G-L-B Remains a Hot Topic
Efforts to complete implementation of the final rules for the Gramm-Leach-Bliley Act continue at a rapid pace – all pointing towards a July 1, 2001 full compliance date.
NAIC Task Force Adopts Revised Model
For the insurance industry, the National Association of Insurance Commissioners' privacy task force approved "model" regulations on September 12. NAIC members are scheduled to vote on this recommendation on September 26. If the NAIC adopts model regulations at that meeting, then the state insurance departments will need to react quickly to adopt their own rules. Insurers should not wait for these final steps. The outline of the final rules is apparent now, and insurers (and all other covered entities) need to be moving quickly to be in a position to meet the compliance dates.
The revised model does make some important changes from the earlier versions. It eliminates the controversial category of "third-party consumers," which had threatened to bring within the scope of the privacy rules a wide range of persons not traditionally viewed as customers of insurers, but the remaining provisions still seem to include a broad range of individuals who are not directly customers of the insurer. The task force model also significantly revises the section on health information. While the provision arguably is made simpler by the revisions, the NAIC model still creates a separate category of protection for health information, beyond the protections for other financial information. This will remain a significant stumbling block for insurers, particularly those insurers that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA") rules. The health section also creates new contractual requirements for insurers to impose on those that receive health information, apparently even for purposes where no authorization is required. Last, the model makes clear that compliance with HIPAA will constitute compliance with G-L-B, but there still will be an interim period for health insurers during which G-L-B compliance is required before a company will be required to be in compliance with the (even more stringent) HIPAA regulations.
FTC Begins Examining "Security"
In addition, the Federal Trade Commission has begun its efforts on the "security" aspects of the G-L-B. As part of the statute, covered entities must meet prescribed rules for the security of non-public personal information held by a financial institution and its business partners. For the most part, the privacy rules issued by the federal agencies (and the NAIC model version) essentially ignore the security issue, in favor of a subsequent rulemaking proceeding. The FTC recently issued a Federal Register notice, on September 7, 2000, seeking comments on how its draft rule should be prepared and what it should cover. This is a preliminary step to a formal proceeding to develop security rules. These rules, while often considered separately from the privacy rules, are an integral component of an overall privacy compliance program. Just as the privacy rules to be issued under HIPAA contain a separate security component, these final rules will dictate many of the information-systems elements that will govern how the privacy of data must be maintained. Those involved in privacy compliance for financial institutions should follow these issues closely.