ALTA® Update: Gramm-Leach-Bliley Act Privacy Obligations for Title Insurers and Agents
August 28, 2001
Ann vom Eigen, Legislative and Regulatory Counsel
Collier & Shannon
The Gramm-Leach-Bliley Act (GLBA) imposes three basic requirements: (1) a privacy notice requirement; (2) a requirement that all consumers be provided the opportunity to opt-out of certain information disclosures; and (3) a requirement that measures be instituted to maintain the "security and integrity" of all nonpublic information.
Who Must Comply With The GLBA Privacy Requirements?
All "financial institutions" must comply. This includes all title insurance companies and agents.
Who Do The Rules Protect?
The GLBA applies only to individuals who are purchasing insurance or other financial products for personal, family or household purposes. In the title insurance context, the rules apply only to residential title insurance products; they do not apply to commercial title insurance activities.
The Privacy Notice Requirement
A privacy notice must be given to any individual who purchases a residential title insurance product or service at the time the product or service is sold or delivered. The Federal Trade Commission rules also cover entities that provide real estate settlement services (16 C.F.R. 313). Other insurance companies and agents also must provide a privacy notice to their customers on an annual basis. In response to the successful lobbying efforts of ALTA, the GLBA rules all exempt real estate settlement services providers such as title insurance agents from this annual notice requirement provided that they have no customer contact after all of the activities relating to the real estate closing have been concluded.
Companies and their agents may provide notices independently; provide a single notice that covers the privacy practices of both the agent and the company; or provide separate notices together. Model State GLBA regulations (issued by the National Association of Insurance Commissioners (NAIC) and the National Conference of State Legislators (NCOIL)) contain an exception to the notice requirement for agents that do not disclose "nonpublic personal information" to any person other than the principal insurer or its affiliates. If an agent qualifies for this exception, the agent can rely on the principal's notice and not provide a separate notice. Companies and agents also may provide joint notices with other financial institutions, such as a bank or securities affiliate.
What Must Be Included In The Notice?
When should the Notice be Provided?
The notice should be provided, according to the FTC, when you and a consumer enter into a continuing relationship. An example in the FTC regulations states that the relationship is established when the insurance is purchased.
The Opt-Out Right Requirement
As a general matter, before nonpublic personal information about any individual may be disclosed to a nonaffiliated third party, the individual must be informed of the intended disclosure and given at least 30 days to prevent it (a so-called "opt-out" notice). The right extends to present customers, former customers and anyone else about whom a company or agent maintains information. However, the right is subject to a long list of exceptions. No opt-out notice is required, for example, if the purpose of the disclosure is to complete the insurance transaction for which the information was provided or to service the title insurance policy.
If an opt-out notice is required, it must either include a copy of the general privacy notice (discussed above) or contain a statement that the person may obtain a copy of that notice and instructions on how to obtain it. The opt-out notice must inform the individual of the intended disclosure and provide an easy mechanism for the person to opt-out of that disclosure. The mechanism can require the individual to submit a form provided with the notice or call a toll-free number; it cannot require the individual to write a letter.
Protecting The Security And Integrity Of Nonpublic Personal Information
The GLBA requires all insurance companies and agents that collect or maintain nonpublic personal information to institute mechanisms for protecting the security and integrity of that information. Security mechanisms are designed to protect the information from inadvertent disclosures. Integrity mechanisms are intended to protect nonpublic personal information that is maintained in an electronic medium from becoming corrupted. The GLBA rules do not dictate that any specific mechanisms be instituted.
GLBA privacy rules are being implemented separately by the federal banking agencies, the Securities and Exchange Commission, the Federal Trade Commission (FTC), and each of the States. fn1/ The federal agencies have finalized their regulations; the States are still in the process of doing so. States are empowered to go beyond the stipulated statutory requirements.
The States are expected to base their GLBA rules on the model acts adopted by NAIC and NCOIL. Washington state has adopted the NAIC model GLBA regulations including the provision that eliminates the annual notice requirement for real estate settlement service providers. The citation for that Act is Chapter 28-04 of the Washington Administrative Code. The NAIC and NCOIL model rules would apply to all "licensees" in a State, meaning any person or entity licensed by the State's Insurance Commissioner. A company or agent licensed to do business in multiple States must comply with the privacy requirements imposed in each State. Consequently, we recommend that you check your applicable state law. Title insurance agents in States in which attorneys are not required to be licensed by the Insurance Commissioner may not be subject to the state insurance privacy requirements. This does not mean that other privacy requirements are inapplicable.
For further information, please check the ALTA website: http://www.alta.org/govt/issues/privacy.htm
fn1/ The GLBA privacy requirements are in addition to other requirements already in place including the Fair Credit Reporting Act requirements and the state insurance privacy requirements that have previously been enacted in approximately 18 States.