Gramm-Leach-Bliley Act:
Amendments to Agency Agreements and
Sample Authorization Letter



In recent weeks, we have received numerous questions regarding various
amendments to agency agreements that insurance companies developed in
response to the requirements of the Gramm-Leach-Bliley Act ("GLBA"). A
review of some of those amendments enabled us to identify common issues of
importance to our members. These issues consist primarily of concerns that:
(a) some insurance companies are asking or requiring agencies to distribute
and/or adhere to the companies' privacy policies; (b) insurance companies'
privacy policies are imposing greater restrictions on the use and disclosure
of customer information than those mandated by GLBA or the states' privacy
statutes or regulations; and (c) insurance companies are limiting agency
access to loss run reports.

In addition, in response to requests for a form to use when obtaining MVRs
and consumer reports in the 16 states that have adopted the 1982 NAIC
Privacy Model Act, we have attached a sample authorization letter for that
purpose. Agencies also may use this form letter as a customer
authorization/consent form in all other states and the District of Columbia
when obtaining this type of information.

1. Distribution of and Adherence to Company Privacy Policies
GLBA imposes an obligation on each financial institution to respect the
privacy of its customers and to protect the security and confidentiality of
its customers' non-public personal information ("NPI"). Since insurance
companies and independent insurance agencies are financial institutions that
have separate and distinct relationships with customers, each insurance
company and independent agency must independently satisfy this GLBA
obligation. There is nothing in GLBA or the NAIC Model State Privacy
Regulation ("NAIC Model") to indicate that an independent agency must assist
an insurance company in satisfying the insurance company's GLBA obligations.
Similarly, there is nothing in GLBA or the NAIC Model to require an
independent agency to adhere to an insurance company's privacy policy.
Therefore, an insurance company has no statutory or regulatory authority to
compel independent agencies to distribute or adhere to the insurance
company's privacy policy.

Nonetheless, some insurance companies are requesting and/or requiring
independent agencies to sign amendments to agency agreements that compel the
agencies to distribute and/or adhere to the insurance company's privacy
policy. While the distribution request may be administratively cumbersome,
it is the adherence to an insurance company's privacy policy that is far
more troublesome. This is because each insurance company may have different
technical, administrative and physical safeguards to protect customer data,
some or all of which may be inconsistent with the independent agency's own
privacy policy or with the privacy policies of other insurance companies
the agency represents and with which it also is being asked to
comply. Thus, it will be impossible for the agency to adhere to the
insurance company privacy policies of all companies with which the agency is
appointed unless those policies are consistent with each other and with the
agency's privacy policy, which is fairly unlikely.

2. Restrictions on Use and Disclosure of Customer Information
Numerous agency agreement amendments we reviewed that request or require
such compliance contained clauses imposing limits on the use and disclosure
of customer information that are more restrictive than the limits imposed by
GLBA and the NAIC Model. An example of this is a restriction against the
agency's use of NPI for any purpose other than the purpose for which it was
provided, even though GLBA and the NAIC Model permit an agency to use
customer NPI if the agency obtains the customer's consent or if the agency
has a joint marketing agreement with another insurance company.

If an independent agency agrees to an agency agreement amendment with a more
restrictive information sharing policy than that required by GLBA or the
NAIC Model, the agency must comply with the stricter policy. Therefore, it
is critical that an agency carefully examine the proposed amendments to
ensure that they do not restrict the agency from using and/or disclosing
customer NPI for the purposes for which it has been supplied and as
otherwise permitted by law or regulation to the extent required by the
agency's business practices.

3. Limitations on Agency Access to Loss Run Reports
Some insurance companies are refusing to provide agencies with copies of
loss run reports unless the agencies sign contracts agreeing to use the
information only for the purposes for which it has been provided, or for
other purposes as agreed to in writing by the company and agency.
Noticeably absent from these contracts is language permitting the agency to
use the information either as permitted by law or pursuant to customer
consent. As a practical matter, this contractual limitation prevents an
agency from: (a) using loss run reports with NPI to quote coverage with
other insurance companies with which the agency has joint marketing
agreements, unless the insurance companies providing the loss run reports
agree to allow the agency to do so; and (b) obtaining consumer consent
prior to any disclosure of the NPI provided to the agency by the insurance
company.

It is clear that GLBA authorizes disclosure of a customer's NPI by an agency
when the agency obtains the customer's consent, or when there is an
applicable exception to GLBA's restrictions. To the extent that loss run
reports contain NPI that is protected under GLBA, agencies are subject to
GLBA's restrictions on reuse and redisclosure of that information and must
obtain customer consent prior to using the information as a marketing tool
to solicit competitive quotes.

There are three circumstances in which agencies may reuse or redisclose NPI
contained in loss run reports. First, an agency can reuse or redisclose NPI
contained in loss run reports as long as: (a) the reuse or redisclosure is
consistent with the reasons for the agency's receipt of the information in
the first place, or pursuant to an exception to GLBA (such as with the
customer's consent, or pursuant to a joint marketing agreement with another
insurance company); (b) the reuse or redisclosure of NPI is consistent
with the insurance company's privacy policy; or (c) the reuse and
redisclosure is subject to the applicable consumer opt out directive.
Second, an agency can reuse or redisclose NPI contained in loss run reports
when the agency has a joint marketing agreement in place with the entity to
which it is disclosing the information in the loss run reports, and such
reuse or redisclosure is consistent with the agency's privacy policy.
Third, the agency can reuse or redisclose NPI contained in loss run reports
when the agency obtains the consent of the customer who is the subject of
the NPI.

However, if an agency signs agreements with insurance companies that impose
greater restrictions on the agency's ability to use loss run reports than
those required by GLBA or applicable state law (such as amendments to agency
agreements), the agency becomes contractually obligated to those
restrictions. If an agency is not prepared to comply with those
restrictions, the agency should either strike the restrictive language from
the agreement prior to signing, or not sign the agreement at all.
