Don’t Become a Target
Globalization of the insurance marketplace presents some promising opportunities for insurance brokers to expand around the world. But, as Spider-Man will attest, with great power comes great responsibility.
And in the area of data security, that responsibility compels brokers to comply with the data security requirements in effect in any jurisdiction in which they operate.
In the United States, HIPAA and the Gramm-Leach-Bliley Act impose privacy and data protection requirements on insurers and, through the carriers with which they place coverage, on agents and brokers. European Union nations have enacted stringent data protection requirements based on the EU Data Protection Directive of 1995. More recently, the EU has been considering updating—and strengthening—the directive by adopting a proposed regulation that would be effective in all EU countries. Although the European Parliament approved the proposal last October, it still must clear a number of additional hurdles before the regulation is formally adopted. Nonetheless, observers expect the regulation’s adoption before the EU’s parliamentary elections in May.
Whether or not the proposed regulation is adopted, U.S. insurance brokers doing business in Europe should comply with existing data privacy laws in the nations where they do business. The 28 EU nations (as well as some non-EU European countries) have laws and regulations based on the 1995 directive that apply to all entities that have EU locations or process customer data in an EU member nation. The laws of the EU countries are similar because they use the directive as a framework. (Note that while a safe harbor agreement between the EU and the United States allows some U.S. companies to avoid complying with the EU requirements, the insurance industry is not excepted.)
Applying the directive’s requirements to U.S. brokers depends on a number of factors, including the country or countries in which the broker operates, the data protection laws of those countries, the data that is being collected by the broker and how that data is being used and stored. Your firm’s legal counsel should determine whether your firm must comply, and how to do so.
In the meantime, here’s a general overview of the directive’s requirements:
Trigger: A broker that has an office in an EU nation or processes data in an EU nation will be subject to the law. The broker will need to determine which nation’s laws apply and whether the broker must comply with more than one nation’s requirements. For example, a broker with an office in London might need to comply with German or French requirements, depending on the broker’s activity in those countries (and their specific laws). Finally, a broker must determine if the information it collects is subject to the data protection requirements.
The type of information covered by the directive is very broad, covering any personal information relating to an identified or identifiable natural person (called a “data subject”). An “identifiable person” is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity.
Data is considered “personal” when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link. Examples of this include addresses, bank statements and credit card numbers.
“Processing” is also broadly defined as involving any manual or automatic operation on personal data, including its collection, recording, organization, storage, modification, retrieval, use, transmission, dissemination or publication, and blocking, erasure or destruction of information.
Requirements: The directive sets forth six basic requirements for protecting personal data. They are:
- Notice: An individual has the right to know that his personal data is being collected. The personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”
- Choice: An individual has the right to choose not to have personal data collected.
- Use: An individual has the right to know how personal data will be used and to restrict its use. Personal data may only be used for “legitimate processing” as described by the directive.
- Security: An individual has the right to know the extent to which the personal data will be protected. Organizations must implement appropriate technical and organizational measures to protect personal data. The measures must be “appropriate to the risks represented by the processing and the nature of the data to be protected.”
- Correction: An individual has the right to challenge the accuracy of the data and to provide corrected information. Personal data collected and maintained by organizations must be up to date and reasonable steps must be taken to ensure that inaccurate or incomplete data is corrected.
- Enforcement: An individual has the right to seek legal relief through appropriate channels to protect privacy rights.
Brokers who take advantage of the global marketplace will encounter these requirements in EU countries and in other European nations that base their laws on the EU data privacy directive.
In the wake of the National Security Agency tracking our phone calls and hackers stealing credit card information from Target and other retailers, data security will only get more public attention. The new European regulation will renew focus on businesses collecting data, so U.S. brokers who are active in Europe would be wise to avoid becoming a target of ambitious European regulators and prosecutors.