Questions & Answers
Managing Technology & Workflows
Is an email confidentiality statement required by law?
This is an interesting question. It is a fact that confidentiality statements such as the one below are becoming a staple in electronic mail:
Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law. The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
To answer your question, this statement is not required by law. In fact, such language is not binding on the recipient of the email either. Trying to tell the unintended recipient that he is liable for divulging the information received is more of an intimidation practice than it is a legal recourse. It is not going to hurt you to have such a statement contained in your outgoing email, but you should not rely on it to seek redress if anything happens.
As a rule, your staff should be aware of the fact that email is not overall secure and that it is generally recommended not to provide sensitive information in email format when such email is not encrypted. Taking this one step further, we can't help but make the connection with "standards for safeguarding customer information," also known as the "written information security program." This federal and/or state mandate requires all insurance agencies to describe in a written document the specific measures they have taken to protect the information that they collect. It covers physical safeguards (such as locks on doors or file cabinets), procedures set up in the agency, and technological safeguards such as anti-virus, firewalls or even the use of electronic mail. If you have not developed your own information security program, that should be your priority rather than an innocuous statement in your outgoing email.
For further guidance on information protection, check out our privacy resources.
What do I need to consider in the debate between local retention of policies vs. electronic policy view on the carrier's website?
Many agencies have decided to retain commercial lines policies locally, even if they have a good download of policy data and electronic policy view in place, because they find they need to refer to these policies and endorsements frequently when coverage and claims issues arise. In contrast, many agencies with a good download in place have decided not to retain personal lines policies locally because they are able to handle the typical client inquiries without referring to the policies. Often these questions relate to billing and making a payment, and the agents are able to handle these inquiries efficiently by using real-time billing inquiry and make-a-payment functionality.
Each agency is different, however, so the following considerations can be used to assist agencies in deciding this question:
How frequently does the staff need to refer to the actual policies for the line of business and for what purposes? Does the amount of usage justify the amount of time it will take to attach them to the client file?
Is there a good download in place for the line of business, and is my database accurate? If there is not a good download for the business, then the agency will probably want to retain at least the dec page locally.
Does the agency use the dec page for policy checking and like to retain it as part of the documentation of the policy checking process?
Does the carrier provide links on the dec page to all of the actual policy forms and endorsements applicable to that risk – not just the latest editions of these forms – so that they are easy to access?
Has the carrier provided a contractual guarantee that the agency will continue to have access to its policy information in the event the carrier or the agency terminates the relationship? This commitment should be for the statutory period in which the agency must retain this information (usually seven years).
Do the applicable state laws require the agency to retain the policy documents locally or is access to them at the carrier website sufficient?
Agencies should go through the same analysis with regard to their E&S policies.
Since many agencies have made the decision to retain commercial lines policies locally, it is incumbent on carriers and agency management system providers to make it as simple as download for agencies to attach these policies to their client files. One approach would be to give the agency the option to have the carrier download PDFs of policies (new, renewal and endorsements) each evening using real-time activity notifications and alerts. An option could even be given to receive the dec pages with links to the actual policy forms or the complete policies. Agency management systems should have the capability to route these notifications to the appropriate person in the agency for checking and attachment to the client file. Using this real-time workflow would be an improvement over the e-mailing of these policies because of the added security and transmission directly into the agency management system.
Since some agencies use the personal lines dec pages to check policies for accuracy and then retain them, the same workflow should be made available to agencies for personal lines.
The Agents Council of Technology (ACT) supplied this answer. ACT is a partnership of independent agents, companies, technology vendors, user groups and associations dedicated to enhancing the use of technology and improved work flows within the Independent Agency System. For questions regarding this information, contact ACT at email@example.com.
Marketing & Social Media
Can we use online customer reviews to advertise? What if we reward the reviewers?
This question may be best answered with a “proceed with caution.”
There is nothing fundamentally wrong with touting customer satisfaction that has been properly measured. When the reviews have been obtained with the use of incentives, however, the impartiality of the answer can be called into question. Therefore, publication of the results would require some disclosure of the incentive or “material connection” between the person providing the review and your agency. When it comes down to it, it stands to reason that someone expecting a gift card is more likely to feel compelled to give you positive feedback.
Case in point, in April 2015, the Federal Trade Commission (FTC) issued a decision that has a direct bearing on the use of “incentivized reviews.” The case alleged that Amerifreight Inc. represented to consumers that its products were highly rated or top ranked based on its customers’ unbiased reviews, while the company failed to disclose that it paid consumers to post reviews. The FTC’s decision and order barred Amerifreight from “deceptively touting online consumer reviews and failing to disclose incentives it provided to reviewers.”
Bottom line: If you intend to use your customers’ online reviews to make certain advertising claims, it is better to use reviews that are provided without incentive. In addition, any material connection between the agency and the reviewer that could influence the review must be clearly and prominently disclosed. A material connection is something that affects the weight or credibility of the endorsement and that would not reasonably be expected by consumers, such as a free gift or other advantage, or the fact that the reviewer is employed with the agency.
Security & Identity Theft
Does IA&B have a sample privacy agreement to use with an IT provider?
Why it's needed
Insurance agencies, in the course of their business, regularly contract with service providers for a host of different services that they are not able or willing to perform themselves. In the process, the service provider may need to gain access to client information in order to perform those services. Examples include:
A marketing firm sending a mailer to your customers would access a client list
An Information Technology (IT) provider would access client information housed in your system
What exactly is required
All three states in which we operate – Delaware, Maryland and Pennsylvania (and, for that matter, many more) – have adopted privacy regulations which contain a provision relative to service providers. The regulations require the agency to enter into a contractual agreement prohibiting the service provider from using the information for any purpose other than the one for which the information was disclosed. Simple enough, but easily overlooked.
How to access the tool
Our privacy suite of resources houses various samples, including this sample service provider agreement. Better yet, this agreement may be needed to comply with other laws that have been enacted since (such as Maryland's data breach law or the HIPAA Security Rules). Using the sample will serve both purposes at once. Access our privacy suite for more information.
Your privacy notice should state separately that you are using service providers and confirm that you have entered into an agreement with them to protect your clients' information. If you used IA&B's sample privacy notice, language was included in the sample to account for this.
If you're not sure where you stand, check your privacy notice and check your contracts with service providers. If the language is missing, make sure you add it.
I noticed that one of my carriers is requiring me to notify them promptly when one of my staff is leaving: Is that standard?
During the more recent analyses of agency agreements that IA&B has completed, we have become aware that the above notification provision is becoming more and more standard. It likely has less to do with the appointment process, and more to do with information security and due diligence in preventing data breaches. It’s important to pay attention to this provision for various reasons:
1. YOUR BEST INTEREST -- Quite frankly, it’s in your customers’ and your best interest to manage passwords and access to company Web services (that include both company and customer information) in a timely fashion.
2. LEGAL REQUIREMENTS -- With more federal and state laws and regulations on the books, the web of legal requirements grows larger every year, and some of these requirements could easily be overlooked. You may have implemented training and procedures to protect your customer information, but failing to shut down password access to a departing employee, whether disgruntled or not, could be the famous “weakest link.”
For example: Under the HIPAA/HITECH Security rule, password management is one of various “standards” that have to be examined and for which a proper risk management technique must be applied. As part of their risk assessment, companies (and agencies as their business associates) must implement procedures for creating, changing and safeguarding passwords. You must also ensure that staff members are trained on how to safeguard the information and establish guidelines for changing passwords periodically. Your plan should include answers to the following questions:
- Are there policies in place that prevent staff members from sharing passwords with others?
- Is staff advised to commit their passwords to memory?
- Are commonsense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
- Are guidelines established to change passwords periodically? What frequency or criteria determines change cycles?
Another standard that must be reviewed applies to terminated employees, and there again, it addresses password management. For example:
- Does the agency’s Security Program include the deletion of a terminated employee’s user name and password as part of the termination procedure, along with retrieving any office key or changing a door access code?
3. AVOIDING A BREACH OF CONTRACT -- Based on the increase in agency agreements containing such language, you could simply be in breach of contract when failing to address these requirements.
We have many resources on information security plans required under the Gramm-Leach-Bliley Act and under HIPAA/HITECH.
What do we need to consider if we want to offer quotes on our website?
Using your website in a more dynamic way is a good idea, and there are many options available to make for a more engaging experience. However, there are a number of items to address.
One of the first things that comes to mind is making sure that any page that collects personally identifiable information (PII) is secured. Information prospects enter for a quote would definitely qualify as PII. The proper method to secure web pages varies depending on your system. It is, however, generally simple to do. Your web developer should be able to point you in the right direction and help select the right protocol and security certificate.
- It is easy to know if your web page has been secured (the URL will show “https” instead of “http” and/or a Lock icon with embedded security details will be visible).
- It is not uncommon for E&O carriers to take a look at your website before providing coverage and place conditions if you failed to secure a page that gathers your customers’ personal information.
We focus here on securing a quote page. When building or rebuilding a website, other items should be carefully weighed, including finding the right balance between painting the agency in a positive light while not increasing an agency’s standard of care. Be engaging, but do not promise on something you cannot or will not deliver.
The Agents’ Council for Technology (ACT) has a myriad of resources to help you build a more effective website. Both marketing and E&O considerations are addressed. Feel free to consult their resources or contact us for more information.
How does a credit freeze impact my insureds and prospects?
Over the past several years, major data breaches (think: Target in 2013 and Yahoo in 2013 and 2014) have thrust cybersecurity into the spotlight and have compromised the personal and sensitive information of billions of people worldwide.
Most recently, in September 2017, the credit-monitoring agency Equifax was hacked. This breach compromised the personal information (names, names, Social Security Numbers, birth dates, addresses and driver’s license numbers) of approximately 145 million consumers – not to mention the credit card numbers of about 209,000 individuals.
HOW CREDIT FREEZES WORK
In response, many consumers froze their credit to prevent identity theft. A credit freeze precludes lenders and credit card issuers from accessing individual credit reports via the credit reporting agencies (primarily Equifax, Experian and TransUnion). That, in turn, prevents hackers from applying for and opening credit accounts without an individual’s knowledge.
Producers and consumers alike have questioned what effect credit freezes will have on the industry, such as whether consumers will be required to lift and then reinstate a credit freeze to purchase insurance.
IMPACT OF CREDIT FREEZES ON INSURANCE
The good news: Credit freezes don’t shut out inquiries from insurers. Nearly all states (including Delaware, Maryland and Pennsylvania) have “credit freeze laws” that specifically permit insurers to access credit reports for purposes of setting or adjusting a rate, issuing or underwriting a policy, or adjusting a claim, all without requiring an individual to temporarily lift the freeze with the credit agency.
This means that producers and insureds do not need to take any extra steps to allow a carrier to access credit information that the insured has placed a freeze on. Nor should initiating a credit freeze have any impact on an insured’s premium.
The following are references to each state’s credit-freeze provisions:
- Delaware: 6 Del.C. Section 2203(b)(12);
- Maryland: MD Code Annotated, Commercial Law Section 14-1212.1(b)(1)(x); and
- Pennsylvania: 73 P.S. Section 2503(e)(11).
Website & Internet
Are there any restrictions on what we can advertise on our website?
Yes and no. Here’s the reason: Web designers are there to make you look good. That’s what they’re paid to do, and there’s nothing wrong with that. However, between their zeal to paint you in the best light and their lack of knowledge of the industry, they may unwittingly weaken your E&O defense if a claim is filed against you. Why? The types of statements and promises made on some agencies’ websites can be used by plaintiffs’ attorneys to increase these agencies’ duty of care to their customers.
How it works:
- An agent’s “basic” responsibility is to procure insurance in accordance with a client’s instructions.
- When the agent claims he is highly skilled or an expert and the customer relies on that expertise, this set of facts can create “special circumstances” or a “special relationship.” So if your website is professing that you are “insurance experts,” “provide tailored coverage for each of your customers,” or “make sure that all your customers are properly covered,” your duty of care may now be higher than you think. Good rule of thumb: Do not overpromise!
This is not only true of your website; it also applies to other materials used to promote yourself to the general public (marketing brochures, ads, printed materials) and even verbal representations (e.g. “hold” messages on your phone system). You should expect all these communications to be scrutinized by the plaintiff’s attorney in a lawsuit.
Other important notes when building a website:
- Watch for misuse of a trademark, or use of copyrighted material without permission.
- Watch for accuracy of the content: If it is developed in-house, make sure that someone proof-reads the material. Vet the source if you are using an outside content developer.
- If you refer to other websites or vendors, request consent from the vendor, provide several options, and add a disclaimer relative to the services provided by the vendor.
- Add disclaimers that restrict the geographical areas for which content is provided (e.g. list the states where you operate/are licensed). If a response is only valid for one state, say so.
- If you make reference to your carriers in some of your advertising material, clear the advertising with the carrier. It’s often required in the agency contract.
- If you collect personally identifiable information for quoting, secure the page collecting that information (see last month’s Ask Our Experts answer on the subject, and talk to your IT provider).
- Include a Privacy Statement on your website (as required by federal and state law and regulation).
How can we mitigate our website-related E&O exposures?
Great question! What information you include or don’t include on your website – as well as what steps you do or don’t take to protect customer data – can be used to support or strengthen an E&O claim against the agency. Statements or information you might consider innocent or benign can unintentionally increase the agency’s duty of care to its customers and prospects, which can be harmful to and weaken your E&O defense in a claim situation.
With that in mind, the following are some do’s and don’ts to consider when creating, updating or reviewing your agency’s website:
- Accurately specify states in which the agency is licensed;
- Clearly state that both misstatements or omissions of relevant information provided by current and prospective customers can result in price variations, or declinations or rescissions of coverage;
- Clearly state that requesting coverage does not guarantee that coverage can or will be provided. Coverage can only be initiated/confirmed via a specific statement from a licensed member of the agency’s staff;
- Clearly state that information requested in order to provide a quote or policy revision will not be shared without the applicant’s permission;
- Clearly state via a disclaimer that information provided on the website is not a guarantee that insurance can or will be provided, or that the agency is obligated to procure insurance for website visitors;
- Include a Privacy Statement, and encrypt any and all pages which collect personally identifiable information provided by a customer or prospect, including online quote forms;
- Request and obtain written consent from carriers if you use their name and/or logo on your website.
- State that the agency does things or provides services it doesn’t do or provide;
- Include language that expressly states, or can be interpreted to suggest, that any claim will be fully covered;
- Include language such as “exceptionally skilled,” “expert,” “specialist” or “partner” to describe the agency and/or its staff, or language such as “fully covered” or “guarantee” to describe the product;
- Include language promising absolutes, such as “addressing all of your coverage needs,” “constantly reviewing” or “immediate response time”;
- Utilize a quote mechanism, and then fail to respond in a timely manner;
- Utilize open text boxes for customers and prospects to type messages, unless the information is adequately encrypted;
- Launch a website without carefully reviewing its content. Many template agency websites or web designers likely won’t consider or be aware of E&O ramifications specific to an insurance agency. It might not hurt to also contact your E&O carrier and request their input as well.