To: GLBRule@ftc.gov
Subject: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 - Comment

Dear Sirs/Madams:

On behalf of Progressive Casualty Insurance Company ("Progressive"), please accept the following comments on the Federal Trade Commission's proposed Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313, et seq. (the "Rule"):

§ 313.3 Definitions

e. Consumer.

By way of example, the Rule defines "consumer" to include an individual who only applies for a financial product or service, but does not actually obtain the same. This is inconsistent with the Gramm-Leach-Bliley Act ("GLB"), which defines a consumer as an individual who actually obtains financial products or services. Accordingly, the Rule should be revised to state that the term "consumer" does not include an individual who merely applies for a financial product or service, but does not actually obtain the same.

n. Nonpublic personal information.

The Commission has invited comment on Alternatives A and B. It makes little sense to afford protection to information that is publicly available, merely because the financial institution obtained the information other than from public sources. No public interest is served by doing so, and the expense and complexity of tracking the origin of public information to determine whether it would be protected argues strongly in favor of Alternative B.

o. Personally identifiable financial information.

The Commission has invited comment on the proposed definition of personally identifiable financial information. The Rule defines nonpublic personal information broadly by adopting a definition of personally identifiable financial information that would include virtually all information provided in connection with a transaction involving a financial product or service. By contrast, GLB is designed to protect only personally identifiable financial information. Clearly, Congress intended to include within nonpublic personal information only personally identifiable information of a financial nature. The Rule expands this definition in an attempt to create a "workable and clear standard," but financial information is easily identifiable, without the need for an overly-broad definition that clearly exceeds the scope of GLB. As such, this term should be defined in the final Rule to include only information of a financial nature. "Personally identifiable" is clear without further definition.

p. Publicly available information.

The Commission has invited comment on which alternative is more appropriate and what information is appropriately considered publicly available, particularly in the context of information available over the Internet. For the reasons stated above, Alternative B is the preferable definition. With respect to information available over the Internet, the test should be whether the information is available to any member of the public, as opposed to being available only to a certain class of individuals, such as law enforcement. Password protection should not automatically remove the information from the definition, since many times the password is used only as evidence of payment or membership in a designated organization.

§ 313.4 Initial notice to customers and consumers of privacy policies and practices required.

When initial notice is required.

The proposed Rule requires that notice be provided to "[a]n individual who becomes your customer, prior to the time that you establish a customer relationship . . . ." The Rule defines a customer as "a consumer who has a customer relationship with you." Since one cannot determine which consumer will become a customer until the customer relationship is established, it is impossible to comply with the timing requirements of this provision. Moreover, the proposed "prior to" standard is contrary to § 503 of GLB, which requires that the notice be provided "at the time of establishing a customer relationship." Therefore, notice of the financial institution's privacy policy should not be required prior to the time that a financial institution establishes a customer relationship.

The Rule states that if a financial institution and a customer orally agree to enter into a customer relationship, the institution may provide the § 503 privacy notice within a reasonable time thereafter if the customer "agrees." Since the financial institution is not permitted to provide the privacy notice orally, the institution will have no alternative but to provide the written notice after the customer relationship has been established orally. Therefore, requiring the customer's agreement to do so is meaningless and confusing. If a consumer chooses to engage in an oral transaction, the consumer must necessarily consent to receive all written notifications, including the privacy notice, at a later date.

How to provide notice.

The Commission has invited comment on whether, when there is more than one party to an account, there are instances where all parties to the account need not receive the § 503 notice. When there is more than one party to an account, the party initiating the financial transaction should be presumed to have authority to act on behalf of the other parties for purposes of receiving the initial privacy notices. A requirement that each party to the transaction be notified would inconvenience consumers by delaying the availability of financial products and services until after the notices can be delivered to all parties, even though it is clear in most cases that such parties have vested authority in the person initiating the transaction to act on their behalf. Moreover, a requirement to send notices to each party to a joint account will result in multiple, identical notices being sent to the same household, generating further confusion and frustration on the part of consumers.

§ 313.6 Information to be included in initial and annual notices of privacy policies and practices.

The proposed Rule would require a financial institution to include in its § 503 notice more detail than would be useful to the average consumer. Requiring this level of detail will make the notice difficult to accurately draft and maintain, and will likely generate consumer confusion, rather than provide meaningful information. Requiring overly-detailed § 503 notices will also increase the frequency of change in terms notices, resulting in more consumer confusion and significant processing costs.

The Commission has invited comment on whether a notice listing the categories of persons to whom information may be disclosed pursuant to one of the exceptions set out in proposed §§ 313.10 and 313.11 would be adequate. Progressive submits that it is unnecessary to require a list of the categories of persons to whom information may be disclosed pursuant to one of the exceptions set out in proposed §§ 313.10 and 313.11. Doing so would only lengthen an already complex notice, diluting more important and useful information for the customer.

Under Subsection (a)(6) of the proposed Rule, a financial institution would be required to inform the consumer of the right to opt out under § 502. This is redundant with requirements for the § 502 notice, and would unnecessarily increase the length and complexity of the § 503 notice.

§ 313.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.

The Commission has invited comment on how the right of opt out should apply in the case of joint accounts. Given that nonpublic personal information may be stored under an account number, rather than by individual names, an opt out by any one account holder should, at the option of the financial institution, be treated as an opt out for all joint account holders. Thirty days provides customers a reasonable opportunity to opt out.

§ 313.8 Form and method of providing opt out notice to consumer.

Paragraph (a). The Commission has invited comment on whether financial institutions should be required to accept opt outs through any means of communication. Given the potential size of financial institutions, which often employ thousands of employees, any such requirement would be difficult or impossible to administer. Financial institutions should be permitted to specify any method of opt out that is convenient for consumers, and to limit the ability to opt out to the specified channels of communication.

Paragraph (b). The Commission has invited comment on whether a more specific time by which the opt out notice must be given would be appropriate. Sec. 502(b) of GLB requires that the consumer be given the opportunity to opt out "before the time that such information is initially disclosed . . . ." As such, a reasonable time would be any time prior to disclosure. Further definition in the Rule is unnecessary.

Paragraph (c). The Commission has invited comment on whether the Rule should establish a time limit by which the opt out election must be effectuated by the financial institution. Progressive agrees with the Commission that the wide variety of practices of financial institutions makes any such limit inappropriate, and advocates adoption of the "as soon as reasonably practicable" standard.

§ 313.9 Exception to opt out requirements for service providers and joint marketing.

The Commission has invited comment on whether third party contractors should be permitted to use information received pursuant to proposed § 313.9 to improve credit scoring models or analyze marketing trends, as long as the third parties do not maintain the information in a way that would permit identification of a particular consumer. GLB clearly permits sharing nonpublic personal information with a nonaffiliated third party to perform services for or functions on behalf of the financial institution. Since nonpublic personal information is defined, in part, as "personally identifiable" information, requiring maintenance of the information in a way that would not permit identification of a particular consumer is contrary to the statutory exception in GLB. Such sharing of information is appropriate with full disclosure and a contract requiring that the third party maintain confidentiality of the information. Any additional requirement to maintain such information in a way that would preclude identification of a particular consumer is unnecessary and contrary to the provisions of GLB.

The Commission states that § 502(b)(2) of GLB allows the Commission to impose additional requirements on the disclosure of information pursuant to the exception for service providers beyond those imposed in the statute. However, § 502(b)(2) references the Commission's regulations only with respect to the provision of nonpublic personal information to a nonaffiliated third party to market financial products or services offered pursuant to joint agreements between two or more financial institutions. To impose requirements on the recipient of information who performs services for the financial institution beyond a requirement to maintain the confidentiality of the information is unnecessary and beyond the statutory mandate.

§ 313.11 Other exceptions to opt out requirements.

The Commission has invited comment on whether specific safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. The method by which a financial institution obtains consent from a consumer for the disclosure of nonpublic personal information to a nonaffiliated third party will necessarily vary with the circumstances surrounding the financial transaction, such as how it is conducted (i.e., electronically, in writing, or over the telephone), the time by which it must be completed, etc. Consent should be reasonable under the circumstances. Imposing specific safeguards, such as written consent, separate signature lines and the like, will only serve to inconvenience the consumer, without reducing the potential for consumer confusion.

§ 313.12 Limits on redisclosure and reuse of information.

The Commission has invited comment on whether the rule should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. Section 502(c) of GLB imposes a direct and affirmative legal obligation on the receiving party not to further disclose the information. Given this, there is no need for the disclosing institution to establish policies and procedures that would, in effect, require the disclosing institution to police the activities of the recipient.

The Commission has requested comment on whether proposed §§ 313.12(a)(2) and 313.12(b)(2) would restrict a nonaffiliated third party from using information obtained in accordance with applicable exceptions for purposes beyond the scope of the exceptions, if the information is not used in a personally identifiable form. Since the cited sections apply only to nonpublic personal information, which is defined, in part, as personally identifiable information, information that is not used in a personally identifiable form will not and should not be subject to restrictions on further use or disclosure. If the information is not personally identifiable, then there can be no harm to the individual about whom the information pertains. Further restricting use of information that is not personally identifiable exceeds the scope of GLB, and will have a chilling effect on the development of innovative products and services that can be beneficial to consumers, such as the refinement of credit scoring and underwriting models.

§ 313.16 Effective date; transition rule.

Ensuring compliance with GLB will require financial institutions to conduct a comprehensive audit of their current procedures with respect to the collection, use and disclosure of nonpublic personal information, obtain agreement with key business units and functional areas on an acceptable privacy policy in light of the requirements of GLB and applicable regulations, and then implement internal changes to various systems and processes involved in information handling. The agreed privacy policy and procedures must then be communicated to consumers, vendors, business partners and other interested parties, and implemented through contractual amendments and appropriate changes to business practices. This represents an enormous undertaking for all but the smallest financial institutions, and six months will be insufficient time to plan and implement the necessary changes in an effective, comprehensive, accurate, and controlled manner. The Commission should provide at least 12 and, preferably, 18 months following the adoption of a final rule for financial institutions to bring their policies and procedures into compliance.

GLB and its regulations will generate millions of pieces of mail. Progressive, alone, expects to provide over four million customers a copy of its privacy policies and associated opt out notice. Requiring all financial institutions subject to GLB to provide these notices within 30 days after the effective date of the Commission's rule will be burdensome to the U.S. Postal Service and very confusing to consumers who will receive multiple notices from various financial institutions, such as their bank, mortgage company, credit card companies, finance companies, insurance companies, and others. A better approach, at least for existing customer relationships, would be to allow notice to be included with periodic statements from the financial institutions. Banks, credit card companies and the like could provide their notices with monthly statements. Insurance companies could provide notice with 6 and 12-month policy renewal notices. To allow adequate time for billing and renewal cycles, and to reduce consumer confusion and the burden on the U.S. Postal Service, a 12-month notice period following the required compliance date is suggested.

Section E. Regulatory Flexibility Act.

The Commission has asked for identification of all relevant Federal, state or local rules that may duplicate, overlap or conflict with the proposed Rule. With respect to insurance, over a dozen states have enacted a version of the National Association of Insurance Commissioners' Insurance Information and Privacy Protection Model Act ("IIPPA"), which contains many of the same features found in GLB. The IIPPA includes a requirement that insurance companies issue a notice of information practices, provisions for the protection, correction, and limited disclosure of personal and privileged information, and the opportunity to opt out of information sharing for marketing purposes.

*******************************

Progressive appreciates the opportunity to comment on the proposed Rules.

Sincerely,

Peter J. Albert, Corporate Attorney