The Gramm-Leach-Bliley Act and its Impact on the Discovery of Customer Lists and Policyholder Files By Edgar M. Elliott, IV In November 1999, Congress enacted the Federal Financial Modernization Act, better known as the Gramm-Leach-Bliley Act, or GLBA, found at 15 U.S.C. 6801, et. seq. Section 6802 of the GLBA provides that except as otherwise provided in this chapter, a financial institution may not... disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title. 15 U.S.C.A. 6802(a). An insurance company meets the definition of a financial provider under the terms of the GLBA. 15 U.S.C. 6809 ; 12 U.S.C. 1843(k)(4). As a result, the provisions of this section and the GLBA in general may serve to limit, if not preclude, plaintiffs in bad faith or fraud actions against insurance companies from obtaining discovery of pattern and practice evidence, in particular the names and addresses of other insureds having made similar claims. The Congressional intent behind the GLBA was to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities, firms, insurance companies, and other financial providers.... Landry v. Union Planters Corp., 2003 WL 21355462 at * 3 (E.D.La. 2003) (quoting H.R. Rep. No. 106-434, at 245 (1999), reprinted in 1999 U.S.C.C.A.N. 245, 245) (emphasis added). As the Landry court noted, the GLBA was intended in part to provide consumers with a high degree of confidence with respect to privacy issues: 1
To ensure that increased competition would enure to the benefit of consumers, Congress assuaged consumers concerns regarding dissemination of personal financial information by providing them the power to choose how their personal financial information will be shared by financial institutions.... During the debates in congress, legislators noted that the proposed Act would provide some of the strongest privacy protections to ever be enacted into federal law, and would represent the most comprehensive federal privacy protection ever enacted by Congress. Landry, supra at *3. Insurers can now argue that the GLBA preempts Alabama state law permitting the discovery of information concerning other insureds or other claims. The Alabama Supreme Court has recognized that comprehensive federal legislation, such as the GLBA, preempts state law. General Motors Corp. v. Kilgore, 853 So. 2d 171, 174 (Ala. 2002). In Kilgore, the Alabama Supreme Court stated that in determining whether a federal statute preempts state law, the critical question is whether Congress intended that federal regulations supersede state law. Id. (emphasis supplied). The GLBA states that it supersedes any [s]tate statute, regulation, order, or interpretation to the extent that any such statute, regulation, order or interpretation is inconsistent with the provisions of this subchapter.... 15 U.S.C. 6807(a); see also 15 U.S.C. 6701(d)(2). A number of courts have held that the GLBA preempts any contrary state law, rule, ordinance, or court order. 1 The Mississippi Supreme Court reached that conclusion in Equitable Life Assurance Society of the United States v. Irving, holding that the GLBA prohibits insurance companies from disclosing the names and addresses of their policyholders pursuant to a party s discovery request. Equitable Life, 2003 WL 22098021, *4 (Miss. Sept. 11, 2003). 2
The plaintiff in Equitable Life sought discovery of policyholder information from an insurer in a bad faith/fraud action. The Court held that, under the Supremacy Clause, the GLBA preempts any state law which conflicts with it and thus, bars state courts from issuing orders that conflict with it. Id. The Mississippi Court concluded that the purpose of the GLBA was to protect the privacy of customers of financial institutions. The Court found that Equitable fell within the definition of a financial institution under the GLBA. Id. Therefore, the Mississippi Supreme Court reversed the trial court and held that the plaintiff was not entitled to the policyholder information requested. Id. at *3. An important issue in determining whether the GLBA applies to pattern and practice discovery is whether the discovery request seeks nonpublic personal information. Section 6802 states that a financial institution may not, directly or through an affiliate, disclose to a non-affiliated third party any nonpublic, personal information. 15 U.S.C. 6802(a); see also Equitable Life, 2003 WL 22098021 at *2. The Federal Trade Commission regulations which interpret the GLBA define nonpublic personal information as personally identifiable financial information or any list... or other grouping of consumers... that is derived using any personally identifiable financial information. 16 C.F.R. 313.3(n)(1)(emphasis added). The FTC regulations define personally identifiable financial information to include any information about [the] consumer if it is disclosed in a manner that indicates that the individual is or has been [a] consumer [of the financial institution]. 16 C.F.R. 313.3(o)(2)(i)(D) (emphasis added). In Equitable Life, the Mississippi Court implicitly held that the names and addresses of an insurer s policyholders constituted nonpublic personal information. 2003 3
WL 22098021 at *2. The FTC s broad definition of the phrase personally identifiable financial information has been upheld by the courts. See e.g., Trans Union L.L.C. v. Federal Trade Commission, 295 F.3d 42, 51 (D.C. Cir. 2002). In Trans Union, a credit reporting agency challenged the FTC regulations on numerous grounds, including the ground that the definition of personally identifiable financial information was overbroad. 295 F.3d at 46. Trans Union contended that the term financial should only apply to information that describes an individual s financial condition and should not apply to information appearing in consumer credit report headers, such as name, address, telephone number, and social security number. 2 295 F.3d at 50. The Circuit Court disagreed, holding that while the FTC could have chosen the narrow definition espoused by Trans Union, it did not and that the FTC s definition was a permissible one. 295 F.3d at 51. The prohibitions against disclosure apply not only to the insurance company, but also to third parties with whom the insurance company does business. Union Planters Bank v. Gavel, 2002 WL 975675 (E.D. La. 2002), involved a subpoena to a third party seeking information related to customers of the defendant. The district court held that the GLBA prohibited the third party from disclosing the information sought by the subpoena without the consent of the customers because the third party was engaged in activity which was financial in nature. Union Planters, 2002 WL 975675 at *5. Necessary to the holding in Trans Union was the conclusion that the customer names, addresses, and telephone numbers constituted protected nonpublic personal information within the provisions of the GLBA. On this issue, the court held that records regarding the forced placement of flood insurance for Union Planters customers constitutes a `grouping of non-public personally 4
identifiable financial information which is precluded by the GLBA. Id. at *6. This holding was later relied on by the Mississippi Court in Equitable Life. There are express exceptions to the GLBA s prohibition against the disclosure of nonpublic personal information found at 15 U.S.C. 6802(e). None of the exceptions specifically speaks to discovery requests in a civil fraud action. Both the Union Planters and the Equitable Life court concluded that the exceptions did not apply to the discovery requests in those cases. Two exceptions warrant specific mention. Exception (3)(B) applies to disclosure to protect against or prevent actual or potential fraud and exception (8) applies to disclosure to comply with federal, state or local laws, rules and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, state or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law. 15 U.S.C. 6802(e)(3)(B) & (8). The Equitable Life Court held that the fraud exception does not authorize the production of policyholder information in a civil fraud case, but is instead intended to allow governmental authorities to conduct investigations of financial institutions. Equitable Life, supra at * 3, (quoting Union Planters, 2002 WL 975675 at *8). Further, the Equitable Life court held that the exception for compliance with federal, state, or local laws applied to government authorities when investigating financial institutions and not to private plaintiffs. Equitable Life, 2003 WL 22098021 at *1, *3 (citations omitted)(emphasis added). 5
In conclusion, the effect of the GLBA on civil discovery requests is an emerging area of the law. This article has attempted to outline the approaches taken to date. As yet, the Alabama courts have not interpreted the act in this context. However, this is likely to change in the very near future. 1. See, Bowler v. Hawke, 320 F.3d 59 (1st Cir. 2003)(discussion of GLBA preemption of state statutes regulating insurance); Cline v. Hawke, 2002 WL 31557392, 51 Fed.Appx. 392 (4th Cir. 2002)(GLBA preempted certain West Virginia insurance regulations); Bank of America v. City of Daly City, California, 279 F.Supp.2d 1118 (N.D. Cal. 2003)(GLBA preempted local ordinances). 2. The FTC regulations define nonpublic information (the phrase used by GLBA) as (i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. 313.3(n)(1). 6