April 11, 2013
Privacy,
particularly as it pertains to the digital realm, is an essential issue for
many Americans. As individuals use the
Internet for an increasing number of daily activities, safeguarding personal
data remains an important component for both consumers and companies. In an early study, the Markle Foundation
found that online privacy was one of the most critical aspects among Internet
users, with concern over identity theft limiting some online transactions
(Friedman, 2001). This apprehension
persists in the modern era with online privacy legislation debated in the U.S.
legislature on a seemingly annual basis.
Among the concerns of Internet users, there are few aspects where
privacy is more critical than matters of financial importance. With more individuals conducting their
financial transactions online, the United States government along with the
banking sector sought a way to bolster consumer confidence. Their solution was the Financial Services
Modernization Act of 1999, more commonly known as the Gramm-Leach-Bliley (GLB)
Act of 1999. Although the purpose of the
GLB Act was to deregulate the financial industry, it also implemented a set of
privacy standards pertaining to companies in the banking and insurance
sectors. The following paper assesses
the key areas of the GLB Act as it applies to the life insurance market. Specifically, the privacy policies of three
insurance companies (Farmers Insurance Group, Monumental Life Insurance, and
Metropolitan Life Insurance) are examined to identify similarities and
differences among the companies as well as to provide the basis for
recommendations for improvement.
Organizations and Missions
The primary goal of the
GLB Act was to lower regulations enacted by the Bank Holding Company Act of
1956 and the Banking Act of 1933.
Legislators envisioned that the act would facilitate a stronger
financial sector by allowing companies to diversify across industries. In effect, the GLB Act encouraged banks,
securities firms, and insurance companies to expand into each other’s
sectors. The legislation also
facilitated mergers between companies within the different areas of the
financial services sector (Neale, Drake, & Clark, 2010). The GLB Act helped shape some of the most
recognizable insurance companies in the modern era.
Farmers Insurance Group
Formed in 1928 in
California as the Farmers Automobile Inter-Insurance Exchange, modern day
Farmers is one of America’s largest insurers.
Started with a handful of employees by entrepreneurs John C. Tyler and
Thomas E. Leavey, the company now boasts 74,000 career and independent
agents. Farmers insures over 10 million
households representing 20 million individual policies, with customers in all
50 states (About Farmers, 2013).
Although the company primarily insures homes, automobiles, and small
businesses, they also offer a variety of other insurance and financial services
products. Farmers and its subsidiaries are wholly owned by the Zurich Insurance
Group Ltd (Farmers Insurance, 2013).
Monumental Life Insurance
Although the modern day
company has gone through a number of transformations, Monumental Life Insurance
can trace its origins back to 1858 when it became Maryland’s first life
insurance company (Monumental, 2010).
According to Hoovers (2013), the company offers life insurance, long
term care, accident and health insurance, and retirement products through a
blended workforce of career employees and independent agents. In 1986, Monumental was acquired by the Dutch
insurance company, Aegon. In 2011, Aegon
USA announced that its subsidiaries would conduct all transactions solely under
the umbrella name, Transamerica (Monumental, 2010). Transamerica primarily offers life insurance,
retirement and investment products. The
company has over 14 million customers throughout the United States and is
licensed in every state except New York and DC (Transamerica, 2013).
Metropolitan Life Insurance
Founded in 1868, the Metropolitan Life Insurance Company is a subsidiary of
MetLife, Inc. Headquartered in New York,
the company became a global insurer after their 2010 acquisition of the
American Life Insurance Company from the American International Group, Inc.
(AIG) (Bloomberg BusinessWeek, 2013).
This purchase added to Metropolitan’s customer base giving the firm 90
million customers in over 50 countries (MetLife, 2013). Metropolitan Life Insurance Company offers
individual home, life and accident insurance, retail banking, and various
financial and retirement services. The
company also sells retirement and financial services to institutions and
corporations. Metropolitan markets its
products directly through agents as well as through third-party banks and
brokers (Bloomberg BusinessWeek, 2013).
Privacy Policies
The United States
government has a long history of legislative efforts regarding the defense of
personal privacy. One of the key
components of this focus has been the protection of personally identifiable
information (Hermalin & Katz, 2006).
From the Fair Credit Reporting Act and the Privacy Act in the 1970s to
more current legislation, the importance of this debate persists as increasing
amounts of personal data are moved into the digital realm. Safeguarding this information and reassuring
consumers remains an important matter for both public and private
organizations. In the American economy,
there are few areas where protection of this information is more critical than
the financial sector. Although the final
version of the GLB Act outlines privacy rules that financial institutions must
abide by, the original draft of the bill made no mention of this topic. It was not until the bill was presented to
the House Commerce Committee that the issue of privacy in the financial sector
became such a politically active issue that this subject was added to the final
legislation (Friedman, 2001).
Title V of the GLB Act
specifically addresses the privacy protections afforded to consumers regarding
their financial information. This
provision pertains to “non-public personally identifiable financial
information” to include data provided by the consumer as well as information
collected or obtained by the institution (Friedman, 2001, p. 3). Persons conducting business with a financial
company must receive notice of their privacy rights with special considerations
provided based on the relationship an individual has with an institution. For
instance, in the GLB Act a “customer” is defined as someone with a continuing
relationship with a company while a “consumer” has obtained a financial product
but is considered a short-term client.
This distinction is important because “customers” receive privacy
notices annually while “consumers” only receive them if their information is
shared with a non-affiliated firm. In
either case, notices “…must be a clear, conspicuous, and accurate statement of
the company’s privacy practices; it should include what information the company
collects about its consumers and customers, with whom it shares the
information, and how it protects or safeguards the information” (FTC, 2002, p.
2). Lastly, a company’s privacy policy
should also afford individuals a method to “opt-out” of having their
personal information shared with unaffiliated third parties. This section must explain that consumers have
the right to limit the disclosure of their data and provide reasonable means to
remove their names from this process (FTC, 2002). Although the GLB Act mandates certain legally
enforceable guidelines, not all privacy policies are created equal, with a
number of similarities and differences existing among firms.
Similarities
Since the GLB Act was passed
in 1999, financial companies have had over ten years to implement the
legislation. Of the companies assessed (Farmers, Monumental and Metropolitan),
all three had identifiable privacy policies conspicuously displayed on their
corporate websites. The firms clearly
outlined the purpose of their policies and who the notices pertained to. All three companies clearly detailed what
types of information were collected and to whom it was disclosed. Each company mentioned in varying degrees of
detail how electronic information such as cookies and IP addresses were also
collected. Finally, all three companies
listed some level of detail pertaining to the safeguards their firms had in place
to protect consumer privacy.
Differences
Two years after the GLB
Act was passed, the Center for Democracy and Technology (CDT) conducted a
survey of 100 financial institutions to determine the level of policy
implementation they had completed. The Center found
a widely varying array of legislative application on the part of institutions
(Friedman, 2001). The majority of the
differences stemmed from digital services, a discrepancy that could be
explained by the relative newness of online financial transactions. Since then, the Internet and information
technology have evolved considerably, although discrepancies among corporate
policies are still evident.
Although Farmers,
Monumental and Metropolitan each had a section in their privacy policy
regarding digital safeguards, the level of detail provided differed among
firms. The Metropolitan policy only
discussed defenses in generalized terms, while Farmers went the additional step
to mention their company uses 2048-bit encryption (Farmers Privacy Policy,
2011). Monumental had the most
comprehensive security section which discussed areas such as access controls
and electronic transactions. Another
area that differed among the companies surveyed had to do with the “opt-out”
clause. Only two of the insurance
companies assessed (Farmers and Metropolitan) had conspicuously displayed this
section in their privacy notices. No
such “opt-out” clause was evident in Monumental’s privacy policy (Monumental
Privacy Statement, 2012).
Recommendations
Since the GLB Act was
ratified in 1999, developments in the field of consumer privacy have revolved
around “…maintaining a healthy balance between the need for free and open
information sharing and the importance of protecting customers’ privacy rights
domestically and abroad” (Roach & Schuerman, 2005, p. 439). Although many corporations worry about the
government’s role in this arena, Hermalin and Katz (2006) found that privacy
policies can be improved to better protect consumers’ rights as well as become
more efficient and flexible for corporations.
For this bill to remain relevant in the modern era, supporters of online
privacy believe updated legislation is required.
Farmers Insurance Group
According to the FTC,
an individual’s right to prohibit having their information shared with other
companies must be offered in a reasonable manner. Examples of this can consist of opting out
via a toll-free number or online form. A
case of an unreasonable method would be to require the customer or consumer to
write a letter to the firm (FTC, 2002).
Although the Farmers’ privacy notice includes a toll-free number to
call, doing so then initiates a separate form mailed to the requestor. In the modern era, the argument could be made
that being unable to complete this activity entirely over the phone, or the lack of
an online option, could constitute an unreasonable method. A 2004 study conducted by six federal
agencies surveyed 110 financial institutions about various implementation aspects
of the GLB Act. One of the topics these
agencies researched was the effectiveness of “opt-out” procedures among the
companies. What they determined was that
a more efficient system was needed. One
of the proposed solutions included a default “opt-out” policy for all consumers
with a centralized repository similar to the National Do Not Call Registry
(SEC, 2009). This would provide
consumers with increased control over their privacy rights, while streamlining
the process for institutions.
Of the three companies
examined, Farmers provided an average level of detail regarding their firm’s
cybersecurity. Although the GLB Act does
not dictate the amount of information a financial firm must provide, offering more
data could help alleviate individuals’ concerns as well as allow them to make more
informed decisions regarding which financial firm to choose. Full disclosure in this area, however, must be
balanced with the firm’s need for digital security. Too much information disclosed could provide
hackers with enough information to facilitate attacks against the company’s
digital infrastructure.
Monumental Life Insurance
Although Monumental
provided the most detail regarding their security practices, this was the only
area sufficiently developed. In addition
to not having a conspicuous opt-out procedure, Monumental also had the shortest
privacy notice. Although the GLB Act
does not advocate a specific format, this area has long been a source of
contention between the financial industry and government regulators, with
companies allowed to develop their own policies. As late as 2009, federal agencies observed an
assortment of privacy notices varying in the amount of information delivered to
consumers. Some institutions have argued
that having excessively lengthy notices may confuse clients and actually run
contrary to the GLB Act’s “clear and conspicuous” requirement (SEC, 2009). The solution to this dilemma may lie
somewhere in the middle. Institutions
should be provided with a general framework for their firm’s privacy notices,
but be allowed to modify the policy as necessary. This would give companies both guidance and
flexibility, which could provide customers with clearer privacy notices and
allow companies to better adhere to federal regulations.
Metropolitan Life Insurance
While Metropolitan
provided the least amount of information about their security procedures, the
company provided an excessive amount of detail regarding their policy on
information sharing. This portion of
Metropolitan’s notice goes so far as to say that “even if you opt-out, however,
any MetLife company fortunate enough to have you as a customer may continue to
send you information about products and services offered by any of our
affiliated or unaffiliated companies” (MetLife Privacy Policy, 2009). While this may not strictly violate privacy
rights covered under the GLB Act, in effect this statement amounts to MetLife’s
ability to send their customers endless amounts of spam correspondence. This
raises a question, first discussed in 2001, of the glaring exceptions to
information sharing within the GLB Act.
Proponents of consumer privacy feel portions of the act go too far,
with the CDT arguing that consumers should also be provided the ability to opt-out
of public information sharing for marketing purposes. This recommendation would provide consumers
with a greater control over their personal privacy.
Conclusion
Privacy is a core tenet
of the Gramm-Leach-Bliley Act, having increased consumer awareness in the
financial services sector (FTC, 2002).
Although this act is important legislation, compliance does not always
equate to adequate customer protection.
Almost 15 years after being enacted, there still exists a wide array of
privacy notices among companies.
Accordingly, a number of individual states have begun to view the
legislation as ineffective and have passed their own versions of the law. Often, this results in
more stringent and state-specific requirements that companies must follow. As a
result, adhering to the spirit of the GLB Act could prove advantageous for the
financial industry as a whole. Ensuring
privacy notices are clearly and accurately written protects institutions from
potential liability issues. Although a
standardized format for this notice may be too simplistic for some firms, a
list of best practices could provide adequate guidance to allow for both
consumer protection and organizational flexibility.
About Farmers. (2013). Farmers Insurance Group. Retrieved from http://www.farmers.com/farmers_insurance.html
Bloomberg Business Week. (2013). Company overview of Metropolitan Life Insurance Company. Retrieved from http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=6544307
Farmers Insurance. (2013). Farmers Insurance to celebrate 85th anniversary by joining forces with Feeding America to conduct national food drive as way to continue giving back to communities it serves (Press Release). Retrieved from http://www.marketwatch.com
Farmers Privacy Policy. (2011). Farmers Insurance Group. Retrieved from
Federal Trade Commission (FTC). (2002). In brief: The financial privacy requirements of the Gramm-Leach-Bliley Act. Retrieved from http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act
Friedman, A. (2001). Online banking privacy: A slow confusing start to giving customers control over their information. Center for Democracy and Technology. Retrieved from http://www.ftc.gov/bcp/workshops/glb/supporting/CDTonlinebanking.pdf
Hermalin, B., & Katz, M. (2006). Privacy, property rights and efficiency: The economics of privacy as secrecy. Quantitative Marketing & Economics, 4(3), 209-239. doi:10.1007/s11129-005-9004-7
Hoovers. (2013). Monumental Life Insurance Company: Company profile. Retrieved from
MetLife. (2013). Corporate profile. Retrieved from https://www.metlife.com/about/corporate-profile/metlife-history/metlife-today/index.html
MetLife Privacy Policy. (2009). Metropolitan Life Insurance Company. Retrieved from
Monumental. (2010). History. Retrieved from https://www.monlife.com/ML/history.asp
Monumental Privacy Statement. (2012). Monumental Life Insurance Company. Retrieved from
Neale, F. R., Drake, P. P., & Clark, S. P. (2010). Diversification in the financial services industry: The effect of the financial modernization act. The B.E. Journal of Economic Analysis and Policy: Topics in Economic Analysis & Policy, 10(1), 1-28. Retrieved from http://www.degruyter.com/view/j/bejeap
Roach, S. R., & Schuerman Jr., W. R. (2005). Privacy year in review: Recent developments in the Gramm-Leach Bliley Act, Fair Credit Reporting Act, and other acts affecting financial privacy. I/S: A Journal of Law and Policy for the Information Society, 1(2-3), 385-440. Retrieved from http://moritzlaw.osu.edu/students/groups/is/
Securities and Exchange Commission (SEC). (2009). Final model privacy form under the Gramm-Leach-Bliley Act. Retrieved from http://www.sec.gov/rules/final/2009/34-61003.pdf
Transamerica. (2013). About us. Retrieved from http://www.transamerica.com/about_us/