Privacy Summary: Gramm-Leach-Bliley Act
By David Thompson, CPCU
The Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999 and directly affects financial institutions, including insurance companies and agencies. This document summarizes the provisions of GLBA for Florida insurance agencies. It is not a complete discussion of GLBA, and agencies may wish to consult an attorney when developing a privacy policy.

At the heart of GLBA are two requirements: financial institutions must provide a privacy notice to their customers, and they must restrict what non-public personal information (NPI) about customers they share with third parties. Financial institutions are also required to protect the security and integrity of customers' NPI through physical and electronic safeguards. The Florida Department of Financial Services has promulgated Rule 69J-128 to implement GLBA in Florida. That rule provides an "agent exemption" to portions of GLBA that is narrow in scope. The exemption prompts agencies to ask, "Do I have to send out the privacy notice?" Before answering that question, there are other important questions to consider.
Question. Must an agency understand and comply with GLBA?
Question. Must an agency have a privacy policy?
Question. Must an agency comply with the data security and integrity requirements?
Question. Must an agency provide the actual privacy notice to the customer?

Brief definitions of selected terms are necessary in order to fully understand the agent exemption.
Non-public personal information (NPI) is information an agency or company has about customers that identifies them and is not reasonably verifiable from a public data source. NPI includes a policy number, social security number, amount of coverage, unlisted phone number, payment history, account balance, name of insurer, effective dates of coverage, and even the simple fact that an individual is a customer of an agency.

An affiliate is an entity in which the financial institution owns a 25% or greater interest. Any other entity is referred to as a non-affiliated third party. For example, if Bank of the City owns 50% of Quality Insurance Agency, the two are affiliates. When Quality Insurance Agency provides a homeowners declarations page to Wells Fargo Home Mortgage Company, it is sharing NPI with a non-affiliated third party. (As will be pointed out, this is permitted under GLBA, and Quality Insurance Agency could still remain under the agent exemption in this situation.)

A joint marketing agreement (JMA) is an agreement between two or more financial institutions to jointly market their products or services. The JMA must contain terms that address how the NPI shared between the parties may be used. For example, Quality Insurance Agency may enter into a JMA with the Jones Life Insurance Agency to swap client names, addresses, phone numbers, and coverage amounts in order to cross-sell to each other's customers. Or an agency could enter into a JMA with a local bank to swap NPI on customers in order to better serve the financial needs of those customers.

Several exempted purposes exist under GLBA that allow an agency to share NPI with a non-affiliated third party. The three exempted purposes are:

1. Servicing and processing. For example, an agency providing a policy to a bank holding a loan on a customer's car, providing coverage data to an auto glass shop for a windshield claim, supplying a declarations page to a mortgage company, or providing NPI to an independent adjuster working a claim for a customer all fall under this exception.

2. Joint marketing agreements. Note, however, that the Florida Department of Financial Services has stated that if an agency has a JMA in place allowing it to share NPI with a non-affiliated third party, the agency no longer falls under the agent exemption and must provide a privacy notice.

3. "Legal reasons," a general heading that includes but is not limited to: sharing NPI with the customer's permission; sharing as directed by a federal, state, or local law; supplying rating information to rating bureaus such as ISO; and sharing as part of a fraud investigation.

The Florida agent exemption states that a "licensee" (the agency) is exempt from the privacy notice if all of the following conditions exist:

1. The licensee is an employee, agent, or other representative of another licensee, referred to as the "principal."
2. The principal complies with the law and provides the privacy notice to the customer.
3. The agency does not share NPI with a non-affiliated third party under a JMA.
4. The agency does not share NPI with a non-affiliated third party outside of a JMA, except as permitted by law.
5. The agent does not take NPI obtained from a customer for one line of business (such as personal auto) and disclose it to anyone in order to "shop for coverage" for another line of business (such as homeowners) without the customer's permission.

Again, note that the agent exemption applies only to the actual delivery of the privacy notice. The agency must still have a privacy policy in place, must understand the provisions of GLBA, and must protect the physical and electronic security and integrity of customer records through procedures such as locking buildings, requiring passwords, using computer backup procedures, limiting access to customer data to those with a need to know, and using computer firewall programs.

It is important to note that if an agency represents 12 different companies, all 12 companies must provide the privacy notice to customers. If one company does not, the agency falls outside the agent exemption and must provide the notice. Additionally, if the agency shares NPI in a manner not consistent with the notices provided by the companies it represents, it must supply its own notice outlining its privacy policy. For example, if none of the companies represented by the agency shares customer NPI with a non-affiliated third party, but the agency wishes to do so, then an agency privacy notice is required.

In cases where the privacy notice is required, it must be delivered when the customer relationship is established, annually, and any time the privacy policy changes. In general terms, the notice must state how NPI is collected (such as from applications and motor vehicle reports), with whom it is shared (as permitted by law, under a JMA, and/or with non-affiliates outside a JMA), and what data security and integrity controls are in place (locked buildings, alarm systems, computer firewalls, backup procedures, etc.). Additionally, if the agency shares NPI with a non-affiliated third party for a non-exempted purpose, the privacy notice must offer an "opt-out" option permitting the customer to prevent such sharing. Note that an opt-out option is not required for the servicing and processing exception, nor when a JMA is in place, nor for the "legal reasons" category cited above.

An agency should examine its operations to determine how NPI is shared. If it determines that its procedures are within the agent exemption, the agency should make certain employees understand the GLBA requirements on sharing NPI and should comply with the GLBA privacy provisions, including the data security and integrity requirements. If it determines that it falls outside the agent exemption, the privacy notice should be delivered to customers initially, annually, and as the privacy policy changes.

Agencies should make certain they fall within the exemption before deciding not to send out a privacy notice. Even if the exemption does apply, the agency may be well served to consider sending such a notice anyway.

Copyright FAIA, 2/28/08, David Thompson