Privacy Protection 101: What Insurance Agents Need to Know About Safeguarding Client Data
As an insurance agent, there’s often nothing worse than dealing with an unhappy former customer. Or is there? What about dealing with the new agent representing your former customer? What do you do when the new agent asks you to provide information pertaining to that former customer? Before you respond, you need to know your legal duties and obligations concerning confidential information disclosed by your former client.
Protection of personal data is a concept with which we are faced everywhere we turn. Data breaches and other incidents involving the unauthorized access or misuse of personal data are frequently reported in the news media. We hear of data breaches in the news and on social media. Every online service we sign up for holds us hostage until we acknowledge a lengthy and often indecipherable privacy policy. Government agencies, private businesses, and consumer organizations constantly send out public service announcements on how to protect data. We are intimately familiar with the importance of staying informed about data privacy and security issues, and to take steps to protect our own personal data from unauthorized access and misuse.
But what is an insurance agent’s responsibility when it comes to a client’s information? If your instinct tells you to protect that information, you are correct. Insurance is a profession like many others, and is governed by laws and regulations. We know about the attorney- client privilege, the doctor-patient privilege, and the clergy-penitent privilege. Insurance agents, too, are bound by privilege regarding their clients’ nonpublic personal information. The obligation to maintain confidentiality is grounded in principles of trust, privacy, and protection of sensitive information. But it goes further than that.
Under Georgia law, insurance agents are required to maintain the confidentiality of all nonpublic information obtained from their clients, including information about their personal and financial affairs. This means you generally cannot disclose any information about a present or former client without the client’s express consent. Insurance agents are also governed by the Gramm-Leach-Bliley Act, a federal law that requires insurance companies and agents to protect the privacy of their customers personal and financial information. Georgia has generally adopted the National Association of Insurance Commissioners model laws and regulations related to privacy and confidentiality in the insurance industry. Your agency and its information technology professionals should, at a minimum, 1) monitor and train staff on hacking and phishing techniques, 2) make sure cloud storage or other storage of customer data is secure, 3) consider a policy restricting use of agency-issued computers, phones and other devices to agency business only; 4) implement a policy prohibiting transacting agency business or accessing agency data on a employee’s personal device.
You may have heard about the recent T-Mobile data breach exposing the personal information of over 37 million customers, the Capital One breach in 2019 that affected approximately 100 million customers, or the Equifax data breach in 2017 in which affected 147 million customers. These types of breaches can result in significant financial loss, regulatory fines, and reputational damage. But large companies aren’t the only ones who are vulnerable. Insurance agents bear the same legal and financial risks. For this reason, insurance agents should strongly consider purchasing cyber insurance for their own business and should encourage their business clients to do the same.
So, what should you do if someone asks you to disclose information related to a current or former client? Get the client’s permission in writing, and be specific about what information the client authorizes you to disclose. Also, train your staff on detecting and avoiding phishing or other computer hacking. If your systems are breached, seek counsel to help you comply with disclosure requirements and minimize risk. Keeping the personal information of insurance clients confidential is not only a legal and ethical responsibility, it’s also good business.
This article is not intended to provide “legal advice” on the issues discussed in it and does not create an attorney-client relationship. It is only for informational purposes. Please contact Slotkin Law Firm or another attorney who is knowledgeable in this area of the law about your specific situation before taking any action.