FROM: KAREN L. SUTER, COMMISSIONER
RE: ENFORCEMENT REQUIREMENTS OF GRAMM-LEACH-BLILEY PRIVACY REQUIREMENTS
Bulletin No. 00-15, dated November 8, 2000, advised insurers that the Gramm-Leach-Bliley Act, P.L. 106-102 ("GLBA"), enacted November 12, 1999, requires financial institutions, including insurers, to protect the privacy of consumers’ non-public personal information. The Bulletin also advised that Title V of GLBA requires Federal and state regulators to implement GLBA’s privacy protections within six months of the Act’s effective date, except to the extent a later date is specified by the rule. The Act took effect November 13, 2000; however, under the authority of GLBA at section 501(1), Federal regulators delayed enforcement until July 1, 2001.
The Bulletin also advised that N.J.S.A. 17:23A-1 et seq., effective December 7, 1985, regulates the collection, use and disclosure of information gathered by insurers in connection with policies, contracts or certificates of insurance issued and delivered in this State. As noted in Bulletin No. 00-15, in most respects, this statute provides standards that are at least as stringent, and in many cases more stringent, than the standards set forth in GLBA.
The purpose of this Bulletin is to remind insurers that they have been and will continue to be subject to the information and collection disclosure requirements set forth in N.J.S.A. 17:23A-1 et seq, as well as the requirements set forth under GLBA. To the extent that GLBA imposes additional or different requirements than those set forth under New Jersey law in the form or timing of the notice, insurers are reminded that they are required also to comply with GLBA’s requirements. (For example, GLBA requires that notices be sent annually after the initial notice is provided; N.J.S.A. 17:23A-4 requires periodic notice within 24 months.) In complying with these standards, insurers may utilize those procedures they deem appropriate based on their current systems. For example, insurers may utilize one common notice that complies with both N.J.S.A. 17:23A-1 et seq. and GLBA and may issue one notice or form of notice for all affiliates.
In addition, companies and agents should review their contracts to understand their responsibilities under GLBA. Responsibilities for compliance may be allocated. If the insurer sends the required notices, its agents will not be required to do so, unless the agent(s) separately seeks to utilize or disclose non-public personal information other than in the course of its dealings with the insurer.
As noted in Bulletin No. 00-15, with respect to the enforcement of Federal privacy standards under GLBA, other than those set forth in N.J.S.A. 17:23A-1 et seq., the Department will act in accordance with the delayed enforcement date of July 1, 2001. Insurers should have a plan for compliance by that date. After July 1, 2001, the Department expects to include a compliance review of privacy protections in connection with its periodic examination of insurers.
Finally, the Department will provide further guidance from time to time as issues arise, including promulgation of administrative rules if appropriate.
June 25, 2001 /s/ Karen L. Suter, Commissioner