By Louie Castoria and Lori S. Nugent
The Federal Trade Commission’s new red flags rule, designed to protect personally identifiable information from data thieves, goes into effect Nov. 1. The rule requires service providers who receive payment after their services have been delivered—including insurance agencies and brokerages and many of their business customers—to develop and implement written identity theft prevention programs by Nov. 1.
(UPDATE: At the request of Congress, FTC is delaying enforcement of the Red Flags Rule until June 1, 2010. -- Ed.)
This is great news: it gives us more time to reach our clients and help them be prepared to respond if/when they are victims of data theft.
Any data breaches that occur on or after the deadline may be subject to penalties as high as $3,500 per violation, and also could result in prosecution for violation of state consumer protection or deceptive trade practices laws. Such laws may permit private individuals to sue and recover treble damages, attorney’s fees and/or litigation costs.
Red flags are signs of danger to brokers and agents and their business customers. Fortunately, it isn’t hard to comply with the red flags rule. By learning about its requirements, agents and brokers can help their business customers ensure that their risk management and insurance plans include protection against identity theft and similar losses caused by security breaches.
The “red flag” term refers to circumstances when a customer’s “personally identifiable information” may be at a heightened risk of loss or theft. The FTC requires company senior management to adopt, implement and regularly update a written compliance plan to identify potential data breaches that could occur in the normal course of operations, and specify procedures to be implemented when a red flag indicates that a data breach may have taken place.
It isn’t unusual for insurance professionals to carry or send customers’ identifying information in unsecured settings. Consider:
• An account manager downloads the client’s information to a laptop or flash drive for use in a renewal presentation
• An agent collects data off-site for an insurance application, and sends that information, or perhaps a completed application form, by fax or e-mail to her office
• A broker leaves one firm and becomes affiliated with a competing firm. He takes with him the contact information for his clients, although his agreement with the first firm prohibits him from doing so, and some account information is included in the copied materials.
Each of these events is fairly commonplace, but also presents a risk of confidentiality being breached. However, expecting agents and other businesses to stop using laptops, faxes and e-mails is hardly practical or desirable.
Compliance is within reach for most firms. In many firms, a few individuals know how the business obtains and maintains personally identifiable information, and can identify quickly how an attempted data theft might happen, and what warning signs would indicate that an actual data theft occurred. For example, if a laptop is missing or stolen, the firm’s procedure would be to block that laptop from accessing the company network, and determine what information was on the laptop. The firm would then comply with applicable privacy laws, appropriately notifying law enforcement and potentially impacted people of the laptop theft.
However, that phrase “applicable privacy laws” can be the catch—which laws apply? A quick legal consultation can prevent or ease many regulatory and litigation headaches. For each red flag a company identifies, a written procedure must be developed and approved for addressing the red flag, including regular staff training and periodic updates of the red flags and procedures.
Data breaches routinely result in lawsuits, and compliance with the red flags rule is the first step in proving that a business was not negligent. Failure to comply, on the other hand, may be used as evidence that the business failed to meet established federal regulations for safekeeping personally identifiable data. Litigation outcomes may be strongly impacted by whether a business is, or is not, in compliance with the red flags rule.
Data security is more than a legal concern; it’s also an important customer satisfaction and public relations issue. Imagine having to sign letters to valued customers, telling them that their funds and privacy are at risk because of a missing flash drive. Some firms proactively work with potentially impacted customers after a data loss and contact credit bureaus to help protect against damage caused by identity theft.
There will not be a "one size fits all" plan for brokers to comply with the red flags rule, but there are several questions that senior management can ask to start the process:
• When do our people remove any client data from our premises, including our computer system, for off-site use?
• When do our brokers gather client data from outside sources, such as face-to-face meetings, and how is that information transmitted to the office and secured?
• What security systems, other than simple passwords, do we use to secure laptops that are used by our people to remotely access their clients' data?
• What do our employment contracts and procedure manuals say about maintaining the confidentiality of client information? Do our contracts require employees to hold us harmless and pay for our defense if they leave the firm and take client data with them?
• What promises do we make to clients about confidentiality and privacy, and are our actual practices in securing sensitive information consistent with these promises?
Answering these questions is a good beginning to the process. The next steps may be expedited by getting some outside guidance. The important thing is to have a well-tailored red flags list that fits your business, and a written contingency plan for what to do if any of the red flag events becomes a reality.
###
Louie Castoria and Lori S. Nugent are partners in Wilson Elser Moskowitz Edelman & Dicker LLP. For more information, contact Castoria at louis.castoria@wilsonelser.com, 415-433-0990, or Nugent at lori.nugent@wilsonelser.com, 312-704-0550.