What Rights Do Customers Have to Information in Agency Files?

The above question was recently asked of me by a caller to the Free Legal Service program that I run for the members of the Independent Insurance Agents of Georgia.  In particular, the caller wanted to know if they could refuse to provide loss runs to a former customer whose policy had been cancelled for non-payment of premium.  This customer owed the agency money, and the caller wanted to condition delivery of the loss runs on payment of the money owed.

The short answer to the question depends on two things.  First, whether the information sought by the customer is related to a commercial or personal lines policy and second, if related to a personal lines policy, what type of information is being sought.  As you might suspect from the short answer, there is no law or regulation applicable to Georgia agents or agencies that requires them to provide a commercial lines customer with information or documents maintained by them about that customer or the policies issued to that customer.  Such information and documents belong to the agent or agency, and they can control the circumstances under which their commercial lines customers can have access to their files.  Of course, such a customer can always go to the insurance company that issued the policy in question and ask for information about it from the company.

If the customer is asking to have access to information and documents related to a personal lines policy, under Georgia law, they have a right to be given access to certain kinds of information about them that is kept in an agent or agency’s files.  This right is found in the same law that governs the giving of notices to customers about the information gathering and privacy policies of agents and agencies (click here for a post about that law).  Under it, a personal lines customer has the right to request access to “recorded personal information” about the customer in an agent or agency’s files.

The request must be made in writing and “reasonably describe” the information the customer wants to review.  If that information is “reasonably locatable and retrievable”, the agent or agency must do several things within 30 days after receiving the customer’s request.  One of those things is permit the customer to “see and copy, in person” the information requested or have a copy of that information mailed to the customer, whichever the customer wants.

The information that a personal lines customer has the right to “see and copy, in person” or obtain by mail is “any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics.”  This right even extends to persons who only submitted an application for insurance and never obtained a policy from the agent or agency.  There is an exception for “privileged information”, which is any information the relates to a claim for insurance benefits or a civil or criminal proceeding involving the customer that was “collected in connection with or in reasonable anticipation” of such a claim or proceeding.

If the caller to the Free Legal Service Program had been asking about the claims history of a personal lines customer, the answer to the above question would have been completely different from the one I gave that caller.

 

Has Your Website Been Hacked?

Mine has.  Some of my readers may have noticed that I have not posed anything for the past couple of weeks.  That is because I discovered about 10 days ago that this website had been hacked.  Anyone who clicked on a search result for it was being redirected to an online gambling website.  It is somewhat ironic that my last post before this discovery was about cyber security and the important role an agency’s employees play in protecting it from a data breach.

Unfortunately, I have no one to blame but myself for what happened to this website, but fortunately, there was no data breach as a result, just some embarrassment.  My mistakes were those of the kind I have been warning about in my cyber security posts.  I did not keep the software running my website, WordPress, or its plug-ins up to date and I did not monitor it for possible problems, by occasionally checking to make sure it could be found correctly using the various web search engines.

I also did not know that there is another way to access my website besides the way I do when I want to make a post or change something on it.  It is something called FTP access, which is what is used by programmers to change the code that runs the website.  I thought I was doing great by having a difficult to crack password (letters, numbers, & special characters) for my entry to the website, but failed to realize there was another way to access it.  That access point is apparently the way someone found to add code to my website that would result in people looking for it using search engines to end up at an online gambling website instead.

Please don’t get lazy like I did.  The consequences of doing so could be far greater than they were for me.  Keep the software running your agency’s website, as well as any of its special functions, up to date, and regularly check whether it can be found using the various web search engines.  Also, find out who has FTP access to your website and limit it to just one account for the people who are responsible for maintaining it.  Doing so will avoid some embarrassment, and potentially much more severe consequences.