Introduction

I received in the mail a one-page form document from a Life Insurance Company titled OUR PRIVACY POLICY. The subheading of the document is "Required by the Federal Gramm-Leach-Bliley Act and state privacy law."

Topics covered include:

• How do we protect your privacy?
• What information do we collect?
• To whom do we disclose information?
• What are your rights?
• How do you contact us?

I decided to use this letter as the basis for some research into personal privacy protection.

Who is "We"?

The form letter came from one of my insurers. No policy related info was provided, just a page full of bullet points. Since the bullet points repeatedly refer to a "we" I decided to do some research.

The company is a subsidiary of a foreign based insurance conglomerate. The company's 2004 financial report (available online after a simple web portal registration process) lists the company that sent me the letter as a 100% owned subsidiary.

The terms "we," "our," "affiliates," "non-affiliates," and "corporate family" are used throughout the Privacy Policy form letter. Assuming that the form letter is expressing to me a corporate commitment to maintaining the privacy of my data, I am wondering who is actually making this commitment, and who is bound by it.

Is the letter stating that anyone throughout the parent company's international workforce with a need to know can get at some of my personal data and that they are bound by the terms of this policy? I can't tell. Also, if some of the terms of this policy are being dictated by the "Gramm-Leach-Bliley" act, a U.S. law, how bound are the non-U.S. employees to follow all aspects of this policy? I have no way of answering that one, either.

What is "Gramm-Leach-Bliley"?

Title V of the Gramm-Leach-Bliley “Financial Services Modernization Act” is called "Privacy."  It assigns responsibility for privacy enforcement to the Federal Trade Commission and the Federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the States. The overall Act is not specifically focused on privacy; rather, it is an overall modification of federal regulation of banking and insurance businesses and includes a wide variety of provisions, including a requirement that ATM's clearly post fees for their use by customers of other financial institutions.

Reading the text of the Act, especially Section 6809, Definitions, some of the meaning of the rge Privacy Policy letter becomes apparent. An "affiliate," for example, is any company that "... controls, is controlled by, or is under common control with another company." Under this definition, it appears to me that the "we" referred to in the Privacy Policy letter I received refers not only to my insurer but but to all its parent company's other subsidiaries as well

What is "Non-Public Personal Information"?

This is how the Act defines this term:

(A) The term ''nonpublic personal information'' means personally identifiable financial information
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.

(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of this title.

(C) Notwithstanding subparagraph (B), such term -
(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.

I think the two main points being made here are the following:

1. The primary focus of Gramm-Leach-Bliley is on financial information
2. Using nonpublic personal information to generate or retrieve public information associated with the private information doesn't change the "private" nature of the original information

My letter provides additional information about what constitutes non-public personal information, including:

1. Personal information provided in the insurance application such as name, date of birth, social security number, income, etc.
2. Medical information obtained under authorization from health care providers
3. Existing insurance policies with the company or its affiliates
   
4. Information obtained as authorized from organizations such as motor vehicle bureaus, credit reporting services, and medical records services.
   

The  letter also includes the following cryptic statement at the end of its list of the information it collects:

(NPI obtained from insurance support organizations may be kept by them and disclosed to others.)

The letter does not define "insurance support organizations" but I assume it refers to organizations that broker information about claims and payment history. Can this statament also be read to mean, "We may be restricted by law from distributing your nonpublic personal information but others may not have such restrictions"? I don't know.