Notification Is Just The Tip Of The Privacy Iceberg
“The bad news is that there is a whole new world of [privacy] compliance and you have to figure out the rules,” said attorney Scott Sinder in a recent panel discussion. “The worse news is that it’s only the beginning.”
Sinder, a partner in the Washington, D.C., law firm of Collier Shannon Scott, PLLC, reflected the views of his fellow insurance experts on the topic “Privacy: The Raging Consumer Issue.”
The CPCU Society and the Insurance Institute of Canada’s Chartered Insurance Professional Society presented the wide-ranging discussions on notice issues and the practicalities of implementing privacy mandates in a live satellite broadcast from Washington, D.C., last month.
As explained by Sinder, the Gramm-Leach-Bliley Financial Services Modernization Act sets out three basic requirements for all financial institutions in regard to privacy:
It requires that consumers be given notice about how information is collected and disclosed.
It requires a provision allowing consumers to “opt out” if the information is shared with third parties for a non-exempt purpose.
Certain data security and integrity measures are required.
Vance C. Gudmundsen, assistant general counsel for Capital One Financial Corp. in Falls Church, Va., added that GLB requires compliance with the consumer privacy protections by July 1, 2001.
Sinder noted that GLB’s privacy provisions apply not only to insurance companies, but also to insurance brokers and independent agents.
Colorado Insurance Commissioner William J. Kirven III added that the model privacy act developed by the National Association of Insurance Commissioners applies to all licensees, including brokers and independent agents.
Martin C. Loesch, an attorney and principal in Tech Risk Law of La Conner, Wash., noted that financial institutions have shared consumer information with third parties for a long time.
But the Internet has accelerated consumer awareness of how quickly and widely that information can be transmitted and stored, said John McGlynn, president and chief operating officer of Markham General Insurance Company of Toronto.
Gudmundsen suggested that the increased affiliations of banks, securities firms and insurance companies is also fueling the drive to greater privacy protection. He said that Congress and regulators realized these affiliations facilitate the sharing of information with many different groups–a notion that “scared a lot of people.”
McGlynn added that beleaguered recipients of unsolicited mail are the “grass-roots of the privacy movements.” In Sinder’s view, since federal lawmakers themselves receive such mail, they were eager to move privacy legislation along. He also said that “unusual constituencies” of people from both the right and the left coalesced around the goal of eliminating unfettered access to personal information.
According to Gudmundsen, if a customer does not affirmatively let a financial services institution know that he does not want his information going to non-affiliated parties or to affiliated parties for marketing purposes, the presumption is that the institution can use the information for any purpose. Consequently, he thinks of opt-out as the “inertia advantage.”
Sinder believes that the debate as to who owns information gathered from consumers remains unsettled in the United States. Nevertheless, he believes that the federal Fair Credit Reporting Act will prove to be the ultimate standard even under GLB.
He explained that, under the FRCA, consumer information that a financial services institution collects to determine eligibility for its product always belongs to the consumer, while information about direct transactions between the consumer and the institution–such as a payment history–belongs to both the consumer and the institution.
But with the FCRA expiring in June 2004–an election year–”a lot of people believe that the repositioning of GLB will be the vehicle that determines how privacy comes to be treated in the United States,” Gudmundsen noted.
Lenore Marema, vice president of the Alliance of American Insurers, based in Downers Grove, Ill., said that no financial services institution can create a GLB-compliant privacy notice without first auditing its own internal procedures. She said an institution must determine five basic facts:
The kind of information the institution gathers.
How the institution obtains the information.
How the institution uses the information.
The affiliates and non-affiliates with which the institution shares the information.
The internal controls in place for the security and confidentiality of the information.
Marema indicated that the GLB opt-out provision is the issue on which the Alliance receives the most inquiries from its members. She specified that insurance companies are asking “a lot of practical questions,” such as how they are to administer an opt-out program, whether they need to provide an 800 telephone number for opting out, whether customers can opt out by e-mail or whether to offer a combination of these services.
Other insurer concerns cited by Marema included whether an opt-out by one insured triggers an opt-out for the entire family covered by the policy and whether a company’s opt-out should apply to its entire holding group.
Gudmundsen pointed out that Section 13 of GLB provides exceptions to the opt-out requirement. This exemption covers joint marketing agreements between two financial services companies that offer a financial product, even if the companies are not affiliated, he said, adding that the exception also applies to joint service-provider agreements.
Sinder suggested that the Section 13 exception creates a potential loophole by allowing financial services institutions to enter into joint marketing agreements to circumvent the opt-out provision.
He added that GLB “will not be the last word” on privacy. He predicted that, because of an amendment to GLB allowing the states to exceed federal law in developing privacy rules, financial institutions “will be the first ones back” asking federal lawmakers “for a fix to the mosaic of state laws.”
Drawing a distinction between privacy and security, Loesch said that under GLB, “the parameters [for security] are not as finely defined as they are for the type of information that must be protected.” He noted that technological standards are constantly evolving, as are best practices. McGlynn added that this flux makes compliance “a moving target.”
Loesch also stated, “We have to think of security in two contexts: transfer and storage.”
Gudmundsen also observed that there is internal security and external security. He said that his employer has state-of-the-art internal security systems, including encryption, authorization, physical safeguards and authentication. In terms of external security, the company must now keep track of information it shares with third parties, he said.
“We have the obligation to do a risk assessment of all of our partners [and vendors] to determine how safe and secure the information is with them,” he said. Moreover, he said his employer must do preliminary due diligence on those partners and have contractual provisions in place obligating the partners to treat the information safely, securely and only for the purposes for which it was given to them.
Finally, and “most nebulous” of all, under GLB his employer must monitor the partners’ use of the information. He pointed out that GLB does not define “monitor.” However, the statute does indicate that the company should refer back to the risk assessment and determine, on the basis of several factors, what its monitoring obligations are.
He also believes that regulators will be looking into a company’s training programs. “You have to tell every one of your employees how important the privacy of customer information is and what their role is in protecting that privacy,” he stated. He added that July 1 “is just the beginning.” There needs to be a “constant retraining,” he said.
Marema acknowledged that “there is no cookie-cutter approach” to privacy notification. Although the Alliance and other groups have developed notification forms for members, forms must be tailored to reflect a particular institution’s practices, she said.
How a financial services company uses information will become a competitive advantage, McGlynn forecasted. In other words, consumers will gauge a company’s trustworthiness by looking at whether the company keeps its word about not disclosing customer information, he said.
He also believes brokers and agents will look for insurance companies “that will assist them in providing a safe environment”that can provide “conduits for the safe transmission of data” about policyholders.
“Do your privacy compliance right the first time,” Marema said, addressing all those concerned. Otherwise, that failure to comply will generate even more regulation, most likely at the federal level, she warned.
Colorado Commissioner, Kirven, advised that those who collect information should be “slow to share” it until they can be sure that they are in compliance with the law.
E.E. Mazier is a staff writer for NU’s Property & Casualty/Risk & Benefits Management Edition.
Reproduced from National Underwriter Life & Health/Financial Services Edition, June 11, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.