[31 PA. CODE CH. 146a] Privacy of Consumer Financial Information [31 Pa.B. 4426] The Insurance Department (Department) adopts Chapter 146a (relating to privacy of consumer financial information) to read as set forth in Annex A.
Statutory Authority
These final-form regulations are adopted under the Department's general rulemaking authority of sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P. S. §§ 66, 186, 411 and 412). Likewise, the adoption of this final-form rulemaking is under the Department's rulemaking authority under the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.14) (act) (as such authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977)), because the Commissioner has determined that the improper disclosure or marketing, or both, of nonpublic personal financial information by members of the insurance industry constitutes an unfair method of competition and an unfair or deceptive act or practice.
Comments and Response
Notice of proposed rulemaking was published at 31 Pa.B. 1748 (March 31, 2001) with a 30-day comment period. During the 30-day comment period, comments were received from the Alliance of American Insurers (AAI), the American Insurance Association (AIA), Capital Blue Cross (CBC), Farmers' Insurance Group (Farmers'), Harleysville Insurance Group (Harleysville), Highmark, Inc. (Highmark), Independence Blue Cross (IBC), the Independent Insurance Agents of Pennsylvania (co-author) and the Pennsylvania Association of Insurance and Financial Advisors (co-author) (IIAP/PAIFA), the Insurance Federation of Pennsylvania, Inc. (IFP), the Pennsylvania Association of Mutual Insurance Companies (PAMIC), the Pennsylvania Bankers Association (PBA) and the Professional Insurance Agents of Pennsylvania, Maryland and Delaware (PIA).
On May 11, 2001, the Department shared with these and other interested parties an advance draft of the Department's final-form privacy regulations, which incorporated several important changes based upon the comments received during the initial comment period. In addition, the Department requested that interested parties provide additional comments based upon the advance draft of the final form privacy regulation. AAI, AIA, Highmark, IBC, IIAP/PAIFA, IFP, the National Association of Independent Insurers (NAII) (which provided no initial comment on the proposed privacy regulation), PAMIC, PBA, the Pennsylvania Association of Health Underwriters (PAHU) (which provided no initial comment on the proposed privacy regulation) and PIA provided the Department with comments. In conjunction with this request for additional comments on the advance draft of the final-form regulations, the Department held a stakeholder meeting on May 18, 2001, with many of the previously mentioned parties in attendance. The comments received as a result of this additional comment period on the advance draft of the final-form regulations will be addressed only if different from the initial comments provided by the various stakeholders. If the second comment is the same as the initial comment, the Department will make only one response in this Preamble. Comments on the advance draft of the final-form regulations that are different from the initial comments on the proposed regulations submitted by an interested party are denoted with the number 2 in parenthesis (2) after the commentators name.
During its regulatory review, the Independent Regulatory Review Commission (IRRC) also submitted comments to the Department. The following is a response to those comments as well as the public comments received by the Department in response to its proposed rulemaking and any additional comments submitted under the May 18, 2001, stakeholder meeting.
General Comments
Affiliate Information Sharing In the proposed regulations, the Department deviated from the National Association of Insurance Commissioners Model Regulation for the Privacy of Consumer Financial Information (NAIC Model) (adopted by the NAIC on September 26, 2000) by prohibiting the sharing of information without providing consumers with a notice and an opportunity to opt out for both affiliate and nonaffiliate sharing. This deviation was made because of the Department's initial interpretation of section 648 of the Insurance Department Act of 1921 (40 P. S. § 288) (Act 40) as potentially being applicable to the same activities as the privacy regulation with regard to financial institutions. Almost all of the commentators and IRRC agreed that the Department needed to reinstate the distinction between affiliate and nonaffiliate information sharing throughout the rulemaking, as in the NAIC Model, which allows affiliate information sharing without providing consumers with a notice and an opportunity to opt out. The primary reasons cited by the interested parties was the need for uniformity among the various states' privacy regulations, and the interference the restrictions on affiliate information sharing would potentially cause in the insurance industry.
In addition, when the Department initially removed the distinction between affiliate and nonaffiliate sharing in its proposed regulation, the privacy rulemaking then governed the sharing of information among any third parties. Because the term ''third party'' was undefined in the regulations, IBC(2) asked that the Department more precisely describe the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties.
The Department agrees with the comments received, and has restored the distinction between affiliate and nonaffiliate information sharing as found in the NAIC Model. Although the Department had initially adopted a much narrower construction of Act 40, the principles of statutory construction do support a broader reading of that statute. Rather than applying to similar transactions, Act 40's privacy provision applies only to customer information (as defined in 40 P. S. § 231) gathered as a result of a financial institution's lending activities. The privacy regulations, on the other hand, applies to nonpublic personal financial information (as defined in § 146a.2 (relating to definitions)) gathered as a result of a financial institution's or other licensee's insurance activities. Therefore, because Act 40 and the privacy regulations govern separate transactions and different types of information, one is not affected by the other and the Department has restored the NAIC Model's distinction between nonaffiliate information sharing (which requires a notice and an opportunity to opt out) and affiliate information sharing (which can be done without complying with the notice or opt out procedures). However, the Department has also amended § 146a.41 (relating to effect on other laws) to recognize that financial institutions must still comply with Act 40's privacy provision for any transaction governed by that statute.
Workers' Compensation Insurance A number of insurers and trade associations have recommended the deletion of workers' compensation insurance from within the purview of these regulations, noting that it is not a product or service for ''personal, family or household purposes'' as envisioned in the Gramm-Leach-Bliley Act (15 U.S.C.A. §§ 6801--6827) (GLBA). Also, the commentators sought clarification from both the Department and the Department of Labor and Industry (L&I), that these regulations do not interfere with the proper processing and examination of workers' compensation claims and settlements.
However, if workers' compensation is to be included in the scope of the final-form rulemaking, the commentators suggested that these regulations should refer to ''policyholders'' and ''claimants,'' not ''participant'' and ''beneficiaries,'' to be consistent with existing workers' compensation laws and terminology.
The Department has retained its inclusion of workers' compensation insurance in this final-form rulemaking. First, it is necessary to note that section 507 of the GLBA (15 U.S.C.A. § 6807) explicitly allows states to afford any person greater protection than that provided in the GLBA or in the Federal banking privacy regulations promulgated under Title V of the GLBA. See, for example, 12 CFR 40.1 et seq. (Office of the Comptroller of Currency privacy regulations) and 12 CFR 216.1 et seq. (Federal Board of Governors of the Federal Reserve System privacy regulations). Therefore, the GLBA not only allows, but envisions, states providing broader insurance privacy protection, as well as affording privacy protection to classes of persons not addressed in the GLBA or the Federal banking regulations.
Also, in some respects, claimants under a workers' compensation insurance policy do receive a ''personal service'' from licensees for the recovery of their personal income. Therefore, the Department asserts that workers' compensation claimants are properly within the scope of these privacy regulations.
In addition, it is important to note that claimants under a workers' compensation insurance plan generally are unable choose the licensees with whom they transact business. Rather, that choice is made by their employer, who is the policyholder in the workers' compensation insurance plan. Unlike ''consumers'' and ''customers'' (as defined in § 146a.2) who are able to choose the licensees with whom they transact business, workers' compensation insurance claimants are unable to ''shop around'' for licensees to choose one with a licensee that has a privacy policy that suits their needs. Therefore, workers' compensation insurance claimants are entitled to protection under these privacy regulations.
Finally, the Department has met with and discussed this rulemaking with L&I, and they agree that workers' compensation insurance is properly covered within the scope of these regulations.
The Department does agree, however, with the commentators' suggestion that the term ''claimant'' be substituted for ''beneficiary'' and the term ''policyholder'' replace ''participant'' in the regulations. To make the regulation consistent with existing workers' compensation terminology, these changes have been made in the final-form regulations.
Assigned Risk Producers Typically, assigned risk producers are not appointed insurance agents of the insurance carrier that is ultimately assigned to take on an assigned risk customer with whom the producer is working. For this reason, IFP recommended that assigned risk producers be considered ''agents'' of the assigned risk insurance carrier for the purpose of these regulations. Otherwise, IFP asserted that these producers would not be affiliates of the assigned risk insurance carriers and they would not be entitled to the agent exception under § 146a.2 definition of ''licensee,'' subparagraph (iii).
The Department believes that no additional changes need to be made to the final-form regulations, as this issue is readily addressed in the regulations as presently written. In § 146a.2, an agent need not comply with the opt out and notice requirements of the regulations if the principle for whom they are acting satisfies all of the requirements of the regulations, and the agent does not otherwise disclose the individual's nonpublic personal financial information. The term ''agent'' as used in this section of the regulations is not limited to insurance agents who have an appointment with an insurance carrier. Rather, the term is broader and applies to any agent acting on behalf of a principal. Therefore, despite the fact that an assigned risk agent may not necessarily have an appointment with the insurer that ultimately issues the policy (as ''agent'' is defined in the insurance laws), the licensee would still be an agent (under the broader, common law definition of an ''agent'') of the insurer and would be entitled to the exception in the regulation's definition of ''licensee.''
Also, in this situation, although the assigned risk producer would not necessarily be considered an ''affiliate'' as that term is defined in § 146a.2, the producers would be able to receive and convey a consumer's nonpublic personal financial information under any of the exceptions in §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information) without triggering the notice and opt out requirements.
Claims Servicing and Administration IFP also suggested that the regulations need clarification that the requirements, under the GLBA, are directed only at sharing nonpublic personal financial information for marketing purposes, and not information sharing for the purpose of claims administration.
The Department asserts that the final-form regulations are abundantly clear that information sharing that is associated with claims administration is exempted from the requirements of the regulations. For example, § 146a.32(a) explicitly states that the notice and opt out requirements of the regulations do not apply ''if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction'' that is authorized by the consumer or in connection with a processing or servicing transaction. Section 146a.32(b)(2)(ii) further defines ''necessary to effect, administer or enforce a transaction'' to include a usual, appropriate or acceptable method ''to administer or service benefits or claims relating to the transaction.'' Therefore, it is abundantly clear that the notice and opt out requirements of these final-form regulations do not attach to information sharing associated with claims servicing and administration. However, the Department has added additional language proposed by IFP in § 146a.32(b)(2)(iii) to clarify that an agent's involvement in claims administration or servicing is also exempt from the regulation's notice and opt out requirements.
Agent Liability for Principal Disclosures or Failure to Comply The IIAP/PAIFA commented that the regulations do not appear to include a limit on an agent's liability if an insurance company violates terms of the GLBA or of the regulations. These commentators provide the example that an agent may be required by an insurance carrier to obtain and transmit a consumer's Social Security number in order for the insurer to obtain MVRs, credit scores, and the like, as part of underwriting. If an employee of that carrier uses that consumer's Social Security number (which is considered nonpublic personal financial information) in a fraudulent or improper manner, then IIAP/PAIFA believe that both the agent and the company may ultimately be held liable. These commentators believe that agents may be forced to incur significant legal expense just to distance themselves from the improper disclosure made by the carrier employee in this situation. Therefore, it has been suggested that agent's be exempt from liability if they justifiably rely on the principal's satisfaction of the regulations' requirements under § 146a.2, definition of ''licensee,'' subparagraph (iii) or if a principal violates the regulations by disclosing nonpublic personal financial information that was initially collected and conveyed to the principal by the agent.
In addition, the PIA suggested that principal should be required to inform agents of its notice and opt out procedures to the policyholders and confirm that the regulatory requirements of this rulemaking have been satisfied under § 146a.2, definition of ''licensee,'' subparagraph (iii). PIA(2) also requested that if the Department should not decide to address the notification provision then the Department should make known its enforcement position, in writing, for handling any enforcement actions that might arise as a result of a principal's failure to satisfy the regulations' requirements and the agent's reliance thereon.
The Department has not included this exemption from liability in the final-form regulations and asserts that this issue is best addressed individually between the agent and any principals for whom it transacts the business of insurance. Agents are able to have proper indemnification clauses negotiated into their contracts with their principals in order to avoid liability for the principal's improper disclosure of nonpublic personal financial information that was initially collected and conveyed to the principal by the agent.
To address PIA's comment, the issue of notification of a principal's privacy regulations compliance is also a matter that is best addressed between the agent and the principal rather than in the privacy regulation itself. As far as any potential enforcement action in this regard is concerned, if an agent is able to adequately demonstrate to the Department's satisfaction that it justifiably relied upon the principal's agreement to comply with the regulations' requirements on behalf of the agent and no disclosure has actually been made by the agent itself, then it is likely that no enforcement action would be taken against the agent.
Health Information The PAHU(2) commented that because agents may know health information or act as an advocate when there is a claim dispute or question, there will not be sufficient time to get an authorization signed before the agent can discuss their problem with an insurance carrier.
As explained in greater detail in the Preamble to the proposed rulemaking at 31 Pa.B. 1748, health information privacy will be the subject of a separate rulemaking that the Department intends to promulgate shortly after the final publication of this rulemaking.
Section 146a.1. Purpose.
AAI commented that § 146a.1 improperly applies to ''claimants or beneficiaries'' and that it directly conflicts with Title V of the GLBA's exemption for ''processing insurance claims.'' AAI stated that claimants and beneficiaries do not obtain any product, are not policyholders and therefore should not be included within the purview of the regulations' privacy protections. AAI also recommended the revision of § 146a.1(b) by deleting the reference to ''claimants or beneficiaries.''
IRRC also had similar concerns with the privacy regulations' application to claimants and beneficiaries, and requested that the Department explain its rationale for the inclusion of claimants and beneficiaries within the purview of the regulations' privacy protections.
The Department is unwilling to delete the reference to ''claimants and beneficiaries'' in § 146a.1 of the final-form regulations. Claimants and beneficiaries are properly included within the scope of the regulations, in that they do obtain services from licensees, namely the payment and processing of any claims that they may have against an insurance policy maintained by the licensee. Further, it is clear that licensees will obtain nonpublic personal financial information from claimants and beneficiaries, and these persons should not be excluded from the regulation merely because they do not have a direct contractual relationship with the licensee.
Finally, as with workers' compensation insurance claimants, claimants and beneficiaries are unable to choose the licensees with whom they transact business, and therefore have a licensee's privacy policies imposed upon them. Because of this, the protection of nonpublic personal financial information of claimants and beneficiaries is crucial to provide them with notice of a licensee's privacy policies and an opportunity to opt out of any unwanted disclosures of their nonpublic personal financial information.
Harleysville suggested that reliance upon Act 40, to any extent, as authority for this rulemaking is problematic, not only in regard to the originally proposed health information provisions, but also in regard to the opt out regimes of the regulations. Therefore, Harleysville suggested that every effort should be extended, as part of the rulemaking, not to go beyond the parameters set forth in the GLBA. This commentator also noted that the NAIC Model is not the appropriate authority for the regulation because it is at odds with clear Congressional intent as provided in GLBA.
The Department respectfully disagrees with Harleysville's comments. The Department does not rely on Act 40 for its statutory authority to promulgate this final-form rulemaking. Rather, the Department's statutory authority lies in the general rulemaking authority of sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 and the Department's rulemaking authority under the act (as such authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977)). In fact, the Department has now determined that Act 40's privacy provision (40 P. S. § 288) applies only to a financial institution's lending activities, while this privacy regulation applies to a financial institution's or other licensee's insurance activities.
Also, as previously explained, section 507 of the GLBA clearly authorizes states to be more protective of nonpublic personal financial information. Therefore, the Department is wholly authorized to go beyond the parameters set forth in the GLBA.
Finally, the NAIC Model is not at odds with the GLBA because it provides greater protection to the privacy of insurance consumers' nonpublic personal financial information. Also, the NAIC Model represents a reasonable regulatory scheme for the protection of nonpublic personal financial information, and the NAIC Model was thoughtfully developed after months of deliberation and extensive contributions from both consumers and representatives of the insurance industry.
PIA stated that in § 146a.1, the regulation limits the applicability to personal lines of insurance. Questions arise when commercial policies have more than one purpose. For example, personal umbrella coverages may be added by endorsements to commercial umbrella policies, or personal automobiles may be covered by commercial policies. The PIA believes that the regulation should be made clearer in these types of circumstances.
As explained at the stakeholders meeting on May 18, 2001, this rulemaking provides the general framework for the protection of nonpublic personal financial information. Specific questions such as those posed by the PIA are best addressed in the implementation phase of this rulemaking rather than in the text of the rulemaking itself. The Department intends to provide guidance to the insurance industry on questions such as this by developing a formal question and answer procedure, meeting with the industry to address any issues that may arise in the implementation of this regulation and through the assistance of the Department's market surveillance unit.
IRRC questioned the need for § 146a.1 and requested a clarification of certain aspects of that provision. IRRC commented that subsection (a) states the regulations govern the treatment of nonpublic personal financial information about individuals. Similarly, subsection (b) states that the chapter applies to nonpublic personal financial information. IRRC noted, however, that the term ''nonpublic personal financial information'' is not defined in § 146a.2. Instead, the terms ''nonpublic personal information'' and 11personally identifiable financial information'' are defined. Given the stated purpose and scope of the regulation, IRRC recommended that either the terms in § 146a.1 be modified or that the term nonpublic personal financial information be defined in § 146a.2 and used consistently throughout the regulations. Other commentators also raised this issue with the Department.
The Department agrees that the regulations lacked consistency in the use of the terms ''nonpublic personal information'' and ''nonpublic personal financial information.'' To remedy this inconsistency, the Department has changed the definition of ''nonpublic personal information'' to ''nonpublic personal financial information'' and any reference throughout the regulations to ''nonpublic personal information'' was changed to ''nonpublic personal financial information.''
Subsection (d) clarifies that the examples contained in the regulation are illustrative and do not restrict the scope of Chapter 146a. IRRC noted that the language in this subsection, however, varies from section 3 of the NAIC Model. Given the Department's stated goal of implementing the NAIC Model ''as closely as possible,'' why is the proposed language different from the NAIC Model language?
The Department has modified this language in the NAIC Model because it is reluctant to limit its enforcement authority of the regulations. The examples throughout the regulations are provided only to explain or clarify the rules set forth in the regulations and to act as guidance for entities that must comply with the regulations. While strict compliance with the examples might constitute a ''safe harbor'' in some instances, other situations may arise where licensees could potentially misconstrue or extend the examples in ways that the Department would not necessarily consider as complying with the regulation. Therefore, the Department modified the NIAC Model to indicate that the examples are provided for guidance or clarification purposes.
Section 146a.2. Definition of ''company.''
The PIA(2) believes the phrase ''similar organization'' in the regulations' definition of ''company'' should be changed to ''similar entity.''
The Department believes that its use of the phrase ''similar organization'' is essentially identical to the PIA's suggestion for the use of to ''similar entity,'' and has not made this change in its final-form rulemaking.
Section 146a.2. Definition of ''consumer.''
Comments from the IBC, PBA and IRRC suggested the need for clarification in the definition of ''consumer'' in the final-form regulations. Also, the CBC believes that the Department should eliminate any requirement to send notices to the individual members covered by group contracts.
The Department has clarified the definition of ''consumer'' in its final-form regulations by moving language in subparagraph (iv)(E) to the prefatory language in subparagraph (iv). In response to the CBC's comment, there is no requirement that notices be sent to the individuals covered by group insurance contracts or workers' compensation plans if a licensee does not disclose nonpublic personal financial information about the individuals outside of the permitted exceptions in §§ 146a.31, 146a.32 and 146a.33 and the group policyholder or contract holder receives any applicable notices required by the regulations. This ''exception'' for individuals covered by a group insurance contract or workers' compensation plan is found in the definition of ''consumer'' subparagraph (v), and adequately addresses IBC's comment.
Section 146a.2. Definition of ''control.''
Farmers' believes clarification is needed to make certain that contractual control is included in the proposed regulations. Current practices in the insurance industry and language in existing insurance laws provide support that exchanges and management companies are affiliates. Farmers' would like clarification to confirm that control can be established through management contracts, so as to minimize their risk while developing a structure that permits nonpersonal public information to be disclosed between an exchange and its administrative manager.
PAMIC initially commented on the proposed regulation that it the NAIC definition of ''control'' should be restored in the final-form regulation. This change was made in the advance draft of the final-form regulation, which prompted IFP(2) to comment that it would like the Department to reinstate the original 10% standard included in the proposed draft of the regulations.
In response to Farmers' comments, the Department believes that the definition of ''control'' in the final-form regulations, and specifically subparagraph (iii) of that definition, is sufficiently broad to cover contractual control such as through management contracts.
In response to IFP's comments, the Department believes that it was required to reinstate the NAIC's definition of ''control'' when it restored the provisions allowing affiliate information sharing. If the 10% standard of the Holding Company Law were retained as in the proposed regulations, it is possible that the Department's regulations would not meet the minimum privacy standards required by the GLBA, as the entities meeting the definition of affiliate would be greater and there would be more information sharing permitted without compliance with the regulations' opt out and notice requirements. Therefore, the Department has restored the definition of ''control'' to that found in the NAIC Model.
Section 146a.2. Definition of ''customer.''
The AIA and IFP recommended adding a sentence to the definition of ''customer'' to confirm that a consumer's status as a beneficiary or claimant alone does not make that consumer a licensee's ''customer'' (as defined in the final-form rulemaking). They suggested that the new sentence added to the definition would read: ''In no event, however, shall a beneficiary or a claimant under a policy of insurance, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for purposes of this regulation.'' The AIA and IFP suggest that the additional sentence is consistent with the NAIC Model Regulation (see §§ 4F(2)(d) & 4J(2)(b)(iv), (v)) and the FAQs recently released by the NAIC. Furthermore, the AIA and IFP noted that the additional language it proposed is identical to the confirming sentence added to the final version of the National Conference of Insurance Legislators (NCOIL) Privacy Model.
The Department believes that the final-form regulations are abundantly clear that merely because a person is a claimant or beneficiary, that person is not necessarily a customer. However, there are instances when a claimant or beneficiary could become a customer when a long-term relationship is developed between the claimant or beneficiary and the licensee. Also, the definition of ''customer'' is of central importance to the regulatory scheme established by the NAIC Model, and there is no additional language in the NAIC Model. Therefore, in order to preserve National uniformity, no change has been made to the definition of ''customer'' in the final-form regulations with regard to this issue.
Section 146a.2. Definition of ''customer relationship.''
AIA and IFP recommended deleting the word ''airline'' in examples listed in the regulations' definition of ''customer relationship'' relating to situations that do not constitute a ''customer relationship'' (see subparagraph (ii)(B)). They wanted the provision to read as follows: ''The licensee sells the consumer travel insurance in an isolated transaction.''
It is important to note that airline insurance is used in the regulations only as an example of a situation that clearly does not give rise to a customer relationship. That is because airline insurance generally exists for only a short duration, and there is commonly no long-term customer relationship developed between the airline insurance carrier or agent and the consumer. Travel insurance, on the other hand, is not as clear an example as airline insurance because this type of insurance covers a broader spectrum of products, which may lead to the development of a long-term customer relationship between the consumer and the travel insurance carrier or agent. For example, travel insurance may include a health insurance component covering any illnesses or injuries sustained by a consumer while traveling. If the illness or injury were to have a long-term impact on the life of the consumer, a long-term customer relationship might develop between the travel insurance consumer and the licensee. Therefore, although the Department recognizes that there are situations where travel insurance (as opposed to airline travel insurance) might not give rise to a customer relationship, some types of travel insurance may involve long-term relationships, so the Department has not modified the airline travel insurance example in the regulation's definition of ''customer relationship.''
The IBC(2) believed that the Department inadvertently used the term ''invalid'' in the first sentence of the section relating to a customer's last known address, and requested that this be changed.
The thrust of this provision is to exclude consumers whose last known address has been deemed invalid from the definition ''customer relationship.'' Otherwise, licensees would be expected to comply with the annual notice requirements for customers' whose last known address has been deemed invalid. Therefore the use of the term ''invalid'' is proper. However, the Department agrees that this language lacks clarity and has deleted the phrase ''for the purposes of this regulation'' from the start of the first sentence in subparagraph (ii)(H) in the definition of customer relationship, and has moved that phrase to the start of the second sentence in that clause.
Section 146a.2. Definition of ''licensee.''
CBC believed that the reference in the definition of ''licensee'' to ''entities licensed, authorized or registered under the insurance laws'' was too vague, and recommended that the definition be revised to more specifically identify by category the specific entities subject to the regulations.
The Department has retained this language in its final-form regulations because it is necessary to capture all of the Department's licensees. Also, this language is more efficient than specifically listing all of the licensees of the Department that are subject to the requirements of these regulations, and this list would have to be modified any time the Department licenses a new category or type of insurance entity.
With regard to the quoted privacy notice text for surplus lines entities, the AIA suggested that the text not be provided in all capital letters. The AIA stated that the identical language in the NAIC Model is not printed in all capital letters and asserts that if this notice language remains in all capital letters, it may be inconsistent with other jurisdictions following the NAIC Model precisely, and surplus lines companies or brokers may be required to provide a separate Commonwealth notice.
The AIA's assertions made in its comment are inaccurate. The NAIC Model, does, in fact, set forth the privacy notice for surplus lines entities in all capital letters. Therefore, the Department has rejected this comment and has not modified the surplus lines notice in the definition of ''licensee'' in its final-form regulations.
Several commentators suggested that the Children's Health Insurance Program (CHIP), Medicaid and Medicare+Choice programs be specifically excluded from the definition of licensee. Also, the IBC(2) suggested that licensees that administer these programs be included in the exceptions, and that they not be subject to the requirements of the privacy regulations. The IBC believed that it was inconsistent to exclude the government agency that may provide nonpublic personal financial information to a licensee from the requirements of the regulations while requiring the licensee that administers the program to abide by the terms of the regulations.
Although the Department believes that the CHIP, Medicaid and Medicare+Choice programs would not be subject to the privacy regulations without a specific exception because these programs are not licensed or required to be licensed by the Department, it has included specific exceptions for these programs in the definition of ''licensee.'' Please note, however, that this exception does not extend to entities that enroll participants through these programs. The Department does not agree with IBC that CHIP, Medicaid and Medicare+Choice enrollees are not entitled to the same protection as other consumers merely because they obtain their health insurance through these governmental assistance programs. Therefore, although there are exceptions for CHIP, Medicaid and Medicare+Choice in the definition of ''licensee,'' these exceptions do not extend to licensees who enroll participants through these programs.
IRRC and the PIA suggested that a definition for ''producer'' as used in the definition of ''licensee'' be made clearer in the final-form regulations. The PIA suggested that the term ''producer'' as used in the definition of ''licensee'' be defined as ''a person required to be licensed to sell, solicit or negotiate insurance.''
The term ''producer'' is commonly used and understood in the insurance industry to mean a person engaging in the activities of an insurance agent or an insurance broker. Also, the Department is currently undertaking the enactment of the NAIC Producer Licensing Model Act under Title III of the GLBA. This forthcoming statute will provide an extensive definition of the term ''producer.''
In § 146a.2(iii)(D), ''surplus lines broker'' is not defined anywhere in the laws of the Commonwealth, and the PIA was unsure as to the precise meaning of the term.
The Department has modified its definitions with regard to ''surplus lines licensees'' so that they are consistent with the definitions in Article XVI of the Insurance Company Law (40 P. S. §§ 991.1601--991.1625).
Section 146a.2. Definition of ''nonpublic personal information.''
The IFP, Highmark, PBA, IBC and AIA(2) recommended that the term ''health information'' should be added under the exclusions from definition of ''nonpublic personal information'' to clarify the scope of the regulations. IRRC also commented that health information should be excluded from the definition of ''nonpublic personal financial information.''
The IBC(2) also suggested that the Department adopt a definition of ''health insurance'' that is consistent with protected health information under HIPAA so that it will be much easier for insurers and providers to come into compliance with State privacy requirements.
The Department has included ''health information'' as an exception to nonpublic personal financial information, and has defined ''health information,'' ''health care'' and ''health care provider'' consistent with the NAIC Model. However, the Department would like to clarify that any financial information that is obtained in tandem with health information is protected pursuant to this regulation. Simply because ''nonpublic personal financial information'' is received or obtained in the context of other ''health information,'' the ''nonpublic personal financial information'' is still entitled to the full protections of this final-form rulemaking. As discussed previously, the Department intends to begin the process of promulgating a health component of the privacy regulation during the implementation phase of the final-form regulations.
The PBA(2) believed that the word ''mean'' should be used rather than ''include,'' as used in the NAIC Model. PBA asserted that using ''include'' might cause a question to arise as to whether ''other'' items might be included in the definition.
The Department agrees and has made this change in its final-form regulations.
Section 146a.2. Definition of ''personally identifiable financial information.''
The IFP suggested that the Department's reference to the definition of ''customer information'' in section 601 of Act 40 (40 P. S. § 231) is flawed, as that applies only to information of financial institutions.
The Department agrees and has removed the reference to ''customer information'' in the definition of personally identifiable financial information.
Section 146a.11. Initial privacy notice to consumers required.
The PIA and IRRC noted that § 146a.11(e)(ii) allows a customer to receive the initial notice at a later time provided that customer agrees to the delay. Both IRRC and the PIA believed that clarification was needed in this section, specifically, as to what constitutes a customer's agreement as well as what is satisfactory evidence of meeting the consented delay requirements.
The Department does not believe that it is necessary to specifically define what constitutes a customer's agreement to receive the initial notice at a time later than when the customer relationship is formed. Rather, the Department believes that it is best to leave flexibility for licensees to implement this provision of the regulations, and the Department will enforce this provision on a case-by-case basis, depending on the facts and circumstances surrounding evidencing the customer's agreement. Also, there is no definition of ''customer agreement'' in the NAIC Model, and in the interest of National uniformity, no definition will be included in the Department's final-form rulemaking.
Section 146a.12. Annual privacy notice to customers required.
The PAMIC expressed concerns with the annual notices. Their concern is that the requirement to send all customers an annual notice covers all licensees, and burdens that are inevitably placed on smaller companies are disproportionately larger in their operational impact than the burdens placed on larger companies.
The Department asserts that the annual notice serves an important function in the regulatory scheme developed by the privacy rulemaking, regardless of the size of the entity that is subject to the regulation's requirements. Therefore, the annual notice requirement has been retained in this final-form rulemaking. Also, because the annual notice may be mailed with other materials (such as a policy renewal or billing) that will already be delivered to customers irrespective of the privacy notice, the Department believes that the impact on smaller and larger licensees is similar.
Section 146a.13. Information to be included in privacy notices.
IRRC believed that § 146a.13 required clarification. Subsection (c)(2)(i) states that the requirements of § 146a.13(c) are satisfied if a licensee ''provides a few examples.'' Similar language is used in subsection (c)(3)(ii) that requires ''a few illustrative examples.'' IRRC suggested that these requirements are vague and that the regulations should specify the minimum number of examples required.
In response to IRRC's comment, the Department is reluctant to include a definite number of examples that would be required to comply with the regulations. Rather, the industry requires flexibility with regard to the drafting and development of its privacy notices, and to require a certain number would eliminate this much-needed flexibility. Instead, licensees should use an adequate number of examples to make the categories of information it discloses so that the notice is reasonably understandable (as defined in the definition of ''clear and conspicuous'' in § 146a.2). However, for the purpose of clarifying this final-form regulations, the Department has removed the phrase ''a few'' from both provisions identified by IRRC.
The IBC believed that the provision found in § 146a.13(d) pertaining to short form initial notices was in direct conflict with § 146a.11. Section 146a.11 does not require a licensee to provide an initial privacy notice to a consumer if the licensee: (1) does not disclose any nonpublic personal financial information about the consumer to a third party except as authorized by §§ 146a.32 and 146a.33; and (2) the licensee does not have a customer relationship with the customer. Section 146a.13(d) provides that a licensee may satisfy the initial notice requirements for consumers by providing a short form notice that is described in the regulation. According to the IBC, § 146a.13(d) was inconsistent with § 146a.11 and should be deleted.
The Department has not deleted § 146a.13(d), as the short form initial notice applies to both customers and consumers. While it is true that no initial notice may be required for consumers when a licensee does not intend to disclose that person's nonpublic personal financial information, an initial notice is required when a licensee does disclose a consumer's nonpublic personal financial information. The short form initial notice described in § 146a.13(d) allows for added flexibility in this situation and cannot be deleted from the final-form regulations.
Section 146a.14. Form of opt out notice to consumers and opt out methods.
IRRC indicated that § 146a.14 also required clarification. Subsection (a)(1) requires a notice to be ''clear and conspicuous'' and provide a ''reasonable opt out means.'' Subsection (a)(2)(ii) and (iii) provide examples of reasonable and unreasonable opt out means that clearly relate to subsection (a)(1). However, subsection (a)(2)(i) and (iv) provide examples that describe ''adequate opt out notice'' and ''specific opt out means.'' IRRC commented that the regulation is unclear regarding what requirement the examples in subsection (a)(2)(i) and (iv) are describing.
Also, subsection (a)(2)(iv) was listed as an example based upon its placement under paragraph (a)(2) relating to examples. However, subsection (a)(2)(iv) stated ''a licensee may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.'' This is phrased as a requirement for ''specific opt out means,'' not an example. Subsection (a)(2)(iv) should be moved out of subsection (a)(2) and clarified.
In response to IRRC's comments and by way of clarification, the term ''clear and conspicuous'' is extensively defined in § 146a.2, and § 146a.14(a)(2)(i) merely provides an example of what information would be contained in an ''adequate'' opt out notice (that is, a notice is clear and conspicuous). As such, the Department has not made any changes in this regard to the final-form regulations.
The Department does agree, however, that § 146a.14(a)(2)(iv) is improperly included as an example, and the Department has renumbered subsection (a)(2)(iv) as subsection (a)(3) of § 146a.14.
Section 146a.16. Delivery of notices.
The PIA(2) stated that traditionally in insurance law, an offer is made in request by an individual applicant for coverage. In § 146a.16(b)(iv), notice is required to be given to each consumer when a ''quote'' is provided. The PIA would like to know the elements the Department considers to be part of a ''quote'' because of the apparent conflicting exempting language that appears regarding a transaction instituted at the request of a customer, and a quote traditionally is regarded as a reply to that offer to do business.
Although the Department has not included a definition of the term ''quote'' in the final-form regulations, as it believes such a definition is unnecessary, it will provide some clarification of § 146a.16(b)(iv). It is important to note that a consumer is required to receive an initial notice only if the licensee intends to disclose that consumer's nonpublic personal financial information other than as allowed under the regulations' permitted exceptions. Therefore, if in the context of providing a quote, a licensee does not intend to disclose the consumer's nonpublic personal financial information, no initial notice would be required. Section 146a.16(b)(iv) is not inconsistent with this scenario. Section 146a.16(b)(iv) merely provides an example of when an initial notice could be reasonably expected to be received by a consumer receiving a quote if the licensee is required to provide the notice. Section 146a.16(b)(iv) does not in any way impose an additional requirement that all consumers receiving a quote be provided an initial notice.
Section 146a.21. Limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties.
The AAI, AIA, Harleysville, IBC, IFP and PBA all believed that the double opt requirement in this provision extended beyond the scope of the GLBA and conflicts with the NAIC Model. IRRC also questioned the requirement for a second opt out notice. IRRC believed that the regulations should be consistent with the statute and recommended the deletion of the double opt out requirement.
As explained in greater detail previously, the Department now interprets Act 40 as applying to a financial institution's lending activities while the privacy regulation applies to a financial institution's or other licensee's insurance transactions. Therefore, consistent with the comments received, the Department has deleted § 146a.21(c)(3).
Section 146a.31. Exception to the opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
The CBC suggested that § 146a.31 be modified to mirror §§ 146a.32 and 146a.33 to provide that the exception applies to both the notice and the opt out requirements. IRRC also believed that § 146a.31 should be clarified because the exceptions in §§ 146a.32 and 146a.33 do not require initial notice under § 146a.11, while the exception in § 146a.31 maintains the requirement for an initial notice.
The Department has not modified § 146a.31 to be an exception to both the notice and opt out requirements as in §§ 146a.32 and 146a.33. Rather, the Department maintains that it is proper for consumers to receive notice that their nonpublic personal financial information is disclosed to nonaffiliated third party service providers and under joint marketing agreements, despite the fact that there is no opportunity to opt out of these disclosures. With this information, consumers may choose whether or not to engage in business with that licensee. The exceptions under §§ 146a.32 and 146a.33 do not require an initial notice because they are the exceptions that apply so that the requirements of the regulation do not interfere with the day to day transaction of the business of insurance. The exceptions in §§ 146a.32 and 146a.33 are necessary for licensees to transact business, while the exception in § 146a.31 is for sharing information with nonaffiliated third party service providers or joint marketing agreements, both of which are not necessary components of the business of insurance. Also, to be consistent with the NAIC Model and to promote National uniformity, no change has been made to this provision of the regulations.
Harleysville believed that the exceptions to the opt out requirements should be clarified to include claims processing and fraud investigation service providers as § 146a.31 exceptions. IRRC also noted that commentators stated that the exceptions from the opt out requirements should include claims processing and fraud investigation as exceptions in this section.
The Department has not specifically included claims processing and fraud investigation in the § 146a.31 exceptions because this exception is adequately addressed in §§ 146a.32 and 146a.33. Sections 146a.32 and 146a.33 specifically state that the requirements for service providers and joint marketing in § 146a.31 (that is, written agreement and initial notice) do not apply when a disclosure is made under one of the exceptions in §§ 146a.32 and 146a.33. Therefore, the exception for fraud investigation and claims processing performed by third parties is adequately addressed in §§ 146a.32 and 146a.33 and is not included in § 146a.31.
Section 146a.32. Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.
The AIA(2) recommended adding a new paragraph to § 146a.32 to explicitly allow for servicing policyholder accounts. The AIA asserted that this addition simply clarifies the regulatory intent to preserve the ability to service policyholder accounts.
The IFP also expressed a concern whether the exceptions to the notice and opt out requirements for processing and service transactions in § 146a.32 sufficiently cover all applicable situations. The IFP(2) provided the Department with language from South Dakota's privacy regulations under which an insurer's sharing information on a claim with its agents does not trigger privacy requirements with respect to claimants.
In its comments, the PAMIC stated that certain transactions should be authorized without delivery of privacy notice under § 146a.32, when the transaction is ''necessary to effect, administer, or enforce a transaction'' and authorized by the consumer.
Finally, the NAII(2) believed that, as drafted, § 146a.32 was not sufficient and the regulation would prohibit agents, producers and brokers to provide services to consumers because they would be denied access to necessary nonpublic personal financial information. Specifically, agents, producers and brokers are often asked to review claims and loss runs. The NAII believes that these services could no longer be performed by them under the present draft, and presented the Department with an amendment that is similar to the amendment suggested by the IFP.
In this final-form regulation, the Department has amended the language in § 146a.32(b)(2)(iii) and (v) as suggested by IFP and NAII. This additional language appears to be sufficient to address all of the comments raised on this issue.
Section 146a.33. Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.
Harleysville believed that exceptions should be expanded under subsection (a)(7), thereof, to include claims processing and fraud investigation service providers.
Fraud investigation and claims processing are adequately addressed as exceptions to the notice and opt out requirements in §§ 146a.32 and 146a.33.
Section 146a.42. Nondiscrimination.
The AAI believes that the regulation's nondiscrimination provision is not authorized by the GLBA and directly conflicts with Title V's insurance underwriting exemption. The AAI preferred language from the NCOIL version in this regard.
Section 146a.42, which prohibits discrimination against a consumer for exercising the opportunity to opt out, is not contrary to the GLBA. First, it is important to recall that section 507 of the GLBA authorizes state insurance regulators to provide greater protection to insurance consumers than those provided in the GLBA or the Federal banking privacy regulations. Also, the underwriting exception in the GLBA only applies to exempting the sharing of information for underwriting purposes, not for the purposes of unfairly discriminating against consumers who chose to exercise the rights conferred upon them by the regulation. Therefore, the Department has retained the regulation's nondiscrimination provision in its final-form rulemaking.
Section 146a.43. Violations.
The AIA recommended revising § 146a.43 as follows: ''Violations of this chapter may be deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and may be subject to a cease and desist order or to fines contained in sections 9--11 of the act (40 P. S. §§ 1171.9--1171.11).'' Suspending or revoking a license for noncompliance with this proposed rule is a drastic measure and should not be included.
Also, the IFP recommended deletion of this section as unnecessary. The IFP believed that the regulation is being promulgated under the act, so violations of it could only be prosecuted under that act. The IFP also believes that the Department wants to ''deem and define'' any violation of these regulations as a violation of the act. The bulk of the UIPA, however, penalizes patterns of conduct, not single acts, as done here. In addition, the IFP believed that while the Commissioner is given some discretion to expand the specific conduct listed in the UIPA, it is generally limited to conduct uncovered in an investigation, and its penalties come only after hearings.
Finally, the IIAP/PAIFA(2) wanted language in this section stating that producers who make a good faith effort to ensure insurer compliance with this regulation will be held harmless if an insurer is found to be noncompliant by the Department.
The Department has modified § 146a.43 to state that violations will be subject to ''any applicable penalties or remedies'' as opposed to ''all penalties'' contained in the UIPA. The concerns asserted by IIAP/PAIFA are addressed previously in this Preamble.
[Continued on next Web Page]
[Continued from previous Web Page] Section 146a.44. Effective date.
The CBC stated that they understand the importance of retaining the July 1, 2001, effective date for these regulations and that they appreciate the additional 6 months to come into compliance before enforcement. However, given the timing of the implementation of these regulations and the HIPAA regulation, the CBC has recommended that enforcement of these regulations coincide with the HIPAA Privacy April 14, 2003, compliance date.
Harleysville, Highmark, IBS, IFP, PAMIC and PBA expressed similar concerns with the compliance date of the regulations.
The Department has maintained the July 1, 2001, effective and compliance date in this final-form regulations. The Department has maintained this effective and compliance date to prevent the Federal preemption of insurance privacy laws in this Commonwealth under Title V of the GLBA. Also under the GLBA, the failure of a state to adopt a sufficient privacy regulation will result in the state's inability to override the Federal insurance consumer protection regulations that were issued by the Federal banking agencies in final-form on December 4, 2000, under section 305 of the GLBA. See 65 Fed. Reg. 233, 75821 (to be codified at 12 CFR Parts 14, 208, 343 and 536). These regulations will become effective on October 1, 2001, and they pertain generally to the sale of insurance by financial institutions and specifically to matters such as referral fees, separation of banking and insurance sales areas and disclosures regarding the nature of insurance products that are sold by banks. Because the counterpart Federal banking privacy regulations are effective on July 1, 2001, the Department is essentially required under the GLBA to maintain a similar effective date for its privacy regulation promulgated under Title V of the GLBA.
However, given that the regulations will have a retroactive effective date, the Department has committed to assisting the insurance industry in complying with the regulation, rather than strictly enforcing the regulation at the outset. For example, for the 6-month period following the effective date of the final-form regulations, the Department will engage in a formal question and answer procedure to address any concerns that are raised as a result of implementing this rulemaking. Also, the Department intends to utilize its market surveillance unit, as opposed to its market conduct or enforcement unit to assist the insurance industry with any compliance issues that may be encountered. Finally, the Department plans to meet with the industry to address any implementation problems that may arise.
Affected Parties
The rulemaking applies to all persons possessing a license issued by the Department, and all persons required to be licensed by the Department, unless specifically exempted.
Fiscal Impact
State Government
There will be no increase in cost to the Department due to the adoption of Chapter 146a.
General Public
There will be no fiscal impact to the public due to the adoption of Chapter 146a.
Political Subdivisions
The rulemaking will not impose additional costs on political subdivisions.
Private Sector
The rulemaking will impose additional costs of insurance companies, financial institutions and other nonexempted licensees doing the business of insurance in this Commonwealth. However, the adoption of this rulemaking will not be the cause of that additional cost. Insurance entities, financial institutions and other nonexempted licensees are required by Title V of the GLBA to comply with several statutory privacy requirements found in the Federal act. Title V of GLBA also requires various state and Federal regulators of the financial services industries to promulgate regulations for their respective regulated communities in order to further explain and define those statutory privacy requirements in the Federal act. For example, the Federal banking regulators (the Office of the Comptroller of the Currency (OCC)), the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the Board of Governors of the Federal Reserve System (BGFRS)) have already promulgated final-form regulations pertaining to the privacy of nonpublic personal financial information when such information is collected by the various Federal banking entities within their regulatory jurisdiction. See e.g. 12 CFR 40.1 et seq. (OCC regulations) and 12 CFR. 216.1 et seq. (BGFRS regulations). Therefore, the Federal requirements in the GLBA are the catalyst for the increase in the cost to insurers, financial institutions and other nonexempted licensees.
Paperwork
Unless specifically excluded under the § 146a.2 definition of licensee of the proposed rulemaking, the rulemaking will affect all licensees doing the business of insurance in this Commonwealth by imposing additional paperwork requirements pertaining to the delivery and tracking of opt out notices.
Effectiveness/Sunset Date
The final-form rulemaking will become effective July 1, 2001, as previously provided in Department Notice 2000-08 and as stated in § 146a.44.
Contact Person
Any questions regarding this final-form rulemaking, should be directed to Peter J. Salvatore, Regulatory Coordinator, Special Projects Office, 1326 Strawberry Square, Harrisburg, PA 17120, (717) 787-4429. In addition, questions may be e-mailed to psalvatore@state.pa.us or faxed to (717) 772-1969.
Regulatory Review
Under section 5(a) of the Regulatory Review Act, (71 P. S. § 745.5(a)), on March 21, 2001, the Department submitted a copy of this rulemaking to IRRC and to the Chairpersons of the House Insurance Committee and the Senate Banking and Insurance Committee. In addition to the submitted rulemaking, the Department has provided IRRC and the Committees with a copy of a detailed Regulatory Analysis Form prepared by the agency in compliance with Executive Order 1996-1, ''Regulatory Review and Promulgation.'' A copy of that material is available to the public upon request.
In preparing this final-form rulemaking, the Department considered all comments received from IRRC, the Committees and the public. This final-form rulemaking was deemed approved by the House and Senate Committees on July 5, 2001. In accordance with section 5a(d) of the Regulatory Review Act (71 P. S. § 745.5a(d)), IRRC met on July 12, 2001, and approved the final-form rulemaking in accordance with section 5.1(e) of the Regulatory Review Act.
Findings
The Commissioner finds that:
(1) Public notice of intention to adopt this rulemaking as amended by this order has been given under sections 201 and 202 of the act of July 31, 1968 (P. L. 769, No. 240) (45 P. S. §§ 1201 and 1202) and the regulations thereunder, 1 Pa. Code §§ 7.1 and 7.2.
(2) The adoption of this rulemaking in the manner provided in this order is necessary and appropriate for the administration and enforcement of the authorizing statutes.
Order
The Commissioner, acting under the authorizing statutes, orders that:
(1) The regulations of the Department, 31 Pa. Code, are amended by adding §§ 146a.1, 146a.2, 146a.11--146a.16, 146a.21--146a.23, 146a.31--146a.33 and 146a.41--146a.44 and Appendix A, to read as set forth in Annex A.
(2) The Commissioner shall submit this order and Annex A to the Office of General Counsel and Office of Attorney General for approval as to form and legality as required by law.
(3) The Commissioner shall certify this order and Annex A and deposit them with the Legislative Reference Bureau as required by law.
(4) The regulations adopted by this order shall take effect July 1, 2001
M. DIANE KOKEN,
Insurance Commissioner(Editor's Note: For the text of the order of the Independent Regulatory Review Commission relating to this order, see 31 Pa.B. 4136 (July 28, 2001).)
Fiscal Note: Fiscal Note 11-206 remains valid for the final adoption of the subject regulations.
Annex A TITLE 31. INSURANCE PART VIII. MISCELLANEOUS PROVISIONS CHAPTER 146a. PRIVACY OF CONSUMER FINANCIAL INFORMATION Subch.
A. GENERAL PROVISIONS B. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION C. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION D. EXCEPTIONS TO LIMITS ON DISCLOSURES OF NONPUBLIC PERSONAL FINANCIAL INFORMATION E. ADDITIONAL PROVISIONS Subchapter A. GENERAL PROVISIONS Sec.
146a.1. Purpose. 146a.2. Definitions. § 146a.1. Purpose.
(a) Purpose. This chapter governs the treatment of nonpublic personal financial information about individuals by various licensees of the Department. This chapter:
(1) Requires a licensee to provide notice to individuals about its privacy policies and practices.
(2) Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties.
(3) Provides methods for individuals to prevent a licensee from disclosing that information.
(b) Scope. This chapter applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. Unless otherwise specified, this chapter generally does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
(c) Compliance. A licensee domiciled in this Commonwealth that is in compliance with this chapter in a state that has not enacted laws or regulations that meet the requirements of Title V of the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) (15 U.S.C.A. §§ 6801--6827) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.
(d) Examples. The examples provided in this chapter are for illustrative purposes only and do not otherwise limit or restrict the scope of this chapter.
§ 146a.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context requires otherwise:
Act--The Insurance Department Act of 1921 (40 P. S. §§ 1--321)
Affiliate--A company that controls, is controlled by or is under common control with another company.
Clear and conspicuous--That a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice. Examples include:
(i) Reasonably understandable. A licensee makes its notice reasonably understandable if it does all of the following:
(A) Presents the information in the notice in clear, concise sentences, paragraphs and sections.
(B) Uses short explanatory sentences or bullet lists whenever possible.
(C) Uses definite, concrete, everyday words and active voice whenever possible.
(D) Avoids multiple negatives.
(E) Avoids legal and highly technical business terminology whenever possible.
(F) Avoids explanations that are imprecise and readily subject to different interpretations.
(ii) Designed to call attention. A licensee designs its notice to call attention to the nature and significance of the information in it if the licensee does all of the following:
(A) Uses a plain-language heading to call attention to the notice.
(B) Uses a typeface and type size that are easy to read.
(C) Provides wide margins and ample line spacing.
(D) Uses boldface or italics for key words.
(E) In a form that combines the licensee's notice with other information, uses distinctive type size, style and graphic devices, such as shading or sidebars.
(iii) Notices on websites. If a licensee provides a notice on a webpage, the licensee designs its notice to call attention to the nature and significance of the information in it if the licensee uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the website (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the licensee either:
(A) Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted.
(B) Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
Collect--To obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
Commissioner--The Insurance Commissioner of the Commonwealth.
Company--A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.
Consumer--An individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal financial information, or that individual's legal representative. Examples include:
(i) An individual who provides nonpublic personal financial information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.
(ii) An applicant for insurance prior to the inception of insurance coverage is a licensee's consumer.
(iii) An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
(iv) An individual about whom a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than as permitted under Subchapter D (relating to exceptions to limits on disclosures of nonpublic personal financial information) and the individual is one of the following:
(A) A beneficiary of a life insurance policy underwritten by the licensee.
(B) A claimant under an insurance policy issued by the licensee.
(C) An insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee.
(D) A mortgagor of a mortgage covered under a mortgage insurance policy.
(v) Provided that the licensee provides the initial, annual and revised notices under §§ 146a.11, 146a.12 and 146a.15 (relating to initial privacy notice to consumers required; annual privacy notice to customers required; and revised privacy notices) to the plan sponsor, group or blanket insurance policyholder, group annuity contractholder, or workers' compensation policyholder, and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under Subchapter D, an individual is not the consumer of the licensee solely because the individual is one of the following:
(A) A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary.
(B) Covered under a group or blanket insurance policy or group annuity contract issued by the licensee.
(C) A claimant in a workers' compensation plan.
(vi) The individuals described in subparagraph (v) are consumers of a licensee if the licensee does not meet all the conditions of subparagraph (v).
(vii) In no event shall the individuals, solely by virtue of the status described in subparagraph (v), be deemed to be customers for purposes of this chapter.
(viii) An individual is not a licensee's consumer solely because the individual is a beneficiary of a trust for which the licensee is a trustee.
(ix) An individual is not a licensee's consumer solely because the individual has designated the licensee as trustee for a trust.
Consumer reporting agency--The term has the same meaning as in section 603(f) of the Federal Fair Credit Reporting Act (15 U.S.C.A. § 1681a(f)).
Control--The term includes any of the following:
(i) Ownership, control or power to vote 25% or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons.
(ii) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company.
(iii) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as determined by the Commissioner.
Customer--A consumer who has a customer relationship with a licensee.
Customer relationship--A continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes. Examples are as follows:
(i) A consumer has a continuing relationship with a licensee if either:
(A) The consumer is a current policyholder of an insurance product issued by or through the licensee.
(B) The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
(ii) A consumer does not have a continuing relationship with a licensee if one of the following applies:
(A) The consumer applies for insurance but does not purchase the insurance.
(B) The licensee sells the consumer airline travel insurance in an isolated transaction.
(C) The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
(D) The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee.
(E) The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option.
(F) The customer's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12-consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or Federal authority, or promotional materials.
(G) The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity.
(H) The individual's last known address according to the licensee's records is deemed invalid. For the purposes of this section, an address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
Department--The Insurance Department of the Commonwealth.
Financial institution--An institution the business of which is engaging in activities that are financial in nature or incidental to the financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)). The term does not include the following:
(i) A person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C.A. §§ 1--25).
(ii) The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C.A. §§ 2001--2279cc).
(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal financial information to a nonaffiliated third party.
Financial product or service--A product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to the financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
Health care--The term includes the following:
(i) Preventative, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that either:
(A) Relates to the physical, mental or behavioral condition of an individual.
(B) Affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue.
(ii) Prescribing, dispensing or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.
Health care provider--A physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with State law, or a health care facility.
Health information--Any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer or customer that relates to one or more of the following:
(i) The past, present or future physical, mental or behavioral health or condition of an individual.
(ii) The provision of health care to an individual.
(iii) Payment for the provision of health care to an individual.
Insurance product or service--A product or service that is offered by a licensee under the insurance laws of the Commonwealth. Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.
Licensee--
(i) A licensed insurer, as defined in section 201-A of the act (40 P. S. § 65.1-A), a producer and other persons or entities licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under the act or The Insurance Company Law of 1921 (40 P. S. §§ 341--999), including health maintenance organizations holding a certificate of authority under section 201 of the Health Care Facilities Act (35 P. S. § 448.201).
(ii) The term does not include:
(A) Bail bondsmen as defined in 42 Pa.C.S. § 5741 (relating to definitions).
(B) Motor vehicle physical damage appraisers as defined in section 2 of the Motor Vehicle Physical Damage Appraiser Act (63 P. S. § 852) and § 62.1 (relating to definitions).
(C) Public adjusters as defined in section 1 of the act of December 20, 1983 (P. L. 260, No. 72) (63 P. S. § 1601) and § 115.1 (relating to definitions).
(D) An entity providing continuing care as defined in section 3 and licensed under section 4 of the Continuing-Care Provider Registration and Disclosure Act (40 P. S. §§ 3203 and 3204).
(iii) Subject to subparagraph (iv), the term does not include governmental health insurance programs such as the following:
(A) The Children's Health Insurance Program as provided for in the Children's Health Care Act (40 P. S. §§ 991.2301--991.2361).
(B) The Medicaid Program as provided for in 62 P. S. §§ 441.1--449.
(C) The Medicare+Choice Program as provided for in the Balanced Budget Act of 1997, sections 1851--1859, Medicare Part C under Title XVIII of the Social Security Act.
(iv) The term includes a licensee that enrolls, insures or otherwise provides insurance related services to participants that procure health insurance through a governmental health insurance program exempted under subparagraph (iii).
(v) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information in Subchapters A--D if the licensee is an employee, agent or other representative of another licensee (''the principal'') and both of the following apply:
(A) The principal otherwise complies with, and provides the notices required by, this chapter.
(B) The licensee does not disclose nonpublic personal financial information to any person other than the principal or its affiliates in a manner permitted by this chapter.
(vi) Subject to subparagraph (vii), the term ''licensee'' shall also include a nonadmitted insurer that accepts business placed through a surplus lines licensee (as defined in 40 P. S. § 991.1602 (relating to definition of surplus lines licensee)) in this Commonwealth, but only in regard to the surplus lines placements placed under Article XVI of The Insurance Company Law (40 P. S. §§ 991.1601--991.1625).
(vii) A surplus lines licensee or surplus lines insurer shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information in Subchapters A--D provided both of the following apply:
(A) The surplus lines licensee or insurer does not disclose nonpublic personal financial information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing), except as permitted by § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(B) The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:
Privacy Notice
''Neither the U. S. brokers that have handled this insurance nor the insurers that have underwritten this insurance will disclose nonpublic personal financial information concerning the buyer to nonaffiliated third parties except as permitted by law.''
Nonaffiliated third party--
(i) Any person except either:
(A) A licensee's affiliate.
(B) A person employed jointly by a licensee and any company that is not the licensee's affiliate (but nonaffiliated third party includes the other company that jointly employs the person).
(ii) Nonaffiliated third party includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Federal Bank Holding Company Act (12 U.S.C.A. §§ 1843(k)(4)(H) and (I)).
Nonpublic personal financial information--
(i) The term means the following:
(A) Personally identifiable financial information.
(B) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
(ii) The term does not include any of the following:
(A) Publicly available information, except as included on a list described in subparagraph (i)(B).
(B) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
(C) Health information.
(iii) Examples of lists are as follows:
(A) Nonpublic personal financial information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
(B) Nonpublic personal financial information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
Personally identifiable financial information--
(i) The term means any of the following:
(A) Information that a consumer provides to a licensee to obtain an insurance product or service from the licensee.
(B) Information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer.
(C) Information that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
(ii) Examples are as follows:
(A) Information included. Personally identifiable financial information includes:
(I) Information a consumer provides to a licensee on an application to obtain an insurance product or service.
(II) Account balance information and payment history.
(III) The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee.
(IV) Information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer.
(V) Information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
(VI) Information the licensee collects through an Internet cookie (an information-collecting device from a web server).
(VII) Information from a consumer report.
(B) Information not included. Personally identifiable financial information does not include:
(I) A list of names and addresses of customers of an entity that is not a financial institution.
(II) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
(III) Health information.
Publicly available information--Information that a licensee has a reasonable basis to believe is lawfully made available to the public from one or more of the following:
(i) Federal, State or local government records.
(ii) Widely distributed media.
(iii) Disclosures to the public that are required to be made by Federal, State or local law.
Reasonable basis--
(i) A licensee has a reasonable basis to believe that information is lawfully made available to the public if the licensee has taken steps to determine the following:
(A) That the information is of the type that is available to the public.
(B) Whether an individual can direct that the information not be made available to the public and, if so, that the licensee's consumer has not done so.
(ii) The term includes the following conditions:
(A) A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
(B) A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the public if the licensee has located the telephone number in the telephone book or the consumer has informed the licensee that the telephone number is not unlisted.
(iii) Examples are as follows:
(A) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.
(B) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a website that is available to the public on an unrestricted basis. A website is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the public.
Subchapter B. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION Sec.
146a.11. Initial privacy notice to consumers required. 146a.12. Annual privacy notice to customers required. 146a.13. Information to be included in privacy notices. 146a.14. Form of opt out notice to consumers and opt out methods. 146a.15. Revised privacy notices. 146a.16. Delivery. § 146a.11. Initial privacy notice to consumers required.
(a) Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:
(1) Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in subsection (e).
(2) Consumer. A consumer, before the licensee discloses nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(b) When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under subsection (a)(2) if either:
(1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by §§ 146a.32 and 146a.33, and the licensee does not have a customer relationship with the consumer.
(2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
(c) When the licensee establishes a customer relationship.
(1) General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship.
(2) Examples of establishing customer relationship. A licensee establishes a customer relationship when the consumer either:
(i) Becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an insurance producer or insurance broker, obtains insurance through that licensee.
(ii) Agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the licensee.
(d) Existing customers. When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, the licensee satisfies the initial notice requirements of subsection (a) in either of the following ways:
(1) The licensee may provide a revised policy notice, under § 146a.15 (relating to revised privacy notices), that covers the customer's new insurance product or service.
(2) If the initial, revised or annual notice that the licensee most recently provided to that customer was accurate with respect to the new insurance product or service, the licensee does not need to provide a new privacy notice under subsection (a).
(e) Exceptions to allow subsequent delivery of notice.
(1) A licensee may provide the initial notice required by subsection (a)(1) within a reasonable time after the licensee establishes a customer relationship if either of the following conditions is met:
(i) Establishing the customer relationship is not at the customer's election.
(ii) Providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
(2) Examples of exceptions are as follows:
(i) Not at customer's election. Establishing a customer relationship is not at the customer's election if a licensee acquires or is assigned a customer's policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee's acquisition or assignment.
(ii) Substantial delay of customer's transaction. Providing notice not later than when a licensee establishes a customer relationship would substantially delay the customer's transaction when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
(iii) No substantial delay of customer's transaction. Providing notice not later than when a licensee establishes a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at the licensee's office or through other means by which the customer may view the notice, such as on a website.
(f) Delivery. When a licensee is required to deliver an initial privacy notice by this section, the licensee shall deliver it according to § 146a.16 (relating to delivery). If the licensee uses a short-form initial notice for noncustomers according to § 146a.13(d), the licensee may deliver its privacy notice according to § 146a.13(d)(3).
§ 146a.12. Annual privacy notice to customers required.
(a) Notice.
(1) General rule. A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.
(2) Example. A licensee provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year 1, the licensee shall provide an annual notice to that customer by December 31 of year 2.
(b) Termination.
(1) Termination of customer relationship. A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.
(2) Examples.
(i) A licensee no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
(ii) A licensee no longer has a continuing relationship with an individual if the individual's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12-consecutive months, other than to provide annual privacy notices, material required by law or regulation, or promotional materials.
(iii) For the purposes of this section, a licensee no longer has a continuing relationship with an individual if the individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
(iv) A licensee no longer has a continuing relationship with a customer in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
(c) Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to § 146a.16 (relating to delivery).
§ 146a.13. Information to be included in privacy notices.
(a) General rule. The initial, annual and revised privacy notices that a licensee provides under §§ 146a.11, 146a.12 and 146a.15 (relating to initial privacy notice to consumers required; annual privacy notice to customers required; and revised privacy notices) shall include all of the following items of information, in addition to other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(1) The categories of nonpublic personal financial information that the licensee collects.
(2) The categories of nonpublic personal financial information that the licensee discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(4) The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33.
(5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) (and no other exception in §§ 146a.32 and 146a.33 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of nonaffiliated third parties with whom the licensee has contracted.
(6) An explanation of the consumer's right under § 146a.21(a) (relating to limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties) to opt out of the disclosure of nonpublic personal financial information to any nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C.A. § 1681a(d)(2)(A)(iii)).
(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.
(9) Any disclosure that the licensee makes under subsection (b).
(b) Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under §§ 146a.32 and 146a.33, the licensee is not required to list those exceptions in the initial or annual privacy notices required by §§ 146a.11 and 146a.12. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(c) Examples.
(1) Categories of nonpublic personal financial information that the licensee collects. A licensee satisfies the requirement to categorize the nonpublic personal financial information it collects if the licensee categorizes it according to the source of the information, as applicable:
(i) Information from the consumer.
(ii) Information about the consumer's transactions with the licensee or its affiliates.
(iii) Information about the consumer's transactions with nonaffiliated third parties.
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal financial information a licensee discloses.
(i) A licensee satisfies the requirement to categorize nonpublic personal financial information it discloses if the licensee categorizes the information according to source, as described in subsection (c)(1), as applicable, and provides examples to illustrate the types of information in each category. These examples include:
(A) Information from the consumer, including application information, such as assets and income and identifying information, such as name, address and Social Security number.
(B) Transaction information, such as information about balances, payment history and parties to the transaction.
(C) Information from consumer reports, such as a consumer's creditworthiness and credit history.
(ii) A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.
(iii) If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal financial information that the licensee discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the licensee discloses.
(i) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
(ii) Types of businesses may be described by general terms only if the licensee uses illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of businesses, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(iii) A licensee also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(4) Disclosures under exception for service providers and joint marketers. If a licensee discloses nonpublic personal financial information under the exception in § 146a.31 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of subsection (a)(5) if it does all of the following:
(i) Lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the licensee used to meet the requirements of subsection (a)(2), as applicable.
(ii) States whether the nonaffiliated third party is either:
(A) A service provider that performs marketing services on the licensee's behalf or on behalf of the licensee and another financial institution.
(B) A financial institution with whom the licensee has a joint marketing agreement.
(5) Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 146a.32 and 146a.33, the licensee may simply state that fact, in addition to the information it shall provide under subsection (a)(1), (8) and (9), and subsection (b).
(6) Confidentiality and security. A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(i) Describes in general terms who is authorized to have access to the information.
(ii) States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee's policy. The licensee is not required to describe technical information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for noncustomers.
(1) A licensee may satisfy the initial notice requirements in § 146a.11(a)(2) and § 146a.14(c) (relating to form of opt out notice to consumers and opt out methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in § 146a.14.
(2) A short-form initial notice shall do all of the following:
(i) Be clear and conspicuous.
(ii) State that the licensee's privacy notice is available upon request.
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The licensee shall deliver its short-form initial notice according to § 146a.16 (relating to delivery). The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to § 146a.16.
(4) Examples of obtaining privacy notice are included in this paragraph. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee does either of the following:
(i) Provides a toll-free telephone number that the consumer may call to request the notice.
(ii) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.
(e) Future disclosures. The licensee's notice may include categories of:
(1) Nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose.
(2) Affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
(f) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix A (relating to sample clauses).
[Continued on next Web Page]
[Continued from previous Web Page] § 146a.14. Form of opt out notice to consumers and opt out methods.
(a) Opt out notice.
(1) Form of opt out notice. If a licensee is required to provide an opt out notice under § 146a.21(a) (relating to limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties), it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice shall state all of the following:
(i) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party.
(ii) That the consumer has the right to opt out of that disclosure.
(iii) A reasonable means by which the consumer may exercise the opt out right.
(2) Examples.
(i) Adequate opt out notice. A licensee provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal financial information to a nonaffiliated third party if the licensee does both of the following:
(A) Identifies all of the categories of nonpublic personal financial information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the licensee discloses the information, as described in § 146a.13(a)(2) and (3) (relating to information to be included in privacy notices), and states that the consumer can opt out of the disclosure of that information.
(B) Identifies the insurance products or services that the consumer obtains from the licensee, either singly or jointly, to which the opt out direction would apply.
(ii) Reasonable opt out means. A licensee provides a reasonable means to exercise an opt out right if it does any of the following:
(A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice.
(B) Includes a reply form together with the opt out notice.
(C) Provides an electronic means to opt out, such as a form that can be sent by means of electronic mail or a process at the licensee's website, if the consumer agrees to the electronic delivery of information.
(D) Provides a toll-free telephone number that consumers may call to opt out.
(iii) Unreasonable opt out means. A licensee does not provide a reasonable means of opting out if the only means of opting out is either of the following:
(A) For the consumer to write a letter to exercise that opt out right.
(B) As described in any notice subsequent to the initial notice is to use a check-off box that the licensee provided with the initial notice but did not include with the subsequent notice.
(3) Specific opt out means. A licensee may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.
(b) Same form as initial notice permitted. A licensee may provide the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with § 146a.11 (relating to initial privacy notice to consumers required).
(c) Initial notice required when opt out notice delivered subsequent to initial notice. If a licensee provides the opt out notice later than required for the initial notice in accordance with § 146a.11, the licensee shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(d) Joint relationships.
(1) If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer (as explained in paragraph (5)).
(2) Any of the joint consumers may exercise the right to opt out. The licensee may either:
(i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers.
(ii) Permit each joint consumer to opt out separately.
(3) If a licensee permits each joint consumer to opt out separately, the licensee shall permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A licensee may not require all joint consumers to opt out before it implements any opt out direction.
(5) An example is as follows: If John and Mary are both named policyholders on a homeowner's insurance policy issued by a licensee and the licensee sends policy statements to John's address, the licensee may do any of the following, but it shall explain in its opt out notice which opt out policy the licensee will follow:
(i) Send a single opt out notice to John's address, but the licensee shall accept an opt out direction from either John or Mary.
(ii) Treat an opt out direction by either John or Mary as applying to the entire policy. If the licensee does so and John opts out, the licensee may not require Mary to opt out as well before implementing John's opt out direction.
(iii) Permit John and Mary to make different opt out directions. If the licensee does so all of the following apply:
(A) The licensee shall permit John and Mary to opt out for each other.
(B) If both opt out, the licensee shall permit both of them to notify it in a single response (such as on a form or through a telephone call).
(C) If John opts out and Mary does not, the licensee may only disclose nonpublic personal financial information about Mary, but not about John and not about John and Mary jointly.
(e) Time to comply with opt out. A licensee shall comply with a consumer's opt out direction as soon as reasonably practicable after the licensee receives it.
(f) Continuing right to opt out. A consumer may exercise the right to opt out at any time.
(g) Duration of consumer's opt out direction.
(1) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
(2) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal financial information that the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.
(h) Delivery. When a licensee is required to deliver an opt out notice by this section, the licensee shall deliver it according to § 146a.16 (relating to delivery).
§ 146a.15. Revised privacy notices.
(a) General rule. Except as otherwise authorized in this chapter, a licensee may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under § 146a.11 (relating to initial privacy notice to consumers required), unless all of the following conditions are met:
(1) The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices.
(2) The licensee has provided to the consumer a new opt out notice.
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure.
(4) The consumer does not opt out.
(b) Examples.
(1) Except as otherwise permitted by Subchapter D (relating to exceptions to limits on disclosure of nonpublic personal financial information), a licensee shall provide a revised notice before it discloses one or more of the following:
(i) A new category of nonpublic personal financial information to any nonaffiliated third party.
(ii) Nonpublic personal financial information to a new category of nonaffiliated third party.
(iii) Nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt outright regarding that disclosure.
(2) A revised notice is not required if the licensee discloses nonpublic personal financial information to a new nonaffiliated third party that the licensee adequately described in its prior notice.
(c) Delivery. When a licensee is required to deliver a revised privacy notice by this section, the licensee shall deliver it according to § 146a.16 (relating to delivery).
§ 146a.16. Delivery.
(a) How to provide notices. A licensee shall provide any notices that this chapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Actual notice.
(1) Examples of reasonable expectation of actual notice. A licensee may reasonably expect that a consumer will receive actual notice if the licensee meets one of the following conditions:
(i) Hand-delivers a printed copy of the notice to the consumer.
(ii) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication.
(iii) For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.
(iv) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
(2) Examples of unreasonable expectation of actual notice. A licensee may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it either:
(i) Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices.
(ii) Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.
(c) Annual notices only. A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if either:
(1) The customer uses the licensee's website to access insurance products and services electronically and agrees to receive notices at the website and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the website.
(2) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
(d) Oral description of notice insufficient. A licensee may not provide any notice required by this regulation solely by orally explaining the notice, either in person or over the telephone.
(e) Retention or accessibility of notices for customers.
(1) Notices for customers. For customers only, a licensee shall provide the initial notice required by § 146a.11(a)(1) (relating to initial privacy notice to consumers required), the annual notice required by § 146a.12(a) (relating to annual privacy notice to customers required), and the revised notice required by § 146a.15 (relating to revised privacy notices) so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2) Examples of retention or accessibility. A licensee provides a privacy notice to the customer so that the customer can retain it or obtain it later if the licensee meets one or more of the following conditions:
(i) Hand-delivers a printed copy of the notice to the customer.
(ii) Mails a printed copy of the notice to the last known address of the customer.
(iii) Makes its current privacy notice available on a website (or a link to another website) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the website.
(f) Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.
(g) Joint relationships. If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual and revised notice requirements of §§ 146a.11(a), 146a.12(a) and 146a.15(a), respectively, by providing one notice to those consumers jointly.
Subchapter C. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION Sec.
146a.21. Limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties. 146a.22. Limits on redisclosure and reuse of nonpublic personal financial information. 146a.23. Limits on sharing account number information for marketing purposes. § 146a.21. Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
(a) Conditions for disclosure. Except as otherwise authorized in this chapter, a licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following conditions are met:
(1) The licensee has provided to the consumer an initial notice as required under § 146a.11 (relating to initial privacy notice to consumers required).
(2) The licensee has provided to the consumer an opt out notice as required in § 146a.14 (relating to form of opt out notice to consumers and opt out methods).
(3) The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure.
(4) The consumer does not opt out.
(b) Opt out definition. Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Subchapter D (relating to exceptions to limits on disclosure of nonpublic personal financial information).
(c) Examples of reasonable opportunity to opt out. A licensee provides a consumer with a reasonable opportunity to opt out if:
(1) By mail. The licensee mails the notices required in subsection (a) to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within 30 days from the date the licensee mailed the notices.
(2) By electronic means. A customer opens an online account with a licensee and agrees to receive the notices required in subsection (a) electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
(3) Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in subsection (a) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
(d) Application of opt out to all consumers and all nonpublic personal financial information.
(1) A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.
(2) Unless a licensee complies with this section, the licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.
(e) Partial opt out. A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
§ 146a.22. Limits on redisclosure and reuse of nonpublic personal financial information.
(a) Information the licensee receives under an exception.
(1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information), the licensee's disclosure and use of that information is limited as follows:
(i) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.
(ii) The licensee may disclose the information to its affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information.
(iii) The licensee may disclose and use the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(2) Example. If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a nonaffiliated third party for marketing purposes or use that information for its own marketing purposes.
(b) Information a licensee receives outside of an exception.
(1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in § 146a.32 or § 146a.33, the licensee may disclose the information only:
(i) To the affiliates of the financial institution from which the licensee received the information.
(ii) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information.
(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(2) Example. If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in § 146a.32 or § 146a.33 the licensee may do the following:
(i) Use that list for its own purposes.
(ii) Disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that nonaffiliated third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in § 146a.32 or § 146a.33, such as to the licensee's attorneys or accountants.
(c) Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in § 146a.32 or § 146a.33, the nonaffiliated third party may disclose and use that information only as follows:
(1) The nonaffiliated third party may disclose the information to the licensee's affiliates.
(2) The nonaffiliated third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the nonaffiliated third party may disclose and use the information.
(3) The nonaffiliated third party may disclose and use the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(d) Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in § 146a.32 or § 146a.33, the nonaffiliated third party may disclose the information only:
(1) To the licensee's affiliates.
(2) To the nonaffiliated third party's affiliates, but the nonaffiliated third party's affiliates, in turn, may disclose the information only to the extent the nonaffiliated third party can disclose the information.
(3) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.
§ 146a.23. Limits on sharing account number information for marketing purposes.
(a) General prohibition on disclosure of account numbers. A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
(b) Exceptions. Subsection (a) does not apply if a licensee discloses a policy number or similar form of access number or access code to any of the following:
(1) The licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account.
(2) A licensee who is a producer solely in order to perform marketing for the licensee's own products or services.
(3) A participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
(c) Examples.
(1) Policy number. A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.
(2) Policy or transaction account. For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
Subchapter D. EXCEPTIONS TO LIMITS ON DISCLOSURES OF NONPUBLIC PERSONAL FINANCIAL INFORMATION Sec.
146a.31. Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. 146a.32. Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions. 146a.33. Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information. § 146a.31. Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
(a) General rule.
(1) Opt out requirements. The opt out requirements in §§ 146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties) do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee meets both of the following conditions:
(i) Provides the initial notice in accordance with § 146a.11 (relating to initial privacy notice to consumers required).
(ii) Enters into a contractual agreement with the nonaffiliated third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information) in the ordinary course of business to carry out those purposes.
(2) Example. If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee's contractual agreement with that institution meets the requirements of paragraph (1) if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in § 146a.32 or § 146a.33 in the ordinary course of business to carry out that joint marketing.
(b) Service may include joint marketing. The services a nonaffiliated third party performs for a licensee under subsection (a) may include marketing of the licensee's own products or services or marketing of financial products or services offered under joint agreements between the licensee and one or more financial institutions.
(c) Definition of ''joint agreement.'' For purposes of this section, ''joint agreement'' means a written contract under which a licensee and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.
§ 146a.32. Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.
(a) Exceptions for processing transactions at consumer's request. The requirements for initial notice in § 146a.11(a)(2) (relating to initial privacy notice to consumers required), the opt out in §§ 146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties), and service providers and joint marketing in § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following:
(1) Servicing or processing an insurance product or service that a consumer requests or authorizes.
(2) Maintaining or servicing the consumer's account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity.
(3) A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.
(4) Reinsurance or stop loss or excess loss insurance.
(b) Necessary to effect, administer or enforce a transaction. When used in this section, ''necessary to effect, administer or enforce a transaction'' means that the disclosure is required or is either of the following:
(1) One of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service.
(2) A usual, appropriate or acceptable method to do one or more of the following:
(i) Carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer's account in the ordinary course of providing the insurance product or service.
(ii) Administer or service benefits or claims relating to the transaction or the product or service business of which it is a part.
(iii) Provide a confirmation, explanation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer, the consumer's producer, or a policyholder or the policyholder's agent, producer, or broker with respect to a claim asserted by, or paid to, a consumer under a policy.
(iv) Accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party.
(v) Underwrite insurance at the consumer's request or for any of the following purposes as they relate to a consumer's insurance, or, when the consumer is a workers' compensation claimant or third party claimant, to the policyholder's insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing, adjusting, paying, and settling insurance claims, administering insurance benefits (including utilization review activities), participating in research projects or as otherwise required or specifically permitted by Federal or State law.
(vi) Use in connection with any of the following:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means.
(B) The transfer of receivables, accounts or interests therein.
(C) The audit of debit, credit or other payment information.
§ 146a.33. Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.
(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 146a.11(a)(2) (relating to initial privacy notice to consumers required) the opt out in §§ 146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties), and service providers and joint marketing in § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) do not apply when a licensee discloses nonpublic personal financial information:
(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.
(2) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product or transaction.
(3) To protect against or prevent actual or potential fraud or unauthorized transactions.
(4) For required institutional risk control or for resolving consumer disputes or inquiries.
(5) To persons holding a legal or beneficial interest relating to the consumer.
(6) To persons acting in a fiduciary or representative capacity on behalf of the consumer.
(7) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants and auditors.
(8) To the extent specifically permitted or required under other provisions of law and in accordance with the Federal Right to Financial Privacy Act of 1978 (12 U.S.C.A. §§ 3401--3422), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C.A. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C.A. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety.
(9) To a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--1681u), or from a consumer report reported by a consumer reporting agency.
(10) In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.
(11) To comply with Federal, state or local laws, rules and other applicable legal requirements.
(12) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, state or local authorities.
(13) To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.
(14) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers' compensation plan.
(b) Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under § 146a.14(f) (relating to form of opt out notice to consumers and opt out methods).
Subchapter E. ADDITIONAL PROVISIONS Sec.
146a.41. Effect on other laws. 146a.42. Nondiscrimination. 146a.43. Violation. 146a.44. Effective date. § 146a.41. Effect on other laws.
(a) Protection of Fair Credit Reporting Act. This chapter will not be construed to modify, limit or supersede the operation of the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--1681u), and no inference may be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under section 603 of that act (15 U.S.C.A. § 1681a).
(b) Protection of section 648 of the act (40 P. S. § 288) (relating to customer privacy). This chapter does not modify, limit or supercede the operation of section 648 of the act.
§ 146a.42. Nondiscrimination.
A licensee may not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of nonpublic personal financial information under this chapter.
§ 146a.43. Violation.
Violations of this chapter are deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to any applicable penalties or remedies contained in the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.15).
§ 146a.44. Effective date.
(a) Effective date. This chapter is effective July 1, 2001.
(b) Notice requirements.
(1) Consumers who are the licensee's customers on the effective date. By July 1, 2001, a licensee shall provide an initial notice, as required by § 146a.11 (relating to initial privacy notice to consumers required), to consumers who are the licensee's customers on July 1, 2001.
(2) Example. A licensee provides an initial notice to consumers who are its customers on July 1, 2001, if, by that date, the licensee has established a system for providing an initial notice to all new customers and has mailed the initial notice to all the licensee's existing customers.
(c) Two-year grandfathering of service agreements. Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf satisfies the provisions of § 146a.31(a)(1)(ii) (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing), even if the contract does not include a requirement that the nonaffiliated third party maintain the confidentiality of nonpublic personal financial information, as long as the licensee entered into the agreement on or before July 1, 2000.
APPENDIX A SAMPLE CLAUSES Licensees, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. (Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the Federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.)
A-1--Categories of information a licensee collects (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(1) to describe the categories of nonpublic personal financial information the licensee collects.
Sample Clause A-1:
We collect nonpublic personal financial information about you from the following sources:
* Information we receive from you on applications or other forms.
* Information about your transactions with us, our affiliates or others.
* Information we receive from a consumer reporting agency.
A-2-Categories of information a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use one of these clauses, as applicable, to meet the requirement of § 146a.13(a)(2) to describe the categories of nonpublic personal financial information the licensee discloses. The licensee may use these clauses if it discloses nonpublic personal financial information other than as permitted by the exceptions in §§ 146a.31, 146a.32 and 146a.33.
Sample Clause A-2, Alternative 1:
We may disclose the following kinds of nonpublic personal financial information about you:
* Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ''your name, address, social security number, assets, income, and beneficiaries''].
* Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as ''your policy coverage, premiums, and payment history''].
* Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as ''your creditworthiness and credit history''].
Sample Clause A-2, Alternative 2:
We may disclose all of the information that we collect, as described [describe location in the notice, such as ''above'' or ''below''].
A-3-Categories of information a licensee discloses and parties to whom the licensee discloses (institutions that do not disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirements of § 146a.13(a)(2), (3) and (4) to describe the categories of nonpublic personal financial information about customers and former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses. A licensee may use this clause if the licensee does not disclose nonpublic personal financial information to any party, other than as permitted by the exceptions in §§ 146a.32 and 146a.33.
Sample Clause A-3:
We do not disclose any nonpublic personal financial information about our customers or former customers to anyone, except as permitted by law.
A-4-Categories of parties to whom a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information. This clause may be used if the licensee discloses nonpublic personal financial information other than as permitted by the exceptions in §§ 146a.31, 146a.32 and 146a.33, as well as when permitted by the exceptions in §§ 146a.32 and 146a.33.
Sample Clause A-4:
We may disclose nonpublic personal financial information about you to the following types of third parties:
* Financial service providers, such as [provide illustrative examples, such as ''life insurers, automobile insurers, mortgage bankers, securities broker-dealers, and insurance agents''].
* Non-financial companies, such as [provide illustrative examples, such as ''retailers, direct marketers, airlines, and publishers''].
* Others, such as [provide illustrative examples, such as ''non-profit organizations''].
We may also disclose nonpublic personal financial information about you to nonaffiliated third parties as permitted by law.
A-5--Service provider/joint marketing exception
A licensee may use one of these clauses, as applicable, to meet the requirements of § 146a.13(a)(5) related to the exception for service providers and joint marketers in § 146a.31. If a licensee discloses nonpublic personal financial information under this exception, the licensee shall describe the categories of nonpublic personal financial information the licensee discloses and the categories of third parties with which the licensee has contracted.
Sample Clause A-5, Alternative 1:
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
* Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ''your name, address, social security number, assets, income, and beneficiaries''].
* Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as ''your policy coverage, premium, and payment history''].
* Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as ''your creditworthiness and credit history''].
Sample Clause A-5, Alternative 2:
We may disclose all of the information we collect, as described [describe location in the notice, such as ''above'' or ''below''] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
A-6-Explanation of opt out right (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(6) to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. The licensee may use this clause if the licensee discloses nonpublic personal financial information other than as permitted by the exceptions in §§ 146a.31, 146a.32 and 146a.33.
Sample Clause A-6:
If you prefer that we not disclose nonpublic personal financial information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as ''call the following toll-free number: (insert number)''].
A-7--Confidentiality and security (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of § 146a.13(a)(8) to describe its policies and practices with respect to protecting the confidential-ity and security of nonpublic personal financial information.
Sample Clause A-7:
We restrict access to nonpublic personal financial information about you to [provide an appropriate description, such as ''those employees who need to know that information to provide products or services to you'']. We maintain physical, electronic, and procedural safeguards that comply with Federal regulations to guard your nonpublic personal financial information.
[Pa.B. Doc. No. 01-1457. Filed for public inspection August 10, 2001, 9:00 a.m.]
