The last presentation at the recent YAC Sales & Leadership Conference was on cyber security and it included a demonstration of just how vulnerable an insurance agency or any other business can be to a cyber attack. One of the agents at the conference agreed to allow his agency to be the subject of a cyber attack by the presenters.
This attack did not involve a sophisticated attempt to penetrate the agency’s servers via their connection to the internet, as is seen most often in the movies and on TV. Instead, the presenters sent e-mails from what appeared to be the agent’s e-mail address to 15 or so employees of the agency. The e-mail contained only publicly available information about the agent and the agency. It also contained a link that asked the recipient to provide certain information, which if provided would have allowed a true hacker to access to all the information on the agency’s computer system. That link could have just as easily installed malware on the agency’s computer system with the same result.
Even though the e-mail was sent late at night and contained many typos, two of its recipients clicked on the link and one provided the information necessary to allow a hacker to gain access to the agency’s computer system. This result is consistent with the fact that the majority of successful cyber attacks on businesses involve employees doing something they should not have done. It also emphasizes the fact that cyber security is not just limited to having firewalls and detection software installed on an agency’s servers and desktops. While important to do, it is even more important for an agency to train its employees on what not to do when receiving and responding to e-mails during the course of the work day.
Such training should involve what warning signs to look for in the e-mails they receive that may indicate the e-mails are really from hackers trying to gain access to the agency’s computer system. Two of those signs were present in the e-mails sent to the above agent’s employees, late at night and many typos. Mismatched URL’s and misleading domain names are two other such signs (click here for a list of ten such signs.)
The damage that can be done by a hacker who has gained access to an agency’s computer system is limited only by the imagination of the hacker. Click here for an example of how the information in that system can be used to create fake e-mails to the agency’s customers that ask for money to be sent to a fake bank account. Click here for an interesting video from Hewlett-Packard that explains how printing a coupon sent to an employee by a hacker can result in the hacker gaining access to a business’ computer system.
It’s not enough to protect an agency’s computer system with firewalls and detection software. Its employees must also be trained to spot phishing e-mails, which training must be ongoing to keep up with the latest versions of such e-mails.
It’s almost Christmas and my plan to have a post up earlier this week that would not get lost in the holiday rush did not work out. So, I decided to just say to all my readers BEST WISHES FOR A SAFE AND ENJOYABLE HOLIDAY SEASON FOR YOU AND YOUR FAMILIES and give you a heads up on the topic I was hoping to address earlier this week. To find out what RTFP means and how it applies to insurance, stay tuned for my next post, which I hope to have up by the middle of next week. Until then, enjoy time with your family and friends and try to experience the true spirit of the season for at least a little while.
A recent question about the use of privacy statements on websites maintained by insurance agencies prompted me to look again at the basic laws that govern when and how such statements must be given to the customers of insurance agencies. On the federal level ,there is the Gramm, Leach, Bliley Act (“GLBA”) passed by Congress in 1999 and in Georgia, there is Section 33-39-1, et seq., of the Insurance Code, which was enacted by the General Assembly in 1982 and became effective on January 1, 1984. The GLBA permits its requirements to be superseded by state laws that impose greater requirements on the giving and contents of privacy statements.
Unfortunately, for Georgia insurance agents, the Georgia law does impose greater requirements than the GLBA on the giving and contents of privacy statements. Fortunately, the requirements of both laws only apply to “personal information” (Georgia law) and “nonpublic personal information” (GLBA), which means that privacy notices need not be given to insureds or potential insureds who have or are seeking commercial lines coverages that do not involve the collection of personally identifiable information about individuals. In all cases where such information will be collected by an agency in connection with the obtaining of an insurance coverage, a privacy notice must be given.
Georgia law specifies different times for when such notices must be given in connection with an initial application for insurance, depending on the sources from which personal information about the applicant will be collected before a policy is issued. If such information will only be collected from the applicant and public records, a privacy notice need not be given until the policy is delivered to the applicant. If such information will be collected from any other source, a privacy notice must be given when any personal information is first collected about the applicant.
Thus, if an insurance agency has a website that allows a potential customer to get a quote by providing certain personally identifiable information about themselves and before providing that quote, the agency will get any more personal information about the potential customer from a source other than public records, the website must give the customer the required privacy notice when the customer first enters their personal information. The privacy notice in this situation required by Georgia law is more extensive than the one required by GLBA. Among other things, that notice must tell the customer of their right to inspect personal information about themselves in the records of an insurance institution, agent, or insurance support organization, to get other information from those entities, and to request a correction of any such information.
The Georgia law requires a privacy notice to be “in writing”. However, given the subsequent passage of the Georgia Uniform Electronic Transactions Act and the enactment last year of a revised Section 33-24-14 of the Georgia Insurance Code (click here for blog post), which specifically applied the provisions of that Act to the Insurance Code, if the requirements of the Act are met, the required privacy notice can be given electronically on the agency’s website. Those requirements have been explained in an article I wrote for the Dec Page magazine. If an agency would prefer not to put a full blown privacy notice on its website, the Georgia law permits an abbreviated notice to be given that informs the customer that (i) personal information may be collected from persons other than the customer, (ii) such information as well as other personal or privileged information subsequently collected by the agency may in certain circumstances be disclosed to third parties without authorization, (iii) a right of access and correction exists with respect to all personal information collected; and (iv) a complete privacy notice will be furnished to the customer upon request.
It’s been over nine months since my last post about the Affordable Care Act, commonly known as Obamacare. In that post, I discussed the exemptions from the “pay or play” penalty that would be effective for the 2015 calendar and plan years. Unfortunately for employers, the exemptions from that penalty do not apply to the reporting requirements imposed by Sections 6055 and 6056 of the Internal Revenue Code. Those requirements relate to the type of health insurance coverage provided by employers to their employees during 2015 and later years.
All employers, regardless of size, who offer any type of group health insurance are required to file the Section 6055 report for each employee, a copy of which report on Form 1095-B is to be given to each employee. Even those employers with less than 50 full-time equivalent employees are required to prepare and file this report. Fortunately, for those employers who have fully insured plans, the provider of those plans is responsible for preparing the report, distributing it to the employees, and filing it with the IRS. Those employers who self-insure their employees’ health insurance coverage will have to prepare, distribute, and file the required reports themselves.
Only those employers with 50 or more full-time equivalent employees have to file the report required by Section 6056. The employer is responsible for preparing this report, filing it with the IRS, and giving it to each full-time employee on Form 1095-C by January 31, 2016. This report must be prepared, filed, and delivered, even if the employer does not offer health insurance coverage to its employees and would be exempt from the penalty for not doing so because it had 30 or fewer true full-time employees (i.e., those who regularly work 30 or more hours a week). In addition, the employer must prepare and file with the IRS a transmittal form, Form 1094-C, for the Form 1095-Cs, which requires information about the insurance coverage provided and the number of employees on a monthly basis. For a more detailed explanation of the reporting requirements imposed by Sections 6055 and 6056 and what information must be provided click here. Even though the deadline for completing the required employee forms is only a little over four months away, the IRS has not yet released final versions of those forms for 2015. Click here for draft copies of those forms.
Earlier this month, there was a post on the Employee Benefit Adviser site that cautioned against seven myths about the above reports. For those employers who are planning on doing everything themselves, the author noted that the instructions for Form 1094-C and 1095-C are 14 pages long and written in the usual dense prose of the IRS. In addition, the IRS has released another 14 pages of clarifying questions and answers. For those who think they can wait a while longer before deciding what they will do, the author notes that information must be reported to the IRS on a monthly basis and many of the vendors who are offering their services in this area are increasing their fees the closer the deadline gets.
Although the IRS has indicated for this first year of reporting it will give some relief for improperly completed or filed reports under Sections 6055 and 6056, it has stated there will be no relief from the fines for failing to meet the requirements of those Sections for employers that cannot show a good faith effort to comply to the extent possible or who fail to timely file with the IRS or give a required report to their employees. Those fines are $250 for each form that is not filed or is incorrectly completed and filed with the IRS and for each form that was not properly delivered to an employee.
About 10 days ago, the Atlanta Journal Constitution published its annual ranking of the top places to work in the Metro Atlanta area. Two years ago J. Smith Lanier & Co. was ranked in the top 5 midsize business places to work and this year was ranked 13th in that group. (Click here for my blog post in 2013.) Congratulations are due to it for maintaining its status as a top workplace. As was the case in 2013, no other independent insurance agencies were ranked and there were no insurance companies anywhere to be found.
What most interested me were the results of a survey that the AJC gave the employees of the top ranked workplaces to find out what was most important to them about where they worked. The three most important factors cited by those employees all had to do with the feeling of connection between them and their employer. The most important factor was feeling genuinely appreciated by their employer, followed closely by a feeling of confidence about their future at work and that their employer was going in the right direction. To my surprise, the two things that were least important to these employees were feeling that their pay was fair for the work they did (cited by only 51%) and bringing up the rear, feeling that their benefits package was good compared to similar companies (cited by only 37%).
Engagement is the buzzword in human resources circles for creating a connection between the employee and employer. A recent survey of employees found that over 68% of them self-identified as being disengaged at work. Other studies show that disengaged employees are not as productive as employees who feel engaged at work and by some estimates cost the American economy $550 billion a year as a result.
In addition to productivity loss, disengaged employees can negatively affect office morale and generally do not provide the type of customer service that is needed in today’s economic environment to distinguish your insurance agency from everyone else. From the above description of the negative effects that disengaged employees can have on a workplace, it should not be hard to figure out which employees in your agency may be disengaged.
Three general rules for creating a workplace of engaged employees are: 1) listen to them, especially about problems they may see and suggestions they may have for improvements in workflow and other office procedures; 2) encourage them to work together to solve the problems that may exist and advance the goals of the agency; and 3) give them regular feedback on their performance, praise where warranted and constructive criticism where necessary. The key here as in most areas of life is regular and honest two-way communication.
For an article on seven actions that can be taken to implement the above general rules, click here. For those who want more information, click here to register for a free one hour webinar on creating an engaged workforce that will be held next week on April 8 at 1 p.m. Finally, if you are looking for suggestions on how to use reward and recognition to boost the productivity of your agency’s employees, click here to download a free booklet on that subject.
It’s been awhile since I wrote anything about the Affordable Care Act, commonly known as Obamacare. That’s mainly because the rules keep changing, especially for that provision of the law known as “play or pay”, which applies to employers and requires them to either provide “affordable” and “minimum essential” insurance coverage to their employees or pay a penalty for not doing so. What constitutes “affordable” and “minimum essential” insurance coverage has not changed, but whether an employer will be subject to a penalty for not offering such coverage in 2015 has changed.
Last year the “play or pay” penalty was delayed for all employers until January 1, 2015. This year the “play or pay” penalty has been delayed until January 1, 2016 for those employers who have 50-99 full-time employees or their equivalents, if they meet certain requirements, and has been watered down for those employers with 100 or more full-time employees or their equivalents. As I explained in a earlier post, employers with 30 or fewer full-time employees (those who are normally expected to work an average of 30 or more hours a week), do not have to worry about the “play or pay” penalty in 2015 and beyond, because in calculating the amount of the penalty, the first 30 such employees are not counted. For employers with 100 or more full-time employees or their equivalents, the exemption from the “play or pay” penalty for 2015 has been increased to the first 80 full-time employees. So, if such an employer has 80 or fewer full-time employees during 2015, it will not pay a penalty if it does not offer insurance coverage at all or even if it offers such coverage that is not “affordable” and “minimum essential.”
For employers with 100 or more full-time employees or their equivalents who offer insurance coverage under non-calendar year plans, there are other ways they can escape the “play or pay penalty” without having to offer “affordable” and “minimum essential” coverage to 95% of their full-time employees, which is what Obamacare initially required. For an explanation of these other ways and the changes made in the “play or pay” penalty for 2015 in general, click here.
In order for employers with 50-99 full-time employees or their equivalents to escape the “play or pay” penalty for 2015, they must continue to do what they have been doing since February 9, 2014. If they have not offered insurance coverage to their employees since that date, they do not have to offer such coverage during 2015. If they have offered such coverage on or after that date, they must continue to offer the same coverage to the same employees and contribute the same amount toward the premium for employee only coverage during 2015, but that coverage does not have to be “affordable” or “minimum essential.”
The open enrollment period for 2015 individual insurance coverage runs from November 15, 2014 through February 15, 2015. Insurance agents and brokers who want to be able to assist individuals in obtaining coverage through the federal insurance exchanges and the Small Business Health Options Program, more commonly known as SHOP, must register or re-register with Centers for Medicare and Medicaid Services (“CMS”). For a copy of the slides from a recent seminar on that subject that explains the requirements for insurance agents to take part in those programs, click here.
One new benefit for registering with CMS is that an agent’s name and contact information will be accessible from the home page of the healthcare.gov website under “Find Local Help.” For an article about this new benefit and how an agent can change their contact information, click here.
There is a time-honored tradition in many households on Thanksgiving for everyone at the dinner table to tell one thing about which they are particularly thankful. I wanted to take this opportunity to thank my readers for their interest in my blog posts. I have made over 130 posts since starting this blog in June 2012. Hopefully, most of them have been of interest and helpful to my readers.
As noted on my Feedback/Suggestions page, this blog is an ongoing process and if you have any suggestions for topics of interest that you would like me to discuss or any constructive criticism that you would like to make about Georgia Agency Resource, please feel free to use the Comment box below to let me know what you think. So far, I have not received very many such comments. In the spirit of the season, I have chosen to believe that is because I have discussed topics of interest to Georgia insurance agents in a way that provides value to them in running their agencies. If that is not so, please let me know what I need to do to make that true.
BEST WISHES FOR A HAPPY THANKSGIVING FOR YOU AND YOUR FAMILY.
I recently received a call on the IIAG Free Legal Service Program that I operate from an agent who was considering establishing a relationship with a business association, for whose members the agent was interested in writing insurance. The agent had developed a special expertise regarding the insurance needs of the business association’s members and wanted to gain access to them through their association.
The business association on the other hand was interested in receiving compensation beyond a mere referral fee for assisting the agent in gaining access to its members. In exchange for that compensation, the association was willing to provide assistance to the agent beyond just giving the agent contact information for its members. Establishing such a relationship with a business group can be a very effective way for an agent or agency to significantly increase its customer base.
The creation of a relationship with a person or entity that is not licensed by the Georgia Insurance Commissioner’s Office raises two significant issues under the Georgia Insurance Code that must be successfully dealt with. First, there is the prohibition on the sharing of commissions with a person or entity that does not have the proper license from the Insurance Commissioner’s Office. Second, there is the prohibition on engaging in activities that constitute the sale, solicitation, or negotiation of an insurance product without the proper license from the Insurance Commissioner’s Office.
The first issue can be resolved by entering into a payment arrangement with the unlicensed business group that is not tied in any way to the amount of commissions received by the agent or agency on insurance business written for the group’s members or even to whether any insurance business is written at all. The agreed on compensation for the performance of services by the business group should be paid regardless of those two factors.
Some people may think that having an employee of the business group get the proper insurance agent’s license and then paying an agreed on share of the commissions received directly to that employee will resolve the first issue. That would work if the employee was going to keep all the commissions paid to him or her. However, that is not likely to the case, and if the agent or agency was or should have been aware that the employee would turn over all or any part of such compensation to their employer, then they may well be in trouble with the Insurance Commissioner’s Office.
However, having an employee of the business group get such a license would resolve the other issue raised by the agent or agency’s relationship with that group. What duties constitute the sale, solicitation, or negotiation of insurance is a gray area and has been the subject of a couple of my earlier blog posts. Having a properly licensed insurance producer, who is employed by the business group, handle all the insurance related duties that the business group is to perform in exchange for its compensation would avoid any potential problem with the Insurance Commissioner’s Office over that issue. In the absence of such a employee, the agent or agency would be exposed to potential liability if the Insurance Commissioner’s Office were to determine that one or more of the duties being performed by the business group could only be performed by a properly licensed insurance agent.
Now that the electronic delivery of insurance policies and notices about them has been clearly authorized by the Georgia General Assembly (click here for an earlier post on this subject), the next step for agents who want to continue to work toward a truly paper free office and realize the savings in time and money that result is the use of electronic signatures for documents that, in the past, had to be physically signed by the insured (e.g., an application for or waiver of coverage). As with the electronic delivery of policies and other documents, there are both legal and practical issues associated with using electronic signatures on documents. ACORD has published an analysis by a well known law firm of these issues, which was the subject of an article by Jeff Yates of the Agents Council on Technology.
For those of you who have followed my blog posts and articles in the Dec Page magazine on the electronic delivery of insurance policies and other documents, the legal requirements for the use of electronic signatures will be familiar. They are essentially the same as for the electronic delivery of such documents. The consent of the customer to the use of electronic signatures must be obtained and that consent is subject to the same disclosure requirements in consumer transactions as for the electronic delivery of documents. However, the burden of proving the electronic signature of a customer involves much more than proving the electronic delivery of a document.
While it may be enough under Georgia law to prove that a document was delivered electronically by obtaining a receipt of delivery from the recipient’s internet service provider, proving the validity of an electronic signature requires much more. You must be able to prove not only that an electronic signature was obtained, but also the identity of the person who gave that signature and that the document to which it relates has not been changed since the date of the signature. The analysis published by ACORD contains guidelines for developing procedures to accomplish these requirements.
There are several technology providers who offer products that they claim will fulfill all the legal requirements. One of those providers is DocuSign, which has been endorsed by the IIABA and offers a discount to IIABA members. Another is Silanis, which has recently published a marketing brochure that explains how its product addresses the legal requirements discussed in the ACORD analysis. That brochure provides a good summation of those requirements and is worth reading for that reason alone.
If any of my readers have begun using electronic signatures in their agencies, I would appreciate hearing about your experience.