Writing e-Law into the books

As the world of insurance moves online, new laws are being established to validate online transactions, as well as protect consumer interests. Electronic signature and privacy legislation being enacted at both the federal and provincial levels will challenge the industry to tackle this new form of commerce with care. Speakers at the recent Canadian Institute conference on online insurance warned that cyber-law, still in its infancy, gives rise to as many questions as answers.

In a familiar game of catch-up, federal and provincial lawmakers are scurrying to get new laws on the books to deal with the e-commerce phenomena. “Wait and see” will not cut muster anymore, and Canadian businesses are looking for guidance today on how to conduct online transactions. They want to know what the rules are before they jump headlong into the game, and the insurance industry is no exception. At the recent Canadian Institute conference, “Online Insurance”, regulators and lawyers were asked when laws just now being drafted would be formalized into regulations to guide the industry’s e-commerce ventures. The answer is still unclear.

In the past year, the federal government passed new privacy legislation, with most provinces looking at enacting their own such legislation. As well, Ontario became the first province to put an electronic commerce act into effect, followed by Manitoba and Saskatchewan, with the federal government also drawing up e-commerce legislation effective May 1 of this year.

E-signature validity

As Ontario moves ahead with its e-commerce law, electronic signatures are among the issues on the front burner. In the insurance industry, there was particular need to have the validity of electronic signatures formally recognized. Existing legislation aimed at the industry uses terms such as “signature” and “certificate”, which tie companies to paper-based transactions and hold back the development of e-commerce, notes Dina Palozzi, superintendent of the Financial Services Commission of Ontario (FSCO).

The new federal law, a response to the rapid growth of Internet use, makes electronic signatures as valid as hand written signatures, notes Peter Thurton, director of market conduct for the Royal Bank Insurance Group. Unfortunately, the act is “limited in scope”, because it does not specify exactly what constitutes an acceptable signature format and what controls need to be in place to protect the validity of e-signatures. While the act says the signature does not have to resemble an actual handwritten form, and that is does not have to be attached to forms, the lack of clarification “opens all kinds of doors” because the simplest kind of signature may be acceptable even in the case of fairly complex transactions.

The law seems more directed at establishing the intent of the consumer to agree to the transaction, rather than the “nuts and bolts” of an acceptable signature. “It’s fair to say that in all cases the law is not absolutely clear as to what constitutes an electronic signature,” Thurton observes. The U.S. federal act is “all-encompassing”, he notes, providing a clearer picture that can later be used as proof in cases of disputes over signatures. Thurton hopes actual regulations will give detail as to what is acceptable, as well as working out potential points of conflict between federal and provincial legislation.

Palozzi admits the Ontario act is “minimalist”, intended to guide e-commerce, but not to prescribe it. The entire field of e-commerce is giving rise to more questions than answers at the moment, she notes. Questions include whether governments should be monitoring websites, and how this might be achieved, what level of security is acceptable for online transactions, preventing sales in unlicensed jurisdictions and advertising issues. The “borderless” marketplace is providing both opportunities for commerce and a slew of headaches to be dealt with.

Thurton observes that electronic signatures do have a great deal of potential, including the ability to reduce costs and increase efficiency. The laws are a response to increasing demand on the part of consumers for this instant kind of service. The biggest hurdle, he says, may be with the psychology of the insurance industry itself. “Despite the law allowing us to do business this way, I don’t think insurers will sign large documents online.”

Protecting privacy

One of the key concerns brought forward by increased consumer activity on the Internet will be the interaction with new federal and provincial privacy legislation. Palozzi points out that legislation being brought out by several provinces, including Ontario’s own privacy act currently under discussion, will be an important consideration for insurers. Provincial acts will replace the federal legislation when in place.

Ontario’s regulator notes that insurance involves very sensitive information, more personal information than is required to sell many other products online. Insurers are also involved in the use of new data mining techniques, notes Adam Kardash, a corporate communications lawyer with Heenan Blaikie. He says these “powerful” tools may come into conflict with new privacy laws which state that information cannot be used for purposes other than those specifically approved by the consumer.

The new acts mean that companies can not disclose information to anyone else without the expressed permission of the customer, and consent to use or disclose information can not be tied to the purchase of a product, explains Duncan Card, partner at Davies Ward & Beck. Such limitations may impact on dispute resolutions, mergers and acquisitions and a variety of other scenarios insurers may be involved in. There will also have to be some process in place for individuals to withdraw consent to use their information as is their right, he notes.

One area still to be worked out is what constitutes “identifiable” information. While companies can freely use non-identifiable information, information that can in any way be traced to an individual’s identity (such as a SIN, address or driver’s license number) can not be disclosed without consent.

All of these limits also become aggravated on the Internet because of security concerns. A hacker who gains access to any kind of consumer information, not simply credit card numbers, is putting the company in legal jeopardy. A November 1999 survey by Angus Reid Group shows that 70% of Canadians are concerned about the release of information over the Internet and 86% would go elsewhere if a company did not have a comprehensive privacy policy online. One of the most disturbing findings of the study, notes Libby Gillman, senior manager at Cap Gemini Ernst & Young Canada, is that most people believe financial institutions are using their information “in a way they’ve not authorized”.

Palozzi notes that a survey of broker Internet sites reveals that most did not have a privacy policy posted. “It just makes good business sense”, she says, to reassure consumers by putting a company’s privacy policy online. The fear of online consumers with regards to privacy will be just one of the concerns addressed by regulators through a working group established by the Canadian Council of Insurance Regulators (CCIR). The Working Group on E-commerce will be looking into what happens to information collected on the Internet, how it is stored and used and how consent is given online, says chair Jim Hall of Saskatchewan. One of his key concerns is the potential use of “negative option” checkboxes on websites being used to gain consent for information use. In essence, the consumer would have to specifically say they did not want to have their information used, rather than being required to give an affirmative answer. “In my personal opinion, that burden should be placed where it belongs, on the company [not the consumer].”

Several speakers urged companies to address the privacy issue now, rather than when the federal legislation comes into effect for insurers in four years. Reviewing a company’s privacy process could be “almost as daunting as the Y2K [review] process”,
says Gillman. It should be undertaken on an enterprise-wide basis, she adds. Kardash agrees and notes that insurance companies who have in the past put information to a variety of uses are going to have to change their ways. “I think it’s going to result in higher levels of disclosure for companies about what they’re collecting [the information] for…companies don’t always know what data might be used for when they collect it.”

On the other hand, Kardash says the insurance industry may be more prepared than others to meet the challenges of online privacy. “As the insurance industry moves into the online environment, are we going to see a tidal wave of privacy concerns? No.” Privacy is already a focus for insurers, he explains, the industry has already put its own self-regulatory code on privacy and historically insurers have seen very few privacy complaints aimed at them. “Your business is based on trust,” says Gillman, who agrees financial services as a whole have addressed privacy issues well in the past. As a regulator, Palozzi notes that her department rarely receives complaints about breaches of personal privacy by insurers.

Running the gamut

Beyond privacy fears, the CCIR working group will be looking at a host of online issues over the coming months. These range from regulatory oversight of new parties involved with online insurance, such as web hosts, Internet service providers (ISPs) and search engine operators, and whether regulators have authority over these third parties. “Basic insurance information can come from anywhere,” Hall observes, so regulators may have cause to look beyond insurers for accountability and consumer protection.

Hall says the group is also looking at online quotation services and “whether there are any biases inherent” in directing consumers to one company or another. Disclosure of any potentially compromising relationships will be the key, he says.

Another issue is the movement away from personal interaction with a broker or agent and how online transactions can be carried out in light of the duty to advise. What information must consumers be given, including information on how complaints can be handled, is one area of concern. Consumer error in filling out online forms and requesting information on products and coverage will also be a concern.

One way the CCIR will deal with these issues is to seek out the advice of other countries, specifically those involved in the International Association of Insurance Supervisors (IAIS), which is currently devising principles for proper online conduct. Regulatory cooperation is particularly important, Hall says, as companies stretch their wings in the borderless world of Internet commerce.