On the insurance firms' own privacy front, the logical place to start is the Gramm-Leach-Bliley Act of 1999. That landmark law broke down the final barriers standing in the way of financial institutions getting into the insurance, banking and securities businesses. GLB also imposed privacy requirements on financial institutions.

As insurers are subject to state regulation, GLB provided that the states adopt electronic privacy laws governing the insurance industry's exchange of personal information with its customers, as well as between the insurers and other financial institutions.

At least that was the plan.

It is a plan that has not fulfilled the expectations of Congress, according to a new report by security consulting firm Zeichner Risk Analytics LLC of Falls, Church, Va. The report concluded that 36 states have so far failed to fully implement the cyber-security regulations required by GLB, despite the existence of a model regulation, developed by the Kansas City, Mo.-based National Association of Insurance Commissioners.

So insurers in these states are still without solid guidance regarding exactly what they are supposed to do to protect client privacy.

The NAIC model regulation, “Standards for Safeguarding Customer Information,” was developed to comply with GLB's mandate that insurers develop adequate non-public personal information security. The regulation requires a documented and comprehensive security plan, noted Hal Eckert, manager of the privacy management office of the law department of Zurich North America, based in Schaumburg, Ill.

Mr. Eckert explained that such a plan has three major components:

Physical security, such as keeping equipment behind locked doors, or having premises patrolled by guards.

Administrative security, such as having privacy policies, procedures and employee training.

Technical security, including encryption, firewalls, passwords and other measures built into data systems.

“Privacy law is highly fragmented,” Mr. Eckert said. “In Zurich's privacy law database, we have records of 700 to 800 federal and state privacy-related statutes that have been passed, and another 300 to 400 that are in the proposal stage.”

Mr. Eckert added: “GLB and the NAIC model regulations for the insurance industry have attempted to provide a standard framework for privacy and security laws. However, we have seen state and federal variations emerging, which makes it complex for insurance companies to comply. California privacy laws are a prime example.”

Bill Gausewitz of the Washington, D.C.-based American Insurance Association said, “There have been over 40 laws passed in California since 1999 dealing with workplace privacy, and quite a few of those relate to electronic privacy.” In addition, there are several electronic privacy-related bills now pending, according to Mr. Gausewitz.

“There is currently an Internet privacy law requiring that consumers be notified when company information is 'hacked' and those consumers may be affected. There is also an Internet privacy bill in the legislature mandating that companies establish a privacy policy and comply with it. This bill was vetoed last year, but is now back again.”

Mr. Gausewitz also pointed out that there has been an initiative filed in California on the financial privacy issue. “The initiative asks voters to enact a strict financial privacy statute without any involvement or consideration by the legislature. The initiative is currently under review by the attorney general. If proponents want to move ahead with it, they will start collecting signatures in May.”

The key to an effective electronic privacy policy is “giving the right people access to the right information for the right reasons,” said Steven Adler, market manager for IBM's Tivoli Privacy and Security Software, based in Somers, N.Y.

Mr. Adler's specialty is building privacy practices into business processes, and his firm has worked with insurers to implement GLB-related security measures. “You also have to know what the people who are given the data are going to do with it,” he added.

Lee Zeichner, president of Zeichner Risk Analytics, stresses that a privacy policy–whether of an insurance company or any other organization–must have high-level management support, starting with the board of directors.

“There must be executive-level leadership and support for a cyber-security system,” Mr. Zeichner said. “Senior managers must consult with the board on information security and obtain adequate funding for the program. It is also important that there be a single point of contact–a senior manager who is accountable for the 'cyber-hygiene' function.”

Mr. Zeichner noted that electronic privacy must be “injected into the corporate culture” and understood throughout the organization to be a pocketbook issue. “If customer information is lost or compromised, this can hit earnings, and do a lot of damage very quickly,” he warned.

While companies, even if not legally required to, may want to have electronic privacy systems in place for no other reason than to avoid potential liabilities and loss of business, the “damage” that Mr. Zeichner refers to isn't always monetary.

Failing to respect electronic privacy often takes its toll in corporate embarrassment and bad publicity.

For example, Hershey Foods and Mrs. Fields Cookies were recently fined $85,000 and $100,000, respectively, by the Federal Trade Commission for unlawfully collecting personally identifiable information about children who visited their Web sites. Brokers and agents with clients that market products or services to children through the Internet should advise clients of these special laws governing Web-based interaction with minors.

Parry Aftab, a New York and New Jersey attorney, explains that those companies violated the Children's Online Privacy Protection Act, which requires verifiable parental consent before obtaining personally identifiable information on children under age 13 via interactive communication technology such as chat rooms and discussion boards.

Ms. Aftab, known as the “Kids Internet Lawyer,” said “such parental consent must be more than an e-mail. It can be snail mail, an 800-number that the parent must call, a PIN code or a fax,” she said.

In addition to adverse publicity, electronic privacy snafus can cause reputational damage and loss of trust. Indianapolis, Ind.-based drug manufacturer Eli Lilly learned this bitter lesson after it unintentionally e-mailed messages to hundreds of users of its anti-depressant, Prozac.

The message's “to” line contained the e-mail addresses of all 669 users of a service it had developed to deliver auto-matic reminders to take the drug. In a settlement with the FTC, the company promised to extensively review and adjust its electronic privacy measures.

For both insurance and non-insurance organizations, customers' and employees' Social Security numbers top the list of privacy concerns, according to Chris Hoofnagle, deputy counsel of the Washington, D.C.-based Electronic Privacy Information Center. Not surprisingly, SSN usage has been the centerpiece of much of the proposed and passed privacy legislation.

“At the federal level, the proposed Social Security Number Misuse Prevention Act would prohibit the sale of SSNs among private individuals, but would allow business use,” Mr. Hoofnagle explained. He added that some states, including New York and California, have statutes regulating the commercial use and collection of SSNs. “No company should be using the SSN as a customer identification number, as it can too easily fall into the wrong hands,” Mr. Hoofnagle stressed.

Employee privacy is a concern of companies in every industry. Ms. Aftab, who in addition to her work for children advises companies on electronic privacy, cites Internet and e-mail usage as prime employer concerns. “Employers should have a written Internet and e-mail usage policy that states computers must be used for business purposes only and that reserves their right to monitor usage of all company-provided equipment,” she noted. “And all employees should sign the policy to prove they received and consented to it.”

While noting that employment privacy laws vary by state, Ms. Aftab urges employers in all states have to be aware of and comply with federal wiretapping laws, which may ban the interception of certain e-mails while in transit or storage. There are also federal and state search and seizure and other constitutional constraints that apply to government employers, she pointed out. “And if the workplace is unionized, electronic privacy is a collective bargaining issue and must be negotiated with the union,” said Ms. Aftab.

Electronic privacy concerns are rooted in the unease of consumers in trusting companies to be custodians of their personal information, IBM's Mr. Adler pointed out. That “unease” has led to the rigors of GLB, the NAIC model regulation, as well as the 800-plus state and federal privacy-specific laws in Mr. Eckert's Zurich privacy law database.

Reproduced from National Underwriter Edition, April 21, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.