
Investor Presentation

Data Protection Requirements Affecting Insurance Industry before SCIDSA

Requirement: Risk Assessment

  HIPAA (1996) (PHI): Yes. The HIPAA Security Rule requires covered entities to conduct a risk analysis to help them identify the most effective and appropriate administrative, physical and technical safeguards to secure electronic PHI. See 45 CFR 164.302-318.

  GLBA (1999) (PII): Yes. GLBA requires companies to identify and assess the risks to customer information in each area of their operations and to evaluate the effectiveness of current standards in controlling these risks. 16 CFR § 314.4(b).

  FACTA/FTC Act: Yes. The Act does not specify security standards, but the FTC has exercised jurisdiction over data privacy and has taken the position that inadequate data security is a deceptive business practice. See In the Matter of BJ's Wholesale Club, Inc., 140 FTC 465 (FTC Consent Order, Sept. 20, 2005).

Requirement: Information Security Program

  HIPAA (1996) (PHI): Yes. Covered entities are required to implement data protection policies and safeguards, including technical safeguards, which include automated processes designed to protect data and control access, such as authentication controls and encryption technology.

  GLBA (1999) (PII): Yes. The information security program (ISP) must be appropriate for the company's size and complexity, the nature and scope of its activities, and the sensitivity of the information it handles. 16 CFR § 314.3.

  FACTA/FTC Act: The FTC also requires that reasonable security be provided for certain data based on:
    • the data's sensitivity;
    • the nature of the company's business operations;
    • the types of risks a company faces; and
    • the reasonable protections that are available.
  Retain data for only the time necessary to fulfill a legitimate business or law enforcement need.