Insurers Detail Privacy Exam Concerns

Insurers say that they want to continue discussions concerning a market conduct examination initiative that would look at compliance with privacy requirements in the Gramm-Leach-Bliley Act of 1999.

Trade groups representing insurers say that there have been discussions with regulators including District of Columbia Director Larry Mirel.

Regulators are seeking to streamline the market conduct examination system to make state regulation more efficient.

A first round of a planned four-part round of surveys was distributed to insurers at the start of the month and the issue could be raised when the Kansas City-based National Association of Insurance Commissioners meets next month in Chicago for its fall meeting.

As functional regulators, insurance commissioners need to know that there is compliance with GLB, said Bruce Ferguson, senior vice president-state relations with the American Council of Life Insurers in Washington.

But “the execution of the concept is where the problems surface,” he continued. “It is one of the first tests in a post-Gramm-Leach-Bliley world as functional regulators.”

Issues that insurance trade groups say remain a concern include the lack of uniformity among state regulation, the uncertainty over reciprocity, cost and protection of proprietary information.

One issue that remains is how to conduct a national market conduct exam based on standards that differ, Mr. Ferguson added. For instance, he explained that some states have privacy standards that include health privacy requirements, while others have standards that solely address financial privacy.

Another issue of concern to companies is that the survey contains questions asking for proprietary information such as the security features of the computer system, he said. If the information from the survey is made public, along with the market conduct report, then “it could be a blueprint to invasion of computer systems,” he continues.

Such information would be better satisfied by an on-site demonstration, he said.

Cost is another factor, he adds. If a life company group has a centralized privacy standard, then the cost would be $30,000 for one market conduct examination. However, if a group has a decentralized structure with individual companies handling privacy differently, then the cost could be $30,000 multiplied by the number of different approaches, he said.

Companies are concerned over whether a sizeable number of states will sign on to a reciprocity agreement, according to Robert Zeman, senior vice president-state government affairs with the National Association of Independent Insurers in Des Plaines, Ill.

Additionally, there are concerns that PricewaterhouseCoopers, the contractor for the privacy market conduct initiative, has also acted as auditor for some companies, potentially creating a conflict of interest, he continued.

While the Health Insurance Association of America in Washington supports the concept of market conduct uniformity and privacy, member companies have some concerns, said Chris Petersen, an attorney with Morris Manning and Martin in Washington, who acts as outside counsel for the trade group.

Conflict of interest is one concern. But regulators have indicated that companies that feel there is a conflict of interest can approach them and an alternate vendor will be found to work with those entities, he said.

On the issue of reciprocity, critical mass in the order of 30-40 states would be desirable, Mr. Petersen said.

Of great concern to companies, he added, is that any “vulnerability assessment” concerning security be kept confidential. “Companies are very nervous about releasing that.”

What will be important for companies is to articulately describe privacy policies and procedures that are in place so that those procedures are not considered inadequate or misunderstood, he said. Failure to articulate procedures could lead to further examination by regulators, Mr. Petersen said.

The initiative could be a positive if a large number of states look at privacy only once and the document used is appropriate, said Peter Bisbecos, director of legal and regulatory affairs with the National Association of Mutual Insurance Companies in Indianapolis.

But companies are raising questions about the number of states that will participate, the broad nature of the survey and how confidential information provided in that survey will remain, he said.

Jim Connolly is a senior editor for NUs Life-Health and Financial Services Edition.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 1, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.