Insurance associations have been abuzz the past couple of weeks with regard to impending changes and new proposals to privacy regulations under Congress’ Gramm-Leach-Bliley Financial Modernization Act (GLB).
States have finalized details fulfilling one aspect of the GLB pertaining to the insurance industry (defining what method companies will use to send opt-out privacy notices to their customers), but many still are scrambling to catch up with another element, one requiring companies to create a written information security program to safeguard customers’ personal information.
According to a statement released by the National Association of Independent Insurers (NAII), “the objectives of the information security program in the Gramm-Leach-Bliley Act are to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of the information and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.”
“The model of standards for safeguarding customer information is written very well in that it leaves up to each individual insurer the ability to determine what they need in the way of a standards for safeguarding their customer information,” said Kathleen Jensen, insurance services counsel for the NAII.
New York and Oregon have officially adopted a model for safeguards. Of the states’ proprosals currently on the table, the Arkansas and West Virginia version present a concern to the NAII. That is the use of the word “consumer” rather than “customer” by Arkansas and West Virginia, a move deemed burdensome by the NAII.
Arkansas Proposed Rule and Regulation 77, “Standards for Safeguarding Consumer Information,” uses the definition of “consumer” found in Arkansas Rule and Regulation 74, “Insurance Consumer Financial and Health Information Privacy.” That rule states in part: “‘Consumer’ means an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information.” Proposed Rule 77 states further that: “‘Consumer’ shall also mean a consumer who has a customer relationship with a licensee.”
“The difference between customer and consumer go back to GLB,” said Jensen. “They encompass different people. A consumer is someone that the insurer does not have a continuing relationship with. Also included in the definition of consumer is claimant and work comp. An insurance applicant, at the time they become a policyholder, they become a customer, which [the insurer] has a continuing relationship with. You’re going to put in greater standards for those people [customers]. By extending standards for safeguarding to consumers, all of a sudden you have to put those same standards for an applicant.
“We don’t think that the states should extend it to consumers because it’s going to place another burden on the insurance companies,” she added.
When Texas adopted its “opt-out” privacy rule, it included language requiring companies to secure customers’ private information. The state directed individual companies to develop and follow their own security procedures however, and reserved the right to propose a rule in the future that conforms with a nationally accepted model outlining specific procedures that companies must follow.
Topics Legislation Arkansas
Was this article valuable?
Here are more articles you may enjoy.
Let Good Adjusters, Not Expensive Lawyers, Make the Difference on Claims, CEO Says 
Home Insurance at $10,000 a Year Shows California Buyers’ Pain 
Farmers Adjusters Cry Foul Over Workloads, Claims Handling in Letter to Regulators 
US Judge Skeptical of Biden Overtime Pay Rule From This Issue
