NU Online News Service, Nov. 2, 6:26 p.m. – The Vermont Banking, Insurance, Securities and Health Care Administration will file three new department regulations pertaining to customer privacy issues in the areas of banking, insurance and securities with the Vermont Secretary of State’s Office.
The new regulations have been hotly contested by both life and property-casualty trade groups.
But Vermont Commissioner Elizabeth Costle says this is an “extremely important protection for all Vermonters. “Instead of waiving their right to privacy by inaction, Vermonters will be protected until they knowingly agree to the sharing of their personal information.”
The new regulations are to be filed in “the next few days,” according to a Nov. 2 statement. They are expected to be effective in mid-November. The rules were considered by Vermont’s Legislative Rules Committee and cleared the final review on Oct. 31.
Under these rules a customer must consent to disclosure of any nonpublic personal information to a non-affiliated third party (not covered by an exception.)
The Gramm-Leach-Bliley Financial Modernization Act of 1999 requires financial entities to protect their customers’ privacy by establishing minimum standards. However, states can adopt stricter standards.
Vermont banks are currently required to receive customer permission before disclosing nonpublic personal information. Additionally, under the Vermont Fair Credit Reporting Act, a consumer’s consent has been required for sharing among affiliated entities since 1992. That requirement was kept in place when Congress made amendments to the Act in 1996. The department says that the rules allow joint marketing as contemplated by GLB, but limit the information that may be disclosed to name, contact and “own transaction and experience” information under the federal Fair Credit Reporting Act.
The department outlined other major points covered by the regulation:
- The Vermont rules prohibit the disclosure of account numbers and encrypted account numbers to nonaffiliated marketers, including telemarketers.
- The affected industries will have 90 days after the rules take effect to come into compliance.
- The rules contain very detailed transition rules for entities that have sent notices prior to the effective date of the rules.
- With regard to health information, Vermont will treat compliance with the Department of Health and Human Services privacy rules as equivalent to compliance with the Vermont rules, except that the Vermont rules override the HHS rules in that they prohibit the use of the customer’s health information for marketing without the consumer’s prior consent.
- The banking rules create exceptions that are not currently permitted under the Vermont bank privacy law.
- Vermont continues to require consent for affiliate sharing of certain information under the Fair Credit Reporting Act. Under that law, affiliates may share name, contact and “own transaction and experience” information within the meaning of the federal Fair Credit Reporting Act. “Other information” that is considered part of a credit report may only be disclosed to an affiliate, if the consumer has given consent.
Insurer trade groups reacted angrily to the department’s plans.