Legal experts recommend that MGAs take proactive approach to meeting information disclosure requirements
One of the issues that the 1999 Gramm-Leach-Bliley (GLB) Act dealt with was "privacy." At the time, many mergers and acquisitions were taking place in the financial services sector. Moreover, the way in which GLB itself was constructed facilitated even more mergers and acquisitions, as the Glass-Steagall Act was brushed aside and as boundary lines between banks, insurance companies and securities firms suddenly disappeared. The architects of GLB--including not only the act's authors, but also the special interest groups that lobbied for more than a decade in construction of the law--had to address the issue of how this brave new world of integrated financial services would protect consumers' privacy of information. So, GLB made certain demands of financial services institutions.
Basically, GLB requires financial institutions to establish in-house "privacy" policies to inform their consumers about how these institutions intend to use private information obtained in the course of a particular financial transaction. The privacy policies have to address such things as what financial institutions will have access to the information, whether that information will be "shared" with an institution's subsidiary organizations and, most important, whether or not that information will be sold to other financial firms. There appears to be a very lucrative market in selling "lists" of names and their private information. In addition, GLB requires that such in-house privacy policies offer consumers the option of "opting out," meaning that consumers should be informed in some fashion that they have a right to say no to the dissemination of their private information.
As of today, most insurance companies have established such "privacy" policies. But what about the agents--both retail and wholesale--with whom insurance companies deal?
Last year, in a conference call arranged for members of the AAMGA, Steve Baker, a partner in Philadelphia law firm Drinker Biddle & Reath, warned that wholesale insurance agencies should establish in-house privacy policies to protect themselves against opportunistic lawsuits. Baker told AAMGA members that their access to private information about individual policyholders charges them with responsibilities under Gramm-Leach-Bliley to safeguard that information. Baker said the threat to managing general agencies comes not from government enforcement of the act, but from plaintiffs' attorneys seeking lawsuit targets.
"The plaintiffs' class action bar is looking at this as the next big thing," Baker said. "Insurance companies have taken a great deal of effort to protect themselves, so the class action bar will be looking for other targets, and you don't want to be one," he said.
Fortunately, agencies can protect themselves relatively easily, Baker said. They need to draft an in-house privacy policy and then arrange to notify all individual policyholders of that policy. "It doesn't take much to put together a quick privacy policy and notify people," he said. "Do that, and you're probably protected." Baker also warned AAMGA members against putting too much faith in assurances from insurance companies that their own privacy policies protect wholesale agents. He said that protection is in force only if the managing general agency is in complete compliance with all aspects of the insurance company's privacy policy. "Any deviation cancels the protection and because each insurer has its own distinct privacy policy, it's easier and safer for a wholesaler to draft its own."
However, in a recent interview, Scott Brenner of Manhattan law firm Barton, Barton and Plotkin LLP, said that agents and brokers need to go even further. "Insurance agents and brokers should be well-versed as to what's required of them under the rubric of Gramm-Leach-Bliley, as well as any state law that may address privacy issues," he said. "Even if managing general agents and retail agents and brokers have their own privacy policies, they should make it clear to the consumer that their policies may not be the same as the insurance company they are placing them with. Therefore, if there is a misunderstanding later, the agent or broker has at least provided the consumer with as much information as possible."
Brenner warns that the privacy issue is a particularly thorny one in the area of shared medical information. "In life and health insurance contracts, insurance companies usually require the consumer to sign a waiver to allow the company to collect and disseminate medical information. Very often these waivers are pitched to influence the consumer to sign, and that could cause a problem later on down the line. The information gathered is often posted with database clearinghouses such as the Medical Information Board in Boston, Massachusetts, which are [suspected to be] used by the insurance industry to share information about proposed insureds. Privacy is currently a forefront issue. Commentators, jurists and courts alike are always waiting for new test cases to further redefine the scope of acceptable information gathering and disclosure. Agents and brokers should educate themselves with respect to federal and state law requirements, so as to avoid becoming the next example litigant."
In terms of dealing with GLB, Bernie Heinze, executive director of the AAMGA, said the key is MGAs' handling of what the law refers to as "non-public personal information." Baker defined the phrase as "any information about a customer or consumer that would not be generally available to the public." For example, personal address and telephone numbers are generally available. Health and income information--even Social Security numbers--generally are not and are therefore covered by the law.
Heinze says not only do MGAs have access to such information, they pass it on to others, such as premium financing companies. That's why they need to develop privacy policies and, equally important, inform individual policyholders of the existence and terms of those privacy policies.
Baker said existing customers should be notified as soon as possible, and new customers should be notified as soon as a policy is issued. He said that, while standardized language for a "one-size-fits-all" privacy policy is not feasible, customized privacy policies can be developed quickly and inexpensively.
"Believe me when I tell you that something is going to happen here. The plaintiffs' bar is ready for it. The insurers have responded to the threat very capably. You cannot afford to be left holding the bag," Baker said. "Don't assume the fix will be more expensive than the problem."