United States: Insurance Industry Alert: Gramm-Leach-Bliley Annual Privacy Notices

About this time last year, many in the insurance industry were beginning to wrestle with the complexities of the Gramm-Leach-Bliley Financial Modernization Act of 1999 ("GLB"). July 1, 2001, was the deadline established by GLB for financial institutions, including insurance companies, to notify their customers regarding their privacy policies. Now, almost a year after insurance companies first assessed their treatment of customer information, developed privacy policies and procedures, and met the deadlines for the initial privacy notices, another deadline is fast approaching: the GLB annual privacy notice deadline.

The GLB privacy requirements are still in effect. New customers and consumers must receive the notices as they begin to interact with the insurer, and existing customers must be provided with annual notices as long as they are customers of the insurer. Revised notices must be sent if there are changes in privacy policies or an insurer's treatment of personally identifiable consumer financial information.

Many states have enacted rules and regulations to implement the GLB privacy notice requirements with respect to insurers within their jurisdiction. As these state rules and regulations are not in all cases uniform, insurers should pay close attention to the provisions issued by their particular regulator. Additionally, GLB promulgates federal security and privacy requirements that an insurer must address on a daily basis.

The "initial" notice under GLB was not only required by the July 1, 2001 deadline to inform existing customers of privacy policies and opt out rights but the initial privacy notice remains a continuing obligation of an insurer. This notice is required at the time of establishing a customer relationship with any consumer, regardless of when that relationship is formed. Regulation 76 also requires an insurer to provide an existing customer an initial notice when that existing customer obtains a new insurance product or service from the insurer.

Further, GLB requires that insurers send a clear and conspicuous notice to existing customers at least annually during the continuation of the customer relationship. As many insurers mailed out initial notices to meet the July 1, 2001 deadline, the time for providing the annual notices is drawing near. The law provides that, while the insurer may define the annual period it wishes to use for the mailing of these annual notices, the company must nonetheless provide notice at least once in any period of 12 consecutive months during which the customer relationship exists, and the insurer must apply the same annual standard to the customer on a consistent basis.

If an insurer decides to amend its privacy policy, or change the way it handles a customer's personally identifiable financial information, the insurer should consider issuing a revised privacy notice to its existing customers describing these changes. However, some state regulations only require this revised notice before an insurer may actually disclose non-public personal financial information to third parties not affiliated with the insurer.

In conclusion, GLB, and the state regulations promulgated thereunder, impose significant and ongoing obligations. Insurers must take care to establish and maintain procedures, guidelines, and safeguards that will insure continued compliance with both GLB and the applicable state regulatory authority, or face the possibility of state and/or federal regulatory discipline.