Insurers Largely Pleased With Actions By States On Privacy
By and large, insurers are pleased with states’ work on putting privacy standards in place for a July 1 deadline set by the Gramm-Leach-Bliley Act of 1999.
The two exceptions they say are blocking an unobstructed view to uniform privacy standards are a bill primed for action in the California legislature and a regulation being crafted in Vermont.
Depending on whom you ask, the number of states that have privacy regulations in place or will have them shortly totals between 37 and just over 40.
“The states have rallied and are performing their roles as functional regulators,” says Michael Lovendusky, senior counsel with the American Council of Life Insurers in Washington.
A number of states such as California, Massachusetts and Minnesota have 1982 NAIC model standards in place. Even if new laws or regulations are not immediately put in place July 1, insurers will have guidance, interviews suggest. And, even if a state department or legislature did not have or chose not to put a standard in place, they add, GLB’s requirements would become effective until a state established its own standards.
Both life and property-casualty companies were upset by S.B. 773 in California, a bill that was scheduled to be marked up and moved out of the Assembly Banking Committee to the Judiciary Committee.
The bill, sponsored by California State Senator Jackie Speier, D-San Mateo, would have established opt-in standards for financial information shared with third parties and an opt-out system for affiliates. An opt-in standard requires insurers to receive permission to use nonpublic personal information for marketing purposes. An opt-out, on the other hand, requires that an individual request the information not be used. California already has opt-in health privacy requirements in place.
The bill, says Nicole Mahrt, a spokeswoman for the American Insurance Association in Sacramento, failed by a vote of 5-3, which was one vote shy of the six needed for the bill to move.
Speier was being heavily lobbied by both life and property-casualty insurers to make amendments to the bill.
Some adjustment was made, says Mahrt, who adds that just prior to a four-hour hearing on June 25, a change was made that would have allowed for an opt-out for affiliates, but an opt-in for information sharing with third parties.
The bill can be revisited in January 2002 or another bill, Assembly bill 784, could be considered, Mahrt says.
If S.B. 773 is taken up again, Mahrt says a concern that needs to be addressed is a personal right of action provision that could result in a $1,000 fine per letter for each privacy infraction. That would have a “huge impact” on insurers, particularly the small insurance broker, she says. “It is also an open invitation to class-action suits,” she adds.
In Vermont, insurers say an attempt to incorporate privacy standards using standards banks now have, including an opt-in for non-affiliates, will raise challenges if pursued.
The department will be reissuing a final regulation by the end of the summer and will probably not have an opt-out for joint marketing. An opt-in requirement would be established for non-affiliates. For affiliates, there would be an opt-in requirement to the extent it is required by the Vermont Fair Credit Reporting Act.
If the opt-in approach from the banking standards is part of the insurance standards, the proposed regulation will be challenged at the state’s legislative review level, Lovendusky says. There is a lack of authority to borrow banking standards, he says.
A bill to repeal the opt-in, H.B. 228, has floundered, but could be revisited when the legislature reconvenes. H.B. 228 says privacy requirements can be no more restrictive than GLB and creates opt-out language except for health information.
Vermont is “most problematic,” says Rey Becker, a vice president with the Alliance of American Insurers, Downers Grove, Ill. The regulation could provide opt-ins for non-affiliates. “The Vermont regulation could end up in the courts at some point,” Becker predicts.
Elizabeth Costle, commissioner of the Vermont department of banking, insurance, securities and health care administration, says a final regulation should be in place over the summer.
There are currently no privacy regulations on the books for insurers, but there is a privacy regulation for banks as well as the Vermont Fair Credit Reporting Act.
The proposed regulation that insurers will be held to is an opt-in standard for both nonpublic health and financial information with a joint marketing exception, Costle says. In fact, she says, a joint marketing exception will also have to be carved out for banks.
Reproduced from National Underwriter Life & Health/Financial Services Edition, July 6, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.