IIAM OVERVIEW OF
GRAMM-LEACH-BLILEY PRIVACY INFORMATION
A special report exclusively for IIAM Members
Introduction
This guideline and suggested privacy notice are brief explanations and suggestions regarding compliance with the privacy provisions of the Gramm-Leach-Bliley Act. More detailed sources, such as those published by the Independent Insurance Agents of America, Inc. (available to members only at www.iiaa.org), are available and should be reviewed by those agents having further questions or complicated corporate structures. The following suggested forms are intended to address only the situations likely to be encountered in stand-alone agencies, that is, agencies operated as one entity or multiple agencies operated under common ownership, but involving only insurance agencies. Any insurance agency that is affiliated in any way with another financial institution, or other business, should get special counsel regarding its privacy requirements and notices, as these forms are not prepared for its use. Furthermore, the information contained herein, and the forms suggested, are intended only to address the privacy requirements of the Gramm-Leach-Bliley Act and do not address other potential privacy concerns such as the FCRA, the Federal Crime Act or HIPAA.
Overview
For those not previously focused on privacy issues, Congress created new requirements for businesses in the financial services industry with the passage of the Gramm-Leach-Bliley Act (“GLBA”). Title V of the GLBA regulates the use of customer information, termed “non-public personal information”, by financial institutions, including insurance agencies. Essentially the Act imposes three requirements:
1. Notice requirements. Every financial institution must provide its customers, as defined by the Act, with a notice describing how the customer’s non-public personal information is handled by the financial institution, and to whom, if anyone, that information is disseminated.
2. Opt-out provisions. Before a financial institution can share non-public personal information about a customer with a non-affiliated third party, the customer must be notified of the right to prohibit such sharing of information by exercising an “opt-out” provision.
3. Security. All financial institutions that collect non-public personal information must institute mechanisms for protecting the security and integrity of that information.
A further GLBA distinction should be noted. The GLBA distinguishes between customers and consumers. Every person with whom an agency has business dealings is a consumer, especially if the agency gathers information on that person, but only consumers with specific and on-going relationships are customers. In the case of insurance agencies, that generally means a customer is one who has purchased an insurance policy from the agency. The distinction is important because all consumers are entitled to the security protection of paragraph 3 above. However, only customers are entitled to the notice and opt-out provisions noted in paragraphs 1 and 2, unless the agency plans to disclose non-public personal information about a consumer to a non-affiliated third party, which then entitles the consumer to the protections of the opt-out provisions.
The Maryland legislature has passed legislation that authorizes the Insurance Administration to issue regulations to enforce the GLBA. While the regulations are not yet published, it is expected that the regulations will be similar to the model regulations developed by the NAIC. The MIA expects to have the regulations published and approved by January 1, 2002.
For insurance agencies the open questions are (1) how can they comply and (2) when is compliance required. For ease, we can first address the security requirements of item 3 above. Because portions of the GLBA requirements are effective July 1, 2001, each insurance agency should have a plan for the security of customers’ private information that is non-public personal information. Neither the GLBA nor the regulations are very specific as to the security to be provided, but at a minimum an agency should develop a memo to all employees instructing them not to discuss or disclose any non-public personal information without specific direction from the agency management. The use of such information for regular business purposes may already be addressed by any written agency procedures, which should continue to suffice as part of the compliance for GLBA security. An agency should also be expected to impose what could be viewed as fairly simple security rules. If any other parties have access to the agency when it is closed, such as cleaning services, then file drawers should be locked, and computers should be logged off or turned off so no one can access the information in the computer system. To the extent possible, agencies should use available computer security mechanisms to protect the information from outside hackers.
As to the notice provisions of GLBA, paragraph 1 above, the appropriate date to implement the notice provisions is subject to different interpretations. Initially, the GLBA required compliance by 11/12/00, but the GLBA authorized regulators to extend that compliance date. The Maryland Insurance Administration extended the compliance date to July 1, 2001 by Department bulletin, using the same dates selected by most federal agencies and most states by agreement at the NAIC. However, the Maryland legislature has just passed legislation setting a January 1, 2002, date. The potential question is whether the GLBA allows this second extension of the deadline for the notice provisions. The GLBA does not specifically allow such an extension, nor does it prohibit one. While sending notices by July 1, 2001 ensures an agency’s compliance with GLBA, there is at least a good faith argument of compliance if the agency follows the January 1, 2002, date set by the Maryland legislature.
A primary concern for the insurance agency is what should be in the privacy notice. Generally the agency wants to describe the type of non-public personal information the agency has, how it is obtained, how it is used, whether it is disclosed to any affiliates or non-affiliated third parties, and most specifically whether the information is disclosed through any joint marketing or service agreements. If an opt-out provision notice is required, the notice should explain that as well. The first notice must be sent by whatever date the agency determines is the legal requirement, and then annually after that. The future notices could, of course, be included with renewal statements.
Most insurance agencies will benefit from what is known as the “agent” exception. Basically, this exception means that if all the non-public personal information the agency possesses is a result of being an agent of an insurance company, and the insurance company has sent a privacy notice, then the agency is allowed to rely upon that notice and not send an additional notice. However, this exception would not apply to any business that is brokered, because in those situations the agency is not an agent of the insurance company. Therefore, the insurance agency will be required to send a notice to all customers with brokered business.
Some questions exist as to which customers must receive a notice. The GLBA and expected state regulations require the notice to go to customers with personal, family or household business with the agency. This eliminates the need to send notice to commercial lines customers. Many commentators also think this is true for farm business, but if the farm is not incorporated, it may be difficult to separate what is farm from what is personal. If you broker a farm, a notice will not hurt.
The final concern for the agency is when and how an opt-out provision must be provided to the customers. Generally, an insurance agency must provide an opt-out notice if it discloses any non-public personal information to non-affiliated third parties. The GLBA generally allows financial institutions, including insurance agencies, to share non-public personal information as long as:
1. The agency provides an initial privacy notice;
2. The agency discloses the recipient of the information;
3. The agency provides an opt-out opportunity to the customer; and
4. The customer does not opt out.
Certain disclosures of information are exempt from the opt-out notice, meaning that no opt-out notice is required so long as the disclosure falls within these exemptions. The primary exemptions are:
1. The use of the information is to complete the transaction for which the information was originally provided; for example, in an agency, the information is used in an application to place an insurance policy.
2. The agency has the consent of the consumer for the disclosure.
3. Specific legal requirements recognized by the GLBA or the enforcing regulation, for example to comply with court orders.
4. The non-affiliated third party to whom the information is disclosed performs services for, or engages in a joint marketing agreement with, the agency. These service agreements or joint marketing agreements should be in writing and must contain an agreement that the non-affiliated third party will maintain the confidentiality of the non-public personal information.
Some commentators have expressed concern over what occurs if an agent wants to re-bid insurance for a customer. The original transaction leading to the issuance of insurance would be exempt from an opt-out notice both under the agency exemption and under the consumer’s consent for that purpose. However, since the customer may not know about the re-submission for new bids, is an appropriate consent involved, or should the agency provide a new notice? Some commentators have suggested that agencies enter joint marketing agreements with all companies they represent, which would exempt the insurance agency from an opt-out notice under what is known as the “joint marketing exception”. However, while such joint marketing agreements may eventually occur with most companies, not all companies are likely to be prepared for those by July 1, 2001. Therefore, the simplest safeguard an agency could take at this point would be to obtain consent from the customer for the re-submission. The agency may even want to create a form that advises all consumers at the time of the original application that the agency will use the non-public personal information it obtains to obtain coverages, and may later provide the same information to other companies for the purpose of obtaining the same insurance. The consumer’s signature and consent to this form would provide some safeguards for the agency.
In summary, agencies are required to send an original privacy notice to all brokered personal lines customers. All customers placed with appointed companies receive their notice from the company. If non-public personal information is disclosed to non-affiliated third parties, then the notice must include an opt-out provision, unless the relationship is a service agreement or a joint marketing agreement. The notices must be provided annually.