What Is GLBA Permissible Purpose? (Plain English for Plaintiff Attorneys)
Insurance policy discovery sits at the intersection of three federal statutes: the Gramm-Leach-Bliley Act (GLBA), the Driver's Privacy Protection Act (DPPA), and the Fair Credit Reporting Act (FCRA). Each has rules about when consumer financial information can be accessed and disclosed — and each has carve-outs that make plaintiff litigation possible. Here is what each statute actually requires, in plain English, for plaintiff attorneys commissioning policy searches.
GLBA: the financial-information statute.
GLBA §6802 prohibits financial institutions (banks, carriers, lenders) from disclosing nonpublic personal information to non-affiliated third parties. But §6802(e) carves out exceptions — including disclosures necessary to effect, administer, or enforce a transaction; to protect against fraud; to authorized recipients; and, critically for plaintiff litigation, in connection with an actual or threatened legal proceeding. Every policy search file run by a compliant firm documents the §6802(e) basis applicable to that search.
DPPA: the DMV-records statute.
18 U.S.C. §2721 governs disclosure of motor vehicle records held by state DMVs. The default is restriction — DMVs may not disclose personal information from a motor vehicle record. But §2721(b) lists 14 permissible uses, including §2721(b)(1) (government function), §2721(b)(4) (use in connection with a court proceeding, including in anticipation of litigation), and §2721(b)(5) (use by a licensed investigator in connection with a permissible use). A licensed PI firm operating on a plaintiff matter typically logs the search under §2721(b)(4) — anticipation of litigation — and that basis is what the investigator can testify to.
FCRA: the consumer-report statute.
FCRA governs consumer reports — credit reports, employment screening, insurance underwriting reports. Most policy-search work does not implicate FCRA because we are not pulling consumer reports; we are locating coverage that already exists. The exception is when a search drifts into FCRA-defined consumer-report territory (for example, requesting a CLUE report, which is a consumer report under FCRA). A compliant firm flags FCRA exposure before the search and routes around it.
Why permissible-purpose discipline matters at deposition.
When opposing counsel deposes you on the source of an insurance disclosure, the only correct answer is one that documents the permissible-purpose basis. "The investigator told me" is not enough. The chain of custody runs: licensed investigator → documented permissible purpose → state-required logging of the records touched → admissible source attribution. If any link is missing, the entire disclosure is open to suppression. This is why "I bought a $39 background-check report" is risky — the report may have been generated without proper permissible-purpose documentation, leaving you holding the bag.
What plaintiff attorneys should require from any search firm.
Ask three questions. (1) "Are you licensed in your operating state, and can you provide your license number?" — anything other than yes is disqualifying for litigation use. (2) "Will you document the permissible-purpose basis on this search?" — anything other than yes means you cannot defend the disclosure. (3) "Will your investigator testify to the search if challenged?" — anything other than yes means you do not have a defensible record. A firm that says yes to all three is operating like a licensed investigator. A firm that says no to any of them is operating like a data broker — useful for some things, not for litigation.
Commission a search that holds up at deposition.
Operated by Miami Private Investigations · FDACS A1800135. Standard turnaround 4–72 hrs.