State insurance departments should keep a closer eye on insurers’ use of purchased data concerning individual consumers.

Officials at the U.S. Government Accountability Office have come to that conclusion in a new report on financial services companies’ purchases of consumer information from information resellers.

The officials looked at federal and state agencies’ efforts to monitor and enforce compliance with the privacy and data security provisions of the Gramm-Leach-Bliley Financial Services Modernization Act and the Fair Credit Reporting Act.

The Federal Trade Commission is responsible for getting insurers to comply with the FCRA, but state insurance regulators are responsible for enforcing Gramm-Leach-Bliley.

“We recommend that state insurance regulators, individually and in concert with the National Association of Insurance Commissioners, take additional measures to ensure appropriate enforcement of insurance companies’ compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act,” Yvonne Jones, GAO director for financial markets and community investments, writes in a letter summarizing the results of the research.

State regulators and the NAIC, Kansas City, Mo., should start by following up on the results of a 2005 multistate Gramm-Leach-Bliley compliance review that included dozens of life insurers with 2002 gross written premiums over $200 million as well as many health insurers and property-casualty insurers, Jones writes.

Federal bank examiners have the authority to examine banks’ information resellers and do so on a regular basis, Jones writes.

But state insurance regulators usually lack the authority to examine information resellers, unless the resellers are classified as organizations that help insurers come up with rates, Jones writes.

“DISB staff told us that most state insurance regulators, as well as DISB, do not have staff with adequate expertise to actually examine insurers’ information privacy and safeguarding programs,” Jones writes.

All states and the District of Columbia have adopted the NAIC’s financial and health information privacy model, which was adopted in 2000, but only 33 states have adopted the NAIC’s 2002 consumer information protection model, Jones reports.

One obstacle to enforcement of privacy and data protection rules may be that states are focusing more on “targeted examinations” of insurers that are the subject of complaints, and less on comprehensive exams of all insurers, Jones writes, citing the comments of an NAIC official.

“As a result of a lack of complaints regarding privacy matters…states are probably doing few targeted examinations of compliance with privacy requirements,” Jones writes.

Even when states conducted the 2005 compliance review, they simply referred the results to an NAIC working group rather than taking action to address possible problems, Jones writes.

A copy of the GAO report is on the Web at Document Link