Personal Information and Nonpublic Personal Information
Personal information is information that can be associated with an individual. Nonpublic personal information is personal information that is not readily available to the public. Nonpublic personal information includes but is not limited to credit history, social security number, income, health, and claim information. An individual has some rights in controlling how his or her nonpublic personal information is used.
Why and How We Collect Personal Information
We collect personal information to underwrite polices, administer claims or provide related services. We may obtain personal information directly from the policyholder, the claimant/injured worker, from third parties, such as medical providers, attorneys, administrative agencies or index bureaus, or from other carriers or third party administrators.
Protecting Personal Information
CNA employees may have access to personal information in the course of doing their jobs, which includes underwriting policies, processing claims or providing related services. Employees are required to keep this information in confidence and share the information only with those who have a business reason to know. Employees are prohibited from making unauthorized disclosure of the personal information we obtain about customers and claimants. Employees who violate our policies on privacy may be subject to disciplinary action.
We use procedural, manual and electronic security controls to maintain the confidentiality, security and integrity of personal information in our possession and to guard against unauthorized access and disclosure. Some techniques we may employ to protect information include locked files, proper methods to destroy out-of-date information, user authentication, encryption, firewall technology and the use of detection software.
Disclosing Personal Information
To administer our business and provide related services, we may share personal information with affiliated CNA member companies and with unaffiliated third parties, including insureds, agents, brokers, other insurance companies, reinsurers, regulators, administrators, law enforcement agencies, service providers, and as otherwise permitted or required by law. In addition, we may share such information with other unaffiliated third parties who assist us by performing services for us or on our behalf, such as loss control, claim adjusting, case management, investigation, or offering products or services under a joint agreement between us and the third party.
We may disclose personal information with proper written authorization from the individual or as otherwise permitted or required by law.
Storage And Disposal Of Personal Information Including Social Security Numbers
CNA takes reasonable steps so that all documents and files (both electronic and in hard copy) that contain personal information such as Social Security numbers are stored in a physically secure manner. Personal information is defined under the law as information capable of being associated with a particular individual through one or more identifiers. Examples of personal information include a person's Social Security number, driver's license number, passport number, credit or debit card numbers and health insurance identification numbers.
CNA requires that personal information be stored in a way that prevents unauthorized access. For example, hard copy documents that contain personal information are to be stored in files that can only be accessed by authorized CNA employees or third parties, and computers or other electronic devices that contain personal information are to be secured against unauthorized access, such as using a password. CNA requires that any authorized personnel who maintain personal information must take appropriate steps consistent with this policy to safeguard such information.
Documents or other materials (both electronic and in hard copy) that contain personal information are to be disposed of in a manner such that the personal information is erased or made unreadable at the time of disposal.
CNA employees receive training regarding privacy protection requirements and measures taken by CNA to assure those requirements are met.
CNA monitors its privacy policies and procedures on an ongoing basis to assess risks to its privacy program as technology and the business landscape evolve. Changes are instituted accordingly.
Third Party Administrators and Vendors
CNA requires, by contractual agreement, that TPAs and vendors who obtain and maintain CNA customer information have standards to protect that information. Licensed entities may be required by law and regulation to protect information.
CNA is a worldwide insurer and reinsurer, doing business in many different countries. Some of these countries have enacted laws and regulations protecting personal information; other countries have not. It is CNA's policy to comply with the privacy laws and regulations of every country in which we do business