Privacy in the 21 st Century: An Oxymoron? Impacts and Implications for the Insurance Industry Home Office Life Underwriters Association Orlando, FL May

Privacy in the 21st Century:An Oxymoron?

Impacts and Implications for the Insurance Industry

Home Office Life Underwriters AssociationOrlando, FL

May 7, 2001

Download at:http://www.iii.org/media/privacy/index.htm

Robert P. Hartwig, Ph.D. Vice President & Chief EconomistInsurance Information Institute 110 William Street New York, NY 10038

Tel: (212) 346-5520 Fax: (212) 732-1916 [email protected] www.iii.org

Is America Worried About Privacy?

YOU BET!

Articles in Major Publications with “Privacy” in Headline

1,7052,255

3,739

5,030

6,639

9,324

11,500

0

2,000

4,000

6,000

8,000

10,000

12,000

1995 1996 1997 1998 1999 2000 2001**EstimateSources: Insurance Information Institute; Lexis/Nexis.

Who’s Very Concerned About Privacy?

60%

54%

64% 62%57%

46%

67%

57%

72%

40%

60%

80%

100%

All Am

erica

ns

Onlin

e

Not O

nline

Wom

enM

en

Age 18

-29

Age 50

-64

White

Africa

n Am

erica

n

Sources: Pew Internet & American Life Project.

Those not online, women, minorities and older people are more concerned about privacy

Who Said This?

“…I will prohibit genetic discrimination, criminalize identity theft, and guarantee

the privacy of medical and sensitive financial records. In addition, I will make it a criminal offense to sell a person’s Social Security number

without his or her express consent.”

--George W. Bush

Worried—But ApparentlyNot Too Worried

$5.198 $5.240$5.526

$6.393

$8.686

$5

$6

$7

$8

$9

$10

99:IV 00:I 00:II 00:III 00:IV

Source: US Department of Commerce, Insurance Information Institute

E-Commerce Retail Sales Trend($ Billions)

The Internet & Privacy:

An Oxymoron?

On-Line Worries

20% 21%

42%

27%31%

54%

0%

10%

20%

30%

40%

50%

60%

Worried e-mail read by others Might know which web sitesvisited

Might get computer virus

1998

2000

Sources: Pew Internet & American Life Project.

Reports of Identity Theft by Type

12,900

6,100

4,000

2,200 2,000

5,200

3,000

0

2,000

4,000

6,000

8,000

10,000

12,000

14,000

Credit CardFraud

Phone orUtilities

DepositoryAccounts

FraudulentLoans

GovernmentDocuments

Other Attempts

*Victims may be included in more than one category; categories are III approximations from FTC figures and charts.Sources: Federal Trade Commission; Insurance Information Institute.

Total Number of Victims = 25,845*

Identity Theft Per 100,000 People, 2000

Source: Federal Trade Commission

13 - 16

1 - 4

5 - 8

9 - 12

17+

Online Tracking: Is it Harmful?The Real Cookie-Monster

27%

36%

25%

23%

54%

47%

54%

56%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

All Internet Users Age 18-29 Age 30-49 Age 50-64

Helpful Harmful

Source: Pew Internet & American Life Project.

Would Like to “Opt-Out” When on a Web Site

56%

34%

4%6%

0%

10%

20%

30%

40%

50%

60%

Always Sometimes Rarely Never

Sources: BusinessWeek survey.

Insurance in the Online World:

A Tough Sell—So Far

How Americans Shop for Auto Insurance

67.6% 66.2% 68.2% 67.9% 67.4%

21.0% 21.7% 20.6% 21.1% 20.9%

10.5% 10.7% 10.5% 9.9% 10.9%

0.8%1.1%0.7%1.4%0.9%

0%

20%

40%

60%

80%

100%

Overall 18-34YearOlds

35-64YearOlds

Males Females

Online

Other

Phone

Local Agent

Source:Progressive Insurance; Survey of 31,500 consumer in 156 markets; Nov/Dec 2000.

Shifting Distribution Channels: Property/Casualty Insurers

Source: Datamonitor

20031998

Direct Response

10.0%Banks8.1%

Internet7.3%

Other2.5%

Independent Agents23.3%

Captive Agents48.8%

Direct Response

9.8%Banks2.8%

Internet0.9%

Other3.0%

Independent Agents27.0%

Captive Agents56.5%

Projected Online Sales of Auto, Home & Term Life Insurance

$0

$2,000

$4,000

$6,000

$8,000

$10,000

$12,000

$14,000

Auto Home Term Life Renters

20002001200220032004

Source: Forrester Research

$ Millions

Insurers: Tangled in the Web?

Distribution Channels Continue to Proliferate

Customer InsurerAgent Broker

Mail Telephone

Bank

Internet Dealerships Payroll Plans

Stock Exchanges

Online Auctions (e.g. Priceline.com)

????

PRIVACY PARADE

Too Many Privacy Cooks May Spoil the Soup

HIPAA GLB HHS NAIC…

Privacy TimelineG

LB

Ena

cted

Nov

.12,

199

9

Fede

ral m

edic

al p

riva

cy s

tand

ards

rel

ease

d D

ec. 2

0, 2

000

Feb.

200

1: F

eder

al m

edic

al p

riva

cy

reg

ulat

ions

del

ayed

Apr

il 14

, 20

01: F

eder

al m

edic

al p

riva

cy

reg

ulat

ions

take

eff

ect

July

1,

2001

: GL

B p

riva

cy d

iscl

osur

e

req

uire

men

t dea

dlin

e; A

lso

“uni

form

”

adop

tion

date

for

NA

IC m

odel

reg

s

1996

: Hea

lth I

nsur

ance

Por

tabi

lity

Act

Apr

il 14

, 20

03: F

eder

al m

edic

al p

riva

cy

com

plia

nce

dead

line

Source: Insurance Information Institute

The Gramm-Leach-Bliley Act and Implementing Regulations

• GLB Act enacted November 12, 1999

• Primary purpose is to permit affiliations between banks, securities firms and insurance companies

• Compliance required by July 1, 2001

Every financial institution has an affirmative and continuing obligation to :

respect customer privacy, and

protect the security and confidentiality customer information

Source: Schwartz & Ballen

Highlights of Title V andThe Agencies’ Regulations

• Financial institution safeguards

• Disclosure obligations

• Privacy obligation policy

• Privacy notice requirements

• Information to be included

• Opportunity to opt out


Highlights of Title V (continued)

• Reuse of information

• Exceptions

• Joint marketing

• Rulemaking and enforcement

• Applicability of State law


Safeguarding Customer Information

• Information Security Program• Involvement of Board of Directors• Assessment of Risk• Manage and Control Risk

Access rights to customer informationEncryption of informationContract provisions for service providers

• Oversee Outsourcing Arrangements


Disclosure Obligations (cont’d)

• Financial institutions may not disclose “nonpublic personal information” to “nonaffiliated third parties” without:

notice opportunity to “opt out”


What is Nonpublic Personal Information?

• Personally identifiable information collected from consumers

• Personally identifiable information collected about consumers

• Personally identifiable information resulting from a transaction with consumers


Redisclosure and Reuse of Information

• Anyone who receives information from a financial institution may disclose the

information to a nonaffiliated third party only to the extent such information could be disclosed by the provider

• The rules restrict reuse by third parties information can be used only for the

purpose for which it originally was provided


Rulemaking and Enforcement

• Federal agencies with rule writing and enforcement authority

- Federal Reserve Board - Comptroller of the Currency

- Federal Deposit Insurance Corporation - Office of Thrift Supervision - National Credit Union Administration - Securities and Exchange Commission - Federal Trade Commission

• Insurance companies and agents are subject to the jurisdiction of the state insurance authority


Applicability of State Law

• States may enact stronger measures

• Many States are considering Opt in Consumer access to information

and correction rights Affiliate sharing Limitations on disclosure of medical information


NAIC Model Rule

• Applies to financial and health information• The financial disclosure provisions closely follow the federal rules, with adjustments to deal with issues unique to insurance (e.g., group policies, workers compensation)• Health information cannot be disclosed to affiliates and nonaffiliates unless the consumer has provided consent


NAIC Model Rule (continued)• Consent is valid for no more than 24 months

• If the licensee complies with the HIPAA rules, it is not subject to the NAIC’s health information rule

• The NAIC’s health information rule does not affect other state laws regarding medical privacy of health records

• July 1, 2001 “adoption” date


Federal (HHS) Privacy Regulations

• Released by Clinton Administration November 2000

• Became effective April 14, 2001• April 14, 2003 compliance date• Focuses on health plans, health care

clearinghouses, health care providers

• P/C & Life Insurers not under HHS jurisdiction

Federal (HHS) Privacy Regulations (cont’d)

• HHS Secretary Thompson will make “common sense” changes to the rules.

• Some changes will happen quickly, others require a lengthy administrative review.

• There will be confusion as the GLB, HHS and various state privacy regulations take hold.

Hawaii: Confusion in Paradise

• Confusion on interpretation of state privacy law led to a near shutdown of the state’s workers compensation system

• Doctors—uncertain how to interpret new law—severely curtailed disclosure of routine medical info to insurers.Feared massive fines and criminal penalties (and no doubt lawsuits)

• State had to call special legislative session to delay implementation date

• State’s Medical Privacy Task Force will study far-reaching impact of law

California—Dreamin’ about Privacy in the Silicon Shadow

• Assembly Bill 435 led at least one workers comp insurer to believe that it could not disclose the reasons for a rate increase to policyholders (employers).

• Two employers actually had to sue the insurer to obtain the rationale. • CA law leads insurers and TPAs to believe that they cannot transmit

info to employer, such as:Medical infoRehab plansReturn-to-work dates to employer

Insurance Underwriting—It’s Not in the Genes

Genetic Testing—Uphill Battle • Effectively banned for underwriting purposes:

Approximately 20 states have banned insurers from using genetic testing in underwriting (health focused, life and non-life insurers could be next)

In February UK insurer Norwich-Union admitted using genetic testing to screen life insurance applicants for Alzheimer’s, breast and ovarian cancer.

In April, British government declared temporary ban on use of genetic screening by insurers

US railroad Burlington Northern Santa Fe faced suit from EEOC for screening carpal tunnel claimants to see if work-related or genetic predisposition.

American public (and president) favor very strong protection of genetic information

Outlook • Federal rules will go into place (GLB,

HHS) without a significant changePopular support extremely highIndustries are conflicted

• Confusion because of state regs and varying deadlines

• Hard to avoid “patchwork” of regs• Safe harbors for p/c lines likely• Litigiousness will emerge

Insurance Information Institute On-Line

If you would like a copy of this presentation, please give me your business card with e-mail address