Governo Law Firm attorneys David M. Governo and Corey M. Dennis published an article entitled "Staying Compliant Amid Escalating Cyber Threats: Insurers Must Address Data Privacy Vulnerabilities and Compliance Obligations" on PropertyCasualty360.com. The article discusses the growing cyber threats and heightened data privacy law compliance obligations impacting the insurance industry today.
Please contact David Governo (email@example.com) or Corey Dennis (firstname.lastname@example.org) for further information regarding mitigating cyber risks and complying with state and federal data privacy laws.
Staying Compliant Amid Escalating Cyber Threats
Insurers Must Address Data Privacy Vulnerabilities and Compliance Obligations
Data privacy breaches occur daily and are estimated to cost $5.5 million per breach, while the worldwide cost of cybercrime is estimated to be $388 billion annually. In addition to the risk of significant financial loss, cyber attacks can ruin a company's reputation virtually overnight.
Although companies in the health care, hospitality, and retail industries are considered the prime targets of cyber attacks, companies in the insurance industry share the same risks of financial and reputational loss. In fact, a recent report found that despite increased focus on data security, approximately 40 percent of the 46 major insurance organizations have experienced data breaches in the past 12 months.
The insurance industry has responded to the need for financial protection due to cyber risks by offering cyber liability insurance coverage. However, the insurance industry must recognize that it too is vulnerable to cyber attacks and subject to a myriad of data privacy laws and regulations. This article discusses the compliance obligations insurance companies face in the wake of these complex local, national, and international regulatory schemes.
The Gramm-Leach-Bliley Act
A federal law enacted in 1999 to reform the financial services industry and to address concerns relating to consumer financial privacy, The Gramm-Leach-Bliley Act established a Privacy Rule and a Safeguards Rule applicable to nonpublic consumer personal information held by any "financial institution," which is broadly defined to include insurers, as well as insurance agents and brokers. Under the Privacy Rule, these financial institutions must send their customers privacy notices describing their protections with respect to the customers' nonpublic consumer personal information, as well as "opt-out" notices before the customers' nonpublic personal information is shared with nonaffiliated third parties.
The Safeguards Rule requires financial institutions to develop a written information security plan to protect the security and confidentiality of customer information. Violations of the Act, which preempts weaker state laws, may be enforced by the Federal Trade Commission, state insurance authorities, and other federal agencies.
In 2000, the National Association of Insurance Commissioners (NAIC) adopted the Model Privacy of Consumer Financial and Health Information Regulation to implement the insurance industry privacy obligations under the Gramm-Leach-Bliley Act. The Model Regulation, which is similar to the Act, has been adopted in the vast majority of states.
HIPAA Privacy and Security Rules
The federal Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national health information privacy standards applicable to health care providers, health plans (including health insurance companies, HMOs, and company health plans), and health care clearinghouses holding individuals' "protected health information." The HIPAA Privacy Rule, promulgated in 2000, generally prohibits the unauthorized disclosure of protected health information. Covered entities must also require by contract any "business associates" to whom they disclose protected health information (e.g., insurance brokers and agents, third party administrators of health plans, accounting firms providing services to health care providers) to appropriately safeguard the information.
The HIPAA Security Rule, promulgated in 2003, requires covered entities to maintain "reasonable and appropriate" safeguards for protecting electronic health information, which must be documented in written policies and procedures. The HIPAA Privacy and Security rules, violations of which may result in civil and criminal penalties, generally preempt less stringent state laws.
The HITECH Act and Breach Notification Requirements
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 to combat the privacy and security concerns associated with the electronic transmission of health information. The Act strengthens penalties for HIPAA violations, extends HIPAA violation liability to business associates (such as insurance brokers and agents), establishes an audit program mandate, and authorizes state attorneys general to bring civil enforcement actions for HIPAA violations. To implement the audit program mandate, the U.S. Department of Health and Human Services began a privacy and security audit pilot program in November 2011, and 115 audits will be conducted through December 2012.
The HITECH Act's breach notification regulations require HIPAA covered entities to report data breaches affecting 500 or more individuals to the affected individuals, the U.S. Department of Health and Human Services, as well as to "prominent media outlets serving a State or jurisdiction." Breaches affecting fewer than 500 individuals must be reported to the Department annually.  In addition, business associates must notify covered entities of any breaches.
State Data Privacy Laws
Over the past several years, 46 states have enacted laws governing data privacy and security. To comply with these laws and minimize the risk of a data breach, businesses, including those in the insurance industry, must adopt security measures to protect the personal information of both their customers and their employees.
Under the data privacy laws of California and Rhode Island, for example, businesses holding unencrypted personal information of state residents must implement "reasonable security procedures and practices," and must require by contract third parties to whom they disclose such information to implement those safeguards. Further, the laws of both states require notification to affected residents of any data security breaches "in the most expedient time possible."
The Massachusetts data privacy regulations, which became effective in March 2010, are among the most burdensome in the country. The regulations apply to every "person" or other entity, including companies both inside and outside of Massachusetts, holding personal information of Massachusetts residents.
They require such entities to establish physical, administrative, and technical information security measures to safeguard personal information and to develop a "written comprehensive information security program" outlining those measures. Covered entities must also require their third-party service providers (for example, payroll providers, outsourcers, contractors) to implement security measures by contract, and must ensure encryption of records containing personal information stored on portable devices or transmitted over wireless networks.
In the event of a data security breach, covered entities are required to give notice to any affected Massachusetts residents, as well as to the Massachusetts Attorney General's Office and the Massachusetts Office of Consumer Affairs and Business Regulations. The Massachusetts Attorney General is authorized to enforce the Massachusetts data privacy laws by bringing civil actions, which may result in substantial liability.
Under Connecticut's data privacy laws, any business holding personal information must safeguard it to prevent misuse by third parties, and any business that collects Social Security numbers in the course of its business must create a "privacy protection policy" establishing safeguards for those Social Security numbers. The laws also require those doing business in Connecticut to disclose any security breach involving unencrypted personal information to state residents and the state attorney general "without unreasonable delay." 
In August 2010, the State of Connecticut Insurance Department issued Bulletin IC-25 regarding information security incidents, which applies to all entities regulated by the Department, including insurance producers, property and casualty insurers, life and health insurers, public adjusters, casualty claim adjusters, and pharmacy benefit plans. The Bulletin requires regulated entities to notify the Connecticut Insurance Commissioner of any information security breach of a Connecticut insured, member, subscriber, policyholder, or provider, including those involving their business associates, within five days. The Departments of Insurance of several other states, including Rhode Island, Ohio, and Wisconsin, have issued similar bulletins and regulations requiring insurers to notify the state departments of insurance in the event of a data breach.
The Payment Card Industry Data Security Standard (PCI-DSS), an international information security standard established by the Payment Card Industry Security Standards Council, imposes a set of security requirements on organizations that handle cardholder information for major credit and debit cards, including protecting cardholder data as well as maintaining a secure network, a vulnerability management program, and an information security policy. Several states, including Nevada, have incorporated the PCI-DSS requirements into their data security laws.
International Data Privacy Laws
Insurers conducting business overseas must understand the compliance challenges posed by international data privacy laws. Significantly, the European Union Data Protection Directive (Directive 95/46/EC) represents one of the strictest data privacy frameworks in the world. The Directive governs the processing of personal data and the free movement of such data and applies to all companies processing data of European residents. It permits processing of personal data only under specified circumstances, such as when the data subject has given consent or it is necessary to fulfill a contract or meet another legal obligation.
Under the Directive, personal data must be processed in accordance with certain data protection principles, including the requirements that it be processed fairly and lawfully; collected only for specified, explicit, and legitimate purposes; as well as adequate, relevant, and not excessive in relation to the purposes for which it is processed. Further, covered entities are required to implement appropriate technical and organizational measures to safeguard the data.
The Directive prohibits the transfer of personal data to a non-EU country unless that country's level of protection is deemed adequate. U.S. data privacy laws have been deemed inadequate. As a result, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework in 2000, under which U.S. companies are permitted to receive personal data transfers from the EU if they certify that they will comply with requirements similar to those imposed by the EU Data Protection Directive. U.S. companies failing to comply with the Safe Harbor Framework have recently been subject to Federal Trade Commission enforcement actions.
In light of the growing risk of cyber threats to all businesses, including insurance companies, attorney-directed data risk assessments have become critical in detecting vulnerabilities and ensuring compliance with applicable laws. It is recommended that outside counsel be retained to preserve the attorney-client privilege applicable to any reports or other communications relating to the assessment. Such documents may also be protected by the work-product doctrine if they are prepared in anticipation of litigation, or by the "self-critical analysis privilege," which some courts have recognized in limited circumstances.
President Obama recently declared that "the cyber threat to our nation is one of the most serious economic and national security challenges we face." While companies in the insurance industry may recognize that other businesses face these cyber liability risks, they should not disregard their own vulnerabilities and compliance obligations. Complying with the complex web of data privacy laws is challenging, but necessary to mitigate the liability and reputational damage that often results from data breaches today.
2. See Elise Ackerman, Secretary of Homeland Security: cybercrime as big a threat as Al Qaeda, Forbes QUBITs Blog (June 3, 2012). Since 2005, over 3,300 data breaches, resulting in more than 563 million comprised records, have been reported in the United States. See Privacy Rights Clearinghouse, Chronology of Data Breaches. As the reported cyber attacks "represent only a small fraction of cyber attacks carried out," these figures may well be underestimates. See Bipartisan Policy Center, Too many cyber attacks hushed up, US panel says (July 19, 2012)
3. See Deloitte 2012 DTTL Global Financial Services Industry Security Study. The report also found that insurers are "bracing for the impact of more stringent consumer financial laws as well as the risks associated with newer technologies to meet the growing demand for virtual operations." Id.
4. See 15 U.S.C. § 6801 et seq.; 16 C.F.R. § 313.3(k)(1).
5. See 16 C.F.R. § 313.1 et seq.
6. See 16 C.F.R. § 314.1 et seq.
7. See 15 U.S.C. § 6807; 16 C.F.R § 313.17.
8. See 15 U.S.C. § 6805. Three credit report resellers recently settled FTC charges based on their failure to reasonably protect consumers' personal information in violation of the Act, which resulted in computer hackers accessing the information. The settlements required the companies to strengthen their data security procedures and submit to audits for 20 years. See Federal Trade Commission Press Release, Credit Report Resellers Settle FTC Charges; Security Failures Allowed Hackers to Access Consumers' Personal Information (February 3, 2011),
9. See 45 C.F.R. § 160.102; 45 C.F.R. § 160.103. "Protected health information" is defined as individually identifiable health information relating to the individual's physical or mental health conditions, or the provision of or payment for health care to the individual. See 45 C.F.R. § 160.103. This includes the individual's name, address, birth date, and social security number.
10. See 45 C.F.R. § § 164.500 et seq.
11. See 45 C.F.R. § 164.502(e); 45 C.F.R. § 160.103.
12. See 45 C.F.R. § § 164.302 et seq.
13. See 45 C.F.R. § 160.203.
14. See 42 U.S.C. § 17931 et seq.
15. See U.S. Department of Health and Human Services, HIPAA Privacy & Security Audit Program.
16. 42 U.S.C. § 17932.
17. See id.
18. 42 U.S.C. § 17932(b).
26. Cal. Civ. Code § 1798.81.5; R.I. Gen. Laws § 11-49.2-2.
27. Cal. Civ. Code § 1798.82; R.I. Gen. Laws 11-49.2-3.
28. See 201 CMR 17.02. "Personal information" is defined as a Massachusetts resident's first name (or initial) and last name, in combination with the resident's: (1) social security number; (2) driver's license number or state-issued ID card number; or (3) financial account number or credit/debit card number. See id.
29. See 201 CMR 17.03.
30. See 201 CMR 17.03 & 201 CMR 17.04.
31. See Mass. Gen. Laws ch. 93H § 3.
32. Recent Massachusetts data breach enforcement actions resulted in a $750,000 settlement with a Massachusetts hospital, a $110,000 settlement with a major Boston restaurant group, and a $15,000 settlement with a property management firm. See Massachusetts Attorney General Press Release, South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations (May 24, 2012); Massachusetts Attorney General Press Release, Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement with AG Coakley (March 28, 2011); Massachusetts Attorney General Press Release, Property Management Firm to Pay $15,000 in Civil Penalties Following Data Breach (March 21, 2012).
33. See Conn. Gen. Stat. § 42-471.
34. Conn. Gen. Stat. § 36a-701b.
35. See State of Connecticut Insurance Department, Bulletin IC-25. The Bulletin was issued pursuant to statutory authority.
36. See Rhode Island Insurance Regulation 107; Ohio Insurance Bulletin 2009-12; Wisconsin Office of the Commissioner of Insurance December 4, 2006 Bulletin.
37. See Nev. Rev. Stat. § 603A.215.
38. The Directive was promulgated in 1995 and later implemented, with some variation, by the EU member states. Other international data privacy laws include Canada's Personal Information Protection and Electronic Documents Act, the Asia-Pacific Economic Cooperation's Privacy Framework, Japan's Personal Information Protection Law, Australia's Federal Privacy Act, and Argentina's Law for the Protection of Personal Data.
39. "Personal data" is defined very broadly to include any information relating to a European resident that identifies the resident by reference to an identification number or by his or her "physical, physiological, mental, economic, cultural or social identity." See EU Directive 95/46/EC, Article 2.
40. See EU Directive 95/46/EC, Article 7.
41. See EU Directive 95/46/EC, Articles 6 & 17.
42. See EU Directive 95/46/EC, Article 25.
43. See U.S. Department of Commerce, U.S.-EU Safe Harbor Principles.
 See Federal Trade Commission Press Release, FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network (March 30, 2011), http://www.ftc.gov/opa/2011/03/google.shtm; Federal Trade Commission Press Release, Court Halts U.S. Internet Seller Deceptively Posing as U.K. Home Electronics Site (August 6, 2009), http://www.ftc.gov/opa/2009/08/bestpriced.shtm.
45. Communications with in-house counsel are often not protected by the attorney-client privilege, as in-house counsel typically hold dual roles, providing both business and legal advice. See Rossi v. Blue Cross & Blue Shield of Greater New York, 73 N.Y.2d 588, 592-93 (1989) (explaining privilege must be applied with particular caution to in-house counsel, given blurred roles); see also TVT Records v. Island Def Jam Music Group, 214 F.R.D. 143, 144 (S.D.N.Y. 2003) (explaining privilege issues complicated by fact that "in-house attorneys are more likely to mix legal and business functions"); In re Seroquel Products Liab. Litig., No. 606MD1769-ORL-22DAB, 2008 WL 1995058, a *8 (M.D. Fla. May 7, 2008) (holding "primary purpose" of communication must be to provide legal, rather than business, advice for privilege to apply).
46. See Fed. R. Civ. P. 26(b)(3)(A) (providing documents prepared "in anticipation of litigation" ordinarily not discoverable).
47. See Clark v. Pennsylvania Power & Light Co., Inc., No. 98-3017, 1999 WL 225888, at *2 (E.D. Pa. Apr. 14, 1999) (applying "critical self-analysis privilege" in employment discrimination case); In Re Crazy Eddie Securities Litigation, 792 F. Supp. 197, 205 (E.D.N.Y. 1992) (applying privilege to audit and peer review reports in securities law case); Hickman v. Whirlpool Corp., 186 F.R.D. 362, 364 (N.D. Ohio 1999) (holding company's minutes from safety meetings privileged in personal injury action). The self-critical analysis privilege has been defined as "a qualified privilege that protects from disclosure documents reflecting a party's own forthright evaluation of its compliance with regulatory, legal or professional standards." Robinson v. Troyan, No. CV 07-4846 ETB, 2011 WL 5416324, at *4 (E.D.N.Y. Nov. 8, 2011). Several states have enacted statutes codifying the privilege as applicable to insurance companies. See N.J. Stat. Ann. 17:23C-1 et seq.; D.C. Code Ann. § 31-853; 215 Ill. Comp. Stat. 5/155.35; Kan. Stat. Ann. § 60-3351; Or. Rev. Stat. § 731.761; N.D. Cent. Code § 26.1-51-02.
48. See Barack Obama, Taking the Cyberattack Threat Seriously, The Wall Street Journal (July 19, 2012).
About the Author
David M. Governo is the founding partner of Governo Law Firm LLC, an 18-attorney law firm in Boston, Mass. For more than three decades, he has advised companies on a range of risk management and compliance issues, and defended companies in complex litigation. He has attained Martindale-Hubbell's highest "AV" rating, is an active member of the Federation of Defense and Corporate Counsel, and has been voted a New England Super Lawyer for many years. Governo may be reached at email@example.com.
About the Author
Corey M. Dennis is an attorney at Governo Law Firm LLC, where he practices complex litigation and dispute resolution. He has counseled businesses on compliance with data privacy laws, is a Certified Information Privacy Professional (CIPP/US), and has published numerous legal articles in the areas of data privacy, civil litigation, social media, toxic tort, and employment law. Dennis may be reached at firstname.lastname@example.org.