Privacy Notices May Still Be Required Under Georgia Law

In early December, I wrote a post about a change made to the Gramm-Leach-Bliley Act (the “GLBA”) by Congress at the end of 2015, which created an exemption under that Act from its requirement that notices of an insurance agency’s data sharing and privacy policies be given to its customers on an annual basis.  In preparing for a recent presentation to a group of insurance agents on this subject, I realized that, while my earlier post was correct, it did not take into account the fact that Georgia has a statute that took effect in 1982 that also governs the giving of such notices by insurance agents and companies.  Its provisions were not affected by the change made to the GLBA, and they impose notice requirements that are different from those found in the GLBA.

The Georgia data sharing and privacy policy statute is found in Chapter 39 of Title 33 of the Georgia code.  As with the GLBA, the Georgia statute requires the giving of a data sharing and privacy policy notice to customers and potential customers at the beginning of the relationship, but it does not impose an annual requirement for the giving of such notices thereafter.  Instead, such notices must be given “no later than the policy renewal date” and “no later than the time a request for a policy reinstatement or change in insurance benefits is received” by the agent, with some exceptions.  In both situations, no notice need be given if personal information about the policyholder in connection with the renewal, reinstatement, or change in benefits is obtained only from the policyholder or from public records.  In the case of a policy renewal, no notice need be given if a notice meeting the requirements of the statute was given to the policyholder within the prior 24 months, even if information about the policyholder is obtained from other sources.

Thus, it appears that for customers who have policy renewals, a notice meeting the requirements of the Georgia statute must be given to such customers at least every 24 months, unless information about the policyholder in connection with every renewal during that 24 month period is obtained only from the policyholder or public records.  Fortunately, as with the GLBA, the notice requirement only applies to products and services that are “primarily for personal, family, or household needs”, i.e., personal lines property and casualty and individual life, health, or disability insurance applicants and customers.  In determining whether a particular renewal customer has to be given a privacy notice, it is important to remember that any previous notice given to such customer must satisfy the requirements of Georgia law, which are not the same as the notice requirements under the GLBA.  Georgia law requires that more information be included in such a notice, including a description of the recipient’s right to submit a written request to the agent for access to their personal information collected by the agent, their right to request that corrections be made to such information, and the way these rights may be exercised.

When I asked my audience how many of their agencies had been giving privacy notices to their customers, only a couple of hands went up.  Apparently, many of them assumed that this requirement was being satisfied by the insurance company.  That is possible under Georgia law if the insurance company is “authorized to act on” behalf of the agency, but it is possible under the GLBA only for entities that are affiliated with each other, i.e., under common ownership or control.

It would be a good idea for all Georgia insurance agents to check their agency agreements to see if those agreements authorize the insurance company to provide the privacy notices required by Georgia law on their behalf.  If not, such a provision should be added or the agency should be prepared to comply with that law, because the Insurance Commissioner has the authority to impose up to a $500 fine for each “knowing violation” of the law (i.e., for each privacy notice that was not sent or did not contain the required information) with a maximum penalty of $10,000.00.


Cyber Security and Agency Agreements

About this time last year I wrote a couple of posts on the perils and opportunities presented to insurance agencies by the increased hacking of computer systems that was taking place.  Since then, things have only gotten worse, with perhaps the most high-profile hacking being that of the Democratic National Committee, the repercussions of which are still unfolding.

If the prospect of paying significant sums of money or facing regulatory actions for the failure to properly protect an agency’s customers’ private data is not enough incentive, the contents of an agency’s agreements with its insurance carriers provide even more incentive to take action.  Two insurance consultants have prepared a white paper that explains in detail the obligations imposed on most agencies in the area of data protection by their agreements with their insurance carriers.

If an agency’s owners haven’t reviewed those agreements in a while, now is the time to do so.  The consultants’ review of over 100 different agency/carrier agreements revealed that almost all of them contained language that requires the agency to comply with all applicable laws and regulations regarding the protection of the private data of their customers.  Such laws and regulations include the Gramm-Leach-Bliley Act (“GLBA”), which imposes privacy notice requirements on all insurance agencies, and the Health Insurance Technology for Economic and Clinical Health Act (“HITECH”), which imposes specific data protection requirements on any insurance agency that sells life, health, or disability insurance.  These are two of the more than 30 federal laws and regulations that address data privacy.  In addition, 47 states have enacted laws and regulations that impose data privacy and notice obligations on companies that have suffered a data breach.  An agency must be aware of these laws in each state in which its customers are located and be able to comply with their requirements with respect to those customers.

In addition to requiring compliance with all applicable laws and regulations, agency/carrier agreements require that the agency indemnify the carrier against any liability it may incur due to the failure of the agency to satisfy the requirements of those laws.  Thus, an agency will not only have to pay its costs in dealing with a data breach, it will have to pay any costs incurred by the affected carrier or carriers due to such a breach.  Since this obligation is a contractual one, an agency’s E&O and general liability insurance will not cover these costs.  Hence, the need for cyber insurance coverage, if an agency wants to survive a data breach.

For those agencies that want to know where they stand with their data protection policies and practices, NetGen Consulting has a survey that can be taken to show if and where extra work is required.  For those agencies who may not have done much yet in this area, the Center for Internet Security has developed a Critical Security Controls document and associated working aids to get you started on the development of good data protection policies and practices.

Given the ever increasing threat posed by hackers, the costs involved in a data breach, and the indemnity obligations imposed on agencies by their insurance carrier agreements, I don’t think it’s an overstatement to say that good data protection policies and practices, along with a good cyber insurance policy, are essential to the survival of an agency in today’s world.

Must An Agency Pay Its Employees If Its Offices Are Closed? (Corrected)

I have discovered that my post earlier this week on the above topic contained some incorrect information about the payment of exempt employees when an agency’s offices are closed.  Please see the corrected post below.  I regret the misinformation and hope that it did not cause anyone any problems.

Although most of the metro Atlanta area escaped the snow predicted for last weekend and, thankfully, the icy conditions we did experience were not as bad as they could have been, I thought it a good time to make my annual post on the above question.  Some areas of North Georgia did get some significant snow, and the school systems of many counties are still closed due to icy road conditions.  That creates some difficult child care decisions for employees of agencies in those areas: stay home with the kids, or find someone to watch them so mom or dad can go to work.

As noted in my past posts on this topic, the answer to the above question depends for the most part on whether an employee is classified as an exempt or nonexempt employee for purposes of the Fair Labor Standards Act.  An exempt employee is one who does not have to be paid extra if they work more than 40 hours in any one work week.   A nonexempt employee is one that must be paid at a higher rate for any time worked in excess of 40 hours in any one work week.  I have addressed how to decide whether a particular employee is a nonexempt or exempt employee in posts last year about the proposed new overtime rule that has now been stayed.  Even though the new rule was stayed, it is still essential for classification as an exempt employee that the employee be paid on a salary basis in an amount that equals at least $455.00 per week.  Payment on a salary basis means the amount of an employee’s pay cannot be reduced based on the quality or quantity of the work performed by the employee during any one work week. The other requirements that must be met to be an exempt employee are explained in my earlier posts.  Nonexempt employees must be paid at least the minimum wage, but only for the time they actually perform services on behalf of the employer.

Thus, if an agency’s offices are closed for any reason and a nonexempt employee does not perform any services for the agency from home, such an employee need not be paid for the time period the offices are closed.  The same rule applies if the agency’s offices are open and a nonexempt employee does not come in or do any work from home.  This is true regardless of whether the nonexempt employee is being paid a salary or on an hourly basis by the agency. As noted above, if a nonexempt employee performs any work from home on a day when the agency’s offices are closed, they must be paid for the time they actually worked.

Whether an exempt employee’s salary may be reduced depends on whether the agency’s offices were open or, if closed, how long they remained closed.  An exempt employee’s salary may only be reduced if the agency’s offices are open, but the exempt employee does not come in for any reason other than sickness and does not do any work from home.  Therefore, if an exempt employee decides to stay home to take care of children who are not in school, or due to severe weather decides they just can’t get to work, their next paycheck may be reduced by an amount equal to the number of full days they did not perform any services for the agency, if the agency’s offices were open for business during that time period.  If the agency’s offices were closed for less than a full workweek and an exempt employee performs any work during that workweek, whether in the office or from home, they are entitled to be paid their full salary for that week.  But the agency can require such an employee to use any accrued vacation or other leave time for the time when its offices were closed.  The key is that an exempt employee must be paid their full salary for any week during which they performed any work, no matter how little.

Do You Know What a QSEHRA Is?

If you don’t know the answer to the above question, you should for it can be a benefit to both your agency and your small commercial lines customers.  QSEHRA stands for “Qualified Small Employer Health Reimbursement Arrangements”, which were created by the 21st Century Cures Act that was signed by President Obama just over three weeks ago.  Many of you may be familiar with Health Reimbursement Accounts (“HRA”), which permitted employers to give money tax-free to their employees for use in paying health care related expenses, including, but not limited to, premiums for health insurance.  Unlike Section 125 flexible spending accounts, any money left over in a HRA at the end of the year could be rolled over for use in later years.

Before the Affordable Care Act (“ACA”) was passed, HRAs were popular with employers who could not afford to provide group health insurance coverage to their employees, but wanted to offer some help with the payment of medical expenses.  With the passage of the ACA, contributions to a HRA could no longer be used to pay for health insurance premiums and the rules regarding for what such contributions could be used became so complex that HRAs fell out of favor.

Under the new law, HRAs that allow for the use of funds contributed to them to pay for health insurance premiums and other health care related expenses of employees are now permitted for some employers, with added restrictions.  The first part of QSEHRA tells you who those employers are: Qualified Small Employers.  These are employers who are not subject to the mandates of the ACA (i.e., those with fewer than 50 full-time equivalent employees) and who do not offer group health insurance coverage to their employees.  As with HRAs, the employer must fund an account on the same terms and conditions for each eligible employee (anyone who has been employed for at least 90 days).  Also, like HRAs, if the funds are used for covered health care related expenses, they are tax free to the employee, but now only if the employee has minimum essential health insurance coverage as defined by the ACA.  If not, any amounts paid out of the QSEHRA are taxable income to the employee.

Each employee must be given an annual notice informing them of the above fact and that if the employee applies for health insurance coverage on a federal or state exchange, they must disclose the amount of the benefit available to them under the QSEHRA, which amount will reduce the amount of any premium tax credit for which the employee may be eligible.  The annual notice must also state the amount of money the employer will make available for the employee’s use.  That amount is capped at $4,950 a year for the employee, but can go up to $10,000 if the employee can use the funds to pay for health care related expenses for family members.  These caps are subject to annual increases if the cost of living index used increases. (Click here for the presentation slides of a webinar that contain more detailed information on QSEHRAs.)

Many of you may be wondering why you should explore setting up a QSEHRA program if the ACA is going to be repealed by the incoming Congress.  That will most likely happen, but no one knows when that repeal will actually be effective and what parts of the ACA will be affected by it.  In the meantime, the existence of such a benefit would be helpful in keeping current employees and attracting qualified new ones.  Whenever ACA repeal actually occurs, an employer who has set up a QSEHRA program should be able to easily convert it to a pre-ACA HRA, as the requirements for the former are more restrictive than for the latter.