BACKGROUND: The Financial Services Modernization Act, commonly known as the Gramm-Leach-Bliley Act, was signed into law by President Clinton on November 12, 1999. (The Act is named for Sen. Phil Gramm of Texas, Rep. Jim Leach of Iowa, and Rep. Tom Bliley of Virginia.) It was the culmination of many years of work and debate, including negotiations that fluctuated between unparalleled cooperation and partisan bickering. By removing the Depression-era barriers between banks, insurers, and securities firms, the GLBA will undoubtedly have a major impact on the entire financial services industry. Most experts seem to believe that it is too early to assess the long-range effects, but the potential impact is enormous.

Two provisions of GLBA are of immediate importance to the insurance industry. First, Title III of GLBA reaffirms that states remain the primary regulators of insurance, a policy that was first established by the McCarran-Ferguson Act of 1945. Second, Title V of GLBA establishes guidelines for protecting the privacy of consumers.

MAIN POINTS: The sweeping reforms accomplished by GLBA allow the consolidation of previously separate financial operations into larger, multi-functional organizations. One natural outcome of this consolidation is the sharing of personal information about customers among the various affiliates of the organization, as well as with third parties with whom the organization has a joint relationship. Title V was added to GLBA to address the concerns for consumer privacy.

Most important now is a pressing deadline of July 1 that insurance agents must meet in order to comply with the privacy provisions of GLBA Title V. The three primary requirements in Title V are:

(1) Privacy Notice: Agencies must develop a written privacy policy describing what personal information the agency collects about its customers, and to whom it discloses that information. This Privacy Notice must be sent to customers by July 1. In addition, new customers who are acquired after July 1 must be given the Privacy Notice when they become customers. Lastly, customers must be given the Privacy Notice annually thereafter.

(2) Opt Out Option: Under certain circumstances, customers can prohibit a financial institution from disclosing nonpublic personal information about them by completing an “Opt Out Notice.” This is one of the more controversial provisions of GLBA, since there are several broad categories of exemptions that permit disclosure of nonpublic personal information, and for which the customer has no right to exercise an Opt Out Notice. The actual wording in GLBA states that the customer has a right to Opt Out in situations where the financial institution “discloses nonpublic personal information to non-affiliated third parties for non-exempted purposes.”

Note first that the sharing of information among affiliates is permitted, and cannot be stopped by the customer through the Opt Out process. Under GLBA, entities are affiliates where there is 25% or more ownership.

As to sharing information with third parties (other than affiliates), the rule, stated in the affirmative, means that a financial institution can share information with third parties under three broad categories of “exempted purposes.” These are: (1) Service Providers and Joint Marketing Agreements; (2) Processing and Servicing; and (3) Other Specific Exceptions.

Therefore, a customer can only exercise an Opt Out option in situations other than any of the above. Such situations would be “non-exempted purposes,” and the customer can prohibit a financial institution from disclosing nonpublic personal information by completing an Opt Out Notice.

For example, routine sharing of information like policy limits, value of a home or jewelry schedule, etc. with third parties such as underwriters, claims adjusters, and mortgagees, clearly falls into the “exempted purposes” category, and no Opt Out Notice is required.

(3) Data Security and Integrity: Every agency must develop policies and procedures to protect the confidentiality, security and integrity of each customer’s nonpublic personal information. To ensure confidentiality and security, the agency should restrict access to such information to employees on a need-to-know basis. To protect the integrity of customer information, physical, electronic, and procedural safeguards must be implemented that eliminate or minimize the unauthorized disclosure, misuse, alteration or destruction of customer information.

SPECIAL REPORTS: For a detailed analysis of Gramm-Leach-Bliley and how it impacts independent agents, the Independent Insurance Agents of America (IIAA) has an outstanding Special Report on their website, called “The Insurance Agent and Broker’s Guide to Privacy.” At the IIAA website (www.independentagent.com), go to the “Members” section, enter your agency ID and password, go to “Virtual Village,” then to “Legal Group,” and find the Guide.

FREQUENTLY ASKED QUESTIONS WITH ANSWERS

1.  Are agents required to comply with the privacy notice?

Yes. Although there is an agent exception in GLBA, as a practical matter the exception is of limited benefit to independent agents because it does not apply if an agency intends to solicit competitive bids or renewals for its customers.

2.  What information is protected under Gramm-Leach-Bliley?

GLBA applies to “nonpublic personal information (NPI) about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes.”

3.  What is nonpublic personal information (NPI)?

NPI is information that:

· A consumer gives to an agent

· An agent obtains from a transaction with the consumer or any service performed for the consumer

· An agent obtains from other sources

Examples include information provided on a loan, credit card, or insurance application; policy number information; and information from a consumer report.

4.  So GLBA mostly applies to Personal Lines?

Yes, but GLBA applies to all financial services provided by an agency, so the scope includes not only traditional Personal Lines P&C policyholders such as Homeowners and Personal Auto, but individual Life, Health and Disability policyholders, as well as any other financial services the agency handles for individuals.

 

5.  Does it apply to Commercial Lines?

No, with one exception.  “This regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes.”  However, there is an exception for group policies.  In addition to sending a Privacy Notice to all Personal Lines policyholders, the agency’s Privacy Notice must be sent to the plan sponsor of any group insurance policy, i.e. workers’ compensation, group health, life, disability.

6.  What does an agency have to do to comply with GLBA, and when?

(1)  By July 1, 2001, send a Privacy Notice to each policyholder covered by GLBA, which is all Personal Lines accounts referenced above, and to the plan sponsor of all group policies.

(2)  After July 1, give each new customer covered by GLBA a copy of the Privacy Notice when the “customer relationship” is established.

(3)  Annually thereafter, send a copy of the Privacy Notice to all customers covered by GLBA.

(4)  Establish a system of safeguards to protect the security and integrity of each customer’s NPI.  See information above, and additional details below.

(5)  Send an Opt Out Notice if required.

7.  What is required of the agency to comply with the data security and data integrity requirement?

GLBA does not specify any particular procedure or mechanism, just that the agency have some reasonable safeguards in place to protect the privacy of customers’ NPI. For example, agencies should have procedures to limit access to customers’ NPI only to employees on a “need to know” basis. In addition, guidelines should be established to prevent the release of NPI to unauthorized parties outside the agency. Physical security of paper files and electronic records is in all likelihood already a part of each agency’s existing operational procedures, and these would be a part of the agency’s data security program.

8.  When would the agency be required to send an Opt Out Notice?

In most instances, agents would need to provide the Opt Out Notice.  However, the GLBA permits the disclosure of NPI to certain parties and under certain circumstances (called “exempted purposes”), for which the customer has no Opt Out option. Therefore, in those situations, the agency would not have to provide an Opt Out Notice.   The “exempted purposes” for which no Opt Out is required are disclosures to: (1) affiliates; and (2) non-affiliated third parties for (a) Service Providers or Joint Marketing, (b) Processing and Servicing, and (c) Other Specific Exceptions. 

 

In the Special Report done by IIAA, the recommendation is made that to be fully in compliance with GLBA when remarketing an account at renewal, the agency should have a Joint Marketing Agreement (JMA) with each of its insurers.  Refer to the IIAA Special Report for details.

 

Incidentally, there is a provision in GLBA that allows agencies that never disclose NPI outside the permitted exceptions (“exempted purposes”) to use a “Simplified” Privacy Notice.  This probably applies to most agencies.

 

However, should an agency disclose NPI outside of any of these exceptions, an Opt Out Notice must be provided to customers (and the “Simplified” Privacy Notice cannot be used).

 

Further, if the agency discloses NPI about “consumers” (vs. “customers”) outside the exceptions, the consumer is also entitled to an Opt Out Notice, as well as the agency’s Privacy Notice. A “customer” is a person with whom the agency has a “continuing relationship,” typically meaning they have purchased a policy or service from the agency. A “consumer” is a person with whom there is no “continuing relationship,” such as an applicant. The Privacy Notice always must be provided to “customers,” but would only be provided to “consumers” if the agency disclosed NPI about them, at which time the “consumer” would get both the Privacy Notice and the Opt Out Notice.

9.  Are there any agents that don’t have to send Privacy Notices?

Yes, but most authorities believe the so-called “agent exemption” does not apply to independent agents.  Specifically, the regulation says that a “licensee” (agent) does not have to send a Privacy Notice if the “principal” (the insurer) sends one, and “the licensee does not disclose NPI to any person other than the principal or its affiliates.”  Since independent agents disclose NPI to several insurers or brokers in remarketing an account at renewal, they would be disclosing NPI to other parties (i.e., other insurers), who are not “the principal” referenced in the exception.  In other words, it appears that independent agents operate outside the narrow “agent exemption,” and thus should send their own Privacy Notice.

10.  Can insurers share nonpublic personal information with agents?

Yes, insurers can share NPI with agents when agents are acting as service providers for a variety of purposes, regardless of whether a consumer permits disclosure of his or her information.