Through Privacy Compliance Central, you can obtain information on both federal and state-specific rules that require action by insurance professionals to ensure proper compliance. Please be sure to consult the resources applicable to your state and contact PIA’s Industry Resource Center if you need further information. Compliance isn’t always easy, but it can be done!
Contents
General
Protect your agency from being a victim of recent ransomware WannaCry attack
More than 200,000 computers in 150 countries have been affected by the WannaCry ransomware attack. The U.S. Department of Homeland Security defines ransomware as “a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” WannaCry differs from most ransomware in that it spreads on its own between Windows machines over the SMB file-sharing protocol, using a vulnerability Microsoft patched in March 2017 (security bulletin MS17-010); nobody has to click anything for an unpatched machine on the same network to be infected. Protect your agency by applying the latest Microsoft patches to every system (and disabling the legacy SMBv1 protocol where it is not needed); keeping backups that are stored offline or otherwise disconnected, so the ransomware cannot encrypt them as well; and not downloading or opening unfamiliar links or files. For more information, see the Microsoft Malware Protection Center or the DHS statement on ongoing ransomware attacks.
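The following PowerShell check is added here as an illustration; it is not PIA or Microsoft material. Run on a Windows machine, it reports whether the legacy SMBv1 protocol is still enabled on the server side and whether one of the March 2017 MS17-010 updates is installed. The cmdlets are standard Windows PowerShell; the two KB numbers are the Windows 7 / Server 2008 R2 security-only and monthly-rollup packages and are an assumption you should confirm against Microsoft's MS17-010 bulletin for each Windows version your agency runs.

```powershell
# Added example (not from the original page): check one Windows host for
# the two conditions that let WannaCry spread to it.
#   1. Is SMBv1 still enabled on the server side?
#   2. Is an MS17-010 update installed?
# Run in an elevated (Administrator) PowerShell session.

# Assumption: KB numbers for Windows 7 / Server 2008 R2 (March 2017
# security-only update and monthly rollup). Other Windows versions use
# different KBs; later cumulative rollups also supersede these, so a
# "not found" result means "check manually", not "definitely unpatched".
$ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Fallback for Windows 7 / Server 2008 R2: the registry value the SMB
    # server reads. A missing value means SMB1 is enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Installed {
    param([string[]] $Kbs)
    # Get-HotFix lists installed Windows updates by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Test-Smb1Enabled
$patched = Test-Ms17010Installed -Kbs $ms17010Kbs

"SMBv1 enabled        : $smb1"
"MS17-010 update found: $patched"

if ($smb1 -and -not $patched) {
    Write-Warning 'Exposed: install the current Microsoft updates now, then disable SMBv1.'
}

# Remediation on Windows 8 / Server 2012 and later (uncomment to apply):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Disabling SMBv1 removes the protocol WannaCry used to move between machines; patching fixes the flaw itself. Do both, and confirm first that no legacy device in the office (an old multifunction printer or scanner, for instance) still depends on SMBv1 before turning it off.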
Privacy primer, QS90469
A comprehensive tool kit covering the privacy issues that are crucial for insurance producers and how to comply with the various statutes and regulations that govern them.
Cybersecurity regulation
PIANY has been diligently working on your behalf regarding this issue and will continue to assist members in complying with this new regulation.
PIA step-by-step analysis of the proposed cyber security changes (7/23)
Final second amendment to Regulation 23 NYCRR 500 (links to actual regulation) (10/23)
DFS frequently asked questions regarding 23 NYCRR Part 500 (select Cybersecurity FAQs from the menu at the left)
NYDFS form: Notice of exemption (online secure portal)
Cybersecurity Ask PIA documents
Ask PIA 310411—Cybersecurity regulation—risk assessment
Ask PIA 310412—Cybersecurity regulation—no agency management system
Ask PIA 310415—Cybersecurity regulation—who is subject?
Ask PIA 310416—Cybersecurity regulation—limited exemption
Ask PIA 310417—Cybersecurity regulation—compliance with limited exemption
Ask PIA 310419—Cybersecurity regulation—where to start
Ask PIA 310420—Cybersecurity regulation—noncompliance penalty
Ask PIA 310421—Cybersecurity regulation—notices
Ask PIA 310422—Cybersecurity regulation—covered entity
Ask PIA 310424—Cybersecurity regulation—multi-factor authentication
Ask PIA 310429—Cybersecurity regulation—third-party service providers
Ask PIA 310434—Cybersecurity regulation—reportable events
Ask PIA 310435—Cybersecurity regulation—encryption
Ask PIA 310436—Cybersecurity regulation—submitting limited exemption
Ask PIA 310437—Cybersecurity regulation—limited exemption form required for employees?
Ask PIA 310463—Cybersecurity regulation—what am I exempt from?
Ask PIA 310474—Cybersecurity regulation—retired licensee
Ask PIA 310481—Cybersecurity regulation—1099 independent contractor
Ask PIA 310482—Notification of data breach
Cybersecurity QuickSource documents
QS31400—New York cybersecurity regulation compliance checklist
QS90970—Establishing your data-retention policy
QS90982—Creating a third-party service provider security policy—how to comply with Section 500.11 of New York’s cyber security regulation
QS28039—New Hampshire record retention requirements
QS29185—New Jersey rules on management of funds and recordkeeping
QS31027—New York state’s insurance record retention requirements/electronic recordkeeping
Third-party provider security policy
Connecticut cyber security requirements
Connecticut cyber incident reporting—a guide for CT partners
CID Bulletin IC-25: Information security incidents
The Break
The Break: New York Cybersecurity Compliance
The Break: New York Cybersecurity Certification of Compliance
Winning@Cybersecurity Defense
PIA National Winning@Cybersecurity Defense
Cyber insurance/cyberliability
QS90630—Cyber insurance
QS90785—TRIA: age of cyberliability
Ask PIA 900285-00—Cyberbullying
Ask PIA 900255-00—Cyberliability coverage defined
Surveys—privacy tools
Privacy survey
A short questionnaire to help you ensure you’re meeting all your privacy obligations.
Risk assessment survey
A tool to help you develop an appropriate written information security program.
Red Flag Rules
QS90588—Do the red flag rules affect me?
An overview of what the Red Flag Rules are and what producers need to know to comply with them.
Gramm-Leach-Bliley Act
Federal Trade Commission Privacy Initiatives
The Federal Trade Commission Privacy Initiatives website contains links to the text of the Gramm-Leach-Bliley Act and other privacy-related information.
Privacy notices
Below are links to the appropriate state statutes and regulations that govern privacy notices.
Written information security programs
Below are links to the appropriate state regulations that govern an agency’s internal information security program.
QS90347—How to develop your information security program
A multi-state resource kit discussing agent/broker requirements to maintain a comprehensive written information security program as evidence of their compliance with the Gramm-Leach-Bliley Act.
Health Insurance Portability and Accountability Act
United States Department of Health & Human Services Office of Civil Rights
Offers links to the Health Insurance Portability and Accountability Act statute, rules and additional information.
QS90320—What insurance producers need to know about HIPAA
A comprehensive resource kit that explains the Health Insurance Portability and Accountability Act and its impact on producers.
Fair Credit Reporting Act and Driver’s Privacy Protection Act
Insurance scoring resource kits
The following state-specific resource kits offer an overview of insurance scoring and how insurers may lawfully use it in underwriting decisions, as well as how to comply with the related documentation and privacy requirements.
Fair Credit Reporting Act
Complete text of the Fair Credit Reporting Act.
Driver’s Privacy Protection Act
Complete text of the Driver’s Privacy Protection Act.
Sharing MVRs with commercial clients
QS90989—Sharing MVRs with commercial clients
Fair and Accurate Credit Transactions Act
Fair and Accurate Credit Transactions Act
QS90347—How to develop your information security program
A multi-state resource kit discussing agent/broker requirements to maintain a comprehensive written information security program of their own as evidence of their compliance with the Gramm-Leach-Bliley Act.
Security Freezes and Breaches
QS90559—Security breaches and the agent’s responsibility
QS06096—Connecticut security freeze and security breach law
QS29198—New Jersey Identity Theft Prevention Act
A comprehensive summary of the New Jersey Identity Theft Prevention Act including security breaches and freezes, document destruction and use of Social Security numbers.
QS31364—Summary of the New York Information Security Breach and Notification Act
Summarizes the requirements, which went into effect Dec. 7, 2006, that businesses and state agencies notify consumers of a security breach affecting their electronic databases.
Do-not-call rules
QS90340—Federal and state do-not-call rules: a guide for PIA members
Provides specific advice about individual legal, business or other questions relating to do-not-call rules.
Miscellaneous
QS90462—Workplace privacy: strategies for employers
Considerations for employers faced with the challenge of obtaining necessary information from employees, while protecting employees’ privacy rights.
QS31246—New York State Social Security Number Protection Act
On Jan. 1, 2008, Section 399-dd of the General Business Law took effect. Also known as the Social Security Number Protection Act, Section 399-dd contains a number of requirements on how businesses and individuals collect, transmit and use a person’s Social Security number, or a number derived from a Social Security number.