Edwards Wildman


When it comes to handling the personal information of individuals, Bermuda-based captives are probably accustomed to complying with Bermuda’s Electronic Transactions Act, 1999 (ETA) and even the EU Privacy Directive and EU limitations on cross-border transfer of personal information. When handling personal information pertaining to US citizens or residents, however, whether they be claimants, insureds or even employees, captives must be mindful of the potential applicability and effect of US privacy and data security laws and regulations, both federal and state.


US data protection regulations


Many US states have enacted laws governing the protection of ‘personally identifiable information’ or the personal information (PI) of individuals, and most mandate the steps that a company must take in response to a breach of PI (including notice to individuals whose PI was accessed). While statutes vary somewhat as to what constitutes protected PI, most provide that an individual’s name plus social security number or financial account information are PI, and some include health information as well. Federal regulations mandating the security of PI can also come into play. Regulations of financial institutions can include insurance entities within their scope. Furthermore, when the health information of individuals is involved, federal legislation specifically directed at protecting the health information of individuals imposes very strict requirements on the security, transmission and storage of personal health information (PHI), and on the notification of breaches of that information.


These federal and state laws and regulations can expose even an offshore captive to US regulatory requirements and associated fines and penalties for non-compliance, particularly captives which, while they may not be on US territory, have parents or affiliates located in the US and within the reach of US regulators.


The potential reach of US regulation


A Bermuda captive that processes or stores PI or PHI of US citizens or residents should be aware that US federal and state data security laws and regulations can apply even if it accesses US data only remotely, as well as when the data are physically transferred offshore. Although it is not clear whether US government agencies would have the legal ability to penalise offshore companies for violations, US authorities could pursue an action against a US-based parent or affiliate of an offshore captive that suffers a data breach or otherwise violates US data security or data privacy laws and regulations. Moreover, if the parent of the captive is a US publicly traded corporation, a data breach incident involving the captive may trigger an obligation, under US securities law, to disclose that as a material matter in its public filings.


Protection for health information


Many lines of insurance involve the collection and transmission of individuals’ health information, whether it be workers’ compensation or medical malpractice, or general liability insurance that inevitably includes claims of bodily injury and related medical information. Captives that collect health information of individuals, or that provide cyber risk coverage to entities that collect such information, should be aware of the data security and notice requirements of federal statutes such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its extension by the Health Information Technology for Economic and Clinical Health (HITECH) Act to entities that can include captives.


The US Department of Health and Human Services (HHS) issued a privacy rule governing the use and disclosure of PHI by entities that are subject to HIPAA, and a security rule that sets forth required security standards for protecting PHI that is stored and transmitted electronically. Security standards include having written security procedures and protocols, physical safeguards (limitations on physical access to hardware, media, and software containing PHI), and technical safeguards (protective controls for information systems and networks).


While HIPAA initially applied only to health plans, providers, and health care clearinghouses, in 2009 HITECH extended the requirements of the privacy and security rules to ‘business associates’ of HIPAA-covered entities. The term business associate is broadly defined and includes brokers, agents, third party administrators, and other parties that provide services to a covered entity that entail the use or disclosure of PHI.


HITECH also substantially increased the potential civil and criminal penalties that could be imposed by federal agencies charged with its enforcement, and gave limited enforcement power to the Attorneys General of the individual states. This means that if an offshore captive were to suffer a data breach involving the PHI of residents of a particular state, an affiliate of the captive that is based in that state could be vulnerable to an enforcement action brought by the state, as well as one brought by the federal government.


HITECH also mandated that rules be promulgated requiring HIPAA-covered entities and their business associates to notify consumers when the security of their health information has been breached. Under the


bermuda captive 2012 63

