Search      Advanced Search | Browse By Topic
Magazine Content
Home
Features
Columnists
Industry Risk Reports
In-Depth Series
Special Reports
Point/Counterpoint
R&I One® Content
News & Analysis
Editor's Choice Stories
Resources and Tools
Power Broker® Directory
Risk InnovatorTM
Emerging Risks
Top Employee Benefits Consultant
Executives To Watch
Insights
Industry Events
WorkersComp Forum
Award Nominations
Webinars
RSS
R&I Information
Subscription Center
Advertiser Information
About Us
Contact Us
 

Newsletter Sign-up

Click on the name of the free newsletter below to preview:

R&I One®
WORKERSCOMP Forum TM Update
HTML Text
E-Mail Address:


Click here to unsubscribe
Privacy Policy
Preferences
 

Privacy Takes Center Stage

Insurers need to watch out for emerging privacy risks and tailor different privacy practices to different nations.

Print Email Add to Facebook Add to Twitter Add to LinkedIn Write to the Editor Reprints

By KATIE KUEHNER-HEBERT, a freelance veteran business journalist based in San Diego.

SAN DIEGO -- As privacy legislation spreads across the world, global companies need to make sure they tailor their practices for each country to satisfy differing perceptions of what privacy actually means, and differing levels of acceptance for the collection and sharing of personal data.

That's according to a panel of experts, who also discussed how insurance companies can better draft policies to cover emerging privacy risks last week at the Professional Liability Underwriting Society's annual conference here in San Diego.

"The concept of privacy is amazingly different in different areas of the world," said Tim Jaggs, executive director of specialty casualty at Towers Watson (Re)Insurance Brokers Ltd. "Global companies need to understand that there's no single understanding of privacy, and that there will be terrible liability and litigation for them if they don't."

Regarding the safeguarding of personal data stored on computer systems, people in the U.S. generally expect that the companies they do business with will have at least some of their personal information. As such, the concern revolves around how companies safeguard their personal information and how companies might be sharing that data with others, said John F. Mullen Sr., a partner at the law firm Nelson, Levine, de Luca & Horst LLC.

However, most state notification laws do not specify every kind of personal information that must be safeguarded, such as zipcodes, he said.

"Most laws are very gray," Mullen said.

Currently, there are 46 states with laws on notification, and there are now at least four different pieces of federal legislation on the issue introduced in Congress, Mullen said. As those bills move forward, he expects a fair amount of pre-emption fights and requests for "carve-outs" from industry sectors already complying with existing privacy laws such as the Gramm-Leach-Bliley Act.

"I do believe we are going to see something there, but this is an election year, so that 'something' may not be for some time," Mullen said.

People in many other countries care more about whether companies can actually collect personal customer information without informed consent, said Tom Allen, senior underwriter at Aspen Insurance UK. Moreover, many European countries, like Germany, are concerned not only about information that definitely identifies a person such as a tax identification number, but also about information that could potentially identify a person if there is enough information collected by the company for someone else to ascertain their identity, Allen said.

Asia-Pacific countries such as Japan, Korea and Taiwan have "prescriptive" rules on how companies can treat data, compared to state laws within the U.S. that tend to have more "standard-based" rules, he said.

"However, the emphasis in those countries is not so much on penalties" for breaches, "but on the assumption that you would just follow the rules," he said.

India's notification laws are "pretty robust," Allen said. "It's their national exercise in branding."

For many countries, the onus of enforcement is on their respective regulators, but in the U.S. and now South Korea and parts of Europe, the "overarching" stick is class-action lawsuits, Mullen said.

Insurance policies generally have been built around U.S. notification laws, and as such, they don't quite protect for breaches in other countries in the same way as they protect for breaches in the U.S., Allen said. Underwriters are now asking global companies more informed questions, to determine all of their various privacy exposures.

But Mullen said that can also depend on those companies' brokers; "some won't let them ask these questions."

Lori Bailey, senior vice president, head of professional liability at Zurich North America and the session's moderator, asked the panelists this question: how could insurance companies better address privacy issues?

Jaggs said that insurers need to be explicitly clear on whether or not their general liability policies cover the effects of breaches.

Jaggs' clients are also asking for "income damage" coverage that would span two to three years after a cyberattack.

"It can be in the billions," Jaggs said, "and we simply don't have the capacity to do it today, but that's what they are asking for."

November 7, 2011

Copyright 2011© LRP Publications
 
 
 
 
 
 
 
 
 
 
 
RISK logo
 

Back to top

Entire contents copyright © 2013 Risk and Insurance® All rights reserved. May not be reproduced in any form without written permission.