June 12, 2001
SUBJECT:
GRAMM-LEACH-BLILEY – Part I
BACKGROUND:
The Financial Services Modernization Act, commonly known as the Gramm-Leach-Bliley
Act, was signed into law by President Clinton on November 12, 1999.
(The Act is named for Sen. Phil Gramm of Texas, Rep. Jim Leach of Iowa,
and Rep. Tom Bliley of Virginia.) It was the culmination of many years
of work and debate, including negotiations which fluctuated between unparalleled
cooperation and partisan bickering. By removing the Depression-era
barriers between banks, insurers, and securities firms, the GLBA will undoubtedly
have a major impact on the entire financial services industry. However,
while most experts seem to believe that it is too early to assess the long-range
effects, the potential impact is enormous.
There are two provisions of GLBA that have great importance for the insurance industry immediately. First, Title III of GLBA reaffirms that states remain the primary regulators of insurance, a policy which was first established by the McCarran-Ferguson Act of 1945. During the debate over GLBA, many factions argued for stronger Federal control of insurance, and that debate continues. Second, Title V of GLBA establishes guidelines for protecting the privacy of consumers.
MAIN POINTS: The sweeping reforms accomplished by GLBA allow, and perhaps encourage, the consolidation of previously separate financial operations into larger, multi-functional organizations. One natural outcome of this consolidation is the sharing of personal information about customers among the various affiliates of the organization, as well as with third parties with whom the organization has a joint relationship. Supporters of financial modernization hail the efficiencies and benefits of such “one-stop-shopping,” while critics decry the potential dangers to the consumer from the loss of privacy and control of personal, private information.
Title V was added to GLBA to address the concerns for consumer privacy. Most in the financial services industry maintain that the privacy safeguards in GLBA are sufficient to protect personal customer information from being misused or inappropriately disseminated. On the other hand, most privacy advocates argue that there are too many loopholes and exceptions in Title V, and the result is a very weak and ineffective privacy protection framework.
All philosophical arguments aside, there is a pressing deadline of July 1 that insurance agents must meet in order to comply with the privacy provisions of GLBA Title V. The three primary requirements in Title V are:
(1) Privacy Notice: Agencies must develop a written privacy policy describing what personal information the agency collects about its customers, and to whom it discloses that information. GLBA requires that this Privacy Notice be sent to customers by July 1, 2001. Note: Alabama Regulation 122, Section 21, extends the deadline to December 31, 2001. In addition, new customers who are acquired after July 1 must be given the Privacy Notice when they become customers. Lastly, customers must be given the Privacy Notice annually thereafter.
(2) Opt Out Option: Under certain circumstances, customers can prohibit a financial institution from disclosing nonpublic personal information about them by completing an “Opt Out Notice.” This is one of the more controversial provisions of GLBA, since there are several broad categories of exemptions that permit disclosure of nonpublic personal information, and for which the customer has no right to exercise an Opt Out Notice. The actual wording in GLBA states that the customer has a right to Opt Out in situations where the financial institution “discloses nonpublic personal information to non-affiliated third parties for non-exempted purposes.”
Note first that sharing information among affiliates is permitted, and cannot be stopped by the customer through the Opt Out process. Under GLBA, entities are affiliates where there is 25% or more ownership.
As to sharing information with third parties (other than affiliates), the rule, stated in the affirmative, means that a financial institution can share information with third parties under three broad categories of “exempted purposes.” These are: (1) Service Providers and Joint Marketing Agreements; (2) Processing and Servicing; and (3) Other Specific Exceptions.
Therefore, a customer can only exercise an Opt Out option in situations other than any of the above. Such situations would be “non-exempted purposes,” and the customer can prohibit a financial institution from disclosing nonpublic personal information by completing an Opt Out Notice.
From a practical point of view, however, virtually all of the information sharing an agency does would probably fall within one of the “exempted purposes,” and thus it would be rare that an agency ever needed to offer a customer an Opt Out Notice.
For example, routine sharing of information like policy limits, value of a home or jewelry schedule, etc. with third parties such as underwriters, claims adjusters, and mortgagees, clearly falls into the “exempted purposes” category, and no Opt Out Notice is required.
Probably the largest potential “exempted purpose” is Joint Marketing. For example, if a home security firm wanted to purchase a list of insureds who have homes valued over $200,000 or jewelry schedules over $10,000, the agency could sell (or share) the information. If there was a Joint Marketing Agreement (JMA) between the agency and the home security firm, the customer would have no Opt Out option to prohibit the disclosure. While this is an unlikely scenario for most agencies, many larger financial institutions routinely buy and sell customer information. With a JMA in place, such sharing of a customer’s nonpublic personal information could not be stopped by the customer. However, if there had been no JMA, and such sharing of the customer’s information did not fall within one of the other exemption categories, then the customer must be provided with an Opt Out Notice.
(3) Data Security and Integrity: Every agency must develop policies and procedures to protect the confidentiality, security and integrity of each customer’s nonpublic personal information. To ensure confidentiality and security, the agency should restrict access to such information to employees on a need-to-know basis. To protect the integrity of customer information, physical, electronic, and procedural safeguards must be implemented that eliminate or minimize the unauthorized disclosure, misuse, alteration or destruction of customer information.
Special Reports
For a detailed analysis of Gramm-Leach-Bliley and how it impacts independent agents, the Independent Insurance Agents of America (IIAA) has an outstanding Special Report on their website, called “The Insurance Agent and Broker’s Guide to Privacy.” At the IIAA website (www.independentagent.com), go to the “Members” section, enter your agency ID and password, go to “Virtual Village,” then to “Legal Group,” and find the Guide. You can also obtain this information by calling our fax-on-demand service at 1-877-669-1872 and requesting document #6018.
The Alabama Department of Insurance has issued a new release regarding consumer privacy. At the ALDOI’s website www.aldoi.org, go to the Insurance News Index, and click on the Protecting Consumer Privacy link. The news release states that a regulation is being developed to protect non-public personal information in financial transactions.
“Top 10” Questions and Answers
1. What information is protected under Gramm-Leach-Bliley?
A. GLBA and Regulation 122 apply to “nonpublic personal financial information (NPFI) about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes.”
2. So GLBA mostly applies to Personal Lines?
A. Yes. But GLBA applies to all financial services provided by an agency, so the scope includes not only traditional Personal Lines P&C policyholders such as Homeowners and Personal Auto, but individual Life, Health and Disability policyholders, as well as any other financial services the agency handles for individuals. Regulation 122, however, exempts health information.
3. Does it apply to Commercial Lines?
A. No, with one exception. Regulation 122, in Section 4, states that, “This regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes, nor does it apply to workers compensation claims, workers compensation insurance, workers compensation programs, or employee welfare benefits plans as defined in 29 USC Section 1002 (1) or any third party administrator to the extent it provides services to a workers compensation program or employee welfare benefit plan.” However, there is an exception for group policies. Therefore, no Privacy Notice is required to be sent to Workers Compensation policyholders in Alabama.
4. What does an agency have to do to comply with GLBA, and when?
A. (1) By July 1, 2001, send a Privacy Notice to each policyholder covered by GLBA, which is all Personal Lines accounts referenced above.
(2) After July 1, give each new customer covered by GLBA a copy of the Privacy Notice when the “customer relationship” is established.
(3) Annually thereafter, send a copy of the Privacy Notice to all customers covered by GLBA. Regulation 122, Section 10, allows delivery by hand, or by mail using the last known address of the policyholder. It can be mailed separately, or in a policy, billing or other written communication, including publications sent to a limited group of people which includes all or substantially all of the licensee’s customers. A mailing that uses an address label directed to “all policyholders” at a single address, or a mailing that uses an address label identifying by name more than one policyholder at an address, may be used.
(4) Establish a system of safeguards to protect the security and integrity of each customer’s NPFI. See information above, and additional details below.
(5) Send an Opt Out Notice if required – see discussion above, and additional details below.
5. What is required of the agency to comply with the data security and data integrity requirement?
A. GLBA does not specify any particular procedure or mechanism, just that the agency have some reasonable safeguards in place to protect the privacy of customers’ NPFI. For example, agencies should have procedures to limit access to customers’ NPFI only to employees on a “need to know” basis. In addition, guidelines should be established to prevent the release of NPFI to unauthorized parties outside the agency. Physical security of paper files and electronic records is in all likelihood already part of each agency’s existing operational procedures, and this would be a part of the agency’s data security program.
6. When would the agency be required to send an Opt Out Notice?
A. Rarely, if ever. The GLBA permits the disclosure of NPFI to certain parties and under certain circumstances (called “exempted purposes”), for which the customer has no Opt Out option. Therefore, in those situations, the agency would not have to provide an Opt Out Notice. The “exempted purposes” for which no Opt Out is required are disclosures to: (1) affiliates; and (2) non-affiliated third parties for (a) Service Providers or Joint Marketing, (b) Processing and Servicing, and (c) Other Specific Exceptions.
For all practical purposes, virtually all disclosures by most agencies of NPFI through normal insurance channels, and in connection with routine insurance processing, would almost certainly fall into one of the permitted “exempted purposes.” In the Special Report done by IIAA, the recommendation is made that to be fully in compliance with GLBA when remarketing an account at renewal, the agency should have a Joint Marketing Agreement (JMA) with each of its insurers. Refer to the IIAA Special Report for details.
Incidentally, there is a provision in GLBA that allows agencies that never disclose NPFI outside the permitted exceptions (“exempted purposes”) to use a “Simplified” Privacy Notice. [See Regulation 122, Section 7. C.5., or NAIC model act Section 7.C.(5)]. This probably applies to most agencies. See discussion below, along with a sample Simplified Privacy Notice, at the end of this report.
However, should an agency disclose NPFI outside of any of these exceptions, an Opt Out Notice must be provided to customers (and the “Simplified” Privacy Notice cannot be used).
Further, if the agency discloses NPFI about “consumers” (vs. “customers”) outside the exceptions, the consumer is also entitled to an Opt Out Notice, as well as the agency’s Privacy Notice. A “customer” is a person with whom the agency has a “continuing relationship,” typically meaning they have purchased a policy or service from the agency. A “consumer” is a person with whom there is no “continuing relationship,” such as an applicant. The Privacy Notice must always be provided to “customers,” but would only be provided to “consumers” if the agency disclosed NPFI about them, at which time the “consumer” would get both the Privacy Notice and the Opt Out Notice.
7. Are there any agents that don’t have to send Privacy Notices?
A. Yes, but most authorities believe the so-called “agent exemption” does not apply to independent agents. Specifically, the regulation says that a “licensee” (agent) does not have to send a Privacy Notice if the “principal” (the insurer) sends one, and “the licensee does not disclose NPFI to any person other than the principal or its affiliates.” Since independent agents disclose NPFI to several insurers or brokers in remarketing an account at renewal, they would be disclosing NPFI to other parties (i.e., other insurers), who are not “the principal” referenced in the exception. In other words, it appears that independent agents operate outside the narrow “agent exemption,” and thus should send their own Privacy Notice.
8. Does each state develop its own regulations to comply with GLBA?
A. Yes. One of the outcomes of the battle between those who want strong Federal control of insurance, and those who want to retain state control, was the provision in GLBA that permits each individual state to develop its own compliance regulations. Most states seem to be following the NAIC model act, but many are making modifications in one way or another. (Alabama adopted the NAIC model act with minor changes.) The net effect of each state’s adopting its own compliance guidelines is that financial services organizations, including insurers and agencies, that operate in multiple states have to contend with a hodgepodge of regulations interpreting and implementing the same Federal law (GLBA).
9. Are any changes anticipated to GLBA?
A. Possibly. Many privacy advocates feel that the privacy protections afforded to consumers under GLBA are too weak. For example, most cite the very limited Opt Out opportunities consumers have to prevent their NPFI from being disclosed to other parties. In addition, proponents of stronger Federal control of insurance point to the jumble of state compliance regulations implementing GLBA. And from many quarters come complaints about the complexity and confusion over some provisions of GLBA. So amendments at the Federal or state level at some point seem likely.
10. Is there a “Simplified” Privacy Notice that agencies can use?
A. Yes. As mentioned above, for agencies that do not disclose NPFI outside the permitted exceptions (that is, all disclosures of NPFI are within the “exempted purposes”), the GLBA [NAIC model act Section 7.C.(5)], and Alabama Regulation 122 [Section 7C.5.] allow for the use of a “simplified” Privacy Notice. This rule probably applies to most agencies, and will allow a very brief Privacy Notice to satisfy the GLBA requirement. The rule requires certain points to be covered in the “simplified” version, and both the NAIC model act and Alabama Regulation 122 include (in the “Appendix of Sample Clauses” section) suggested wording that would meet the required content.
AIIA has drafted a sample of the “simplified” Privacy Notice. It appears on the next page.
(draft)
Gramm-Leach-Bliley Act
Sample Privacy Policy
“Simplified Notice”
Notes to agents:
Note (1): Alabama Department of Insurance Regulation 122, Rule 7. C.5. permits a “simplified” Gramm-Leach-Bliley Privacy Notice for use by agencies that do not disclose nonpublic personal financial information about customers outside the three categories of exceptions.
Note (2): This sample “simplified” Privacy Notice is applicable to agencies that disclose nonpublic personal financial information about customers only as provided under Alabama Department of Insurance Regulation 122, Section 15 and Section 16 (Service Providers and Joint Marketing), (Information for Processing and Servicing), and (Other Exceptions). See Alabama Regulation 122, Sample Clauses A-1, A-3, and A-7. If an agency discloses nonpublic personal financial information about customers under any other circumstances, this sample Privacy Notice cannot be used.
Our Privacy Policy
(Optional introductory paragraph):
We appreciate the opportunity to serve you by providing a quality insurance program and other financial services. We have always placed a high priority on protecting the personal information you provide us.
*******************************************************************************************
Here is our policy on the personal information about you we collect and use.
We collect nonpublic personal financial information about you from the following sources:
* Information we receive from you on applications and other forms;
* Information about your transactions with us, our affiliates or others; and
* Information we receive from a consumer reporting agency.
We do not disclose any nonpublic personal financial information about our customers or former customers to anyone, except as permitted by law.
We restrict access to nonpublic personal financial information about you to those employees who need to know that information to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal financial information.