December 15, 2001(1)
LEE STREET MANAGEMENT'S(2)
Privacy protection for personal information acquired by financial institutions
and others is, and will remain, for the foreseeable future a potent political
issue. The Gramm-Leach-Bliley Act(3) ("GLB"
or "Gramm-Leach") gave the financial services industry a long sought competitive
boost. Certain consumer privacy protections accompanied GLB's competitive
benefits. GLB privacy protections apply to financial institutions regardless
of whether the institutions are financial holding companies ("FHCs") under
regulators have issued draft regulations to implement the privacy provisions
of Gramm-Leach(5). These regulations are to
be effective on November 13, 2000. Until final regulations implementing
GLB are adopted and possibly even after the adoption of federal regulations,
broadly defined terms such as "financial institutions", "financial activities",
"nonpublic personal information", "personally identifiable financial information",
"consumer" and "customer" will generate debate, disputes and confusion.
Existing and future state laws on this subject will only complicate matters
because terms such as consumer, customer, privileged or personal information
may not be defined at all or definitions may differ from those in GLB.
It is possible that state insurance regulators may not act to implement
GLB by November 13, 2000, which could result in costly revisions
to disclosure materials developed by financial institutions in response
to federal regulations.
Prior to enactment of GLB, relevant federal privacy laws limited disclosure
restrictions to medical and motor vehicle information, Fair Credit
Reporting Act ("FCRA") information, and privacy relating to the
activities of government agencies. GLB, however, includes provisions
intended to protect the privacy of personal nonpublic information
shared by financial institutions with third parties.
PRIVACY REQUIREMENTS, PROPOSED REGULATIONS AND STATE ISSUES
GLB applies to "financial institutions", which GLB defines to encompass any entity
that engages in activities that are "financial in nature" and virtually any
other "financial" activity that federal regulators may designate. Insurers,
agents, and brokers are expressly included in the definition of "financial"
activity. The Federal Trade Commission (the "FTC"), for example, has proposed
regulations that would include among "financial institutions" (engaging in "financial"
activities) entities such as mortgage lenders, "pay day" lenders, finance companies,
mortgage brokers, account services, check cashers, wire transferors, travel
agencies operated in connection with financial services, debt collectors, credit
counselors, financial advisors, tax preparation firms and many other businesses
that never would have expected GLB to apply to them.
GLB's core privacy provisions address financial institution disclosure
policies regarding consumer information, consumer "opt-out rights,"
enforcement mechanisms, timing for implementation of regulations
promulgated pursuant to GLB, and preservation of state jurisdiction.
Each of these issues is discussed below. Exceptions to GLB's notice
and opt-out requirement are discussed in Section 5.
To appreciate the impact of GLB's disclosure
requirements, it is important to focus on the distinctions between "consumer"
and "customer" under GLB. A "consumer" is an "individual who obtains or has
obtained a financial product or service from you that is to be used primarily
for personal, family or household purposes, and that individual's legal representative."
A "customer" is a consumer who has a "continuing relationship" with the financial
institution. Financial institutions are not required under GLB to disclose privacy
practices and policies to "consumers", if they have no intention of sharing
information with nonaffiliated third parties. Therefore, unless an institution
is confident that sharing of nonpublic personal information will not occur,
disclosure might be most efficiently introduced in marketing and application
materials, i.e., to the "consumer". GLB requires all financial institutions
engaging in "financial" activities to disclose their privacy practices and policies
to "customers" regarding use of nonpublic personal information, regardless
of whether such institutions intend to share information with affiliates or
third parties. This disclosure must be made at the time of establishing a customer
relationship and then "not less than annually" during the continuation of the
relationship. Disclosures
pursuant to GLB must be "clear and conspicuous," and may be made either in writing
or in electronic form or other form authorized by regulation. The disclosure
must set forth the institution's privacy policies and practices, and must include,
among other things, specific information regarding categories of persons to
whom information may be disclosed. Disclosure of privacy policies and practices
applies to sharing of personal information with affiliates and third parties.
Regulations implementing GLB expressly provide that oral delivery of the notice is not acceptable, although subsequent delivery of the written notice is permitted in certain circumstances such as transactions initiated by telephone.
Once the required GLB disclosures have been made,
financial institutions may share certain "nonpublic personal information" with
third parties provided that the "consumer" has been provided with notice of
his right to opt-out and has not opted out within a "reasonable time." Regulators
are expected to permit the opt-out notice to be combined with the general disclosures. Unless
the GLB disclosure and opt-out requirements are observed, nonpublic personal
information may not be shared with third parties, possibly regardless of where
such information was obtained, i.e., even if the information was otherwise
Federal "functional regulators", state
insurance authorities, and the Federal Trade Commission will enforce
GLB's privacy requirements applicable to financial institutions
and "other persons". The Fair Credit
Reporting Act has also been
amended to clarify that the federal banking agencies have authority
to issue regulations "as necessary" to detect and enforce privacy
violations that may occur during the transfer of, and process of
correcting information given by banks to reporting agencies.
GLB contemplates multiple layers of regulation for financial institutions. Federal
agencies will regulate financial services entities to the extent of their jurisdiction.
State insurance regulators will have jurisdiction over insurance companies,
but that jurisdiction may overlap with the jurisdiction of federal agencies.
For example, an insurance company issuing registered products will be subject
to both state and federal regulation. An insurance agency that distributes registered
products will also be subject to both state and federal regulation. While the
GLB leaves enforcement of the federal privacy provisions to states and allows
states to adopt privacy laws or regulations relating to insurance that are more
strict than federal regulations, companies should anticipate inter-regulatory
conflicts in this area.
Timing and Effective
Regulations implementing GLB privacy provisions
are to be published in final form by May 12, 2000, but will not take effect
until November 13, 2000. After that date, financial institutions cannot
disclose nonpublic personal information about an individual who was a
customer before that date unless a policy notice and opt-out notice has
been provided and the individual has not opted out.
The NAIC adopted the NAIC Insurance Information and Privacy Protection Model Act
(the "Model Act") nearly twenty years ago, and laws similar to it have been
adopted by fifteen states. Those states are likely to revisit privacy protections
in light of GLB, and states having no existing privacy legislation or regulations
affecting insurers are also likely to act. The Model Act provides that individuals
must affirmatively agree to disclosure of "personal" or "privileged" information.
"Personal" or "privileged" information as defined under the Model Act may cause
interpretive controversy because the GLB approach does not define these terms.
Rather, GLB addresses and defines the term "nonpublic personal information".
The concept of privileged information is not found in GLB.
States that have not enacted the Model Act generally have only piecemeal laws which
would limit the extent to which an organization may disclose an individual's
medical information or motor vehicle records. More states are likely to enact
comprehensive privacy protection laws in light of recent developments such as
(1) enactment of Gramm-Leach, which applies to financial institutions;
(2) the rapid development of e-commerce; (3) increased consumer activist
and agent lobbying in states; (4) the NAIC's commitment to address privacy
issues; and (5) negative publicity concerning companies selling personal
information for fees or commissions.
Two issues on which states may diverge from Gramm-Leach may be of particular concern.
The first is whether an entity may share personal information after giving the
consumer the right to "opt-out" or whether data sharing may take place only
if the customer expressly authorizes it, i.e., "opts in." GLB adopts
the opt-out approach, but some states have already been lobbied to pursue the
more stringent opt-in approach.
The second issue regards data sharing among affiliated companies. GLB does not restrict
affiliate sharing of personal information, but states may well attempt to do
so, subject to restrictions in the FCRA. This will be critical to any financial
institution that seeks to take advantage of the new liberalized affiliation
rules under GLB to integrate financial businesses and cross-sell financial services.
However, FCRA preempts state law and permits the sharing of a broad class of
information within a corporate family. Therefore, such state action could also
spawn preemption litigation, notwithstanding GLB's preservation of state authority.
Financial institutions would argue that state prohibitions against affiliate
sharing of information directly conflict with and undermine GLB or are preempted
by the FCRA.
The insurance industry is now closely monitoring legislative activity in numerous
states. The prospect of 50 different privacy regulatory regimes, in addition
to the federal GLB and agency provisions, is of great concern. In addition,
the NAIC has formed a Privacy Working Group to establish policy regarding the
implementation of the GLB privacy provisions. The potential for increased costs,
particularly for on-line businesses, is tremendous, not to mention potential litigation
and enforcement defense costs resulting from a confusing patchwork of regulations.
Legislators have responded to recent media attention regarding how easily
information provided by consumers on the internet can be obtained. See,
e.g., November 29, 1999 Forbes cover story, "The End of Privacy."(6)
In March, 1999, legislation was proposed in Maine to establish an "Internet
Policy" for the state which would apply privacy laws to electronic transmissions
and impose notice and consent requirements for disclosure of consumer
information online. See Me. House Bill 1339. In late January, 2000,
a settlement agreement was reached between Chase Manhattan Corp. ("Chase")
and the New York Attorney General concerning Chase's practice of providing
customer information to marketing firms, which apparently included encrypted
bank account numbers and loan data. The marketing firms allegedly used
the information to contact Chase customers to solicit products, such as
emergency road service plans, discount shopping clubs, legal services
and magazine subscriptions, and Chase received a commission on successful
sales. Under the settlement, Chase agreed not to share any customer data with outside
marketers without customers' express written consent and even where consent
is given, the only information disclosed will be names, addresses and
telephone numbers; no financial data will be disclosed. This procedure
is more restrictive than the "opt-out" privacy provision in Gramm-Leach,
which allows financial institutions to share customers' data with outside
firms unless customers expressly ask them not to do so.
Disputes over federal and state privacy laws and regulations are inevitable.
These disputes are likely to occur between state and federal regulators,
despite GLB's attempt to preserve state insurance regulation, and between
plaintiffs' class action lawyers and financial institutions. The FTC and
ultimately the federal courts will resolve such disputes.
Financial institutions should consider adopting the highest standards of disclosure
found in any of the laws applicable to them. While this approach may seem
administratively and economically onerous, it could prove far less costly
over the long term.
I. FEDERAL LEGISLATION
Privacy After the Gramm-Leach-Bliley Act
History of the Gramm-Leach-Bliley Act Privacy Provisions
GLB was signed into law on November 12, 1999. Its primary impact
was the elimination of many federal and state law barriers to affiliations
among banks, insurers, securities firms and other financial services
providers. Late in the congressional debate on financial services
reform legislation, privacy of personal information obtained by
financial institutions became critical to the bill's prospects.
No privacy provisions were in the version the House Banking Committee
passed in March of 1999 or in the versions passed by the Senate
Banking Committee in April and the full Senate in early May of 1999.
Indeed, no formal discussion of the issue occurred until the House
Commerce Committee first considered the bill in late May of 1999.
By that time, privacy emerged as a potent political issue. Privacy
issues had received attention several years earlier, when Congress
instructed federal agencies to draft rules protecting the confidentiality
of health-related data. Also, as the popularity of electronic commerce
grew, consumers were becoming increasingly alarmed that their credit
card numbers, buying habits, and other information would be put
up for sale to the highest bidder. Until May, however, confidentiality
of information maintained by financial institutions had not been
a front-burner issue on Capitol Hill.
The House Commerce Committee changed that. As the legislation was prepared for subcommittee
markup, consumer groups and the Clinton Administration began prodding Democrats
to offer an amendment prohibiting the sharing of customer information among
and between financial affiliates or with outside third parties. The issue was
ripe, and the Democrats knew it. Not only was public angst about privacy growing,
but New York's Attorney General had commenced a lawsuit against Chase for allegedly
sharing customer names, Social Security numbers, and other information with
a telemarketing firm in exchange for several million dollars in commissions.
Thus, Democrats argued that their amendment was necessary to prevent unprecedented
erosions of consumer privacy.
Industry lobbyists were most alarmed by two proposals that were
considered but ultimately rejected: (1) that financial institutions
must require affirmative consent from customers before sharing information;
and (2) that information sharing among affiliates be subject
to the new rules. The adoption of either would have severely restricted
one of the principal benefits of Gramm-Leach -- the ability to cross-market
services among affiliates and third parties. Thus, industry lobbyists
fought against these proposals and won. In the end, GLB restricted
information sharing only with third parties, and not among affiliates.
It also required only that customers be given notice and opportunity
to "opt out" if they do not want their personal information shared
with third parties.
Recent Responses to GLB
Federal and state regulators are now engaged in addressing consumer activists' demands
for further privacy protections. The financial services industry is geared for
battle at federal and state levels. Late last year, several major financial
services associations formed a new coalition to push for enactment of GLB. The
Financial Services Coordinating Council ("FSCC") is comprised of the American
Council of Life Insurance ("ACLI"), the American Insurance Association ("AIA"),
the American Bankers Association ("ABA"), the Investment Company Institute
("ICI"), and the Securities Industry Association. The FSCC's priority is to
focus on the privacy issue so that GLB benefits are not diluted by more onerous
or multiple privacy requirements. The FSCC is also focusing on GLB-related regulatory
and state legislative issues, including electronic signatures, international
trade, taxation and legal reform.
FSCC members are urging states to take a "go slow" approach, and not enact major
new privacy initiatives until the GLB provisions have been implemented and tested.
The organization also notes that insurer privacy practices are already regulated
in some states and that inter-affiliate sharing is governed by the federal Fair
Credit Reporting Act, which preempts state law.
The NAIC has formed a Privacy Working Group to establish policy regarding the implementation
of the GLB privacy provisions. Earlier this year, the NAIC issued a request
for comments on how states should respond. In addition, the Working Group held
a public hearing at the March quarterly NAIC meeting in Chicago, and is expected
to complete its work by the end of this year, if not before.
President Clinton vowed, when signing GLB, to seek further legislation to toughen
privacy requirements on financial institutions. Indeed, some other legislators,
including a few prominent Republicans, have already sponsored legislation
to strengthen the privacy provisions of GLB(7).
A newly formed Democratic Privacy Task Force held its first meeting in
February. Thus, the politically charged privacy issue will not go away,
and may have an impact on this year's presidential and congressional elections.
It is against this backdrop that all interested constituencies are lobbying to
protect their interests.
3. Gramm-Leach-Bliley Act and Proposed Regulations
Details relating to the disclosure and opt-out requirements in Gramm-Leach were left
to subsequent rulemaking by federal regulators after consultation with state
insurance regulators. Federal regulators are federal banking agencies, i.e.,
the Federal Reserve, Office of the Comptroller of the Currency ("OCC"), Federal
Deposit Insurance Corporation ("FDIC") and the Office of Thrift Supervision
("OTS"); the National Credit Union Administration ("NCUA"); the Securities and Exchange
Commission ("SEC"); and the Federal Trade Commission ("FTC"). Finally, state
insurance regulators will also seek to prescribe regulations to implement GLB's
privacy provisions. This broad mandate will include additional details about
disclosures and notice to consumers, as well as elaboration on any of the exceptions
to the third-party opt-out requirement. These agencies have published draft
regulations. GLB also requires that the several agencies and departments engaging in rulemaking
"consult and coordinate" with each other and with state insurance authorities
to assure "to the extent possible, that the regulations prescribed by each such
agency and authority are consistent and comparable with the regulations prescribed
by other agencies and authorities." The final rule is expected to be promulgated
by May 12, 2000. However, the draft regulations would take effect on November
13, 2000. After that date, financial institutions cannot disclose nonpublic
personal information about an individual who was a customer before that date
unless a policy notice and opt-out notice has been provided and the individual
has not opted out. Notices to existing customers must be made within 30 days
under draft regulations. Proposed rules are discussed under the section headings below.
4. Who Must Comply?
The privacy provisions of GLB apply to "financial institutions," which are
defined to include any entity that is "engaging in financial activities
as described in section 4(k) of the Bank Holding Company Act."(8)
GLB identifies activities that are "financial in nature" and empowers
the Federal Reserve Board (in consultation with other regulators) to designate
other financial activities or activities that are incidental or complementary
to financial activities. (See Appendix A for the Board's current
list of activities that are financial in nature.) The FTC has issued a
proposed rule providing guidance as to covered entities. These include,
"mortgage lenders, "pay day" lenders, finance companies, mortgage brokers,
account servicers, check cashers, wire transferors, travel agencies operated
in connection with financial services, debt collectors, credit counselors
and other financial advisors, and tax preparation firms." Thus, entities
that may believe that GLB does not apply to them may be surprised to find
themselves subject to the privacy provisions of GLB.
Disclosure and Opt-Out Procedures
GLB requires all financial institutions engaging in financial activities pursuant
to its provisions to disclose their privacy policies to each customer regarding
use of nonpublic personal information, both at the time of establishing a customer
relationship and then "not less than annually" during the continuation of the
relationship. This requirement applies regardless of whether such information
will be shared with affiliates and third parties. (Disclosure to consumers is
required only if the institution contemplates sharing nonpublic personal information
with nonaffiliated third parties.)
GLB and the proposed rules distinguish "consumers" and "customers." The distinction
is important because a financial institution's obligations to each are different
in some respects. A "consumer" is an "individual who obtains or has obtained
a financial product or service from you that is to be used primarily for personal,
family or household purposes, and that individual's legal representative." (Note
that these provisions do not apply to companies or individuals who purchase
services for business purposes.) Thus, a consumer who is shopping for a price
would receive an initial disclosure and opt-out notice only if the institution
intends to share personal information collected about the consumer with a nonaffiliated
third party. A "customer" is a consumer who has a "continuing relationship"
with the financial institution. Disclosure is required for "customers" in all circumstances, even if no data sharing with third parties
is contemplated. Opt-out notices are required only if data sharing with nonaffiliated
third parties is contemplated.
The proposed regulations specifically provide that a person who engages in only
an "isolated transaction" is not a "customer." The term "isolated transaction"
is not defined, except that it specifically includes withdrawing cash from an
ATM machine or purchasing a cashier's check or travelers check at a bank. A
series of ATM transactions at the same bank would also satisfy the "isolated
transaction" standard. Consumer groups have already indicated they will protest
the ATM exception.
The disclosures to consumers or customers must be "clear and conspicuous," may be
made either in writing or in electronic form or other form authorized by regulation,
and must set forth the institution's privacy policies and practices, and must include:
(1) policies and practices regarding disclosures to affiliates and to nonaffiliated third parties, including the categories of persons to whom information may be disclosed;
(2) policies regarding disclosures of nonpublic information related to former customers;
(3) general policies for protecting the confidentiality and security of nonpublic personal information of consumers;
(4) categories of nonpublic personal information that the institution collects; and
(5) certain disclosures as may be required under the Fair Credit Reporting Act.
The proposed regulations expressly provide that oral delivery of the notice
will not satisfy these requirements. Affected industries are likely
to suggest circumstances (such as telephone marketing) where oral delivery
perhaps followed by a written or electronic confirmation might be appropriate.
Financial institutions may share certain "nonpublic personal information" with nonaffiliated third
parties provided that the customer has been provided with notice of his right
to opt-out and has not opted out within a "reasonable time." While the disclosure
requirement is independent of the opt-out notice requirement, commentary to
proposed regulations suggests that regulators will permit the disclosure and
opt-out notice to be combined. Importantly, a new disclosure notice is required
The proposed regulations do not prescribe any particular method by which a consumer
must opt-out. The only requirements are that the opt-out be in writing, and
can be in electronic form if the customer agrees. The draft regulations do give
examples of "reasonable" opt-out methods, which include: (1) provision of an
e-mail address, if the customer agrees; (2) a check-off box in a prominent place
on relevant forms, together with the opt-out notice; and (3) detachable, pre-addressed
form or self-addressed, stamped postcard together with opt-out notice.
Even if a customer has not "opted out" of the institution's information sharing policy,
Gramm-Leach prohibits disclosure of account numbers or similar forms of access
codes for credit card accounts, deposit accounts, or transaction accounts to
any nonaffiliated third party for use in telemarketing, direct mail marketing
or other marketing through electronic mail to the consumer.
The Act also prohibits nonaffiliated third parties that receive nonpublic personal
information from a financial institution for any purpose from reusing such information
by disclosing to any other person, unless the disclosure could otherwise have
been made lawfully to such person by the financial institution. This means,
for example, that an attorney, accountant, or auditor who received nonpublic
personal information from a financial institution (pursuant to GLB's specific
exemption) could not then disclose that information to others to whom the financial
institution could not directly disclose it.
There are exceptions to GLB's notice and opt-out requirements. Under proposed regulations,
key exceptions include:
(1) disclosures to "effect, administer, or enforce transactions requested or authorized by the consumer" or for a number of other purposes, including, "to underwrite insurance at the consumer's request or for reinsurance purposes or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by federal or State law";
(2) with certain conditions, information provided to nonaffiliated third parties who perform services (including joint marketing agreements);
(3) transfers to provide information to an insurance rate advisory organization, guaranty fund or agency, or credit rating agency, or consumer reporting agencies (in compliance with the Fair Credit Reporting Act); and
(4) with certain conditions, transfers in connection with sales, mergers, etc. of the financial institution or its operating units.
(a) What constitutes nonpublic personal information?
The proposed regulations provide that "nonpublic" information is "personally
identifiable financial information" that is: (1) provided by a customer
to a financial institution; (2) results from any transaction with
the customer or any service performed for the customer; or (3) otherwise
obtained by the financial institution. Nonpublic personal information
also includes any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived using
any nonpublic personal information. Public personal information is: (1) publicly
available information derived without using any nonpublic personal information;
or (2) any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived without
using any nonpublic personal information.
Regulators are divided on how to interpret these broad provisions and have asked
for public comment on two competing proposals. The first proposal (endorsed
by the Federal Reserve and supported by the OCC as one of two options)
states that information provided by an individual which is also available
from public sources is considered public and therefore not covered by
the regulations. Under the second proposal (not yet exclusively endorsed
by any regulator), if the information is obtained from the customer, then
it is "nonpublic" for purposes of the privacy regulations regardless of
whether it is otherwise obtainable from public sources. This issue will
undoubtedly be the subject of aggressive lobbying.
The issue of how to define "nonpublic personal information" may be less important
than it appears, however, given that regulators are in agreement that
financial institutions may not share the fact that an individual is a
customer without providing the customer with notice and opportunity to
opt-out (unless that fact is available from government records or required
to be disclosed by law). Thus, if the information to be shared relates
to a customer, then it cannot be shared with third parties without notice
and an opportunity for the customer to opt-out, regardless of whether
the information is available from public sources. It is important to note
that the decision to prevent sharing of customer lists is being made by
regulators. Congress left this to the regulators' discretion and did not
require it in GLB. When the Federal Reserve released its proposed regulations,
it noted that this issue "appears to be a matter of concern in the financial
services industry", without further discussion. This aspect of the proposed
regulations is one of the most alarming to the financial services industry
and will undoubtedly attract considerable comment.
State and federal financial regulators, including the FTC, have authority to enforce
the privacy regulations to the extent of their jurisdiction and consistent with
their general enforcement powers. However, GLB delegates to the FTC authority
to determine whether a state or federal regulation is most strict, after consultation
with relevant agencies and state regulators. This means, for example, that even
an insurance company that distributes registered products and owns or controls
an insurance investment adviser or broker-dealer would have to comply with state
and relevant federal agency regulations.
GLB, however, does not provide a private right of action for violations, but some
state unfair trade practices laws allow consumers to seek judicial redress for
violations of consumer protection laws. Thus, a private right of action could
exist for violation of relevant state privacy laws.
State insurance regulators generally have no authority to enforce federal law. However,
GLB requires state and federal regulators to establish standards to: (1) ensure
the security and confidentiality of customer records and information; (2) protect
against any anticipated threats or hazards to the security or integrity of such
records; and (3) protect against unauthorized access to or use of such records
or information which could result in substantial harm or inconvenience to any
customer. State insurance regulators who decline to adopt these standards could
lose the power to preempt other provisions of the bill regarding insurance sales
To the extent that insurers have subsidiaries that engage in activities subject
to federal regulation, such insurers may be subject to multiple layers of regulation
and enforcement regimes. For example, an insurance company issuing registered
products will be subject to both state and federal regulation. An insurance
agency that distributes registered products will also be subject to both state
and federal regulation. While the GLB leaves enforcement of the federal privacy
provisions against insurers to states and allows states to adopt privacy laws
or regulations that are more strict than federal law, companies should anticipate
inter-regulatory interpretive disputes in this area, despite the fact that the
FTC is to resolve disputes after consultation with the agency that regulates
the party filing a complaint or the financial institution that is the subject
of the complaint. As noted above, the FTC will also resolve disputes between
states and federal agencies as to which requirements are most stringent.
7. Relation to State Privacy Laws
GLB's privacy provisions preempt state law only where such laws or regulations are
inconsistent with GLB, and then only to the extent of the inconsistency. Moreover,
GLB provides that state law will not be preempted for inconsistency where state
law affords greater protection than that afforded by GLB. As previously noted,
GLB has prompted the introduction of privacy bills in a number of state legislatures
and action by the NAIC.
B. Other Federal Legislation Affecting Consumer Privacy Issues
Prior to GLB, federal legislation addressed confidentiality of consumer information
mostly in the context of medical records (kept by employers) and motor vehicle
information, the Fair Credit Reporting Act, or privacy provisions which apply
only to governmental agencies.
1. Fair Credit Reporting Act
The major federal consumer privacy statute is currently the FCRA(9),
which, among other things, permits (but regulates) the sharing of information
Under GLB, states are not permitted to preempt the FCRA. Thus, to the extent
that state privacy laws seek to go beyond GLB and regulate affiliate transactions,
they may (in many circumstances) be preempted by the FCRA.(10)
Specifically, FCRA permits unrestricted sharing within a corporate family
of so-called "transactions and experience information" relating to transactions
between affiliates and consumers. This includes, for example, a customer's
outstanding balance and whether the customer is delinquent in paying bills.(11)
FCRA does this by exempting such information from the definition of a
"consumer report." Generally, a consumer report is any communication,
by a "consumer reporting agency," of any information that bears on a consumer's
credit-worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living that is collected
or used (or expected to be collected or used) as a factor in establishing
the consumer's eligibility for credit, insurance, employment, or any other
purposes permissible under the Act."(12)
Reports limited to the consumer's name and address, with no connotations
as to credit worthiness or other characteristics, do not constitute a
"consumer report." Information that is considered a "consumer report"
(i.e., non-transaction and experience information) may nevertheless
be shared among affiliates if a notice and opt-out procedure is followed.
2. Medical Information
The Occupational Safety and Health Act (29 U.S.C. § 651) ("OSHA") and the Americans
with Disabilities Act (42 U.S.C. § 12101) ("ADA") impose restrictions on the
maintenance of employees' medical records. In particular, OSHA, and its accompanying
regulations, require employers to disclose certain medical records about their
employees to the federal government, but otherwise does not permit disclosure.
The ADA provides that medical information obtained through employee medical
examinations is confidential.
In 1996, Congress passed the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA") to protect health insurance coverage for workers
and their families when they change or lose jobs.(13)
It also calls for uniform standards to protect the privacy of individually
identifiable health information. HIPAA directed Congress to enact privacy
legislation by August 21, 1999, and, in the alternative, required the
Secretary of Health and Human Services to promulgate such standards by
regulation. As Congress did not pass such legislation, the Secretary was
required to publish final standards by February 21, 2000.
Proposed regulations were published on November 3, 1999. See 64 Federal Register
59918. The regulations apply to all health plans, all health care clearinghouses,
and all health care providers that transmit health information in an electronic
form in connection with a standard transaction (referred to collectively as
"covered entities"). Covered entities would be prohibited from using or disclosing
protected health information except under certain circumstances, such as disclosure
with an individual's authorization, and disclosure without authorization for
treatment, payment and health care operations. Covered entities also would be
permitted to use or disclose a patient's protected health information without
authorization for specified public and public policy-related purposes, including
public health, research, health oversight, law enforcement, and use by coroners.
With certain exceptions, permitted uses and disclosures of protected health
information would be restricted to the minimum amount of information necessary
to accomplish the purpose for which the information is used or disclosed, taking
into consideration practical and technological limitations (including the size
and nature of the covered entity's business) and costs.
3. Motor Vehicle Record Information
The Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721) imposes federal restrictions
on the disclosure of state motor vehicle information. Personal information about
any individual obtained in connection with a motor vehicle record may be disclosed
only for certain enumerated uses. For example, personal information may be disclosed
"[f]or use by any insurer . . . or its agents, employees, or contractors, in
connection with claims investigation activities, antifraud activities, rating
or underwriting." 18 U.S.C. § 2721(b). An authorized recipient of personal information
may resell or re-disclose the information only for a stated permissible use.
18 U.S.C. § 2721(c).
The federal act also mandates state implementation under 18 U.S.C. § 2723(b).(14)
Thus, most states' motor vehicle information privacy laws mirror the federal
act. (California and Virginia previously enacted such legislation.)
4. Information Obtained by Government Agencies
Other federal laws protect consumer information, e.g., the Privacy Act of 1974
(5 U.S.C. § 552a), the Freedom of Information Act (5 U.S.C. § 552), and the
Right to Financial Privacy Act of 1978 (12 U.S.C. § 3401). These laws govern
the disclosure of information obtained by government agencies and not private
entities. The Right to Financial Privacy Act of 1978 limits governmental authorities
to obtaining financial records of individuals and partnerships with five or
II. STATE LAWS, THE NAIC MODEL ACT AND RELATED RECENT ACTIVITIES
GLB directs state regulatory agencies to establish appropriate privacy standards
for financial institutions holding personal information provided by consumers.
The NAIC and states such as New York are seeking public comment on what
standards should be established in implementing the privacy provisions
of GLB.(15) Final recommendations are expected
before year-end.(16) The request for public
comment asks for recommendations on the type of regulation which should
be adopted by states, what privacy issues should be addressed, and input
on what types of notice/consent should be required before customer information
is disclosed. If states do not act before November 13, 2000 (the
date on which GLB privacy requirements take effect) financial institutions
may be burdened with revising their disclosure policies.
GLB has already prompted many state legislators to seek passage of similar
privacy protections. For example, although California adopted the NAIC
Model Act, which prohibits an insurance institution's disclosure of personal
information about an individual except in certain circumstances, a bill
was introduced on January 3, 2000 in the California Assembly which would
afford privacy protections greater than those of the Model Act.(17)
The bill would prohibit a "financial institution" (defined to include
insurance companies, banks, credit unions, mortgage lenders, etc.) from
disclosing, without a consumer's written consent, the nonpublic
personal information collected by the institution in connection with any
transaction with the consumer involving any "financial product" or any
"financial service" (neither term is defined) or otherwise obtained
by the financial institution. Unlike Gramm-Leach, which gives a customer
the ability to "opt-out" of the institution's arrangements to share customer
information, the California bill would require customers to "opt in" (agree
to the information sharing agreement) before the information could be
In addition to California, at least seven other states have already introduced
some form of financial privacy legislation since the November 12, 1999 enactment
A. The NAIC Model Act
The NAIC Model Act was adopted in 1980 to address the issue of confidentiality
of personal information obtained by insurance companies. Fifteen jurisdictions
-- Arizona, California, Connecticut, Georgia, Illinois, Maine, Massachusetts,
Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon,
and Virginia -- have enacted laws that are substantially similar to the
Model Act.(18) The laws in these states may
differ slightly from the Model Act.
Under the Model Act, an "insurance institution"(19)
may disclose confidential personal and privileged information only under
limited circumstances. The Model Act establishes standards for the collection,
use, and disclosure of personal, privileged, or medical record information
gathered about an individual by an insurance institution in connection
with "insurance transactions," defined as:
    transaction involving insurance primarily for personal, family or household
    needs rather than business or professional needs which entails: (1)
    the determination of an individual's eligibility for an insurance coverage,
    benefit or payment; or (2) the servicing of an insurance application,
    policy, contract or certificate.
The Model Act requires insurance institutions to: (1) provide notice of their information
practices to applicants and policyholders; (2) inform individuals of marketing
questions; (3) give individuals access to their recorded personal information;
and (4) disclose their reasons for adverse underwriting decisions. The Act prohibits
insurance institutions from seeking information concerning previous underwriting.
Finally, the Act gives the state insurance commissioner the power to enforce
the law. An example of potential discord between state and federal regulators
could be whether an "applicant" should be treated as a "consumer" or "customer"
in determining whether state law is more strict or more lenient than federal
1. Disclosure of Personal or Privileged Information
Unless a relevant exemption applies, the Model Act prohibits an insurance institution
from disclosing "any personal or privileged information" about an individual
collected or received in connection with an insurance transaction.
(a) What Constitutes "Personal" or "Privileged" Information?
The Act defines "personal information" as:
    individually identifiable information gathered in connection with an
    insurance transaction from which judgments can be made about an individual's
    character, habits, avocations, finances, occupation, general reputation,
    credit, health or any other personal characteristics including name,
    address, and medical record information.
Privileged information generally includes individually identifiable information that:
(1) relates to a claim for benefits or a civil or criminal proceeding
involving an individual; and (2) is collected in connection with or in
reasonable anticipation of a claim for insurance benefits or civil or
criminal proceeding involving an individual. "Privileged information"
includes, for example, investigatory files compiled for law enforcement
purposes and trade secrets and confidential data or information. The definitions
of "personal" and "privileged" information are broad and encompass a wide
range of information.(20) GLB and proposed
regulations rely upon the term "nonpublic personal information" which
may be more encompassing than "personal" or "privileged" information.
However, this issue is likely to be debated.
(b) What Constitutes "Disclosure"?
The Model Act does not define "disclose," and does not expressly address whether
an insurance institution is prohibited only from disclosing information
to third parties or whether the prohibition applies to affiliate disclosures
as well.(21) If it was intended to allow
disclosure among affiliates, the Model Act is not clear on this subject.
In 1980 (the year the Act was adopted), the President of the NAIC commented:
    NAIC readily acknowledges that . . . the [Model Act] permits information
    to flow with considerable freedom within the insurance industry. This
    permissive approach to the flow of information within the insurance
    industry does not apply to information flowing outside the industry,
    however. As currently drafted, [the Model Act] establishes a strict
    duty of confidentiality with respect to disclosures of information
    outside the insurance industry.(22)
It could be inferred from exception (12) of the Model Act, regarding permitted
disclosures, that affiliate sharing is not allowed for any purpose other than
that stated in exception (12), discussed below. Since GLB allows states to adopt
more stringent privacy laws, such an interpretation could be devastating.
(c) Exemptions From Disclosure Prohibitions
The Model Act contains eighteen enumerated exceptions to prohibiting disclosure
of "personal" or "privileged" information. One of these exceptions requires
affirmative consent to disclosure.(23) The
Model Act does not distinguish "consumers" and "customers" for this purpose.
Specifically, the Model Act permits disclosure of such information:
(1) With the written authorization of the individual;(24)
(2) To an outside entity if such disclosure is:
    (a) necessary for that entity to perform a business, professional,
        or insurance function for the disclosing insurance institution
        and that entity agrees not to re-disclose the information
        without written authorization from the individual; or
    (b) to enable the entity to provide information to the insurance
        institution for the purpose of determining an individual's
        eligibility for benefits or payments or for the purpose of
        detecting or preventing criminal activity, fraud, or material
        misrepresentation;
(3) To an insurance institution, provided the disclosure is to detect or
    prevent criminal activity, fraud, or material misrepresentation; or for
    the receiving insurance institution to perform its function in
    connection with an insurance
(4) To a medical care institution or medical professional if disclosure is
    reasonably necessary for the purpose of verifying coverage, informing
    the individual of a medical problem, or conducting an audit to verify
    the individuals
(5) To an insurance regulatory
(6) To a law enforcement or governmental authority;
(7) As otherwise permitted or required by law;
(8) In response to a valid administrative or judicial order;
(9) For the purpose of conducting actuarial or research studies, provided
    the individual is not identified in any report and the actuarial or
    research institution does not re-disclose the information;
(10) To a party proposing or consummating a sale, transfer, merger, or
    consolidation of all or part of the business of the insurance
    institution, provided such disclosure is reasonably necessary and the
    recipient of the information does not re-disclose the information;
(11) To a person whose only use of the information will be in connection
    with the marketing of a product or service, provided:
    (a) no medical record information, privileged information, or
        personal information relating to an individual's character,
        habits, mode of living, or general reputation is disclosed;
    (b) the individual was given the opportunity to indicate that he or
        she does not want personal information to be disclosed for
        marketing purposes; and
    (c) the recipient of the information agrees not to use the
        information except in connection with the marketing of a product
        or service;
(12) To an affiliate whose only use of the information will be in
    connection with an audit of the insurance institution or the marketing
    of an insurance product or service, provided the affiliate does not
    re-disclose the information it obtains for another purpose or to
    unaffiliated persons;(25)
(13) By a consumer reporting agency, provided the disclosure is to a person
    other than an insurance
(14) To a group policyholder, if reasonably necessary for the purpose of
    reporting claims experience or conducting an audit;
(15) To a professional peer review organization for the purpose of
    reviewing a medical care institution or medical professional;
(16) To a governmental authority for the purpose of determining an
    individual's eligibility for health benefits for which the authority
    might be liable;
(17) To a policyholder for the purpose of providing information concerning
    the status of an insurance transaction; or
(18) To a lienholder, mortgagee, assignee, lessor, or other person having a
    legal or beneficial interest in a policy.
2. Notice and Disclosure Authorization
The Model Act requires an insurance institution to provide written notice of its
insurance information practices to applicants or policyholders in connection
with insurance transactions. The notice must state whether personal information
may be collected from persons other than the individual proposed for coverage,
the types of information that may be collected, the types of sources and investigative
techniques that may be used to collect such information, the types of disclosures
of this information that may be made, and the individual's right to access and
change his or her personal information recorded by the insurance institution.
Alternatively, the insurance institution may provide an abbreviated notice informing the individual
that personal information may be collected from persons other than the individual
proposed for coverage, such information may then be disclosed to third parties,
personal information may be accessed and changed by the individual, and full
notice (as described above) will be furnished to the individual upon request.
This type of notice could be deemed insufficient to satisfy GLB and federal
The Model Act also requires the use of a disclosure authorization form, in
connection with insurance transactions, to specify the purposes for which
the information is collected and the length of time the authorization
will remain effective. The NAIC adopted these provisions to address the
fact that individuals might not be aware of the scope of information that
can be obtained from others, and the use that will be made of such information.
The Model Act acknowledges that authorizations issued at particular points
in time cannot encompass all future uses and disclosure of the information
collected.(26) In addition, the Model Act
does not expressly state that, once issued, an authorization is limited
to certain purposes or uses. Thus, "reuse" provisions under GLB may supersede
state law because the GLB's "reuse" prohibitions would be deemed to be
3. Medical Record Information
The Model Act contains specific provisions governing medical record information,
which is defined as "personal information which relates to an individual's
physical or mental condition, medical history, or medical treatment, and
is obtained from a medical professional or medical care institution, from
the individual, or from the individual's spouse, parent, or legal guardian."
Insurance institutions may disclose such medical record information to
a designated medical professional if the insurance institution notifies
the individual at the time of disclosure that it has provided information
to the medical professional.
4. Marketing Questions
The Model Act provides that if, as part of an insurance transaction, an insurance
institution or agent asks a question which is intended only for marketing
or research purposes, then the insurance institution must clearly specify
such purpose. Thus, in any application or other form provided to a policyholder
or applicant in an insurance transaction, any questions designed solely
for marketing purposes must be identified as such.
5. Customer's Access to Recorded Personal Information
Under the Model Act, an individual may submit a written request for access to his
or her recorded personal information which is reasonably described and reasonably
locatable and retrievable. Moreover, individuals may request to have such personal
information corrected, amended, or deleted.
6. Adverse Underwriting Decisions
In the event of an adverse underwriting decision, the Model Act requires the insurance
institution to provide the applicant with the specific reasons for the adverse
decision, including the specific items of personal and privileged information
that support those reasons; however, personal or privileged information related
to the individual's engaging in fraud, criminal activity, material misrepresentation,
or material non-disclosure need not be provided. In addition, an insurance institution
may only seek information in connection with an insurance transaction concerning
previous adverse underwriting decisions experienced by an individual or previous
insurance coverage obtained by an individual through a residual market mechanism,
if such inquiry also requests the reasons for the previous adverse decision,
or the reason why coverage was previously obtained through a residual market
7. Pretext Interviews and Investigative Consumer Reports
Under the Model Act, insurance institutions may not use "pretext interviews" in connection
with an insurance transaction. Pretext interviews are defined as interviews
where, in an attempt to obtain information about an individual, a person: (1)
pretends to be someone he or she is not, (2) pretends to represent a person
he or she is not in fact representing, (3) misrepresents the true purpose of
the interview, or (4) refuses to identify himself or herself upon request. However,
insurance institutions may use pretext interviews to obtain information for
the purpose of investigating a claim, where a reasonable basis exists for suspecting
criminal activity, fraud, material misrepresentation, or material non-disclosure
in connection with the claim.
An insurance institution also may not prepare or request an investigative consumer
report about an individual in connection with an insurance transaction involving
an application for insurance, a policy renewal, a policy reinstatement, or a
change in insurance benefits unless the insurance institution informs the individual
that the individual can request to be interviewed in connection with the preparation
of the investigative consumer report, and informs the individual that he or
she may obtain a copy of any such report. "Investigative consumer reports"
are defined as communications of information bearing on a person's credit worthiness,
credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living obtained through personal interviews with people who know
The Model Act contains enforcement mechanisms.(27) The state
insurance commissioner has the power to investigate, hold hearings, and
issue cease and desist orders where there are violations of the Model
Act. If, after a hearing, the commissioner determines there was a knowing
violation, penalties may be imposed. Violation of a commissioner's cease
and desist order triggers additional penalties. The Model Act also authorizes
judicial review of orders or reports issued by the commissioner. The Model
Act bars causes of action for defamation, invasion of privacy, or negligence
for disclosure of personal or privileged information in accordance with
the Model Act. However, if an insurance institution improperly discloses
information in violation of the Model Act, it may be liable for damages
sustained by the individual to whom the information relates. No immunity
exists for disclosing or furnishing false information with malice or the
willful intent to injure any person.
B. Proposed State Legislation Governing Disclosure of Personal Information by Financial Institutions
At least eight states have already introduced some form of financial privacy legislation
since the November 12, 1999 enactment of GLB. A few appear intended merely to
implement the state's enforcement obligations under GLB, and tend to track GLB's
definitions. Many others are more aggressive, often by requiring "opt in" procedures.
Set forth below is a summary of proposed state legislation introduced in response
to the recent federal legislation.
On January 31, 2000, a bill was introduced in Arizona which would restrict the
collection and disclosure of personal information provided by a consumer in
a commercial context. See Ariz. House Bill 2717. The bill applies to
"information custodians," broadly defined as all entities that maintain data
containing such personal information and which share the information to others.
is disclosed to consumers and disclosed on the custodian's web site, and which
allows consumers to choose not to have the consumer's personal information shared.
A bill introduced on January 3, 2000 in the California Assembly would
prohibit a "financial institution" (defined to include insurance
companies, banks, credit unions, mortgage lenders, etc.) from disclosing,
without a consumer's written consent, the nonpublic personal
information collected by the institution in connection with any
transaction with the consumer involving any "financial product"
or any "financial service" (neither term is defined) or otherwise
obtained by the financial institution. See California House
Bill 1707, introduced on January 3, 2000.(28)
Unlike the federal act, which gives a customer the ability to "opt-out"
of the institution's arrangements to share customer information,
the California bill would require customers to "opt in" (agree to
the information sharing agreement) before the information could
has done nothing.
On January 27, 2000, House Bill 4994 was introduced which would prohibit a financial
institution from disclosing nonpublic personal information of a consumer unless
the financial institution has obtained the consumer's written consent. A "financial
institution" would include banks, trust companies, and insurance companies that
are affiliates of a commercial bank or trust company, financial holding companies,
or persons engaged in the business of lending money. The bill details the types
of notices required for obtaining a consumer's consent. Exemptions provided
in the bill include disclosures necessary to effect a transaction authorized
by a consumer, to resolve consumer disputes or inquiries, and providing information
to insurance and financial institution rating agencies.
On February 3, 2000, legislation was introduced in Minnesota which would require
financial institutions to comply with the federal privacy provisions of Gramm-Leach
and to allow consumers to exercise their choice to "opt-out" by using a convenient
communication method. Minn. House Bill 2810. The bill details appropriate communication
methods for opting out, including the submission of an opt-out form by e-mail
or facsimile. The bill refers to the federal legislation for the definition
of "consumer" and "financial institution." Separate legislation also pending
generally tracks GLB, but would require a consumer to "opt-out" before a financial
institution could share information. Minn. Senate Bill 3000. Minn. House Bill
On January 20, 2000, a bill was introduced in Nebraska which would prohibit a financial
institution from disclosing any nonpublic personal information concerning a
customer unless the customer has affirmatively consented to the release of the
information in writing. Neb. Legislative Bill 1442. "Financial institution"
is defined to include any institution engaged in the business of providing financial
services to customers and any insurance company, credit card issuer, etc.
On January 11, 2000, a bill was introduced in New Jersey which refers to the recent
federal legislation enacted, and requires that financial institutions send customers
an annual notice advising of the customer's right to opt-out of the institution's
information-sharing arrangements (prohibit disclosure of nonpublic personal
information to nonaffiliated third parties). N.J. Senate Bill 333. The bill
defines "financial institution" as a state or federally chartered bank, savings
bank, savings and loan association or credit union, or any affiliate thereof.
(New Jersey has adopted the NAIC Model Act, which governs insurance institutions.)
The bill details the requirements for the customer notice (i.e., it must
contain the notation, "URGENT," at the top and contain a space for the customer
to mark in order to opt-out).
On January 19, 2000, a bill was introduced in South Dakota which would prohibit
any financial institution or business that grants credit from disclosing nonpublic
personal information to an unaffiliated third party without the customer's consent.
S.D. House Bill 1173. The bill also requires each financial institution or business
that grants credit to provide a process for a customer to "opt-out of such restriction."
Although the bill uses the "opt-out" language of the federal act, the effect
is that the South Dakota bill requires customers to consent, or "opt in," before
the information could be shared.
Bill 602, introduced on January 24, 2000, would prohibit a financial institution
from making available any personal information provided by a consumer unless
the consumer has affirmatively consented to the transfer of the information
in writing. "Financial institution" is defined to include any company engaging
in financial activities which are incidental or complementary to financial activities,
including banks, insurers, securities firms, and credit unions.
A bill similar to Arizona House Bill 2717 (see above) was introduced in
Washington on February 4, 2000. Wash. S.B. 6513.
Other, less aware States
Some states introduced privacy legislation before enactment of GLB. For example,
a bill introduced in Hawaii on January 28, 1999 would prohibit a "private enterprise"
from communicating to a third party the personal data collected about an individual
unless the individual consents to release of the information. See House
Bill 1232. "Private enterprise" includes any agency, business, organization
or individual who collects or disseminates information on a primarily commercial
or for-profit basis. In New York, Assembly Bill 699 was introduced on January
26, 1999, which would prohibit every person who sells, exchanges or releases
personal information to other persons for commercial purposes to disclose in
writing these practices upon initial contact with a "data subject" (the person
from whom information is collected) and at least annually thereafter. The disclosure
must give the data subject the option of prohibiting the release of personal
information for commercial purposes. An "exclusion list" must be kept listing
those who have exercised their option to prohibit release of personal information.
C. Other Privacy Laws
States that have not adopted the Model Act generally do not have comprehensive
laws governing the information practices of institutions affecting confidentiality
of personal information. In fact, commentators have posited that the "United
States has maintained a regulation-averse approach to privacy, enacting
relatively broad statutes in the public sector, but leaving most of the
private sector to monitor its own collection and use of information."(29)
In contrast, European countries have enacted sweeping laws to govern the
confidentiality of personal information.(30) The
European Union expanded information and data protection by approving the
Directive on the Protection of Individuals With Regard to the Processing
of Personal Data and on the Free Movement of Such Data. This Directive
limits the collection, storage, and transfer of personal data. Under the
Directive, personal data can be collected only for specific purposes and
data controllers must inform data subjects of the purposes for collecting
data and the persons to whom such data will be disclosed. Moreover, the
Directive prohibits the transfer of data to countries that do not provide
"adequate" levels of privacy protection. Thus, some worry that the Directive
might operate to prohibit data transfers from the European Union to the
United States, given the U.S.'s self-regulatory approach to privacy protection.(31)
The issue of privacy of personal information is receiving increased attention
in the United States, especially in light of the recent federal legislation.(32)
2. Medical Information
A number of states regulate the use or disclosure of personal medical information.
For example, Wisconsin enacted provisions similar to the Model Act governing
the disclosure of "personal medical information" only. Wis. Stat. § 610.70.
The statute defines "personal medical information" as information relating to
an individual's physical or mental health, medical history, or medical treatment,
and which is obtained from a health care provider, a medical care institution,
the individual or his/her spouse, parent, or legal guardian. § 610.70(1)(f)(1).
Under Wisconsin's law, personal information does not include information obtained
from public records of a governmental authority that is maintained by an insurer
or its representatives for the purpose of insuring title to real property. § 610.70(1)(f)(2).
Wisconsin's law provides for twelve exceptions to its disclosure
provisions. § 610.70(5). These do not include the Model Act's exceptions for
disclosure for marketing purposes or to an affiliate. See id.
Besides Wisconsin, other states have statutes that restrict the use or disclosure
of medical information. For example, Rhode Island enacted a broad provision
restricting the release or transfer of a patient's confidential health
care information, except with written consent or for limited purposes,
and requiring third party recipients of such information to establish
security procedures to maintain confidentiality.(33)
Less inclusive statutes in Illinois, Maryland and Massachusetts prohibit
an insurer from disclosing an insured's medical records without the insured's
written authorization, subject to limited exceptions.(34)
California and Connecticut impose similar restrictions on employers, preventing
them from using or disclosing an employee's medical information without
written authorization, again subject to limited exceptions.(35)
Some states specifically restrict disclosure of records containing information
regarding AIDS or HIV infection, or genetic testing,(36)
as well as mental health records.(37) Under
these laws, such information may be disclosed only in extremely limited
circumstances, such as to physicians, parents, and governmental authorities.
3. NAIC Health Information Privacy Model Act
In 1998, the NAIC promulgated a model law establishing standards for the
collection, use, and disclosure of health information gathered by insurance
carriers. The Health Information Privacy Model Act ("HIP Model Act") sets
standards to protect health information from unauthorized collection,
use, and disclosure by requiring carriers to establish procedures for
the treatment of all health information. The HIP Model Act applies to
all "carriers," which are defined as entities required to be licensed
or authorized by the commissioner to assume risk, and includes insurers,
hospitals, medical or health service corporations, health maintenance
organizations, provider sponsored organizations, multiple employer welfare
arrangements, self-insured group funds, and workers' compensation self-insurers.
Although the HIP Model Act does not expressly include fraternal benefit
societies, an NAIC drafting note permits states to include the definition
of "insurance institution" from the Model Act on Insurance Information
and Privacy Protection in their enactments of the HIP Model Act, meaning
that fraternal benefit societies would be included. The HIP Model Act
protects all "health information," which is defined as information that
relates to the past, present, or future physical, mental, or behavioral
health of an individual or his or her family, the provision of health
care to an individual, or the payment for the provision of health care
to an individual. Moreover, the HIP Model Act prohibits a carrier from
collecting, using, or disclosing(38) protected
health information without written authorization from the individual who
is the subject of the information. To date, no state has enacted legislation
adopting this Act.
4. Motor Vehicle Record Information
Several state laws govern the disclosure of information obtained from motor vehicle
records. These laws commonly provide that personal information collected
by the state motor vehicle department is confidential and may not be disclosed.
However, these laws provide an exception for disclosure (upon proof of
identity and a representation that the entity intends to use the information
for its limited purpose) to "an insurer . . . or an . . .
employee . . . of an insurer, in connection with claims investigation
activities, anti-fraud activities, rating, or underwriting."(39)
Importantly, some of these laws also contain re-disclosure provisions
that would prohibit an organization from re-disclosing the personal information
unless specifically permitted by statute.(40)
5. Proposed Legislation Governing Other Privacy Protections
Some states have recently proposed legislation which would impose privacy-related
restrictions on the disclosure of information beyond insurance, financial, motor
vehicle or medical information. For example, on February 2, 2000, a bill was
introduced in California which would prohibit the collection and disclosure
of "unique individual personal identifying information," defined to include
any number, symbol, physical or biological trait or other genetic identifier
by which an individual could be uniquely identified from another. See
Calif. Senate Bill 1419.
In Hawaii, a bill was introduced on January 25, 1999 to respond to the use of social
security numbers by criminals to engage in "identity theft." Hawaii Senate Bill
980. The bill would delete the requirement that individuals disclose their social
security numbers in records such as voter registration documents, and certain
motor vehicle records. Hawaii Senate Bill 980.
Illinois introduced a bill on January 13, 1999 prohibiting companies which purchase a
state database containing information regarding Illinois citizens from using
the database for commercial solicitation purposes (to contact individuals to
advertise, or market products or identify potential employees). See Ill.
House Bill 69.
Maine introduced a bill proposing to establish an Internet policy for the state, which
would apply privacy laws to electronic transmissions and impose notice and consent
requirements for disclosure of consumer information online. Me. House Bill 1339,
introduced March 17, 1999.
A bill was introduced in New York on January 5, 2000 to restrict financial institutions
from disclosing personal information contained in electronic fund transfers.
N.Y. Assembly Bill 623. "Financial institution" is defined as a bank, credit
union or other person who directly or indirectly, holds an account belonging
to a consumer.
New Hampshire introduced legislation which would establish an "Office of Privacy"
in the state to monitor and restrict disclosure by the state of personal information
regarding its citizens. N.H. House Bill 1612, January 5, 2000.
Entities that may be deemed to be "financial institutions" under GLB should be developing
compliance programs to address consumer privacy issues, despite the fact that
final federal regulations will not be adopted until later this year.
Disputes over federal and state privacy laws and regulations are inevitable.
These disputes are likely to occur between state and federal regulators, despite
GLB's attempt to preserve state regulation, and between plaintiffs' class action
lawyers and financial institutions. Financial institutions should establish
compliance programs that anticipate such disputes. This approach may mean adopting
the highest standards for disclosure as "best practices".
The Federal Reserve Board's list of financial activities is set forth in 12 CFR
225.86. They include in certain circumstances:
brokering or servicing loans;
real or personal property (or acting as agent, broker, or
advisor in such leasing) without operating, maintaining
or repairing the property;
appraising real or personal
check guaranty, collection
agency, credit bureau, and real estate settlement services;
providing financial or investment
advisory activities including tax planning, tax preparation, and instruction
on individual financial management;
management consulting and
counseling activities (including providing financial career counseling);
courier services for banking
printing and selling checks
and related documents;
community development or advisory
selling money orders, savings
bonds, or traveler's checks; and
providing financial data processing
and transmission services, facilities (including hardware, software, documentation
or operating personnel), data bases, advice, or access to these by technological
On March 12, 2000, the Board issued an interim rule with request for comments
designating other financial activities including:
and other services to mutual funds;
owning shares of a securities
acting as a certification
authority for digital signatures;
histories to third parties for use in making credit decisions and
to depository institutions and their affiliates for use in the ordinary
course of business;
check cashing and wire
in connection with offering
banking services, providing notary public services, selling postage
stamps and postage-paid envelopes, providing vehicle registration
services, and selling public transportation tickets and tokens;
real estate title abstracting;
consulting services, including to any person with respect to nonfinancial
matters, so long as the management consulting services are advisory
and do not allow the financial holding company to control the person
to which the services are provided;
operating a travel agency
in connection with financial services offered by the financial holding
company or others;
and managing a mutual fund, so long as
the fund does
not exercise managerial control over the entities in which
the fund invests; and
holding company reduces its ownership in the fund, if any,
to less than 25 percent of the equity of the fund within one
year of sponsoring the fund or such additional period as the
The information contained on this webpage was current as of December 15,
2001. Since privacy issues are evolving at federal and state agencies,
changes may have occurred since December 15, 2001.
Mr. Michael Lee is the owner and operator of Lee Street Management,
a real estate management company operating residential rental
apartment buildings, condominiums and houses in the Chicago metropolitan
Pub. L. No. 106-102, 113 Stat. 1338 (1999).
Recipients should update references to laws and regulations discussed
Privacy of Consumer Financial Information, 65 Fed. Reg. 8,769 (2000); (Regulation
S-P) 65 Fed. Reg. 12,353 (2000); 65 Fed. Reg. 11,173 (2000); 65 Fed. Reg. 10,988
In conjunction with a recent settlement involving a bank's disclosure of information
for marketing purposes, New York Attorney General Eliot Spitzer has commented,
"New technology has brought extraordinary benefits to society, but it also has
placed all of us in an electronic fishbowl in which our habits, tastes and activities
are watched and recorded."
H.R. 3320, 106th Cong. (1999). S. 1903, 106th Cong. (1999).
Section 4(k)(4)(A-E) states "the following activities shall be considered to
be financial in nature: (A) Lending, exchanging, transferring, investing for
others, or safeguarding money or securities. (B) Insuring, guaranteeing, or
indemnifying against loss, harm, damage, illness, disability, or death, or providing
and issuing annuities, and acting as principal, agent, or broker for purposes
of the foregoing, in any State. (C) Providing financial, investment, or economic
advisory services, including advising an investment company (as defined in section
3 of the Investment Company Act of 1940). (D) Issuing or selling instruments
representing interests in pools of assets permissible for a bank to hold directly.
(E) Underwriting, dealing in, or making a market in securities."
15 U.S.C. 1681 et seq.
In addition, the GLB gives banking regulators new enforcement powers with respect
to the FCRA, and implementing regulations in this respect will be forthcoming.
See, e.g., DiGianni v. Stern's, 26 F.3d 346, 348-49 (2d
Cir. 1994), cert. denied, 513 U.S. 897 (1994); Rush v. Macy's
New York, Inc., 775 F.2d 1554, 1556-57 (11th Cir. 1985).
15 U.S.C. § 1681(a)(d)(1).
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110
Stat. 1936 (1996).
Although one federal court ruled that this act was an unconstitutional exercise of power
over the states, other federal courts facing the issue ruled otherwise. See
generally Recent Cases, 112 Harv. Law Rev. 1100 (1999); Rashmi Luthra,
Current Development in the Law, 8 B.U. Pub. Int. L.J. 562 (1999); Gregory
E. Peterson, Current Development in the Law, 8 B.U. Pub. Int. L.J. 566
(1999); Gregory R. Youman, Current Development in the Law, 8 B.U. Pub.
Int. L.J. 571 (1999).
NAIC has traditionally opposed federal legislation concerning disclosure by
the insurance industry of personal information. See 1980 NAIC Proceedings,
supra note 9, at 1120 ("The NAIC does not support proposals to create
substantive federal standards for the information practices of the insurance
industry at this time. The NAIC believes that individual states are best able
to address the complex issues surrounding insurance information practices and
the protection of privacy rights of consumers.")
Since passage of the federal legislation, NAIC President George Nichols has
been advising states against rushing to enact new legislation before fully considering
California House Bill 1707, introduced on January 3, 2000. See also,
Senate Bill 1372, introduced on January 20, 2000.
New York proposed similar legislation on January 11, 1999. See
N.Y. Assembly Bill 1498. Hawaii enacted a law similar to the Model Act
in 1988, but repealed it in 1993. Kansas enacted the provisions of the
Model Act pertaining to adverse underwriting decisions, but did not enact
the provisions governing the collection and disclosure of insurance information.
Wisconsin passed a statute based on the Model Act, but limited the provisions
of its law to the disclosure of personal medical information.
"Insurance institution" is defined as:
corporation, association, partnership, reciprocal exchange, inter-insurer,
Lloyd's insurer, fraternal benefit society or other person engaged in
the business of insurance, including health maintenance organizations,
medical service plans and hospital service plans . . . .
For example, a California court, in interpreting that state's act, determined that
"personal information" included the policy limits of an insurance contract.
See Griffith v. State Farm Mut. Auto. Ins. Co., 230 Cal. App.
3d 59 (1991).
In contrast, the NAIC's Health Insurance Privacy Model Act defines "disclose" in
such a way that the dissemination of an individual's information even within
the institution would be considered disclosure.
Proceedings of the National Association of Insurance Commissioners, Volume II, 1980-2 NAIC
Proc. 1110, 1115 (June 15, 1980 - June 20, 1980) (hereinafter 1980 NAIC Proceedings)
Some states' acts differ slightly from the Model Act concerning the number of enumerated
exceptions. For detailed information regarding individual state laws regarding
exemptions and other provisions, see the State Privacy Chart attached hereto.
The insurance institution must provide a disclosure authorization form that fulfills
the requirements of the Model Act. For a summary of these requirements, see
Section II(B), infra.
"Affiliate" is defined as "a person that directly, or indirectly through one or more intermediaries,
controls, is controlled by or is under common control with another person."
"Control" is defined as "the possession, direct or indirect, of the power to
direct or cause the direction of the management and policies of a person . . .
unless the power is the result of an official position with or corporate office
held by the person." Some states' acts differ slightly from the Model Act concerning
the affiliate exception. See State Privacy Chart, attached hereto.
The NAIC noted that:
Rather than require designation of specific persons authorized to disclose
and receive information . . ., the [Model Act] requires that persons
. . . be described generally by type. The NAIC believed that it would
be impractical to do otherwise. For example, at the time authorization
forms are obtained from the individual, the insurance institution cannot
be certain as to all persons from whom personal information may need
to be collected. It would be unnecessarily time consuming and costly
to require a new authorization every time information is needed [from]
a person from whom the need for disclosure was not originally contemplated.
Some states' acts differ slightly from the Model Act concerning permissible enforcement
mechanisms. See attached State Privacy Chart.
A similar bill was introduced in the California Senate on January 20, 2000. See
Senate Bill 1372. See also Senate Bill 1337.
Amy Monahan, Note: Deconstructing Information Walls: The Impact of the European
Data Directive on U.S. Businesses, 29 Law & Pol'y Int'l Bus. 275, 278
See id. (discussing at length Europe's comprehensive data information protection
statutes and noting the broad protection statutes governing both public and
private information processing). See also Peter A. Lynch, Peeking
Through the Electronic Keyhole, Best's Review: Property/Casualty 87, 88
(August 1999) ("The European Union's privacy directive requires consumer consent,
and firms must disclose how they intend to use the personal information. The
current U.S. policy is for industries to police themselves without government
oversight."); Joel R. Reidenberg & Francoise Gamet-Pol, The Fundamental
Role of Privacy and Confidence in the Network, 30 Wake Forest L. Rev. 105,
117 (1995) (noting that European countries, in contrast to the U.S., "have approached
the treatment of personal information in a comprehensive manner and have adopted
See generally Monahan, supra, at 285-93. See also Jennifer M.
Myers, Note: Creating Data Protection Legislation in the United States: An
Examination of Current Legislation in the European Union, Spain, and the United
States, 29 Case W. Res. J. Int'l L. 109 (1997).
Richard Fischer, Privacy and Accuracy of Personal Information, 3 N.C.
Banking Inst. 11 (1999).
R.I. Gen. Laws § 5-37.3-4.
410 Ill. Comp. Stat. 50/3; Md. Code Ann., Ins. § 4-403; Mass. Gen. Laws Ann.
ch. 175I, § 13.
Cal. Civ. Code § 56.20; Conn. Gen. Stat. § 31-128f.
See, e.g., N.J. Stat. § 26:5C-7 (a "record maintained by . . . any other institution
or person; which contains identifying information about a person who has or
is suspected of having AIDS or HIV infection is confidential and shall be disclosed
only for [limited] purposes"); N.J. Stat. § 10:5-47 (genetic testing information).
See, e.g., 740 Ill. Comp. Stat. 110/3 (preventing disclosure of mental health
records without consent unless covered under certain limited exceptions). See
also N.M. Stat. Ann. § 43-1-19; Pa. Stat. Ann. tit. 50, § 7111.
In contrast to the Model Act on Insurance Information and Privacy Protection, the
HIP Model Act does define "disclose" as "to release, transfer, or otherwise
divulge protected health information to any person other than to the individual
who is the subject of the protected health information."
Alaska Stat. § 28.10.505; Del. Code tit. 21, § 305; Fla. Stat. ch. 119.07; Ga.
Code Ann. § 40-5-2; Idaho Code § 49-203; Ind. Code Ann. § 9-14-3.5-10; 601 Ky.
Admin. Regs. 2:020; Me. Rev. Stat. § 255; Md. Code Ann., State Gov't § 10-616;
Mich. Comp. Laws § 257.208c; Neb. Rev. Stat. Ann. § 60-2907; N.D. Cent. Code
§ 39-33-05; N.J. Stat. § 39:2-3.4; N.M. Stat. Ann. § 66-2-7.1; Ohio Rev. Code
Ann. § 4501.27; Or. Rev. Stat. § 802.179; Tenn. Code Ann. § 55-25-107;
Va. Code § 46.2-208; W. Va. Code § 17A-2A-7. Cf. Cal. Veh. Code § 1808;
Mo. Stat. § 32.091; N.C. Gen. Stat. § 20-43.1. See also Mass. House
Bill 4689, introduced on August 19, 1999.
Re-disclosure is typically permitted, inter alia,
to governmental authorities, in connection with civil or criminal
proceedings; for research and statistical activities; in connection
with matters involving motor vehicle theft or performance; and to
insurers in connection with claims investigation activities, anti-fraud
activities, rating, or underwriting. See Fla. Stat. ch. 119.07;
Ind. Code Ann. § 9-14-3.5-13; Mich. Comp. Laws § 257.232;
Neb. Rev. Stat. Ann. § 60-2910; N.J. Stat. § 39:2-3.4;
Ohio Rev. Code Ann. § 4501.27; Or. Rev. Stat. § 802.181.
for that entity to perform a business, professional, or insurance
function for the disclosing insurance institution and that
entity agrees not to re-disclose the information without written
authorization from the individual; or
To enable the entity to provide information to the insurance
institution for the purpose of determining an individual's
eligibility for benefits or payments or for the purpose of
detecting or preventing criminal activity, fraud, or material