This article was originally published in the Jul/Aug 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

State Laws Require Notification of Security Breach

States are aggressively requiring companies to tell consumers if there is a security breach affecting the consumers’ personal information. As of May 8, 2006, 28 states have enacted laws and another 17 have legislation pending. There are also several competing federal bills that require breach disclosure. You need to know how to keep your agency compliant with these new laws.

The Security Breach laws require notification anytime there is reasonable belief that a person’s private information is at risk of identity theft or fraud. Most of these laws are very similar to each other, though there are some state-to-state differences. Contact your local legal counsel for specifics.

What is a "security breach"?
The laws generally define a "security breach" as the unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information. In most states, laws do not apply to employees or agents using personal information in good faith for a business purpose, as long as the information is not later used for an unlawful purpose or subject to unauthorized disclosure.

What is included in personal information?
Personal information includes an individual’s name (first name or initial plus last name) in combination with at least one of the following:

  • Social security number
  • Driver’s license number or state identification number
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
    Note: In general, if the data elements are encrypted, or otherwise made unreadable, that would not constitute a breach.

What to do if your agency has a breach
Notify the people who may be affected as soon as possible. Some states, such as Ohio, require notification no later than 45 days after you discover or find out about the breach. Some specific exceptions to the 45-day requirement apply, such as a request by law enforcement.

You can provide notification in writing or by other means as specifically allowed in the law. The notification must include a description of the information which was potentially compromised and an explanation of the consumer’s rights. Most states also require you to provide a toll-free contact number for consumers to call for more details.

Working with Westfield

When you own and process all customer information yourself, this law is fairly straightforward. If you share information with a business partner or vendor, the responsibilities are more complicated. This has led to some misunderstandings. At least one news bulletin claimed that agents have no obligations under this law if the information systems of an insurance carrier are breached. In fact, the law requires that the company processing the data notify the company which "owns or licenses" the consumer information and that the "owning" company must notify the consumer. According to the Westfield Agency Agreement, the Independent Agency owns the relationship with the consumer and the consumer’s information.

This approach to notification is a result of lessons learned in the CardSystems breach. (CardSystems was a credit card processor for MasterCard, Visa, etc.) When CardSystems attempted to notify consumers, many threw the notice away unopened because they did not recognize the company and assumed it to be junk mail. Many legislators concluded that the notice must come from the company with which the consumer has the relationship in order to be effective.

If your agency has a breach, Westfield will work with you to determine who should notify the customer – the company or your agency. Often, it may make more sense for Westfield to notify the customer, and we will work with your agency to find the solution that is in the best interests of the customer if this situation arises. Westfield stands ready to assist in the notification to any Westfield consumers in the event of a breach either to Westfield’s systems or to your agency’s systems.

Westfield has also taken aggressive steps to safeguard all customer data. These days, an ounce of prevention is worth far more than a pound of cure.