A new federal statute called the Financial Services Modernization Act of 1999, 12 USC 93a, 15 USC §6801 et seq., now permits your bank, your insurance company, your stock broker, and other financial institutions to merge with each other and to share information about you. The new law has alarmed privacy advocates because it permits financial institutions not only to share personal information freely with their affiliates, but also to sell private data about their customers with only the barest constraints.
Leading the parade of horribles is the prospect of a bank making lending decisions based on the health data it gets from its affiliated insurance company, withholding mortgage loans from cancer patients, for example (see the discussion of state privacy protections, infra.). Another prospect is the insurance company that declines to sell insurance unless its prospective customers consent to having all their credit card transactions reviewed. A third is that individual citizens will find themselves in the crosshairs, as intimate details about them become widely known.
If you disclose medical information about yourself in order to purchase life insurance, your health records automatically become “financial information” because life insurance is considered a financial product. And since insurance companies are financial institutions, your account balances and credit card transactions can be disclosed to your health insurer. Thus, the Financial Services Modernization Act permits companies to develop and share rich sources of information about consumers, the easier to generate revenues and fend off undesirables. The new statute will provide some advantages, like one-stop shopping and improved fraud detection, but it will also permit financial institutions to track their customers' personal interests and preferences, creating a mother lode of valuable private information.
The “Opt-Out” Option
Financial institutions are free not only to share private information with their affiliates but also to sell valuable private information to other companies, so long as they publish their privacy policies and give their customers a chance to “opt-out.”
All a bank has to do is to send you its “privacy” policy. This is an annual statement describing the information it collects about you, the kinds of affiliates it has, and the kinds of information it will sell.
You can “opt-out” by sending your financial institutions a letter asking them not to disclose information about you to other companies. The burden is entirely on you to speak up if you do not want to give them permission. Your silence will be interpreted as consent. Even if you opt-out, your financial institutions can freely disclose information with their “affiliates.”
State Privacy Protections Are Not Preempted
The Financial Services Modernization Act specifically provides that states may enact stronger privacy protections that will not be preempted by the federal statute; §§ 507, 524. New Jersey should enact legislation that would: (a) prohibit financial institutions from denying financial products or services to consumers who opt-out; (b) give consumers the right to examine personal information that has been made available to third parties; (c) give consumers the opportunity to dispute the accuracy of non-public personal information; (d) give consumers the right to prohibit subsequent disclosures by third parties; and (e) create a private right of action for privacy violations.
Fortunately, New Jersey provides a statutory scheme for protecting the privacy of individual health records. Generally, an insurance company may not disclose medical information about a person without that person's written authorization; NJSA 17:23A-13. However, there are numerous circumstances under which an insurance entity can disclose without authorization, and consumers' bargaining power with respect to giving consent is not particularly strong when they are applying for coverage. New Jersey does create a private right of action, with a fee-shifting provision, for statutory violations; NJSA 17:23A-20.
Incentives for Privacy Protection
There are good business reasons for protecting privacy. Health care researchers have found, for example, that privacy violations imperil their industry. One out of every six patients engages in some kind of privacy-protective behavior, to shield themselves from the misuse of their health information. These behaviors include lying to doctors, providing inaccurate information, doctor-hopping to avoid a consolidated medical record, paying out-of-pocket for care that is covered by insurance, and, in the worst cases, avoiding care altogether. This skews health data, distorting epidemiological and outcome studies, to everyone's detriment (see Promoting Health/Protecting Privacy: A Primer, California Healthcare Foundation and Consumers Union (January 1999), available at http://www.chcf.org/topics/view.cfm?itemID=12502).
What Can You Do?
Write to your bank, insurance company, and any other financial institution that sends you an annual privacy statement. Tell your bank that you want to “opt-out.” A sample letter appears below.
Then, tell your financial institutions that it is bad business to violate customer privacy. Tell them you want a list of all the disclosures they've made about you. Tell them you'll take your money elsewhere if they fail to protect your privacy.
Finally, tell your legislators that you want better laws on the books. The ACLU led the charge against the privacy problems in the Financial Services Modernization Act in 1999, and continues to press for greater privacy protections on the federal and state levels. When President Clinton signed the measure, he called on Congress to pass new legislation that would prevent privacy abuses. The financial services lobby is much more powerful than the community of privacy advocates, so our legislators need to hear from us.
Sample Opt-Out Letter
NAME & DATE
October 19, 2000
Name of Brokerage House
Re: Opt-Out Instructions
This is my “opt-out” request, instructing you and (name of brokerage house) to remove my name from your shared marketing lists. Please do not disclose information about me to any other companies.
Kindly let it be known at (name of brokerage house) that even though federal law permits financial institutions to share information about me with their “affiliates,” I consider it an invasion of privacy. Likewise, I consider the practice of disclosing my personal information to third parties an outrage. Please provide me with an accounting of the disclosures (name of brokerage house) has made about me in the last year, and see to it that no further disclosures are made without my affirmative consent.
I urge (name of brokerage house) to view privacy protection not as a restriction on commerce, but as good business, supporting innovation, confidentiality and trust.
Very truly yours,
Social Security Number
-By Grayson Barber, Esq., an ACLU-NJ Cooperating Attorney