6 steps to safer client data

Privacy a big priority for insurance brokers

It was a simple mix-up–the garbage bag full of policyholder documents was meant for a shredder, not a public recycling bin–an easy mistake. But in handing down a $1,000 fine to the broker behind the error, the Insurance Council of British Columbia is hoping to highlight consumer privacy issues.

In making its decision–made public January 4–the council acknowledged that the breach was an accident, but stated that the fine would “balance the need to send a message to the industry about the importance of protecting the privacy of client information.”

Most businesses handle sensitive consumer data: 69% of those surveyed by the Office of the Privacy Commissioner of Canada last year said they collect personal information. And few handle as much private information as brokers. “For the insurance sector, it’s more of a priority,” says Corinne Pohlmann, vice president of national affairs at the Canadian Federation of Independent Business (CFIB).

What can brokers do? Both federal and provincial privacy commissioners have outlined steps to prevent breaches–and respond to them swiftly.

Putting consumers at ease

While small or mid-size businesses may not be the targets of sophisticated data breach efforts–due to their scale–and most already have privacy processes, reviewing those guidelines can help keep data secure.

1) Along with the regular safeguards–physical and electronic measures–to protect consumer information, businesses should have privacy policies in place that cover who has access to sensitive data, how it’s handled and how it’s disposed of, according to Ontario’s Information and Privacy Commissioner (IPC). The guidelines should also cover how to share the policies with other staff members, and include a process to document any breaches.

At the Insurance Corporation of British Columbia (ICBC), the insurer has “stringent privacy guidelines and safeguards in place to make sure all employees and contractors are aware of specific obligations to protect the privacy of our customers,” says Adam Grossman, ICBC spokesman.

The insurer offers privacy training and regular updates for brokers and also conducts privacy audits and site visits. When a breach occurs, “we move swiftly to remedy it working with the appropriate agencies and affected customers. We take immediate and substantial steps to help ensure such incidents do not repeat,” he told Canadian Insurance Top Broker via email.

2) The OPC also suggests creating a privacy statement for consumers and clients that outlines what kind of personal information is required, whether it will be shared, and how it will be used, and that gives them contact information in case they have more questions.

A speedy response

In case of a data breach, the OPC advises businesses to:

3) Stop the breach–by either shutting down systems, or reclaiming documents. Appoint someone in your office to lead an investigation into how the breach happened, and how it can be prevented from happening again.

4) Assess the risks–the investigation should assess what kind of data was involved and how sensitive it is. Can it be used fraudulently?

5) Notifying consumers about the breach is a key step. “The last thing you want to do is try to hide something,” says Pohlmann. The OPC recommends telling the affected consumers even if the breach poses a small risk to them. That notification should also include additional advice for clients about contacting credit reporting services, or contact information for government offices.

If necessary, the OPC also advises that its office be notified, along with police or insurers.

6) Prevention–the investigation’s findings should lay the groundwork for a privacy plan, or help close any gaps in an existing plan. Any breach should prompt a privacy audit, a review of processes and employee training and of partner practices, according to the OPC.

Most small businesses are hyper-aware of data security issues–and most go beyond what’s required of them by law, says the CFIB’s Pohlmann, who notes that most small business owners know their customers personally and that tie makes privacy intuitive. But, “ultimately, it’s the business owner that’s responsible” for breaches and their fallout, she points out. “It’s your business reputation on the line.”

Copyright © 2017 Transcontinental Media G.P.