Virginia insurance regulators issued their first fine for a violation of a 2003 law regarding the protection by agents and agencies of policyholder information, just three weeks after issuing a reminder on the requirements.

Virginia State Corporation Commission Bureau of Insurance officials confirmed that the action against Caryn J. Williams, a licensed life, health, property-casualty agent in Chesapeake, Va., and her property-casualty insurance company, SCK Enterprises Inc., for failing to properly protect policyholder information was the first issued by the state. Williams and the company were cited for six other infractions and fined $1,000 in September.

Over the last few years, industry trade groups have tried to educate agents about the law, which was passed in recognition of the increased instances of identity theft in the U.S.

“Creating an in-house information security plan is a time and dedication issue,” said Bob Bradshaw Jr., president and CEO of the Independent Insurance Agents of Virginia, which has offered resources and training on the law.

The 6-year-old law requires insurers, agents and insurance supported organizations to design and implement a written policy for ensuring the security and confidentiality of policyholder information.

The bureau issued an administrative letter Sept. 1 on the requirements, which served as a follow-up to its original administrative letter, issued May 19, 2003, detailing requirements under the law.

Bureau offers guidance on plans

Ken Schrad, a bureau spokesman, would not identify the reason for issuing the administrative reminder or say if other cases involving privacy safeguard protection issues are under investigation. Privacy safeguards are part of the routine field examination of compliance with state laws, conducted by staff of the bureau’s Agent Regulation and Administrative section, Schrad said.

The bureau’s latest letter offers 36 questions for agents and agency owners to consider when developing a written plan. They include questions about the security of office spaces, use of paper shredders, whether files are stored in a locked area, if visitors are allowed in non-public areas and if they are escorted. Another series of questions asks about virtual security, including how computer passwords are stored and protected, who has access to servers and whether client data is encrypted.

The bureau’s settlement order with Williams and SCK Enterprises, issued Sept. 22, also cited them for failing to obtain a signed consent form from a policyholder, charging an administrative fee in addition to premium, failing to retain three years of insurance records, failing to make records available to regulators promptly and failing to properly handle fiduciary accounts.

This story originally appeared in the November 2009 print edition of Insurance & Financial Advisor.