Chapter 20: Managing Privacy


W. Riker Purcell

Task 1: Making the Privacy Program Work

Gramm-Leach-Bliley (GLB) put tremendous pressure on financial institutions to get their privacy statements written and to start delivery to customers by July 1, 2001. To create an effective privacy program in such a short period of time, most people in the insurance industry knew it was vital to put a workable program into place with the intention of tinkering with it after the initial frenzy. As this company started to comply with GLB, there was a lot of mailing and passing of information as we tried to figure out how we do business, what the risks are, and how we would get the rules of the game and the policy statements themselves distributed through our branches, as well as through our agents who issue our insurance policies. We then had to make sure our own internal audit department put our program onto their list of things to check for when they conduct their audits. These and other early actions were aimed at making the program satisfy at least the minimum requirements. As soon as that was done, though, we began to get solid, practical questions from the field; we spotted some gaps to fill and delivered some clarifying instructions.

In the title insurance industry, in the early stages, every company was on its own. Everyone thought the best way to do things was to read the rules, make a plan, survey the field, talk to management, and make a good-faith effort to comply. When I give anyone else advice, it is to make your very best effort to come up with a genuine good-faith plan. Sometimes we seek expert advice, and sometimes we make critical determinations ourselves. But we always try, in good faith, to comply with all of the requirements. The privacy officer has to be diligent in asking difficult questions and making sure that the company's answers will hold water.

My impression is that the regulators are going to look for good-faith compliance. They won't look for perfect compliance, and they will not be too critical of small deviations and errors. Instead, companies that seem to have thought the issues through and seem to be making a continuing effort should be okay. Companies that fall under GLB have to understand the entire picture as completely as possible, try to put a good-faith program in place, and keep it working.

The privacy officer must know the rules and the reasons for these rules, and know how to distribute these rules and reasons to the people who can implement them. In a company like ours, with about 8,000 employees, I think this means literally keeping a list of names of people in the field who are willing to be concerned about privacy compliance. Again, we should aim for instinctive compliance. People must know the reasoning behind the law.

There is an important detail in the care and feeding of insurance privacy compliance programs. Although most state legislatures and insurance departments wound up with laws and regulations that are close to the federal standard, some states have adopted laws and regulations that take a different turn. For instance, a couple of states have adopted, and other states are considering, an opt-in standard instead of the more conventional opt-out standard, so that an insurer or insurance agent would need affirmative permission for certain types of sharing. When managers pose questions about a new plan or program, the privacy officer has to slow down and resist the temptation to give the answer based on the prevalent standard. Instead, the privacy officer should look at the sections of any state privacy laws that could govern the particular issue raised. The statutory and regulatory language differs, and because of this, it's easy to make a mistake.

In the end, I think that continuing, good-faith efforts will satisfy regulators. We are not as concerned about private lawsuits because GLB and most of the state laws that follow GLB do not provide a private cause of action for violations; that is, only the state can prosecute a failure to comply. There is some risk of private lawsuits, especially class-action suits, based upon the theory that violations of privacy laws are unfair trade practices under state insurance law. However, as long as companies exercise caution, the potential plaintiffs should have trouble proving they have suffered any damages.




The CTO Handbook. The Indispensable Technology Leadership Resource for Chief Technology Officers
The CTO Handbook/Job Manual: A Wealth of Reference Material and Thought Leadership on What Every Manager Needs to Know to Lead Their Technology Team
ISBN: 1587623676
Year: 2003
Pages: 213