Author: ACT News Team 

Hold-harmless wording in agency-carrier contracts tends to place all burden for costs associated with agents' acts, errors and omissions, and negligence on the agency. The list of federal acts and state laws that are addressed in agency-carrier agreements has expanded greatly over the past 15 to 20 years, leaving agencies that are behind on technology more vulnerable than ever to violations of federal law. It's time to do a review of your carrier contracts as a technology risk management effort. You may find specific vulnerabilities that help you create a priority list of tech adaptations you need to make. 

A 2016 white paper prepared by Judi Newman, of Phaze II Consulting, and Bill Larson, of Profit Protection Management Consulting, runs through many of the laws and agreements agencies face and spotlights particular exposures that could leave agencies holding the bag for all sorts of breaches that could be prevented with technology upgrades. These agreements span all independent agent segments and include addenda that are frequently sent via email after an agency-carrier contract is already in force. It is crucial that these addenda be included in your agency's thorough review of liability exposures generated by the relationship with the carrier. 

Some Primary Exposures

Privacy of personal data is probably the primary issue agencies worry about. You hold all sorts of non-public private information on your insureds. If privacy or control of that data is mishandled by an agent or an agency system or is violated by a cyber-criminal, the costs to the agency can be exorbitant. Agency-carrier contracts often state that the agency "will comply will all applicable privacy laws" regarding the confidentiality of non-public personal information. The authors of the white paper note that failures in this duty put the agency in a position of breach of the carrier contract, which could affect the agency's own insurance protection should the insurer be harmed by the privacy breach. 

A quick review of the white paper shows that the Gramm-Leach-Bliley Act requires agencies to provide consumers with privacy-protection and information-sharing practices. This notice must give a clear depiction of your agency's privacy protection practices. Though the language may be boilerplate, the risk management behind it should be reviewed regularly to ensure your systems and protocols are keeping up with the threat. Many agencies don't even implement the most rudimentary cyber security practices, so to state that you are protecting customer data could be a misrepresentation. A cyber security review is a priority to make sure you are in compliance with data privacy laws and your own customer privacy notices. 

Security of communications is another area where agencies may be behind on the technology end. Email is now the preferred communication method of many clients, but it is also an avenue hackers use to invade agency—and then carrier—systems. Using email securely isn't difficult, but you will have to integrate that into your business practices in order to protect private information as it flows between you and your insureds. 

Erroneous transfer of documents does happen. In most cases, the unintended recipient will just delete the document or throw it away, but if they use it in any way, the agency could be in hot water. Even if they don't use it, you still have a privacy violation that must be disclosed. Using a secure portal on your agency website where customers can review documents after receiving an email notification that they are available for viewing can eliminate this exposure.

Risk Management Techniques 

The white paper highlights four areas of risk management that focus on the agency-carrier agreement: a review of your exposures; the establishment of a security program; a data breach response plan; and a business continuity plan. 

These four elements together represent a major part of your business strategy, and they can't be swept away with the brush of your hand using the excuse that the technology is too expensive or too difficult to understand. Your agency-carrier agreements hold your firm to a high standard, but it's one that is achievable. The Agents Council for Technology has many resources that can help you with the technology needed to comply with your carrier contracts. Avail yourself of the written resources and the person-to-person help from fellow members to reduce the exposures your agency has under your carrier contracts.