
Are You Ready for a Data Breach?


Insurance company-agency agreement wording for both property-casualty and group health agents requires unequivocal compliance with all current state and federal privacy and data breach response laws, including the following:

Agency agreements tend to be one-sided and typically require that “the agency hold the company harmless for any claim, demand, liability, dispute, damage, cost, expense or loss including reasonable attorney’s fees and cost of litigation arising as a direct result of the acts, errors & omissions and negligence of the agent.”

An extensive review of more than 100 company-agency agreements found that most p-c and group health companies require agency compliance with all federal and state laws. For example, p-c agency agreements reference the GLBA, while group health agency agreements, both individual and agency, cite HIPAA and HITECH.

GLBA is a robust law and applies to most insurance agents. If an agency wants to protect itself from fines, penalties and the possible breach of contract provisions with insurance companies, it must comply with the agency agreement and, by extension, all other relevant laws.

Here are a few key compliance components to keep in mind.

Privacy plan: Privacy laws apply to personal information you collect, use and disclose with other organizations in the course of doing business. Personal information is information about an identifiable individual, including information that relates to a particular person and allows that person to be identified.

GLBA requires companies to give consumers privacy notices that explain the institution’s information-sharing practices and how they will protect the consumer’s non-public information. In turn, consumers have the right to limit some—but not all—sharing of their information.

Security plan: Information and information systems are assets that agents should protect from accidental or unauthorized access, disclosure, modification, destruction or denial. Security controls must be sufficient to ensure confidentiality, privacy, reliability, integrity, audit capability and availability of information.

You will need to identify potential threats and analyze and prioritize those threats, devise plans and strategies to reduce the likelihood of those threats occurring and maintain a contingency plan to address and mitigate any damage that might result from a breach.

Data breach response plan: More than 30 federal laws and regulations address the privacy and security of nonpublic personal information. At a more local level, 47 states and the U.S. territories of Guam, Puerto Rico and the U.S. Virgin Islands have regulations and laws on what a business must do to respond to a known breach.

Defining “business associate” for insurance agents: Compliance with HIPAA is not an option for insurance agents who are considered business associates. Insurance agents involved in the sales and service of group health insurance coverage need only review any or all of these company-agency agreements to see that they are indeed business associates of the insurance companies represented.

Under HITECH, business associates are now directly “on the compliance hook” since they are required to comply with the safeguards the security rule contains. HITECH does not speak directly to the rationale, but even casual observers understand that a potentially massive expansion in the exchange of personal health information increases the privacy and security concerns of all stakeholders.

Summary of agency agreement: The hold harmless and indemnification sections in most p-c and group health agency agreements could require agencies to pay the following costs and expenses—in addition to the direct costs and expenses the agency incurs in defense of action:

  • Costs of the company’s investigation of the agency as well as a national investigation, since the breach originated at the agency level
  • Costs of the required company notifications
  • Costs of attorney fees the company accrues
  • Defense and liability costs the company accrues
  • Additional costs the company accrues as a result of the agency’s signed agency agreement

Based on the insurance company language, if the agency is found to be the cause of a data breach through negligence or noncompliance, the expenses, fines and penalties could be ruinous for the agency. In any event, it will be a long, costly process—and the end result is likely going out of business.

Judi Newman is president of NetGenDataConsulting and Phaze II Consulting, Inc. Bill Larson is president of Profit Protection Risk Management Consulting and partnered with Newman to further NetGenDataSecurityConsulting.