Personal Information Collection and Dissemination in Cyberspace - The Insurance Industry's Approach
Timothy J. Schemmel
I. Introduction
Privacy and the protection of personal information are a serious concern for individuals. In the past, a certain amount of protection was provided by the difficulty of managing the vast amounts of data collected. With the advent of computers, and the Internet in particular, this difficulty has been largely overcome. Now, privacy efforts are being far outstripped by the evolution of computer and communication technology. In response, consumers are looking to industries handling this information to bear the responsibility of protecting individual privacy.

One industry addressing privacy needs on the Internet is the insurance industry. This paper is focused on how the insurance industry has handled personal information prior to the development of the Internet, the impact of computerization, and the steps the industry is taking in its efforts to safeguard personal information in cyberspace. Also, the effectiveness of those steps will be examined and proposals made for the furtherance of the industry's privacy goals.
II. Traditional Regulation of Personal Information in the Insurance Industry
Just as the coming of the Information Age signaled a change in the way things worked, so too does the approach of the "Cyber Age." However, before one can begin to understand how cyberspace is changing the way information is handled, one must understand how information is handled outside cyberspace. This section looks at the insurance industry's traditional methods and policies for collecting and disseminating personal information.
A. Collection of Personal Information
The collection of personal information by the insurance industry is fairly straightforward. An individual gives an insurance company their basic information (name, address, phone number) when filling out insurance application forms. From that point forward, the company will maintain and update the individual's file, either with further information provided by the individual, or with information gathered in the course of business. For instance, whenever an individual makes a health insurance claim, the insurer must obtain medical and other records establishing the facts of the claim. Similarly, when an individual changes their automobile insurance, the insurer may check the individual's driving record for accidents or citations.

In each of these instances, individuals are consciously giving their information to the company and are aware the information is being collected by the insurance company. Since patients must sign a consent form before medical information can be released to insurance companies, each signing notifies the patient that their information is being gathered. Individual policyholders are also informed that information collected in the course of a claim investigation may be retained by the insurer, ostensibly to help provide better service to the customer.
B. Dissemination of Personal Information
Whereas the collection of personal information is generally managed by industry regulations and/or policies, the dissemination of that information is generally subjected to state legislation. A look at legislation covering personal information in the insurance industry in a couple of states will demonstrate the variety and similarities in state regulation of personal information.

A Pennsylvania statute addressing customer privacy is quite vague in its requirements. The statute states that "banking institutions [selling annuities or insurance] should be sensitive to the privacy expectations of...customers regarding this information. This includes taking appropriate internal measures to safeguard the security of customer information." The statute makes no mention of what measures qualify as appropriate, but prescribes compliance with state laws and suggests consideration of the Fair Credit Reporting Act.

By contrast, Nevada state law deals specifically with the "practices for gathering information; retention and disclosure of certain information." The statute requires insurance institutions or their agents to provide customers with notice of the institution's personal information policies. Nevada also requires the notice to be in writing and outlines what information must be included in the notice.
III. The Insurance Industry's Approach to Privacy Regulation in Cyberspace
The insurance industry recognizes its position as one of the largest collectors of personal information. Consequently, it is one of the first industries to address cyberspace in its information policies. One of the first steps for the insurance industry in trying to develop a body of cyberspace rules and regulations is to examine how the collection and dissemination of information in that medium differ from traditional industry practices. This section looks at two considerations in this analysis. First, how Internet technologies, such as cookies, alter the actual flow of information. Second, how the insurance industry should compensate for the absence of the human factor.
A. Collection of Personal Information on the Internet
Obviously, some information collection on the Internet will be no different than information collection in an agent's office. An individual visits an insurer's web site, say the Bank of Montreal, to obtain insurance coverage. The individual enters information into an on-screen form virtually identical to the paper form an agent would use. In fact, when an insurer collects information pertinent to insurance claims and evaluations, the method of collection is mostly immaterial.

On the other hand, computers and the Internet allow insurance companies to collect information well beyond the scope of insurance data. Using technologies such as cookies (which allow web servers to store bits of information on a visitor's computer, such as how many times that individual has visited that web site), webmasters at insurance company sites can gain additional information about visitors to their site. When the individuals submit information to the insurance company, the web server may also be making a note of what kind of computer the individual is using, what operating system, and how many times they have visited that site, among other things.
B. Dissemination of Personal Information on the Internet
As a result of available computing power and the far-flung reach of the Internet, an incredible amount of personal data is available in databases online today. For example, the American Insurance Services Group's (AISG) database will soon be merged with the National Insurance Crime Bureau's (NICB) database. This amalgamation of information will be available to AISG and NICB subscribers online following the consolidation. While this information will generally be used by trained investigative specialists, it will still be available to many levels of claims handlers, creating many opportunities for misuse.

This introduces the human factor. It is extremely difficult to program a computer to distinguish between proper and improper access to information by a valid user. If an insurance company employee has access to a particular database, but uses it for personal reasons (finding health information about a significant other, for example), the computer will not be able to tell the difference. It will maintain a record of the employee accessing the information, but the insured's privacy will have already been lost.
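The after-the-fact audit that the paragraph above implies, as an added example that is not part of the original paper: the system cannot know why a valid user opened a record, but the access log joined against claim assignments lets an auditor flag lookups with no business justification. The log format, field names, employee and claim identifiers, and the assignment tables are all constructed for this illustration.

```python
"""Flag record accesses by authorised employees that no assigned claim explains.

Constructed example: the access log, assignments and identifiers below are
made up; the four-field log format is an assumption, not a real product's.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed audit log: timestamp, employee id, insured id, claim id (or '-')
AUDIT_LOG = """\
1998-03-02T09:14:05 emp017 ins44210 CLM-8812
1998-03-02T09:20:41 emp017 ins44210 CLM-8812
1998-03-02T11:02:13 emp017 ins90311 -
1998-03-02T12:45:59 emp023 ins55102 CLM-8819
1998-03-02T23:08:22 emp023 ins44210 CLM-8812
1998-03-03T10:30:00 emp017 ins90311 -
"""

# Constructed assignments: claims each handler works, and the insured each claim concerns
ASSIGNMENTS: Dict[str, Set[str]] = {"emp017": {"CLM-8812"}, "emp023": {"CLM-8819"}}
CLAIM_SUBJECT: Dict[str, str] = {"CLM-8812": "ins44210", "CLM-8819": "ins55102"}
BUSINESS_HOURS = (8, 18)  # assumed local working hours, [start, end)


@dataclass(frozen=True)
class Access:
    when: datetime
    employee: str
    insured: str
    claim: Optional[str]


def parse_log(text: str) -> List[Access]:
    """Parse the constructed four-field log into Access events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, ins, claim = line.split()
        events.append(Access(datetime.fromisoformat(ts), emp, ins,
                             None if claim == "-" else claim))
    return events


def audit(events, assignments, claim_subject, hours=BUSINESS_HOURS) -> List[Tuple[Access, str]]:
    """Return (event, reason) pairs for accesses lacking a justification.

    An access is justified only when it cites a claim assigned to that
    employee and the record opened is the subject of that claim.
    """
    findings = []
    for ev in events:
        reasons = []
        if ev.claim is None:
            reasons.append("no claim reference")
        elif ev.claim not in assignments.get(ev.employee, set()):
            reasons.append("claim not assigned to employee")
        elif claim_subject.get(ev.claim) != ev.insured:
            reasons.append("record is not the subject of the cited claim")
        if not (hours[0] <= ev.when.hour < hours[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev, "; ".join(reasons)))
    return findings


def repeat_lookups(findings, min_count: int = 2) -> Dict[Tuple[str, str], int]:
    """Employees who repeatedly opened the same unjustified record."""
    counts: Dict[Tuple[str, str], int] = {}
    for ev, _ in findings:
        key = (ev.employee, ev.insured)
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


if __name__ == "__main__":
    flagged = audit(parse_log(AUDIT_LOG), ASSIGNMENTS, CLAIM_SUBJECT)
    for ev, reason in flagged:
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.employee} -> {ev.insured}: {reason}")
    print("repeat lookups:", repeat_lookups(flagged))
```

Such a review only shows that the access happened and was unexplained; as the text notes, the insured's privacy is already lost by then, so the value lies in deterrence and in catching patterns like the repeated lookups above.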
C. How Other Businesses and Web Sites Have Chosen to Self-Regulate
While the government and individual industries have been hesitant to promulgate regulations on the flow of personal information and privacy, many individual companies and web sites have adopted clear policies in this regard. Examples of these include ESPN's SportsZone (explains use of cookies and warns that some areas of the site may not work if cookies are turned off), American Express (explains why cookies are used and that they are optional, but doesn't say what effect turning off cookies will have), Intel (will notify visitors of the purpose for gathering information and will not provide information to third parties) and DoubleClick (a company dealing in web-based advertisements; claims complete anonymity for web visitors, and offers the ability to "opt-out" of cookie use). All but the Intel site try to explain cookie technology as positive and non-threatening. A collection of case studies on various corporations' privacy policies is contained in a U.S. Department of Commerce Report entitled "Privacy and Self-Regulation in the Information Age."
IV. Proposal for Regulation
 
A. Applying Old Rules in a New Medium
In many areas, privacy regulations outside of cyberspace would be effective and applicable inside cyberspace. In some instances, the laws could be applied without much modification. This is particularly true on the retention side. Rules regarding a company's ability to keep records it has properly gathered should not be affected by the presence of the Internet.

This is also true, to a lesser degree, when it comes to dissemination of personal information. While the Internet obviously does have an effect on a company's ability to gather information, many of the current rules outlining what information may be made available and under what circumstances it may be made available are applicable regardless of the medium of distribution.

On the other hand, many more avenues of data collection are available. Cyber technology allows businesses to collect information much faster, from more sources, and with less notice to consumers. Also, technological advances have helped businesses overcome information management problems that existed in the past. Twenty years ago, compiling a large database of information meant creating paper records which were placed in filing cabinets. The more information, the more filing cabinets. Entire rooms and, if a business was large enough, entire buildings were dedicated to storing these filing cabinets. Even if a company was able to gather a mountain of data, correlation and comparison of the data required employees to read the individual files, looking for pertinent information and indexing it by hand. Statistical tabulation and interpretation was all done by human hand.

Today, that same amount of information can be accessed by a personal computer, sorted, and indexed in mere fractions of the time. That information is more useful and, thus, more valuable. With these increased abilities, companies look to gather more information than before. In the area of information collection, most current regulatory schemes do not take into consideration the technological capabilities of individual companies.

Prior to instituting any cyberspace privacy regulation, the insurance industry should first reexamine its general privacy policies. In addition to recognizing its role in protecting individual privacy, the insurance industry must also recognize that, unless the industry as a whole adopts measures to protect individual privacy, the insurance industry will likely be subjected to government regulations. Government regulation presents the risk that the legislative system might not protect "the legitimate information needs of insurance companies." This forces the insurance industry to attempt the delicate balancing act of protecting the privacy rights of individuals without compromising its own ability to function.

Insurance industry measures might be drawn from recommendations in a recent report by professors at the Oregon State College of Business entitled "Ethical Uses of Information in Insurance." The guidelines specified in this report reflect some of the same concerns addressed by the Department of Health and Human Services (DHHS) in making privacy recommendations to Congress. DHHS Secretary Donna Shalala stated that the chief considerations for her department's recommendations included making sure collected information is pertinent only to health care, security, consumer control, accountability, and public responsibility. This final principle of public responsibility addresses one notion frequently forgotten in privacy discussions. In recognizing consumer privacy as a very high priority, advocates must remember that insurers and health care providers have a strong need and right to collect certain information in order to properly deliver their services.
B. New Rules for a New Frontier
While many current regulations are applicable to the movement of personal information in cyberspace, many of them have one common shortcoming--failure to address the problem of jurisdictional differences.

Does an insurance company in New Jersey only have to meet the requirements of that state, even though it is collecting information on its web site from people in California? Taken one step further, what if that company is collecting information from individuals in Europe? A privacy directive passed by the European Union (EU) will prohibit the transfer of personal information from an EU nation to a country with inadequate data protection when it takes effect in October 1998. Although this must be one of the first considerations in protecting privacy, it likely cannot be resolved until general cyberspace jurisdiction issues are resolved.
V. Conclusion
It is more critical now than ever for effective privacy regulation to be adopted, given the ease with which personal information can be collected and disseminated on the Internet. While existing rules and regulations serve well as models and building blocks, special care must be taken to include the idiosyncrasies of the Internet within the scope of any privacy regulation. Specifically, privacy policies and regulations must make allowances for the flow of information across jurisdictional borders, whether it be state-to-state or United States to the European Union and back. For any privacy policies to be truly effective, they must be widely implemented and accepted.

The policies must also take into account the need of the insurance companies to be able to collect personal information. Without this information, insurers are unable to properly serve their clients. Individuals must realize that with greater service comes a greater surrender of privacy. This surrender should only be to the insurance company itself, however. The ability of insurance companies to sell or otherwise distribute personal information to third parties can be severely curtailed without any necessary reduction in service to clients.

In short, the insurance industry should adopt regulations to place control of personal information back in individual hands. Insurance clients should be able to determine how their information will be used. The insurance industry can establish guidelines for what information is necessary to conduct insurance transactions and other insurance-related business. Based on these, the individual makes an informed decision as to whether or not to become a customer. From there, it should be up to the customer to decide whether the insurance company may provide any personal information to outside parties, with penalties in place if the company violates the customer's instructions. With this, control of personal information privacy is where it belongs...with the source of the information.

1. The definition of "personal information" varies by statute or regulation. The New York Code of Rules and Regulations defines it as "any data concerning a data subject which, because of name, number, symbol, mark or other identifier, can be used to identify that data subject." 9 NYCRR § 9951.2 (1998). The Nevada Administrative Code defines personal information (for insurance purposes) as:

"[A]ny identifiable piece of information gathered in connection with an insurance transaction from which judgments can be made about a natural person's character, habits, avocations, finances, occupations, general reputation, credit, health or any other personal characteristics including, but not limited to, his name, address and medical record information. The term does not include privileged information."
NAC 679B.650 (1996).

2. Lawrence A. Ponemon, Privacy needs protection, J. Com., Mar. 23, 1998, at 7A (citing a 1997 survey conducted for the Center for Social and Legal Research showing "92 percent of the public concerned about threats to their personal privacy" and "64 percent very concerned."). The article also cites a 1996 privacy survey by Harris-Equifax finding that "67 percent of the public think consumer privacy issues are 'extremely important,'" with 83 percent saying "consumers no longer have control over how firms collect and use their personal information."

3. The amount of work and time needed to gather and sort through data prevented the data from being overly useful to the information holder. See infra Part IV.A.

4. At one time, information was simply considered necessary for ordinary business operation. As information became easier to manage, however, companies began to see information as a commodity to be bought and sold. This was the dawn of the Information Age.

5. More and more, individuals and businesses are looking to move into cyberspace. Electronic commerce and virtual communities are growing, and people are using the Internet extensively to communicate with others. Eventually, people will move about this virtual world as easily and often as they move about in the real world, perhaps more easily. This will be the Cyber Age.

6. While this may benefit the customer to some degree, insurers use this retained data in an effort to cut down on fraudulent insurance claims.

7. 31 Pa. Code § 38.64 (1997).

8. Id. (emphasis added)

9. Id.

10. NAC 679B.685 (1996).

11. NAC 679B.685(1).

12. NAC 679B.685(2). The written notice must state:

(a) Whether personal information may be collected from persons other than the natural person or natural persons proposed for coverage.
(b) The types of personal information that may be collected and the types of sources and investigative techniques that may be used to collect the information.
(c) The types of disclosures identified in subsections 2 to 6, inclusive, 9, 11, 12 and 14 of NAC 679B.730 and the circumstances under which those disclosures may be made without first obtaining authorization. Only circumstances which occur frequently enough to indicate a general business practice may be described.
(d) A description of the rights established under NAC 679B.705 and 679B.710 and the manner in which those rights may be exercised.
Id.

13. Insurers must take lead in debate over privacy, Nat'l Underwriter Life & Health-Fin. Services Edition, Oct. 27, 1997, at 68.

14. Bank of Montreal is not literally an insurer, but rather acting as an agent for various insurance companies. They do, however, provide access to insurance information and would be expected to follow guidelines established in this area by insurance companies. Finding insurance information on Bank of Montreal's site takes a bit of digging, but eventually leads to http://www.insurexplorer.com./. Legal notices, including security and privacy, are posted at http://www.insurexplorer.com./cebra_oie/ablg.html.

15. To see the form used at the Bank of Montreal site, visit https://www.insurexplorer.com/cgi-bin/ndCGI.exe/cebra_oie/expr

16. For an extensive explanation of cookie technology and the information it makes available, visit the Point Mudge Cookie Page at http://www.westsound.com/ptmudge/cookies.htm

17. For a demonstration of a website's ability to gather additional information surreptitiously, visit the Center for Democracy and Technology's Privacy Demonstration Page at http://www.13x.com/cgi-bin/cdt/snoop.pl

18. Id.

19. James Jones, Privacy concerns raise new exposures for insurer employees handling claims data, Nat'l Underwriter Prop. & Casualty-Risk & Benefits Mgmt, Nov. 10, 1997, at 17. The AISG database contains 55 million injury claims and more than eight million property claims, while the NICB database has over 300 million vehicle and claim records.

20. The information contained in these databases, unless covered specifically by laws affecting classes of information (such as medical records), is generally governed only by the rules established by the database companies themselves. Id.

21. Such as a subscriber's employee using others' information to commit fraud or reveal embarrassing or harmful information about an individual.

22. http://www.ntia.doc.gov/reports/privacy/selfreg6.htm. For the full text of this report, visit http://www.ntia.doc.gov/reports/privacy/privacy_rpt.htm.

23. One concern would be the ability of an unauthorized party to access the retained information through the Internet, but this problem falls more properly under security and dissemination policies.

24. For example, an individual with a typical desktop computer can open a database and, within seconds, come up with a list of all the individuals in the database who earn more than $50,000 per year, and which of those individuals have an outstanding mortgage on their home.

25. Insurers must take lead in debate over privacy, Nat'l Underwriter Life & Health-Fin. Services Edition, Oct. 27, 1997, at 46.

26. Id.

27. Lee Ann Gjertsen, Insurers' data handling ethics explored; report commissioned by Institute for Applied Ethics in Insurance, Nat'l Underwriter Life & Health-Fin. Services Edition, Oct. 20, 1997, at 4. This report sets forth four guidelines for proper information usage and industry self-regulation:

*Relevance--Applicants should be able to question whether certain information is really necessary to divulge, and if the company cannot justify its need for that information, the request should be dropped.
*Accuracy--Companies need to make sure the information they gather is current and accurate.
*Notification of information gathering purposes, techniques and sources[--]Companies should explain the relevance of the questions and the need for accuracy to their subjects. While these disclosures do exist in application forms, the report notes, often the notification is in small print and written in confusing language.
*Prior consent--Insurers should get consent from applicants before gathering information. This means the individual must be aware of what kinds of data will be gathered and where it will come from, as well as how the information will be used.
Id.

28. Insurers must take lead in debate over privacy, Nat'l Underwriter Life & Health-Fin. Services Edition, Oct. 27, 1997.

29. Id. More specifically, Ms. Shalala's outlined principles were:

"[F]irst...boundaries. 'With very few exceptions, a health care consumer's personal information should be disclosed for health care and health care only'...
Second is the principle of security. Third is 'consumer control.' Ms. Shalala said that Americans 'should have the power to find out who's looking in their records, what's in them, how to get them and what they can do to change incorrect information.'
The fourth principle of accountability is based on the assumption that if 'you are using information improperly, you should be severely punished.'
The final principle is public responsibility, or balancing the protection of privacy with the responsibility to support national priorities such as public health, research and the fight against fraud.
Id.

30. Regarding the disclosure of personal or privileged information, the New Jersey Administrative Code states: "No insurance producer or limited insurance representative shall disclose personal or privileged information about an individual collected or received in connection with an insurance transaction except in conformity with N.J.S.A. 17:23A-1 et seq." N.J.A.C. § 11:17A-4.5. This section makes no reference to the manner of disclosure and should apply equally to disclosure made over the Internet. It makes no distinction, however, between a New Jersey-based insurance company and a New York insurance company with New Jersey clients. Does this section still apply if the New York company makes personal information about a New Jersey client available on its web site?

31. For the unofficial text of the EU's privacy directive, see http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html

© 1998 This material is the property of Timothy J. Schemmel.