Data Protection Requirements Affecting Insurance Industry before SCIDSA

Columns: Requirement | HIPAA (1996) (PHI) | GLBA (1999) (PII) | FACTA/FTC Act

Requirement: Risk Assessment

HIPAA (1996) (PHI): Yes. The HIPAA Security Rule requires covered entities to conduct a risk analysis to help covered entities identify the most effective and appropriate administrative, physical and technical safeguards to secure electronic PHI. See 45 CFR 164.302-318.

GLBA (1999) (PII): Yes. GLBA requires companies to identify and assess the risks to customer information in each area of its operation and to evaluate the effectiveness of current standards in controlling these risks. See 16 CFR § 314.4(b).

FACTA/FTC Act: Yes. The Act does not specify security standards, but the FTC has exercised jurisdiction over data privacy and has taken the position that inadequate data security is a deceptive business practice. See In the Matter of BJ's Wholesale Club, Inc., 140 FTC 465 (FTC Consent Order, Sept. 20, 2005).

Requirement: Information Security Program

HIPAA (1996) (PHI): Yes. Covered entities are required to implement data protection policies and safeguards, including technical safeguards, which include automated processes designed to protect data and control access, such as using authentication controls and encryption technology.

GLBA (1999) (PII): Yes. The information security program (ISP) must be appropriate for the company's size and complexity, the nature and scope of its activities and the sensitivity of the information it handles. See 16 CFR § 314.3.

FACTA/FTC Act: The FTC also requires that reasonable security be provided for certain data based on:
• the data's sensitivity;
• the nature of the company's business operations;
• the types of risks a company faces; and
• reasonable protections that are available.
Retain data for only the time necessary to fulfill a legitimate business or law enforcement need.