The Privacy Menu

1. The Privacy Menu Kathleen Jensen Sr. Counsel and Director Property Casualty Insurers Association of America

2. GLBA (Gramm Leach Blilie) • Distinguishes between “consumer” and “customer” • Requires an annual “Privacy Notice” • Requires an “Opt-out” if disclose non-public personal financial information to a non-affiliated third party outside of one of the exceptions

3. The FACT Act (The Fair and Accurate Credit Transactions Act) • Amended the FCRA (Fair Credit Reporting Act) – Did Not Replace • FCRA allows Consumer Reporting Agencies (Experian, Trans Union, Equifax) to give consumer report information to insurers for underwriting purposes • FCRA explicitly allows sharing transactional and experience information with an affiliate

4. The FACT Act (The Fair and Accurate Credit Transactions Act) • § 624 – Affiliate Sharing Any person that receives from an affiliate information that would be a consumer report but for clauses (i), (ii), and (iii) of section 603(d)(2)(A) may not use the information to make solicitation for marketing purposes to a consumer about its products unless:

5. The FACT Act (The Fair and Accurate Credit Transactions Act) • It is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons for purposes of making such solicitations to the consumer; and • The consumer is provided an opportunity and a simple method to prohibit the making of such solicitations to the consumer by such person.

6. Affiliate Sharing • FCRA - §624(b)(2) – No requirement or prohibition may be imposed under the laws of any state with respect to the exchange of information among affiliates. • CA SB1 – Prohibited sharing non-public personal information with an affiliate outside of the “silo” • 9th Circuit Decision SB1 pre-empted by FCRA

7. EDR (Event Data Recorders) • Tracks automobile mechanical information • Legislation prohibits companies from acquiring information without the permission of the “driver.”

8. Security Breach: Legislation OverviewAssociation of Insurance Compliance Professionals – Education DayApril 28, 2006 Rick Gubbels, Privacy Officer Principal Financial Group 515.248.8638 Gubbels.rick@principal.com

9. Security Breach Legislation Background: • Numerous highly published security breaches • Hackers / Lost CDs / Tapes / Stolen Computers & Laptops • California SB1386 Notification Requirements • Congress considering security breach legislation • State security breach laws

10. Security Breach Legislation Background: • February 2005, Choicepoint sold personal information of 145,000 people to a criminal enterprise. • First notified California residents, as required by California SB 1386. • Later disclosed that residents in other states may have been affected.

11. Federal Breach of Security Legislation – Senate Security Breach Bills

12. Federal Breach of Security Legislation – House Security Breach Bills

13. Four Core Features • National uniformity (Preemption of state laws) • Definitions • Breach of Security • Personal Information • Notification trigger • Administrative enforcement

14. HR 4127 – House Energy and Commerce Committee approved (March 28, 2006) the “Data Accountability and Trust Act” (DATA Act) HR 4127 would • Preempt state laws except those laws dealing with trespass, contracts, or tort to the extent those acts relate to fraud. • Require notifications when there is reasonable risk of identity theft, fraud or other unlawful conduct. • Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity’s website is also required. The FTC must also be notified.

15. HR 4127 – House Energy and Commerce CommitteeCont’d. • Provide an FTC or independent audit of an information broker’s security practices following a breach of security. • Require entities notifying consumers of security breaches to provide, at no cost to each notified individual, quarterly consumer credit reports beginning no later than two months following discovery of a breach and continuing for a period of two years.

16. HR 3997 – House Financial Services Committee passed (March 16, 2006) the Financial Data Protection ActHR 3997 amends the Fair Credit Reporting Act to prescribed safeguards for data security HR 3997 would • Preempt state laws. • Require notification of those data breaches posing “harm or inconvenience” to consumers by being used to commit identity theft or fraud. • Applies to paper as well as electronic data.

17. HR 3997 – House Financial Services Committee Cont’d. • Require entities notifying consumers of security breaches to offer a nationwide credit monitoring service to each consumer free of charge and for at least a 6-month period (so long as such service is requested by a consumer within 90 days of being notified of the security breach).

18. State Security Breach Laws:CA Security Breach Law – SB 1386, effective July 1, 2003, served as a model for similar legislation Requirements: The California security breach statute requires public disclosure of computer security breaches in which unencrypted confidential information of any California resident may have been compromised. The law applies to any person or entity that does business in California, even if located out of state, and that owns or licenses computerized data that includes personal information.

19. CA Security Breach Law – SB 1386 Definitions - • Security Breach: A “breach of the security of the system” is defined by the law as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

20. CA Security Breach Law – SB 1386 • Personal Information: The law defines “personal information” as an individual’s first name or initial and last name, in combination with either: the individual’s Social Security number; driver’s license or identification number; or account number, debit, or credit card number together with any required access code that would permit access to the individual’s financial account.

21. CA Security Breach Law – SB 1386 • Notification Requirements: A company that has a security breach in California must make the disclosure “in the most expedient time possible and without unreasonable delay.” Notice may be delayed when a law enforcement agency determines that the notification will impede a criminal investigation.

22. State Security Breach Laws • 2005 – 22 states enacted data breach notification laws. • 2006 – New data breach consumer measures introduced in 17 states that did not pass such laws in 2005.

23. Alaska Arizona Colorado Hawaii New Hampshire (failed to pass the House) South Carolina West Virginia State Security Breach LawsNew breach bills being considered in the following states:

24. Alabama Iowa Kansas Kentucky Maryland Massachusetts Missouri Vermont Virginia (delayed until 2007 legislation) State Security Breach LawsStates with Breach Bills in Committee

25. State Security Breach LawsAs of April 4, 2006, 26 states have passed legislation

26. State Security Breach LawsCont’d.

27. State Security Breach LawsCont’d.

28. State Security Breach LawsCont’d.

29. General Overview of State Security Breach Laws Compliance – Most laws extend the security breach notification obligations to any person or company that acquires, maintains, handles, collects, disseminates, owns, licenses, sells, or otherwise deals with nonpublic personal information.

30. General Overview Cont’d. Definition of Personal Information - The definition of “personal information” generally include the following: individual’s name in combination with at least one other data element (e.g., Social Security number, driver’s license number, credit or debit card number in combination with any required security code or password, medical information, etc.).

31. General OverviewCont’d. Covered Data - Most bills generally apply to computerized or electronic data. Notification Timing - Most of the states require that notice be made to the affected individuals in the most expedient time possible and without reasonable delay. (Florida has mandated that notification be made within a 45-day time period.) Law Enforcement Delay - All enacted legislation provides for a delay if the notification would impede a criminal investigation.

32. General Overview Cont’d. Substitute Notice - All enacted legislation permit the use of substitute notice. For the most part, substitute notice is permitted when the cost of providing notice exceeds $250,000 and the number of affected individuals is more than 500,000, but some legislation both raised and lowered the threshold amounts.

33. General Overview Cont’d. Notification Exemption - Some of the laws exempt a company from its notification requirements if, after appropriate investigation, the company reasonably determines that the breach has not resulted, and is not likely to result, in harm to the individuals whose personal information has been acquired. Additional Notification Requirements - Some of the security laws require a company to notify credit reporting agencies if the security breach affected a statutorily mandated number of people (ranging from 500 to 10,000).

34. Ways to Prevent Security Breaches • Promote awareness of security and privacy policies through ongoing employee training and communications. • Require third party service providers and business partners to follow specified security procedures. • Use data encryption that meets the National Institute of Standards and Technology’s Advanced Encryption Standard. • Dispose of records and equipment containing personal information in a secure manner.

35. Information Sharing Issues: Claims Payment and AffiliatesLori Geadelmann, Senior Counsel FBL Financial Group, Inc.

36. Claims Payment Several situations create unique privacy challenges in the life insurance claims settlement area.

37. Two Basic Rules (1) Information about the policy can always be released to the owner, except for medical information about the insured which was not on the application (such as records gathered during the underwriting process) in cases where the owner and insured are not the same individual;

38. (2) Information about the claims process, the proceeds payable, and other relevant facts can be released to the beneficiaries once the insured is deceased. Not all policy information should be shared with beneficiaries, however. In particular, you should be careful about sharing medical information about the insured, although this is sometimes necessary in contested cases.

39. Executors/Administrators/Personal Representative of the Estate Sometimes a request is received for information about a policy from the executor of the owner’s estate, especially in cases where the owner and insured are the same person.

40. In these cases, information can be released to the executor in the same manner as could have done so with the owner. The executor essentially stands in the shoes of the owner.

41. Attorneys/Lawyers If an attorney indicates that he or she represents a person who has the right to receive certain information, the information can be released to the attorney to the same extent as it could be released to the person who is represented, with a few caveats:

42. the attorney should request the information in writing, and should state in the written communication that he or she represents the individual who would have the right to receive the information; • you should not release medical information to the attorney without a written authorization from the person entitled to give such authorization, although, again, this may be acceptable in certain contested cases.

43. Attorneys-in-Fact General rule: You generally can release information to an attorney-in-fact under a Power of Attorney to the same extent as you could release the information to the grantor of the power while the grantor of the power is alive. Naturally, there are caveats:

44. 1. Read the POA document to make sure the right to receive information is included in the powers granted. 2. When the grantor of the power has died, the POA document is no longer effective and no information can be released under it.

45. Attorney-in-Fact Example An example would be a situation where an owner/insured has granted a POA to his wife. While the owner/insured is alive, the wife could receive information about the policy to the same extent as the owner/insured. Once the owner/insured has died, however, no more information can be released pursuant to the POA.

46. Sharing Information Among Beneficiaries It is acceptable to share certain information among a group of beneficiaries. What can be shared: (1) It is OK to tell a beneficiary who else is a beneficiary. (2) It is also OK to send all beneficiary statements to one beneficiary for distribution to the other beneficiaries.

47. What shouldn’t be shared: You should not share personal information about a beneficiary gathered during the claims process with other beneficiaries. Note that in the first two examples the information shared was not received from a beneficiary.

48. Funeral Homes Funeral homes which are beneficiaries (or assignees) can receive the same information as any other beneficiary. If the funeral home is not the beneficiary, but calls in the death claim, they should be informed that they are not the beneficiary and that no information about the policy can be released to them.

49. C/O Addresses If a person who has the right to receive information requests that information be sent to him or her “in care of” someone else, it is OK to send the information to the other person as long satisfactory evidence has been received that this is the desire of the person with the right to receive the information.

50. Affiliate Sharing