Close Close

Regulation and Compliance > State Regulation

Vermont Proceeds With Controversial Consumer Privacy Regs

Your article was successfully shared with the contacts you provided.

NU Online News Service, Nov. 2, 6:26 p.m. – The Vermont Banking, Insurance, Securities and Health Care Administration will file three new department regulations pertaining to customer privacy issues in the areas of banking, insurance and securities with the Vermont Secretary of State’s Office.

The new regulations have been hotly contested by both life and property-casualty trade groups.

But Vermont Commissioner Elizabeth Costle says this is an “extremely important protection for all Vermonters. “Instead of waiving their right to privacy by inaction, Vermonters will be protected until they knowingly agree to the sharing of their personal information.”

The new regulations are to be filed in “the next few days,” according to a Nov. 2 statement. They are expected to be effective in mid-November. The rules were considered by Vermont’s Legislative Rules Committee and cleared the final review on Oct. 31.

Under these rules a customer must consent to disclosure of any nonpublic personal information to a non-affiliated third party (not covered by an exception.)

The Gramm-Leach-Bliley Financial Modernization Act of 1999 requires financial entities to protect their customers’ privacy by establishing minimum standards. However, states can adopt stricter standards.

Vermont banks are currently required to receive customer permission before disclosing nonpublic personal information. Additionally, under the Vermont Fair Credit Reporting Act, a consumer’s consent has been required for sharing among affiliated entities since 1992. That requirement was kept in place when Congress made amendments to the Act in 1996. The department says that the rules allow joint marketing as contemplated by GLB, but limit the information that may be disclosed to name, contact and “own transaction and experience” information under the federal Fair Credit Reporting Act.

The department outlined other major points covered by the regulation:

  • The Vermont rules prohibit the disclosure of account numbers and encrypted account numbers to nonaffiliated marketers, including telemarketers.
  • The affected industries will have 90 days after the rules take effect to come into compliance.
  • The rules contain very detailed transition rules for entities that have sent notices prior to the effective date of the rules.
  • With regard to health information, Vermont will treat compliance with the Department of Health and Human Services privacy rules as equivalent to compliance with the Vermont rules, except that the Vermont rules override the HHS rules in that they prohibit the use of the customer’s health information for marketing without the consumer’s prior consent.
  • The banking rules create exceptions that are not currently permitted under the Vermont bank privacy law.
  • Vermont continues to require consent for affiliate sharing of certain information under the Fair Credit Reporting Act. Under that law, affiliates may share name, contact and “own transaction and experience” information within the meaning of the federal Fair Credit Reporting Act. “Other information” that is considered part of a credit report may only be disclosed to an affiliate, if the consumer has given consent.

Insurer trade groups reacted angrily to the department’s plans.

Michael Lovendusky, a senior counsel with the American Council of Life Insurers, Washington, says the regulations deviate from a model privacy regulation adopted by the National Association of Insurance Commissioners, Kansas City, Mo.

The NAIC model regulation coordinates with federal privacy rules and is “the best bet for operational uniformity with the states,” Lovendusky says.

“We will evaluate whether to challenge this judicially over the next few weeks,” he says. A declaratory judgment could be sought before the regulations take effect, action could be taken after the regulations take effect, or a decision might be made not to take action, Lovendusky adds.

“We might just point to Vermont as the state that began digging the grave of state regulation of privacy because it undermines uniformity,” Lovendusky says.

The National Association of Independent Insurers, Des Plaines, Ill., is disappointed that the Legislative Committee failed to listen to the argument that “the insurance department lacked the authority to promulgate these rules,” says Gerald Zimmerman, an NAII senior counsel.

The best hope is to get Vermont H.B. 228 passed, says Zimmerman. Legislation would trump the regulation, he adds. A decision on whether to challenge the regulations is premature, he continues.

H.B. 228 mirrors GLB and gives the department authority to promulgate a regulation consistent with GLB and the NAIC model, he adds. The bill has roughly a one-in-three shot of passing, Zimmerman says.

Michael Moran, a spokesman for the American Insurance Association, Washington, says the Vermont action will “deny Vermonters the benefits of financial services modernization.” At press time, AIA says that no decision has been made on what action, if any will be taken in response to the department’s decision.