State insurance regulators, who are pushing to align their privacy standards with others in the financial services industry, have insurers worried that the new rules will go far beyond those envisioned in the Gramm-Leach-Bliley Act.
The most detailed look yet at possible rule changes came last weekend when the National Association of Insurance Commissioners, based in Kansas City, Mo., issued a draft privacy regulation at its meeting in Orlando.
Issued in two main components, one covering financial and the other medical information, the draft regulation would make privacy rules uniform across the states. As such, it addresses some of the banking industry's worries.
Insurance industry representatives voiced concern at the proposed regulation, however, particularly with the medical information component. The regulation is designed to bring the insurance industry in line with Gramm-Leach-Bliley, though critics disputed whether it accomplishes this.
"Even though there's been some lip service paid to simply trying to implement Gramm-Leach-Bliley, in fact the draft regulations go far beyond the parameters of Gramm-Leach-Bliley and sweep in additional parties never intended to be covered by Gramm-Leach-Bliley," said Rey Becker, vice president of property/casualty for the Alliance of American Insurers, based in Downers Grove, Ill.
Debra Ballen, executive vice president of the American Insurance Association, based in Washington, said that of the two pieces of the draft she is far more concerned about the medical component. "The financial piece is in pretty good shape overall. What they did was take the federal regulation as a base text and then they made changes where it was necessary to reflect more of an insurance orientation."
Ms. Ballen's group believes the insurance commissioners should not try to develop rules for medical information privacy because they are not necessary to comply with Gramm-Leach-Bliley, she said. "There is no obligation whatsoever for them to do medical privacy," she said. "That issue is very much in flux."
Insurers also oppose the possible extension of the regulation to the commercial lines market and to third-party claimants, she said. The proposed regulation would require some opt-out option for employees covered by workers' compensation insurance, she said, and "the idea that you have to get opt-in or opt-outs from people who are not your customers is a whole different ball of wax from what's in Gramm-Leach-Bliley."
Mr. Becker said, "Gramm-Leach-Bliley only deals with customers and consumers," not with third-party claimants. "When you get beyond those two parties to the contract, you go beyond the scope of Gramm-Leach-Bliley."
"The NAIC and the individual insurance departments do not have that authority, in the absence of individual state legislation," he said.
In addition, he said, the alliance is concerned about the legality of an opt-in provision. Last week the Supreme Court declined to review a recent ruling by the U.S. Court of Appeals for the 10th Circuit in Denver, which held that such provisions violate the First Amendment.
Bankers at the Financial Institution Insurance Association meeting in Washington said they were following developments at the insurance commissioners meeting.
"We have to have uniform state regulations," said Richard Starr, director of strategic insurance initiatives for ABN Amro in Chicago, "and we're hopeful the NAIC is going to be successful in getting these uniform regulations. If a few states don't follow, many companies might decide not to do business there."
"Our concern at the FIIA is consistency," said William J. Abdale a director of the financial institution group and president of Buffalo-based HSBC Insurance. "We have to have consistent functional regulations because so many banks are in multistate situations."
The proposed regulation is open for written comments until June 30.
In addition to the draft regulation, the insurance commissioners association has agreed to a uniform compliance date for enforcement of the Gramm-Leach-Bliley Act's privacy regulations. The agreement extends the date for compliance with privacy regulations from next Nov. 13 to July 1, 2001, the same date as for the banking and securities industries.
David Reich-Hale contributed to this story.