Safeguarding Customer Privacy Creates New Issue for States

August 5, 2002

Insurance associations have been abuzz the past couple of weeks with regard to impending changes and new proposals to privacy regulations under Congress’ Gramm-Leach-Bliley Financial Modernization Act (GLB).

Each state has already finalized details fulfilling one aspect of the GLB pertaining to the insurance industry (defining what method companies will use to send opt-out privacy notices to their customers), but many still are scrambling to catch up with another aspect, which would require companies to create a written information security program to safeguard customers’ personal information.

This new push for proposals stems from a recent General Accounting Office report reminding states that GLB requires companies to protect customers’ non-public personal information, including financial and health information.

According to a press release from the National Association of Independent Insurers (NAII), “the objectives of the information security program in the Gramm-Leach-Bliley Act are to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of the information and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.”

“The model of standards for safeguarding customer information is written very well in that it leaves up to each individual insurer the ability to determine what they need in the way of standards for safeguarding their customer information,” said Kathleen Jensen, insurance services counsel for the NAII.

While New York and Oregon are the only two states to have officially adopted standards for safeguards, nine other states also already have proposals, according to Rey Becker, vice president of the property/casualty department of the Alliance of American Insurers. They include Arkansas, California, Iowa, Montana, Nebraska, North Carolina, South Dakota, Utah, and West Virginia.

One concern noted by the NAII is the use of the word “consumer” rather than “customer” by Arkansas and West Virginia, a move deemed burdensome by the NAII.

“The difference between customer and consumer goes back to GLB,” said Jensen. “They encompass different people. A consumer is someone that the insurer does not have a continuing relationship with. Also included in the definition of consumer is claimant and work comp. An insurance applicant, at the time they become a policyholder, they become a customer, which [the insurer] has a continuing relationship with. You’re going to put in greater standards for those people [customers]. By extending standards for safeguarding to consumers, all of a sudden you have to put those same standards for an applicant.

“We don’t think that the states should extend it to consumers because it’s going to place another burden on the insurance companies,” she added.

Another state making waves in regard to privacy proposals for standards for safeguards is Oregon, whose adopted rule includes the requirement that the licensee shall “determine if standards should also ‘apply to commercial information derived from non-customer sources.'”

“If Oregon is saying that they need to look at commercial entities, they’re going beyond what GLB mandated. Part of GLB was to place all financial institutions on a level playing field with regard to privacy, so that one financial institution does not have to expend more money or have tighter restrictions placed on them with regard to compliance, and that therefore are put at a disadvantage than other financial institutions,” said Jensen. “By suggesting that a company needs to look at commercial lines, it’s taking away that leveling of the playing field and it’s putting greater restrictions on insurance companies that are not being placed on banks.”

On the California front, revisions to the original regulations continue to volley back and forth between the California Department of Insurance (CDI) and the associations representing the insurance industry. While the CDI maintains that their version of the regulations still closely resembles the ever-popular NAIC model, associations cite their concerns.

“Our major concerns really boil down to a fear that we’re going to have California-only requirements that are going to wind up to be very costly for the insurance industry to administer,” said Becker. “[It] will ultimately wind up in providing fewer choices for insurance consumers in California because the California system will be so different that companies are going to be reluctant to write business in the state.”

Becker named several aspects of the proposed regulations that the Alliance has voiced concern over. “The Department seems to want to take a rather unique approach to language in privacy notices, and require that [it] pass a readability test, and that [it] be printed in a certain type size. No other states are taking that approach,” he said. Another issue the Alliance has looked at is the requirement that insurers provide their customers with postage pre-paid return envelopes to use with their opt-out forms, one that Becker feels will impose unnecessary but costly postage and printing expenses.

A major concern shared by both Becker and Sam Sorich, senior vice president and general counsel at the National Association of Independent Insurers (NAII), is the CDI’s desire to regulate commercial insurance in addition to personal lines, an action that Becker and Sorich strongly disagree with. At a hearing held Feb. 8, 2002, Sorich and the NAII testified against this action, saying that “the federal law and state law only apply to insurance that’s purchased for family, personal purposes, and that the regulations should not extend to commercial insurance policies.”

Becker adds to this point, saying “That was not the intent of Congress, not the intent of the California legislature, and it’s also not necessary. When you’re talking about individual people who buy an auto insurance policy or homeowners policy, there’s something to be said for needing to have consumer protections in place and often one might be dealing with an unsophisticated buyer, in many cases. On the commercial side, these are business people. They make hiring and firing decisions every day, they sign leases, they purchase insurance; that’s not what the laws were designed to regulate.”

Sorich also said that the NAII is concerned over the requirement that would mandate an insurer to have the policyholder fill out an opt-out form to share information with other insurance companies at the time of renewal, in order for the insurer to be able to shop around for new quotes. “Our point was, that’s not really necessary, there’s no real requirement in the federal law to do that, and we thought it was a requirement that’s not going to help the consumer and is going to make life more difficult for agents to get the best coverage and price for an agent’s customers,” said Sorich.

With regard to the proposals for the written information security program, California has already included it in its privacy regulation. Becker adds, “We don’t have a problem with that part of the California regulation. It’s a requirement that’s in the GLB. What we have seen so far in the California regulation matches up pretty well with the NAIC model on that topic.”

Bottom line, privacy regulations are going to affect independent agents and brokers and insurance companies nationwide.

“Agents are often on the front lines of dealing with these issues and certainly in dealing with the customers and it’s going to be one more bureaucratic task that they’ll be called upon to perform at a time when they’re perhaps already being squeezed on commissions,” said Becker.

“It’s the company that’s going to have to put together the program. It depends on the kinds of statutes that the state passes, and what kind of guidelines that are going to have to be in place. It could be costly,” said Susan McKenna, director of media relations at the NAII.

Sorich added, “There are more requirements imposed on insurance companies than agents. The ultimate responsibility for sending out the notice and compliance rests with the insurance company.”


From This Issue

Insurance Journal West August 5, 2002