INSURANCE DEPARTMENT
[31 PA. CODE CH. 146c]
Standards for Safeguarding Customer Information
[33 Pa.B. 4917]
The Insurance Department (Department) proposes to add Chapter 146c (relating to standards for safeguarding customer information) to read as set forth in Annex A. The proposed rulemaking is made under the general rulemaking authority of sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P. S. §§ 66, 186, 411 and 412) and under the guidance of section 648 of the Insurance Department Act of 1921 (40 P. S. § 288). Likewise, this proposed rulemaking is made under the Department's rulemaking authority under the Unfair Insurance Practices Act (UIPA) (40 P. S. §§ 1171.1--1171.15) (the authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977)), because the Insurance Commissioner (Commissioner) has determined that the improper disclosure or marketing, or both, of nonpublic personal financial and health information by members of the insurance industry constitutes an unfair method of competition and an unfair or deceptive act or practice.
Purpose
The purpose of this proposed rulemaking is to add Chapter 146c to implement the remaining privacy requirements for nonpublic financial and health information in Title V of the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.A. §§ 6801--6827) following the Department's implementation of Chapters 146a and 146b (relating to privacy of consumer financial information; and privacy of consumer health information).
Title V of the GLBA requires various state and Federal regulators of the financial services industries to promulgate regulations for their respective regulated communities. For example, state insurance authorities are required by Title V of the GLBA to establish appropriate consumer privacy standards for various entities in the insurance industry. The failure of a state to adopt privacy regulations will result in the state's inability to override the Federal insurance consumer protection regulations that were issued by the Federal banking agencies in final-form on December 4, 2000, under section 305 of the GLBA (12 U.S.C.A. § 1831x). See 65 FR 233, 75821 (to be codified at 12 CFR Parts 14, 208, 343 and 536). These regulations became effective on April 1, 2001, and they pertain generally to the sale of insurance by financial institutions and specifically to matters such as referral fees, separation of banking and insurance sales areas and disclosures regarding the nature of insurance products that are sold by banks.
The Department has already adopted Chapters 146a and 146b, which were based upon the National Association of Insurance Commissioners Model Privacy of Consumer Financial and Health Information Regulation (NAIC Model). With regard to health information, the NAIC Model generally requires that licensees of the Department obtain an authorization from a consumer prior to disclosing nonpublic personal health information unless the disclosure is specifically excluded from the requirements of the regulation. With regard to financial information, the NAIC Model requires that licensees provide consumers with notice and an opportunity to ''opt out'' of disclosures of their nonpublic personal financial information prior to making disclosures. The purpose of this proposed rulemaking is to implement the remaining requirements of Title V of the GLBA regarding the internal safeguarding of customer information maintained by a licensee. Accordingly, this proposed rulemaking is based upon the NAIC Standards for Safeguarding Customer Information Model Regulation.
Explanation of Regulatory Changes and Preproposed Comments and Responses
On November 9, 2002, the Department published at 32 Pa.B. 5595 (November 9, 2002) an Advance Notice of Proposed Rulemaking for its Standards for Safeguarding Customer Information Regulation (privacy standards regulation), soliciting comments from the insurance industry. The Department received comments from the following industry members and trade associations: the American Insurance Association (AIA); the Alliance of American Insurers (AAI); Independence Blue Cross (IBC); Capital Blue Cross (CBC); the American Council of Life Insurers (ACLI); the Insurance Federation of Pennsylvania (IFP); and Highmark, Inc. (Highmark). The following is a summary of those comments and the Department's responses.
Section 146c.1 (relating to purpose) explains that the purpose is to establish standards to guide licensees of the Department in the development and implementation of administrative, technical and physical safeguards that protect the security, confidentiality and integrity of customer information and protect against any anticipated threats or hazards to the security or integrity of customer records. The standards also are intended to protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer.
Section 146c.1(3) states that one of the purposes of the privacy standards regulation is to protect against any anticipated threats or hazards to the security or integrity of customer records maintained by licensees. Highmark believes that the standard in this section is unattainable because it would be impossible for a licensee to protect against any anticipated threats or hazards to the security or integrity of customer information. Accordingly, Highmark recommends that the word ''reasonably'' be inserted after the word ''any'' in paragraph (3) to make the standard more objective and attainable. The Department has adopted Highmark's recommendations in its proposed rulemaking.
Section 146c.2 (relating to definitions) defines the terms that are relevant to this chapter.
AAI and AIA commented that the definition of ''customer'' in the proposed rulemaking is overly broad because it encompasses both ''consumers'' and ''customers'' as defined in the health and financial privacy regulations. AAI asserted that this requirement goes beyond the requirements of the GLBA and, therefore, the Department lacks statutory authority to extend the scope of the proposed rulemaking. See section 501(b) of the GLBA (15 U.S.C.A. § 6801(b)). The Department respectfully disagrees with the comments from AAI and AIA because the Department does not rely on the GLBA for its statutory authority for the promulgation of this proposed rulemaking. Instead, the Department relies upon its implied rulemaking authority granted by the UIPA. See PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977). Furthermore, the GLBA merely establishes a floor for the regulation of insurance privacy and the law explicitly states that insurance regulators are permitted to be more protective of insurance information privacy. Accordingly, the comments made by AAI and AIA pertaining to the definition of ''customer'' in the privacy standards regulation are misplaced, and no modifications have been made to the definition in this proposed rulemaking.
Section 146c.3 (relating to information security program) requires licensees to implement a comprehensive written information security program appropriate to the size and complexity of the licensee and the nature and scope of its activities. The information security program must include administrative, technical and physical safeguards for the protection of customer information.
Section 146c.4 (relating to objectives of information security program) explains that a licensee's information security program should be designed to do the following: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of the information; and (3) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
Section 146c.4 of the privacy standards regulation identifies the objectives of the information security programs required by the regulation, one of which is to ensure the security and confidentiality of customer information. Highmark commented that the use of the word ''ensure'' in paragraph (1) imposes an unreasonable standard upon licensees because the term means to ''promise, guarantee or pledge.'' Accordingly, Highmark recommends that the word ''safeguard'' be used instead of the word ''ensure.'' The Department agrees with this comment and has made the appropriate change in the proposed rulemaking.
Another objective of an information security program is identified in § 146c.4(2), which states that an information security program must be designed to protect against any anticipated threats or hazards to the security or integrity of customer information. As in its comment pertaining to § 146c.1, Highmark believes that the standard in this section is unattainable because it would be impossible for a licensee to protect against any anticipated threats or hazards. Therefore, Highmark recommends that the word ''reasonably'' be inserted after the word ''any'' in paragraph (2) to make the standard more objective and attainable. The Department is in agreement with the comment provided by Highmark and has modified its proposed rulemaking to incorporate Highmark's suggestion.
Section 146c.5 (relating to examples of methods of development and implementation) explains that the actions and procedures found in §§ 146c.6--146c.9 are examples of methods of implementing the requirements of §§ 146c.3 and 146c.4 and are not the exclusive methods by which licensees may comply with this chapter.
This provision of the privacy standards regulation states that the examples in §§ 146c.6--146c.9 of actions and procedures that comply with the information security program requirements are merely nonexclusive illustrations that licensees may follow when implementing an information security program. In its comments, AIA requested that § 146c.5 (as well as §§ 146c.6--146c.9) be deleted because it believes that the examples create the appearance of a standard that all companies must follow and that this perception might result in additional litigation against licensees. The Department has not adopted the recommendation of AIA because the compliance examples provide invaluable guidance to licensees as they develop and implement information security programs to protect the security and integrity of customer information. Furthermore, the prefatory language in § 146c.5 makes it abundantly clear that the examples in the regulation are nonexclusive and are for illustrative purposes only.
Section 146c.6 (relating to assess risk) provides examples where the licensee identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems. This section also provides examples relating to how a licensee may assess the likelihood and potential damage of these threats and assess the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.
Section 146c.7 (relating to manage and control risk) provides examples of how a licensee may comply with this chapter by designing its information security program to: (1) control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities; (2) train staff, as appropriate, to implement the licensee's information security program; and (3) regularly test or otherwise regularly monitor the key controls, systems and procedures of the information security program.
Section 146c.8 (relating to oversee service provider arrangements) provides examples of how a licensee may comply with this chapter by exercising appropriate due diligence in selecting its service providers, requiring its service providers to implement appropriate measures designed to meet the objectives of this proposed rulemaking and by taking appropriate steps to confirm that its service providers have satisfied these obligations.
Several comments focused on the compliance example in § 146c.8, which addresses how a licensee may comply with the regulation by including certain safeguards when a third party service provider receives or maintains customer information on behalf of a licensee. The comments are also directed towards a provision in the Department's health privacy regulation stating that licensees may be held liable for illegal disclosures of health information by their third party service providers. See § 146b.11(d) (relating to authorization required for disclosure of nonpublic personal health information). Several commentators, including ACLI and IFP, recommended that the proposed rulemaking incorporate the standards found in the final Federal data security regulation issued by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (Pub. L. No. 104-191, 110 Stat. 1836) (HIPAA). That security regulation was adopted in final form on February 20, 2003.
Based upon the concerns presented by the industry, the Department has adopted a standard that is similar to that found in the HIPAA security regulation. The additional language has been placed in § 146c.10(b) (relating to determined violation) rather than in § 146c.8. The Department believes that this additional provision satisfies the concerns of the commentators while remaining consistent with the principles of the UIPA, in that it requires a pattern or practice and it utilizes the ''knew or reasonably should have known'' standard.
Section 146c.9 (relating to adjust the program) provides examples of compliance with this chapter when the licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.
Section 146c.10 (relating to determined violation) provides that violations of this chapter are deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to any applicable penalties or remedies contained in the UIPA.
Section 146c.10 provides that a violation of the privacy standards regulation is deemed and defined to be an ''unfair method of competition'' and an ''unfair or deceptive act or practice'' subject to the penalties and remedies of the UIPA. This language is taken verbatim from the Department's previous financial and health privacy regulations. See §§ 146a.43 and 146b.23 (both relating to violation). Highmark suggested that a licensee should be held liable only when it ''knew or should have known'' that its actions were in violation of the regulation. AAI is concerned that creating new unfair insurance practices encourages private litigation and the resulting expenses would be burdensome. AIA recommended a clarification that violations of only § 146c.3 or § 146c.4 will result in a violation of the regulation since the remaining sections are definitions and examples for compliance.
The Department has not adopted Highmark's proposed modification because § 146c.10 is taken verbatim from the financial and health privacy regulations, and a substantive modification to the violation provision in this proposed rulemaking might implicate the language in the Department's two prior privacy regulations. Likewise, the Department disagrees with AAI's comment because there is no private cause of action for violations of the UIPA. See Smith v. Nationwide Mut. Fire Ins. Co., 935 F. Supp. 616 (W.D. Pa. 1996); D'Ambrosio v. Penn. Nat. Mut. Cas. Ins. Co., 431 A.2d 966 (Pa. 1981).
However, the recommendation of AIA might provide additional clarity to the proposed rulemaking and further reinforce that the examples in §§ 146c.5--146c.9 are only illustrative examples of compliant actions and procedures that licensees may utilize in the development and implementation of an information security program. Accordingly, the Department has amended its proposed rulemaking to adopt the suggestion provided by AIA.
Section 146c.11 (relating to effective date) gives the parameters as to when this chapter will become effective.
Highmark, IBC and CBC suggested that the effective date of the proposed rulemaking should mirror that of HIPAA--April 20, 2005, for large health plans and April 20, 2006, for small health plans. See 45 CFR 164.318(a) (relating to compliance dates for the initial implementation). AAI suggests that insurers need at least 6 months to comply with the proposed rulemaking, so the effective date should be extended in the proposed rulemaking.
The Department has not mirrored the compliance date for HIPAA in this proposed rulemaking because compliance with HIPAA will not be enforced for more than 2 years. However, because implementation of the information security programs by the licensees will likely take some time, the Department has extended the compliance date for this proposed rulemaking to 6 months after the promulgation of the final-form rulemaking.
Compliance with HIPAA
Because HIPAA includes requirements similar to those in the Department's privacy standards regulation, several commentators requested that licensees be able to comply only with HIPAA and be deemed compliant with the Department's regulation. Specifically, Highmark and CBC would like the Department to include a deemer provision similar to that in the health privacy regulation whereby if a licensee is compliant with HIPAA, then it is deemed compliant with the privacy standards regulation.
HIPAA and the Department's privacy standards regulation have some overlapping requirements, and the requirements of the Department's regulation are consistent with those in HIPAA. Therefore, a licensee that satisfies the requirements of HIPAA would likely also satisfy many of the requirements of the Department's regulation. However, compliance with HIPAA will not satisfy all of the requirements of the Department's regulation because HIPAA addresses only health information and not financial information. If a deemer provision were included, a licensee that complies with HIPAA would be able to avoid the information security requirements for financial information. Accordingly, the requested deemer provision has not been included in the proposed rulemaking.
Fiscal Impact
There is no anticipated fiscal impact as a result of the proposed rulemaking. Insurers already must comply with the GLBA and Chapters 146a and 146b; therefore, most, if not all, of the required safeguards should already be in place. This chapter bridges any gaps between those regulations and the safeguarding of customer information.
Paperwork
There is no anticipated additional paperwork expected as a result of this proposed rulemaking.
Affected Parties
The proposed rulemaking will affect all licensed insurers doing the business of insurance in this Commonwealth.
Effectiveness/Sunset Date
The proposed rulemaking will become effective 6 months after final adoption of this proposed rulemaking.
Contact Person
Questions or comments regarding the proposed rulemaking should be addressed in writing to Peter J. Salvatore, Regulatory Coordinator, Insurance Department, 1326 Strawberry Square, Harrisburg, PA 17120, fax (717) 772-1969, psalvatore@state.pa.us within 30 days following the publication of this notice in the Pennsylvania Bulletin.
Under the Regulatory Review Act, the Department is required to write to all commentators requesting whether or not they wish to receive a copy of the final-form rulemaking. To better serve stakeholders, the Department has made a determination that all commentators will receive a copy of the final-form rulemaking when it is made available to the Independent Regulatory Review Commission (IRRC) and the Legislative Standing Committees.
Regulatory Review
Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on September 23, 2003, the Department submitted a copy of this proposed rulemaking and a copy of a Regulatory Analysis Form to IRRC and to the Chairpersons of the Senate Banking and Insurance Committee and the House Insurance Committee. A copy of this material is available to the public upon request.
Under section 5(g) of the Regulatory Review Act, IRRC may convey any comments, recommendations or objections to the proposed rulemaking within 30 days of the close of the public comment period. The comments, recommendations or objections shall specify the regulatory review criteria which have not been met. The Regulatory Review Act specifies detailed procedures for review, prior to final publication of the rulemaking, by the Department, the General Assembly and the Governor of comments, recommendations or objections raised.
M. DIANE KOKEN,
Insurance Commissioner
Fiscal Note: 11-215. No fiscal impact; (8) recommends adoption.
Annex A
TITLE 31. INSURANCE
PART VIII. MISCELLANEOUS PROVISIONS
CHAPTER 146c. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Sec.
146c.1. Purpose.
146c.2. Definitions.
146c.3. Information security program.
146c.4. Objectives of information security program.
146c.5. Examples of methods of development and implementation.
146c.6. Assess risk.
146c.7. Manage and control risk.
146c.8. Oversee service provider arrangements.
146c.9. Adjust the program.
146c.10. Determined violation.
146c.11. Effective date.
§ 146c.1. Purpose.
This chapter establishes standards:
(1) For developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, under sections 501, 505(b) and 507 of the Gramm-Leach-Bliley Act (15 U.S.C.A. §§ 6801, 6805(b) and 6807).
(2) For ensuring the security and confidentiality of customer records and information.
(3) To protect against any reasonably anticipated threats or hazards to the security or integrity of the records.
(4) To protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer.
(5) That apply to nonpublic personal information, including nonpublic personal financial information and nonpublic personal health information.
§ 146c.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:
Act--The Insurance Department Act of 1921 (40 P. S. §§ 1--321).
Commissioner--The Insurance Commissioner of the Commonwealth.
Customer--Either a ''consumer'' or ''customer'' as defined in § 146a.2 (relating to definitions) or a ''consumer'' as defined in § 146b.2 (relating to definitions).
Customer information--Either ''nonpublic personal financial information'' as defined in § 146a.2 or ''nonpublic personal health information'' as defined in § 146b.2 about a customer, whether in paper, electronic or other form that is maintained by or on behalf of the licensee.
Customer information systems--The electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.
Department--The Insurance Department of the Commonwealth.
Licensee--As defined in either § 146a.2 or § 146b.2. The term does not include a purchasing group or a nonadmitted insurer in regard to the surplus lines business conducted under Article XVI of the Insurance Company Law of 1921 (40 P. S. §§ 991.1601--991.1625).
Service provider--A person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.
§ 146c.3. Information security program.
A licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
§ 146c.4. Objectives of information security program.
A licensee's information security program shall be designed to do the following:
(1) Safeguard the security and confidentiality of customer information.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of the information.
(3) Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
§ 146c.5. Examples of methods of development and implementation.
The actions and procedures described in §§ 146c.6--146c.9 are examples of methods of implementation of the requirements of §§ 146c.3 and 146c.4 (relating to information security program; and objectives of information security program). These examples are nonexclusive illustrations of actions and procedures that licensees may follow to implement §§ 146c.3 and 146c.4.
§ 146c.6. Assess risk.
The licensee:
(1) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems.
(2) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
(3) Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.
§ 146c.7. Manage and control risk.
The licensee:
(1) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities.
(2) Trains staff, as appropriate, to implement the licensee's information security program.
(3) Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.
§ 146c.8. Oversee service provider arrangements.
The licensee:
(1) Exercises appropriate due diligence in selecting its service providers.
(2) Requires its service providers to implement appropriate measures designed to meet the objectives of this chapter, and, when indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.
§ 146c.9. Adjust the program.
The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.
§ 146c.10. Determined violation.
(a) Violations of §§ 146c.3 and 146c.4 (relating to information security program; and objectives of information security program) are deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to any applicable penalties or remedies contained in the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.15).
(b) A licensee has violated this chapter when the licensee knew or reasonably should have known of a pattern of activity or a practice of a service provider that constitutes either a violation of Chapter 146a (relating to privacy of consumer financial information), Chapter 146b (relating to privacy of consumer health information) or this chapter or a material breach of the contract or other arrangement between the licensee and the service provider, unless the licensee took reasonable steps to cure the breach or end the violation, as applicable, and, if the steps were unsuccessful, did the following:
(1) Terminated the contract or arrangement with the service provider, if feasible.
(2) If termination is not feasible, reported the violation or breach to the Department.
§ 146c.11. Effective date.
Each licensee shall establish and implement an information security program, including appropriate policies and systems under this chapter by _____ (Editor's Note: The blank refers to a date 6 months after final adoption of this proposed rulemaking.).
[Pa.B. Doc. No. 03-1934. Filed for public inspection October 3, 2003, 9:00 a.m.]