Text of an email recently sent to an IIABNY member:
I was asked to respond to your inquiry. As I understand it, you want to know whether your agency is required by law or regulation to encrypt certain customer information, such as when you prepare and email auto insurance I.D. cards. I apologize for the length of this response, but my conclusion is that the law and regulations do require an agency to encrypt such communications.
Certain sections of the federal Gramm-Leach-Bliley Act imposed requirements for the protection of customer information on insurance licensees. This law directed state insurance departments to implement and enforce the requirements. In New York, the Department of Financial Services enforces them by way of Insurance Regulations 169 and 173 (both are available for download from the Privacy page in the Member Answer Center of our Web site). Regulation 169 pertains to privacy of consumer financial and health information; Regulation 173 pertains to standards for safeguarding that information. It is Regulation 173 that directly addresses your question.
The core requirement of Regulation 173 states simply:
“Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.”
I think this paragraph can be found in the dictionary as an example of the word “vague”. It does include some defined terms, however. A customer is someone who is seeking, or obtains, or has obtained in the past personal lines insurance from a carrier or agency that has “nonpublic personal information” about him, if he has a continuing relationship with that carrier or agency. If I bought insurance from you last year and still have that insurance through you, and you have information on me that people cannot find in a public database, then I am your customer within the regulation’s meaning.
The term “nonpublic personal information” includes “nonpublic personal financial information” and “nonpublic personal health information.” I’ll focus on the financial side here. The term “nonpublic personal financial information” includes:
- Any information: 1) a consumer provides to the carrier or agency to obtain an insurance product or service from it; 2) about a consumer resulting from the insurance transaction; or 3) that the carrier/agent otherwise obtains about him in connection with providing an insurance product or service to him.
- Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information other than publicly available information.
It does not include health information; publicly available information (other than that included in the list described above); or any list, description or other grouping of consumers (and publicly available information pertaining to them) that is created using only publicly available information.
For example, a list of cars that a consumer owns is “nonpublic personal information” because that falls under the first bullet point. A list of consumers who have registered cars with model years 2013 and later is also “nonpublic personal information” because it is compiled using information not publicly available. A list of all households on a particular street is not nonpublic personal information because street addresses are easily available from public sources.
In my opinion, an auto insurance I.D. card is a document that contains nonpublic personal financial information because it contains the name of my insurance company; my policy number; and the year, make, model and VIN of my car. None of these pieces of information are available from public sources. By law, the DMV would provide this information only to a person who has a use for it permitted by that law.
So, if I am your customer and you have nonpublic personal information about me, then Regulation 173 requires you to safeguard it. The regulation requires you to implement an information security program designed to accomplish three things:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Encrypting an email that contains my auto insurance I.D. card would appear to fall within all three of these requirements. It is designed to keep my information confidential, to protect against the omnipresent threat from hackers, and to keep it from being stolen. Theft of the information about my cars could cause me harm, as someone could conceivably borrow money in my name and list my cars on the loan application as assets. Conversely, failure to protect emailed communications could be construed as failure to implement the information security program because the three objectives are not met.
The Agents Council for Technology Web site has a wealth of information about ways to accomplish the regulation’s objectives, including information about TLS encryption technology. You may find some of that information helpful.
To summarize, I believe the Gramm-Leach-Bliley Act and the regulations that implement it require insurance agents and brokers to encrypt email messages that contain customers’ nonpublic personal financial information. This would include auto insurance I.D. cards and other documents that contain information not readily available to the public.