Text of an email recently sent to an IIABNY member:
I was asked to respond to your inquiry. As I understand it, you want to know whether your agency is required by law or regulation to encrypt certain customer information, such as when you prepare and email auto insurance I.D. cards. I apologize for the length of this response, but my conclusion is that the law and regulations do require an agency to encrypt such communications.
Certain sections of the federal Gramm-Leach-Bliley Act imposed requirements for the protection of customer information on insurance licensees. This law directed state insurance departments to implement and enforce the requirements. In New York, the Department of Financial Services enforces them by way of Insurance Regulations 169 and 173 (both are available for download from the Privacy page in the Member Answer Center of our Web site.) Regulation 169 pertains to privacy of consumer financial and health information; Regulation 173 pertains to standards for safeguarding that information. It is Regulation 173 that directly addresses your question.