NU Online News Service, Nov. 29, 4:33 p.m. – Insurers are weighing a legal challenge to privacy regulations recently established by the Vermont Department of Banking, Insurance, Securities & Health Care Administration.

Insurers argue that the rule exceeds the department’s authority and the dictates of the Gramm-Leach Bliley Act of 1999 because an opt-in would be required for non-affiliates sharing information such as credit worthiness and personal characteristics.

The department has maintained that it is trying to establish standards similar to those the state requires for banks.

The American Council of Life Insurers, Washington, says that an initial decision to legally challenge the decision has been made and a final decision should be made by the end of the first week in December. Among the options that need to be considered are whether the challenge would be a federal or state legal challenge. If a legal challenge is pursued, it would seek a temporary restraining order or an injunctive relief.

At press time, the American Insurance Association, Washington, was scheduled to hold a conference call for members Nov. 29, to determine whether to sue to prevent implementation of the regulation with a final decision also expected at the end of the first week in December.

Rey Becker, a vice president with the Alliance of American Insurers, Downers Grove, Ill., says that the alliance is considering the issue but that no decision has been made.

Becker spoke of separate efforts to develop privacy notice language that the National Association of Insurance Commissioners, Kansas City, Mo., is currently working on, stating that it was important not to add undue cost or added work to insurers who have already put privacy notice systems in place.

The National Association of Independent Insurers, Des Plaines, Ill., would rather seek a compromise with Vermont than pursue a lawsuit, according to Jerry Zimmerman, NAII senior counsel. Zimmerman says that the regulation would impose a different health notice than a required national notice if health data was collected.

The department does not have authority to enact such a regulation and the concern is that it could exceed its authority again in the future, according to Zimmerman. Enabling legislation that would give the department the right to enforce its privacy regulation could be a solution, he says.