SUBJECT: IMPLEMENTATION OF PRIVACY REGULATIONS UNDER GRAMM-LEACH-BLILEY
DATE: October 11, 2000
The Gramm-Leach-Bliley Act (GLBA), a Federal law enacted November 12, 1999, requires financial institutions, including insurers, to take measures to protect the privacy of consumers. Within six months of enactment of GLBA, Federal financial regulators, not state regulators, were required to promulgate regulations regarding privacy of information for entities operating in the banking and securities industries. Under Title V, subtitle (a) of GLBA, Federal financial regulators were also empowered to extend the date on which they would begin enforcing compliance of those privacy regulations. Federal financial regulators have promulgated rules uniformly delaying the date with which entities subject to their jurisdiction must comply from November 13, 2000, to July 1, 2001.
Unlike our Federal financial regulatory counterparts, GLBA does not specifically set forth a date by which state insurance regulators must enact privacy regulations. At the time of its passage, President Clinton noted that GLBA raised a constitutional question because it seeks to have states implement and enforce insurance privacy provisions via a Federal Act. It is believed this constitutional concern was overcome because, under GLBA, states are not necessarily required to enact privacy regulations. If states fail to act to ensure the privacy of insurance consumers, they will forgo an opportunity to regulate privacy for insurance consumers. The Director of the Nebraska Department of Insurance, as a member of the National Association of Insurance Commissioners (NAIC), resolved to pursue the privacy rulemaking and enforcement authority espoused under GLBA. In order to promote uniformity between state and federal financial services regulation, the Director signed an NAIC resolution earlier this year, "Resolution to Coordinate State and Federal Implementation of GLBA Privacy Regulations." This resolution indicates that state insurance regulators will delay enforcing compliance with any privacy measure until July 1, 2001.
It should be noted that the State of Nebraska does not currently have a privacy law or regulation addressing the concerns of Title V, subtitle (a) of GLBA. Moreover, the Nebraska Department of Insurance does not have legal authority to enact privacy regulations in order to implement Title V, subtitle (a) of GLBA. In order to implement GLBA, the Department of Insurance anticipates that privacy legislation will be introduced in the Nebraska Legislature in January 2001. The Department of Insurance intends to recommend that such legislation contain a compliance date of July 1, 2001. Until such time as legislation implementing GLBA is enacted in Nebraska, please be advised that the Director will not be promulgating regulations on privacy and will not be enforcing compliance with any privacy provisions of GLBA before July 1, 2001.
L. Tim Wagner
DIRECTOR OF INSURANCE