Did Vermont's banking commissioner have authority to issue rules requiring opt-in consent before banks, insurers, and securities firms shared customer financial or health information, and could she go beyond Gramm-Leach-Bliley's federal opt-out floor?

Plain-English summary

After the federal Gramm-Leach-Bliley Financial Modernization Act let banks, insurers, and securities firms expand into one another's businesses, Vermont's Department of Banking, Insurance, Securities and Health Care Administration (BISHCA) proposed three parallel rules requiring opt-in consent before customer financial or health information could be shared with third parties. The Legislative Committee on Administrative Rules asked the AG whether the commissioner had authority to do this, and how the rules squared with GLB.

Assistant Attorney General Bridget Asay (with Deputy AG Wallace Malley signing approval) said yes. Three points anchored the analysis.

First, 8 V.S.A. § 10 directed the commissioner to "supervise" financial services organizations and to provide consumer protection. Section 15(a) gave general rulemaking authority "as shall be authorized by or necessary to" administering and carrying out the banking and insurance laws. Vermont's Supreme Court had upheld similar broad rulemaking authority where the legislature provided a guiding standard, citing Rogers v. Watson. The "nexus test" from Vermont Ass'n of Realtors was satisfied because the rules connected directly to consumer protection and to ensuring orderly competition among newly converging financial sectors.

Second, the banking rule had additional grounding in 8 V.S.A. §§ 10201-10205 (the Vermont banking privacy law) and 8 V.S.A. § 10204(23) (commissioner's authority to identify additional permissible disclosures). The insurance rule drew from Title 8's many specific rulemaking grants for insurers, HMOs, captives, and consumer disclosures. The securities rule drew on 9 V.S.A. § 4237's general grant.

Third, the GLB question. GLB § 507 expressly preserved state laws that provided greater consumer privacy protection. So Vermont could go beyond GLB's federal opt-out floor and require opt-in. The "nondiscrimination" clause in GLB § 104, which prevents state laws that discriminate against banks in the regulation of insurance sales, did not reach privacy rules, because privacy regulates information practices rather than financial activities. Even commenters' argument that the rule discriminated against banks (because some federally regulated financial firms were beyond the commissioner's reach) failed: reading § 104 to require complete uniformity would gut state privacy regulation entirely, which § 507 cannot have intended.

Currency note

This opinion was issued in 2001. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.

Vermont restructured BISHCA in 2012 into the Department of Financial Regulation, and federal financial privacy law has continued to evolve through Dodd-Frank, CFPB rulemaking, and several rounds of GLB Privacy Rule amendments. The basic framework that GLB § 507 preserves more-protective state law remains in place, but specific rule citations and agency labels in this opinion no longer match the current Vermont structure.

Historical summary

For state regulators (at the time): The opinion was a green light for opt-in privacy rules. The commissioner relied on it to finalize the BISHCA banking, insurance, and securities rules.

For preemption researchers: This is one of the early state AG opinions reading GLB § 507's savings clause and § 104's nondiscrimination clause together. The conclusion that privacy rules are not "financial activities" within § 104 has had a long shelf life across other state opinions.

For administrative law researchers: The opinion is a workmanlike application of Vermont's rulemaking-authority framework: enabling statute, basic standard, nexus test, and specific statutory hooks. Rogers v. Watson and Vermont Ass'n of Realtors are the controlling Vermont cases on each prong.

Common questions

Did the opinion address whether opt-in versus opt-out was sound consumer policy?
No. The opinion addressed only the commissioner's authority to issue the rules, not whether the policy choice was wise.

Did the opinion preempt federal law in any way?
No. The analysis ran the other direction: GLB's express savings clause permitted Vermont to go further than the federal floor.

Were these rules ever challenged in court?
The opinion does not record any. The opinion was an internal review for LCAR's nonbinding objection power under 3 V.S.A. § 842(b)(1).

Citations and references

Statutes:
- 8 V.S.A. § 10 (commissioner's supervisory and consumer protection mandates)
- 8 V.S.A. § 15(a) (general rulemaking authority)
- 8 V.S.A. §§ 10201-10205 (banking privacy law); § 10204(23) (additional permissible disclosures)
- 8 V.S.A. §§ 2066, 2214 (credit unions, licensed lenders rulemaking)
- 8 V.S.A. § 4902 (insurance consumer disclosures); §§ 3541 et seq., 3829, 4062, 4108, 4201, 4480, 4515a, 4587, 4690, ch. 129, 5104, 8005 (form approval)
- 8 V.S.A. §§ 3688, 3858, 4113, 4464, 4481, 4812, 4902, 4990, 5111, 6015, 8014, 8053 (segment-specific rulemaking)
- 9 V.S.A. § 4201 et seq. (Vermont Securities Act); § 4237 (general securities rulemaking)
- 3 V.S.A. § 842(b)(1) (LCAR objection authority)
- 15 U.S.C. § 6701 (GLB § 104, nondiscrimination)
- 15 U.S.C. § 6807 (GLB § 507, savings clause for more-protective state laws)

Cases:
- Rogers v. Watson, 156 Vt. 483 (1991) (general rulemaking authority sustained where legislature provides a basic standard)
- Vermont Ass'n of Realtors, Inc. v. State, 156 Vt. 525 (1991) (nexus test for agency rules)
- In re Club 107, 152 Vt. 320 (1989) (nexus principle, cited via Vermont Ass'n of Realtors)

Source

• Landing page: https://ago.vermont.gov/about-attorney-generals-office/attorney-general-opinions
• Original PDF: https://ago.vermont.gov/sites/ago/files/2025-11/FO%202001-3.pdf

Original opinion text

October 17, 2001
Senator Ann Cummings
Chair
Legislative Committee on Administrative Rules
Statehouse
Montpelier, Vermont
Opinion No. 2001-3
Re:

BISHCA Proposed Rules B-2001-01, IH-2001-O1, S-2001-01
Privacy of Consumer Financial and Health Information

Dear Senator Cummings:
At the October 3, 2001 meeting of the Legislative Committee on Administrative
Rules, the Committee considered three final proposed rules from the Department of
Banking, Insurance, Securities and Health Care Administration.
The proposed rules relate to the privacy of consumer financial and health information, in
the banking, insurance, and securities industries respectively. After hearing testimony on
the proposed rules, the Committee asked the Attorney General to provide an opinion
regarding the Commissioner's authority to promulgate the rules. See 3 V.S.A. § 842(b)(1)
(committee may object to proposed rule if it is "beyond the authority of the agency"). The
Committee also raised questions regarding the relationship between the proposed rules and
the privacy title of the federal Gramm-Leach-Bliley Financial Modernization Act ("GLB").
This opinion letter will, first, set forth the Commissioner's general rulemaking
authority; second, address the Commissioner's authority to promulgate each of the three
proposed rules; and third, discuss the relationship between the proposed rules and GLB.
As the following discussion makes clear, it is our opinion that the Commissioner
possesses the statutory authority to promulgate these rules.

I. The Commissioner's General Rulemaking Authority
By statute, the Commissioner is charged with supervising "the business of
organizations that offer financial services and products." 8 V.S.A. § 10. The Legislature
has provided the Commissioner with specific guidance for this task. She must, first,
"assure the solvency, liquidity, stability, and efficiency of all such organizations, [and]
assure reasonable and orderly competition, thereby encouraging the development,
expansion and availability of financial services and products advantageous to the public
welfare." Id. § 10(1). The Commissioner must also supervise financial services
organizations "in such a way as to protect consumers against unfair and
unconscionable practices and to provide consumer education." Id. § 10(2).

The Legislature has granted the Commissioner extensive rulemaking authority to
carry out her task. In addition to specific statutory grants of authority, the
Commissioner has general authority to "adopt rules and issue orders as shall be
authorized by or necessary to the administration of ... and to carry out the purposes of
the banking and insurance laws. 8 V.S.A. § 15(a). The Vermont Supreme Court has
approved this type of general rulemaking authority where the Legislature has provided a
"basic standard" for the administrative agency to follow. See Rogers v. Watson, 156
Vt. 483, 493 (1991) (noting that statute giving Board of Health rulemaking authority in
"all matters relating to the preservation of the public health" provided a sufficient
standard to guide the agency's actions). Here, the standards provided by the Legislature
(as quoted above) are similarly sufficient to guide the Commissioner's actions.

The Vermont Supreme Court has provided some additional guidance for
evaluating exercises of rulemaking by an administrative agency. Generally, "'an agency's
regulations must be reasonably related to its enabling legislation in order to withstand
judicial scrutiny.'" Vermont Ass'n of Realtors, Inc. v. State, 156 Vt. 525, 530 (1991)
(quoting In re Club 107, 152 Vt. 320, 323 (1989)). "There must be some nexus between
the agency regulation, the activity it seeks to regulate, and the scope of the agency's
grant of authority." Id. Again, the Legislature's directives in 8 V.S.A. § 10, together with
other specific provisions of Title 8, provide a clear standard for evaluating whether there
is a nexus between the proposed rules and the Commissioner's grant of authority.

Thus, the proposed rules are an appropriate exercise of the Commissioner's
general rulemaking authority if (1) they are "authorized by or necessary to" the
administration of the banking and insurance statutes, or "carry out the purposes of
those statutes and (2) there is a nexus between the proposed rules and the activities
they regulate and the scope of the Commissioner's grant of authority. (Elements of the
proposed rules may also be authorized by other, more specific statutory grants

therefore provides a basis for promulgating regulations under the banking privacy law.

In addition to falling within the Commissioner's statutory grant of authority, the
proposed rule also meets the Vermont Supreme Court's "nexus" test. The rule furthers the
legislative directive to protect the privacy of information held by banking institutions by
requiring accurate notices to consumers, and by further elucidating the rules for
disclosures of consumer information to third parties. The Commissioner is charged with
supervising financial services organizations in a manner that provides for consumer
protection and consumer education and is specifically charged with the enforcement of the
banking privacy law. This is more than sufficient to establish a nexus between the
proposed rule and the scope of the Commissioner's authority.

Finally, there are several other bases for the Commissioner's authority which do not
appear to be relevant to the Committee's concerns. Sections 2066 and 2214 of Title 8
repeat the Commissioner's general rulemaking authority with respect to credit unions and
licensed lenders, respectively. In addition, the Commissioner added some exceptions to the
general prohibition on disclosure of financial information as permitted by 8 V.S.A. §
10204(23).

Proposed Rule I-H-2001-04 (Insurance Industry)
This proposed rule extends to the insurance industry basically the same disclosure
and "opt-in" requirements that the proposed banking rule imposes on financial
institutions. For purposes of this opinion, the primary distinction is that Vermont's
banking privacy law, 8 V.S.A. §§ 10201-10205; does not apply to insurers. Nonetheless, it
is the opinion of the Attorney General that the Commissioner has authority under §§ 10
and 15 of Title 8 (as well as other specific grants of authority in Title 8) to promulgate this
rule for the insurance industry.
The proposed rule is necessary to and carries out the purposes of two of the
Legislature's principal directives to the Commissioner: (1) to provide for consumer
protection and education, and (2) to assure reasonable and orderly competition in
the financial services market. 8 V.S.A. § 10. First, as discussed at greater length above and
in the Commissioner's filings, the proposed rule protects consumer privacy and provides
for consumers to be informed of their privacy rights. It does so in a way that is consistent
with the Legislature's intent (for an opt-in system) in the banking privacy law. This type of
consumer protection measure falls within the scope of the Commissioner's authority
under § 10.
Second, the proposed rule also serves the Commissioner's statutory goal of
assuring reasonable and orderly competition in the financial services market. As a result
of the changes wrought by the federal GLB, banks and insurers, as well as

other financial services organizations, may now engage in direct competition. In the
absence of the proposed rule, insurers in Vermont might gain an unfair advantage (at the
expense of consumer privacy) over financial institutions that are covered by the banking
privacy law. The Commissioner has the authority to promulgate this rule to assure, to the
extent possible, a level playing field in Vermont.
As with the proposed banking rule, the proposed insurance rule meets the
Vermont Supreme Court's "nexus" test. The rule both protects consumer privacy and
provides for "reasonable and orderly competition" among financial services
organizations by applying the same requirements to banks and insurers. This provides the
required nexus between the proposed rule and the scope of the Commissioner's authority.
In addition to §§ 10 and 15 of Title 8, the Commissioner relies upon several other
specific grants of rulemaking authority for different aspects of the proposed rule. Several
of these sections merely repeat the Commissioner's general rulemaking authority with
respect to certain segments of the insurance industry, such as HMOs and captive
insurance companies, and do not require separate analysis. See 8 V.S.A. §§ 3688, 3858,
4113, 4464, 4481, 4812, 4902, 4990, 5111, 6015, 8014, 8053. The Attorney General
agrees with the Commissioner that her authority to regulate and approve forms, and to
formulate consumer disclosures, provides an additional basis for the portion of the
proposed rule dealing with written disclosures to consumers. See 8 V.S.A. § 4902
(consumer disclosures), id. §§ 3541 et. seq., 3829, 4062, 4108, 4201, 4480, 4515a, 4587,
4690, ch. 129, 5104, and 8005 (approval of forms).
Proposed Rule S-2001-01 (Securities Industry)

This proposed rule extends the consumer privacy protections to the brokerdealers
and investment advisers who are regulated by the Department. The Commissioner has
authority to regulate certain aspects of the securities industry under the Securities Act, 9
V.S.A. § 4201 et seq. This chapter includes a grant of authority "to make general rules
and regulations ... to carry this chapter into full force and effect." Id. § 4237. In addition,
the Legislature's general directives to the Commissioner in 8 V.S.A. § 10 apply to her
supervision of the securities industry, as broker-dealers and investment advisers are
"financial services organizations."
The proposed rule for the securities industry is an appropriate exercise of the
Commissioner's authority for largely the same reasons that the proposed rule for the
insurance industry is appropriate. Again, the proposed rule is necessary to and carries out
the purposes of consumer protection and education, because it prohibits unauthorized
disclosures of consumer information and requires that consumers be advised of their
rights. The proposed rule also assures reasonable and orderly competition by establishing
uniform rules for all regulated industries. And the

proposed rule has the required nexus with the scope of the Commissioner's authority to
regulate the securities industry.
III. The Proposed Rules and Gramm-Leach-Bliley
As the Committee raised some concerns about the relationship between the
proposed rules and the Gramm-Leach-Bliley Act, this opinion will discuss several
aspects of GLB.
First, although Congress did not, and cannot, give the Commissioner state
rulemaking authority, the passage of GLB inevitably affected the Commissioner's
obligations under Vermont law. For example, by requiring certain disclosures that
would be inconsistent with Vermont law, GLB required the Commissioner to take
action to protect Vermont's privacy law with respect to banking institutions. Moreover,
by changing the overall rules for competition among financial services organizations,
GLB also prompted the Commissioner to promulgate uniform privacy rules for all the
state-regulated industries, to assure reasonable and orderly competition in Vermont.
Second, with respect to determining the Commissioner's rulemaking authority
under Vermont law, it is irrelevant that the proposed rules provide more protection for
consumer privacy than the minimum standards of GLB. GLB explicitly provides that
state laws that provide more protection are not preempted by the federal law. Thus, the
Commissioner had no obligation to promulgate rules following the "opt-out" standard of
GLB. Indeed, to the extent that it has spoken on privacy issues, the Legislature has
explicitly provided that Vermont consumers should have the greater protection of the
"opt-in" standard.
Third, the proposed rules do not violate the so-called "nondiscrimination"
provisions of GLB § 104 (codified at 15 U.S.C. § 6701). GLB § 104 prohibits state laws
that discriminate against banks in the regulation of sales of insurance and other noninsurance financial activities. Some commenters on the proposed banking rule suggested
that the rule would discriminate against banks because it would not apply to every
financial services provider. The Commissioner, however, is powerless to promulgate a
rule that covers every financial services provider, because some providers are regulated
only by federal law. To interpret § 104 to bar any state privacy regulation that does not
cover all financial services providers would effectively eliminate states' ability (either
by statute or rule) to protect consumer privacy. As noted above, the privacy title of
GLB, in § 507 (codified at 15 U.S.C. § 6807), specifically preserves state laws and
regulations that provide greater protection for consumer privacy than GLB.
The Attorney General believes that the most reasonable interpretation of GLB is
that the nondiscrimination provisions of § 104 do not apply to state privacy

laws and regulations, because such laws and regulations do not regulate "financial
activities" but information sharing practices. On the other hand, interpreting § 104 to
eliminate states' ability to enact privacy regulations is not reasonable, because it is
contrary to the explicit provisions of § 507.
Conclusion
After reviewing the proposed rules, the relevant statutes, and judicial precedent,
it is the opinion of the Attorney General that the Commissioner has authority under
Vermont law to promulgate these rules.
Sincerely,

Bridget C. Asay
Assistant Attorney General
Approved:
J. Wallace Malley, Jr.
Deputy Attorney General