USA Law and Practice Contributed by: Jeffrey Harvey, Randall Parks, Andrew Geyer and Cecilia Oh, Hunton Andrews Kurth LLP
implement emerging technologies that are designed to decrease costs and improve the efficiency of outsourced insurance functions. Outsourced functions often include:
• insurance and reinsurance accounting services;
• actuarial analytics;
• underwriting analysis;
• insurance policy and endorsement drafting and processing;
• claims reporting and handling;
• business process management;
• insurance software development;
• data entry; and
• customer service.
Companies in the insurance space – whether policyholders, captive insurers, insurers, agents, brokers, intermediaries or others – looking to outsource insurance functions in the USA face unique challenges because, unlike many other industries, insurance in the USA is primarily regulated at the state level. As a result, there is a patchwork of rules that may vary from state to state and may affect insurance outsourcing operations.
Energy
In the energy and utility sector, regulated entities must comply with the Critical Infrastructure Protection (CIP) Reliability Standards, which are mandatory proactive cybersecurity requirements issued and enforced by the North American Electric Reliability Corporation (and its subsidiary regional entities) and overseen and backstopped by the Federal Energy Regulatory Commission. The CIP standards are designed to protect and secure cyber-assets associated with critical assets that support North America’s power grid, the Bulk Power System. All owners, operators and users of the bulk power system (which may include both public and investor-owned utilities, generation and transmission co-operatives, and non-utility owners and operators of electric power generation) and transmission facilities are required to comply with the CIP standards.
A CIP compliance issue may arise in the context of outsourcing when a regulated entity outsources its IT infrastructure or those business processes that involve access to critical cyber-assets (eg, monitoring and maintenance functions). Regulated entities may run into challenges when choosing foreign outsourcing providers, even if the outsourcing agreement contains robust contractual obligations around compliance with the CIP standards.
Failure to comply with the CIP standards may result in fines and penalties of up to USD1 million per violation per day.
2.3 Restrictions on Data Processing or Data Security
As a general matter, the USA does not have a comprehensive federal data protection law. Rather, there are many sources of privacy and data security laws at the state, federal and local levels.
Federal Requirements
At the federal level, the different privacy and data security requirements tend to be sectoral in nature and apply to different industry sectors or particular data-processing activities. By way of an example, Title V of the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of the non-public personal information they collect and maintain. As part of its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of non-public personal information and imposes certain security incident notification obligations on financial institutions.
Another key example is HIPAA, which was enacted to help ensure the privacy and security of PHI, as discussed in 2.2 Industry-Specific Restrictions.
Industry standards are also relevant. By way of an example, the Payment Card Industry Association’s Data Security Standard specifies requirements for relationships between companies and their vendors that process cardholder data. Although industry standards do not generally have the force of law, they may help inform what is deemed “reasonable” security under applicable information security laws.