Thank you for sharing!

Your article was successfully shared with the contacts you provided.
As a summer deadline looms, insurance lawyers are finding themselves with an interesting dilemma on their hands. They have to bring clients into compliance with rules that do not yet exist. The nonexistent rules are consumer financial privacy legislation and regulations governing the insurance industry, which the states are allowed to adopt under the 1999 Gramm-Leach-Bliley Act (GLB). The states have until July 1 to do so; if they choose not to, Title 5 of the act becomes the default privacy standard. Among other things, GLB requires financial institutions to notify new customers and existing customers annually of their privacy policies and practices. It also allows a company’s customers to “opt out” of sharing financial information with third parties who are not affiliated with the company. And it enables the states to enact rules that are more stringent than its own. To date, with the deadline less than three months off, fewer than a dozen states have adopted rules in accordance with the act. New York is among them, having put in place the model regulations of the National Association of Insurance Commissioners (NAIC) safeguarding financial and health information. The financial privacy rules will go into effect on July 1 and the health rules on Dec. 31. The rest of the states are in various stages of consideration — most of them, anyway. Several states have done nothing at all. To make matters even more interesting, the rules being proposed and in some cases passed are by no means uniform. The American Insurance Association, a trade group in Washington, D.C., has been lobbying the states for uniformity, and the majority of states are looking to adopt the NAIC model act or regulations, either in whole or in part. But 16 other states already have variations of NAIC’s 1982 model privacy act in place and are debating whether to retain or reform their existing laws. And four states are considering a model law designed by the National Conference of Insurance Legislators. “It’s sort of a mess,” said Kirk Nahra, a partner at Washington, D.C.’s Wiley Rein & Fielding. UNUSUALLY COMPLEX Insurers, which traditionally are state-regulated, are used to dealing with the laws of 50 states. But even for them, the privacy issue is unusually complex, said Pamela M. Blumenthal, a partner at Washington, D.C.’s Hogan & Hartson. Part of the problem certainly derives from the 40 or so states that still have nothing on their books, or are considering whether to modify what they do have. But in the absence of guidance, most lawyers are counseling clients to follow the NAIC model rules, Blumenthal noted. Another wrinkle is the GLB privacy standard itself. GLB broke down Depression-era fire walls among banks, insurers and securities firms to allow cross-industry co-mingling. To militate against the unfettered use of consumer data, Congress added the privacy provision, mostly with the banks in mind, Blumenthal said. And for federally regulated banks and securities firms, guidance as to GLB’s privacy standard has been a relatively straightforward proposition. In a coordinated effort, the Federal Trade Commission, Federal Reserve Bank and Securities and Exchange Commission each adopted rules that largely mirror those of the other two agencies. Many practitioners agree with Joan Warrington, of counsel at the New York office of Morrison & Foerster, who said that the agencies did “an amazingly good job of creating consistent rules.” The banking industry was also ahead of the game even before GLB, Warrington said. Regulatory jawboning and media attention to the privacy issue prompted many banks to self-regulate, she added. It is a different story with the insurance industry, however. Although 16 states have had versions of NAIC’s 1982 model privacy law on their books for some time, insurers did not pay much attention to them, Warrington said, adding, “There was very little enforcement.” Thus for many insurers, although they tend to maintain a high degree of confidentiality because of the sensitive nature of the information they collect, enacting a formal privacy policy is a new proposition. And the awkward fit between GLB’s bank-oriented privacy standard and insurance companies, with their own distinct operational structure, does not help matters. Practitioners also have to contend with the challenge of fitting a broad-brush law to the intricate and mysterious inner workings of the large insurance company. “Legislators and regulators don’t really appreciate the complexities of business,” Warrington said. Warrington cited GLB’s annual privacy notice requirement as “one of the biggest difficulties with GLB.” Typically, with a single-premium insurance policy, once the customer pays, contact between insurer and customer ceases. So when a customer moves, the insurer does not necessarily update its records. “Some of the information we have is in shoeboxes, it’s so old,” Warrington said. Wiley, Rein & Fielding’s Nahra raised another concern over the poor fit: “What do you do about customers who are employers?” The statute, he said, is geared to customers as individuals, but many insurers provide group policies to companies that have employees throughout the country and even overseas, thus making notice and opt-out requirements a nightmare. Finally, to make things even more confusing, insurance companies also have to pay heed to the privacy protections of the Health Insurance Portability and Accountability Act (HIPPA) and the Fair Credit Reporting Act, both of which dictate how insurers can use consumer data. And when insurers go online, they also have to worry about any privacy policy they may post on their Web site. The result is a Tower of Babel of often-contradictory proposed and existing rules to safeguard consumer privacy. “It’s quite a matrix to work your way through,” Hogan & Hartson’s Barrington said. NO END IN SIGHT Not surprisingly, many financial services lawyers are finding that significant chunks of their time have been swallowed up by privacy issues. All of the lawyers interviewed said they spent most of their energy on privacy work. Blumenthal said Hogan & Hartson has a dozen lawyers working primarily on privacy issues, and another 20 or so dealing with privacy on and off. Morrison & Foerster has 20 lawyers in its privacy practice, Warrington said. Practitioners do not expect the work to ease up anytime soon. HIPPA goes into effect in two years, and many lawyers expect that compliance with its stringent privacy standards will prove to be even more difficult than what they face now. As for GLB, the years to come will see “a constant adjusting process for each state,” Blumenthal said. “I’ve been telling companies they’ve got a tough five years ahead of them,” Wiley, Rein & Fielding’s Nahra said.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.