GLB Privacy Provisions Still Cause Confusion

Is it any wonder that consumers are confused and overwhelmed by their privacy options? The whole initiative has become a patchwork quilt with different requirements for different financial institutions. The issue is different state requirements that treat certain types of insurance differently.

Property-casualty insurers that write business in more than a few states have had to deal with a multitude of privacy compliance issues since President Clinton signed the Gramm-Leach-Bliley Act into law in July 1999.

The Act served many purposes. One purpose was to codify privacy regulations for all financial institutions. In addition, because it applies to all financial institutions, GLB attempted to create the “fully integrated” financial institution, allowing all of the various “financial” entities to co-exist with the same restrictions and benefits of sharing and receiving non-public personal financial information.

GLB was supposed to make it easier for multifaceted companies to transact business within their organizations by allowing affiliated companies to share information. The Act enabled this sharing but also assured that the individual consumer's privacy is protected by requiring every financial institution to send a privacy notice to their customers advising them of the information they collect, how they use this information, and who they give the information to.

Additionally, GLB requires financial institutions to allow their customers to prevent the financial institution from sharing their information with other non-affiliated companies outside of a business need through an “opt-out provision.”

Keep in mind that GLB protects only personal, family or household financial information. Congress did not feel a need to protect information that is received as a result of a commercial transaction.

Furthermore, Congress knew it was not necessary to address health information because that was and continues to be regulated by the Department of Health and Human Services through the Health Information Portability and Accountability Act.

Since insurance is regulated by the states, Congress also stipulated that each state promulgate legislation or regulation that is consistent with and no less restrictive than GLB.

With GLB in place, how did we end up with this patchwork of privacy legislation and regulation? Prior to GLB, many insurers already were complying with a privacy statute, though not as big and expansive as GLB.

The National Association of Insurance Commissioners had already developed the 1982 Insurance Information and Privacy Protection Model Act. Fifteen states subsequently enacted this statute. The 1982 model required insurers to send a privacy notice that is very similar to the GLB notice, but under the 1982 model, the insurer had to obtain an authorization prior to disclosing the information outside of a marketing or business purpose.

After the passage of GLB, Virginia was one of the first states to seize upon the 1982 model and make numerous revisions to it so that it would be in compliance with the Act. North Carolina was quick to follow.

While some states had already begun to grapple with revising the 1982 model, New York decided to draft an insurance regulation that would more closely track GLB. The New York draft eventually was adopted as the NAIC model. When the NAIC passed their final version of the model regulation, it contained a number of deviations from GLB.

The two most notable deviations from GLB appear in the New York regulation and the NAIC model. The first deviation is a requirement for workers compensation insurers to send a privacy notice to their commercial insureds, even though the regulation is in place only to protect personal, family and household information.

The second notable deviation is that both include specific provisions for health information, despite the fact that HIPAA was already in place to protect that health information.

Many states adopted a regulation consistent with the NAIC model. A number of states, however, chose to adopt a regulation that is more consistent with GLB and did not include the workers compensation or health privacy provisions. Michigan, Alabama, Indiana, Louisiana and Missouri all chose this path.

A handful of states that previously adopted the 1982 NAIC model statute decided to also adopt a GLB-compliant regulation without revising the existing statute. Illinois was one of these states.

Initially, insurers were concerned about the subtle differences between the statute and the regulation, but many insurers doing business in those states eventually decided to send out two separate notices. One notice was in compliance with the 1982 statute, and one with the GLB regulation.

Finally, there are a few states that have decided to “do their own thing” to be GLB-compliant. These states have caused the most difficulty for insurer compliance, requiring state-specific notices and procedures.

New Mexico and Vermont decided to adopt the NAIC model regulation, but changed the opt-out provisions to opt-in provisions. Alaska is considering a regulation that would prohibit affiliate sharing prior to providing an opt-out provision to their customers. California and North Dakota also are considering legislation that would prohibit affiliate sharing prior to providing the opt-out provisions.

As many states decided to follow New York's lead in the initial GLB compliance, many insurers are concerned that if the initiatives in Alaska, California and North Dakota are successful, many states will feel consumer pressure to amend their privacy regulations. This situation would only add more confusion for consumers.

Insurers are also closely watching and participating in the debate surrounding the expiration of critical provisions in the Fair Credit Reporting Act. Those that are not familiar with the necessity for the FCRA provisions have suggested changes to GLB as a trade-off for retaining the FCRA provisions. Changes to GLB would require changes to notices being sent to the consumer, causing additional confusion and possibly more expenses for insurers.

Consumers are already very confused by the various “privacy” notices they receive from many different financial institutions. Most consumers receive the pure GLB privacy notice from their bank, another from their credit card provider and yet another from their mortgage company. All of these notices would include an opt-out provision.

Consumers also receive their insurers' notices and, depending on the state they reside in, there could be three totally different notices sent even though they are all from insurance companies.

For example, their property-casualty insurer could send consumers a notice that is consistent with the 1982 statute and another notice that is consistent with the GLB insurance regulation. Their property-casualty insurers' GLB notice could include an opt-in provision for health information and an opt-out provision for financial information.

Also, consumers' health insurers' notices would only include the opt-out provision for financial information, but then they would receive a separate notice from their health providers with all the HIPAA requirements.

Is it any wonder that consumers and insurers are sometimes confused and overwhelmed by their privacy options?

While well-intentioned, state deviations from the guiding principles of GLB have helped to confuse rather than clarify privacy protections for consumers and have left insurers with the unenviable task of negotiating a minefield of compliance issues in order to meet both state and federal standards.

Kathleen N. Jensen is insurance services counsel with the Des Plaines, Ill.-based National Association of Independent Insurers.


Reproduced from National Underwriter Edition, June 23, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

