy rules issued under the Health Insurance Portability and Accountability
Act (HIPAA), which will become mandatory for health insurers in April 2003.
A number of other federal laws protect consumer privacy interests in the insurance
industry, while a few federal laws, aimed at curbing money laundering and other
crimes, limit privacy. Judicial decisions also influence privacy in the insurance
industry.
Why Privacy Matters
During 2002, information management and privacy continued to be a primary
focus of the media, government, and businesses across the United States. New
privacy bills were drafted and introduced at the state and federal levels. Governments
across the globe worked on gathering and using information for security purposes
while struggling to balance perceived security needs with privacy interests.
During tight economic times, businesses found that access to personally identifiable
information was more important than ever to develop new customers and markets.
Privacy advocates found new supporters in their struggle to protect individual
privacy: state attorneys general and plaintiff lawyers. Furthermore, organizations
around the nation struggled to achieve compliance with a growing number of federal
privacy regulations, such as HIPAA.
Overall, the events of 2002 proved that privacy is an issue that is here
to stay and one that has become important to the core functions of most businesses
and organizations. More than ever, businesses must find ways to successfully
face the challenges that come while attempting to collect and properly manage
information.
Why is collecting and managing personally identifiable information such a
challenge? There are a number of reasons. Until recently, most businesses had
given little thought to the true value, costs, and risks associated with processing
personally identifiable information. Additionally, there is friction between
businesses’ desire to self-regulate and the increasing trend for government
to regulate the collection and use of customer and employee information. Finally,
there are two potentially opposing forces at work: businesses' need for personally
identifiable information, on the one hand, and individuals' demand to control
the use of their personal data on the other.
During 2002, both the public and private sectors dealt with these forces.
During 2003, it is probable that these tensions will come into even greater
focus as technology and world events impact the privacy debate. More than ever,
the insurance industry will be affected and businesses will need to protect
themselves against these new risks.
Privacy Management Is a Growing Imperative
The year 2002 was no different than prior years: the media continued to focus
primarily on privacy failures rather than success stories. The media also focused
on the growing demand for legislation to regulate the collection and use of
personally identifiable information. These do not represent the entire story,
however. Privacy Council's work with a number of leading companies, organizations,
and government agencies reveals that the management of personally identifiable
information and privacy is becoming a core management issue. Businesses have
begun to understand the costs associated with the collection and use of personally
identifiable information, the potential risks, and the need to manage such information
as a fundamental asset of the organization. A few leading companies are working
to turn privacy into a profit center where they can provide privacy products
and services not only to their consumers, but to commercial customers as well.
Government Initiatives
The events of September 11, 2001, greatly influenced the state of privacy
in 2002 as concerns emerged from government surveillance initiatives such as
the U.K.'s Regulation of Investigatory Powers Act, the USA Patriot Act, the
Homeland Security Act, and the Defense Advanced Research Projects Agency's Total
Information Awareness project.
While some governmental agencies worked on gathering, monitoring, and using
personal information in the name of security, other governmental organizations,
such as the Federal Trade Commission (FTC), worked on enforcing the modest number
of privacy laws that have been enacted. While, for the most part, the federal
government avoided passing new privacy legislation, state legislatures were
busy introducing privacy bills and implementing state "do-not-call" lists. According
to the National Business Coalition on E-Commerce and Privacy, by September 2002,
548 privacy bills were introduced in state legislatures. Consumer privacy bills,
such as the one introduced by Florida Congressman Cliff Stearns, attempted to
adopt an opt-out approach, allowing consumers to remove their names, addresses,
and other personal information from commercial customer lists that are commonly
sold or rented to other companies.
Attempting to balance the need for information with privacy, President George
W. Bush signed the E-Government Act of 2002 on December 17, 2002. This bill
will require federal agencies to take privacy more seriously by requiring that
government information agencies publicly assess the effect on privacy before
collecting personally identifiable information from individuals. Therefore,
while federal agencies may implement programs or draft regulations that chip
away at privacy rights, those regulations must be reviewed to identify and address
privacy implications.
Organizations Revise Privacy Policies, Strategies
In the United States, many businesses continued to revise privacy policies
to make them more legalistic and less consumer-friendly. At the same time, 44
state attorneys general filed comments with the FTC, urging the Commission to
require financial institutions to shorten and simplify the confusing legal notices
that explain to customers how their personal and financial information is being
used.
Businesses continued to run into problems managing privacy concerns. For
example, in January 2002, Microsoft's chairman announced a strategy shift to
emphasize security and privacy throughout the company. In May 2002, the media
reported that Hotmail users posted complaints on Internet message boards after
discovering that their Web mail accounts had been configured to share their
e-mail addresses and other registration information with third-party sites that
use the Passport system.
In mid-2002, a California law went into effect prohibiting California employers
from using Social Security numbers for anything except internal administrative
functions or other uses required by law. In July, however, a survey by InformationWeek
Research reported that more than half of large firms, 38 percent of midsized
companies, and 20 percent of small companies use software to monitor all employee
Web use.
Privacy Issues a Global Concern
Reports from Canada, Australia, and the Member States of the European Union
demonstrated that the tension between legitimate use of personally identifiable
information and privacy is a global concern. In Canada, for example, the Privacy
Commissioner ruled that Air Canada's frequent flier program ran afoul of Canada's
opt-in privacy legislation by requiring users to opt out of the airline's sharing
of personal information with external sources. In February, Canadian Customs announced
plans to start using iris scanners during the summer of 2002 to speed air travelers
through the country's busiest airports.
The difficulties in defining acceptable privacy practices and policies also
made the news during 2002. In Europe, European Union officials called U.S. financial
privacy rules inadequate while ruling that Argentina's privacy law meets adequate
standards. While a substantial number of U.S. organizations self-certified adherence
to the Safe Harbor, the European Commission issued a report concluding that
many of those U.S. organizations do not have the expected degree of transparency
with regard to their commitment or contents of their privacy policies.
Citizen Awareness and Participation
In June, North Dakota voters overwhelmingly rejected a law allowing banks
and other institutions to sell customer information without written permission.
It was the nation's first ballot on financial privacy. Some consumers launched
complaints to agencies and companies and some voiced concerns in surveys. However,
for the most part, the average U.S. citizen was conspicuously missing from the
privacy fight. In 2002, the average U.S. citizen continued to show a lack of
awareness or interest in protecting his or her individual privacy rights. As
recently stated by Lauren Weinstein, co-founder of People for Internet Responsibility,
"We've been doing a poor job of shepherding our liberties as we come to the
end of 2002. It's up to us, as citizens and consumers, to demand an appropriate
balance from government and business, both for privacy issues and for our other
precious freedoms, which once lost, we may never see the likes of again."
Will we see the average citizen demand stronger privacy protections from
both governmental and commercial entities during 2003? It remains to be seen.
It does appear likely, however, that regulations such as HIPAA will raise privacy
awareness, at least in the healthcare industry. After April 13, 2003, patients
and participants in health plans will be handed privacy notices that explain
their new rights with regard to health information. As individuals become more
aware of how their information is collected and used, they will likely become
more active in voicing their concerns and pushing the government and business
community to make the privacy of information a priority.
2003: The Privacy Saga Continues
Privacy will continue to be front and center in the political arena during
2003. Congress will continue to debate privacy as the federal government continues
to conduct surveillance in the name of national security and homeland defense.
Privacy concerns will arise as the government works toward a paperless e-government
where individuals can easily access government services online. As important
provisions of the Fair Credit Reporting Act (FCRA) expire at the end of 2003,
discussion surrounding their renewal will make issues of financial privacy a
priority for debate. Indeed, forces on both sides of the issue are already preparing
for the battle.
One issue that will likely continue is the rise of privacy litigation—particularly
in the healthcare and employment arenas. Plaintiff lawyers discovered privacy
causes of action in 2002. Much like the tobacco litigation, lawyers will learn
what causes of action to plead and how to present and prove their cases. Unlike
the tobacco cases, however, privacy plaintiffs may be much more sympathetic, making
juries likely to find liability against defendants who violate privacy expectations.
Conclusion
The privacy saga will only heat up, litigation will be on the rise, enforcement
actions will begin to make an impact, and your customers may be hit hard. Will
you be prepared to help them assess the risks involved with privacy?
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.