GLB Privacy Provisions Still Cause Confusion

Is it any wonder that consumers are confused and overwhelmed by their privacy options? The whole initiative has become a patchwork quilt with different requirements for different financial institutions. The issue is different state requirements that treat certain types of insurance differently.

Property-casualty insurers that write business in more than a few states have had to deal with a multitude of privacy compliance issues since President Clinton signed the Gramm-Leach-Bliley Act into law in July 1999.

The Act served many purposes. One purpose was to codify privacy regulations for all financial institutions. In addition, because it applies to all financial institutions, GLB attempted to create the “fully integrated” financial institution, allowing all of the various “financial” entities to co-exist with the same restrictions and benefits of sharing and receiving non-public personal financial information.

GLB was supposed to make it easier for multifaceted companies to transact business within their organizations by allowing affiliated companies to share information. The Act enabled this sharing but also assured that the individual consumer's privacy is protected by requiring every financial institution to send a privacy notice to its customers advising them of the information it collects, how it uses this information, and to whom it gives the information.

Additionally, GLB requires financial institutions to allow their customers to prevent the financial institution from sharing their information with other non-affiliated companies outside of a business need through an “opt-out provision.”

Keep in mind that GLB protects only personal, family or household financial information. Congress did not feel a need to protect information that is received as a result of a commercial transaction.

Furthermore, Congress knew it was not necessary to address health information because that was and continues to be regulated by the Department of Health and Human Services through the Health Information Portability and Accountability Act.

Since insurance is regulated by the states, Congress also stipulated that each state promulgate legislation or regulation that is consistent and no less restrictive than GLB.

With GLB in place, how did we end up with this patchwork of privacy legislation and regulation? Prior to GLB, many insurers already were complying with a privacy statute, though not as big and expansive as GLB.

The National Association of Insurance Commissioners had already developed the 1982 Insurance Information and Privacy Protection Model Act. Fifteen states subsequently enacted this statute. The 1982 model required insurers to send a privacy notice that is very similar to the GLB notice, but under the 1982 model, the insurer had to obtain an authorization prior to disclosing the information outside of a marketing or business purpose.

After the passage of GLB, Virginia was one of the first states to seize upon the 1982 model and make numerous revisions to it so that it would be in compliance with the Act. North Carolina was quick to follow.

While some states had already begun to grapple with revising the 1982 model, New York decided to draft an insurance regulation that would more closely track GLB. The New York draft eventually was adopted as the NAIC model. When the NAIC passed their final version of the model regulation, it contained a number of deviations from GLB.

The two most notable deviations from GLB appear in the New York regulation and the NAIC model. The first deviation is a requirement for workers compensation insurers to send a privacy notice to their commercial insureds, even though the regulation is in place only to protect personal, family and household information.

The second notable deviation is that both include specific provisions for health information, despite the fact that HIPAA was already in place to protect that health information.

Many states adopted a regulation consistent with the NAIC model. A number of states, however, chose to adopt a regulation that is more consistent with GLB and did not include the workers compensation or health privacy provisions. Michigan, Alabama, Indiana, Louisiana and Missouri all chose this path.

A handful of states that previously adopted the 1982 NAIC model statute decided to also adopt a GLB-compliant regulation without revising the existing statute. Illinois was one of these states.

Initially, insurers were concerned about the subtle differences between the statute and the regulation, but many insurers doing business in those states eventually decided to send out two separate notices. One notice was in compliance with the 1982 statute, and one with the GLB regulation.

Finally, there are a few states that have decided to “do their own thing” to be GLB-compliant. These states have caused the most difficulty for insurer compliance, requiring state-specific notices and procedures.

New Mexico and Vermont decided to adopt the NAIC model regulation, but changed the opt-out provisions to opt-in provisions. Alaska is considering a regulation that would prohibit affiliate sharing prior to providing an opt-out provision to their customers. California and North Dakota also are considering legislation that would prohibit affiliate sharing prior to providing the opt-out provisions.

As many states decided to follow New York's lead in the initial GLB compliance, many insurers are concerned that if the initiatives in Alaska, California and North Dakota are successful, many states will feel consumer pressure to amend their privacy regulations. This situation would only add more confusion for consumers.

Insurers are also closely watching and participating in the debate surrounding the expiration of critical provisions in the Fair Credit Reporting Act. Those that are not familiar with the necessity for the FCRA provisions have suggested changes to GLB as a trade-off for retaining the FCRA provisions. Changes to GLB would require changes to notices being sent to the consumer, causing additional confusion and possibly more expenses for insurers.

Consumers are already very confused by the various “privacy” notices they receive from many different financial institutions. Most consumers receive the pure GLB privacy notice from their bank, another from their credit card provider and yet another from their mortgage company. All of these notices would include an opt-out provision.

Consumers also receive their insurers' notices and, depending on the state they reside in, there could be three totally different notices sent even though they are all from insurance companies.

For example, their property-casualty insurer could send consumers a notice that is consistent with the 1982 statute and another notice that is consistent with the GLB insurance regulation. Their property-casualty insurers' GLB notice could include an opt-in provision for health information and an opt-out provision for financial information.

Also, consumers' health insurers' notices would only include the opt-out provision for financial information, but then they would receive a separate notice from their health providers with all the HIPAA requirements.

Is it any wonder that consumers and insurers are sometimes confused and overwhelmed by their privacy options?

While well-intentioned, state deviations from the guiding principles of GLB have helped to confuse rather than clarify privacy protections for consumers and have left insurers with the unenviable task of negotiating a minefield of compliance issues in order to meet both state and federal standards.

Kathleen N. Jensen is insurance services counsel with the Des Plaines, Ill.-based National Association of Independent Insurers.


Reproduced from National Underwriter Edition, June 23, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

