Privacy and Information Protection
Data breaches have recently been highlighted in several high profile incidents in which private customer data was compromised, including data breaches within the insurance industry. At Paul Revere we consider it a high priority to earn and keep our customers’ trust and confidence. Protecting the confidentiality of customer information is a responsibility that we take seriously.
PDF of this information
Existing Policies and Procedures
Paul Revere has an integrated privacy and security approach. The privacy team works closely with the company’s information security, physical security and records management areas, and meets monthly with a wider, cross-functional legal team to support the Company’s comprehensive approach to privacy and security issues.
Paul Revere has adopted and implemented internal privacy procedures, processes, and controls designed to: (1) ensure the confidentiality of personal information; and, (2) comply with state and federal privacy and security laws and regulations. We have cross-functional frameworks that incorporate policies, procedures, and business practices, and a fabric of technical and operational controls. For example, among the measures we have implemented are policies and procedures in compliance with various states’ laws regarding the treatment and confidentiality of personal information, its notification requirements in the event of an electronic data breach, and its requirements for the collection, use and disclosure of Social Security numbers.
We may share customers’ personal information primarily with...
- People who perform insurance, business and professional services for us
- Medical providers for insurance and treatment purposes
- Group policyholders for reporting and auditing
- Government or legal authorities when required or permitted by law
Our practices apply to our current, former, and future customers.
The law allows us to share personal information (except health information) with affiliates to market financial products and services. The law does not allow customers to restrict these disclosures. When required by law, we ask customers’ permission before sharing personal information for marketing purposes.
We have physical, electronic and procedural safeguards that protect the confidentiality and security of personal information. We give access only to employees who need to know personal information to provide insurance products or services.
Education and Awareness
Privacy and information security training is provided to new hires and existing employees on an annual basis, as well as through various types of targeted training based on business and compliance need. Employees are required to manage personal data responsibly and in compliance with privacy laws and our company policies. This begins with our Code of Conduct and applies to the following:
- Personal data of our customers, business partners and employees
- Details about the company’s business that are not known publicly
- Non-public information that might be of use to competitors or harmful to the company if disclosed, such as product development or new technology
- Information that suppliers, customers and claimants have entrusted to us
Paul Revere has an incident response plan, which is frequently updated to ensure all steps are clear, concise and accurate. The Incident Response Team investigates any reported unauthorized release of sensitive personal information to determine if an information security breach has occurred. If the Incident Response Team determines that a breach has occurred, we will take appropriate actions to protect the impacted individuals.
We align to the regulatory and compliance requirements for reporting based on state data security breach notification laws and, for HIPAA covered products, to the US Department of Health and Human Services (HHS) federal laws. In
the event of a security breach, we will notify you in the most expedient time and manner possible, without unreasonable delay, consistent with applicable federal and state laws.