Investor Presentation
Data Protection Requirements Affecting Insurance Industry before SCIDSA

| Requirement | HIPAA (1996) (PHI) | GLBA (1999) (PII) |
|---|---|---|
| Third Party Service Providers (16 CFR § 314.4(d)) | Yes. HIPAA applies to business associates as well. | Select service providers that are able to maintain appropriate safeguards, contractually require service providers to maintain safeguards, and oversee service providers' handling of customer information. |
| Employee Training (16 CFR § 314.4(b)(1)) | Employees must be trained. | Yes. |
| Investigation (16 CFR § 314.4(b)(3)) | Yes. | Yes. |
| Notifications (Interagency Guidance issued by the FTC and the Federal Financial Institutions Examination Council (FFIEC)) | HHS also requires covered entities to notify individuals when their unsecured PHI has been breached. | OCC and FRB require financial institutions to notify the regulator, affected customers, etc., when there has been unauthorized access to sensitive information. |
| Designate employees to implement ISP (16 CFR § 314.4(a)) | Covered entities are required to assign responsibility for the ISP to appropriate individuals. | Yes. |