NAIC Privacy Project Has Insurers Concerned Over Many Issues

Insurers say they want to continue discussions with regulators regarding a market conduct examination initiative that would look at compliance with privacy requirements in the Gramm-Leach-Bliley Act of 1999.

Trade groups representing insurers say they have had discussions with regulators, including District of Columbia Director Larry Mirel.

Regulators are engaged in an ongoing process to streamline the market conduct examination system to make state regulation more efficient and say this project is part of that effort.

The first of a planned four-part round of surveys was distributed to insurers at the start of the month. The subject of the surveys could be raised when the National Association of Insurance Commissioners, Kansas City, Mo., meets next month in Chicago for its fall meeting.

As functional regulators, insurance commissioners need to know that there is compliance with GLB, says Bruce Ferguson, senior vice president, state relations, with the American Council of Life Insurers, Washington.

However, “the execution of the concept is where the problems surface,” he continues. “It is one of the first tests in a post-Gramm-Leach-Bliley world as functional regulators.”

Issues that insurance trade groups say are concerns include the lack of regulatory uniformity among the states, the uncertainty over reciprocity, cost and protection of proprietary information.

One issue is how to conduct a national market conduct exam based on standards that differ, Ferguson adds. For instance, he explains, some states have privacy standards that include health privacy requirements while other states have standards that solely address financial privacy.

Another issue of concern to companies is that the survey contains questions asking for proprietary information such as the security features of the computer system, Ferguson says.

If the information from the survey is made public along with the market conduct report, then “it could be a blueprint to invasion of computer systems,” he continues. A request for such information would be better satisfied by an onsite demonstration, Ferguson explains.

Cost is another factor, he says. If a life company group has a centralized privacy standard, then the cost would be $30,000 for one market conduct exam. However, if a group has a decentralized structure with individual companies handling privacy differently, then the cost could be $30,000 multiplied by the number of different approaches, he explains.

Companies also are concerned over whether a sizeable number of states will sign on to a reciprocity agreement, says Robert Zeman, senior vice president-state government affairs with the National Association of Independent Insurers, Des Plaines, Ill.

Additionally, there are concerns that PricewaterhouseCoopers, the contractor for the privacy market conduct initiative, also has acted as an auditor for some companies, potentially creating a conflict of interest, Zeman continues.

While the Health Insurance Association of America, Washington, supports the concept of market conduct uniformity and privacy, member companies have some concerns, says Chris Petersen, an attorney with Morris Manning and Martin, Washington, outside counsel for the trade group.

Conflict of interest is one concern, he says, but regulators have indicated that companies that feel there is a conflict of interest can approach them and an alternate vendor will be found to work with those entities.

On the question of reciprocity, critical mass on the order of 30-40 states would be desirable, Petersen says.

Of great concern to companies, he adds, is that any “vulnerability assessment” concerning security be kept confidential. “Companies are very nervous about releasing that.”

What will be important for companies is to articulately describe privacy policies and procedures that are in place so that those procedures are not considered inadequate or misunderstood, he says. Failure to articulate procedures could lead to further examination by regulators, Petersen says.

The initiative could be a positive if a large number of states look at privacy only once and the document used is appropriate, says Peter Bisbecos, director of legal and regulatory affairs with the National Association of Mutual Insurance Companies, Indianapolis.

But companies are raising questions about the number of states that will participate, the broad nature of the survey and how confidential information provided in that survey will remain, he adds.


Reproduced from National Underwriter Life & Health/Financial Services Edition, August 25, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.