“We hear more and more about breaches,” said Sandra Dolson, wholesale compliance manager at Sun Life Financial, at CLIEDIS’s annual general meeting earlier this month. “You have to assess the risk and change things. (Do you want to) wake up in the morning and see your company name splashed across the paper?”
But not everyone does a good job of explicitly outlining their policies — especially when it comes to insurance industry websites. David Nash, a lawyer at Mackenzie Lake Lawyers in London, Ont., has looked at many insurance company websites and found that a lot of them don’t sufficiently state that they’re sharing customer information with third parties.
“One issue with insurance companies is cross marketing and cross referencing,” said Nash. “That really shouldn’t happen without the policy holder’s informed consent.”
Nash takes particular issue with sites where client information is automatically shared. “The policyholder has to take steps to agree,” he said. “If it said we’re going to use the info unless you disagree, there are certainly ethical issues there. You’re not supposed to function that way.”
For this reason, it’s imperative that advisors keep their privacy policies up-to-date. Terry Zavitz, president of London, Ont.-based Zavitz Insurance, just updated her policy last Monday. “You’re constantly evolving the process,” she said. “It’s tough because every time you think you have it nailed down you realize there’s another improvement.”
Zavitz first developed her policy in 2004 by using the template found in Advocis’ best practices manual, and charged an employee with handling all privacy-related tasks. After coming up with a plan, she told her clients in a newsletter that a policy was in place. Somewhat surprisingly, no one reacted to the document. “My feeling is that clients just expect that now,” she said. “They understand privacy policies.”
In Zavitz Insurance’s policy, clients are told that the company keeps a variety of policy forms, which they can choose to have destroyed. “Only one client has ever said that they didn’t want us to keep it,” she said. “So we shredded it.”
While Zavitz’s policy is comprehensive — an advisor needs three passwords to access the company’s computers — it doesn’t stipulate what to do in the case of a breach.
As good as it is to have these policies in place, no one is saying that developing a plan is easy. But Dolson said with technology constantly evolving — especially in the insurance industry — companies can’t ignore the importance of privacy. “As we start to automate and do things differently, we need to look at this. Whether it’s at the firm, carrier or advisor levels, you have to assess the threats and common incidences that can cause harm to a client and their business.”
Filed by Bryan Borzykowski, Advisor.ca