States Strive for Consistency in Complying with New Privacy Provisions

February 26, 2001

The 2001 state legislative sessions are off and running. Among the more pressing challenges this year for a number of insurance commissioners and lawmakers is reaching compliance with the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) by a rapidly approaching deadline.

Signed into law by President Clinton in 1999, GLBA became effective in November 2000. The legislation was enacted by Congress with the aim of strengthening the obligations of financial institutions to respect and protect the confidentiality of customers’ nonpublic personal information.

While banks are federally regulated, insurance is, of course, regulated by the individual states. As a result, states cannot be forced to adopt laws or regulations to implement GLBA. In fact, a number of states already have privacy legislation in place that is consistent with the provisions of GLBA.

However, regulations and/or legislation have been proposed in a number of states in an effort to reach compliance with GLBA privacy requirements. The majority of states have followed the lead of federal agencies, which extended the GLBA compliance date to July 1, 2001, for financial institutions.

What is compliance?
Mike Koziol, senior director and counsel of the National Association of Independent Insurers (NAII), described three basic levels of privacy compliance, which in GLBA relates specifically to financial information.

First, insurers, like all financial institutions, are required to give annual notice to customers regarding their practices for the collection and sharing of non-public personal information. However, there are two categories of individuals that interact with the financial institution, as defined in GLBA.

“Under certain transactions, they may be required to give a notice out to either ‘consumers,’ which are people looking at buying their products, or ‘customers,’ which are really insureds,” Koziol said. “The first level of compliance would be whether or not an insurer needs to send out a notice and to whom and when.”

GLBA specifies that those insurance products referred to are primarily for personal, family or household use.

Second, insurers must provide to a consumer or customer an option to “opt out” of marketing use of information with non-affiliated third parties. Annual notices informing individuals that they have that opt-out right must be sent.

Third, entities like insurers need to have internal procedures to protect information that gets into a company; that is, to keep it from being improperly shared or released. That might consist of anything from security systems to protection against hackers to particular wording in contracts.

Koziol noted that property/casualty insurers are not any less affected under GLBA than their life/health counterparts. There is, however, one slight distinction. GLBA applies to products generally associated with personal lines; however, in property/casualty, numerous types of commercial coverages also abound. Furthermore, the impact of privacy requirements reaches far across the insurance food chain, affecting carriers, producers and other participants.

“It applies to agents and brokers, certainly as entities that have personal information and are collecting it,” Koziol said. “Under GLBA…they’re subsidiaries of financial institutions technically.”

Two models for privacy
In response to states’ efforts to comply with GLBA, both the National Association of Insurance Commissioners (NAIC) and the National Conference of Insurance Legislators (NCOIL) drafted model regulation and legislation incorporating GLBA. Both models, intended to outline states’ requirements under GLBA as the privacy regulators for insurers, were adopted by the NAIC Executive Committee and Plenary Session last year: the NAIC model regulation on Sept. 26 and the NCOIL model law on Nov. 17.

Kathleen Jensen, insurance services counsel for NAII, noted that the two models are very similar, sharing much of the same language. There are, however, some notable differences between them.

First, NCOIL specifically excludes workers’ compensation and any sort of commercial lines. The NAIC model also specifically excludes commercial lines, but includes a workers’ compensation participant (which would be the employer that purchased the insurance) in the definition of “consumer.” Consequently, there is a duty to send a notice to the employer, and that employer then would have the opportunity to opt out as a consumer.

Another difference relates to health provisions, which both models contain.

“The NAIC is much more specific that you cannot disclose any information to anyone,” Jensen explained. “The NCOIL model is you cannot disclose for marketing purposes….You still would be able to disclose for other business needs.”

The third difference is that NAIC includes third-party claimants as consumers whereas NCOIL does not. “If you are accumulating third-party claimant information to determine loss ratios…and you disclose that information to a staff agency, not for purposes of reporting but for accumulating that information to help you determine rates, you would not be able to do that,” Jensen said.

States take action on privacy
According to Koziol, some states, feeling that health information is not addressed by GLBA, just want to get the GLBA financial information taken care of as soon as possible. The NAII estimates that about a dozen states intend to adopt the NAIC model. Eight of those states, including Washington, have decided to revise the model regulation by removing a portion covering health privacy provisions. The NAII, on the other hand, favors adoption of the NCOIL model, which it maintains “takes a more reasonable approach” with regard to sharing a consumer’s health information.

Furthermore, 16 states have already adopted a previous NAIC privacy model regulation, drafted in 1982. The intention of a number of such states is to modify the 1982 NAIC model in order to comply with GLBA. For other states, the decision is influenced by the fact that they do not have authority to pass a regulation without a statute already in place.

Understandably, the wide array of approaches taken by the different states can create some complications.

“As a trade association, [the NAII’s] position would be: ‘Just have privacy consistent with GLBA because that’s what the banks have to live under,’” Koziol said. “The major differences occur in things like the inclusion of health information. Some states just simply are not addressing that… The other one may be, ‘Do we include workers’ comp or not? Do we include commercial lines?’”

There have been some questions as to how burdensome complying with GLBA and its privacy provisions will become in terms of time, costs and the sheer volume of paper involved. But ultimately, no overwhelming problems are expected on the road to compliance, and many view the fact that insurers will have to be extra careful with the financial information in their care as a good thing. Indeed, a number of insurers already live with these general rules.

But as far as privacy legislation is concerned, the industry may be seeing only the tip of the iceberg.

“Last year…there was a real crazy quilt of bills affecting all sorts of activities,” said Sam Sorich, NAII vice president and western regional manager. “Most of that legislation did not pass. We’re seeing it again this year.”

Financial Privacy Action in the 2001 State Sessions

| State | Bill/Regulation Number | Bill/Regulation Summary | Comments/Status |
|---|---|---|---|
| Arizona | Circular letter | Extended GLB compliance to 7/1/01. Anticipate Department bill that will amend the 1982 NAIC law. | 1982 NAIC law in place. |
| California | | Extended GLB compliance to 7/1/01. No action. | 1982 NAIC law in place. |
| Nevada | Drafted bill | Anticipated bill based on 2000 NAIC model without health provisions. Extended GLB compliance to 7/1/01. | 1982 NAIC law in place. |
| Oregon | OAR 836-086-0005; SB 269 | Extended GLB compliance to 7/1/01. Amends the 1982 NAIC law to comply with GLB. | 1982 NAIC law in place for life/health only. |
| Washington | WAC 284-04-120-900; SB 5503 | Extended GLB compliance to 7/1/01. Incorporates 2000 NAIC model, but imposes an opt-in requirement, or customers’ prior consent, for disclosure of financial information. Also prohibits sharing among affiliates. | Outgoing Commissioner promulgated rule that incorporates NAIC model with references to HSS rules. |

Insurance Journal Magazine February 26, 2001