THE
GRAMM-LEACH-BLILEY ACT
December 15, 2001(1)
LEE STREET MANAGEMENT'S(2)
SUMMARY
Privacy protection for personal information acquired by financial institutions
and others is, and will remain, for the foreseeable future a potent political
issue. The Gramm-Leach-Bliley Act(3) ("GLB"
or "Gramm-Leach") gave the financial services industry a long sought competitive
boost. Certain consumer privacy protections accompanied GLB's competitive
benefits. GLB privacy protections apply to financial institutions regardless
of whether the institutions are financial holding companies ("FHCs") under
Gramm-Leach(4).
Federal regulators have issued draft regulations to implement the privacy provisions
of Gramm-Leach(5). These regulations are to
be effective on November 13, 2000. Until final regulations implementing
GLB are adopted and possibly even after the adoption of federal regulations,
broadly defined terms such as "financial institutions", "financial activities",
"nonpublic personal information", "personally identifiable financial information",
"consumer" and "customer" will generate debate, disputes and confusion.
Existing and future state laws on this subject will only complicate matters
because terms such as consumer, customer, privileged or personal information
may not be defined at all or definitions may differ from those in GLB.
It is possible that state insurance regulators may not act to implement
GLB by November 13, 2000, which could result in costly revisions
to disclosure materials developed by financial institutions in response
to federal regulations.
Prior to enactment of GLB, relevant federal privacy laws limited disclosure
restrictions to medical and motor vehicle information, Fair Credit
Reporting Act ("FCRA") information, and privacy relating to the
activities of government agencies. GLB, however, includes provisions
intended to protect the privacy of personal nonpublic information
shared by financial institutions with third parties.
GLB CORE
PRIVACY REQUIREMENTS, PROPOSED REGULATIONS AND STATE ISSUES
GLB applies to "financial institutions", which GLB defines to encompass any entity
that engages in activities that are "financial in nature" and virtually any
other "financial" activity that federal regulators may designate. Insurers,
agents, and brokers are expressly included in the definition of "financial"
activity. The Federal Trade Commission (the "FTC"), for example, has proposed
regulations that would include among "financial institutions" (engaging in "financial"
activities) entities such as mortgage lenders, "pay day" lenders, finance companies,
mortgage brokers, account services, check cashers, wire transferors, travel
agencies operated in connection with financial services, debt collectors, credit
counselors, financial advisors, tax preparation firms and many other businesses
that never would have expected GLB to apply to them.
Gramm-Leach core privacy provisions address financial institution disclosure
policies regarding consumer information, consumer "opt-out rights,"
enforcement mechanisms, timing for implementation of regulations
promulgated pursuant to GLB, and preservation of state jurisdiction.
Each of these issues is discussed below. Exceptions to GLB's notice
and opt-out requirement are discussed in Section 5.
Disclosure Policies.
To appreciate the impact of GLB's disclosure
requirements, it is important to focus on the distinctions between "consumer"
and "customer" under GLB. A "consumer" is an "individual who obtains or has
obtained a financial product or service from you that is to be used primarily
for personal, family or household purposes, and that individual's legal representative."
A "customer" is a consumer who has a "continuing relationship" with the financial
institution. Financial institutions are not required under GLB to disclose privacy
practices and policies to "consumers", if they have no intention of sharing
information with nonaffiliated third parties. Therefore, unless an institution
is confident that sharing of nonpublic personal information will not occur,
disclosure might be most efficiently introduced in marketing and application
materials, i.e., to the "consumer". GLB requires all financial institutions
engaging in "financial" activities to disclose their privacy practices and policies
to "customers" regarding use of nonpublic personal information, regardless
of whether such institutions intend to share information with affiliates or
third parties. This disclosure must be made at the time of establishing a customer
relationship and then "not less than annually" during the continuation of the
relationship.
Disclosures pursuant to GLB must be "clear and conspicuous," may be made either in writing
or in electronic form or other form authorized by regulation. The disclosure
must set forth the institution's privacy policies and practices, and must include,
among other things, specific information regarding categories of persons to
whom information may be disclosed. Disclosure of privacy policies and practices
applies to sharing of personal information with affiliates and third parties.
Regulations implementing GLB expressly provide that oral delivery of the notice is not acceptable, although subsequent delivery of the written notice is permitted in certain circumstances such as transactions initiated by telephone.
Opt-out.
Once the required GLB disclosures have been made,
financial institutions may share certain "nonpublic personal information" with
third parties provided that the "consumer" has been provided with notice of
his right to opt-out and has not opted out within a "reasonable time." Regulators
should permit opt-out disclosure to occur with the general disclosures. Unless
the GLB disclosure and opt-out requirements are observed, nonpublic personal
information may not be shared with third parties, possibly regardless of where
such information was obtained, i.e., even if the information was otherwise
publicly available.
Enforcement.
Federal "functional regulators", state
insurance authorities, and the Federal Trade Commission will enforce
GLB's privacy requirements applicable to financial institutions
and "other persons". The Fair Credit
Reporting Act has also been
amended to clarify that the federal banking agencies have authority
to issue regulations "as necessary" to detect and enforce privacy
violations that may occur during the transfer of, and process of
correcting information given by banks to reporting agencies.
Accordingly, GLB contemplates multiple layers of regulation for financial institutions. Federal
agencies will regulate financial services entities to the extent of their jurisdiction.
State insurance regulators will have jurisdiction over insurance companies,
but that jurisdiction may overlap with the jurisdiction of federal agencies.
For example, an insurance company issuing registered products will be subject
to both state and federal regulation. An insurance agency that distributes registered
products will also be subject to both state and federal regulation. While the
GLB leaves enforcement of the federal privacy provisions to states and allows
states to adopt privacy laws or regulations relating to insurance that are more
strict than federal regulations, companies should anticipate inter-regulatory
conflicts in this area.
Timing and Effective Dates.
Regulations implementing GLB privacy provisions
are to be published in final form by May 12, 2000, but will not take effect
until November 13, 2000. After that date, financial institutions cannot
disclose nonpublic personal information about an individual who was a
customer before that date unless a policy notice and opt-out notice has
been provided and the individual has not opted out.
STATE ISSUES
The NAIC adopted the NAIC Insurance Information and Privacy Protection Model Act
(the "Model Act") nearly twenty years ago, and laws similar to it have been
adopted by fifteen states. Those states are likely to revisit privacy protections
in light of GLB, and states having no existing privacy legislation or regulations
affecting insurers are also likely to act. The Model Act provides that individuals
must affirmatively agree to disclosure of "personal" or "privileged" information.
"Personal" or "privileged" information as defined under the Model Act may cause
interpretive controversy because the GLB approach does not define these terms.
Rather, GLB addresses and defines the term "nonpublic personal information".
The concept of privileged information is not found in GLB.
States that have not enacted the Model Act generally have only piecemeal laws which
would limit the extent to which an organization may disclose an individual's
medical information or motor vehicle records. More states are likely to enact
comprehensive privacy protection laws in light of recent developments such as
(1) enactment of Gramm-Leach, which applies to financial institutions;
(2) the rapid development of e-commerce; (3) increased consumer activist
and agent lobbying in states; (4) the NAIC's commitment to address privacy
issues; and (5) negative publicity concerning companies selling personal
information for fees or commissions.
Two issues on which states may diverge from Gramm-Leach may be of particular concern.
The first is whether an entity may share personal information after giving the
consumer the right to "opt-out" or whether data sharing may take place only
if the customer expressly authorizes it, i.e., "opts in." GLB adopts
the opt-out approach, but some states have already been lobbied to pursue the
more stringent opt in approach.
The second issue regards data sharing among affiliated companies. GLB does not restrict
affiliate sharing of personal information, but states may well attempt to do
so, subject to restrictions in the FCRA. This will be critical to any financial
institution that seeks to take advantage of the new liberalized affiliation
rules under GLB to integrate financial businesses and cross-sell financial services.
However, FCRA preempts state law and permits the sharing of a broad class of
information within a corporate family. Therefore, such state action could also
spawn preemption litigation, notwithstanding GLB's preservation of state authority.
Financial institutions would argue that state prohibitions against affiliate
sharing of information directly conflict with and undermine GLB or are preempted
by the FCRA.
The insurance industry is now closely monitoring legislative activity in numerous
states. The prospect of 50 different privacy regulatory regimes, in addition
to the federal GLB and agency provisions, is of great concern. In addition,
the NAIC has formed a Privacy Working Group to establish policy regarding the
implementation of the GLB privacy provisions. The potential for increased costs,
particularly for on-line business is tremendous, not to mention potential litigation
and enforcement defense costs resulting from a confusing patchwork of regulations.
State legislators have responded to recent media attention regarding how easily
information provided by consumers on the internet can be obtained. See,
e.g., November 29, 1999 Forbes cover story, "The End of Privacy."(6)
In March, 1999, legislation was proposed in Maine to establish an "Internet
Policy" for the state which would apply privacy laws to electronic transmissions
and impose notice and consent requirements for disclosure of consumer
information online. See Me. House Bill 1339. In late January, 2000,
a settlement agreement was reached between Chase Manhattan Corp. ("Chase")
and the New York Attorney General concerning Chase's practice of providing
customer information to marketing firms, which apparently included encrypted
bank account numbers and loan data. The marketing firms allegedly used
the information to contact Chase customers to solicit products, such as
emergency road service plans, discount shopping clubs, legal services
and magazine subscriptions, and Chase received a commission on successful
sales.
In the settlement, Chase agreed not to share any customer data with outside
marketers without customers' express written consent and even where consent
is given, the only information disclosed will be names, addresses and
telephone numbers; no financial data will be disclosed. This procedure
is more restrictive than the "opt-out" privacy provision in Gramm-Leach,
which allows financial institutions to share customers' data with outside
firms unless customers expressly ask them not to do so.
CONCLUSION
Interpretative disputes over federal and state privacy laws and regulations are inevitable.
These disputes are likely to occur between state and federal regulators,
despite GLB's attempt to preserve state insurance regulation, and between
plaintiffs' class action lawyers and financial institutions. The FTC and
ultimately the federal courts will resolve such disputes.
Financial institutions should consider adopting the highest standards of disclosure
found in any of the laws applicable to them. While this approach may seem
administratively and economically onerous, it could prove far less costly
over the long term.
DISCUSSION
I. FEDERAL LEGISLATION
A. Privacy After the Gramm-Leach-Bliley Act
1. History of the Gramm-Leach-Bliley Act Privacy Provisions
Gramm-Leach was signed into law on November 12, 1999. Its primary impact
was the elimination of many federal and state law barriers to affiliations
among banks, insurers, securities firms and other financial services
providers. Late in the congressional debate on financial services
reform legislation, privacy of personal information obtained by
financial institutions became critical to the bill's prospects.
No privacy provisions were in the version the House Banking Committee
passed in March of 1999 or in the versions passed by the Senate
Banking Committee in April and the full Senate in early May of 1999.
Indeed, no formal discussion of the issue occurred until the House
Commerce Committee first considered the bill in late May of 1999.
By that time, privacy emerged as a potent political issue. Privacy
issues had received attention several years earlier, when Congress
instructed federal agencies to draft rules protecting the confidentiality
of health-related data. Also, as the popularity of electronic commerce
grew, consumers were becoming increasingly alarmed that their credit
card numbers, buying habits, and other information would be put
up for sale to the highest bidder. Until May, however, confidentiality
of information maintained by financial institutions had not been
a front-burner issue on Capitol Hill.
The House Commerce Committee changed that. As the legislation was prepared for subcommittee
markup, consumer groups and the Clinton Administration began prodding Democrats
to offer an amendment prohibiting the sharing of customer information among
and between financial affiliates or with outside third parties. The issue was
ripe, and the Democrats knew it. Not only was public angst about privacy growing,
but New York's Attorney General had commenced a lawsuit against Chase for allegedly
sharing customer names, Social Security numbers, and other information with
a telemarketing firm in exchange for several million dollars in commissions.
Thus, Democrats argued that their amendment was necessary to prevent unprecedented
erosions of consumer privacy.
Financial industry lobbyists were most alarmed by two proposals that were
considered but ultimately rejected: (1) that financial institutions
must require affirmative consent from customers before sharing information;
and (2) that information sharing among affiliates be subject
to the new rules. The adoption of either would have severely restricted
one of the principal benefits of Gramm-Leach -- the ability to cross-market
services among affiliates and third parties. Thus, industry lobbyists
fought against these proposals and won. In the end, GLB restricted
information sharing only with third parties, and not among affiliates.
It also required only that customers be given notice and opportunity
to "opt out" if they do not want their personal information shared
with third parties.
2. Recent Responses to GLB
Federal and state regulators are now engaged in addressing consumer activists' demands
for further privacy protections. The financial services industry is geared for
battle at federal and state levels. Late last year, several major financial
services associations formed a new coalition to push for enactment of GLB. The
Financial Services Coordinating Council ("FSCC") is comprised of the American
Council of Life Insurance ("ACLI"), the American Insurance Association ("AIA"),
the American Bankers Association ("ABA"), the Investment Company Institute
("ICI"), and the Securities Industry Association. The FSCC's priority is to
focus on the privacy issue so that GLB benefits are not diluted by more onerous
or multiple privacy requirements. The FSCC is also focusing on GLB-related regulatory
and state legislative issues, including electronic signatures, international
trade, taxation and legal reform.
FSCC's members are urging states to take a "go slow" approach, and not enact major
new privacy initiatives until the GLB provisions have been implemented and tested.
The organization also notes that insurer privacy practices are already regulated
in some states and that inter-affiliate sharing is governed by the federal Fair
Credit Reporting Act, which preempts state law.
The NAIC has formed a Privacy Working Group to establish policy regarding the implementation
of the GLB privacy provisions. Earlier this year, the NAIC issued a request
for comments on how states should respond. In addition, the Working Group held
a public hearing at the March quarterly NAIC meeting in Chicago, and is expected
to complete its work by the end of this year, if not before.
President Clinton vowed, when signing GLB, to seek further legislation to toughen
privacy requirements on financial institutions. Indeed, some other legislators,
including a few prominent Republicans, have already sponsored legislation
to strengthen the privacy provisions of GLB(7).
A newly formed Democratic Privacy Task Force held its first meeting in
February. Thus, the politically charged privacy issue will not go away,
and may have an impact on this year's presidential and congressional elections.
It is against this backdrop that all interested constituencies are lobbying to
protect their interests.
3. Gramm-Leach-Bliley Act and Proposed Regulations
Details relating to the disclosure and opt-out requirements in Gramm-Leach were left
to subsequent rulemaking by federal regulators after consultation with state
insurance regulators. Federal regulators are federal banking agencies, i.e.,
the Federal Reserve, Office of the Comptroller of the Currency ("OCC"), Federal
Deposit Insurance Corporation ("FDIC") and the Office of Thrift Supervision
("OTS"); the National Credit Union Administration ("NCUA"); the Securities and Exchange
Commission ("SEC"); and the Federal Trade Commission ("FTC"). Finally, state
insurance regulators will also seek to prescribe regulations to implement GLB's
privacy provisions. This broad mandate will include additional details about
disclosures and notice to consumers, as well as elaboration on any of the exceptions
to the third-party opt-out requirement. These agencies have published draft
regulations.
GLB also requires that the several agencies and departments engaging in rulemaking
"consult and coordinate" with each other and with state insurance authorities
to assure "to the extent possible, that the regulations prescribed by each such
agency and authority are consistent and comparable with the regulations prescribed
by other agencies and authorities." The final rule is expected to be promulgated
by May 12, 2000. However, the draft regulations would take effect on November
13, 2000. After that date, financial institutions cannot disclose nonpublic
personal information about an individual who was a customer before that date
unless a policy notice and opt-out notice has been provided and the individual
has not opted out. Notices to existing customers must be made within 30 days
under draft regulations. Proposed rules are discussed under section headings
below.
4. Who Must Comply?
The privacy provisions of GLB apply to "financial institutions," which are
defined to include any entity that is "engaging in financial activities
as described in section 4(k) of the Bank Holding Company Act."(8)
GLB identifies activities that are "financial in nature" and empowers
the Federal Reserve Board (in consultation with other regulators) to designate
other financial activities or activities that are incidental or complementary
to financial activities. (See Appendix A for the Board's current
list of activities that are financial in nature.) The FTC has issued a
proposed rule providing guidance as to covered entities. These include,
"mortgage lenders, 'pay day' lenders, finance companies, mortgage brokers,
account servicers, check cashers, wire transferors, travel agencies operated
in connection with financial services, debt collectors, credit counselors
and other financial advisors, and tax preparation firms." Thus, entities
that may believe that GLB does not apply to them may be surprised to find
themselves subject to the privacy provisions of GLB.
5. Disclosure and Opt-Out Procedures
GLB requires all financial institutions engaging in financial activities pursuant
to its provisions to disclose their privacy policies to each customer regarding
use of nonpublic personal information, both at the time of establishing a customer
relationship and then "not less than annually" during the continuation of the
relationship. This requirement applies regardless of whether such information
will be shared with affiliates and third parties. (Disclosure to consumers is
required only if the institution contemplates sharing nonpublic personal information
with nonaffiliated third parties.)
GLB and proposed rules distinguish "consumers" and "customers." The distinction
is important because a financial institution's obligations to each are different
in some respects. A "consumer" is an "individual who obtains or has obtained
a financial product or service from you that is to be used primarily for personal,
family or household purposes, and that individual's legal representative." (Note
that these provisions do not apply to companies or individuals who purchase
services for business purposes.) Thus, a consumer who is shopping for a price
quote, for example, would not be entitled to a privacy policy disclosure and
would receive an initial disclosure and opt-out notice only if the institution
intends to share personal information collected about the consumer with a nonaffiliated
third party. A "customer" is a consumer who has a "continuing relationship"
with the financial institution. Initial privacy policy disclosures are required
for "customers" in all circumstances, even if no data sharing with third parties
is contemplated. Opt-out notices are required only if data sharing with nonaffiliated
third parties is contemplated.
Currently proposed regulations specifically provide that a person who engages in only
an "isolated transaction" is not a "customer." The term "isolated transaction"
is not defined, except that it specifically includes withdrawing cash from an
ATM machine or purchasing a cashier's check or travelers check at a bank. A
series of ATM transactions at the same bank would also satisfy the "isolated
transaction" standard. Consumer groups have already indicated they will protest
the ATM exception.
Required disclosures to consumers or customers must be "clear and conspicuous," may be
made either in writing or in electronic form or other form authorized by regulation
and must set forth the institution's privacy policies and practices, and must
include:
· Policies and practices regarding disclosures to affiliates and to nonaffiliated third parties, including the categories of persons to whom information may be disclosed.
· Policies regarding disclosures of nonpublic information related to former customers.
· General policies for protecting the confidentiality and security of nonpublic personal information of consumers.
· Categories of nonpublic personal information that the institution collects.
· Certain disclosures as may be required under the Fair Credit Reporting Act.
The proposed regulations expressly provide that oral delivery of the notice
will not satisfy these requirements. Affected industries are likely
to suggest circumstances (such as telephone marketing) where oral delivery
perhaps followed by a written or electronic confirmation might be appropriate.
Once the required privacy policy disclosure has been made, financial institutions
may share certain "nonpublic personal information" with nonaffiliated third
parties provided that the customer has been provided with notice of his right
to opt-out and has not opted out within a "reasonable time." While the disclosure
requirement is independent of the opt-out notice requirement, commentary to
proposed regulations suggests that regulators will permit the disclosure and
opt-out notice to be combined. Importantly, a new disclosure notice is required
each time the company changes its privacy policy.
The proposed regulations do not prescribe any particular method by which a consumer
must opt-out. The only requirements are that the opt-out be in writing, and
can be in electronic form if the customer agrees. The draft regulations do give
examples of "reasonable" opt-out methods, which include: (1) provision of an
e-mail address, if the customer agrees; (2) a check-off box in a prominent place
on relevant forms, together with the opt-out notice; and (3) detachable, pre-addressed
form or self-addressed, stamped postcard together with opt-out notice.
Even if a customer has not "opted out" of the institution's information sharing policy,
Gramm-Leach prohibits disclosure of account numbers or similar forms of access
codes for credit card accounts, deposit accounts, or transaction accounts to
any nonaffiliated third party for use in telemarketing, direct mail marketing
or other marketing through electronic mail to the consumer.
The Act also prohibits nonaffiliated third parties that receive nonpublic personal
information from a financial institution for any purpose from reusing such information
by disclosing to any other person, unless the disclosure could otherwise have
been made lawfully to such person by the financial institution. This means,
for example, that an attorney, accountant, or auditor who received nonpublic
personal information from a financial institution (pursuant to GLB's specific
exemption) could not then disclose that information to others to whom the financial
institution could not directly disclose it.
There are exceptions to GLB's notice and opt-out requirements. Under proposed regulations,
key exceptions include:
· Information transfers to "effect, administer, or enforce transactions requested or authorized by the consumer" or for a number of other purposes, including, "to underwrite insurance at the consumer's request or for reinsurance purposes or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by federal or State law."
· With certain conditions, information provided to nonaffiliated third parties who perform services (including joint marketing agreements);
· Transfers to provide information to an insurance rate advisory organization, guaranty fund or agency, or credit rating agency, or consumer reporting agencies (in compliance with the Fair Credit Reporting Act); and
· With certain conditions, transfers in connection with sales, mergers, etc. of the financial institution or its operating units.
(a) What constitutes nonpublic information?
Currently proposed regulations provide that "nonpublic" information is "personally
identifiable financial information" that is: (1) provided by a customer
to a financial institution; (2) results from any transaction with
the customer or any service performed for the customer; or (3) otherwise
obtained by the financial institution. Nonpublic personal information
also includes any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived using
any nonpublic personal information. Public personal information is: (1) publicly
available information derived without using any nonpublic personal information;
or (2) any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived without
using any nonpublic personal information.
Regulators are divided on how to interpret these broad provisions and have asked
for public comment on two competing proposals. The first proposal (endorsed
by the Federal Reserve and supported by the OCC as one of two options)
states that information provided by an individual which is also available
from public sources is considered public and therefore not covered by
the regulations. Under the second proposal (not yet exclusively endorsed
by any regulator), if the information is obtained from the customer, then
it is "nonpublic" for purposes of the privacy regulations regardless of
whether it is otherwise obtainable from public sources. This issue will
undoubtedly be the subject of aggressive lobbying.
The issue of how to define "nonpublic personal information" may be less important
than it appears, however, given that regulators are in agreement that
financial institutions may not share the fact that an individual is a
customer without providing the customer with notice and opportunity to
opt-out (unless that fact is available from government records or required
to be disclosed by law). Thus, if the information to be shared relates
to a customer, then it cannot be shared with third parties without notice
and an opportunity for the customer to opt-out, regardless of whether
the information is available from public sources. It is important to note
that the decision to prevent sharing of customer lists is being made by
regulators. Congress left this to the regulators' discretion and did not
require it in GLB. When the Federal Reserve released its proposed regulations,
it noted that this issue "appears to be a matter of concern in the financial
services industry", without further discussion. This aspect of the proposed
regulations is one of the most alarming to the financial services industry
and will undoubtedly attract considerable comment.
6. Enforcement
State and federal financial regulators, including the FTC, have authority to enforce
the privacy regulations to the extent of their jurisdiction and consistent with
their general enforcement powers. However, GLB delegates to the FTC authority
to determine whether a state or federal regulation is most strict, after consultation
with relevant agencies and state regulators. This means, for example, that even
an insurance company that distributes registered products and owns or controls
an insurance investment adviser or broker-dealer would have to comply with state
and relevant federal agency regulations.
GLB, however, does not provide a private right of action for violations, but some
state unfair trade practices laws allow consumers to seek judicial redress for
violations of consumer protection laws. Thus, a private right of action could
exist for violation of relevant state privacy laws.
State insurance regulators generally have no authority to enforce federal law. However,
GLB requires state and federal regulators to establish standards to: (1) ensure
the security and confidentiality of customer records and information; (2) protect
against any anticipated threats or hazards to the security or integrity of such
records; and (3) protect against unauthorized access to or use of such records
or information which could result in substantial harm or inconvenience to any
customer. State insurance regulators who decline to adopt these standards could
lose the power to preempt other provisions of the bill regarding insurance sales
practices.
To the extent that insurers have subsidiaries that engage in activities subject
to federal regulation, such insurers may be subject to multiple layers of regulation
and enforcement regimes. For example, an insurance company issuing registered
products will be subject to both state and federal regulation. An insurance
agency that distributes registered products will also be subject to both state
and federal regulation. While the GLB leaves enforcement of the federal privacy
provisions against insurers to states and allows states to adopt privacy laws
or regulations that are more strict than federal law, companies should anticipate
inter-regulatory interpretive disputes in this area, despite the fact that the
FTC is to resolve disputes after consultation with the agency that regulates
the party filing a complaint or the financial institution that is the subject
of the complaint. As noted above, the FTC will also resolve disputes between
states and federal agencies as to which requirements are most stringent.
7. Relation to State Privacy Laws
GLB privacy provisions preempt state law only where such laws or regulations are
inconsistent with GLB, and then only to the extent of the inconsistency. Moreover,
GLB provides that state law will not be preempted for inconsistency where state
law affords greater protection than that afforded by GLB. As previously noted,
GLB has prompted the introduction of privacy bills in a number of state legislatures
and action by the NAIC.
B. Other Federal Legislation Affecting Consumer Privacy Issues
Prior to GLB, federal legislation addressed confidentiality of consumer information
mostly in the context of medical records (kept by employers) and motor vehicle
information, the Fair Credit Reporting Act, or privacy provisions which apply
only to governmental agencies.
1. Fair Credit Reporting Act
The major federal consumer privacy statute is currently the FCRA(9),
which, among other things, permits (but regulates) the sharing of information
among affiliates.
Unlike GLB, states are not permitted to preempt the FCRA. Thus, to the extent
that state privacy laws seek to go beyond GLB and regulate affiliate transactions,
they may (in many circumstances) be preempted by the FCRA.(10)
Specifically, FCRA permits unrestricted sharing within a corporate family
of so-called "transactions and experience information" relating to transactions
between affiliates and consumers. This includes, for example, a customer's
outstanding balance and whether the customer is delinquent in paying bills.(11)
FCRA does this by exempting such information from the definition of a
"consumer report." Generally, a consumer report is "any communication,
by a "consumer reporting agency," of any information that bears on a consumer's
credit-worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living that is collected
or used (or expected to be collected or used) as a factor in establishing
the consumer's eligibility for credit, insurance, employment, or any other
purposes permissible under the Act."(12)
Reports limited to the consumer's name and address, with no connotations
as to credit worthiness or other characteristics, do not constitute a
"consumer report." Information that is considered a "consumer report"
(i.e., other than transactions and experience information) may nevertheless
be shared among affiliates if a notice and opt-out procedure is followed.
2. Medical Information
The Occupational Safety and Health Act (29 U.S.C. § 651) ("OSHA") and the Americans
with Disabilities Act (42 U.S.C. § 12101) ("ADA") impose restrictions on the
maintenance of employees' medical records. In particular, OSHA, and its accompanying
regulations, require employers to disclose certain medical records about their
employees to the federal government, but otherwise do not permit disclosure.
The ADA provides that medical information obtained through employee medical
examinations is confidential.
In 1996, Congress passed the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA") to protect health insurance coverage for workers
and their families when they change or lose jobs.(13)
It also calls for uniform standards to protect the privacy of individually
identifiable health information. HIPAA directed Congress to enact privacy
legislation by August 21, 1999, and, in the alternative, required the
Secretary of Health and Human Services to promulgate such standards by
regulation. As Congress did not pass such legislation, the Secretary was
required to publish final standards by February 21, 2000.
Proposed regulations were published on November 3, 1999. See 64 Federal Register
59918. The regulations apply to all health plans, all health care clearinghouses,
and all health care providers that transmit health information in an electronic
form in connection with a standard transaction (referred to collectively as
"covered entities"). Covered entities would be prohibited from using or disclosing
protected health information except under certain circumstances, such as disclosure
with an individual's authorization, and disclosure without authorization for
treatment, payment and health care operations. Covered entities also would be
permitted to use or disclose a patient's protected health information without
authorization for specified public and public policy-related purposes, including
public health, research, health oversight, law enforcement, and use by coroners.
With certain exceptions, permitted uses and disclosures of protected health
information would be restricted to the minimum amount of information necessary
to accomplish the purpose for which the information is used or disclosed, taking
into consideration practical and technological limitations (including the size
and nature of the covered entity's business) and costs.
3. Motor Vehicle Record Information
The Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721) imposes federal restrictions
on the disclosure of state motor vehicle information. Personal information about
any individual obtained in connection with a motor vehicle record may be disclosed
only for certain enumerated uses. For example, personal information may be disclosed
"[f]or use by any insurer . . . or its agents, employees, or contractors, in
connection with claims investigation activities, antifraud activities, rating
or underwriting." 18 U.S.C. § 2721(b). An authorized recipient of personal information
may resell or re-disclose the information only for a stated permissible use.
18 U.S.C. § 2721(c).
The federal act also mandates state implementation under 18 U.S.C. § 2723(b).(14)
Thus, most states' motor vehicle information privacy laws mirror the federal
act. (California and Virginia previously enacted such legislation.)
4. Information Obtained by Government Agencies
Some federal laws protect consumer information, e.g., Privacy Act of 1974
(5 U.S.C. § 552a), the Freedom of Information Act (5 U.S.C. § 552), and the
Right to Financial Privacy Act of 1978 (12 U.S.C. § 3401). These laws govern
the disclosure of information obtained by government agencies and not private
entities. The Right to Financial Privacy Act of 1978 limits governmental authorities
to obtaining financial records of individuals and partnerships with five or
more members.
II. STATE LAWS, THE NAIC MODEL ACT AND RELATED RECENT ACTIVITIES
GLB directs state regulatory agencies to establish appropriate privacy standards
for financial institutions holding personal information provided by consumers.
The NAIC and states such as New York are seeking public comment on what
standards should be established in implementing the privacy provisions
of GLB.(15) Final recommendations are expected
before year-end.(16) The request for public
comment asks for recommendations on the type of regulation which should
be adopted by states, what privacy issues should be addressed, and input
on what types of notice/consent should be required before customer information
is disclosed. If states do not act before November 13, 2000 (the
date on which GLB privacy requirements take effect) financial institutions
may be burdened with revising their disclosure policies.
GLB has already prompted many state legislators to seek passage of similar
privacy protections. For example, although California adopted the NAIC
Model Act, which prohibits an insurance institution's disclosure of personal
information about an individual except in certain circumstances, a bill
was introduced on January 3, 2000 in the California Assembly which would
afford privacy protections greater than those of the Model Act.(17)
The bill would prohibit a "financial institution" (defined to include
insurance companies, banks, credit unions, mortgage lenders, etc.) from
disclosing, without a consumer's written consent, the nonpublic
personal information collected by the institution in connection with any
transaction with the consumer involving any "financial product" or any
"financial service" (neither term is defined) or otherwise obtained
by the financial institution. Unlike Gramm-Leach, which gives a customer
the ability to "opt-out" of the institution's arrangements to share customer
information, the California bill would require customers to "opt in" (agree
to the information sharing agreement) before the information could be
shared.
In addition to California, at least seven other states have already introduced
some form of financial privacy legislation since the November 12, 1999 enactment
of Gramm-Leach.
A. The NAIC Model Act
The NAIC Model Act was adopted in 1980 to address the issue of confidentiality
of personal information obtained by insurance companies. Fifteen jurisdictions
-- Arizona, California, Connecticut, Georgia, Illinois, Maine, Massachusetts,
Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon,
and Virginia -- have enacted laws that are substantially similar to the
Model Act.(18) The laws in these states may
differ slightly from the Model Act.
Under the Model Act, an "insurance institution"(19)
may disclose confidential personal and privileged information only under
limited circumstances. The Model Act establishes standards for the collection,
use, and disclosure of personal, privileged, or medical record information
gathered about an individual by an insurance institution in connection
with "insurance transactions," defined as:
any transaction involving insurance primarily for personal, family or household
needs rather than business or professional needs which entails: (1)
the determination of an individual's eligibility for an insurance coverage,
benefit or payment; or (2) the servicing of an insurance application,
policy, contract or certificate.
The Model Act requires insurance institutions to: (1) provide notice of their information
practices to applicants and policyholders; (2) inform individuals of marketing
questions; (3) give individuals access to their recorded personal information;
and (4) disclose their reasons for adverse underwriting decisions. The Act prohibits
insurance institutions from seeking information concerning previous underwriting.
Finally, the Act gives the state insurance commissioner the power to enforce
the law. An example of potential discord between state and federal regulators
could be whether an "applicant" should be treated as a "consumer" or "customer"
in determining whether state law is more strict or more lenient than federal
law.
1. Disclosure of Personal or Privileged Information
Unless a relevant exemption applies, the Model Act prohibits an insurance institution
from disclosing "any personal or privileged information" about an individual
collected or received in connection with an insurance transaction.
(a) What Constitutes "Personal" or "Privileged" Information?
The Act defines "personal information" as:
any individually identifiable information gathered in connection with an
insurance transaction from which judgments can be made about an individual's
character, habits, avocations, finances, occupation, general reputation,
credit, health or any other personal characteristics including name,
address, and medical record information.
Privileged information generally includes individually identifiable information that:
(1) relates to a claim for benefits or a civil or criminal proceeding
involving an individual; and (2) is collected in connection with or in
reasonable anticipation of a claim for insurance benefits or civil or
criminal proceeding involving an individual. "Privileged information"
includes, for example, investigatory files compiled for law enforcement
purposes and trade secrets and confidential data or information. The definitions
of "personal" and "privileged" information are broad and encompass a wide
range of information.(20) GLB and proposed
regulations rely upon the term "nonpublic personal information" which
may be more encompassing than "personal" or "privileged" information.
However, this issue is likely to be debated.
(b) What Constitutes "Disclosure"?
The Model Act does not define "disclose," and does not expressly address whether
an insurance institution is prohibited only from disclosing information
to third parties or whether the prohibition applies to affiliate disclosures
as well.(21) If it was intended to allow
disclosure among affiliates, the Model Act is not clear on this subject.
In 1980 (the year the Act was adopted), the President of the NAIC commented:
The NAIC readily acknowledges that . . . the [Model Act] permits information
to flow with considerable freedom within the insurance industry. This
permissive approach to the flow of information within the insurance
industry does not apply to information flowing outside the industry,
however. As currently drafted, [the Model Act] establishes a strict
duty of confidentiality with respect to disclosures of information
outside the insurance industry.(22)
However, it could be inferred from exception (12) of the Model Act, regarding permitted
disclosures, that affiliate sharing is not allowed for any purpose other than
that stated in exception (12), discussed below. Since GLB allows states to adopt
more stringent privacy laws, such an interpretation could be devastating.
(c) Exemptions From Disclosure Prohibitions
The Model Act contains eighteen enumerated exceptions to prohibiting disclosure
of "personal" or "privileged" information. One of these exceptions requires
affirmative consent to disclosure.(23) The
Model Act does not distinguish "consumers" and "customers" for this purpose.
Specifically, the Model Act permits disclosure of such information:
(1) With the written authorization of the individual;(24)
(2) To an outside entity if such disclosure is:
    (a) Reasonably necessary for that entity to perform a business, professional, or insurance function for the disclosing insurance institution and that entity agrees not to re-disclose the information without written authorization from the individual; or
    (b) To enable the entity to provide information to the insurance institution for the purpose of determining an individual's eligibility for benefits or payments or for the purpose of detecting or preventing criminal activity, fraud, or material misrepresentation;
(3) To an insurance institution, provided the disclosure is to detect or prevent criminal activity, fraud, or material misrepresentation; or for the receiving insurance institution to perform its function in connection with an insurance transaction;
(4) To a medical care institution or medical professional if disclosure is reasonably necessary for the purpose of verifying coverage, informing the individual of a medical problem, or conducting an audit to verify the individuals treated;
(5) To an insurance regulatory authority;
(6) To a law enforcement or governmental authority;
(7) As otherwise permitted or required by law;
(8) In response to a valid administrative or judicial order;
(9) For the purpose of conducting actuarial or research studies, provided the individual is not identified in any report and the actuarial or research institution does not re-disclose the information;
(10) To a party proposing or consummating a sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, provided such disclosure is reasonably necessary and the recipient of the information does not re-disclose the information;
(11) To a person whose only use of the information will be in connection with the marketing of a product or service, provided:
    (a) No medical record information, privileged information, or personal information relating to an individual's character, habits, mode of living, or general reputation is disclosed; and
    (b) The individual was given the opportunity to indicate that he or she does not want personal information to be disclosed for marketing purposes; and
    (c) The recipient of the information agrees not to use the information except in connection with the marketing of a product or service;
(12) To an affiliate whose only use of the information will be in connection with an audit of the insurance institution or the marketing of an insurance product or service, provided the affiliate does not re-disclose the information it obtains for another purpose or to unaffiliated persons;(25)
(13) By a consumer reporting agency, provided the disclosure is to a person other than an insurance institution;
(14) To a group policyholder, if reasonably necessary for the purpose of reporting claims experience or conducting an audit;
(15) To a professional peer review organization for the purpose of reviewing a medical care institution or medical professional;
(16) To a governmental authority for the purpose of determining an individual's eligibility for health benefits for which the authority might be liable;
(17) To a policyholder for the purpose of providing information concerning the status of an insurance transaction; or
(18) To a lienholder, mortgagee, assignee, lessor, or other person having a legal or beneficial interest in a policy.
2. Notice and Disclosure Authorization
The Model Act requires an insurance institution to provide written notice of its
insurance information practices to applicants or policyholders in connection
with insurance transactions. The notice must state whether personal information
may be collected from persons other than the individual proposed for coverage,
the types of information that may be collected, the types of sources and investigative
techniques that may be used to collect such information, the types of disclosures
of this information that may be made, and the individual's right to access and
change his or her personal information recorded by the insurance institution.
Alternatively, the insurance institution may provide an abbreviated notice informing the individual
that personal information may be collected from persons other than the individual
proposed for coverage, such information may then be disclosed to third parties,
personal information may be accessed and changed by the individual, and full
notice (as described above) will be furnished to the individual upon request.
This type of notice could be deemed insufficient to satisfy GLB and federal
regulatory requirements.
The Model Act also requires the use of a disclosure authorization form, in
connection with insurance transactions, to specify the purposes for which
the information is collected and the length of time the authorization
will remain effective. The NAIC adopted these provisions to address the
fact that individuals might not be aware of the scope of information that
can be obtained from others, and the use that will be made of such information.
The Model Act acknowledges that authorizations issued at particular points
in time cannot encompass all future uses and disclosure of the information
collected.(26) In addition, the Model Act
does not expressly state that, once issued, an authorization is limited
to certain purposes or uses. Thus, "reuse" provisions under GLB may supersede
state law because the GLB's "reuse" prohibitions would be deemed to be
more stringent.
3. Medical Record Information
The Model Act contains specific provisions governing medical record information,
which is defined as "personal information which relates to an individual's
physical or mental condition, medical history, or medical treatment, and
is obtained from a medical professional or medical care institution, from
the individual, or from the individual's spouse, parent, or legal guardian."
Insurance institutions may disclose such medical record information to
a designated medical professional if the insurance institution notifies
the individual at the time of disclosure that it has provided information
to the medical professional.
4. Marketing Questions
The Model Act provides that if, as part of an insurance transaction, an insurance
institution or agent asks a question which is intended only for marketing
or research purposes, then the insurance institution must clearly specify
such purpose. Thus, in any application or other form provided to a policyholder
or applicant in an insurance transaction, any questions designed solely
for marketing purposes must be identified as such.
5. Customer's Access to Recorded Personal Information
Under the Model Act, an individual may submit a written request for access to his
or her recorded personal information which is reasonably described and reasonably
locatable and retrievable. Moreover, individuals may request to have such personal
information corrected, amended, or deleted.
6. Adverse Underwriting Decisions
In the event of an adverse underwriting decision, the Model Act requires the insurance
institution to provide the applicant with the specific reasons for the adverse
decision, including the specific items of personal and privileged information
that support those reasons; however, personal or privileged information related
to the individual's engaging in fraud, criminal activity, material misrepresentation,
or material non-disclosure need not be provided. In addition, an insurance institution
may only seek information in connection with an insurance transaction concerning
previous adverse underwriting decisions experienced by an individual or previous
insurance coverage obtained by an individual through a residual market mechanism,
if such inquiry also requests the reasons for the previous adverse decision,
or the reason why coverage was previously obtained through a residual market
mechanism.
7. Pretext Interviews and Investigative Consumer Reports
Under the Model Act, insurance institutions may not use "pretext interviews" in connection
with an insurance transaction. Pretext interviews are defined as interviews
where, in an attempt to obtain information about an individual, a person: (1)
pretends to be someone he or she is not, (2) pretends to represent a person
he or she is not in fact representing, (3) misrepresents the true purpose of
the interview, or (4) refuses to identify himself or herself upon request. However,
insurance institutions may use pretext interviews to obtain information for
the purpose of investigating a claim, where a reasonable basis exists for suspecting
criminal activity, fraud, material misrepresentation, or material non-disclosure
in connection with the claim.
An insurance institution also may not prepare or request an investigative consumer
report about an individual in connection with an insurance transaction involving
an application for insurance, a policy renewal, a policy reinstatement, or a
change in insurance benefits unless the insurance institution informs the individual
that the individual can request to be interviewed in connection with the preparation
of the investigative consumer report, and informs the individual that he or
she may obtain a copy of any such report. "Investigative consumer reports"
are defined as communications of information bearing on a person's credit worthiness,
credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living obtained through personal interviews with people who know
the individual.
8. Enforcement
The Model Act contains enforcement mechanisms.(27) The state
insurance commissioner has the power to investigate, hold hearings, and
issue cease and desist orders where there are violations of the Model
Act. If, after a hearing, the commissioner determines there was a knowing
violation, penalties may be imposed. Violation of a commissioner's cease
and desist order triggers additional penalties. The Model Act also authorizes
judicial review of orders or reports issued by the commissioner. The Model
Act bars causes of action for defamation, invasion of privacy, or negligence
for disclosure of personal or privileged information in accordance with
the Model Act. However, if an insurance institution improperly discloses
information in violation of the Model Act, it may be liable for damages
sustained by the individual to whom the information relates. No immunity
exists for disclosing or furnishing false information with malice or the
willful intent to injure any person.
B. Proposed State Legislation Governing Disclosure of Personal Information by Financial Institutions
At least eight states have already introduced some form of financial privacy legislation
since the November 12, 1999 enactment of GLB. A few appear intended merely to
implement the state's enforcement obligations under GLB, and tend to track GLB's
definitions. Many others are more aggressive, often by requiring "opt in" procedures.
Set forth below is a summary of proposed state legislation introduced in response
to the recent federal legislation.
1. Arizona
On January 31, 2000, a bill was introduced in Arizona which would restrict the
collection and disclosure of personal information provided by a consumer in
a commercial context. See Ariz. House Bill 2717. The bill applies to
"information custodians," broadly defined as all entities that maintain data
containing such personal information and which share the information to others.
The bill requires information custodians to have a consumer privacy policy that
is disclosed to consumers and disclosed on the custodian's web site, and which
allows consumers to choose not to have the consumer's personal information shared.
2. California
A bill introduced on January 3, 2000 in the California Assembly would
prohibit a "financial institution" (defined to include insurance
companies, banks, credit unions, mortgage lenders, etc.) from disclosing,
without a consumer's written consent, the nonpublic personal
information collected by the institution in connection with any
transaction with the consumer involving any "financial product"
or any "financial service" (neither term is defined) or otherwise
obtained by the financial institution. See California House
Bill 1707, introduced on January 3, 2000.(28)
Unlike the federal act, which gives a customer the ability to "opt-out"
of the institution's arrangements to share customer information,
the California bill would require customers to "opt in" (agree to
the information sharing agreement) before the information could
be shared.
3. Illinois
Illinois has done nothing.
4. Massachusetts
On January 27, 2000, House Bill 4994 was introduced which would prohibit a financial
institution from disclosing nonpublic personal information of a consumer unless
the financial institution has obtained the consumer's written consent. A "financial
institution" would include banks, trust companies, and insurance companies that
are affiliates of a commercial bank or trust company, financial holding companies,
or persons engaged in the business of lending money. The bill details the types
of notices required for obtaining a consumer's consent. Exemptions provided
in the bill include disclosures necessary to effect a transaction authorized
by a consumer, to resolve consumer disputes or inquiries, and providing information
to insurance and financial institution rating agencies.
5. Minnesota
On February 3, 2000, legislation was introduced in Minnesota which would require
financial institutions to comply with the federal privacy provisions of Gramm-Leach
and to allow consumers to exercise their choice to "opt-out" by using a convenient
communication method. Minn. House Bill 2810. The bill details appropriate communication
methods for opting out, including the submission of an opt-out form by e-mail
or facsimile. The bill refers to the federal legislation for the definition
of "consumer" and "financial institution." Separate legislation also pending
generally tracks GLB, but would require a consumer to "opt-out" before a financial
institution could share information. Minn. Senate Bill 3000. Minn. House Bill
3224.
6. Nebraska
On January 20, 2000, a bill was introduced in Nebraska which would prohibit a financial
institution from disclosing any nonpublic personal information concerning a
customer unless the customer has affirmatively consented to the release of the
information in writing. Neb. Legislative Bill 1442. "Financial institution"
is defined to include any institution engaged in the business of providing financial
services to customers and any insurance company, credit card issuer, etc.
7. New Jersey
On January 11, 2000, a bill was introduced in New Jersey which refers to the recent
federal legislation enacted, and requires that financial institutions send customers
an annual notice advising of the customer's right to opt-out of the institution's
information-sharing arrangements (prohibit disclosure of nonpublic personal
information to nonaffiliated third parties). N.J. Senate Bill 333. The bill
defines "financial institution" as a state or federally chartered bank, savings
bank, savings and loan association or credit union, or any affiliate thereof.
(New Jersey has adopted the NAIC Model Act, which governs insurance institutions.)
The bill details the requirements for the customer notice (i.e., it must
contain the notation, "URGENT," at the top and contain a space for the customer
to mark in order to opt-out).
8. South Dakota
On January 19, 2000, a bill was introduced in South Dakota which would prohibit
any financial institution or business that grants credit from disclosing nonpublic
personal information to an unaffiliated third party without the customer's consent.
S.D. House Bill 1173. The bill also requires each financial institution or business
that grants credit to provide a process for a customer to "opt-out of such restriction."
Although the bill uses the "opt-out" language of the federal act, the effect
is that the South Dakota bill requires customers to consent, or "opt in," before
the information could be shared.
9. Virginia
Senate Bill 602, introduced on January 24, 2000, would prohibit a financial institution
from making available any personal information provided by a consumer unless
the consumer has affirmatively consented to the transfer of the information
in writing. "Financial institution" is defined to include any company engaging
in financial activities which are incidental or complementary to financial activities,
including banks, insurers, securities firms, and credit unions.
10. Washington
A bill similar to Arizona House Bill 2717 (see above) was introduced in
Washington on February 4, 2000. Wash. S.B. 6513.
11. Other, less aware States
Finally, some states introduced privacy legislation before enactment of GLB. For example,
a bill introduced in Hawaii on January 28, 1999 would prohibit a "private enterprise"
from communicating to a third party the personal data collected about an individual
unless the individual consents to release of the information. See House
Bill 1232. "Private enterprise" includes any agency, business, organization
or individual who collects or disseminates information on a primarily commercial
or for-profit basis. In New York, Assembly Bill 699 was introduced on January
26, 1999, which would require every person who sells, exchanges or releases
personal information to other persons for commercial purposes to disclose in
writing these practices upon initial contact with a "data subject" (the person
from whom information is collected) and at least annually thereafter. The disclosure
must give the data subject the option of prohibiting the release of personal
information for commercial purposes. An "exclusion list" must be kept listing
those who have exercised their option to prohibit release of personal information.
C. Other Privacy Laws
1. Generally
States that have not adopted the Model Act generally do not have comprehensive
laws governing the information practices of institutions affecting confidentiality
of personal information. In fact, commentators have posited that the "United
States has maintained a regulation-averse approach to privacy, enacting
relatively broad statutes in the public sector, but leaving most of the
private sector to monitor its own collection and use of information."(29)
In contrast, European countries have enacted sweeping laws to govern the
confidentiality of personal information.(30) The
European Union expanded information and data protection by approving the
Directive on the Protection of Individuals With Regard to the Processing
of Personal Data and on the Free Movement of Such Data. This Directive
limits the collection, storage, and transfer of personal data. Under the
Directive, personal data can be collected only for specific purposes and
data controllers must inform data subjects of the purposes for collecting
data and the persons to whom such data will be disclosed. Moreover, the
Directive prohibits the transfer of data to countries that do not provide
"adequate" levels of privacy protection. Thus, some worry that the Directive
might operate to prohibit data transfers from the European Union to the
United States, given the U.S.'s self-regulatory approach to privacy protection.(31)
However, the issue of privacy of personal information is receiving increased attention
in the United States, especially in light of the recent federal legislation.(32)
2. Medical Information
A number of states regulate the use or disclosure of personal medical information.
For example, Wisconsin enacted provisions similar to the Model Act governing
the disclosure of "personal medical information" only. Wis. Stat. § 610.70.
The statute defines "personal medical information" as information relating to
an individual's physical or mental health, medical history, or medical treatment,
and which is obtained from a health care provider, a medical care institution,
the individual or his/her spouse, parent, or legal guardian. § 610.70(1)(f)(1).
Under Wisconsin's law, personal information does not include information obtained
from public records of a governmental authority that is maintained by an insurer
or its representatives for the purpose of insuring title to real property.
§ 610.70(1)(f)(2). Wisconsin's law provides for twelve exceptions to its disclosure
provisions. § 610.70(5). These do not include the Model Act's exceptions for
disclosure for marketing purposes or to an affiliate. See id.
Like Wisconsin, other states have statutes that restrict the use or disclosure
of medical information. For example, Rhode Island enacted a broad provision
restricting the release or transfer of a patient's confidential health
care information, except with written consent or for limited purposes,
and requiring third party recipients of such information to establish
security procedures to maintain confidentiality.(33)
Less inclusive statutes in Illinois, Maryland and Massachusetts prohibit
an insurer from disclosing an insured's medical records without the insured's
written authorization, subject to limited exceptions.(34)
California and Connecticut impose similar restrictions on employers, preventing
them from using or disclosing an employee's medical information without
written authorization, again subject to limited exceptions.(35)
Some states specifically restrict disclosure of records containing information
regarding AIDS or HIV infection, or genetic testing,(36)
as well as mental health records.(37) Under
these laws, such information could only be disclosed in extremely limited
circumstances, such as to physicians, parents, and governmental authorities.
3. NAIC Health Information Privacy Model Act
In 1998, the NAIC promulgated a model law establishing standards for the
collection, use, and disclosure of health information gathered by insurance
carriers. The Health Information Privacy Model Act ("HIP Model Act") sets
standards to protect health information from unauthorized collection,
use, and disclosure by requiring carriers to establish procedures for
the treatment of all health information. The HIP Model Act applies to
all "carriers," which are defined as entities required to be licensed
or authorized by the commissioner to assume risk, and includes insurers,
hospitals, medical or health service corporations, health maintenance
organizations, provider sponsored organizations, multiple employer welfare
arrangements, self-insured group funds, and workers' compensation self-insurers.
Although the HIP Model Act does not expressly include fraternal benefit
societies, an NAIC drafting note permits states to include the definition
of "insurance institution" from the Model Act on Insurance Information
and Privacy Protection in their enactments of the HIP Model Act, meaning
that fraternal benefit societies would be included. The HIP Model Act
protects all "health information," which is defined as information that
relates to the past, present, or future physical, mental, or behavioral
health of an individual or his or her family, the provision of health
care to an individual, or the payment for the provision of health care
to an individual. Moreover, the HIP Model Act prohibits a carrier from
collecting, using, or disclosing(38) protected
health information without written authorization from the individual who
is the subject of the information. To date, no state has enacted legislation
adopting this Act.
4. Motor Vehicle Record Information
Some state laws govern the disclosure of information obtained from motor vehicle
records. These laws commonly provide that personal information collected
by the state motor vehicle department is confidential and may not be disclosed.
However, these laws provide an exception for disclosure (upon proof of
identity and a representation that the entity intends to use the information
for its limited purpose) to "an insurer . . . or an . . .
employee . . . of an insurer, in connection with claims investigation
activities, anti-fraud activities, rating, or underwriting."(39)
Importantly, some of these laws also contain re-disclosure provisions
that would prohibit an organization from re-disclosing the personal information
unless specifically permitted by statute.(40)
5. Proposed Legislation Governing Other Privacy Protections
Some states have recently proposed legislation which would impose privacy-related
restrictions on the disclosure of information beyond insurance, financial, motor
vehicle or medical information. For example, on February 2, 2000, a bill was
introduced in California which would prohibit the collection and disclosure
of "unique individual personal identifying information," defined to include
any number, symbol, physical or biological trait or other genetic identifier
by which an individual could be uniquely identified from another. See
Calif. Senate Bill 1419.
In Hawaii, a bill was introduced on January 25, 1999 to respond to the use of social
security numbers by criminals to engage in "identity theft." Hawaii Senate Bill
980. The bill would delete the requirement that individuals disclose their social
security numbers in records such as voter registration documents, and certain
motor vehicle records.
Illinois introduced a bill on January 13, 1999 prohibiting companies which purchase a
state database containing information regarding Illinois citizens from using
the database for commercial solicitation purposes (to contact individuals to
advertise, or market products or identify potential employees). See Ill.
House Bill 69.
Maine introduced a bill proposing to establish an Internet policy for the state, which
would apply privacy laws to electronic transmissions and impose notice and consent
requirements for disclosure of consumer information online. Me. House Bill 1339,
introduced March 17, 1999.
Legislation was introduced in New York on January 5, 2000 to restrict financial institutions
from disclosing personal information contained in electronic fund transfers.
N.Y. Assembly Bill 623. "Financial institution" is defined as a bank, credit
union or other person who, directly or indirectly, holds an account belonging
to a consumer.
New Hampshire introduced legislation which would establish an "Office of Privacy"
in the state to monitor and restrict disclosure by the state of personal information
regarding its citizens. N.H. House Bill 1612, January 5, 2000.
CONCLUSION
Entities that may be deemed to be "financial institutions" under GLB should be developing
compliance programs to address consumer privacy issues, despite the fact that
final federal regulations will not be adopted until later this year.
Interpretative disputes over federal and state privacy laws and regulations are inevitable.
These disputes are likely to occur between state and federal regulators, despite
GLB's attempt to preserve state regulation, and between plaintiffs' class action
lawyers and financial institutions. Financial institutions should establish
compliance programs that anticipate such disputes. This approach may mean adopting
the highest standards for disclosure as "best practices".
APPENDIX A
The Federal Reserve Board's list of financial activities is set forth in 12 CFR
225.86. They include in certain circumstances:
1. brokering or servicing loans;
2. leasing real or personal property (or acting as agent, broker, or advisor in such leasing) without operating, maintaining or repairing the property;
3. appraising real or personal property;
4. check guaranty, collection agency, credit bureau, and real estate settlement services;
5. providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management;
6. management consulting and counseling activities (including providing financial career counseling);
7. courier services for banking instruments;
8. printing and selling checks and related documents;
9. community development or advisory activities;
10. selling money orders, savings bonds, or traveler's checks; and
11. providing financial data processing and transmission services, facilities (including hardware, software, documentation or operating personnel), data bases, advice, or access to these by technological means.
Effective March 12, 2000, the Board issued an interim rule with request for comments
designating other financial activities including:
12. providing administrative and other services to mutual funds;
13. owning shares of a securities exchange;
14. acting as a certification authority for digital signatures;
15. providing employment histories to third parties for use in making credit decisions and to depository institutions and their affiliates for use in the ordinary course of business;
16. check cashing and wire transmission services;
17. in connection with offering banking services, providing notary public services, selling postage stamps and postage-paid envelopes, providing vehicle registration services, and selling public transportation tickets.