Editor's Note: David M. Governo, founding partner of Governo Law Firm LLC, and Corey M. Dennis, an attorney at the firm, contributed this article.
Although companies in the health care, hospitality and retail industries are considered the prime targets of cyber attacks, companies in the insurance industry share the same risks of financial and reputational loss. In fact, a recent report found that despite increased focus on data security, approximately 40 percent of the 46 major insurance organizations have experienced data breaches in the past 12 months.
The federal Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national health information privacy standards applicable to health care providers, health plans (including health insurance companies, HMOs and company health plans) and health care clearinghouses holding individuals’ “protected health information.” The HIPAA Privacy Rule, promulgated in 2000, generally prohibits the unauthorized disclosure of protected health information. Covered entities must also require by contract any “business associates” to whom they disclose protected health information—for example, insurance brokers and agents, third-party administrators of health plans, accounting firms providing services to health care providers—to appropriately safeguard the information.
The HIPAA Security Rule, promulgated in 2003, requires covered entities to maintain “reasonable and appropriate” safeguards for protecting electronic health information, which must be documented in written policies and procedures. The HIPAA Privacy and Security rules, violations of which may result in civil and criminal penalties, generally preempt less stringent state laws.
Over the past several years, 46 states have enacted laws governing data privacy and security. To comply with these laws and minimize the risk of a data breach, businesses, including those in the insurance industry, must adopt security measures to protect the personal information of both their customers and their employees.
Under the data privacy laws of California and Rhode Island, for example, businesses holding unencrypted personal information of state residents must implement “reasonable security procedures and practices” and must require by contract third parties to whom they disclose such information to implement those safeguards. Further, the laws of both states require notification to affected residents of any data security breaches “in the most expedient time possible.”
Under Connecticut’s data privacy laws, any business holding personal information must safeguard it to prevent misuse by third parties, and any business that collects Social Security numbers in the course of its business must create a “privacy protection policy” establishing safeguards for those Social Security numbers. The laws also require those doing business in Connecticut to disclose any security breach involving unencrypted personal information to state residents and the state attorney general “without unreasonable delay.”
In August 2010, the State of Connecticut Insurance Department issued Bulletin IC-25 regarding information security incidents, which applies to all entities regulated by the department, including insurance producers, property and casualty insurers, life and health insurers, public adjusters, casualty claim adjusters, and pharmacy benefit plans. The bulletin requires regulated entities to notify the Connecticut insurance commissioner of any information security breach of a Connecticut insured, member, subscriber, policyholder or provider, including those involving their business associates, within five days. The departments of insurance of several other states, including Rhode Island, Ohio and Wisconsin, have issued similar bulletins and regulations requiring insurers to notify the departments in the event of a data breach.
The European Union's data protection directive governs the processing of personal data and the free movement of such data and applies to all companies processing the data of European residents. It permits processing of personal data only under specified circumstances, such as when the data subject has given consent or when processing is necessary to fulfill a contract or meet another legal obligation.
Under the directive, personal data must be processed in accordance with certain data protection principles, including the requirements that it be processed fairly and lawfully; collected only for specified, explicit and legitimate purposes; and be adequate, relevant and not excessive in relation to the purposes for which it is processed. Further, covered entities are required to implement appropriate technical and organizational measures to safeguard the data.