The Virginia State Corporation Commission Bureau of Insurance (the “Bureau”) recently issued a bulletin to provide guidance on the development and implementation of privacy safeguards to all insurers, health service plans, health maintenance organizations, surplus lines brokers and other interested parties. Under section 38.2-613.2 of the Virginia insurance laws, each insurance institution, agent, and insurance support organization must implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of policyholder information. These safeguards must be tailored to the size and complexity of the insurance institution, agent, and insurance support organization. To comply with the statute, the information security program must be designed to do the following:
- Ensure the security and confidentiality of policyholder information;
- Protect against any anticipated threats or hazards to the security or integrity of policyholder information and
- Protect against unauthorized access to or use of policyholder information that could result in substantial harm or inconvenience to any policyholder.
Under Virginia law, “policyholder information” means the individual identifiable information about a policyholder, in electronic, paper or other form, gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics.
The bulletin lists questions agents and agencies should consider in their evaluation of the physical and virtual security of policyholder information, including:
- Is your physical office secure in the evening?
- Do you dispose potentially sensitive information in the daily trash? Do you have a policy regarding shedder usage?
- Are visitors permitted in nonpublic areas of the office?
- Is access to files restricted to employees on a need-to-know basis?
- Do you have a password protected screensaver?
- Do you encrypt policyholder data, backup data, emails and removable media?
- Can employees access customer and policy data remotely from agency computers using a remote PC, home computer, laptop or public computer?