FROM: KAREN L. SUTER, COMMISSIONER
RE: ENFORCEMENT OF GRAMM-LEACH-BLILEY PRIVACY REQUIREMENTS
The Gramm-Leach-Bliley Act, P.L. 106-102 ("GLBA"), enacted November 12, 1999, requires financial institutions, including insurers, to protect the privacy of consumers’ non-public personal information. Title V of GLBA requires Federal and state regulators to implement GLBA’s privacy protections within six months of the Act’s effective date, except to the extent a later date is specified by rule. The Act takes effect November 13, 2000; however, under the authority of GLBA at section 510(1), Federal regulators delayed enforcement until July 1, 2001. See 65 Fed. Reg. 35162, 35184-35185.
Under GLBA, state insurance regulators are authorized to enforce Federal privacy laws as they apply to insurers and may enact and enforce privacy standards that exceed those in GLBA. Section 505(c) of GLBA provides that if a state fails to adopt regulations that meet at least the Federal minimum standards, state action is preempted. Our existing law regarding the disclosure of information gathered by insurers generally meets or exceeds these Federal standards already and, as set forth below, we do not anticipate the need for significant changes.
N.J.S.A. 17:23A-1 et seq., effective December 7, 1985, and based on the National Association of Insurance Commissioners’ Insurance Information and Privacy Protection Model Act, regulates the collection, use and disclosure of information gathered by insurers in connection with policies, contracts or certificates of insurance issued or delivered in this State. In most respects, this statute provides standards that are at least as stringent, and in many cases more stringent, than the standards set forth in GLBA. Insurers transacting business in this State have been required to comply with N.J.S.A. 17:23A-1 et seq. with respect to the use, collection and disclosure of information and continue to be so required. If needed, the Department of Banking and Insurance ("Department") will seek any amendments to the existing law to ensure that this State’s existing information practices standards are, in all respects, at least as stringent as those standards in GLBA.
The Department also notes that the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision proposed interagency guidelines establishing standards for the safekeeping of customer information on June 26, 2000. See 65 Fed. Reg. 39472. These rules set forth the standards for financial institutions related to the administrative, technical and physical safeguards for customer records and information to ensure the security and confidentiality of this information. The Department intends to promulgate rules applying similar standards to insurers to be effective July 1, 2001.
Accordingly, the Department is issuing this Bulletin to advise insurers that:
The Department anticipates that insurers will begin to review the requirements of the Federal rules identified above so as to become familiar with the nature of the administrative, technical and physical safeguards necessary to ensure the confidentiality of customer records and information. Insurers should identify areas that may need to be improved for compliance with similar standards to be adopted by the Department for insurers.
11/8/00 /s/ Karen L. Suter, Commissioner