Computerworld - WASHINGTON -- Beginning next week, financial services companies with Vermont customers will face strict limits on what they can do with the personal data of state residents. These new privacy rules have prompted five insurance industry trade groups to jointly file a lawsuit against state officials and warned that the rules will raise business costs and hurt customers.
Vermont's rules set an "opt-in" standard, which requires affirmative customer consent for sharing customer data in certain instances. Financial institutions in the U.S. generally follow the federal Gramm-Leach-Bliley Act of 1999, which allows the "opt-out" standard, meaning that unless the customer tells a bank, securities firm or insurer not to share data, the institution can do so.
Vermont's privacy rules mean that companies must adapt their customer systems to recognize the Green Mountain State's unique regulatory provisions.
"The industry can just assume that everybody with a Vermont ZIP code has opted out," said Elizabeth Costle, commissioner of Vermont's Department of Banking, Insurance, Securities and Health Care Administration. "That's the easy way to fix your computers."
And that's exactly what companies might do. Instead of adapting systems to meet the state's rules, they are warning that Vermont residents may be excluded en masse from the kinds of offers and information that data sharing allows.
"It would be a long time before anyone could afford to put in an opt-in system that would meet the goals of what [Costle] laid down," said Stephen Durkee, privacy implementation officer at Citigroup Inc. in New York. "So effectively, everybody in that state will have to be treated as if they opted out."
Vermont's rules illustrate the limits of the Gramm-Leach-Bliley Act, which took effect last July, and underscore industry fears that states may adopt differing privacy rules, increasing compliance costs. The federal law didn't preempt a state's ability to adopt tougher privacy standards.
"I think Gramm-Leach-Bliley very specifically said that states can have a stricter standard," said Costle. "That's fairly unusual in legislation. We're not going against [the law] at all. We're specifically complying with it."
Most notably, Vermont's standards require an opt-in decision for the sharing of information with third parties -- typically marketing agreements that financial institutions use to round out service offerings to customers.
Vermont's rules are a broader application of the state's existing banking privacy laws and not the result of legislative action. The insurance trade groups filed suit Jan. 30, challenging Costle's authority to make those changes, which take effect Feb. 15.
"The feeling is that the commission usurped legislative authority," said Jack Dolan, a spokesman for the Washington-based American Council of Life Insurers, one of the groups involved in the lawsuit.
Opt-in is seen as a tougher standard because it forces companies to sell consumers on the idea of information sharing. It also requires companies to develop systems to recognize state law variances and to train employees. In contrast, opt-out offers are usually ignored; only 2% to 3% of consumers opted out in response to the privacy notices mailed out this past summer, according to federal and industry sources.
Even if the insurance industry succeeds in blocking Vermont's law, it won't end the debate. New Mexico is considering similar rules, and 13 states have pending opt-in privacy bills, including Arkansas, California, Florida, Hawaii, Illinois, Massachusetts, Minnesota, North Dakota, New Hampshire, New Jersey and New York, according to the Internet Alliance, a Washington-based group.
Costle said she believes that she acted correctly and that the lawsuit will fail. Perhaps more important, the commissioner is convinced that residents want stronger privacy protections than those set in federal law.
"If you talk to the average U.S. citizen or Vermonter, they want their information protected," she said.
Related stories and links:
Read more about BI and Analytics in Computerworld's BI and Analytics Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
