Common questions about privacy notices
- My carrier told me I didn’t need a privacy notice. True or false?
- What can I tell car dealers who call and ask for information on customers who are buying a car?
- What about lenders asking for information on customers who are buying or refinancing a house?
- What if I share information with an MGA or broker?
- I received a subpoena asking me for a copy of a client file. Can I share that?
- I belong to a cluster. What’s permissible to share?
- I own two separate agencies but operate them with the same staff. How can I share information between the agencies?
- I’m in the process of selling my agency, and the prospective buyer wants a look-see. How should I handle this?

Turn to IA&B’s online Q&A for the answers:
Pennsylvania – www.iabgroup.com/pa/privacy/qa
Maryland – www.iabgroup.com/md/privacy/qa
Delaware – www.iabgroup.com/de/privacy/qa
financial information you collect. Share it at the beginning of your relationship with the customer and then again annually. And if you have a Web site, post the notice online – and document any customer information you gather or store via the Web.
Q. Exactly what information does the regulation include?
A. Health information is self-explanatory. The financial information in question includes any information given by or obtained about the consumer relating to the transaction. If the insurance product is used for personal, family or household purposes, the regulation applies.
Q. What should my privacy notice say?
A. So glad you asked. IA&B members have access to Web-based audits that determine if your notice can say that you don’t share information “other than as permitted by law” or if you must give more information based on your agency’s practices. And depending on those practices, the audits may prompt you to include an opt-out provision for clients to request that their information isn’t shared. No matter your audit results, in the end you’ll learn which of IA&B’s four sample notices fits your agency.
Create your notice:
Pennsylvania – www.iabgroup.com/pa/privacy_requirements
Maryland – www.iabgroup.com/md/privacy_requirements
Delaware – www.iabgroup.com/de/privacy_requirements

Note: You also must have a privacy agreement in place with every service provider (i.e. IT provider, marketing firm) and fellow cluster agency that come in contact with your customers’ information. An addendum to your contracts can clarify their use of that information.

Read up on information security addenda:
Pennsylvania – www.iabgroup.com/pa/privacy/service_provider
Maryland – www.iabgroup.com/md/privacy/service_provider
Delaware – www.iabgroup.com/de/privacy/service_provider
WRITTEN INFORMATION SECURITY PROGRAM

As mentioned in the previous section, the GLBA labeled agencies as financial institutions – a lofty title that stipulates privacy obligations. Individual states oversee the privacy rules and standards. Pennsylvania and Delaware require agencies to create a written information security program. And while Maryland