PRIVACY LAW & FINANCIAL SERVICES
The Perfect Storm:
GLBA-HIPAA Convergence
Episode II
June 28, 2002
By Christopher C. Gallagher, Esq.
as published in Privacy and Information Law Report
Contents:
GLBA and HIPAA at the State Level
The Privacy Phenomenon
Privacy Fundamentalists
Direct Marketing Expansion
The Tragedy of the Commons
"Where the Light is Better"
State-Level Politics
North Dakota
Financial Services and Health Care Providers Must Act
"Meteorologists see perfection in strange things, and the meshing of three completely independent weather systems to form a hundred year event is one of them. My God...this is the perfect storm."(1)
Anyone who read Sebastian Junger's bestseller can never forget the feeling of terror waiting for three unrelated, horizontally orbiting energy systems to merge into a single convergence of immense destructive power that would destroy anything in its path, including the innocent and unaware.
More than two years ago, this paper's earliest iteration noted that the issuance of the Gramm-Leach-Bliley Act (GLBA) Title V Privacy Rule and the Department of Health & Human Services' proposed Privacy Standard under the Health Insurance Portability and Accountability Act (HIPAA) portended such an event. The pending federal directives were clearly inconsistent in a number of aspects, including the all-important "choice" mechanism. The outlook for those caught in the convergence, particularly health insurers, was grim. Entities with operations covered by these incompatible directives anticipated attack from all sides, especially from a determined band of state attorneys general basking in the "politics" of privacy.
As it turns out, the federal agencies got their act together. Even health insurers who are subject to both federal laws can now comply with each. Additionally, the National Association of Insurance Commissioners' (NAIC) Model Rule(2) dealing with GLBA insurance enforcement (now adopted in a majority of the states), which extends GLBA's financial directives into the area of personal health information, expressly addresses the issue of simultaneous compliance, providing exceptions to its GLBA requirements for compliance with HIPAA. (See Model Rule, Article V.) The first perfect storm was averted. Nevertheless, dark clouds still loom over providers of financial services and health care. State-level privacy activism, coupled with consumer annoyance with direct marketing, threatens to create another major energy system, only this time the swirling turbulence is vertical rather than horizontal, more like the funnels of 50 separate tornadoes, as the states begin their painful interaction with the new federal laws. This storm will not so easily be averted.
GLBA and HIPAA at the State Level
50 Separate Storms
The problem is easy to state but hard to solve. GLBA and HIPAA are each infused with the "federal floor" doctrine, establishing a "reverse preemption" phenomenon under which any more restrictive state measure still applies and thus must be part of an entity's privacy policy. Under both laws, any more restrictive state laws must be woven into the federal compliance in that state. To comply with federal law, therefore, one must identify these state directives, compare them with the federal requirements, then carefully fold them into the privacy program and notice procedure applicable in each state. Accordingly, HIPAA and GLBA are only abstractions. For purposes of compliance, the applicable federal privacy laws are GLBA and HIPAA, but only as modified by each state's applicable privacy law, and each state is unique.
The process of configuring a given state's application of HIPAA and GLBA is daunting. In the first place, it is not easy to find the "law" in every state. State privacy directives are scattered everywhere and vary by subject matter. In some cases they are buried deep in case law. Often, they are not based upon the fundamental privacy principles of Notice, Choice, Access and Security underlying GLBA and HIPAA. Some are conceptually tied to individual "property" rights. Others turn on the meaning of "privilege" or "confidentiality," or words like: "secure" and "private." These fundamental disparities with federal privacy directives thus require comparisons of "apples to oranges." Inevitably, subjective analysis produces varied results. If, for example, one were required by law to recognize personal information as one's property, would one then become a bailee? What are the terms of the bailment? Are these implications of ownership more or less restrictive than the rights and duties in HIPAA and GLBA? No one can be certain until the courts have acted. Compliance is required long before that.
Moreover, GLBA and HIPAA do not have matching "federal floors." HIPAA is totally preemptive, except for any "provision of state law [that] relates to the privacy of health information and is more stringent." (45 C.F.R. § 160.203(b) (2001)) "More stringent" is carefully defined at 45 C.F.R. § 160.202 (2001), but again, the process of actual comparison is necessarily subjective. GLBA's federal "floor," set forth at Sec. 507 (the so-called "Sarbanes Amendment"), is quite different from HIPAA's more traditional preemption approach. It is set forth in full below.
SEC. 507. RELATION TO STATE LAWS.
(a) IN GENERAL. This subtitle and the amendments made by this subtitle shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.
(b) GREATER PROTECTION UNDER STATE LAW. For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle and the amendments made by this subtitle, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.
Gramm-Leach-Bliley Act
Pub. L. No. 106-102, § 507, 113 Stat. 1338 (1999)
GLBA's enigmatic "greater protection" standard triggers even more "apple to orange" comparisons and, compared to HIPAA, GLBA offers little guidance. It is already clear, however, that there are circumstances where a state law would provide "greater protection" under GLBA, but may not be "more stringent" under HIPAA. For example, HIPAA's special treatment of certain information involving minors is not matched in GLBA, where the sharing of such information may provide "greater protection." (See 45 C.F.R. § 160.202 (2001), defining "More Stringent.") To be sure, the courts or the Congress will clarify this some day, but again, compliance is required now. Health insurers, contractually bound to HIPAA through providers, health plans and TPAs with similar ties, are subjected to GLBA enforcement through the NAIC Model Rule, a state law. For them, the comparison process promises to be even more complex. Regulators have promised to be understanding. Attorneys general and class action litigants may not.
State-by-state analysis comparing existing state law with the provisions of GLBA and HIPAA is an arduous process, but not impossible. The dangerous turbulence now looming is more legislation by the states. Despite the comprehensive sweep of the new federal privacy regulation, pro-privacy activists want even more restrictions, and they view the "federal floor" doctrine as an express invitation to enact them. The balances so carefully achieved in GLBA and HIPAA are already tipped toward being more restrictive by their interaction with more restrictive existing state law. Enacting more restrictive laws, in 50 different states, will further tip the balance towards "restrictive." (More laws will also increase today's counterproductive complexity.) Why add restrictions? Comprehending the forces at work here requires drilling deeper into the privacy dynamic.
The Privacy Phenomenon
Rapid and relentless technical evolution in processing and connectivity, at a rate that far exceeds the evolutionary progress of humans, has elevated privacy concerns among the general public. Numerous polls confirming these concerns are available on-line(3). Indeed, this growing conflict between technology's drive to individuate consumers and the feeling that, somewhere in the process, our personal "space" is being violated has no end in sight. Former comfort with a "balance" between control over our own projected persona and the information marketplace's "profile" of us is rapidly waning. The expanding power and scope of the Internet has exacerbated this new discomfort. Elected officials are paying attention. The resultant political phenomenon, referred to as "the privacy issue," is now a very powerful force. Financial services and health providers whose operations require the efficient use of personal information are in its path.
Privacy Fundamentalists
Professor Alan Westin of Columbia University has been tracking the public's privacy sensitivities for decades. He divides society into three groups and measures their concerns. Privacy "fundamentalists" are privacy "hawks" to whom personal privacy is a critical issue. For years this category hovered around the 25 percent area. Privacy "pragmatists" traditionally number a moderate majority of 55 percent, leaving the "unconcerned," or folks who don't seem to care, at around 20 percent. In 2000, however, when Westin focused on Internet users, the ranks of the fundamentalists swelled from 25 percent to 35 percent(4). He ascribed this expansion to the Internet itself. Two years later, Internet usage is even more widespread. Direct mail and telemarketing have expanded, while the proliferation of Internet spam, particularly pornography and sales scams, has become more offensive and has grown exponentially. Sleazy marketing intrusions do more than just add to the total number of the fundamentalists. They add righteous indignation to their ranks, considerably strengthening their political punch.
State politicians respond to the same electorate as their federal counterparts. They get no political credit for federal initiatives. Moreover, they are being told by fundamentalists that the federal laws do not go far enough, are "riddled with loopholes," and have been "delayed by lobbyists." Most state legislators lack the time or incentive to understand the complexities of the new federal laws. Driven by the fundamentalists, they "resolve" "the problem" by proposing sweeping privacy reforms that resemble the federal laws. Fundamentalists are still in the minority. Their numbers are growing, but they are being aided by another expanding energy system which is close enough to the privacy issue to create a combined majority. The new danger is unsolicited, annoying, direct telemarketing and junk e-mail, called "spam." Brightmail, Inc., a vendor of spam filtering software, compared such e-mails for the month of May of 2001 with May of 2002. In 2001, unwanted messages totaled 930,546. One year later for that month, the number had reached 4.7 million(5). Another brief drilldown explains why this expansion will continue indefinitely.
Direct Marketing Expansion
The 18 months predicted by Intel founder Gordon Moore as a repeating interval, during which the cost of processing will drop or remain flat while its power doubles (Moore's Law), has consistently been closer to 12 months. Accordingly, the costs of processing information continue to lessen. Metcalfe's Law, that by adding nodes to a network one increases rather than diminishes the value of each, leads to a rapidly expanding system of inexpensive communication with enormous "reach."(6) The Internet is a dramatic example of this powerful combination of processing and connectivity. To marketers, the Internet offers an invitation to inexpensive and random mass-marketing that looks personalized, feels targeted, and produces an economic return.
As the cost of communicating goes down, the return goes up. The varying sensitivities of beleaguered consumers are bombarded with unsolicited contacts that by themselves might not raise a universal ruckus, but in the aggregate are not acceptable. Expanding and incessant penetration of the barriers each person creates to protect one's personal "space" eventually angers everyone. It is this spreading indignation that the privacy fundamentalist minority will harness in order to enact laws reflecting their belief that GLBA and HIPAA did not go far enough. Sooner or later, maddened by the marketing onslaught, nearly everyone will cry, "There 'oughta' be a law!" The activists are waiting, ready to "improve" GLBA and HIPAA. When a few key states become more restrictive, federal law will follow.
The Tragedy of the Commons
Direct marketers are certainly aware of this dynamic. Why are they not more careful? The "Tragedy of the Commons," introduced by William Forster Lloyd's 19th century pastureland parable(7), is now a well-understood dynamic. It is explicated nicely in a 1968 paper by Garrett Hardin(8) quoted below.
The tragedy of the commons develops in this way. Picture a pasture open to all. It is to be expected that each herdsman will try to keep as many cattle as possible on the commons. Such an arrangement may work reasonably satisfactorily for centuries because tribal wars, poaching, and disease keep the numbers of both man and beast well below the carrying capacity of the land. Finally, however, comes the day of reckoning, that is, the day when the long-desired goal of social stability becomes a reality. At this point, the inherent logic of the commons remorselessly generates tragedy.
As a rational being, each herdsman seeks to maximize his gain. Explicitly or implicitly, more or less consciously, he asks, "What is the utility to me of adding one more animal to my herd?" This utility has one negative and one positive component.
1. The positive component is a function of the increment of one animal. Since the herdsman receives all the proceeds from the sale of the additional animal, the positive utility is nearly +1.
2. The negative component is a function of the additional overgrazing created by one more animal. Since, however, the effects of overgrazing are shared by all the herdsmen, the negative utility for any particular decision-making herdsman is only a fraction of -1.
Adding together the component partial utilities, the rational herdsman concludes that the only sensible course for him to pursue is to add another animal to his herd. And another...But this is the conclusion reached by each and every rational herdsman sharing a commons. Therein is the tragedy. Each man is locked into a system that compels him to increase his herd without limit-in a world that is limited. Ruin is the destination toward which all men rush, each pursuing his own best interest in a society that believes in the freedom of the commons. Freedom in a commons brings ruin to all.
This quaint fable depicting the inevitable unwillingness of individuals to restrain themselves when their personal gain outweighs their share of the overall harm to the system explains why direct marketing will continue to push until it pierces the thin line of tolerance in each of us separating annoyance from outrage. Because it is easier to demonize banks and insurance companies, and because of the high sensitivity of health information, privacy "fundamentalists" will use the frayed nerves of annoyed recipients of automated marketing to constrain the necessary development and use of personal information in health care and financial services. Unless there is a change in direction, a lot more privacy rules directed at providers of financial services and health care will be enacted at the state level.
Experience with GLBA shows that financial services are not the issue. GLBA has now run through its first procedural cycle. Significantly, only 5 percent of those who actually received their GLBA notice and opt-out took the trouble to opt out(9). Assuming again that Dr. Alan Westin's demographic analysis holds, it is safe to conclude that at least 30 percent of those who received GLBA opt-out notices were privacy fundamentalists. With only 5 percent responding, it follows that many, even "fundamentalists," didn't bother to do so. These numbers are telling. Pro-privacy activists may blame this massive failure to respond on financial institution gibberish and red tape, but the low number of opt-outs really proves that even those who express the most concern over privacy are not really concerned about the use of their personal information by financial services providers. Their concerns, therefore, lie elsewhere. What has folks riled up is the random but "personalized" annoyances of direct marketers. Their wrath is being aimed at tightening GLBA/HIPAA.
"Where the Light is Better"
An ancient Buddhist fable replicated in many other cultures tells the story of a Sufi searching for a lost coin. Pacing up and down in the bright sun, he was unable to find it. When asked when and where he lost it, he answered that he had earlier dropped it in a nearby cave. When asked why he was searching here in the sun and not there in the cave, he answered, "The light is better here."
This silly story's theme repeats itself throughout the ages. Whether it is the "nearest" sibling who is punished, the diversion of economic hardship to scapegoats, or the harnessing of discontent caused by "X" to attack "Y," political forces are often directed to "where the light is better." In this case, the annoyance with aggressive marketing is driving legislators to the now well-publicized, and thus well-lit, areas of financial services and health care privacy. Exponentially expanding "marketing" pressure is a public "itch" needing to be "scratched." The fundamentalist minority is about to be joined by the inevitable public backlash against aggressive and offensive unsolicited marketing.
State-Level Politics
Vocal minorities are "heard" politically. State legislators are not reelected by ignoring them. Fundamentalists, still in the minority, now have an opportunity to enact their own versions of GLBA and HIPAA. In states across the U.S., initiatives for privacy restrictions more stringent than the new federal laws have been proposed. Thus far, New Mexico and Vermont have acted to move the choice option from opt-out to opt-in. Most states, however, have determined to wait and see what happens when the federal laws take effect. In California, a state that drives 15 percent of our economy, the legislative conflict was closely watched. Each of California's most recent legislative sessions has featured a hard-fought battle, barely won by those who believe that for now compliance with the new federal laws is enough. But California's legislative session may not be California's only method to force state-level privacy revision. A more recent event may change the privacy picture, especially in California.
North Dakota
When GLBA became law, North Dakota had an opt-in choice mechanism for the disclosure of personal financial information. Its legislature then passed a measure which aligned the state's law with GLBA, moving its choice mechanism to opt-out. The change was viewed by activists as a "roll-back." In a referendum held on June 11, 2002, this very recent legislation was repealed by an almost 3-to-1 majority voting "No." The actual language on the ballot describes the opt-out disclosure process and states that a "yes" vote indicates agreement with the measure. The wording was somewhat flawed because, along with those who favored the old opt-in, a person opposed to any government involvement in the disclosure of information would also vote "No."(10) Nevertheless, this referendum was decisively passed and will be used to pave the way to more public referenda, even in California.
North Dakota's transfer of the privacy issue from the legislature to "the streets" also marks an intensification of a fundamentalist strategy of dealing with the issue in ways in which emotion can prevail over analysis. Public referenda fit this bill. During the referendum process in North Dakota, the banks were made the target of the public's wrath even though banks were not selling information to third parties. Mixing emotionalism and anti-bank populism is nothing new. The public is always ready to "blame the banks" anyway(11). But this further convergence of state activities, driven by privacy fundamentalists, coupled with public indignation about annoying direct "marketing" contacts, promises to increase the confusion and complexity of post-GLBA/HIPAA compliance with emotionally-driven state regulatory "pile-on."(12)
Financial Services and Health Care Providers Must Act
Personal information flow is critical to customer and patient services in financial services and health care. It can be cut off as effectively by the added costs of complexity and confusion as by outright prohibitions. More enactment of comprehensive and confusing state laws can only paralyze the system. Federal preemption over the state privacy patchwork could solve the providers' problem. (At this point, it is not likely to move in Congress.) But more important, federal preemption of GLBA and HIPAA does not address the public's problem. What is really stirring the privacy pot is the growing malignancy of unsolicited Internet marketing and telemarketing intrusions. Health care and financial services providers need to accept the reality that public indignation will continue to build until the "outrage" of random, "personalized" marketing is stopped. Providers must get legislators to pay more attention to what is really riling the public. Only then will the pressure for duplicative and more restrictive state-level HIPAA and GLBA activity safely subside.
The FTC is asking for a federal "do not call list."(13) The logic of a "do not call" or e-mail list is that it is focused on the individual, a defensible target, rather than the source, which cannot be identified before contact is made (and sometimes not even after). An anti-spam bill sponsored by Senator Conrad Burns (R-Montana) may move this year, but time is limited. Many states have laws that penalize false labeling. They should be strengthened. Unsolicited marketing is the appropriate area to focus limited legislative energy. Misdirected state laws targeting the flow of information in financial services and health care will harm financial services and health care providers. Entities covered by GLBA and/or HIPAA are not the problem. Adding more burden to these service providers is not the solution. Laws directed at unsolicited marketing make more sense. "Do not call list" efforts should be supported at the federal level and replicated where necessary at the state level. The exponential growth of unsolicited, and at times unsavory, marketing contacts must be stopped. There are difficult First Amendment issues to be addressed, but that difficulty is not a good reason to add to restrictions on providers of health and financial services where the "light is better."
Unless laws are passed to curb these expanding marketing excesses, state storm clouds will continue to darken the horizon of financial services and health care providers now thrust into the privacy spotlight by comprehensive, but "federally floored," federal legislation. Whether or not the public's irritation is solved by their efforts, privacy fundamentalists and a public, annoyed by aggressive and offensive marketing intrusions, are ready to merge. They will strike the easy target, the world of financial services and health care, newly illuminated by GLBA and HIPAA, where the "light is bright." This looming convergence in states across the country is the new Perfect Storm.
Notes:
1. Sebastian Junger, The Perfect Storm (New York: W.W. Norton & Company, Inc., 1997), p. 150.
2. "Privacy of Consumer Financial and Health Information Model Regulation" (NAIC model # 672)
3. Opinion Surveys
4. John Buskin, "Choice and Trust," The Wall Street Journal, April 17, 2000
5. Mylene Mangalindan, "Multiplying Spam Spurs New Legislative Efforts," The Wall Street Journal, June 19, 2002
6. Benjamin Lipman, "The End of Privacy," Forbes, 6/15/98
7. W.F. Lloyd, Two Lectures on the Checks to Population (Oxford University Press, Oxford, England, 1833)
8. Garrett Hardin, "The Tragedy of the Commons," Science, 162 (1968): 1243-1248
9. Russell Gold, "Latest Privacy Mailings Are Hard to Decipher," The Wall Street Journal, May 30, 2002
10. Referred Measure No. 2 (Senate Bill No. 2191, 2001 North Dakota Session Laws, Ch. 97)
"Senate Bill No. 2191, approved by the 2001 Legislative Assembly, became law on July 1, 2001. The law pertains to the disclosure of customer information by financial institutions, including banks and credit unions, and notification of privacy policies by financial institutions. The law changes the definitions of a "customer" of a financial institution and "customer information" to be similar to that provided in federal law. It permits financial institutions to disclose nonpublic personal information to third parties unless the customer does not agree to the disclosure and so notifies the financial institution, a process described as "opting out." The law also requires financial institutions to notify their agricultural and commercial customers about the financial institution's privacy policies and to notify those customers annually of their right to "opt out" of having their nonpublic information disclosed.
A 'YES' vote means you agree with the provisions of Senate Bill No. 2191, as summarized above, and agree to uphold the measure.
A 'NO' vote means you disagree with the provisions of Senate Bill 2191, as summarized above, and agree to repeal the measure."
11. Anti-bank populism moves from rampant to remissive throughout our history. In a down economy, it may be summoned again to add to the push to pass state legislation.
12. Another loose cannon on the deck of the GLBA/HIPAA state legislation is warranted public concern with "identity" theft. Largely the product of direct, physical intrusions through the theft of mail or "dumpster diving," its growth in the public consciousness is beginning to merge with those other concerns, adding more force to the activists' movement toward more restrictive state-level GLBA/HIPAA.
13. http://www.ftc.gov/opa/2002/01/donotcall.htm