Privacy Under Gramm-Leach-Bliley

On November 13, 1999-the day after the passage of the Financial Services Modernization Act-insurance companies formed steering committees, project teams and task groups to determine what work needed to be done to comply with Title V of the Gramm-Leach-Bliley (GLB) legislation. Title V requires financial services institutions to establish privacy policies and, by July 1, 2001, deliver notices to their customers explaining how the company uses and shares nonpublic personal information. If a company shares that information with nonaffiliated third parties for marketing purposes, customers must be able to "opt out" of such sharing. Thereafter, companies must distribute an annual privacy notice to their customers.

"Gramm-Leach-Bliley was designed to break down the walls between banks and insurance companies-walls that have been in place since the Great Depression," says Bob Zieman, vice president and assistant general counsel for the National Association of Independent Insurers (NAII), Des Plaines, Ill. "Therefore, GLB provides, among other things, marketing opportunities for financial institutions."

The price financial institutions had to pay for such "modernization" was additional privacy protection for consumers, he says.

Indeed, the price insurers have had to pay for modernization thus far has been larger than meets the eye. Large insurance carriers-such as State Farm, Allstate, Nationwide and New York Life-have enlisted hundreds of people from across their companies to conduct inventories of what personal customer information they collect, where it resides, how they use it and with whom they share it.

They've written and reviewed the accuracy of their privacy policies, and planned and implemented internal communications and training programs to prepare their employees, agents and customer service centers to comply with the new law and to answer customer inquiries. With their notices now in the mail, they're also grappling with database management and systems security issues.

"There are people involved in this effort from literally every office and every function-systems, underwriting, claims, legal, communications, sales and marketing," says Kirk Herath, chief privacy officer at Nationwide Insurance Cos., Columbus, Ohio. "Every area has somebody at the table because privacy touches every area and every aspect of what we do since we gather and use a lot of personal information. That's the raw material for our products."

Nationwide began delivering between 13 million and 16 million privacy notices at the beginning of this year. "Different affiliates and subsidiaries are delivering them in different ways," Herath says. "Our mortgage company delivered a privacy statement with the 1099 tax forms right after the first of the year. Our property/casualty company is delivering them with the auto and homeowners renewal notices. Our life company is doing mass mailing, which began at the end of February, and those are going out with annual statements for life policies and annuities. We tried to deliver them in a cost-effective way by piggybacking, as much as possible, with other mail."

As daunting as the mailing is, it's only the tip of the iceberg, Herath says. "We spent more than a year building the back-room process to implement the mailing, as well as to determine what our privacy statement was going to look like, since a statement is really indicative of how you use customer information. It's an incredibly elaborate process."

The next Y2K

The breadth that privacy compliance spans within organizations has caused some observers to compare the issue to Y2K.

"I would agree with that comparison," says Thomas Warga, chief privacy officer at New York Life Insurance Co., New York. In fact, he says, when New York Life began its GLB privacy compliance effort, "I grabbed the project manager that just got off Y2K."

It made sense, Warga explains, because the Y2K project team had to take a broad look at the company's operations and systems. "The transferable skill was managing an enterprise-wide project of that magnitude. They had a database of where the systems were and a broad base of dealing with all the product and service areas. They had a database of vendors that we do business with," he says. "So by using the same project manager, we had a very quick start on how to organize and how to put our working groups together and what the issues were."

In addition to conducting audits and developing privacy notices, insurers have instituted massive communications and training programs to educate their agents, employees and customer service representatives-before they began distributing privacy notices to their customers.

The biggest onion

"Thousands and thousands of issues needed to be addressed for privacy compliance," Nationwide's Herath says. "I tell people this is the biggest onion you've ever peeled in your life. You peel back one layer, and just as soon as you think you've got all the layers, you realize there are another 100 under that one."

The logistics of mailing 44 million notices is only one layer, as State Farm Mutual Automobile Insurance Co. realized with the largest mailing in the company's history. "Do you know what 44 million notices look like stacked up?" asks Jim Tuit, associate general counsel for State Farm. "These things had to be sent out on trailer trucks around the country. A lot of trees were cut down for privacy notices."

A database issue

Indeed, notification is merely the first step in what will become a way of life for companies from now on, says Gloria Switzer, senior product manager at Experian, an Orange, Calif.-based company that provides privacy notification services to financial services providers.

"Our clients not only have to think about this notice that has to go out by July, but on an ongoing basis, how are they going to make sure they log anybody who opts out of a program?" she asks. "It becomes a database management issue as well."

Many of Switzer's clients are thinking about redesigning their databases, she says, "because they see that, right now, all you have to do is log the opt-outs, but ongoing, it's really about marketing to consumers the way they want to be marketed to."

New York Life does not share personal information with nonaffiliated third parties for marketing purposes-a policy shared by Allstate, Nationwide and State Farm. By law, therefore, New York Life was not required to offer an opt-out. However, the company wanted to protect its opportunities for joint marketing programs in the future, Warga says. Therefore, the company decided to offer the opt-out in its notice.

Logging these choices could have been a systems nightmare for New York Life. In fact, according to Warga, a few of his peers have decided to adopt a policy of not sharing with nonaffiliated third parties, just to avoid the time and expense of tracking opt-outs. "Technology drove their decision-making process rather than business driving it," he says.

Fortunately, Warga says, New York Life had already invested in a "gateway" system to its legacy contract administration systems, which aggregates multiple contracts for the same customer into a single client file. "That's where we decided to post our opt-outs," he says. "If we didn't have this technology in place, I don't know if it would have been worth spending the money on it now-for the potential to share in the future."
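The database issue Switzer raises and the approach Warga describes come down to one design decision: an opt-out is a choice made by a customer, not by a policy, so it has to be recorded against a consolidated client record and then honored for every contract that record aggregates, however the choice arrived. The following is an added illustration, not code from New York Life, Experian or any company named in the article. It assumes a simplified matching key (normalized name plus date of birth) standing in for whatever the real gateway uses to aggregate contracts, treats the latest dated choice per client as authoritative, and holds aside any response that cannot be matched to a contract rather than silently dropping it. All records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Contract:
    """One policy or annuity as it sits in a legacy administration system."""
    contract_id: str
    line: str          # "auto", "home", "life", ...
    last_name: str
    first_name: str
    dob: str           # ISO date, as stored on the contract


@dataclass(frozen=True)
class PrivacyChoice:
    """A customer response, referencing the contract whose notice they answered."""
    contract_id: str
    choice: str        # "opt_out" or "revoke"
    received: datetime


def client_key(c: Contract) -> str:
    # Assumed matching rule: whitespace/case-normalized name plus DOB.
    # A real gateway would use its own client identifier; this stands in for it.
    return f"{c.last_name.strip().lower()}|{c.first_name.strip().lower()}|{c.dob}"


def build_client_file(contracts):
    """Aggregate contracts into one client record per customer (the 'gateway' view)."""
    clients = defaultdict(list)
    for c in contracts:
        clients[client_key(c)].append(c.contract_id)
    return dict(clients)


def post_choices(contracts, choices):
    """Post opt-outs at the client level.

    Returns (set of opted-out client keys, list of unmatched choices).
    The latest-dated choice per client wins, so a later 'revoke' clears an 'opt_out'.
    Unmatched responses are returned for manual review instead of being discarded.
    """
    by_contract = {c.contract_id: client_key(c) for c in contracts}
    latest = {}
    unmatched = []
    for ch in sorted(choices, key=lambda x: x.received):
        if ch.choice not in ("opt_out", "revoke"):
            raise ValueError(f"unknown choice {ch.choice!r} on {ch.contract_id}")
        key = by_contract.get(ch.contract_id)
        if key is None:
            unmatched.append(ch)
            continue
        latest[key] = ch.choice
    opted_out = {k for k, v in latest.items() if v == "opt_out"}
    return opted_out, unmatched


def shareable_contracts(contracts, choices):
    """Contracts whose customer has NOT opted out of nonaffiliated third-party sharing.

    Because the check is keyed on the client, an opt-out mailed back with the
    auto renewal also removes that customer's homeowners and life contracts.
    """
    opted_out, _ = post_choices(contracts, choices)
    return sorted(c.contract_id for c in contracts if client_key(c) not in opted_out)


# Constructed sample data: one customer with three contracts across lines of
# business (note the inconsistent name formatting), and one with a single contract.
SAMPLE_CONTRACTS = [
    Contract("A-1001", "auto", "Doe", "Jane", "1960-04-02"),
    Contract("H-2002", "home", "Doe", "Jane", "1960-04-02"),
    Contract("A-1005", "auto", "Roe", "John", "1955-11-30"),
    Contract("L-3003", "life", "DOE ", "jane", "1960-04-02"),
]

SAMPLE_CHOICES = [
    PrivacyChoice("A-1001", "opt_out", datetime(2001, 3, 1)),   # Jane, via auto notice
    PrivacyChoice("X-9999", "opt_out", datetime(2001, 3, 2)),   # no such contract
    PrivacyChoice("A-1005", "opt_out", datetime(2001, 3, 5)),   # John opts out ...
    PrivacyChoice("A-1005", "revoke", datetime(2001, 3, 10)),   # ... then revokes
]


if __name__ == "__main__":
    print("client file:", build_client_file(SAMPLE_CONTRACTS))
    opted_out, unmatched = post_choices(SAMPLE_CONTRACTS, SAMPLE_CHOICES)
    print("opted-out clients:", opted_out)
    print("needs review:", [u.contract_id for u in unmatched])
    print("shareable:", shareable_contracts(SAMPLE_CONTRACTS, SAMPLE_CHOICES))
```

The point of posting the choice to the aggregated client record rather than to the contract is visible in the output: a single opt-out returned with the auto notice takes "H-2002" and "L-3003" out of the shareable set as well, even though the life contract stores the name differently. Without an aggregation layer, each line of business would have to be reconciled separately, which is the expense that led some of Warga's peers to forgo third-party sharing altogether.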

The costs of privacy

New York Life, which is sending out 4 million notices, has not determined the internal cost of time and labor for privacy compliance. But it has a budget of $4 million for its mailing and its "bare bones" systems programming for opt-outs, Warga says.

Nationwide didn't have to create new systems, but a lot of systems work was still done, Herath explains. "The security side of the house is making significant investments in our privacy infrastructure because privacy is policies and procedures, but security guarantees it," he says. To illustrate the contrast between the two functions, Herath notes that he has a staff of two, while his counterpart in the security office has a staff of about 35. "His job has just begun," he says.

"There's an enormous cost to privacy, and it's not going away," State Farm's Tuit says, describing the hiring and training of call center representatives at State Farm to respond to customer inquiries about their privacy notices. "So far, the response [from customers] has been very light," he adds. But "you have to over-budget for this because you don't know."

Much of the future cost of privacy for insurers will depend on what happens in state legislatures and in Congress over the next few years.

States are acting

"Action on the privacy issue is one of the major issues in the state legislatures affecting insurers this year," says NAII's Zieman. That's because GLB leaves it to the states to implement and enforce its privacy provisions for insurers, and it does not restrict the states from enacting stricter laws.

Several privacy models are under consideration in the states, including one developed by the National Association of Insurance Commissioners (NAIC), Kansas City, Mo., and another by the National Conference of Insurance Legislators (NCOIL), Albany, N.Y.

The NAIC model includes provisions protecting information related to health, workers' compensation and third parties such as beneficiaries and claimants. Critics say these provisions go beyond GLB's intention to protect personal financial information and would necessitate huge investments in programming changes, add to administrative costs and hinder competitive underwriting.

"Our board expressed preference for the NCOIL model because it more closely tracks GLB," NAII's Zieman says. "It does not include commercial lines. It does not treat third-party claimants as consumers. And it has a more streamlined approach to health information."

A few states are considering an "opt-in," which would require customers' affirmative consent for insurers to share information-in some cases, even with affiliates. And a 1982 NAIC privacy model, which 17 states had already adopted, as well as the current version of the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), permits customers to inspect their personal information. At the federal level, at least a dozen privacy-related bills are floating in the 107th Congress.

After July 1

"A lot of our clients are asking, 'What's going to happen on July 2, the day after they have to be in compliance with GLB?'" says Cynthia Andreason, partner at LeBoeuf, Lamb, Greene & MacRae LLP, a New York law firm specializing in insurance and financial services. In evaluating its clients' vulnerability, her firm uncovered about 70 lawsuits in the past two years against banks and Internet companies for sharing consumer information and for violating their own privacy policies.

"Companies that are drafting these policies need to make certain that they are absolutely accurate," she says. "You've got to know what you're doing, and then you've got to state it accurately. No one can afford to make statements in those notices that aren't accurate. For plaintiffs' lawyers, that's like fishing in a barrel," she warns.

"Most financial services institutions-and I include Nationwide in that-are very sensitive to people's privacy," Herath notes. "But I don't think it had ever been institutionalized to the extent that we had policies and procedures and training. There's a much more heightened sensitivity to privacy nationally . . . and we're a barometer of that trend."
