Notification Is Just The Tip Of The Privacy Iceberg
“The bad news is that there is a whole new world of [privacy] compliance and you have to figure out the rules,” said attorney Scott Sinder in a recent panel discussion. “The worse news is that it’s only the beginning.”
Sinder, a partner in the Washington, D.C., law firm of Collier Shannon Scott, PLLC, reflected the views of his fellow insurance experts on the topic “Privacy: The Raging Consumer Issue.”
The CPCU Society and the Insurance Institute of Canada’s Chartered Insurance Professional Society presented the wide-ranging discussions on notice issues and the practicalities of implementing privacy mandates in a live satellite broadcast from Washington, D.C., last month.
As explained by Sinder, the Gramm-Leach-Bliley Financial Services Modernization Act sets out three basic requirements for all financial institutions in regard to privacy:
It requires that consumers be given notice about how information is collected and disclosed.
It requires a provision allowing consumers to “opt out” if the information is shared with third parties for a non-exempt purpose.
Certain data security and integrity measures are required.
Vance C. Gudmundsen, assistant general counsel for Capital One Financial Corp. in Falls Church, Va., added that GLB requires compliance with the consumer privacy protections by July 1, 2001.
Sinder noted that GLB’s privacy provisions apply not only to insurance companies, but also to insurance brokers and independent agents.
Colorado Insurance Commissioner William J. Kirven III added that the model privacy act developed by the National Association of Insurance Commissioners applies to all licensees, including brokers and independent agents.
Martin C. Loesch, an attorney and principal in Tech Risk Law of La Conner, Wash., noted that financial institutions have shared consumer information with third parties for a long time.
But the Internet has accelerated consumer awareness of how quickly and widely that information can be transmitted and stored, said John McGlynn, president and chief operating officer of Markham General Insurance Company of Toronto.
Gudmundsen suggested that the increased affiliations of banks, securities firms and insurance companies is also fueling the drive to greater privacy protection. He said that Congress and regulators realized these affiliations facilitate the sharing of information with many different groups–a notion that “scared a lot of people.”
McGlynn added that beleaguered recipients of unsolicited mail are the “grass-roots of the privacy movements.” In Sinder’s view, since federal lawmakers themselves receive such mail, they were eager to move privacy legislation along. He also said that “unusual constituencies” of people from both the right and the left coalesced around the goal of eliminating unfettered access to personal information.
According to Gudmundsen, if a customer does not affirmatively let a financial services institution know that he does not want his information going to non-affiliated parties or to affiliated parties for marketing purposes, the presumption is that the institution can use the information for any purpose. Consequently, he thinks of opt-out as the “inertia advantage.”
Sinder believes that the debate as to who owns information gathered from consumers remains unsettled in the United States. Nevertheless, he believes that the federal Fair Credit Reporting Act will prove to be the ultimate standard even under GLB.
He explained that, under the FRCA, consumer information that a financial services institution collects to determine eligibility for its product always belongs to the consumer, while information about direct transactions between the consumer and the institution–such as a payment history–belongs to both the consumer and the institution.
But with the FCRA expiring in June 2004–an election year–”a lot of people believe that the repositioning of GLB will be the vehicle that determines how privacy comes to be treated in the United States,” Gudmundsen noted.
Lenore Marema, vice president of the Alliance of American Insurers, based in Downers Grove, Ill., said that no financial services institution can create a GLB-compliant privacy notice without first auditing its own internal procedures. She said an institution must determine five basic facts:
The kind of information the institution gathers.
How the institution obtains the information.