With deadlines for Bill C-6 in the distance, can the P&C industry be trusted to comply on time?
By Anna Sharratt
June, 2001 – Privacy is anything but a private topic these days. With
the first deadline for Bill C-6, the Personal Protection and Electronic Documents Act,
coming into effect three months ago, it’s no surprise the p&c industry is talking up
issues of confidentiality, consent and compliance. In fact, the Insurance Institute of
Canada, in conjunction with the Chartered Property Casualty Underwriters (CPCU), is
holding a satellite teleconference on “Privacy: The Raging Consumer Issue” May 17.
Although insurers and brokers are accustomed to the
day-to-day handling of confidential client data, many are reassessing information
gathering techniques and interpreting the legislation. Under Bill C-6, set to kick in for
individual companies on January 1, 2004, it won’t be good enough to clean out the dusty
boxes in the back office or simply hook up the firewall to the Web site. Insurers will
have to be attuned to the smallest privacy issues – safeguarding the information of their
clients through a combination of policy and technology.
At the moment, insurers are fortunate to sit on the
sidelines of the trial run. As of January 1, 2001, Bill C-6 requires that all
“distributors of information” be compliant with the legislation. That means the
Insurance Information Centre of Canada and the Investigative Services Division of the IBC,
but it also applies to financial, telecommunications and broadcasting institutions. In
many cases, this involves designating privacy officers, controlling the flow of
information and training staff. As banks put the finishing touches on their compliance,
installing technology that will regulate the release of data and mailing out privacy
policies with clients’ bank statements, insurers can prepare.
It’s not the first time the industry has had training
wheels. In 1997, the Insurance Bureau of Canada developed a model privacy code — The
Model Code for the Protection of Personal Information — with input from the Insurance
Brokers Association of Canada, insurers and reinsurers. Tailored to the p&c business,
the model code outlined the majority of the provisions now included in Bill C-6 — issues
of consent, retention and the use of technology to protect data. It was the privacy litmus test.
According to Deirdre Martin, legal counsel at the IBC, more
than 75 per cent of companies have adopted the model privacy code, with only a few
stragglers still toying with the idea. “Companies are in different stages because it’s
not easy to implement any sort of code for a national company,” she says. “It
takes time to consult with your regions and your branches to develop the policies that are necessary.”
Vivian Bercovici, The Dominion of Canada General Insurance
Company’s privacy officer and a member of the IBC regulatory affairs committee privacy
working group, feels that if insurers have adopted the model code, there is no need to
sound the alarm bells. “The bottom line is if you’re a company out there and you’re
conducting your business responsibly, it’s not going to knock your socks off.”
Like the model privacy code, which gave insurers a taste of
what to expect, Quebec’s Bill 68, introduced in 1994, was also a precursor to Bill C-6. As
Jill McCutcheon, a member of the Insurance Business Law Group at the legal firm Blaney
McMurtry, points out, many large companies with offices in the province applied the privacy
legislation nationally. “The smaller companies didn’t do that,” she says.
“And those are the companies that are going to have to adjust.”
Despite the preparatory steps insurers have taken towards
privacy compliance, McCutcheon’s comment highlights the hurdles ahead. In the next several
years, insurers will have long compliance agendas, ranging from initiating internal
privacy audits to centralizing privacy issues in one department or position to keeping
tabs on all the members of the insurance food chain. Although insurers are optimistic now,
some argue the process won’t be easy.
Tracking everyone’s movements will perhaps be the biggest
obstacle. McCutcheon feels insurers may not have too much difficulty monitoring their
internal operations – it’s the activities of other parties that could present a challenge.
“They’ve got all these relationships where they outsource various insurance functions
and while they keep their own house in order; it’s not too clear how some of these other
It’s here that brokers enter the equation. Keeping one’s
house in order includes ensuring the confidentiality of broker client lists, something
Lloyd Ellam, technology practice leader for Marsh Risk Consulting, feels should be
protected at all costs. He believes brokers should have a corporate policy in place that
tracks the entry and exit of information from the operation. “Your customer list, if
you’re a broker, is valuable to somebody else. Privacy in that form means keeping your
From an insurer perspective, Stephen Lingard, senior
counsel at the IBC, suggests companies “have at least some degree of due diligence
that a brokerage has taken the necessary steps to bring itself into compliance with Bill
C-6.” Otherwise, the insurer could be liable, adds Carole Machtinger, the IICC’s
vice-president of government relations and planning.
To remedy this, Lingard advocates privacy audits, one of
the stipulations of the new privacy legislation. “One of the first things companies
need to do is a privacy audit,” he says. “They should examine how they collect
information, who they collect it from. What sort of consent do they have? And to whom do
they disclose that information?”
Many larger insurers are already conducting audits. Some
have also appointed privacy officers — individuals who are accountable for compliance and
Bill McCrae, corporate responsibility officer at Economical Mutual Insurance Company,
adding that his company will be conducting a privacy audit shortly. McCrae says Economical
plans to enlist the help of a consultant to oversee the investigation.
Like Economical, Dominion has also started on the path to
compliance with Bill C-6, part of a growing trend to meet the requirements well in advance
of the deadline. Bercovici says the push for compliance is simply a proactive approach. In
fact, biting the bullet early may come in handy for companies wishing to gain a
competitive advantage. McCrae points out that gaining trust and showing confidential data
is taken seriously can be a customer service issue. With rival banks already compliant, he
argues there is even more pressure on insurers to make the grade.
Despite its benefits, Bill C-6 presents its share of
problems. One area of concern is the issue of consent, implied or direct. While Martin and
Lingard advocate the use of a signature as a means of authorization — “Get written
consent, even if you have to have someone fax you” — McCutcheon is of the view that
“a wet signature” does not add additional security. Many argue that insurers
need to simplify the language used to obtain consent from a client in order to remain
liability-free in the future.
Once consent is (or is not) given, the challenge an insurer
then faces is alerting all staff. For cross-selling, this is particularly problematic, as
‘Do Not Sell To’ lists must be circulated. McCutcheon explains the problem. “I don’t
know how a company would monitor its brokers or agents and remind them they shouldn’t be
soliciting people on their don’t call list.” She advises companies set up broker
server sites where information about these clients is posted.
Another interpretative challenge is the section of Bill C-6
dealing with technology, a grey area discussed in general terms with no specific
technological safeguards mentioned. “They don’t go into great detail in the area of
security safeguards,” notes Lingard. He says it’s really up to companies which products to use.
Ellam stresses that adding technology is useless without a
security policy all staff are familiar with. “You can’t just throw one thing and say:
‘I put up a great firewall up here and that’s going to solve it,’” he says. “You
have to have the internal policy and all the applicable rules and regulations.”
Perhaps the greatest challenge in Bill C-6 lies in its
murky wordings, which do not clearly outline the specific requirements a company must
undertake. “The bill is an extraordinarily poorly drafted piece of legislation,”
argues McCutcheon, explaining that its interpretive style is a deliberate attempt to spur
provincial action on the legislative front.
Lingard agrees. He suggests gaps left in the federal
legislation — the health information components of the bill — will be eventually filled
in by provincial laws. In Ontario, he predicts Bill 158, the health privacy law, will
return to the legislative agenda and pass before 2004. Other provinces are considering or
drafting similar health privacy legislation.
This volley of current and future privacy laws has the
potential to stump some insurers and brokers. Ellam says he has seen many insurers and
brokers confused about applicable legislation. “There’s a concern that they’re
compliant,” he says. “They just don’t know what they should be compliant with.”
McCutcheon predicts the outcome will be the adoption of the
farthest-reaching legislation. “What I think most insurers will do is they will pick
whatever the most stringent piece of all of the legislation — whether it be the federal
piece, the Quebec piece or the new health privacy piece — and they will apply that across
While the implementation of an internal privacy
infrastructure may be a daunting task, insurers and brokers are as yet in no danger of
violation. With Bill C-6’s penalties for non-compliance a bit hazy at best and with no
clear definition of what constitutes a security breach, the process of becoming compliant
will likely be a learning process for regulators, insurers and brokers.
Consumers, concerned with media coverage showing cases of
privacy violation and breach of confidential data, will have their fair share of questions.
Perhaps more than the legislation, the pressure will be on insurers and brokers to answer them.
Published in Canadian Insurance Magazine, May 2001 issue. Re-printed with permission.