Property Chapter 4 Part 5

Part 5: Information Privacy

Protecting Customer Information

This is a brief section covering the key privacy requirement for insurers. While short, this concept may appear on your exam!

Information Security Program Requirement

To protect customer information, insurers are required to implement and maintain a comprehensive written information security program.

The Three Required Safeguards

Administrative Safeguards

Policies, procedures, and training programs that govern how employees handle customer data

Examples: Employee training, access authorization policies (who may see which data), background checks, written policies

Technical Safeguards

Technology-based protections for electronic data and systems

Examples: Encryption, firewalls, password and authentication controls, secure networks, antivirus software

Physical Safeguards

Physical measures to protect facilities, equipment, and paper records

Examples: Locked file cabinets, secure offices, document shredding, visitor logs

Department Access Requirement

The Department of Insurance must have access to the insurer's records that demonstrate compliance with this requirement.

This means insurers must be able to show proof that they have implemented all three types of safeguards.

Real-World Scenario: Why This Matters

The Setup: ABC Insurance Company collects sensitive customer data including Social Security numbers, health information, and financial records from policy applications.

What's Required: ABC must have a written security program that includes:

  • Employee training on handling sensitive data (Administrative)
  • Encrypted databases and secure login systems (Technical)
  • Locked filing rooms and shredding protocols (Physical)

The Result: If the Department audits ABC, ABC must be able to produce documentation showing that these safeguards are in place and functioning.

Memory Trick: A-T-P

Remember the three safeguards with A-T-P:

A = Administrative: Policies & People

T = Technical: Technology & Systems

P = Physical: Places & Paper

Exam Trap Alert

All THREE Safeguards Required

The exam may try to trick you by suggesting that only one or two types of safeguards are needed. Remember: insurers must implement ALL THREE - Administrative, Technical, AND Physical. Having just one or two is not sufficient for compliance.

Quick Reference Summary

Requirement: Comprehensive WRITTEN information security program

Safeguards: Administrative + Technical + Physical (all three required)

Oversight: Department of Insurance has access to compliance records