Data breach a growing concern for insurance application process.

The recent theft of a file server at American International Group Inc. containing personal information of 930,000 people raises new questions about data breach liability. Where does liability begin and end for an insurance carrier in data breach incidents where the persons whose identities are exposed are not yet policyholders or customers? Is it the insurer or intermediary that is ultimately responsible and liable for confidential client information misplaced during the initial application process?

Experts say the answers to these questions may depend on a number of factors, including who held the data and for how long; what type of information was contained in the application; the terms of agreement between the prospective customer and intermediary; the source of the application; and the technology contract, if any, between the carrier and the intermediary.

Certain federal laws designed to safeguard customers' non-public personal information already apply to insurance practices. Confidential medical information, for example, is governed by the Health Insurance Portability and Accountability Act, while the Gramm-Leach-Bliley Act and Fair Credit Reporting Act protect the use and dissemination of other non-public personal information. But Jeff Junkas of the American Insurance Institute said these laws deal typically with companies that are owners of the data at risk, which leaves some gray areas in how and when they are applied.

Currently there are 31 state security breach notification laws, with California's being the one most often mimicked, said Lisa Sotto, head of the privacy practice at law firm Hunton & Williams and vice-chair of the U.S. Department of Homeland Security's Privacy Advisory Committee. "The California law

But according to Sotto, the tricky part is identifying who should be considered the data owner or licensor. "We do not have in these laws definitions for 'owner' or 'licensor,'" Sotto said.

In AIG's case, the personal information on the file server was contained in requests for quotes submitted by a total of 690 brokers to AIG. The brokers were working on behalf of employers looking to purchase excess medical coverage for their employees, some suffering from catastrophic illnesses. "This wasn't a database of our policyholders, where we had collected the data and formatted it and were directly responsible for it," spokesman Chris Winans said. There's no question, Winans added, that AIG is responsible for keeping people from stealing from its offices, "but who's actually and ultimately responsible for the integrity of the data--we're not even trying to answer that question."

Jeff Yates, executive director of the Agents Council for Technology, said barring a technology agreement between the agent and the carrier, "it would be crazy to suggest that the agent would have the responsibility to protect information once it gets into the carriers' system." A common-sense solution would be that the entity that has the information or application is responsible until it transfers that information along to another party, Junkas said.

That also leads to another issue: Who is responsible for application data breached during transit? Etti Baranoff, assistant professor of insurance and finance at Virginia Commonwealth University's Risk Management and Insurance Studies Center, said while data in transit "is in no man's land," liability ultimately would rest with the agents since they are the only connection to the data.

Indeed, the process by which most agents send applications to carriers is vulnerable to security breaches, Yates said. "What happens quite often in commercial lines is the agent sends the application as an attachment to the e-mail, and because e-mail is open and not encrypted, the information is not secure," said Yates.

DATA SECURITY: Veteran Affairs Secretary Jim Nicholson
security won't happen overnight.

Data Breaches

Date Made Public    Company                                 Number Affected
June 14, 2006       American International Group (AIG)      930,000
April 26, 2006      Aetna                                   38,000
April 6, 2006       Progressive Casualty Insurance          13
Feb. 16, 2006       Blue Cross and Blue Shield of Florida   27,000
Feb. 1, 2006        Blue Cross and Blue Shield of N.C.      600

Source: Privacy Rights Clearinghouse