Frequently Asked Questions about Your Financial Privacy Rights
A Consumer's Guide
to Financial Privacy Rights under the Gramm-Leach-Bliley Act
NOTE: These FAQs summarize your rights under the privacy
laws that apply to the financial services industry in general. Laws
regulating specific types of financial services, such as banking, insurance,
or investments, may provide some additional protections. For further
information, you may consult the individual agency web pages listed
under question #13.
I have been receiving privacy notices in the mail from my
bank and credit union, finance company, insurance company, and investment
firm. What is this all about?
In 1999 the Federal government passed a law called the Gramm-Leach-Bliley
Act. The law requires these institutions to send you a notice
regarding your privacy rights by July 1, 2001. In the notices, the companies
must tell you what information they collect about you and with whom
they share that information. Further, they must offer you an opportunity
to "opt out" of having your information shared beyond exceptions
provided by law.
What exactly is Gramm-Leach-Bliley and who does it affect?
Gramm-Leach-Bliley ("GLB") is also known as the Financial
Services Modernization Act. It removed most of the legal barriers that
previously existed between the banking, insurance, and securities industries.
GLB established consumer privacy standards, including notice requirements,
limits on information sharing, and requirements to protect the confidentiality
and security of personal information.
Banks, credit unions, mortgage companies, finance companies, insurance
companies, insurance agents, and investment firms are all subject to
Gramm-Leach-Bliley. The law also applies to some retailers and automobile
dealers that collect and share information about consumers to whom they
extend credit or for whom they arrange credit.
Some of these notices use words like "opt out."
What does this mean?
"Opt out" means that you have an opportunity to say no ("opt
out") before a financial institution shares information about you.
Generally, Gramm-Leach-Bliley requires that consumers be given the right
to "opt out" before personal information about them is shared
with companies outside of the corporate family. If you exercise your
right to "opt out," then (with the limited exceptions discussed
below) the institution may not share nonpublic personal information
about you with companies that are not part of the same parent organization.
It is up to you to tell the company if you don't want your personal
financial information shared without your permission. If you do not
opt out, the company may share information with third parties in the
way it describes in the notice it sends you.
What do they mean when they say they share information "as
permitted by law"?
There are certain uses of nonpublic personal information for ordinary
business purposes that are exceptions to the "opt out" right.
These are often described in generic terms in privacy notices, using
language such as "disclosures permitted by law." For example,
personal information about you may be disclosed to carry out a transaction
you have requested, to service your account, to prevent fraud, as part
of an examination by regulators, or to an auditor, rating agency, or
prospective buyer of the institution. In addition, information other
than health information may be shared within the corporate family or
under joint marketing agreements with other institutions. In all these
cases, the third party receiving the personal information must protect
its confidentiality and may not use or disclose the information for
other purposes.
What kind of information can be shared if I do not opt out?
Any information that the institution may share with companies outside
of the corporate family must be described in the privacy notice you
receive. The types of personal financial information that may be shared
if you do not opt out include:
- Information you put on an application to obtain a loan, credit card,
or other financial product or service;
- Account balance information, payment history, overdraft history,
investments purchased or owned and credit or debit card purchase information;
- The fact that you are a customer;
- Any information provided by you in connection with collecting or
servicing a loan;
- Information provided by you for purposes of analyzing your investments;
- Information collected through an Internet "cookie";
- Information from a consumer report.
What kind of a notice does the institution have to give to
me about its privacy policy?
GLB requires the institution to give you a privacy notice that describes
the types of information collected by the institution and, if the institution
might share your information, the types of businesses with which the
information might be shared. This notice must first be provided to existing
customers by July 1, 2001 and then once a year after that. If you begin
to do business with an institution after July 1, 2001, the notice must
be given at the time the account is opened and then once a year.
This notice must also tell you how to exercise your right to "opt
out" or say "no" to sharing your information. The institution
may require you to return a form it sends you, or it may give you
a toll-free telephone number to call. However, the institution cannot
require that you write your own letter as the only way to opt
out of information sharing. If the institution does not provide an opportunity
to "opt out," then it cannot share your information except
as specifically permitted by law in the ordinary course of business.
Finally, the notice must also tell you how the institution will protect
the confidentiality and security of your information.
Can I still protect my personal financial information under
an "opt out" standard and prohibit the sharing of that information?
Yes. If you exercise your right to "opt out," then an institution
may not share your personal financial information, unless it is otherwise
permitted under state or federal law. Some provisions of Maine law provide
considerable civil money penalties for institutions that violate these
confidentiality requirements. Banks, for example, could be fined up
to $10,000 per violation.
If I choose to opt out, how long will it last?
If you choose to opt out, that choice is effective until you revoke
it in writing.
What if I don't opt out when I first receive the privacy notice?
Can I opt out later?
Yes. A consumer can opt out at any time, but it will only affect the
future sharing of information and will not be retroactive.
What if I don't understand the privacy notices?
GLB requires that the notices be clear and conspicuous, and that they
accurately explain the right to opt out. If an institution does not
comply with the privacy requirements or does not provide clear disclosures,
the State may investigate, bring an enforcement action, or assess fines.
If you don't understand a privacy notice, you may contact the company
that sent it to you or you may contact the agencies below for assistance.
What should I do if I threw away or lost my privacy notice?
You should contact the institution involved to request a new notice.
Are there any other steps that I can take to protect my privacy
and limit the sharing of personal information?
Yes, existing state and federal laws give you the right to reduce
or eliminate telemarketing calls, unsolicited e-mails and pre-screened
credit offers.
- To prevent pre-screened offers from all three major credit reporting
agencies: Call 1-888-5-OPT-OUT (1-888-567-8688).
- One major credit reporting agency (Experian) also permits you to
opt out of receiving marketing and promotional information from its
clients. Call 1-800-407-1088.
- To avoid unwanted phone calls from many national marketers, send
your name, address and phone number to Direct Marketing Association
(DMA), Telephone Preference Service, PO Box 9014, Farmingdale, NY
11735-9014.
- To remove your name from national direct mail lists, write Direct
Marketing Association, Mail Preference Service, PO Box 9008, Farmingdale,
NY 11735-9008.
- To remove your e-mail address from many national direct e-mail lists,
follow the instructions found at DMA's e-mail preference service website,
www.e-mps.org.
- Regarding driver's license information, the Maine Secretary of State's
Office no longer shares such information with marketing or promotional
companies. You only need to contact the Bureau of Motor Vehicles if
you wish to "opt in," to permit the sharing of that information.
What if I have problems getting information from my financial
services provider?
The following agencies within the Department of Professional and Financial
Regulation are available to assist you:
For questions about banks and credit unions, contact the Bureau of
Financial Institutions: 1-800-965-5235; Internet website: www.maine.gov/pfr/financialinstitutions/
For questions about insurance companies or insurance agents, contact
the Bureau of Insurance: 1-800-300-5000; Internet website: www.maine.gov/pfr/insurance
For questions about mortgage companies, finance companies, automobile
dealers and other providers of consumer credit, contact the Office of
Consumer Credit Regulation: 1-800-332-8529; Internet website: www.maine.gov/pfr/consumercredit/
For questions about investment firms and securities issues, contact
the Office of Securities: 1-877-624-8551; Internet website: www.maine.gov/pfr/securities/.
Insurance Specific Questions
How are the privacy rights of insurance consumers different
from privacy rights in other financial markets?
Because insurance business requires a more extensive use of sensitive
personal information than most other financial services, the Maine Insurance
Information and Privacy Protection Act provides some additional consumer
protections above and beyond those discussed in the general frequently
asked questions. These protections currently apply to life and health
insurance and will apply to all consumer lines of insurance (like auto
and homeowners) effective September 21, 2001:
- In addition to health information, information about character,
personal habits, style of living, or general reputation may not be
disclosed to non-affiliated third parties for marketing purposes without
your written consent.
- You have the right to obtain access to recorded personal information
that the regulated insurance entity has, to request correction if
you think the information is inaccurate, and to add a rebuttal statement
to the file if there is a dispute between you and the insurance company.
- You also have the right to know the reasons why a company made an
unfavorable decision when it reviewed your application for insurance.
How do the new federal and state privacy laws affect insurance?
For life and health insurance consumers (including disability, long-term
care, and Medicare Supplement), there is very little change in the law.
The Maine Privacy Act has been in place for several years and is one
of the strongest insurance consumer privacy laws in the nation. In most
respects, the state law already equals or exceeds the requirements of
the federal Gramm-Leach-Bliley Act. Under the federal law one of the
new requirements is that notices to consumers must now be sent every
year instead of every two years. Also, changes this year primarily affect
homeowner's insurance, personal auto insurance, and other personal property
and casualty lines. These lines of insurance will also become subject
to the Maine Privacy Act effective September 21, 2001, as a result of
recently passed state legislation. In the meantime, property and casualty
companies that had not already adopted similar practices on a voluntary
basis became subject to the notice and confidentiality requirements
of the federal law on July 1.
Can my medical information be shared with other companies?
Except for certain limited purposes such as underwriting and claims
processing where it is necessary to collect and use health information,
companies cannot share health information without your specific written
permission.
If Maine already had an insurance privacy law, why was another
one passed?
There are two changes to the consumer privacy laws this year, one
at the federal level and one at the state level. Both of these changes
involve the entire financial services market and are not specifically
directed at insurance. The insurance part of the new state law extends
the protections of the existing Privacy Act (which is currently limited
to life and health insurance) to include all personal lines of insurance.
The new federal privacy law establishes a minimum set of nationwide
standards that applies to all states and all types of financial services.
State privacy laws which provide equal or better consumer protection,
such as the confidentiality provisions of the Maine Privacy Act, stay
in place and are not affected by Gramm-Leach-Bliley.
Prepared by the Department of Professional & Financial
Regulation
July 5, 2001