Newsletter

G-L-B Remains a Hot Topic

September 2000

Efforts to complete implementation of the final rules for the Gramm-Leach-Bliley Act continue at a rapid pace – all pointing towards a July 1, 2001 full compliance date.

NAIC Task Force Adopts Revised Model
For the insurance industry, the National Association of Insurance Commissioners' privacy task force approved "model" regulations on September 12. NAIC members are scheduled to vote on this recommendation on September 26. If the NAIC adopts model regulations at that meeting, then the state insurance departments will need to react quickly to adopt their own rules. Insurers should not wait for these final steps. The outline of the final rules is apparent now, and insurers (and all other covered entities) need to be moving quickly to be in a position to meet the compliance dates.

The revised model does make some important changes from the earlier versions. It eliminates the controversial category of "third-party consumers," which had threatened to bring within the scope of the privacy rules a wide range of persons not traditionally viewed as customers of insurers, but the remaining provisions still seem to include a broad range of individuals that are not directly customers of the insurer. The task force model also significantly revises the section on health information. While the provision arguably is made simpler by the revisions, the NAIC model still creates a separate category of protection for health information, beyond the protections for other financial information. This will remain a significant stumbling block for insurers, particularly those insurers that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA") rules. The health section also creates new contractual requirements for insurers to impose on those that receive health information, apparently even for purposes where no authorization is required. Last, the model makes clear that compliance with HIPAA will constitute compliance with G-L-B, but there still will be an interim period for health insurers where G-L-B compliance is required before a company will be required to be in compliance with the (even more stringent) HIPAA regulations.

FTC Begins Examining "Security"
In addition, the Federal Trade Commission has begun its efforts on the "security" aspects of the G-L-B. As part of the statute, covered entities must meet prescribed rules for the security of non-public personal information held by a financial institution and its business partners. For the most part, the privacy rules issued by the federal agencies (and the NAIC model version) essentially ignore the security issue, in favor of a subsequent rulemaking proceeding. The FTC recently issued a Federal Register notice, on September 7, 2000, seeking comments on how its draft rule should be prepared, and what it should cover. This is a preliminary step to a formal proceeding to develop security rules. These rules, while often considered separately from the privacy rules, are an integral component of an overall privacy compliance program. Just as the privacy rules to be issued under HIPAA contain a separate security component, these final rules will dictate much of the information systems elements that will govern how privacy of data must be maintained. Those involved in privacy compliance for financial institutions should follow these issues closely.

Read Time: 3 min

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek