Wednesday, March 24, 2010

Mass Privacy Legislation: Other States too?

Below is Kathleen Zortman's response to my question as to whether VA, MD or DC have laws similar to that which recently went into effect in Massachusetts. Read on!



From: Kathleen Zortman,
Professional Risk Solutions

As promised, I spoke with our attorneys re: any law or legislation in DC, MD or VA (or other states) that is similar to the new Massachusetts Privacy Legislation. Our quick research indicates the following:

· Virginia, Maryland and District of Columbia have enacted breach notification laws—which require notification to consumers of security breaches involving personal information (e.g. name, ss#, driver’s license #, credit card #, etc.). In fact, they are part of the approx. 45 states that have done so (see PDF list attached). However, according to a March 1, 2010 article by The Compliance Authority, Inc., it appears that only Massachusetts and California have called for access control—i.e. the monitoring operations and encryption of data requirements as set forth in Massachusetts law (20 CMR 17.00).

· Other articles suggest that the Massachusetts law (20 CMR 17.00) is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. It appears that the Massachusetts government didn't believe that data breach notification alone was sufficient to protect its citizens, especially in the midst of the current climate of consumer protectionism. The effect of the Massachusetts law has already been seen though, as other states (such as Michigan) are looking at passing similar tough data protection requirements for their state residents' personal information.

It appears that this is a burgeoning area of the law. Therefore, we will continue to monitor the situation and let you know of any meaningful changes. I hope this information is helpful. Please let me know if you have any further questions.



Kathleen O. Zortman


Professional Risk Solutions

285 Davidson Ave, Suite 101

Somerset, NJ 08873

p. 732.764.1000 x17

m. 908.230.5731


Thursday, March 18, 2010

Does Your Company Have a Cell Phone Policy?

I'm working on a white paper with my client Zoom Safer about corporate liability that arises from employee cell phone use behind the wheel. Zoom Safer has begun to explore this topic here. In this new paper, we discuss the elements of a sound company policy that addresses employee cell phone use.

Essentially, if businesses don't address it, then they can be accused of condoning irresponsible driving behavior resulting in loss of life or limb.

The first step is to institute a written Fleet Safety policy that addresses cell phone use while driving.

Does your company have a policy? What does it include? How is the policy enforced?

New Privacy Legislation For Companies with Clients in Massachusetts

I received the following notice of a new law regarding private information held on residents of the state of Massachusetts. This information must be secured in the manner outlined by the law. If not, and the information is leaked or exposed, then companies can be liable to suit by the Massachusetts Attorney General. Customers whose information was exposed can also use violation of the law as a further basis for their violation-of-privacy suit.

Liability from exposure of private information is NOT covered by a General Liability policy. Specialized coverage must be secured through a Cyber Liability policy, or possibly endorsed onto an Errors & Omissions (E&O) or Directors & Officers (D&O) policy.

Thanks to the specialists at Professional Risk Solutions for sending this information out to agents.

More states might follow suit in the future.

New Massachusetts ‘Personal Information and Privacy’ Law: 201 CMR 17.00

Effective March 1, 2010

This affects:

Any company that maintains private, personal or confidential information on residents of Massachusetts. Confidential information includes financial, medical, credit, SSN, driver’s license, insurance policy numbers, and the like. Banks, leasing companies, insurance companies, brokerages, mortgage companies, credit companies, online retailers, utilities, and medical firms could all be affected by the new law.

Our recommendation:

For any company that maintains records on residents of Massachusetts, we urge you to review:

· data security procedures and practices to make sure they comply with the new law

· the Massachusetts compliance checklist

· insurance coverages and limits, including Cyber Liability and D&O

What the law says

Starting March 1, the new law requires that any company that holds personal information on Massachusetts residents must abide by certain standards and practices to protect and store that information, and prevent it from ‘leaking out’ or being exposed to unauthorized persons.

The law apparently applies independently of other data security regulations. So even if a company complies with HIPAA regulations, for example, the new Massachusetts requirements still apply.

It doesn’t matter whether the company or organization is based in Massachusetts or not, only that they hold personal or private information on residents of Massachusetts.

What’s the insurance and liability issue

If a company failed to follow these established standards and security practices -- and customer records were ever exposed, whether maliciously or accidentally -- the company could possibly be liable for action by the Massachusetts Attorney General. Or, consumers whose records or information were compromised could sue for damages. Having a stringent law ‘on the books’ about safeguards could conceivably strengthen their cases.

Kathleen O. Zortman


Professional Risk Solutions

Monday, March 1, 2010

My Value Proposition

It's hard to stand out against the hordes of other insurance agents out
there. Of course, I think I'm great, but potential clients don't know
me from agent Adam.

I will start with a good Value Proposition. People will listen if they
perceive that the conversation will benefit them. Here's what I have so

Commercial Insurance
I will simplify it.
I will explain it.
I will tell you how to improve it.
I will work to save you money on it.

If I can't accomplish those goals, then I'll tell you about it.

Does that make sense to you?