Data Breach Laws: Is Your Agency Compliant?

By: Rachel Tuller & Ari Gardner

Personally identifiable information (PII), as most state breach laws define it, is a client’s name in combination with at least one other identifying element. Exactly which elements count varies by state, but Social Security numbers, driver’s license numbers, policy or account numbers and health or medical information appear in nearly every definition. Protected health information (PHI) is the narrower federal (HIPAA) term for individually identifiable health or medical information, such as diagnoses, treatment records and claims data.

If you handle either—and all independent agents do—you need to encrypt your emails.

The definition of “sensitive information” differs from state to state and between state and federal law. Beginning with California in 2003, 47 states (at the time of writing) have enacted data breach notification laws. Most of them do not order you to encrypt anything outright; instead they require you to notify affected clients when their unencrypted PII is exposed, and they treat properly encrypted data as exempt from notification (a “safe harbor”), provided the encryption key was not exposed along with it. In practical terms, encrypting the PII you handle every day via ACORD forms, carrier applications, declarations pages and ID cards is what keeps a lost laptop or a misdirected email from becoming a reportable breach.

Data breach laws are not unique to any single industry and cover every business entity. While fines vary from state to state, one rule remains constant: Notifying your entire client base in the event of a breach will have an enormous negative impact on the trust you’ve worked so hard to build with your clients.

Agencies selling life-health lines must also comply with HIPAA, the federal law enacted in 1996. HIPAA’s Security Rule makes encryption of electronic PHI an “addressable” safeguard, meaning you must either implement it or document why an equivalent measure is reasonable, and its Breach Notification Rule makes exposure of unencrypted PHI the trigger for notification. In practice, that makes encrypting every email that carries PHI the expected baseline.
The tiered civil penalty structure is no joke: a “willful neglect” violation, meaning the agency knew, or should have known, it was handling PHI and did nothing to protect it, carries a $50,000 penalty per violation, capping at $1.5 million per year for violations of the same provision.

Just because you have an IT guy or an agency management system doesn’t mean you’re covered. Ordinary email is not guaranteed to be encrypted in transit, and attachments sit unencrypted in both the sender’s and the recipient’s mailboxes, so you specifically need an email encryption service. The good news is that cloud-based solutions exist today that are inexpensive and simple to use, making encryption a seamless part of the daily workflow.

Cloud services are hosted, which means your agency’s data lives in an environment a third party operates and secures. A reputable hosting provider will likely have more security controls and staff than a small agency could ever afford on its own, along with a contractual uptime commitment (the figure commonly quoted is 99.999%). Two checks before you sign: confirm that the provider encrypts data both in transit and at rest, and, if PHI is involved, that it will sign a HIPAA business associate agreement. Some services also let recipients open secure messages without creating yet another username and password; ask the vendor what replaces the password, because that mechanism is what actually protects the message.

Embrace the cloud—it’s a safe place.

Rachel Tuller leads strategic partnerships and integrations at Citrix. Ari Gardner is sales director for Citrix’s ShareFile product.

Level Up

Here’s a three-step checklist to start taking your agency’s compliance to the next level:
1) Take a few minutes to poll your CSRs, account managers and producers about the content of their emails and attachments.
2) Take inventory of the type and amount of sensitive information your staff sends and receives—you might be surprised.
3) Find a cloud solution that makes email encryption simple and spares recipients from managing yet another username and password. Better yet, select one that bundles secure email with e-signature functionality to expedite your sales cycle while maintaining compliance. —R.T. & A.G.
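As an added example (not part of the original article or of the authors’ product), here is a small scan over constructed sample emails that applies the name-plus-identifier definition above to take a first-pass inventory of what staff are actually sending. The field labels, number formats and keyword lists are assumptions for illustration; a production scan would use a DLP tool with validated patterns and human review of the hits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Heuristic patterns for the identifying elements the article lists. These are
# an assumption of this example, not a legal definition: production DLP tooling
# adds checksums, context words and tuned thresholds to cut false positives.
ELEMENT_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # SSN in NNN-NN-NNNN form with the usual structural exclusions
    # (no 000/666/9xx area, no 00 group, no 0000 serial).
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # "DL# D1234567" or "driver's license: D1234567" (formats vary by state;
    # this one is an assumed example).
    "drivers_license": re.compile(
        r"\b(?:DL|driver'?s?\s+license)\s*[#:]?\s*[A-Z]\d{7,8}\b", re.I
    ),
    # "Policy #: ABC-1234567" (hypothetical carrier format).
    "policy_number": re.compile(
        r"\bpolicy\s*(?:no\.?|number|#)?\s*[:#]?\s*[A-Z]{2,4}-?\d{6,10}\b", re.I
    ),
    # Health/medical context words: PII plus these is treated as PHI.
    "health": re.compile(r"\b(?:diagnos\w*|prescri\w*|medical|treatment)\b", re.I),
}

# A labelled name field, as on ACORD-style forms ("Named Insured: Jane Doe").
NAME_PATTERN = re.compile(
    r"(?:Named Insured|Insured|Client|Name):\s*([A-Z][a-z]+(?: [A-Z][a-z]+)+)"
)


@dataclass
class Finding:
    name: Optional[str]
    elements: Dict[str, int]  # element kind -> number of occurrences

    @property
    def is_pii(self) -> bool:
        # The breach-law trigger as the article describes it: a name
        # combined with at least one other identifying element.
        return self.name is not None and bool(self.elements)

    @property
    def is_phi(self) -> bool:
        return self.is_pii and "health" in self.elements

    @property
    def is_partial(self) -> bool:
        # Identifiers without a name: not the statutory combination on its
        # own, but worth flagging because another message may supply the name.
        return self.name is None and bool(self.elements)


def scan_message(text: str) -> Finding:
    """Classify one email body (or extracted attachment text)."""
    match = NAME_PATTERN.search(text)
    elements: Dict[str, int] = {}
    for kind, pattern in ELEMENT_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            elements[kind] = hits
    return Finding(name=match.group(1) if match else None, elements=elements)


def summarize(messages: List[str]) -> Dict[str, int]:
    """Inventory counts for a mailbox sample. PHI messages also count as PII."""
    summary = {"messages": len(messages), "pii": 0, "phi": 0, "partial": 0, "clean": 0}
    for text in messages:
        finding = scan_message(text)
        if finding.is_phi:
            summary["phi"] += 1
        if finding.is_pii:
            summary["pii"] += 1
        elif finding.is_partial:
            summary["partial"] += 1
        else:
            summary["clean"] += 1
    return summary


# Constructed sample messages; the people, numbers and carrier formats are fictional.
SAMPLE_MESSAGES = [
    # name + SSN + licence number, as on an auto application
    "Named Insured: Jane Doe\nSSN: 123-45-6789\nDL# D1234567\nPlease bind the auto policy.",
    # name + policy number + medical context, as on a life-health claim
    "Insured: John Smith\nPolicy #: ABC-1234567\n"
    "Attached: medical records with the diagnosis for claim 4471.",
    # nothing sensitive
    "Lunch tomorrow at noon?",
    # an SSN with no name attached
    "Quick check: which file does SSN 123-45-6789 belong to?",
]

if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        f = scan_message(text)
        label = "PHI" if f.is_phi else "PII" if f.is_pii else "partial" if f.is_partial else "clean"
        print(f"{label:8} name={f.name!r} elements={f.elements}")
    print(summarize(SAMPLE_MESSAGES))
```

The partial bucket is the one to watch when polling staff: identifiers sent on their own look harmless in isolation, but a thread that carries the client’s name in an earlier message has already assembled the combination the breach laws care about.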