Role of Employees in Cyber Security

The last presentation at the recent YAC Sales & Leadership Conference was on cyber security and it included a demonstration of just how vulnerable an insurance agency or any other business can be to a cyber attack.  One of the agents at the conference agreed to allow his agency to be the subject of a cyber attack by the presenters.

This attack did not involve a sophisticated attempt to penetrate the agency’s servers via their connection to the internet, as is seen most often in the movies and on TV.  Instead, the presenters sent e-mails from what appeared to be the agent’s e-mail address to 15 or so employees of the agency.  The e-mail contained only publicly available information about the agent and the agency.  It also contained a link that asked the recipient to provide certain information, which if provided would have allowed a true hacker to access all the information on the agency’s computer system.  That link could have just as easily installed malware on the agency’s computer system with the same result.

Even though the e-mail was sent late at night and contained many typos, two of its recipients clicked on the link and one provided the information necessary to allow a hacker to gain access to the agency’s computer system.  This result is consistent with the fact that the majority of successful cyber attacks on businesses involve employees doing something they should not have done.  It also emphasizes the fact that cyber security is not just limited to having firewalls and detection software installed on an agency’s servers and desktops.  While important to do, it is even more important for an agency to train its employees on what not to do when receiving and responding to e-mails during the course of the work day.

Such training should cover the warning signs in the e-mails they receive that may indicate the e-mails are really from hackers trying to gain access to the agency’s computer system.  Two of those signs were present in the e-mails sent to the above agent’s employees: they were sent late at night and contained many typos.  Mismatched URLs (the visible link text names one site while the link actually points to another) and misleading domain names (a look-alike of the agency’s own domain) are two other such signs (click here for a list of ten such signs.)
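Two of the signs named above can also be checked mechanically before a person ever has to judge the message: a sender whose apparent address does not match where replies or bounces actually go, and a link whose visible text names one site while its real target is another. The script below is an added example, not code from the original post or from the conference presenters. The message it inspects and every domain in it (example-agency.com and the rest) are constructed for illustration, and the "lookalike" test is a simple substring heuristic, not a full analysis.

```python
"""Flag two phishing warning signs in a raw e-mail: sender/reply-path domain
mismatches and links whose shown text points at a different host than the
real href (a "mismatched URL"). Added example with constructed sample data."""
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the From header impersonates the
# agent, but Reply-To and Return-Path belong to other domains, and the link
# text shows the agency's portal while the href goes to a look-alike domain.
SAMPLE_EMAIL = """\
From: "Jane Agent" <jane@example-agency.com>
Reply-To: jane@example-agency-login.com
Return-Path: <bounce@mailer-example.net>
To: staff@example-agency.com
Subject: Urgent: confrim your portal password
Content-Type: text/html

<html><body>
<p>Please confrim your password at
<a href="http://example-agency-login.com/verify">https://portal.example-agency.com</a>
before morning.</p>
</body></html>
"""

# Constructed benign message for comparison: headers agree and the link is honest.
CLEAN_EMAIL = """\
From: "Jane Agent" <jane@example-agency.com>
Reply-To: jane@example-agency.com
To: staff@example-agency.com
Subject: Renewal reminder
Content-Type: text/html

<html><body><p>See <a href="https://portal.example-agency.com/renewals">https://portal.example-agency.com/renewals</a></p></body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of_address(addr):
    """Lower-cased domain part of an address header value, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else None

def host_of(text):
    """Host of a URL or bare domain; None if the text does not look like one."""
    text = (text or "").strip()
    if not re.fullmatch(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?", text):
        return None
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None

def is_lookalike(host, trusted):
    """Heuristic: host is neither the trusted domain nor a subdomain of it, yet
    embeds its name (e.g. example-agency-login.com, example-agency.com.evil.net)."""
    if not host or not trusted or host == trusted or host.endswith("." + trusted):
        return False
    return trusted.rsplit(".", 1)[0] in host

def analyze(raw):
    """Return a list of (kind, detail) warnings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    warnings = []
    from_dom = domain_of_address(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of_address(msg[hdr])
        if other and other != from_dom:
            warnings.append(("header_mismatch", f"{hdr} domain {other} differs from From domain {from_dom}"))
        if is_lookalike(other, from_dom):
            warnings.append(("lookalike_domain", f"{hdr} uses look-alike domain {other}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            real, shown = host_of(href), host_of(text)
            if shown and real and shown != real:
                warnings.append(("url_mismatch", f"link text shows {shown} but points to {real}"))
            if is_lookalike(real, from_dom):
                warnings.append(("lookalike_domain", f"link target uses look-alike domain {real}"))
    return warnings

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

Run against the constructed sample, the script reports the Reply-To and Return-Path domains that do not match the From domain, the link whose text shows portal.example-agency.com but actually points to example-agency-login.com, and that the latter is a look-alike of the agency's domain; the benign message produces no warnings. Checks like these belong in the mail gateway so that the obvious cases never reach an employee, but they do not replace training, since a carefully crafted message can pass all of them.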

The damage that can be done by a hacker who has gained access to an agency’s computer system is limited only by the imagination of the hacker.  Click here for an example of how the information in that system can be used to create fake e-mails to the agency’s customers that ask for money to be sent to a fake bank account.  Click here for an interesting video from Hewlett-Packard that explains how printing a coupon sent to an employee by a hacker can result in the hacker gaining access to a business’ computer system.

It’s not enough to protect an agency’s computer system with firewalls and detection software.  Its employees must also be trained to spot phishing e-mails, and that training must be ongoing to keep up with the latest versions of such e-mails.

Payment of Referral Fees – Additional Considerations

In October of last year, I wrote a post that summarized my opinion on the question of when and how an insurance agent may pay a fee to an unlicensed person for the referral of a potential customer to the agent by that person.  That post was written from the perspective of whether and when the Georgia Insurance Code would permit the payment of such fees.  It did not take into consideration any other laws or regulations that may be applicable to the person to whom the referral fee was to be paid.

A recent call to the Free Legal Service program that I run for the members of the Independent Insurance Agents of Georgia made me think about such other laws and regulations.  The caller mentioned that an agent he knew had been told that it was illegal to pay a referral fee to a real estate agent or mortgage broker under the Real Estate Settlement Procedures Act (“RESPA”).   That Act prohibits both the payment and the acceptance of “any fee, kickback, or thing of value” in connection with “business incident to or a part of a real estate settlement service involving a federally related mortgage loan.”  The criminal penalty for the violation of this prohibition is a fine of up to $10,000 and up to one year in prison, and the civil penalty is payment of three times the amount charged the borrower for the settlement service in question, plus attorney fees and other costs of litigation.  Both the payer and the recipient of a prohibited referral fee are subject to these penalties.

The RESPA prohibition on fees, kickbacks, and things of value applies only to residential mortgage loans for real property designed principally for “the occupancy of from one to four families.”  It also applies only to services that are “incident to or a part of” the settlement of such loans.  The statute refers specifically to title insurance and services performed by real estate agents or brokers as being covered by this prohibition.  Nothing is said in the statute or regulations about the provision of property and casualty or any other kind of insurance to the borrower of a covered loan.

However, if the existence of such other insurance coverage is required by the lender of a covered loan in order for the loan to be “settled”, a good argument can be made that the provision of such insurance is “incident to or a part of” the settlement of the loan.  If a charge for the cost of such insurance is included on the settlement statement for the loan, this good argument becomes a convincing argument.  For an agent who is considering paying a referral fee to real estate agents, mortgage brokers, or lenders for the names of home buyers who may need property and casualty or other insurance coverages to obtain a loan, it would be a good investment to pay an attorney for a legal opinion on whether the payment of such a fee is prohibited under RESPA.

For a referral fee arrangement with any other person, it would be a good idea to ask that person if their activities are subject to any laws or regulations that may prohibit the payment of such fees.  As the above makes clear, just because it may be legal under the Georgia Insurance Code to pay a referral fee does not mean it’s permissible under all other laws and regulations.

Privacy Notices May Still Be Required Under Georgia Law

In early December, I wrote a post about a change made to the Gramm-Leach-Bliley Act (the “GLBA”) by Congress at the end of 2015, which created an exemption under that Act from its requirement that notices of an insurance agency’s data sharing and privacy policies be given to its customers on an annual basis.  In preparing for a recent presentation to a group of insurance agents on this subject, I realized that, while my earlier post was correct, it did not take into account the fact that Georgia has a statute that took effect in 1982 that also governs the giving of such notices by insurance agents and companies.  Its provisions were not affected by the change made to the GLBA, and they impose notice requirements that are different from those found in the GLBA.

The Georgia data sharing and privacy policy statute is found in Chapter 39 of Title 33 of the Georgia code.  As with the GLBA, the Georgia statute requires the giving of a data sharing and privacy policy notice to customers and potential customers at the beginning of the relationship, but it does not impose an annual requirement for the giving of such notices thereafter.  Instead, such notices must be given “no later than the policy renewal date” and “no later than the time a request for a policy reinstatement or change in insurance benefits is received” by the agent, with some exceptions.  In both situations, no notice need be given if personal information about the policyholder in connection with the renewal, reinstatement, or change in benefits is obtained only from the policyholder or from public records.  In the case of a policy renewal, no notice need be given if a notice meeting the requirements of the statute was given to the policyholder within the prior 24 months, even if information about the policyholder is obtained from other sources.

Thus, it appears that for customers who have policy renewals, a notice meeting the requirements of the Georgia statute must be given to such customers at least every 24 months, unless information about the policyholder in connection with every renewal during that 24 month period is obtained only from the policyholder or public records.  Fortunately, as with the GLBA, the notice requirement only applies to products and services that are “primarily for personal, family, or household needs”, i.e., personal lines property and casualty and individual life, health, or disability insurance applicants and customers.  In determining whether a particular renewal customer does or does not have to be given a privacy notice, it is important to remember that any previous notice given such customer must satisfy the requirements of Georgia law, which are not the same as the notice requirements under the GLBA.  Georgia law requires that more information be included in such a notice, including a description of the recipient’s right to submit a written request to the agent for access to their personal information collected by the agent and their right to request that corrections be made to such information, and the way these rights may be exercised.

When I asked my audience how many of their agencies had been giving privacy notices to their customers, only a couple of hands went up.  Apparently, many of them assumed that this requirement was being satisfied by the insurance company.  That is possible under Georgia law if the insurance company is “authorized to act on” behalf of the agency, but it is possible under the GLBA only for entities that are affiliated with each other, i.e., under common ownership or control.

It would be a good idea for all Georgia insurance agents to check their agency agreements to see if those agreements authorize the insurance company to provide the privacy notices required by Georgia law on their behalf.  If not, such a provision should be added or the agency should be prepared to comply with that law, because the Insurance Commissioner has the authority to impose up to a $500 fine for each “knowing violation” of the law (i.e., for each privacy notice that was not sent or did not contain the required information) with a maximum penalty of $10,000.00.

Cyber Security and Agency Agreements

About this time last year I wrote a couple of posts on the perils and opportunities presented to insurance agencies by the increased hacking of computer systems that was taking place.  Since then, things have only gotten worse, with perhaps the most high-profile hacking being that of the Democratic National Committee, the repercussions of which are still unfolding.

If the prospect of paying significant sums of money or facing regulatory actions for the failure to properly protect an agency’s customers’ private data is not enough incentive, the contents of an agency’s agreements with its insurance carriers provide even more incentive to take action.  Two insurance consultants have prepared a white paper that explains in detail the obligations imposed on most agencies in the area of data protection by their agreements with their insurance carriers.

If an agency’s owners haven’t reviewed those agreements in a while, now is the time to do so.  The consultants’ review of over 100 different agency/carrier agreements revealed that almost all of them contained language that requires the agency to comply with all applicable laws and regulations regarding the protection of the private data of their customers.  Such laws and regulations include the Gramm-Leach-Bliley Act (“GLBA”), which imposes privacy notice requirements on all insurance agencies, and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which imposes specific data protection requirements on any insurance agency that sells life, health, or disability insurance.  These are two of the more than 30 federal laws and regulations that address data privacy.  In addition, 47 states have enacted laws and regulations that impose data privacy and notice obligations on companies that have suffered a data breach.  An agency must be aware of these laws in each state in which its customers are located and be able to comply with their requirements with respect to those customers.

In addition to requiring compliance with all applicable laws and regulations, agency/carrier agreements require that the agency indemnify the carrier against any liability it may incur due to the failure of the agency to satisfy the requirements of those laws.  Thus, an agency will not only have to pay its costs in dealing with a data breach, it will have to pay any costs incurred by the affected carrier or carriers due to such a breach.  Since this obligation is a contractual one, an agency’s E&O and general liability insurance will not cover these costs.  Hence, the need for cyber insurance coverage, if an agency wants to survive a data breach.

For those agencies that want to know where they stand with their data protection policies and practices, NetGen Consulting has a survey that can be taken to show if and where extra work is required.  For those agencies who may not have done much yet in this area, the Center for Internet Security has developed a Critical Security Controls document and associated working aids to get you started on the development of good data protection policies and practices.

Given the ever increasing threat posed by hackers, the costs involved in a data breach, and the indemnity obligations imposed on agencies by their insurance carrier agreements, I don’t think it’s an overstatement to say that good data protection policies and practices, along with a good cyber insurance policy, are essential to the survival of an agency in today’s world.

Must An Agency Pay Its Employees If Its Offices are Closed?-Corrected

I have discovered that my post earlier this week on the above topic contained some incorrect information about the payment of exempt employees when an agency’s offices are closed.  Please see the corrected post below.  I regret the misinformation and hope that it did not cause anyone any problems.

Although most of the metro Atlanta area escaped the snow predicted for last weekend and thankfully, the icy conditions we did experience were not as bad as they could have been, I thought it a good time to make my annual post on the above question.  Some areas of North Georgia did get some significant snow and the school systems of many counties are still closed due to icy road conditions.  That creates some difficult child care decisions for employees of agencies in those areas; stay home with the kids or find someone to watch them so mom or dad can go to work.

As noted in my past posts on this topic, the answer to the above question depends for the most part on whether an employee is classified as an exempt or nonexempt employee for purposes of the Fair Labor Standards Act.  An exempt employee is one who does not have to be paid extra if they work more than 40 hours in any one work week.   A nonexempt employee is one that must be paid at a higher rate for any time worked in excess of 40 hours in any one work week.  I have addressed how to decide whether a particular employee is a nonexempt or exempt employee in posts last year about the proposed new overtime rule that has now been stayed.  Even though the new rule was stayed, it is still essential for classification as an exempt employee that the employee be paid on a salary basis in an amount that equals at least $455.00 per week.  Payment on a salary basis means the amount of an employee’s pay cannot be reduced based on the quality or quantity of the work performed by the employee during any one work week. The other requirements that must be met to be an exempt employee are explained in my earlier posts.  Nonexempt employees must be paid at least the minimum wage, but only for the time they actually perform services on behalf of the employer.

Thus, if an agency’s offices are closed for any reason and a nonexempt employee does not perform any services for the agency from home, such an employee need not be paid for the time period the offices are closed.  The same rule applies if the agency’s offices are open and a nonexempt employee does not come in or do any work from home.  This is true regardless of whether the nonexempt employee is being paid a salary or on an hourly basis by the agency. As noted above, if a nonexempt employee performs any work from home on a day when the agency’s offices are closed, they must be paid for the time they actually worked.

Whether an exempt employee’s salary may be reduced depends on whether the agency’s offices were open and, if they were closed, for how long.  An exempt employee’s salary may be reduced only if the agency’s offices are open but the exempt employee, for any reason other than sickness, does not come in and does not do any work from home.  Therefore, if an exempt employee decides to stay home to take care of children who are not in school, or decides because of severe weather that they just can’t get to work, their next paycheck may be reduced by an amount equal to the number of full days they did not perform any services for the agency, provided the agency’s offices were open for business during that time period.  If the agency’s offices were closed for less than a full workweek and an exempt employee performs any work during that workweek, whether in the office or from home, they are entitled to be paid their full salary for that week.  But the agency can require such an employee to use any accrued vacation or other leave time for the time when its offices were closed.  The key is that an exempt employee must be paid their full salary for any week during which they performed any work, no matter how little.

Do You Know What a QSEHRA Is?

If you don’t know the answer to the above question, you should, for it can be a benefit to both your agency and your small commercial lines customers.  QSEHRA stands for “Qualified Small Employer Health Reimbursement Arrangements”, which were created by the 21st Century Cures Act that was signed by President Obama just over three weeks ago.  Many of you may be familiar with Health Reimbursement Arrangements (“HRA”), which permitted employers to give money tax-free to their employees for use in paying health care related expenses, including, but not limited to, premiums for health insurance.  Unlike Section 125 flexible spending accounts, any money left over in an HRA at the end of the year could be rolled over for use in later years.

Before the Affordable Care Act (“ACA”) was passed, HRAs were popular with employers who could not afford to provide group health insurance coverage to their employees, but wanted to offer some help with the payment of medical expenses.  With the passage of the ACA, contributions to a HRA could no longer be used to pay for health insurance premiums and the rules regarding for what such contributions could be used became so complex that HRAs fell out of favor.

Under the new law, HRAs that allow for the use of funds contributed to them to pay for health insurance premiums and other health care related expenses of employees are now permitted for some employers, with added restrictions.  The first part of QSEHRA tells you who those employers are: Qualified Small Employers.  These are employers who are not subject to the mandates of the ACA (i.e., those with fewer than 50 full-time equivalent employees) and who do not offer group health insurance coverage to their employees.  As with HRAs, the employer must fund an account on the same terms and conditions for each eligible employee (anyone who has been employed for at least 90 days).  Also, like HRAs, if the funds are used for covered health care related expenses, they are tax free to the employee, but now only if the employee has minimum essential health insurance coverage as defined by the ACA.  If not, any amounts paid out of the QSEHRA are taxable income to the employee.

Each employee must be given an annual notice informing them of the above fact and that if the employee applies for health insurance coverage on a federal or state exchange, they must disclose the amount of the benefit available to them under the QSEHRA, which amount will reduce the amount of any premium tax credit for which the employee may be eligible.  The annual notice must also state the amount of money the employer will make available for the employee’s use.  That amount is capped at $4,950 a year for the employee, but can go up to $10,000 if the employee can use the funds to pay for health care related expenses for family members.  These caps are subject to annual increases if the cost of living index used increases. (Click here for the presentation slides of a webinar that contain more detailed information on QSEHRAs.)

Many of you may be thinking why should I explore setting up a QSEHRA program if the ACA is going to be repealed by the incoming Congress.  That will most likely happen, but no one knows when that repeal will actually be effective and what parts of the ACA will be affected by it.  In the meantime, the existence of such a benefit would be helpful in keeping current employees and attracting qualified new ones.  Whenever ACA repeal actually occurs, an employer who has set up a QSEHRA program should be able to easily convert it to a pre-ACA HRA, as the requirements for the former are more restrictive than for the latter.

Do You RTFP?

I first heard about the above acronym when listening to Bill Wilson’s farewell webinar earlier this month.  For those of my readers who don’t know, Mr. Wilson was one of the founders of the IIABA’s Virtual University and has been largely responsible for its growth into one of the premier educational tools for independent insurance agents since its beginning around the turn of the century.  He is retiring from IIABA at the end of this year and for his last webinar, chose to speak about the six worst things to happen in the insurance industry during his almost 50 year involvement with it.  Mr. Wilson has many interesting and thought provoking things to say about that and other subjects in his webinar, which lasts a little over an hour.  For those of you who don’t have the time for that, Mr. Wilson also wrote an article in the current IA Magazine that summarizes his thoughts about the main topic of his webinar.

The acronym RTFP recurs in many of Mr. Wilson’s observations as a cure for the bad things he sees happening in the insurance industry.  They range from the increasing belief that insurance is a commodity to the rise of disruptors who claim to have a better way to provide insurance to what he refers to as the “dumbing down” of the industry.  A response to these trends is to remind the consumer that what they are buying for their premium payment is not what appears on a TV ad or smart phone app, but what is contained in the language of the insurance policy itself.  With respect to the Farmers Insurance TV ad about dogs swimming in a flooded living room that was caused by a pet, Mr. Wilson made the point that after actually reading its basic homeowner’s policy, he could not find anything in the policy that would provide coverage for such an event.

By now, you have probably guessed what RTFP stands for, if you did not already know. Although it could be “Read the Fine Print”, that does not pertain specifically to the insurance industry.  The industry specific meaning is “Read the F***king Policy”, or for those who prefer a less vulgar interpretation, “Read the Freaking Policy.”  By doing so, both an agent and the consumer will realize that every insurance company’s policy is different in some way.  They may well find out that the policies of the so-called disruptors provide much less coverage than those of the established insurance companies.  What better way for an agent to convince a customer to buy a policy through him or her than to point that out and how that lack of coverage can come back to haunt the customer if the unexpected happens.

Discovering the differences in the coverage provided by both the policies that an agent sells and those of his or her competitors is at the heart of providing the “added value” that distinguishes the services of an independent insurance agent.  Providing all the coverage needed by a particular potential customer can only be done if the agent knows what coverages are provided by the policies offered by the companies he or she represents, which requires the agent to RTFP.  Being able to explain why such policies are better than those of a competitor or a disruptor also requires the agent to RTFP of those entities. (For those who would like a reminder of this essential fact, an agent in Missouri sells t-shirts with this logo here.)

BEST WISHES FOR A HAPPY AND PROSPEROUS NEW YEAR FOR ALL MY READERS.

Seasons Greetings (Do You RTFP?)

It’s almost Christmas and my plan to have a post up earlier this week that would not get lost in the holiday rush did not work out.  So, I decided to just say to all my readers BEST WISHES FOR A SAFE AND ENJOYABLE HOLIDAY SEASON FOR YOU AND YOUR FAMILIES and give you a heads up on the topic I was hoping to address earlier this week.  To find out what RTFP means and how it applies to insurance, stay tuned for my next post, which I hope to have up by the middle of next week.  Until then, enjoy time with your family and friends and try to experience the true spirit of the season for at least a little while.

Privacy Notices No Longer Required (in some cases)

On November 28, 2016, the Georgia Insurance Commissioner’s Office issued a Bulletin, 16-EX-2, that clarified the duty of insurance agencies in Georgia to give annual notices to their customers of their data sharing and privacy policies.  In that Bulletin, the Insurance Commissioner’s Office confirmed that it would adopt a change that had been made to the Gramm-Leach-Bliley Act (the “GLBA”) by Congress at the end of 2015. This change created an exemption from the requirement imposed by that Act for certain “financial institutions”, which include insurance agencies, to give their customers an annual notice of their policies on the sharing with other entities of nonpublic personal information they collected about their customers.  These notices are commonly referred to as privacy notices.

The giving of privacy notices under GLBA was a very hot topic back around the turn of the century when that law was first enacted.  I gave many seminars on who had to give those notices and what they had to contain, but since then I have not heard much about those notices from my clients.  Apparently, it has not been something the Insurance Commissioner’s Office and the federal regulatory agencies involved have been that concerned about.  I have sometimes wondered how many of my clients were actually giving the required notices every year.

In any event, there is now an exemption from the requirement for the giving of privacy notices.  That exemption applies to any insurance agency that only shares the nonpublic personal information they collect about their customers in ways that are explicitly permitted by the GLBA and that have not changed their data sharing policies since their “most recent disclosure sent to consumers in accordance with” the GLBA.  An agency that satisfies these two requirements is relieved of the obligation to provide annual privacy notices to their customers until they no longer meet both requirements, i.e., they begin to share nonpublic personal information about their customers in ways that are not explicitly permitted by the GLBA or they otherwise change their data sharing policies from what was said in the last notice sent to their customers.

The list of ways in which nonpublic personal information is explicitly permitted to be shared under the GLBA is a long one, but the permitted sharing of such information that is most relevant to insurance agencies involves three main areas:  marketing, the use of such information to perform the services requested by the customer, and the disclosure of such information to insurance rate advisory organizations or other state or federal regulatory bodies and the agency’s attorneys, accountants, and auditors.  Disclosing such information to consumer reporting agencies and in connection with the sale, merger, or other transfer of the ownership of all or a portion of an agency’s business is also permitted.  Of course, any such disclosure to which the customer consents is permitted.

The most likely situation where an insurance agency may step over the line, so to speak, and thus, be required to give a privacy notice is in connection with its marketing activities.  Under the GLBA, an agency can disclose the nonpublic personal information of its customers to parties affiliated with it and to a non-affiliated third party to perform marketing activities for its products or services, if the agency fully discloses that it is doing so to its customers and enters into a contract with the non-affiliated third party that requires the third party to maintain the confidentiality of the information provided to it.  If the full disclosure of such information sharing has previously been made by an agency to its customers in a privacy notice, it is no longer required to continue to give such notices every year, unless and until its data sharing practices in this regard or in other ways change.

FLSA Issues That All Agencies Should Be Aware Of

It has been over a week since a federal District Court Judge issued an injunction staying the implementation of the new overtime rule (click here for more information on the injunction), and it does not appear that the U.S. Department of Labor is going to try to have the injunction overturned on appeal, at least anytime soon.  So employers will not have to comply with the new overtime rule that was set to go into effect tomorrow, December 1.  However, that only relieves employers from having to pay their employees who they want to treat as exempt from the overtime pay requirements of the Fair Labor Standards Act (“FLSA”) under the administrative, executive, or professional exemptions a minimum salary of $913 a week, or $47,476 a year.  Employers will still have to pay their employees overtime for any hours they work in excess of 40 in any one work week, unless they qualify for one of the exemptions referred to above or another exemption. (Click here for a post that discusses those exemptions and others as they may apply to employees of insurance agencies.)

In determining whether the 40 hour threshold has been exceeded in any one work week, agency owners need to be aware of what is work time that must be included in making that determination.  The FLSA does not require an employer to give an employee any time off during the workday for any reason, even to eat.  It only requires that an employee be paid at least the minimum wage for all the time they are working and overtime pay if they work more than 40 hours in any one work week.  If an employer decides to give its employees a break from work, that break must be at least 30 minutes long and the employee must not be required to do any work during the break period before that time can be excluded from work time for which the employee must be paid.  With respect to breaks given so an employee may eat a meal, what this means is that an employee must not be on call or perform any other work related duties during the break.  If they do, they must be paid for that time, too.

For agency employees who are licensed or have another certification that they must have to perform their duties, any time taken by such an employee for the purpose of attending a class, a webinar, or any other event to obtain or keep their license or other certification is considered work time for which they must be paid.  The same thing is true for any class or other event an employee attends at the request of the agency.  If the agency owner does not want to have to pay overtime to a nonexempt employee in this situation, any such class or other event should be attended during the employee’s normal working hours.

If an employee attends such a class or other event outside of their normal working hours, the agency owner must also be aware of the FLSA’s rules regarding payment for time spent traveling by employees.  These rules are complex, but a good explanation of the basics, as well as other situations that may require payment, can be found here.

While the pressure is off for now on compliance with the new overtime rule, the existing rules still apply and can create problems for an agency that is not aware of what those rules require.