At the 2017 Spring National Meeting, the National Association of Insurance Commissioners (“NAIC”) adopted important amendments to its Privacy of Consumer Financial and Health Information Model Regulation (Model No. 672). The Model Regulation implements the privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”) for insurers, producers and other persons licensed by state insurance regulators (“licensees”).
Once adopted by the states, the amendments to the Model Regulation will have two effects:
- To take advantage of a compliance “safe harbor,” insurers and other licensees that have not already done so will need to change their GLBA privacy notice to follow a Model Privacy Form originally developed by federal regulators.
- Many more states will likely relieve licensees of the obligation of sending annual GLBA privacy notices.
These changes are discussed in greater detail below.
Safe Harbor for GLBA Privacy Notices
The amendments to the Model Regulation incorporate a Model Privacy Form that was developed by federal regulators in 2009 as a template for GLBA privacy notices for federally regulated financial institutions. The amendments establish a compliance safe harbor for use of the Model Privacy Form and, effective July 1, 2019, sunset the safe harbor for the privacy notice sample clauses found in the original Model Regulation. Many licensees now use notices incorporating the sample clauses. Insurers and other licensees may want to begin drafting changes to their GLBA privacy notice now to ensure they are ready when states begin adopting the amendments to the Model Regulation.
Elimination of Annual GLBA Privacy Notices
Licensees that limit their sharing of nonpublic personal information to ways that do not require offering consumers an opt-out no longer will need to provide a GLBA privacy notice every year. Instead, only an initial notice will be required, unless the licensee’s privacy policies and practices change, in which case an updated notice will need to be sent. This change follows an amendment to GLBA enacted by Congress in 2015. (See HERE). A few states already have adopted this change. Now, many more states likely will follow suit. Licensees that share nonpublic personal information in ways that require giving consumer an opportunity to opt out of the sharing will need to continue providing an annual GLBA privacy notice.
Morris, Manning & Martin has extensive experience working with insurers, producers and other financial services providers on the development of privacy notices and all other aspects of privacy and data security compliance.