Congress recently passed, and on December 4, 2015, President Obama signed, the Fixing America's Surface Transportation Act ("FAST Act"), a comprehensive transportation infrastructure bill.

The FAST Act includes a tacked-on provision relieving certain financial institutions from their obligation to deliver annual (but not initial) privacy notices required under the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999 ("GLBA"), in certain circumstances.

Specifically, a financial institution can avoid sending annual privacy notices under GLBA if it does not share protected customer personal information in a manner requiring customers to receive an opt-out notice and the financial institution has not changed its privacy policies and practices since its most recently delivered annual privacy notice. To the extent service contract providers and administrators are subject to GLBA's privacy provisions (and a federal regulatory agency's related implementing regulations), they too have the opportunity to cease their delivery of annual privacy notices and save the expenses of their preparation and mailing.

Brief History of GLBA Privacy Notices for the Insurance Industry

GLBA, the primary purpose of which was to repeal the Depression-Era Glass-Steagall Act of 1933, also included the first federal privacy law requirements for financial institutions (banks, thrifts, savings & loan associations, credit unions, securities brokers, investment advisors, and insurance companies and producers), including the obligation of financial institutions to deliver initial and annual privacy notices to consumers of financial products and services from financial institutions for personal, family and household purposes.

GLBA mandated that federal regulatory agencies with oversight of financial institutions promulgate regulations to implement GLBA's privacy law, and indeed, in 2000, the Office of the Comptroller of the Currency, former Office of Thrift Supervision, Federal Reserve Board, National Credit Union Administration, Federal Deposit Insurance Corporation, Securities and Exchange Commission, Federal Trade Commission and Secretary of the Treasury published such regulations. The Federal Trade Commission's GLBA privacy regulations generally apply to financial institutions which are not primarily subject to regulatory oversight by another federal regulator.

With respect to insurance companies and producers, because of the McCarran-Ferguson Act's long-standing deference to state regulation of the business of insurance, GLBA provided such continued deference to states for GLBA's privacy law requirements if a state's privacy laws are not inconsistent with GLBA's. This means that a state's privacy laws must afford insurance consumers greater privacy protections that does GLBA.

In 2000, in the wake of the passage of GLBA, the National Association of Insurance Commissioners adopted its Privacy of Consumer Financial and Health Information Regulation, which it modeled after the federal agencies' GLBA privacy regulations.

The states thereafter adopted the NAIC's regulation in one form or another, by statute or regulation, and it became the state-based implementation of GLBA's privacy law for the insurance industry ("State Insurance GLBA Privacy Laws").

Because state insurance GLBA privacy laws currently require annual privacy notices, and because state requirements can be more protective of consumers than GLBA without being deemed inconsistent with GLBA, it appears that state insurance GLBA privacy laws will require amendments to permit insurance companies and producers to avoid mailing annual privacy notices as contemplated by the FAST Act.

Application of GLBA Privacy Laws to Service Contracts Industry

The applicability of state insurance GLBA privacy laws to service contracts has not been entirely clear. Because most states' service contract laws expressly state that a service contract is not insurance, some have argued that therefore state insurance GLBA privacy laws do not apply to service contracts. See the Service Contract Industry Council's Position Paper on Application of Gramm-Leach-Bliley Act to Service Contract Industry, dated July 23, 2001.

While that conclusion may be correct, it does not end the inquiry of whether some other GLBA privacy regulation may apply to a service contract provider. To be sure, a service contract, when issued by a third party that is not the manufacturer of the product covered by the service contract, is presumptively an insurance contract because it meets the hallmark definition of insurance (risk shifting, risk pooling, indemnity promise, occurrence of fortuitous event).

This is why the state service contract laws go out of their way to deny that service contracts are insurance. They are, after all, a consumer financial product or service and would be regulated as insurance if not for the deregulation as insurance they enjoy under state service contract acts.

Moreover, under GLBA, the Federal Trade Commission became the default privacy regulator for consumer financial products and services offered by financial institutions for which there was no other functional regulatory agency exercising oversight of such products or services. However, the Dodd-Frank Wall Street Reform and Consumer Protection Ac later transferred some of the FTC's GLBA privacy laws jurisdiction to the Consumer Financial Protection Bureau with respect to consumer financial products and services over which it has regulatory jurisdiction.

The FTC's GLBA privacy regulations broadly define what is a financial institution, which ultimately means a person engaged in any significant amount of financial activities in which a national bank may engage and, for example, includes auto dealers that lease autos in the ordinary course of business and likely also includes offering service contracts to the extent they are not regulated as the business of insurance.

Thus, because a service contract is a consumer financial product or service, to the extent that a service contract is not insurance, making inapplicable state insurance GLBA privacy laws to a service contract, the FTC's GLBA privacy regulation likely applies to service contracts.

Accordingly, a service contract provider should be a financial institution under the FAST Act and should be able to obviate the need to deliver annual GLBA privacy notices to its service contract holder customers if the terms of the service contract provider's GLBA annual privacy notice have not changed and if the service contract provider does not share its service contract holder customers' non-public personally identifiable information in a manner that requires them to receive a notice of right to opt-out of a service contract provider's information-sharing practices.

About the Author:

Brian T. Casey is a partner in the Atlanta office of the international law firm Locke Lord LLP. As co-leader of Locke Lord's Regulatory and Transactional Insurance Practice Group, and a member of the firm's Corporate, Capital Markets and Health Care Practice Groups, Brian focuses on corporate, merger and acquisition, corporate and structured finance and other transactional, and regulatory matters for corporate clients in the insurance, financial services and health care industries.

One significant facet to Brian's practice is a focus on the service contracts industry across all types of covered products, including mobile phones, computers, homes, furniture and automobiles. His clients include insurance companies, insurance holding companies, managing general agents and insurance agencies, third party and claims administrators, banks and other financial institutions, investment banks and reinsurance companies.