Security Requirements in a Privacy World
June 2003
Legal security requirements are increasing
at a rapid pace, with Gramm-Leach-Bliley and the Health Insurance Portability
and Accountability Act as two recent examples. How can businesses comply with
these laws and address other security exposures? Failure can be costly in the form of fines,
penalties, and negative media exposure. Investing in security safeguards that
not only ensure compliance but instill consumer trust is now a business imperative.
by Kara Spooner, CPA, CISA
edited by Gary E. Clayton, CEO
www.privacycg.com
While many in the insurance industry have been focused on compliance with
legal requirements regarding the privacy of personal information, the priority
is moving to a more comprehensive approach to data protection by also emphasizing
the security of personal information. Legislation to enforce security safeguards
for personal information is currently limited; however, legal requirements for
data protection are going to be increasing at a rapid pace in the next few years.
Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act
are two pieces of legislation that will have an increasing impact on the security
practices of those in the insurance industry.
Security under Gramm-Leach-Bliley
Because the states are responsible for regulating the insurance industry,
Gramm-Leach-Bliley (GLB) stipulates that the states pass legislation to enforce
the requirements laid out in the law. Similar to these privacy requirements,
GLB requires security provisions to be enforced by the states for the insurance
industry. There is an exception in GLB that states that banks offering insurance
products will be subject to the requirements and deadlines of their regulatory
agency, as opposed to the state in which the institution resides.
Currently, four states have passed personal financial information security
laws, while several other states have proposed laws. It is important to note,
however, that implementing and enforcing laws for the security of personal information
is a requirement of GLB, and all states must eventually pass legislation for
the insurance carriers in their state. It is a matter of time before all states
have laws on the books implementing the security requirements of GLB. The deadline
for other financial entities, such as banks and brokerage houses that are regulated
by government agencies, was May 23, 2003.
The National Association of Insurance Commissioners (NAIC) has issued a security
model regulation for states to use in drafting their requirements for the insurance
companies in their states. This model is similar to the one developed for the
GLB privacy requirements. The model regulation requires insurers to establish
the administrative, technical, and physical safeguards outlined in GLB and is
similar to those established by regulatory bodies for other financial institutions.
The security requirements for GLB call for safeguards to protect customer
information from anticipated security threats and from unauthorized use or disclosure.
Safeguards must be outlined and documented as part of an information security
program and should include the following.
- The identification of threats that may result in unauthorized use or
disclosure
- The assessment of the likelihood and damage of those threats
- Regular monitoring of the information security program, including testing
- Training of staff responsible for implementing the program
- Overseeing the compliance of service providers
States have used the NAIC privacy model as a basis for their legislation
but have not replicated it word for word. Requirements vary from state to state
and it is anticipated that security legislation will also vary as it is passed.
Insurance companies doing business in multiple states are sure to find themselves
with a myriad of conditions to meet. However, unlike the privacy requirements,
the goal of each state's security requirements is essentially the same: to
assess the current risks and implement a comprehensive information security
program to protect personal information.
Security under the Health Insurance Portability and Accountability Act
Rules designed specifically for the privacy and security of protected health
information have been issued under the Health Insurance Portability and Accountability
Act (HIPAA). While the deadline for compliance with the security rule is not
until 2005, there are security requirements within the privacy rule that became
effective on April 14, 2003 for health insurers and most other covered entities.
Under the privacy rule, health insurers must maintain appropriate administrative,
technical, and physical safeguards, similar to those required under GLB, and
provide training for employees regarding privacy protection of health information.
The security requirements within the privacy rule are very broad, and health
insurance organizations may wish to examine the security rule to develop a proper
course of action to maintain compliance.
The recently released security rule under HIPAA sets baseline standards for
all protected health information that is maintained and transmitted electronically.
It also requires that certain policies and procedures are documented and followed.
Covered entities must only disclose the minimum amount of information necessary
for any given transaction.
All standards set in the HIPAA security rule must be implemented, and the
Department of Health and Human Services (HHS) has issued implementation specifications
that detail how to best address the standard. For some standards, there are
several options on implementation, and those are defined as “addressable,” which
means that the covered entity can select the best option given cost, size, complexity,
and potential security risks. While cost can be factored in to determine the
most effective addressable implementation, it cannot be used as a reason for
not complying with the standard.
Unlike the GLB requirements that are enforced at the state level, HHS enforces
HIPAA and accepts privacy complaints from consumers regarding misuse of their
personal health information. Despite the 2005 deadline for the security rule,
consumers may presently submit security complaints to the extent security is
covered in the privacy rule. In anticipation of the security rule deadline in
2005, HHS plans to issue models and guidelines to assist covered entities in
compliance.
While many non-health insurance organizations may not consider themselves
covered by HIPAA, an area of compliance that is frequently overlooked pertains
to employer-sponsored health plans. These plans are considered covered entities
under HIPAA and, depending on certain characteristics of the health plan, may
need to meet the same requirements as other covered entities. Non-health-related
organizations are finding themselves covered by this comprehensive law and in
need of the appropriate policies, procedures, and security that are required
of those in the healthcare and health insurance sectors.
Other Security Exposures
In addition to legislation that has been passed to regulate privacy and security
in the insurance industry, federal agencies and other parties are taking an
extremely active interest in the industry's business practices.
The Federal Trade Commission (FTC) has undertaken an aggressive agenda for
protecting consumers’ privacy and personal information. Several states’ attorneys
general have also undertaken initiatives to protect their citizens’ privacy
and prosecute those parties that violate it. In addition to privacy issues,
cases involving the security and confidentiality of consumer information and
organizations’ obligation to protect that information have prompted these parties
to investigate and levy fines and other penalties as they see necessary.
Identity theft was the number one consumer complaint to the FTC in 2002.
In today’s world, adequate security is considered more than a best practice
or a consumer relations venture; it is a necessity for any organization wishing
to collect and use personal information. Promises regarding security in a privacy
statement that are false or misleading can result in investigations, fines,
lawsuits, and negative publicity, to name a few. Companies that do business
online run an additional risk of potentially embarrassing security breaches
involving their Web sites.
Although the FTC may not necessarily regulate an organization, any business
practices determined to be false and/or deceptive may be investigated and punished
by the FTC. And state attorneys general may prosecute any company conducting
business in their state. What is important to note about these cases is that the fines
and cost of investigation by the FTC and other parties do not affect organizations
and their products as much as the negative media attention and new consumer
views that develop because of the news coverage.
Organizations doing business outside the United States may be faced with
detailed privacy and security restrictions for each foreign country where customers
reside. Canada, Australia, and the countries of the European Union are just
some that have stringent requirements regarding the collection, use, and protection
of their citizens’ information. Security for personal information is considered
one of the basic practices of a privacy-aware organization, and some type of
security requirement is sure to be found in any legislation abroad regarding
privacy.
The Impact of Security on Your Organization
For insurers who find themselves in a position to comply with security requirements
or anticipate a need to comply in the future, the sheer number of state laws
and specific requirements can be daunting—especially for organizations based
in more than one state. Companies with self-funded health plans find themselves
in a position to comply both for their customers and their employees. Finding
a level of compliance that meets both HIPAA and GLB often results in additional
confusion.
Conducting regular assessments and implementing a security program that meets
the safeguards established both by law and best practices can help your organization
avoid costly fines and penalties, as well as negative media attention. Achieving
and remaining in compliance with privacy and security regulation requires a
constant vigilance and awareness of the legal environment.
The expectations for data protection by state and federal governments, as
well as consumers and employees, continue to increase, and numerous new legal
requirements for those in the insurance industry will soon be enforced. And
yet, organizations that make an investment into reasonable security safeguards
and procedures will likely find themselves in a position to gain consumer trust,
as opposed to merely avoiding fines and litigation.
Kara Spooner, CPA, CISA, is a
senior consultant with Privacy Council, an international privacy consulting
and technology firm, where she assists clients in a number of industries in
assessing privacy risks for legislative compliance and best practices and implementing
comprehensive solutions using web technologies and policy and procedure development.
She has also developed privacy-focused client information management processes
such as privacy policy reviews, data and information flow mapping, and gap analysis.
A Certified Public Accountant and Certified Information Systems Auditor, she
is a graduate of Texas A&M University, College Station with a BS and MS in Accounting
Information Systems. Ms. Spooner can be reached at this .
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.