INSURANCE DEPARTMENT [31 PA. CODE CH. 146a] Privacy of Consumer Financial Information [31 Pa.B. 1748] The Insurance Department (Department) proposes to adopt Chapter 146a (relating to privacy of consumer financial information) to read as set forth in Annex A. The proposal is made under the general rulemaking authority of sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P. S. §§ 66, 186, 411 and 412), and under the guidance of section 648 of The Insurance Department Act of 1921 (40 P. S. § 288), as amended by the act of June 25, 1997 (P. L. 349, No. 40) (Act 40). Likewise, this proposal is made under the Department's rulemaking authority under the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.14) (as this authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977)), because the Insurance Commissioner of the Commonwealth has determined that the improper disclosure or marketing, or both, of nonpublic personal financial information by members of the insurance industry constitutes an unfair method of competition and an unfair or deceptive act or practice.
Purpose
The purpose of this proposed rulemaking is to adopt Chapter 146a in order to implement the privacy requirements for nonpublic financial information set forth in Title V of the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.A. §§ 6801--6827). Title V of the GLBA requires various state and Federal regulators of the financial services industries to promulgate regulations for their respective regulated communities. For example, the Federal banking regulators (the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS) and the Board of Governors of the Federal Reserve System (BGFRS)) have already promulgated final-form regulations pertaining to the privacy of nonpublic personal financial information when that information is collected by the various Federal banking entities within their regulatory jurisdiction. See, for example, 12 CFR 40.1 et seq. (OCC regulations) and 12 CFR 216.1 et seq. (BGFRS regulations).
As with the Federal banking regulators, state insurance authorities are required by Title V of the GLBA to establish appropriate consumer privacy standards for various entities in the insurance industry. The failure of a state to adopt privacy regulations will result in the state's inability to override the Federal insurance consumer protection regulations that were issued by the Federal banking agencies in final form on December 4, 2000, under section 305 of the GLBA. See 65 Fed. Reg. 233, 75821 (to be codified at 12 CFR Parts 14, 208, 343 and 536). These regulations were initially scheduled to become effective on April 1, 2001, but the compliance date of these regulations has now been delayed until October 1, 2001. These regulations pertain generally to the sale of insurance by financial institutions and specifically to matters such as referral fees, separation of banking and insurance sales areas and disclosures regarding the nature of insurance products that are sold by banks.
Background
These proposed regulations are modeled from the Privacy of Consumer Financial and Health Information Regulation that was adopted by the National Association of Insurance Commissioners (NAIC) on September 26, 2000. For purposes of this rulemaking, the Department will make available a copy of the NAIC model to the Standing Committees of the Senate and the House, and to the Independent Regulatory Review Commission (IRRC). Otherwise, this material is copyrighted and is available from the NAIC upon request. For further information, see the NAIC website at http://www.naic.org. In general, the NAIC model resembles the Federal banking privacy regulations by utilizing a notice and opt out structure for the protection of customer financial information from disclosure. The NAIC model, however, does vary from the Federal banking privacy regulations. Because of the nature of insurance products and their inherent differences from banking products and services, the NAIC model extends its privacy protections to persons who do not have a direct relationship with a regulated entity, namely insurance policy beneficiaries and claimants. Otherwise, the NAIC model and the Federal privacy regulations generally share a common ideological framework for the protection of financial information privacy.
In addition to achieving a level of parity with the Federal regulations in order to place the insurance industry on an equal footing in the financial services industry with other banking and securities counterparts, another primary goal of the NAIC model is achieving a level of uniformity among the states. Because each state is responsible for the promulgation of its own privacy regulation for the implementation of Title V of the GLBA, uniformity among these regulations is of central importance. The insurance industry generally views uniformity of the states' privacy regulations as crucial because activities in the insurance marketplace essentially transcend state boundaries and compliance with privacy regulations with dramatically differing approaches and schemes could result in significant administrative burden and impede the transaction of the business of insurance.
For these reasons and in the interest of uniformity, the Department has attempted to implement the NAIC model as closely as possible. However, because of the statutory framework established by Act 40, the Department was required to make certain substantive variations of that model regulation for this proposed rulemaking. For example, these proposed regulations require an opt out for the sharing of information between both affiliates and nonaffiliates, while the NAIC model allows the sharing of information among affiliates without providing consumers with an opportunity to opt out of such sharing. Also, because of the standing requirements in Act 40, this rulemaking requires a financial institution to send a second opt out notice to any consumer or customer who does not respond to the first notice. There is no such requirement in the NAIC model. These and other substantive differences between the NAIC Model and the proposed rulemaking are explained in greater detail below.
Preproposal Comments
The Department, on November 8, 2000, held an outreach meeting with various members of this Commonwealth's insurance industry that could be affected by this rulemaking. The purpose of the meeting was to discuss the NAIC model and the Department's intent to base its privacy rulemaking on such model, as well as to solicit comments from these groups. Written comments were submitted by the following entities and, where applicable, were considered during the design of this proposed rulemaking: the National Association of Independent Insurers (NAII), American Family Life Assurance Company of Columbus (AFLAC), Pennsylvania Association of Health Underwriters (PAHU), Independent Insurance Agents of Pennsylvania/Pennsylvania Association of Insurance and Financial Advisors (IIAP/PAIFA), Managed Care Association of Pennsylvania (MCAP), Capital Blue Cross (CBC), Pennsylvania Bankers Association (PBA), Blue Cross of Northeastern Pennsylvania (BCNP), Alliance of American Insurers (AAI), Pennsylvania Association of Mutual Insurers (PAMIC), Independence Blue Cross (IBC) and the Insurance Federation of Pennsylvania, Inc. (IFP).
Copies of the written comments submitted by these groups in the preproposal period are available upon request. The following is a synopsis of the most important comments raised by the industry, and the Department's reaction thereto:
Health Information Privacy
The NAIC model tracks very closely the privacy regulations of the Federal banking agencies in most aspects, with some obvious modifications to tailor the regulation for application to the insurance industry. However, one point of departure between the NAIC model and the Federal banking regulations is their differing approaches for the treatment of health information privacy. On one hand, the Federal banking regulations treat health information in the same manner as financial information by requiring that an institution refrain from disclosing consumer health information to nonaffiliated third parties only when the consumer opts out of the disclosure. On the other hand, the NAIC model takes a different approach by requiring an affirmative opt in of the consumer before health information may be disclosed by an insurance entity. Thus, the NAIC model establishes an entirely different scheme of regulation for health information.
Also, it is important to note that Federal regulations pertaining to health information privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. Law No. 104-191) (August 21, 1996) were issued in final form by the United States Department of Health and Human Services (HHS) on December 28, 2000. See 65 Fed. Reg. 250, 82461-82510 (to be codified at 45 CFR Parts 160 and 164). Generally, the HHS regulations require a ''covered entity'' to obtain an individual authorization prior to disclosing covered health information.
* Concerns regarding the inclusion of an opt in health requirement relating to health information privacy in the NAIC model were raised by NAII, AFLAC, PAHU, IIAP/PAIFA, MCAP, CBC, PBA, BCNP, AAI, PAMIC and IBC.
* These groups oppose the inclusion of an opt in requirement for health information privacy because it allegedly exceeds the scope of the GLBA, and they assert that there is no requirement in the GLBA for states to implement such rules.
* At the time of the preproposal comment period, some commentators also noted that the HHS will soon be issuing health information privacy regulations in final form and the groups assert that the provisions in the NAIC model will be duplicative and confusing for entities that have to comply with both rules (that is, health insurers), and any less protective state laws will be preempted by the HHS rules.
* The commentators also assert that the opt in requirement for health information in the NAIC model applies to the sharing of health information with both nonaffiliated third parties and affiliated third parties for marketing purposes, so treatment of health information is inconsistent with the other Federal privacy regulations for banks and securities, potentially causing an unfair disadvantage for insurance entities in the financial services industry.
The Department has reviewed these comments, the NAIC model, the GLBA and the Department's statutory authority for the promulgation of this rulemaking. While the Department believes that it has statutory authority to include an opt in requirement for health information and that section 507 of the GLBA clearly preserves the ability of states to enact more rigorous consent requirements for health information, it has decided to remove the opt in requirement for health information for the purpose of this proposed rulemaking. Rather, the Department will defer the implementation of health privacy regulations until a later date. It is the intent of the Department to develop health privacy regulations that will supplement rather than duplicate the HHS health information privacy regulations that were issued in final form on December 28, 2000.
Workers' Compensation Insurance Coverage Inclusion in NAIC Model
The NAIC model includes workers' compensation insurance coverage within the scheme for regulating privacy of consumer information.
* Concerns regarding the inclusion of workers' compensation insurance coverage in the proposed rulemaking were raised by NAII, IIAP/PAIFA, PAMIC and AAI.
* These groups oppose the inclusion of workers' compensation insurance coverage in the privacy regulation because the GLBA was intended to cover only products for personal, family or household use.
The Department considered these comments while developing the proposed rulemaking. Although workers' compensation insurance is not necessarily purchased for household purposes, carriers of this product collect and maintain nonpublic personal financial information pertaining to individuals, and the protection of this information is consistent with the purposes of this proposed regulation. Also, to the extent possible, the Department is committed to uniformity, so it will retain this provision of the NAIC model. Therefore, because nonpublic personal financial information is obtained as a regular part of the underwriting process in issuing workers' compensation policies and because of the interest in uniformity, the provisions pertaining to the inclusion of workers' compensation insurance remain in this proposal as § 146a.2 (definition of ''consumer,'' subsection (v)).
In addition, because worker's compensation insurance issues generally fall within the dual jurisdiction of both the Department and the Department of Labor and Industry (DLI), the Department has met and consulted with the DLI Bureau of Workers' Compensation in order to discuss the applicability and effect of this proposed regulation to workers' compensation insurance. As a result of these meetings, the DLI Bureau of Workers' Compensation has commented that it is supportive of the Department's privacy regulation.
Producer Issues
The NAIC model states that insurance producers are generally subject to this proposed rulemaking as licensees of the Department. However, an exception in the NAIC model states that insurance producers acting as an agent from another licensee covered by the regulation will not be subject to the notice and opt out requirements of the regulation, if the principal licensee otherwise complies with the NAIC model. Also, the NAIC model contains numerous exceptions to the notice and opt out requirements that are generally intended to preserve the ability of an insurance entity to engage in the daily operations of its business with minimal interference.
* Concerns regarding certain insurance producer issues were raised by NAII and AFLAC.
* These groups believe that producers will be subject to liability because they will be unable to determine if the insurers for which they act as agents will be in compliance.
* Also, these commentators are concerned that the NAIC model does not allow independent producers to perform certain functions on behalf of an insurer (such as, communications to resolve claims that require the disclosure of personally identifiable information) unless they individually comply with the opt out and notice requirements.
The Department has retained the exception to the opt out and notice requirements for insurance producers acting as agents for another licensee covered by the regulation when the principal licensee otherwise complies with the requirements of this proposed regulation at proposed § 146a.2 (definition of ''licensee,'' subparagraph (iii)). Without this exception, consumers would receive notices and opt out forms from both insurers and producers, and these multiple notices might be confusing to consumers, especially when they relate to the same information from the same insurance transactions. Imposing a requirement on insurance producers who are acting on behalf of an entity that is required to comply with this rulemaking is duplicative and serves no purpose toward the ultimate goal of consumer protection.
The Department further believes that the concern that independent producers acting as agents on behalf of another licensee will be unable to perform certain functions on behalf of their principals is unfounded. Subchapter D (relating to exceptions to limits on disclosures of financial information) contains numerous business exceptions to general opt out and notice requirements set forth in the proposed rulemaking. Since it is not the intent of the Department or this proposed rulemaking to hinder the transaction of the business of insurance, these exceptions were carefully crafted in the NAIC model to allow insurance producers and insurers to conduct their daily business with minimal interference, while maintaining the necessary protection for the privacy of consumer information.
Definition of ''Consumer''
The NAIC Model includes within the definition of consumer, and therefore extends privacy protections to, persons who do not necessarily have a direct or contractual relationship with an insurer, producer or other licensee covered by the regulation. These individuals include claimants and beneficiaries under insurance policies or workers' compensation benefits.
* Concerns regarding the definition of consumer in the NAIC model were raised by NAII, AFLAC, MCAP, AAI, PAMIC and IBC.
* The definition of ''consumer'' in the NAIC model includes beneficiaries and third party claimants to an insurance policy, participants and beneficiaries of an employee benefit plan, individuals covered under a group or blanket insurance plan and beneficiaries of workers' compensation plans. The NAII, AFLAC, MCAP, AAI, PAMIC and IBC have asserted that they believe it is inappropriate to extend the protections of the privacy regulation to persons, thereby requiring that an entity satisfy the notice and opt out requirements of the privacy regulation before information about persons may be disclosed. These commentators base their comments on the fact that the protections of the privacy regulation will then be extended beyond persons who have a direct contractual relationship with a licensee.
The Department has carefully considered these comments, but believes that beneficiaries and third party claimants to an insurance policy, participants and beneficiaries of an employee benefit plan, individuals covered under a group or blanket insurance plan, and beneficiaries of workers' compensation plans are properly included in the definition of consumer. Licensees regularly collect and maintain nonpublic personal financial information pertaining to such individuals, so these beneficiaries, claimants, plan and group policy participants, and beneficiaries of workers' compensation plans should be afforded protection of their privacy in that information, despite the fact that they do not have a direct contractual relationship with the licensee. Consequently, these persons have been retained in the definition of consumer in this proposed rulemaking as § 146a.2 (definition of consumer, subparagraphs (iv) and (v)), and the protections set forth therein will extend to them. Also, in the interest of uniformity, the Department wants to remain as consistent as possible with the NAIC model, especially with regard to its fundamental principles and definitions.
''Unclear'' Unfair Discrimination Provisions
The NAIC model contains an ''unfair discrimination'' provision that prohibits insurance entities from discriminating against consumers on the basis of a consumer's exercising his opt out rights or otherwise directing an institution from disclosing his nonpublic personal information.
* Concerns regarding an alleged lack of clarity in the ''unclear'' unfair discrimination provisions of the NAIC model were raised by NAII and AAI.
* These groups believe that the unfair discrimination provision of the NAIC model is unclear and does not provide sufficient information as to what activities fall within this term.
Contrary to these comments, the Department believes that the unfair discrimination provisions of the NAIC model are adequately clear and has retained them in this proposed regulation at § 146a.42 (relating to nondiscrimination). As with any regulation, the Department is unable to provide an exhaustive list of activities that might constitute unfair discrimination against persons who chose to exercise their opt out rights. Rather, in the interest of consumer protection, the Department believes that it should not limit its enforcement authority on this issue in the proposal. Rather, potential violations will be considered on a case-by-case basis.
NCOIL Model Besides the NAIC, the National Conference of Insurance Legislators (NCOIL) has also developed a model for the protection of nonpublic personal information that is applicable to insurance entities. The NCOIL model is available from the NCOIL website at http://www.ncoil.org/.
* AFLAC has raised a concern that it prefers the NCOIL privacy model over the NAIC model, especially with respect to the treatment of health information, insurance producers and the electronic delivery of notices.
The Department has reviewed the NCOIL model and because the Department has decided not to require an opt in for health information, the concern raised by AFLAC in that regard has been eliminated. However, with regard to the treatment of independent producers and electronic delivery of notices, the NAIC model and the NCOIL model are very similar. Both models provide that independent producers need not provide an opportunity to opt out or notices when their principals otherwise comply with the regulation, and the independent producers do not otherwise disclose information beyond the exceptions identified in the regulation. Also, both models allow for the electronic delivery of notices when a consumer consents to such delivery. Therefore, in the interest of uniformity and because there is little substantive difference in the models, the Department has based this proposed rulemaking on the NAIC model. Finally, numerous other states have expressed a commitment to implementing the NAIC model, and some states have already introduced the NAIC model through legislation or regulation. Thus, the Department is committed to implementing the NAIC model over the NCOIL model.
Electronic Notices
The NAIC model generally allows insurance entities to provide consumers with notices through electronic means, provided that the consumer has consented to receiving notices through this means. The NAIC model also contains several examples of situations where a consumer may be deemed to have consented to receiving notices through electronic means.
* AFLAC has raised a concern that the NAIC model does not appear to be consistent in its treatment of the ability of a licensee to deliver electronic notices because the proposed rulemaking in § 146a.16(b)(1)(iii) and (2)(ii) (relating to delivery) seems to suggest that a consumer must conduct electronic transactions or purchase insurance electronically in order to be eligible for receipt of electronic notices. AFLAC believes that this is contrary to the general rule that consumers may receive notices electronically if they chose.
The Department believes that there is no inconsistency in the proposed rulemaking with regard to electronic notices. Rather, § 146a.16(b)(1)(iii) and (2)(ii) are only included as examples of compliant and noncompliant activities with regard to electronic notices, and do not otherwise limit the general rule set forth in the proposed rulemaking in § 146a.16(a) which allows consumers to consent to the electronic delivery of notices, regardless of the means through which the consumer obtained the insurance product. Finally, the Commonwealth has adopted the Electronic Transactions Act (73 P. S. §§ 2260.101--2260.903) (ETA), and these proposed regulations are consistent with the ETA in that consumers are not required to conduct transactions electronically, but are free to consent to the transaction of business through electronic means.
Delivery of Notices Through Policyholder
The NAIC model includes a provision that allows for the satisfaction of the notice requirements when notices are delivered to a main policyholder, as opposed to providing notices to each individual that obtains a certificate of coverage under a group policy.
* AFLAC has also commented that it would like a new subsection added to the proposed rulemaking that clarifies that a licensee may satisfy the delivery requirements to insurance beneficiaries, account insureds or claimants by delivering the notice to the policyholder.
The Department believes that the delivery requirements for insurance beneficiaries, account insureds or claimants are abundantly clear in the proposed rulemaking in § 146a.2 (definition of ''licensee'', subparagraph (v)) and has not made any changes to the NAIC model in that regard.
Compliance Date
Both the NAIC model and § 146a.44 (relating to effective date) provide that the effective date of the regulations will be July 1, 2001, especially since the date is of central importance in avoiding the loss of the Commonwealth's ability to override the Federal insurance consumer protection regulations that were issued in final form on December 4, 2000. See 65 Fed. Reg. 233, 75821 (to be codified at 12 CFR Parts 14, 208, 343 and 536).
* Concerns relating to the compliance date for the proposed rulemaking were raised by AFLAC, IIAP/PAIFA, MCAP, PBA and BCNP.
* These groups assert that there is insufficient time to comply with the privacy regulations by July 1, 2001, especially if the regulations are not promulgated in final form until after that date.
The Department previously issued Insurance Department Notice 2000-08 to provide guidance to insurers authorized to do business in this Commonwealth in regard to the compliance date for the privacy provisions of the GLBA.
Under the Insurance Department Act of 1921 (40 P. S. §§ 1--321), and the Insurance Company Law of 1921 (40 P. S. §§ 341--991), the Insurance Commissioner and the Department are charged with the regulation and oversight of insurers and insurance producers within this Commonwealth. See 40 P. S. §§ 1, 341; 71 P. S. § 66, 186, 411, 412. The GLBA recognizes the Department's jurisdiction by reaffirming the McCarran-Ferguson Act (15 U.S.C.A. §§ 1011 et seq.), which provides for the functional regulation of insurance by the states. See section 301 GLBA.
The GLBA recognizes that states are the functional regulators of the insurance industry and directs state insurance regulators to promulgate privacy regulations for its regulated community. In addition, state insurance regulators are also charged with the duty of enforcing the customer privacy requirements contained in the Federal statute. Although there is no requirement that state insurance regulators promulgate their regulations prior to a specific date, the GLBA's general statutory privacy requirements would have become effective on November 12, 2000, and all relevant insurance entities would have been required to comply with these statutory provisions by that time. However, because enforcement of the GLBA's statutory privacy provisions is within the jurisdiction of state insurance regulators, it was clear that the Department was authorized to extend the date on which all relevant insurance entities must comply with the GLBA's statutory privacy requirements.
While enforcement of the GLBA's statutory privacy requirements for insurers and insurance producers is within the jurisdiction of the state insurance regulators, enforcement for banking entities is within the jurisdiction of the Federal banking agencies. Like the state insurance regulators, the Federal banking agencies are authorized to extend the compliance date for enforcement of the GLBA's statutory privacy requirements. However, unlike the state insurance regulators, the Federal banking agencies were required to develop their ''appropriate standards'' in the form of final regulations by May 12, 2000. In these regulations, the Federal banking agencies determined that the compliance date should be extended to July 1, 2001.
To achieve a sense of parity between insurance entities and other members of the financial services industry, the Department joined other members of the NAIC in a June 11, 2000, resolution which details that it was the intent of state insurance regulators to extend the GLBA privacy requirements compliance date to July 1, 2001, for entities within their respective jurisdictions.
Therefore, under its regulatory authority under the Insurance Department Act and the Insurance Company Law, as recognized by the section 505 of GLBA, the Department issued Insurance Department Bulletin No. 2000-08, which stated that the compliance date for the GLBA's statutory privacy requirements as they apply to insurers and insurance producers shall be extended until July 1, 2001. The bulletin also informed this Commonwealth's insurance industry that prior to this date, no action to enforce the GLBA's statutory privacy requirements would be taken against an insurer or insurance producer subject to the Department's jurisdiction. For these reasons, the Department intends to have this proposed rulemaking become effective on July 1, 2001, to avoid the potential loss of its authority to override the Federal insurance consumer protection regulations as previously discussed.
Although the Department intends to make this proposed rulemaking effective on July 1, 2001, it intends to remain flexible with regard to its initial enforcement of the regulations and the privacy provisions of the GLBA. For approximately 6 months after the promulgation of the privacy regulations, the Department intends to utilize its Market Surveillance Unit to monitor the insurance industry's implementation of the privacy regulation and provide assistance to the industry. The Department believes that this enforcement approach will best serve both the insurance industry and this Commonwealth's insurance consumers, especially since implementation of the privacy regulation may prove to be a time consuming and complex undertaking for some insurance entities.
Uniformity
As previously explained, because each state is responsible under the GLBA to enact privacy regulations for its regulated community, uniformity of the regulations is of central importance to the insurance industry.
* Concerns regarding uniformity of insurance privacy regulations implemented under the GLBA among all 50 states were raised by PAHU, IIAP/PAIFA and PBA.
* These groups assert that there is a need for uniformity among the states with regard to the privacy regulations, which they must implement under the GLBA.
The Department agrees that uniformity is of central importance in the promulgation of privacy regulations by the various states. Each state must enact either legislation or regulation to be in compliance with GLBA or it could lose its regulatory authority over certain consumer protection issues addressed in the Federal regulations on this subject. However, as do other states, this Commonwealth has an existing statutory framework for privacy of insurance information in section 648 of the Insurance Department Act (40 P. S. § 288). Therefore, the Department has adhered to the NAIC model to every extent possible, but certain changes were required to ensure compliance with section 648.
Explanation of Regulatory Changes
Subchapter A. General provisions
Section 146a.1 (relating to purpose) contains the purpose, scope and compliance requirements needed to govern the treatment of nonpublic personal information about individuals in this Commonwealth by licensees of the Department.
Section 146a.2 (relating to definitions) contains the definitions as they are used in this chapter and gives examples that, to the extent applicable, constitute compliance and noncompliance with this proposed rulemaking.
Subchapter B. Privacy And Opt Out Notices For Financial Information
Section 146a.11 (relating to initial privacy notice to consumers required) contains the requirements for the provision of an initial privacy notice to consumers and customers by a licensee. It also contains the exceptions, under which subsequent notice is permissible.
Section 146a.12 (relating to annual privacy notice to customers requires) contains the general rule and provides examples for the provision of annual privacy notice to customers.
Section 146a.13 (relating to information to be included in privacy notices) describes the information that shall be included in initial, annual and revised privacy notices. It also contains the exceptions to the inclusion of the required information. The situations when the use of simplified and short-form initial notice is permissible is set forth.
Section 146a.14 (relating to form of opt out notice to consumers and opt out methods) describes the form of the opt out notice and specifies the information that shall be contained in the notice. It also specifies reasonable opt out means and gives examples of what would be unreasonable. It also contains the means for treating joint consumers of an insurance product or service.
Section 146a.15 (relating to revised privacy notices) contains the requirements imposed on licensees for providing revised privacy notices.
Section 146a.16 (relating to delivery) describes how notices shall be delivered and provides examples of when a licensee may reasonably expect that a consumer has received actual notice. It also describes when a licensee may reasonably expect that a customer will receive actual notice of a licensee's annual privacy notice.
Subchapter C. Limits On Disclosures Of Financial Information
§ 146a.21 (relating to limits on disclosure of nonpublic personal financial information to nonaffiliated third parties) contains the limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. It lists the conditions for disclosure and describes the opt out direction. It includes examples of when a licensee shall provide a consumer with a reasonable opportunity to opt out.
Section 146a.22 (relating to limits on redisclosure and reuse of nonpublic personal financial information) contains the limits on redisclosure and reuse of nonpublic personal financial information in situations when the licensee receives the information under one of the exceptions contained in this proposed rulemaking, as well as when the licensee receives the information outside of an exception.
Section 146a.23 (relating to limits on sharing account number information for marketing purposes) contains a prohibition of sharing certain account number information and the exceptions to this prohibition.
Subchapter D. Exceptions To Limits On Disclosures Of Financial Information
Section 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) describes when the opt out requirements contained in §§ 146a.13 and 146a.20 do not apply for service providers and joint marketing.
Section 146a.32 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions) contains the exceptions to the notice and opt out requirements for disclosure of nonpublic personal financial information for certain processing and servicing transactions.
Section 146a.33 (relating to other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information) contains certain other exceptions to the notice and opt out requirements contained in §§ 146a.10, 146a.13, 146a.20 and 146a.30.
Subchapter E. Additional Provisions
Section 146a.41 (relating to Protection of Fair Credit Reporting Act) provides that nothing in this proposed rulemaking should be construed to modify, limit or supersede the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--681u).
Section 146a.42 (relating to nondiscrimination) prohibits a licensee from discriminating against a consumer or customer because the consumer or customer has opted out from the disclosure of his nonpublic personal financial information.
Section 146a.43 (relating to violation) provides that a contravention of this proposed rulemaking shall be deemed to be an unfair or deceptive act and practice in the conduct of the business of insurance and shall be deemed to be a determined violation, as defined in section 2 of the Unfair Insurance Practices Act (40 P. S. § 1171.2).
Section 146a.44 (relating to effective date) provides that this proposed rulemaking is effective on July 1, 2001.
To provide guidance to licensees that are covered by the regulation, Appendix A of this proposed rulemaking provides numerous examples of sample clauses that may be used in Appendix A for the privacy notices that are required by the regulation.
Fiscal Impact
There will be a fiscal impact as a result of the proposed rulemaking. However, Federal statute requires that this provision be mandated, therefore, the adoption of these regulations should not have a significant cost impact over what is currently being required.
Paperwork
Unless specifically executed under § 146a.2 definition of ''licensee'' of the proposed rulemaking, the rulemaking will affect all licensees doing the business of insurance in this Commonwealth by imposing additional paperwork requirements pertaining to the delivery and treating of opt out notices.
Effectiveness/Sunset Date
The proposed rulemaking will become effective July 1, 2001, as previously provided in Insurance Department Notice 2000-08.
Contact Person
Questions or comments regarding the proposed rulemaking may be addressed in writing to Peter J. Salvatore, Regulatory Coordinator, Insurance Department, 1326 Strawberry Square, Harrisburg, PA 17120, within 30 days following the publication of this notice in the Pennsylvania Bulletin. Questions and comments may also be e-mailed to psalvatore@state.pa.us or faxed to (717) 772-1969.
Regulatory Review
Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on March 21, 2001, the Department submitted a copy of this proposed rulemaking to IRRC and to the Chairpersons of the Senate Banking and Insurance Committee and the House Insurance Committee. In addition to the submitted proposed rulemaking, the Department has provided IRRC and the Committees with a copy of a detailed Regulatory Analysis Form prepared by the Department in compliance with Executive Order 1996-1, ''Regulatory Review and Promulgation.'' A copy of that material is available to the public upon request.
Under section 5(g) of the Regulatory Review Act, if IRRC has objections to any portion of the proposed rulemaking, it will notify the Department within 10 days after the close of the Committees' review. The notification shall specify the regulatory review criteria that have not been met by that portion. The Regulatory Review Act specifies detailed procedures for the Department, the Governor, and the General Assembly to review these objections before final publication of the regulations.
M. DIANE KOKEN,
Insurance CommissionerFiscal Note: 11-206. No fiscal impact; (8) recommends adoption.
Annex A TITLE 31. INSURANCE PART VIII. MISCELLANEOUS PROVISIONS CHAPTER 146a. PRIVACY OF CONSUMER FINANCIAL INFORMATION Subch.
A. GENERAL PROVISIONS B. PRIVACY AND OPT OUT NOTICE FOR FINANCIAL INFORMATION C. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION D. EXCEPTIONS TO LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION E. ADDITIONAL PROVISIONS Subchapter A. GENERAL PROVISIONS Sec.
146a.1. Purpose. 146a.2. Definitions. § 146a.1. Purpose.
(a) Purpose. This chapter governs the treatment of nonpublic personal financial information about individuals by various licensees of the Department. This chapter:
(1) Requires a licensee to provide notice to individuals about its privacy policies and practices.
(2) Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to third parties.
(3) Provides methods for individuals to prevent a licensee from disclosing that information.
(b) Scope. This chapter applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. Unless otherwise specified, this chapter generally does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
(c) Compliance. A licensee domiciled in this Commonwealth that is in compliance with this chapter in a state that has not enacted laws or regulations that meet the requirements of Title V of the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) (15 U.S.C.A. §§ 6801--6827) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.
(d) Examples. The examples provided in this chapter are for illustrative purposes only and do not otherwise limit or restrict the scope of this chapter.
§ 146a.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context requires otherwise:
Act--The Insurance Department Act of 1921 (40 P. S. §§ 1--321)
Affiliate--A company that controls, is controlled by or is under common control with another company.
Clear and conspicuous--That a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice. Examples include:
(i) Reasonably understandable. A licensee makes its notice reasonably understandable if it:
(A) Presents the information in the notice in clear, concise sentences, paragraphs and sections.
(B) Uses short explanatory sentences or bullet lists whenever possible.
(C) Uses definite, concrete, everyday words and active voice whenever possible.
(D) Avoids multiple negatives.
(E) Avoids legal and highly technical business terminology whenever possible.
(F) Avoids explanations that are imprecise and readily subject to different interpretations.
(ii) Designed to call attention. A licensee designs its notice to call attention to the nature and significance of the information in it if the licensee:
(A) Uses a plain-language heading to call attention to the notice.
(B) Uses a typeface and type size that are easy to read.
(C) Provides wide margins and ample line spacing.
(D) Uses boldface or italics for key words.
(E) In a form that combines the licensee's notice with other information, uses distinctive type size, style and graphic devices, such as shading or sidebars.
(iii) Notices on websites. If a licensee provides a notice on a web page, the licensee designs its notice to call attention to the nature and significance of the information in it if the licensee uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the licensee either:
(A) Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted.
(B) Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
Collect--To obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
Commissioner--The Insurance Commissioner of the Commonwealth.
Company--A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.
Consumer--An individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative.
(i) Examples of consumers.
(A) An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.
(B) An applicant for insurance prior to the inception of insurance coverage is a licensee's consumer.
(C) An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
(D) An individual is a licensee's consumer if the licensee discloses nonpublic personal financial information about the individual to a third party other than as permitted under Subchapter D (relating to exceptions to limits on disclosures of financial information), and the individual is:
(I) A beneficiary of a life insurance policy underwritten by the licensee.
(II) A claimant under an insurance policy issued by the licensee.
(III) An insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee.
(IV) A mortgagor of a mortgage covered under a mortgage insurance policy.
(ii) Examples of nonconsumers.
(A) Provided that the licensee provides the initial, annual and revised notices under §§ 146a.11, 146a.12 and 146a.15 (relating to initial privacy notice to consumers required; annual privacy notice to customers required; and revised privacy notices) to the plan sponsor, group or blanket insurance policyholder or group annuity contractholder, workers' compensation plan participant, and further provided that the licensee does not disclose to a third-party nonpublic personal financial information about an individual other than as permitted under Subchapter D, an individual is not the consumer of the licensee solely because the individual is:
(I) A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary.
(II) Covered under a group or blanket insurance policy or group annuity contract issued by the licensee.
(III) A beneficiary in a workers' compensation plan.
(B) The individuals described in subparagraph (v) are consumers of a licensee if the licensee does not meet all the conditions of subparagraph (v).
(C) Individuals, solely by virtue of the status described in subparagraph (v), may not be deemed to be customers for purposes of this chapter.
(D) An individual is not a licensee's consumer solely because the individual is a beneficiary of a trust for which the licensee is a trustee.
(E) An individual is not a licensee's consumer solely because the individual has designated the licensee as trustee for a trust.
Consumer reporting agency--Has the same meaning as in section 603(f) of the Federal Fair Credit Reporting Act (15 U.S.C.A. § 1681a(f)).
Control--As defined in section 1401 of The Insurance Company Law (40 P. S. § 991.1401).
Customer--A consumer who has a customer relationship with a licensee.
Customer relationship--A continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes. Examples include:
(i) A consumer has a continuing relationship with a licensee if:
(A) The consumer is a current policyholder of an insurance product issued by or through the licensee.
(B) The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
(ii) A consumer does not have a continuing relationship with a licensee if:
(A) The consumer applies for insurance but does not purchase the insurance.
(B) The licensee sells the consumer airline travel insurance in an isolated transaction.
(C) The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
(D) The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee.
(E) The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option.
(F) The customer's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12-consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or Federal authority, or promotional materials.
(G) The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity.
(H) For the purposes of this regulation, the individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
Department--The Insurance Department of the Commonwealth.
Financial institution--An institution the business of which is engaging in activities that are financial in nature or incidental to the financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)). The term does not include the following:
(i) A person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C.A. §§ 1--25).
(ii) The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C.A. §§ 2001--2279cc).
(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal information to a third party.
Financial product or service--A product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to the financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
Insurance product or service--A product or service that is offered by a licensee under the insurance laws of the Commonwealth. Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.
Licensee--
(i) A licensed insurer, as defined in section 201-A of the act (40 P. S. § 65.1-A), a producer and other persons or entities licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under the act, including health maintenance organizations holding a certificate of authority under section 201 of the Health Care Facilities Act (35 P. S. § 448.201).
(ii) The term does not include:
(A) Bail bondsmen as defined in 42 Pa.C.S.A. § 5741 (relating to definitions).
(B) Motor vehicle physical damage appraisers as defined in section 2 of the Motor Vehicle Physical Damage Appraiser Act (63 P. S. § 852) and § 62.1 (relating to definitions).
(C) Public adjusters as defined in section 1 of the act of December 20, 1983 (P. L. 260, No. 72) (63 P. S. § 1601) and § 115.1 (relating to definitions).
(D) An entity providing continuing care as defined in section 3 and licensed under section 4 of the Continuing-Care Provider Registration and Disclosure Act (40 P. S. §§ 3203 and 3204).
(iii) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information in Subchapters A--D if the licensee is an employee, agent or other representative of another licensee (''the principal'') and:
(A) The principal otherwise complies with, and provides the notices required by, this chapter.
(B) The licensee does not disclose nonpublic personal information to any person other than the principal in a manner permitted by this chapter.
(C) Subject to subparagraph (ii), the term ''licensee'' shall also include an unauthorized insurer that accepts business placed through a licensed surplus lines broker in this Commonwealth, but only in regard to the surplus lines placements placed under section 1601 of The Insurance Company Law (40 P. S. § 991.1601).
(D) A surplus lines broker or surplus lines insurer shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information in Subchapters A--D provided:
(I) The broker or insurer does not disclose nonpublic personal information of a consumer or a customer to third parties for any purpose, including joint servicing or marketing under § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing), except as permitted by § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(II) The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:
PRIVACY NOTICE ''NEITHER THE U.S. BROKERS THAT HAVE HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO THIRD PARTIES EXCEPT AS PERMITTED BY LAW.''
Nonaffiliated third party--Any person except:
(i) A licensee's affiliate.
(ii) A person employed jointly by a licensee and any company that is not the licensee's affiliate (but nonaffiliated third party includes the other company that jointly employs the person).
(iii) Nonaffiliated third party includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Federal Bank Holding Company Act (12 U.S.C.A. §§ 1843(k)(4)(H) and (I)).
Nonpublic personal information--
(i) The term includes the following:
(A) Personally identifiable financial information.
(B) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
(ii) The term does not include:
(A) Publicly available information, except as included on a list described in clause (B).
(B) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
(iii) Examples of lists are as follows:
(A) Nonpublic personal financial information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
(B) Nonpublic personal financial information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
Personally identifiable financial information--
(i) Customer information, as defined in section 601 of The Insurance Department Act (40 P. S. § 231) and includes the following:
(A) Information that a consumer provides to a licensee to obtain an insurance product or service from the licensee.
(B) Information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer.
(C) Information that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
(ii) Examples are as follows:
(A) Information included. Personally identifiable financial information includes:
(I) Information a consumer provides to a licensee on an application to obtain an insurance product or service.
(II) Account balance information and payment history.
(III) The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee.
(IV) Information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer.
(V) Information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
(VI) Information the licensee collects through an Internet cookie (an information-collecting device from a web server).
(VII) Information from a consumer report.
(B) Information not included. Personally identifiable financial information does not include:
(I) A list of names and addresses of customers of an entity that is not a financial institution.
(II) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
Publicly available information--Information that a licensee has a reasonable basis to believe is lawfully made available to the public from:
(i) Federal, State or local government records.
(ii) Widely distributed media.
(iii) Disclosures to the public that are required to be made by Federal, State or local law.
Reasonable basis--
(i) A licensee has a reasonable basis to believe that information is lawfully made available to the public if the licensee has taken steps to determine:
(A) That the information is of the type that is available to the public.
(B) Whether an individual can direct that the information not be made available to the public and, if so, that the licensee's consumer has not done so.
(ii) The term includes the following conditions:
(A) A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
(B) A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the public if the licensee has located the telephone number in the telephone book or the consumer has informed the licensee that the telephone number is not unlisted.
(iii) Examples are as follows:
(A) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.
(B) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the public.
[Continued on next Web Page]
[Continued from previous Web Page] Subchapter B. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION Sec.
146a.11. Initial privacy notice to consumers required. 146a.12. Annual privacy notice to customers required. 146a.13. Information to be included in privacy notices. 146a.14. Form of opt out notice to consumers and opt out methods. 146a.15. Revised privacy notices. 146a.16. Delivery. § 146a.11. Initial privacy notice to consumers required.
(a) Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:
(1) Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in subsection (e).
(2) Consumer. A consumer, before the licensee discloses nonpublic personal financial information about the consumer to any third party, if the licensee makes a disclosure other than as authorized by §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(b) When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under subsection (a)(2) if:
(1) The licensee does not disclose any nonpublic personal financial information about the consumer to any third party, other than as authorized by §§ 146a.32 and 146a.33, and the licensee does not have a customer relationship with the consumer.
(2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
(c) When the licensee establishes a customer relationship.
(1) General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship.
(2) Examples of establishing customer relationship. A licensee establishes a customer relationship when the consumer:
(i) Becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an insurance producer or insurance broker, obtains insurance through that licensee.
(ii) Agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the licensee.
(d) Existing customers. When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, the licensee satisfies the initial notice requirements of subsection (a) as follows:
(1) The licensee may provide a revised policy notice, under § 146a.15 (relating to revised privacy notices), that covers the customer's new insurance product or service.
(2) If the initial, revised or annual notice that the licensee most recently provided to that customer was accurate with respect to the new insurance product or service, the licensee does not need to provide a new privacy notice under subsection (a).
(e) Exceptions to allow subsequent delivery of notice.
(1) A licensee may provide the initial notice required by subsection (a)(1) within a reasonable time after the licensee establishes a customer relationship if:
(i) Establishing the customer relationship is not at the customer's election.
(ii) Providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
(2) Examples of exceptions are as follows:
(i) Not at customer's election. Establishing a customer relationship is not at the customer's election if a licensee acquires or is assigned a customer's policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee's acquisition or assignment.
(ii) Substantial delay of customer's transaction. Providing notice not later than when a licensee establishes a customer relationship would substantially delay the customer's transaction when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
(iii) No substantial delay of customer's transaction. Providing notice not later than when a licensee establishes a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at the licensee's office or through other means by which the customer may view the notice, such as on a web site.
(f) Delivery. When a licensee is required to deliver an initial privacy notice by this section, the licensee shall deliver it according to § 146a.16 (relating to delivery). If the licensee uses a short-form initial notice for noncustomers according to § 146a.13(d), the licensee may deliver its privacy notice according to § 146a.13(d)(3).
§ 146a.12. Annual privacy notice to customers required.
(a) Notice.
(1) General rule. A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.
(2) Example. A licensee provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year 1, the licensee shall provide an annual notice to that customer by December 31 of year 2.
(b) Termination.
(1) Termination of customer relationship. A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.
(2) Examples.
(i) A licensee no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
(ii) A licensee no longer has a continuing relationship with an individual if the individual's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, or promotional materials.
(iii) For the purposes of this regulation, a licensee no longer has a continuing relationship with an individual if the individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
(iv) A licensee no longer has a continuing relationship with a customer in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
(c) Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to § 146a.16 (relating to delivery).
§ 146a.13. Information to be included in privacy notices.
(a) General rule. The initial, annual and revised privacy notices that a licensee provides under §§ 146a.11, 146a.12 and 146a.15 (relating to initial privacy notice to consumers required; annual privacy notice to customers required; and revised privacy notices) shall include each of the following items of information, in addition to other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(1) The categories of nonpublic personal financial information that the licensee collects.
(2) The categories of nonpublic personal financial information that the licensee discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(4) The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33.
(5) If a licensee discloses nonpublic personal financial information to a third party under § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) (and no other exception in §§ 146a.32 and 146a.33 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted.
(6) An explanation of the consumer's right under § 146a.21(a) (relating to limitation on disclosure of nonpublic personal financial information to third parties) to opt out of the disclosure of nonpublic personal financial information to any third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C.A. § 1681a(d)(2)(A)(iii)).
(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
(9) Any disclosure that the licensee makes under subsection (b).
(b) Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under §§ 146a.32 and 146a.33, the licensee is not required to list those exceptions in the initial or annual privacy notices required by §§ 146a.11 and 146a.12. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(c) Examples.
(1) Categories of nonpublic personal financial information that the licensee collects. A licensee satisfies the requirement to categorize the nonpublic personal financial information it collects if the licensee categorizes it according to the source of the information, as applicable:
(i) Information from the consumer.
(ii) Information about the consumer's transactions with the licensee or its affiliates.
(iii) Information about the consumer's transactions with nonaffiliated third parties.
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal financial information a licensee discloses.
(i) A licensee satisfies the requirement to categorize nonpublic personal financial information it discloses if the licensee categorizes the information according to source, as described in subsection (c)(1), as applicable, and provides a few examples to illustrate the types of information in each category. These might include:
(A) Information from the consumer, including application information, such as assets and income and identifying information, such as name, address and social security number.
(B) Transaction information, such as information about balances, payment history and parties to the transaction.
(C) Information from consumer reports, such as a consumer's creditworthiness and credit history.
(ii) A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.
(iii) If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal information that the licensee discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the licensee discloses.
(i) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
(ii) Types of businesses may be described by general terms only if the licensee uses a few illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of businesses, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(iii) A licensee also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(4) Disclosures under exception for service providers and joint marketers. If a licensee discloses nonpublic personal financial information under the exception in § 146a.31 to a third party to market products or services that it offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of subsection (a)(5) if it:
(i) Lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the licensee used to meet the requirements of subsection (a)(2), as applicable.
(ii) States whether the third party is:
(A) A service provider that performs marketing services on the licensee's behalf or on behalf of the licensee and another financial institution.
(B) A financial institution with whom the licensee has a joint marketing agreement.
(5) Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 146a.32 and 146a.33, the licensee may simply state that fact, in addition to the information it shall provide under subsection (a)(1), (8) and (9), and subsection (b).
(6) Confidentiality and security. A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(i) Describes in general terms who is authorized to have access to the information.
(ii) States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee's policy. The licensee is not required to describe technical information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for noncustomers.
(1) A licensee may satisfy the initial notice requirements in § 146a.11(a)(2) and § 146a.14(c) (relating to form of opt out notice to consumers and opt out methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in § 146a.14.
(2) A short-form initial notice shall:
(i) Be clear and conspicuous.
(ii) State that the licensee's privacy notice is available upon request.
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The licensee shall deliver its short-form initial notice according to § 146a.16 (relating to delivery). The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to § 146a.16.
(4) Examples of obtaining privacy notice are included in this paragraph. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee:
(i) Provides a toll-free telephone number that the consumer may call to request the notice.
(ii) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.
(e) Future disclosures. The licensee's notice may include categories of:
(1) Nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose.
(2) Affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
(f) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix A (relating to sample clauses).
§ 146a.14. Form of opt out notice to consumers and opt out methods.
(a) Opt out notice.
(1) Form of opt out notice. If a licensee is required to provide an opt out notice under § 146a.21(a) (relating to limitation on disclosure of nonpublic personal financial information to third parties), it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice shall state:
(i) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a third party.
(ii) That the consumer has the right to opt out of that disclosure.
(iii) A reasonable means by which the consumer may exercise the opt out right.
(2) Examples.
(i) Adequate opt out notice. A licensee provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal financial information to a third party if the licensee:
(A) Identifies all of the categories of nonpublic personal financial information that it discloses or reserves the right to disclose, and all of the categories of third parties to which the licensee discloses the information, as described in §§ 146a.13(a)(2) and (3) (relating to information to be included in privacy notices), and states that the consumer can opt out of the disclosure of that information.
(B) Identifies the insurance products or services that the consumer obtains from the licensee, either singly or jointly, to which the opt out direction would apply.
(ii) Reasonable opt out means. A licensee provides a reasonable means to exercise an opt out right if it:
(A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice.
(B) Includes a reply form together with the opt out notice.
(C) Provides an electronic means to opt out, such as a form that can be sent by means of electronic mail or a process at the licensee's web site, if the consumer agrees to the electronic delivery of information.
(D) Provides a toll-free telephone number that consumers may call to opt out.
(iii) Unreasonable opt out means. A licensee does not provide a reasonable means of opting out if:
(A) The only means of opting out is for the consumer to write his own letter to exercise that opt out right.
(B) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the licensee provided with the initial notice but did not include with the subsequent notice.
(iv) Specific opt out means. A licensee may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.
(b) Same form as initial notice permitted. A licensee may provide the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with § 146a.11 (relating to initial privacy notice to consumers required).
(c) Initial notice required when opt out notice delivered subsequent to initial notice. If a licensee provides the opt out notice later than required for the initial notice in accordance with § 146a.11, the licensee shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(d) Joint relationships.
(1) If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer (as explained in paragraph (5)).
(2) Any of the joint consumers may exercise the right to opt out. The licensee may either:
(i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers.
(ii) Permit each joint consumer to opt out separately.
(3) If a licensee permits each joint consumer to opt out separately, the licensee shall permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A licensee may not require all joint consumers to opt out before it implements any opt out direction.
(5) An example is as follows: If John and Mary are both named policyholders on a homeowner's insurance policy issued by a licensee and the licensee sends policy statements to John's address, the licensee may do any of the following, but it shall explain in its opt out notice which opt out policy the licensee will follow:
(i) Send a single opt out notice to John's address, but the licensee shall accept an opt out direction from either John or Mary.
(ii) Treat an opt out direction by either John or Mary as applying to the entire policy. If the licensee does so and John opts out, the licensee may not require Mary to opt out as well before implementing John's opt out direction.
(iii) Permit John and Mary to make different opt out directions. If the licensee does so:
(A) It shall permit John and Mary to opt out for each other.
(B) If both opt out, the licensee shall permit both of them to notify it in a single response (such as on a form or through a telephone call).
(C) If John opts out and Mary does not, the licensee may only disclose nonpublic personal financial information about Mary, but not about John and not about John and Mary jointly.
(e) Time to comply with opt out. A licensee shall comply with a consumer's opt out direction as soon as reasonably practicable after the licensee receives it.
(f) Continuing right to opt out. A consumer may exercise the right to opt out at any time.
(g) Duration of consumer's opt out direction.
(1) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
(2) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal financial information that the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.
(h) Delivery. When a licensee is required to deliver an opt out notice by this section, the licensee shall deliver it according to § 146a.16 (relating to delivery).
(i) Written consent alternative. Nothing in this section otherwise prohibits a licensee from directly obtaining written consent for the use of nonpublic personal information from a consumer or customer under section 648(e) of the act (40 P. S. § 288(e)), if applicable to the licensee, provided that an adequate initial or annual, or both, notice has been provided to the consumer or customer. A consumer or customer's refusal to provide written consent shall be dispositive until the consumer or customer affirmatively permits the use of the information.
§ 146a.15. Revised privacy notices.
(a) General rule. Except as otherwise authorized in this chapter, a licensee may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a third party other than as described in the initial notice that the licensee provided to that consumer under § 146a.11 (relating to initial privacy notice to consumers required), unless:
(1) The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices.
(2) The licensee has provided to the consumer a new opt out notice.
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the third party, to opt out of the disclosure.
(4) The consumer does not opt out.
(b) Examples.
(1) Except as otherwise permitted by Subchapter D (relating to exceptions to limits on disclosure of financial information), a licensee shall provide a revised notice before it discloses:
(i) A new category of nonpublic personal financial information to any third party.
(ii) Nonpublic personal financial information to a new category of third party.
(iii) Nonpublic personal financial information about a former customer to a third party, if that former customer has not had the opportunity to exercise an opt outright regarding that disclosure.
(2) A revised notice is not required if the licensee discloses nonpublic personal financial information to a new third party that the licensee adequately described in its prior notice.
(c) Delivery. When a licensee is required to deliver a revised privacy notice by this section, the licensee shall deliver it according to § 146a.16 (relating to delivery).
§ 146a.16. Delivery.
(a) How to provide notices. A licensee shall provide any notices that this chapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Actual notice.
(1) Examples of reasonable expectation of actual notice. A licensee may reasonably expect that a consumer will receive actual notice if the licensee:
(i) Hand-delivers a printed copy of the notice to the consumer.
(ii) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication.
(iii) For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.
(iv) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
(2) Examples of unreasonable expectation of actual notice. A licensee may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it:
(i) Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices.
(ii) Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.
(c) Annual notices only. A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if:
(1) The customer uses the licensee's website to access insurance products and services electronically and agrees to receive notices at the website and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the website.
(2) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
(d) Oral description of notice insufficient. A licensee may not provide any notice required by this regulation solely by orally explaining the notice, either in person or over the telephone.
(e) Retention or accessibility of notices for customers.
(1) Notices for customers. For customers only, a licensee shall provide the initial notice required by § 146a.11(a)(1) (relating to initial privacy notice to consumers required), the annual notice required by § 146a.12(a) (relating to annual privacy notice to consumers required), and the revised notice required by § 146a.15 (relating to revised privacy notices) so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2) Examples of retention or accessibility. A licensee provides a privacy notice to the customer so that the customer can retain it or obtain it later if the licensee:
(i) Hand-delivers a printed copy of the notice to the customer.
(ii) Mails a printed copy of the notice to the last known address of the customer.
(iii) Makes its current privacy notice available on a website (or a link to another website) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the web site.
(f) Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.
(g) Joint relationships. If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual and revised notice requirements of §§ 146a.11(a), 146a.12(a) and 146a.15(a), respectively, by providing one notice to those consumers jointly.
Subchapter C. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION Sec.
146a.21. Limitation on disclosure of nonpublic personal financial information to third parties. 146a.22. Limits on redisclosure and reuse of nonpublic personal financial information. 146a.23. Limits on sharing account number information for marketing purposes. § 146a.21. Limits on disclosure of nonpublic personal financial information to third parties.
(a) Conditions for disclosure. Except as otherwise authorized in this chapter, a licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer to a third party unless:
(1) The licensee has provided to the consumer an initial notice as required under § 146a.11 (relating to initial privacy notice to consumers required).
(2) The licensee has provided to the consumer an opt out notice as required in § 146a.14 (relating to form of opt out notice to consumers and opt out methods).
(3) The licensee has given the consumer a reasonable opportunity, before it discloses the information to the third party, to opt out of the disclosure.
(4) The consumer does not opt out.
(b) Opt out definition. Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a third party, other than as permitted by Subchapter D (relating to exceptions to limits on disclosure of financial information).
(c) Examples of reasonable opportunity to opt out. A licensee provides a consumer with a reasonable opportunity to opt out if:
(1) By mail. The licensee mails the notices required in subsection (a) to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within 30 days from the date the licensee mailed the notices.
(2) By electronic means. A customer opens an online account with a licensee and agrees to receive the notices required in subsection (a) electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
(3) Second opt out notice required. If required by section 648 of the act (40 P. S. § 288), after 30 days from the date of delivering, electronically or otherwise, a first opt out notice, a consumer or customer has not responded to the notice, a licensee must deliver to the consumer or customer a second opt out notice satisfying the same requirement and criteria as the first opt out notice. When a second notice is required, the licensee shall deliver it according to § 146a.16 (relating to delivery). Thereafter, the licensee may disclose nonpublic personal information as permitted by this chapter and section 648 of the act, if applicable.
(4) Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in subsection (a) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
(d) Application of opt out to all consumers and all nonpublic personal financial information.
(1) A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.
(2) Unless a licensee complies with this section, the licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.
(e) Partial opt out. A licensee may allow a consumer to select certain nonpublic personal financial information or certain third parties with respect to which the consumer wishes to opt out.
§ 146a.22. Limits on redisclosure and reuse of nonpublic personal financial information.
(a) Information the licensee receives under an exception. If a licensee receives nonpublic personal financial information from a financial institution under an exception in § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information), the licensee's disclosure and use of that information is limited to the disclosure and use of the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(b) Example. If a licensee receives information from a financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
(c) Information a licensee receives outside of an exception. If a licensee receives nonpublic personal financial information from a financial institution other than under an exception in § 146a.32 or § 146a.33, the licensee may disclose the information only if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(d) Example. If a licensee obtains a customer list from a financial institution outside of the exceptions in § 146a.32 or § 146a.33:
(1) The licensee may use that list for its own purposes.
(2) The licensee may disclose that list to another third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in § 146a.32 or § 146a.33, such as to the licensee's attorneys or accountants.
(e) Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a third party under an exception in § 146a.32 or § 146a.33, the third party may disclose and use that information only under an exception in § 146a.32 or § 146a.33 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(f) Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a third party other than under an exception in § 146a.32 or § 146a.33, the third party may disclose the information only if the disclosure would be lawful if the licensee made it directly to that person.
§ 146a.23. Limits on sharing account number information for marketing purposes.
(a) General prohibition on disclosure of account numbers. A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
(b) Exceptions. Subsection (a) does not apply if a licensee discloses a policy number or similar form of access number or access code to:
(1) The licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account.
(2) A licensee who is a producer solely in order to perform marketing for the licensee's own products or services.
(3) A participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
(c) Examples.
(1) Policy number. A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.
(2) Policy or transaction account. For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
Subchapter D. EXCEPTIONS TO LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION Sec.
146a.31. Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. 146a.32. Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions. 146a.33. Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information. § 146a.31. Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
(a) General rule.
(1) Opt out requirements. The opt out requirements in §§ 146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to third parties) do not apply when a licensee provides nonpublic personal financial information to a third party to perform services for the licensee or functions on the licensee's behalf, if the licensee:
(i) Provides the initial notice in accordance with § 146a.11 (relating to initial privacy notice to consumers required).
(ii) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information) in the ordinary course of business to carry out those purposes.
(2) Example. If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee's contractual agreement with that institution meets the requirements of paragraph (1)(i) if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in § 146a.32 or § 146a.33 in the ordinary course of business to carry out that joint marketing.
(b) Service may include joint marketing. The services a third party performs for a licensee under subsection (a) may include marketing of the licensee's own products or services or marketing of financial products or services offered under joint agreements between the licensee and one or more financial institutions.
(c) Definition of ''joint agreement.'' For purposes of this section, ''joint agreement'' means a written contract under which a licensee and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.
§ 146a.32. Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.
(a) Exceptions for processing transactions at consumer's request. The requirements for initial notice in § 146a.11(a)(2) (relating to initial privacy notice to consumers required), the opt out in §§ 146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to third parties), and service providers and joint marketing in § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with:
(1) Servicing or processing an insurance product or service that a consumer requests or authorizes.
(2) Maintaining or servicing the consumer's account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity.
(3) A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.
(4) Reinsurance or stop loss or excess loss insurance.
(b) Necessary to effect, administer or enforce a transaction. When used in this section, this means that the disclosure is required or is:
(1) One of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service.
(2) A usual, appropriate or acceptable method:
(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer's account in the ordinary course of providing the insurance product or service.
(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part.
(iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer's agent or broker.
(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party.
(v) To underwrite insurance at the consumer's request or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects or as otherwise required or specifically permitted by Federal or State law.
(vi) In connection with:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means.
(B) The transfer of receivables, accounts or interests therein.
(C) The audit of debit, credit or other payment information.
§ 146a.33. Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.
(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 146a.11(a)(2) (relating to initial privacy notice to consumers required) the opt out in §§ 146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to third parties), and service providers and joint marketing in § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) do not apply when a licensee discloses nonpublic personal financial information:
(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.
(2) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product or transaction.
(3) To protect against or prevent actual or potential fraud or unauthorized transactions.
(4) For required institutional risk control or for resolving consumer disputes or inquiries.
(5) To persons holding a legal or beneficial interest relating to the consumer.
(6) To persons acting in a fiduciary or representative capacity on behalf of the consumer.
(7) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants and auditors.
(8) To the extent specifically permitted or required under other provisions of law and in accordance with the Federal Right to Financial Privacy Act of 1978 (12 U.S.C.A. §§ 3401--3422), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C.A. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C.A. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety.
(9) To a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--1681u). From a consumer report reported by a consumer reporting agency.
(10) In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.
(11) To comply with Federal, state or local laws, rules and other applicable legal requirements.
(12) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, state or local authorities.
(13) To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.
(14) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers' compensation plan.
(b) Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 146a.14(f) (relating to form of opt out notice to consumers and opt out methods).
Subchapter E. ADDITIONAL PROVISIONS Sec.
146a.41. Protection of Fair Credit Reporting Act. 146a.42. Nondiscrimination. 146a.43. Violation. 146a.44. Effective date. § 146a.41. Protection of Fair Credit Reporting Act.
This chapter will not be construed to modify, limit or supersede the operation of the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--1681u), and no inference may be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under section 603 of that act (15 U.S.C.A. § 1681a).
§ 146a.42. Nondiscrimination.
A licensee may not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his nonpublic personal financial information under this chapter.
§ 146a.43. Violation.
Violations of this chapter are deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to all penalties contained in sections 9--11 of the Unfair Insurance Practices Act (40 P. S. §§ 1171.9--1171.11)
§ 146a.44. Effective date.
(a) Effective date. This chapter is effective July 1, 2001.
(b) Notice requirements.
(1) Consumers who are the licensee's customers on the effective date. By July 1, 2001, a licensee shall provide an initial notice, as required by § 146a.11 (relating to initial privacy notice to consumers required), to consumers who are the licensee's customers on July 1, 2001.
(2) Example. A licensee provides an initial notice to consumers who are its customers on July 1, 2001, if, by that date, the licensee has established a system for providing an initial notice to all new customers and has mailed the initial notice to all the licensee's existing customers.
(c) Two-year grandfathering of service agreements. Until July 1, 2002, a contract that a licensee has entered into with a third party to perform services for the licensee or functions on the licensee's behalf satisfies the provisions of § 146a.31(a)(1)(ii) (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing), even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the licensee entered into the agreement on or before July 1, 2000.
APPENDIX A--SAMPLE CLAUSES Licensees, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. (Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the Federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.)
A-1--Categories of information a licensee collects (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(1) to describe the categories of nonpublic personal information the licensee collects.
Sample Clause A-1:
We collect nonpublic personal information about you from the following sources:
* Information we receive from you on applications or other forms.
* Information about your transactions with us, our affiliates or others.
* Information we receive from a consumer reporting agency.
A-2--Categories of information a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use one of these clauses, as applicable, to meet the requirement of § 146a.13(a)(2) to describe the categories of nonpublic personal information the licensee discloses. The licensee may use these clauses if it discloses nonpublic personal information other than as permitted by the exceptions in §§ 146a.31, 146a.32 and 146a.33.
Sample Clause A-2, Alternative 1:
We may disclose the following kinds of nonpublic personal information about you:
* Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ''your name, address, social security number, assets, income, and beneficiaries''].
* Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as ''your policy coverage, premiums, and payment history''].
* Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as ''your creditworthiness and credit history''].
Sample Clause A-2, Alternative 2:
We may disclose all of the information that we collect, as described [describe location in the notice, such as ''above'' or ''below''].
A-3--Categories of information a licensee discloses and parties to whom the licensee discloses (institutions that do not disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirements of §§ 146a.13(a)(2), (3) and (4) to describe the categories of nonpublic personal information about customers and former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses. A licensee may use this clause if the licensee does not disclose nonpublic personal information to any party, other than as permitted by the exceptions in §§ 146a.32 and 146a.33.
Sample Clause A-3:
We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.
A-4--Categories of parties to whom a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information. This clause may be used if the licensee discloses nonpublic personal information other than as permitted by the exceptions in §§ 146a.31, 146a.32 and 146a.33, as well as when permitted by the exceptions in §§ 146a.32 and 146a.33.
Sample Clause A-4:
We may disclose nonpublic personal information about you to the following types of third parties:
* Financial service providers, such as [provide illustrative examples, such as ''life insurers, automobile insurers, mortgage bankers, securities broker-dealers, and insurance agents''].
* Non-financial companies, such as [provide illustrative examples, such as ''retailers, direct marketers, airlines, and publishers''].
* Others, such as [provide illustrative examples, such as ''non-profit organizations''].
We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.
A-5--Service provider/joint marketing exception
A licensee may use one of these clauses, as applicable, to meet the requirements of § 146a.13(a)(5) related to the exception for service providers and joint marketers in § 146a.31. If a licensee discloses nonpublic personal information under this exception, the licensee shall describe the categories of nonpublic personal information the licensee discloses and the categories of third parties with which the licensee has contracted.
Sample Clause A-5, Alternative 1:
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
* Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ''your name, address, social security number, assets, income, and beneficiaries''].
* Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as ''your policy coverage, premium, and payment history''].
* Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as ''your creditworthiness and credit history''].
Sample Clause A-5, Alternative 2:
We may disclose all of the information we collect, as described [describe location in the notice, such as ''above'' or ''below''] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
A-6--Explanation of opt out right (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(6) to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to third parties, including the method(s) by which the consumer may exercise that right. The licensee may use this clause if the licensee discloses nonpublic personal information other than as permitted by the exceptions in §§ 146a.31, 146a.32 and 146a.33.
Sample Clause A-6:
If you prefer that we not disclose nonpublic personal information about you to third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to third parties, you may [describe a reasonable means of opting out, such as ''call the following toll-free number: (insert number)].
A-7--Confidentiality and security (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(8) to describe its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Sample Clause A-7:
We restrict access to nonpublic personal information about you to [provide an appropriate description, such as ''those employees who need to know that information to provide products or services to you'']. We maintain physical, electronic, and procedural safeguards that comply with Federal regulations to guard your nonpublic personal information.
[Pa.B. Doc. No. 01-550. Filed for public inspection March 30, 2001, 9:00 a.m.]
