Cyber and Privacy Risk and Insurance

The Growing Privacy Risk and the Insurance Industry

Gary Clayton | February 1, 2003


Privacy is a growing risk, given new legislation and court decisions at both the federal and state levels. Businesses find they need to revise their privacy policies to conform. The historical context and legislative overview help firms understand why privacy management is a growing imperative that cannot be ignored.

Privacy is quickly becoming a growing concern to risk managers and the insurance industry. Are you prepared to assess the risk?

While states bear primary responsibility for regulating the insurance industry, including in matters related to privacy, the federal Gramm-Leach-Bliley Act (GLB) requires states to issue privacy rules in accordance with or more stringent than GLB. Other laws and court decisions, at both the federal and state levels, also continue to play an important role in insurance privacy. In addition, new regulations, damaging media episodes, costly litigation, and consumer demand are fast making this an issue you may not be able to ignore.

Historical Context and Legislative Overview

Since its inception, the insurance industry in the United States has been regulated by the states. In 1945, Congress gave official sanction to this regulatory structure when it declared in the McCarran-Ferguson Act that it was in the public's best interest that states regulate the insurance industry.

In 1999, Congress altered the state of the financial and insurance industries with the passage of the GLB. The law allows banks, insurance companies, and investment firms to do business as single financial entities for the first time since the Great Depression. GLB also imposed new privacy requirements on all financial institutions, defined to include insurance companies. The new privacy obligations govern the exchange of personal information between consumers and financial institutions, as well as between financial institutions and other companies. While insurers in some states were already bound by privacy requirements prior to GLB, the new federal law imposed privacy obligations on insurance companies and other financial institutions nationwide for the first time.

However, with the passage of GLB, Congress did not alter the traditional regulatory scheme for the insurance industry. GLB explicitly allows states to remain in charge of regulating almost all aspects of the insurance industry, including privacy. GLB delegates enforcement and rulemaking authority to the states to ensure that the insurance industry complies with GLB's privacy provisions. State privacy laws must be at least as strong as GLB, but may be more stringent.

Other laws also affect privacy in the insurance industry. Primary among these are the federal privacy rules issued under the Health Insurance Portability and Accountability Act (HIPAA), which will become mandatory for health insurers in April 2003. A number of other federal laws protect consumer privacy interests in the insurance industry, while a few federal laws, aimed at curbing money laundering and other crimes, limit privacy. Judicial decisions also influence privacy in the insurance industry.

Why Privacy Matters

During 2002, information management and privacy continued to be a primary focus of the media, government, and businesses across the United States. New privacy bills were drafted and introduced at the state and federal levels. Governments across the globe worked on gathering and using information for security purposes while struggling to balance perceived security needs with privacy interests. During tight economic times, businesses found that access to personally identifiable information was more important than ever to develop new customers and markets. Privacy advocates found new supporters in their struggle to protect individual privacy: state attorneys general and plaintiff lawyers. Furthermore, organizations around the nation struggled to achieve compliance with a growing number of federal privacy regulations, such as HIPAA.

Overall, the events of 2002 proved that privacy is an issue that is here to stay and one that has become important to the core functions of most businesses and organizations. More than ever, businesses must find ways to successfully face the challenges that come while attempting to collect and properly manage information.

Why is collecting and managing personally identifiable information such a challenge? There are a number of reasons. Until recently, most businesses had given little thought to the true value, costs, and risks associated with processing personally identifiable information. Additionally, there is friction between businesses' desire to self-regulate and the increasing trend for government to regulate the collection and use of customer and employee information. Finally, there are two potentially opposing forces at work: businesses' need for personally identifiable information, on the one hand, and the individual's demand for controlling the use of their personal data on the other.

During 2002, both the public and private sectors dealt with these forces. During 2003, it is probable that these tensions will come into even greater focus as technology and world events impact the privacy debate. More than ever, the insurance industry will be affected and businesses will need to protect themselves against these new risks.

Privacy Management Is a Growing Imperative

The year 2002 was no different than prior years: the media continued to focus primarily on privacy failures rather than success stories. The media also focused on the growing demand for legislation to regulate the collection and use of personally identifiable information. These do not represent the entire story, however. Privacy Council's work with a number of leading companies, organizations, and government agencies reveals that the management of personally identifiable information and privacy is becoming a core management issue. Businesses have begun to understand the costs associated with the collection and use of personally identifiable information, the potential risks, and the need to manage such information as a fundamental asset of the organization. A few leading companies are working to turn privacy into a profit center where they can provide privacy products and services not only to their consumers, but to commercial customers as well.

Government Initiatives

The events of September 11, 2001, greatly influenced the state of privacy in 2002 as concerns emerged from government surveillance initiatives such as The U.K.'s Regulation of Investigatory Powers Act, the USA Patriot Act, the Homeland Security Act, and Defense Advanced Research Projects Agency's Total Information Awareness project.

While some governmental agencies worked on gathering, monitoring, and using personal information in the name of security, other governmental organizations, such as the Federal Trade Commission (FTC), worked on enforcing the modest number of privacy laws that have been enacted. While, for the most part, the federal government avoided passing new privacy legislation, state legislatures were busy introducing privacy bills and implementing state "do-not-call" lists. According to the National Business Coalition on E-Commerce and Privacy, by September 2002, 548 privacy bills had been introduced in state legislatures. Consumer privacy bills, such as the one introduced by Florida Congressman Cliff Stearns, attempted to adopt an opt-out approach, allowing consumers to remove their names, addresses, and other personal information from commercial customer lists that are commonly sold or rented to other companies.

Attempting to balance the need for information with privacy, President George W. Bush signed the E-Government Act of 2002 on December 17, 2002. This bill will require federal agencies to take privacy more seriously by requiring that government information agencies publicly assess the effect on privacy before collecting personally identifiable information from individuals. Therefore, while federal agencies may implement programs or draft regulations that chip away at privacy rights, those regulations must be reviewed to identify and address privacy implications.

Organizations Revise Privacy Policies, Strategies

In the United States, many businesses continued to revise privacy policies to make them more legalistic and less consumer-friendly. At the same time, 44 state attorneys general filed comments with the FTC, urging the Commission to require financial institutions to shorten and simplify the confusing legal notices that explain to customers how their personal and financial information is being used.

Businesses continued to run into problems managing privacy concerns. For example, in January 2002, Microsoft's chairman announced a strategy shift to emphasize security and privacy throughout the company. In May 2002, the media reported that Hotmail users posted complaints on Internet message boards after discovering that their Web mail accounts had been configured to share their email addresses and other registration information with third-party sites that use the Passport system.

In mid-2002, a California law went into effect prohibiting California employers from using Social Security numbers for anything except internal administrative functions or other uses required by law. In July, however, a survey by InformationWeek Research reported that more than half of large firms, 38 percent of midsized companies, and 20 percent of small companies use software to monitor all employee Web use.

Privacy Issues a Global Concern

Reports from Canada, Australia, and the Member States of the European Union demonstrated that the tension between legitimate use of personally identifiable information and privacy is a global concern. In Canada, for example, the Privacy Commissioner ruled that Air Canada's frequent flier program ran afoul of Canada's opt-in privacy legislation by requiring users to opt out of the airline sharing personal information with external sources. In February, Canadian Customs announced plans to start using iris scanners during the summer of 2002 to speed air travelers through the country's busiest airports.

The difficulties in defining acceptable privacy practices and policies also made the news during 2002. In Europe, European Union officials called U.S. financial privacy rules inadequate while ruling that Argentina's privacy law meets adequate standards. While a substantial number of U.S. organizations self-certified adherence to the Safe Harbor, the European Commission issued a report concluding that many of those U.S. organizations do not have the expected degree of transparency with regard to their commitment to, or the contents of, their privacy policies.

Citizen Awareness and Participation

In June, North Dakota voters overwhelmingly rejected a law allowing banks and other institutions to sell customer information without written permission. It was the nation's first ballot on financial privacy. Some consumers launched complaints to agencies and companies and some voiced concerns in surveys. However, for the most part, the average U.S. citizen was conspicuously missing from the privacy fight. In 2002, the average U.S. citizen continued to show a lack of awareness or interest in protecting his or her individual privacy rights. As recently stated by Lauren Weinstein, co-founder of People for Internet Responsibility, "We've been doing a poor job of shepherding our liberties as we come to the end of 2002. It's up to us, as citizens and consumers, to demand an appropriate balance from government and business, both for privacy issues and for our other precious freedoms, which once lost, we may never see the likes of again."

Will we see the average citizen demand stronger privacy protections from both governmental and commercial entities during 2003? It remains to be seen. It does appear likely, however, that regulations such as HIPAA will raise privacy awareness, at least in the healthcare industry. After April 13, 2003, patients and participants in health plans will be handed privacy notices that explain their new rights with regard to health information. As individuals become more aware of how their information is collected and used, they will likely become more active in voicing their concerns and pushing the government and business community to make the privacy of information a priority.

2003: The Privacy Saga Continues

Privacy will continue to be front and center in the political arena during 2003. Congress will continue to debate privacy as the federal government continues to conduct surveillance in the name of national security and homeland defense. Privacy concerns will arise as the government works toward a paperless e-government where individuals can easily access government services online. As important provisions of the Fair Credit Reporting Act (FCRA) expire at the end of 2003, discussion surrounding their renewal will make issues of financial privacy a priority for debate. Indeed, forces on both sides of the issue are already preparing for the battle.

One issue that will likely continue is the rise of privacy litigation—particularly in the healthcare and employment arenas. Plaintiff lawyers discovered privacy causes of action in 2002. Much like the tobacco litigation, lawyers will learn what causes of action to plead and how to present and prove their cases. Unlike the tobacco cases, however, privacy plaintiffs may be much more sympathetic, making juries more likely to find liability against defendants who violate privacy expectations.

The privacy saga will only heat up, litigation will be on the rise, enforcement actions will begin to make an impact, and your customers may be hit hard. Will you be prepared to help them assess the risks involved with privacy?

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.