TITLE 28.INSURANCE

Part 1. TEXAS DEPARTMENT OF INSURANCE

Chapter 22. PRIVACY

Subchapter A. INSURANCE CONSUMER FINANCIAL INFORMATION PRIVACY

28 TAC §§22.1 - 22.26

The Commissioner of Insurance adopts new §§22.1 - 22.26, concerning privacy of nonpublic personal financial information provided by consumers to insurers and other covered entities regulated by the Department. New §§22.1, 22.2, 22.4, 22.5, 22.9, 22.10, 22.13, 22.16, and 22.22 are adopted with changes to the proposed text published in the Texas Register (26 TexReg 5593). New §§22.3, 22.6 - 22.8, 22.11, 22.12, 22.14, 22.15, 22.17 - 22.21 & 22.23 - 22.26 are adopted without changes and will not be republished.

The new adopted rules are necessary to implement the provisions of Senate Bill 712, 77th Texas Legislature (Texas Insurance Code (TIC) Art. 28A.01 et seq.), which requires covered entities (and certain of their affiliates) to comply with the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C §6801 et seq.) privacy provisions. SB 712 also directs the commissioner to implement the chapter by adopting rules necessary to make the State of Texas eligible, under Title V of GLBA, to override federal regulation, as well as to attempt to keep state privacy requirements consistent with federal regulations adopted under GLBA. This direction is consistent with the GLBA requirement that the various agencies enforcing GLBA coordinate with similarly situated agencies to assure, to the extent possible, that the regulations prescribed to enforce GLBA remain consistent and comparable. 15 USC §6804. The legislative analysis of SB 712 references the NAIC privacy model regulation as a guide for the department's adoption of rules.

The Texas Senate bill analysis, in pertinent part, states that "Senate Bill 712 requires insurers and other entities regulated by the Texas Department of Insurance to comply with requirements of GLBA and requires the commissioner of insurance to adopt rules consistent with GLBA based on the NAIC (National Association of Insurance Commissioners) privacy model." The adopted sections, while based on the NAIC model rule, have been clarified in certain sections for greater ease in reading. The adopted sections set forth the requirements that insurers and other covered entities must meet in structuring their consumer financial practices to comply with GLBA and SB 712. Specifically, the rules provide the notice requirements, as well as other procedures that insurers and other covered entities must follow with regard to nonpublic personal financial information collected about a consumer.

Section 22.1 was changed to delete a reference to sharing information with affiliates, as these rules do not prohibit the sharing of information with affiliates. Section 22.2 was changed to delete a sentence from the definition of consumer that was not included in the national model rule, and to make a clarifying grammatical change to the definition of health care. Section 22.4 was changed to add the term "claimant under" to the list of persons affected by a policy of workers' compensation insurance issued subject to the rule and in order to clarify a term. Section 22.5 was changed to reflect that the situations it details are exemplary. Section 22.9 was changed to achieve consistency with the standards for a continuing relationship in §22.5. Section 22.10 was changed to clarify that the rule does not prohibit information sharing with affiliates and to make nonsubstantive grammatical corrections. Section 22.13 was changed to clarify that certain compliance options are alternative. Section 22.16 was changed to clarify that a covered entity is permitted to provide account numbers to service providers for marketing purposes as long as the service provider is not authorized to directly initiate charges to the account. Section 22.22 was changed to conform more closely to legislative intent by deleting references to enforcement under TIC Art. 21.21.

General. Several commenters noted that the rule is not identical to the national model rule.

Agency Response. The department agrees that the rule is not identical to the national model rule. As noted in the preamble to the proposed rule, some definitions differ from those in the model rule because the proposal incorporated specific definitions contained in SB 712, as well as in other sections of the TIC. For example, the proposal used "covered entity," as defined in SB 712, in place of the model rule's term "licensee." Other deviations occur because parts of the model rule were ambiguous or confusing. The department has crafted the rule, however, to maintain substantive consistency with the model rule. As part of the effort to maintain congruity, the department discussed changes with a representative of the national organization that promulgated the model rule. Where appropriate, as indicated in responses to other comments, the department has changed some portions of the proposed rule to correct unintended substantive deviations from the model rule.

Rules of construction & use of examples. A commenter recommends the use of the example format and the "rule of construction" contained in the national model rule which provides that compliance with an example or sample clause set forth in the rule constitutes compliance.

Agency Response. The department agrees that the rule's format differs from the national model rule so that some items identified as examples in the model rule no longer appear as examples in this rule. In preparing the rule for proposal, the department determined that some of the "examples" used in the definition section of the model rule were actually substantive requirements, rather than examples or definitions. Accordingly, the department rephrased these items and placed them in the body of the rule. Where appropriate, however, the department retained the actual examples from the model rule. Despite the modification of some items no longer specifically labeled as examples, compliance with such provisions is indicative of compliance with the rule. Moreover, the department has, in accordance with the commenter's suggestion, restored the use of examples in §22.5 (concerning Examples of Continuing Relationships).

Compliance in other jurisdictions. A commenter recommends a provision stating that a covered entity domiciled in Texas in compliance with this rule is deemed to be in compliance with GLBA as to any other jurisdiction in which it does business.

Agency Response. The department declines to make this change. As the commenter recognizes, such a provision would not be enforceable. Art. 21.21-9, Sec. 5. Two commenters ask whether compliance with this rule will constitute compliance with TIC Art. 21.21-9, Sec. 5.

Agency Response. TIC Art. 21.21-9, Sec. 5 sets out two elements required before a person may disclose "nonpublic customer information" to a third party for the purpose of another's sale or solicitation of the purchase of insurance: clear and conspicuous disclosure regarding the proposed use of the information, and an opportunity for the customer to object before the use of the information for that purpose. The department believes compliance with the opt out requirements of this rule will provide the required "opportunity to object"; the question remaining is whether the notices required under this rule will provide the required "clear and conspicuous disclosure." The answer lies in a comparison of the sets of information protected by the two laws. Each covered entity will have to examine its internal policies to determine whether the "nonpublic customer information" it collects is wholly contained within the scope of the "nonpublic personal financial information" it collects. If so, the entity's compliance with this rule would satisfy the conditions of TIC Art. 21.21-9. To the extent the sets of information are different, however, the covered entity will need to go beyond the requirements of this rule to satisfy TIC Art. 21.21-9 standards. A covered entity may, however, comply with both laws through a single opt out notice by disclosing that the opt out opportunity applies to both sets of protected information. It is also important to note that TIC Art. 21.21-9 prohibits disclosure to any third party without distinction between affiliates and nonaffiliates. GLBA, and this rule, on the other hand, permit disclosure to affiliates without customer consent, and thus supersede TIC Art. 21.21-9, Sec. 5, to the extent it prohibits such disclosure.

Chapter 28B of TIC relating to health information. A commenter notes that Chapter 28B of the Texas Insurance Code makes health privacy requirements applicable to all covered entities including viatical settlement companies even though such companies are not subject to the Health Insurance Portability and Accessibility Act (HIPAA) privacy requirements.

Agency Response. This rule addresses only nonpublic personal financial information collected and held by covered entities. "Health information" is defined in the rule only to differentiate such information from financial information. SB 11, enacted by the 77th Texas Legislature, created new Chapter 28B of the TIC which addresses privacy of health information held by covered entities. SB 11 becomes effective in January of 2002. The department will propose a separate rule to implement SB 11 addressing the privacy of nonpublic personal health information and the commenter will be able to submit comments to that rule.

HIPAA. A commenter asks for clarification about the interplay between this rule and the HIPAA privacy rules.

Agency Response. An HMO, insurer, or any other covered entity that is subject to the HIPAA privacy rules will need to comply with both sets of rules once the HIPAA privacy rules become effective in April 2003. Since the two schemes address the protection of personal information differently, this may create conflicts. For example, the HIPAA rules state that items such as a person's name, address, social security number, and payment history can constitute individually identifiable health information. HIPAA will thus prohibit disclosure of such information unless the release is pursuant to an individual's express consent or a specific exception. Under the financial privacy requirements of GLBA, however, this same information can be considered to be financial information, subject to an "opt out" standard. As of this date, federal authorities responsible for compliance with HIPAA and GLBA have issued no guidance as to how they will resolve such conflicts facing entities subject to both sets of rules. The department will continue to monitor this issue as the compliance date for the HIPAA privacy rules approaches and provide information as it becomes available.

§22.1(a). A commenter asks if an individual may affirmatively "opt out" of information sharing that is permitted under GLBA.

Agency Response. This rule does not require a covered entity, simply because of an individual's contrary direction, to refrain from disclosing nonpublic personal financial information as permitted under the rule. The response to this comment is specifically limited to the requirements of these adopted rules; other laws may prohibit similar disclosure in specific situations.

§22.1(a). A commenter feels that the applicability of the rule to viatical settlement companies is contrary to Title V of GLBA because Title V does not delegate enforcement of the non-insurance business of viaticals to state insurance regulators. The commenter notes that viatical settlement companies are subject to the privacy requirements of GLBA. The commenter is concerned that the rule creates a dual system of regulation which will impact the offers provided to Texas viatical settlement customers.

Agency Response. SB 712 creates TIC Art. 28A.02(a), which states that "A covered entity shall comply with 15 USC §§6802 and 6803 [the notice and disclosure requirements for protected financial information under GLBA] as amended, in the same manner as a financial institution under those sections." A covered entity is defined by SB 712 as an individual or entity that receives an authorization from the department and includes any individual or entity described by TIC §82.002. Viatical settlement companies fit squarely under this definition (TIC Art. 3.50-6A). The Legislature clearly intended SB 712 and the rule to apply to viatical settlement companies. The rule treats viatical settlement companies no differently than other entities, such as banks, which are subject to regulation by more than one agency. The department reminds any persons subject to TIC Art. 3.50-6A (Viatical Settlements and Life Settlements) that this rule does not alter any other legal obligations to which they may be subject.

§§22.1(a)(2) & 22.10(a). A commenter suggests deletion of the reference to affiliates in this paragraph and subsection, since the rule does not address the sharing of information with affiliates.

Agency Response. The department agrees and has made this change. This rule was adapted from an NAIC Model Regulation concerning privacy of both financial and health information. Since this rule deals only with financial privacy, the references to "affiliates" in this subsection are incorrect. The rule does not require a covered entity sharing nonpublic personal financial information with an affiliate to provide a consumer/customer either notice or an opportunity to "opt out."

§22.1(b). A commenter asks if the rule applies to a collateral protection insurer that covers a creditor and/or a consumer under the Texas Credit Code. The commenter notes that this type of insurance "is designed explicitly to protect the interests of the lender."

Agency Response. The rule applies to covered entities providing collateral protection insurance. The department is unaware of any policy of collateral protection insurance that does not convey a benefit, or "service," to a borrower under the policy, thus making the borrower a consumer or customer under the rule. Under the rule, receipt of an insurance "service" creates customer status. The fact that the creditor may be the actual purchaser of the insurance does not void the borrower's consumer or customer status.

§§22.1(b) & 22.4. Several commenters urge that references to claimants, beneficiaries, workers' compensation plan participants, and beneficiaries in a workers' compensation plan, be deleted from these sections.

Agency Response. The department declines to make this suggested change. SB 712 requires the department to adopt rules that implement the requirements of GLBA in a way that balances the protection of Texas citizens with an emphasis on consistent state enforcement nationwide. The department accomplished this end by proposing a rule based on the national model rule for insurance regulation, as referenced in the Senate bill analysis to SB 712. The national model rule includes within its scope claimants, beneficiaries, and workers' compensation plan participants. Additionally, the department believes that all individuals who use insurance products or services primarily for personal, family or household purposes - including claimants and beneficiaries - should receive the same privacy protections as traditional consumers who have direct relationships with licensees. The right to financial privacy should not be diminished simply because an individual receives an insurance benefit through a policy held by another person or a commercial enterprise. Specifically, the department disagrees with the commenters regarding the nature of workers' compensation insurance. It is important to recognize the rule's distinction between insurance products and services. While a business generally purchases a workers' compensation insurance policy for a commercial purpose, an injured worker's receipt of a workers' compensation insurance benefit serves a personal, family, or household purpose, similar to an individual's receipt of a disability insurance benefit. Because of the commercial nature of the policyholder's contract with the covered entity, the rule, in accordance with the national model, does place simpler requirements on covered entities providing workers' compensation insurance and some other group coverages than the rule's general requirement for other types of coverage.

While it is true that some states have excluded these categories of individuals, they have done so under specific statutory direction. The Texas Legislature recognized no such exception in SB 712. Accordingly the department includes these individuals within the scope of the rule.

§22.2(8). Several commenters allege that the following sentence is confusing and recommend its deletion: "For purposes of this subchapter, all references to consumer include the term customer, unless the purpose of the reference is to make a distinction between applicability of the subchapter to a customer and a consumer."

Agency Response. The department disagrees that the sentence is confusing, but since it is an addition to the model rule, will defer to commenters and has deleted it to promote uniformity. The department reminds covered entities, however, that under the rule, simply becoming a customer does not forfeit an individual's status or rights as a consumer.

§22.2(8). A commenter inquires whether, in the context of a credit insurance policy issued to cover a bank loan, a borrower or the bank is the consumer of an insurance product.

Agency Response. The department cannot make a determination on an inquiry of this sort without the specific facts surrounding a particular transaction. Generally, since the rule pertains primarily to insurance products or services issued for "personal, family, or household purposes," and does not apply to information about companies, or about individuals who obtain products or services for business or commercial purposes, it is difficult to envision a scenario in which a bank would have consumer status. On the other hand, a borrower protected by a policy of credit insurance for personal, family, or household purposes is a named insured, as well as a beneficiary, of the policy and thus is a consumer under the rule.

§22.2(12). A commenter recommends adding the following sentence to the definition of "customer": "In no event shall a beneficiary or claimant under a policy, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for purposes of this regulation."

Agency Response. The department declines to make this change. While the rule deems certain beneficiaries and claimants to be consumers and not customers, it does so expressly where such limitation is applicable. See §22.4(c).

§22.2(20). Three commenters suggest amending the definition of "nonaffiliated third party" to state that it does not include a person employed jointly by a covered entity and a nonaffiliated third party.

Agency Response. The Texas Legislature included this definition in SB 712 and the department declines to change it. The department agrees, however, with the commenters that a joint employee of a covered entity and a nonaffiliated third party would be excluded from the definition of "nonaffiliated third party," consistent with the national model rule.

§22.3(a). A commenter suggests amending this subsection to clarify that the rule does not prohibit an agent from disclosing nonpublic personal financial information to nonaffiliated third parties in the course of providing routine policyholder services on behalf of a consumer.

Agency Response. The department declines to make this change as unnecessary. Section 22.18(a) permits covered entities, including agents, to perform acts at the request of a consumer without providing an initial privacy notice.

§22.3(b). A commenter indicates that, based on its review of Commissioner's Bulletin No. B-0030-01, it does not believe that GLBA applies to reinsurers that do not write direct business in the State of Texas.

Agency Response. The purpose of the cited bulletin was to inform licensees generally of new laws concerning privacy and the department's plans for implementation. The department does not agree that a covered entity can determine, simply by reviewing the bulletin, whether the entity is in compliance with SB 712 or the rule. To the extent that a reinsurer is a covered entity that holds or collects nonpublic personal financial information under the rule, the rule requires appropriate compliance.

§22.3(c)(1). A commenter suggests changing "and" to "or."

Agency Response. The department disagrees. Both of the requirements of §22.3(c) must be met before a covered entity is considered to be in compliance with this paragraph.

§§22.3(c)(2) & 22.26(b)(8). A commenter prefers that the term "16 point type" be eliminated and that the text of the suggested privacy notice not be capitalized, as they believe these requirements differ from the national model rules.

Agency Response. The department disagrees. The 16 point type and capitalization of the notice are both specific requirements of the national model rule.

§22.4(c). A commenter asks for clarification on why the special requirements in §22.4(c) specify that certain persons are not consumers.

Agency Response. The rule provides that individuals in these specific circumstances, although similar in status to other consumers under the rule, are not treated as consumers if the covered entity provides required notices to group policyholders and does not disclose nonpublic personal financial information about the individuals to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19.

§22.4(c)(1). A commenter asks whether a carrier must provide initial, annual and revised notices to an employer sponsoring an employee group health plan if it does not disclose protected financial information about plan enrollees other than as permitted by the exceptions enumerated in §§22.17, 22.18 and 22.19 of the rule.

Agency Response. Section 22.4(c)(1) provides that a covered entity is not required to provide notices to enrollees covered by an employer group health care plan if two conditions are met: (1) the covered entity does not share protected information about the individuals other than as exempted by the rule; and (2) the covered entity provides notices required by the rule to the employer sponsoring the plan. Section 22.9 requires a covered entity to send an annual notice to a customer and §22.8 requires the entity to send an initial notice to a customer and to a consumer if the covered entity discloses protected information about the consumer other than pursuant to an exception enumerated in §§22.18 and 22.19. If a covered entity does not comply with the requirements set forth in §22.4(c)(1), enrollees in the employer group health plan are considered to be "consumers" of the plan issuer. Section 22.4(e) dictates that an enrollee in an employer group health plan would not be considered to be a "customer" for purposes of the rule solely by virtue of his or her status as an enrollee. For purposes of §22.4(c)(1), however, the employer must receive an annual notice. The rule requires a revised notice only if the conditions set forth in §22.12 are applicable. If a covered entity discloses information about an enrollee in an employer group health plan that does not fall under an exception enumerated in §§22.17, 22.18 and 22.19, and this disclosure represents a change from the covered entity's previous privacy policy, the rule requires a revised notice to the employer. The rule would not require revised privacy notices for the plan enrollees since the employer, not the enrollees, would have received any previous notices. The rule would require initial notices for all enrollees about whom information may, as a result of the revision, be disclosed under the new privacy policy. The revision would also mean that the special requirements would no longer apply. If a covered entity were to fail to deliver or cease delivery of required notices to the employer, §22.4(c)(1) would no longer apply and the rule would require individual privacy and opt out notices for each enrollee pursuant to the requirements for each notice as applicable.

§22.4(c)(3). A commenter asks if a beneficiary of a workers' compensation policy is considered to be a consumer who is entitled to initial and annual notices under the rule if a covered entity wishes to share the beneficiary's protected financial information. The commenter asks if a beneficiary is a consumer if the covered entity does not share such information.

Agency Response. If a covered entity wishes to share protected information about a beneficiary or claimant other than pursuant to an exception set forth in the rule, the beneficiary or claimant is considered to be a consumer of the covered entity and the rule requires an initial privacy notice as well as an opt out notice. The rule requires annual notices only for customers. A workers' compensation insurance beneficiary would not be considered to be a customer of a covered entity by virtue of the covered entity's sharing of protected financial information outside of an enumerated exception. The sharing of such information would not trigger the annual notice requirement. However, the rule would require an annual notice to the employer that is the workers' compensation plan participant if a covered entity wishes to invoke §22.4(c)(3). See response to comment on §22.4(c)(1).

§22.4(c)(3). A commenter recommends changing the term "beneficiary of" to "claimant under" a workers' compensation policy as being consistent with common understanding in the industry.

Agency Response. The department has determined that both "claimants under" and "beneficiaries to" a workers' compensation policy accurately describe individuals protected by the rule and has changed the rule to include both terms.

§22.4(d). A commenter recommends changing the term "requirements" to "conditions" to clarify that covered entities have the option either to treat workers' compensation claimants as "consumers" or to comply with §22.4(c)(3).

Agency Response. The department does not believe this change is necessary. A covered entity that does not comply with the special requirement for workers' compensation set forth in §22.4(c)(3) would be required to treat the claimants as consumers pursuant to §22.4(d).

§22.5. A commenter asks that the rule be clarified as to whether a bank customer purchasing credit insurance in connection with a lending transaction establishes a customer relationship with the bank that is selling the insurance as an agent or with the insurance company that issues the policy. If notice is required of a bank, additional guidance is requested.

Agency Response. The rule treats a bank acting as an agent no differently than any other agent, and a bank formulating its privacy policy with regard to required notices should comply with the provisions of the rule. The bank's issuance of a loan to the credit insured does not necessarily create a customer relationship, under this rule, between the bank and the insured. The rule clearly details certain factors and transactions which will establish a customer relationship between an individual and a covered entity, whether the entity is an insurance carrier, an agent, or other entity. Whether a particular transaction creates a customer relationship under the rule will depend on the facts surrounding the transaction.

§§22.5(b)(6) & 22.9(b)(2). Several commenters believe these sections should track the national model rule's use of the phrase "inactive or dormant under the licensee's business practices" rather than the phrase "not in force."

Agency Response. The department believes that the term "not in force" is less confusing and more precise. Neither "inactive" nor "dormant" are terms of art and there does not appear to be a quantifiable distinction between the two words. In addition, the department believes that the use of this objective standard, rather than one which may vary from company to company, will promote a uniform interpretation of the rule and will simplify compliance issues.

§22.7(a)(2)(A). A commenter proposes deleting the word "nonconfidential."

Agency Response. The department disagrees. If a government record is confidential then it could not be considered to be "publicly available."

§22.8. A commenter asserts that where an insurer providing credit insurance has notified the creditor that the insurer does not share the borrower's nonpublic personal financial information except as necessary to administer the insurance policies, the privacy notice creditors are required to send to customers suffices to comply with this rule.

Agency Response. The department's response to this comment differs based on the type of insurance issued. Where the policy of credit insurance is a group policy subject to the requirements of §22.4(c)(2), the rule requires the insurer to send notice only to the group policyholder. For individual policies of credit insurance, however, notice to the creditor would not extinguish the carrier's duties under the rule. While it is possible the referenced privacy notice would satisfy the requirements of the rule, the department cannot make that determination without examining the notice.

§22.8. A commenter requests that the rule provide a consistent standard concerning when the duty to provide an initial privacy notice arises.

Agency Response. A covered entity's duty to provide an initial notice differs as to customers and consumers. For customers, §22.8 generally requires the notice not later than when the covered entity establishes a customer relationship. In an insurance context, the customer relationship will generally begin no later than when coverage attaches or when the policy is delivered. While most customer relationships will fall within this general rule, other facts and circumstances may affect the inception of customer relationships. For example, a covered entity may create a customer relationship by extending coverage prior to delivery of the policy. Accordingly, a covered entity must establish a consistent standard to determine when customer relationships commence. In the case of a consumer, an initial notice and opportunity to opt out is required prior to the release of any protected information other than as authorized under §§22.18 and 22.19.

§22.8(a). A commenter inquires whether an insurer acquiring another insurer's book of business must then provide its own "initial notice."

Agency Response. The answer to this question depends on the acquiring entity's privacy policy. If the privacy policy of the new entity differs from the privacy policy of the previous insurer, the new entity should provide a new statement of privacy policy. In addition, if the new entity plans to disclose nonpublic personal financial information to a new category of nonaffiliated third party, the entity must provide a revised notice pursuant to §22.12, along with the opportunity to opt out of this new disclosure. If the customer has previously elected to opt out in response to a notice delivered by the previous insurer, the new entity must continue to honor the customer's election as to those specific categories.

§§22.8(a) & 22.9(a). A commenter asks what steps a bank, providing notices on behalf of an issuing insurance company, must take to determine that the provided notice is accurate. Another commenter inquires as to what a bank, acting as an agent, must do to determine whether its covered entity principal is providing required notices under the rule. The commenter wonders whether it may rely on representations from the entity or whether it must conduct an audit.

Agency Response. The rule treats a bank acting as an agent no differently than any other agent, and a bank formulating its own privacy policy regarding required notices should thus comply with all applicable provisions of the TIC and departmental rules. A bank delivering notices on behalf of an insurance company presumably would be doing so in the capacity of an agent for the insurance company. A bank functioning for insurance business purposes as the agent of a principal insurance company would be subject to regulation under the Texas Insurance Code to the same extent as any other agent. A bank will have to exercise independent judgment to determine the measures necessary to assure itself that its principal is complying with the applicable rules. Even if an insurance company were to delegate a responsibility under the rule to an agent, however, the insurance company would remain responsible for its own compliance with the rule.

§22.8(b). A commenter proposes inserting "to a consumer" into the subheading.

Agency Response. The department does not believe this change is necessary since the full sentence following the subheading establishes that the section concerns notice to a consumer.

§22.8(b)(1). A commenter asks about applicability of the rule to a third party administrator (TPA).

Agency Response. A TPA, regardless of whether it is providing services on behalf of a self-funded plan or a commercial carrier, does not have to comply with the initial notice requirements for consumers under the rule as long as the TPA does not disclose information to a nonaffiliated third party for any reason other than an exemption permitted under §§22.18 or 22.19. A TPA would not be considered to have a "customer relationship" with a plan enrollee for whom the TPA is performing an administrative function on behalf of an insurer or an HMO and would not be subject to the annual notice requirement under §22.9.

§22.8(e). A commenter proposes supplementing the heading to clarify that this subsection contains exceptions.

Agency Response. The department declines to make this change, as the subsection contains a general rule as well as exceptions.

§22.8(f). A commenter proposes insertion of "initial" into the delivery requirement.

Agency Response. The department does not believe that this change is necessary, as the only notices required by this section are initial notices.

§§22.9 & 22.13(a). A commenter asks when a bank should deliver the various privacy notices required by the rule. The commenter specifically asks whether an initial privacy notice may accompany the delivery of the policy. The commenter indicated that the department had informed some insurers that a privacy notice could not be printed on a policy jacket. Another commenter asks whether a privacy notice can be delivered simultaneously with an insurance policy, billing notices, statements, or newsletter.

Agency Response. The rule treats a bank, whether acting as a covered entity or the agent of a covered entity, no differently than any other similarly situated entity, and a bank formulating its privacy policy regarding delivery of notices should thus comply with the applicable provisions of the rule. Generally, an entity may deliver any required notice either in a separate transmission or along with any other delivery to the consumer/customer, so long as the notice is in a format that meets all applicable requirements under the rule, including the requirement that the notice be clear and conspicuous. The department did state, in response to a similar query, that printing an opt out form on a policy jacket could discourage opting out as the consumer would be forced to copy the form or cut it off of the jacket to use it. Regarding initial privacy notices that do not include an opt out, a covered entity that elects to include this notice on a policy jacket must ensure that the notice meets all requirements under the rule, again with particular attention to the requirement that the notice be clear and conspicuous.

§22.10(a). A commenter proposes insertion of "simplified" into this description since the order was changed from the national model rule.

Agency Response. The department agrees and has made this change.

§22.10(a). A commenter questioned the meaning of the reference to "this subsection" in §22.10(a)(1).

Agency Response. The reference to this subsection means §22.10(a).

§22.10(b)(8). A commenter inquires whether the department intends to issue a separate rule with regard to necessary security procedures, and whether a covered entity must obtain agreements from parties with which it contracts to establish that the third parties have security procedures in place.

Agency Response. A proposed model rule addressing specific security procedures for covered entities is currently under consideration at the national level. The department may accordingly propose a conforming rule in the future. In the interim, covered entities should develop and follow their own security procedures to prevent the unauthorized disclosure of protected information. A covered entity remains responsible for any unauthorized disclosure of information or other rule violations that occur through its relationships with third parties. Entities should use their own judgment to guide their practices in this area and take necessary action to ensure that third parties properly secure protected information. It should be noted that SB 712 (TIC Art. 20A.02(b)) requires nonaffiliated third parties, in relation to a covered entity, to comply with the privacy requirements of GLBA.

§22.11(c)(1). A commenter proposes insertion of "and" at the end of this paragraph as a connector.

Agency Response. The word "and" is already included at the end of §22.11(c)(1) as a connector to indicate that a covered entity must comply with (c)(1) and either (c)(2), (c)(3), or (c)(4).

§22.11(l). A commenter proposes removing the term "to conduct business electronically."

Agency Response. The department disagrees. A consumer must agree to conduct business with a covered entity electronically before the entity can require the consumer to use an electronic means to perform any act relating to the rule. The requested change could be interpreted to enable a covered entity to condition a consumer's ability to exercise his or her rights under the rule by requiring the consumer to do so only electronically.

§22.13(a). A commenter asks what obligation a covered entity assuming the business of other institutions has to send notices to consumers/customers for whom it has a name but not an address.

Agency Response. Section 22.13(a) requires covered entities to provide any notices that this subchapter requires in such a way that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. Section 22.13(b) describes ways entities may satisfy this requirement. The department will have to examine situations falling outside these parameters on a case-by-case basis. Certainly since a covered entity cannot share information without providing a reasonable opportunity to opt out, a covered entity should not share a consumer/customer's information if the entity has no address for the consumer/customer and knows it has not contacted the consumer/customer.

§22.13(b)(3). A commenter proposes placing the connector "or" at the end of this paragraph. Agency Response. The department agrees and has made this change.

§22.15. A commenter proposes replacing "and" with "or" in subsections (a) and (c) - (f).

Agency Response. The department disagrees. Compliance with each of these provisions is mandatory. §22.16(b). Two commenters propose that a covered entity should be permitted to provide account numbers to service providers for marketing purposes as long as the service provider is not authorized to directly initiate charges to the account.

Agency Response. The department agrees that this comment is consistent with the national model rule and has made this change. Transactions of this type would fall under §22.17, which establishes standards for contractual limitation of a third party's use of nonpublic personal financial information disclosed to it by a covered entity.

§22.17. A commenter inquires whether a covered entity may share information with a joint employee without concern for the opt out requirements of GLBA.

Agency Response. The department believes that a covered entity that shares information with a joint employee in compliance with the rule is in compliance with the privacy requirements of GLBA.

§22.17(a). A commenter inquires as to the steps a covered entity must take to assure that a joint marketer or other shared servicer does not use shared information for purposes unrelated to the contract or other permitted use.

Agency Response. Section 22.17(a)(2) requires the covered entity to enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the covered entity disclosed the information, including use under an exception in §22.18 and §22.19 in the ordinary course of business to carry out those purposes. If an entity shares information with another financial institution, the covered entity must also comply with §22.17(b) as well.

§22.17(a)(2) and §22.17(b). A commenter proposes replacing "and" with "or" in §22.17(a)(2) and (b).

Agency Response. Replacement of "and" with "or" within §22.17(a)(2) would have no effect on the rule's meaning. Moreover, the word "and" is not used in §22.17(b).

§22.17(c). A commenter asks which exception covers a data processing company's handling of statements and other materials for an insurance company, if the statements include marketing materials.

Agency Response. Section 22.17(c) states that "[t]he services a nonaffiliated third party performs for a covered entity under subsection (a) of this section may include marketing of (the covered entity's own products or services...." (emphasis added). The described transaction appears to involve an insurer using a third party firm both to market to its customers and to deliver statements and other customary business documents. This type of transaction is within the scope of the rule and would require appropriate compliance under this section.

§§22.18(b) & 22.18(c)(2)(C). A commenter believes these exceptions must be expanded to permit a covered entity to share with a policyholder or policyholder's representative specific protected financial information about claims asserted by consumers under a commercial liability or workers' compensation policy.

Agency Response. The department disagrees that this expansion is necessary. Disclosure of information to workers' compensation and commercial liability policyholders regarding details of the claims made against them would be considered to be integral to servicing or processing the claim made by the consumer and thus already permitted under the existing exemption in §22.18. Additionally, TIC Art. 5.65A(a) mandates that carriers notify workers' compensation policyholders of any claim filed against the policy, proposals to settle a claim, and, upon policyholder request, any administrative or judicial proceeding relating to the resolution of a claim. TIC Art. 5.65A(b) requires carriers, again upon policyholder request, to provide policyholders with a list of claims charged against the policy, payments made and reserves established on each claim, and a statement explaining the effect of claims on premium rates. The department reminds covered entities, however, that any such disclosure must be limited to information necessary to process the claim, and the recipient must use the information only for the purpose for which it was disclosed. To the extent that such information is requested to aid in replacement of coverage, see comment regarding §22.19(a)(14).

§22.18(c)(2)(B). A commenter believes the exception must be expanded to include the term "adjust."

Agency Response. The department disagrees that this expansion is necessary. Adjustment of a claim is commonly understood to be included within the administration and processing of a claim.

22.18(c)(2)(E). A commenter believes expansion of this exception is necessary to include specific actions relating to the payments of claims to claimants and beneficiaries.

Agency Response. The department disagrees that this expansion is necessary. The acts of adjusting, settling, or paying insurance claims are commonly understood to be included within the administration and processing of a claim.

§22.18(c)(2)(E). A commenter believes expansion of this exception is necessary to allow specific financial information about a workers' compensation or third party claimant to be shared at the request of a policyholder in order to underwrite insurance at the policyholder's request.

Agency Response. The department disagrees that this expansion is necessary. TIC Art. 5.65A(b) requires carriers, upon policyholder request, to provide policyholders with a list of claims charged against the policy, payments made and reserves established on each claim, and a statement explaining the effect of claims on premium rates. The department reminds covered entities, however, that any such disclosure must be limited to information necessary to achieve the purpose for which it was disclosed, and the recipient must use the information only for that purpose as well. A covered entity can facilitate the underwriting process for policies of this nature, without need of specific exception, by disclosing only claim information that does not identify or provide a means to identify individual claimants under the policy. The department also notes that the Texas Legislature has consistently taken a similar approach regarding disclosure of claim data; see TIC Art. 26.96(f) and HB 2146, 77th Texas Legislature.

§22.18(c)(2)(F)(ii). A commenter believes that expansion of this exception is necessary to allow the collection of debts by a covered entity in connection with processing a claim by a workers' compensation or third party claimant.

Agency Response. The department disagrees that this expansion is necessary. Disclosure of information to workers' compensation and commercial liability policyholders for retroactive billing purposes would be a part of servicing or processing the claim made by the consumer and thus covered under the exemption in §22.18(b). Additionally, TIC Art. 5.65A mandates such disclosure to workers' compensation policyholders at their request. The department reminds covered entities that any such disclosure must be limited to information necessary to the purpose of the exception, and the recipient must use the information only for the purpose for which it was disclosed.

§22.19(a)(14). A commenter requests that this exception be expanded to include replacement of an insurance policy under which a consumer's claim was asserted or paid.

Agency Response. The department declines to make this change. If required to aid the replacement process, a covered entity can disclose pertinent claim information, that is also protected financial information, in the aggregate, or in such other manner that does not identify or provide the means to identify individual claimants under a policy, to protect the identity of and other protected information about individual claimants. The rule provides flexibility for situations where an entity is being asked to cover a defined group. The requested change would expand the exception to include policies where the claimants are not known prior to the date of coverage. The department also notes that the Texas Legislature has consistently taken a similar approach regarding disclosure of claim data; see TIC Art. 26.96(f) and HB 2146, 77th Texas Legislature.

§22.21. A commenter suggests deletion of §22.21, arguing that it conflicts with Congress's exclusion of "usual, appropriate, or acceptable methods for insurance underwriting" from the scope of GLBA.

Agency Response. The department declines to make this change. The department disagrees with the commenter's assessment of the effect of this section. Section 22.21 does not prohibit "usual, appropriate, or acceptable methods" for insurance underwriting. It prohibits unfair methods of insurance underwriting. Accordingly, §22.21 does not conflict with GLBA's exception regarding appropriate insurance practices. Moreover, §22.21 is substantively identical to the antidiscrimination provision in the national model. Deleting the section would be detrimental to uniform state enforcement of GLBA.

§22.22(b). Several commenters recommend elimination of the reference to TIC Art. 21.21. Some commenters suggest that the reference to TIC Art. 21.21 in this subsection exceeds the department's statutory authority. Another commenter suggests that the provision is unnecessary as Chapters 82 & 84, TIC, contain adequate penalties. Another commenter suggests that if the reference remains, the department should add an amendment expressly prohibiting private causes of action for rule violations. Another commenter suggests that the reference puts insurers doing business in Texas at a competitive disadvantage vis-à-vis other financial service industries. Another commenter requests that this section be amended to clarify that the department is the sole source of remedy for violations. Another commenter supported the rule's incorporation of TIC Art. 21.21.

Agency Response. SB 712 directs the commissioner to adopt rules necessary to make Texas eligible, under GLBA, to override federal regulation. A second statutory provision directs the commissioner to attempt to keep state privacy requirements consistent with federal regulations adopted under GLBA. The legislative analysis of SB 712 references the NAIC privacy model regulation as a guide for the department's adoption of rules. The NAIC privacy model regulation specifically directs states to include their unfair trade practices act or other applicable state law as a remedy for violation of the rule.

While the proposal incorporated the TIC's unfair trade practices act as an enforcement mechanism, the department has deleted this subsection from the adopted rule, while retaining enforcement authority under other TIC chapters. Analysis of newly-enacted TIC Art. 28A.102 was the most critical factor in this determination. This section provides that in addition to departmental enforcement of GLBA, the attorney general, after conferring with the commissioner, may institute actions for injunctive or declaratory relief or for civil penalties in response to violations of TIC Chapter 28A. This specific enforcement authority for the attorney general, in addition to the department's authority under TIC Chapters 82, 83, & 84, provides an alternate statutory enforcement mechanism sufficient to comply with the Legislature's mandate to enforce GLBA in a manner consistent with federal regulations. In addition, this deviation from the specific penalty provisions of the model rule will not affect a covered entity's ability to comply with both the substantive provisions of the department's rule and the national model rule as adopted in other jurisdictions.

Since new TIC Art. 28A.102 specifically authorizes the attorney general to institute actions in response to violations of this chapter, the department disagrees with the comment that suggested it is the sole source of remedy for violations of the statute. The department also disagrees with the comment that suggested the inclusion of TIC Art. 21.21 in this subsection would have put insurers at a competitive disadvantage to other entities. The penalties available to federal regulators under GLBA are of comparable severity to those available under TIC Art. 21.21. See 12 USC §1818. It is also important to remember that TIC Art. 21.21 places no additional burden on covered entities in compliance with the rule, nor would it penalize inadvertent violators that are dealing in good faith with consumers. Finally, the department also disagrees with commenters that suggested that including TIC Art. 21.21 in the rule would create a private right of action. HB 668, enacted by the 74th Texas Legislature, amended TIC Art. 21.21 to delete the provision in Sec. 16 that gave rise to a private cause of action for a violation of departmental rules.

§22.24. A commenter requests that the compliance date for notices be extended for an additional 30 days. In the alternative, the commenter requests that extensions be considered on a case-by-case basis.

Agency Response. The department declines to extend the compliance date. The department does not have the authority to waive application of any rule on a case-by-case basis.

§22.26. A commenter recommends that the word "broker" be used in place of "agent."

Agency Response. The department declines to make the suggested change as neither the TIC nor any other rules in TAC Chapter 28 use or define the term "broker."

For: Office of Public Insurance Counsel.

For with changes: American Council of Life Insurers; American Family Life Assurance Company of Columbus; American Insurance Association; Alliance of American Insurers; American General Financial Group; Amerisure Companies; Alliance for Responsible Insurance Practices; Association of Fire and Casualty Companies of Texas; Independent Bankers Association of Texas; National Association of Independent Insurers; Sneed, Vine, & Perry; Texas Association of Insurance Officials; Texas Association of Life and Health Insurers; Viaticare; Texas Windstorm Insurance Association.

Against: Folksamerica Reinsurance Company.

Neither for nor against: Fulbright & Jaworski, LLP.

The new sections are adopted under the TIC Art. 28A.51 and §36.001. TIC Art. 28A.51 provides that the Commissioner shall adopt rules to implement this chapter, as well as any other rules necessary to carry out 15 U.S.C. Subchapter I, Chapter 94 (15 U.S.C. Section 6801 et seq.), as amended. TIC Section 36.001 provides that the Commissioner of Insurance may adopt rules to execute the duties and functions of the Texas Department of Insurance only as authorized by statute.

§22.1.Purpose and Scope.

(a) Purpose. This subchapter governs the treatment of nonpublic personal financial information about individuals by all covered entities. This subchapter:

(1) requires a covered entity to provide notice to individuals about its privacy policies and practices;

(2) describes the conditions under which a covered entity may disclose nonpublic personal financial information about individuals to nonaffiliated third parties; and

(3) provides methods for individuals to prevent a covered entity from disclosing that information to nonaffiliated third parties.

(b) Scope. This subchapter applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries, primarily for personal, family or household purposes, of products or services from covered entities. This subchapter does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.

§22.2.Definitions.

The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.

(1) Affiliate--Any company that controls, is controlled by, or is under common control with another company.

(2) Agent--As set forth in the Insurance Code, Articles 9.36, 9.36A, and 21.02.

(3) Authorization--As set forth in the Insurance Code, Section 82.001.

(4) Clear and conspicuous--A notice which is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(5) Collect--To obtain information that the covered entity organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

(6) Commissioner--The Commissioner of Insurance.

(7) Company--A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or other similar organization.

(8) Consumer--An individual or that individual's representative who seeks to obtain, obtains or has obtained an insurance product or service from a covered entity that is to be used primarily for personal, family or household purposes, and about whom the covered entity has nonpublic personal financial information.

(9) Consumer reporting agency--As defined in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(10) Control--Includes the terms "controls," "controlled by," and "under common control," and has the meaning assigned that term by the Insurance Code, Article 21.49-1, Section 2(d).

(11) Covered entity--An individual or entity who receives an authorization from the Texas Department of Insurance. The term includes any individual or entity described by the Insurance Code, Section 82.002.

(12) Customer--A consumer who has a customer relationship with a covered entity.

(13) Customer relationship--A continuing relationship, as described in §22.5 of this subchapter (relating to Determination of Continuing Relationship), between a consumer and a covered entity under which the covered entity provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.

(14) Financial institution--Any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:

(A) any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(B) the Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(C) institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal financial information to a nonaffiliated third party.

(15) Financial product or service--Any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.

(16) Health care--

(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that:

(i) relates to the physical, mental or behavioral condition of an individual; or

(ii) affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; or

(B) prescribing, dispensing or furnishing drugs or biologicals, or medical devices or health care equipment and supplies to an individual.

(17) Health care provider--A physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with state law, or a health care facility.

(18) Health information--Any information or data except age or gender, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer that relates to:

(A) the past, present or future physical, mental or behavioral health or condition of an individual;

(B) the provision of health care to an individual; or

(C) payment for the provision of health care to an individual.

(19) Insurance product or service--Any product or service that is offered by a covered entity pursuant to the Insurance Code and other insurance laws of this state. Insurance service includes a covered entity's evaluation, brokerage or distribution of information that the covered entity collects in connection with a request or an application from a consumer for an insurance product or service.

(20) Nonaffiliated third party--An entity that is not an affiliate of, or related to by common ownership or affiliated by corporate control with, the covered entity. The term does not include a joint employee of the entity.

(21) Nonpublic personal financial information--Information which:

(A) includes:

(i) personally identifiable financial information;

(ii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available; and

(iii) any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.

(B) does not include:

(i) health information;

(ii) publicly available information unless it is derived from a non-public source as described in subparagraphs (A)(ii) and (A)(iii) of this paragraph;

(iii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available; and

(iv) any list of individuals' names and addresses that:

(I) contains only publicly available information,

(II) is wholly derived using personally identifiable financial information that is publicly available, and

(III) does not disclose that any of the individuals on the list is a consumer of a financial institution.

(22) Opt out--A direction by the consumer that the covered entity not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions), and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information).

(23) Personally identifiable financial information--

(A) The term includes:

(i) any information a consumer provides to a covered entity to obtain an insurance product or service from the covered entity;

(ii) any information about a consumer resulting from a transaction involving an insurance product or service between a covered entity and a consumer;

(iii) any information the covered entity otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer;

(iv) account balance information and payment history;

(v) the fact that an individual is or has been one of the covered entity's customers or has obtained an insurance product or service from the covered entity;

(vi) any information about the covered entity's consumer if it is disclosed in a manner that indicates that the individual is or has been the covered entity's consumer;

(vii) any information that a consumer provides to a covered entity or that the covered entity or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;

(viii) any information the covered entity collects through an information-collecting device from an Internet web server; and

(ix) information from a consumer report.

(B) The term does not include:

(i) health information;

(ii) a list of names and addresses of customers of an entity that is not a financial institution; and

(iii) information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.

(24) Publicly available information--Any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from:

(A) federal, state or local government records;

(B) widely distributed media; or

(C) disclosures to the general public that are required to be made by federal, state or local law.

§22.4.Determination of Consumer Status.

(a) The term consumer includes, but is not limited to:

(1) an individual who provides nonpublic personal financial information to a covered entity in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service regardless of whether the covered entity establishes an ongoing relationship.

(2) an applicant for insurance prior to the inception of insurance coverage.

(3) an individual, if the covered entity discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), and:

(A) the individual is a beneficiary of a life insurance policy underwritten by the covered entity;

(B) the individual is a claimant under an insurance policy issued by the covered entity;

(C) the individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the covered entity; or

(D) the individual is a mortgagor of a mortgage covered under a mortgage insurance policy.

(b) Examples of when individuals will not be considered consumers of a covered entity:

(1) an individual who is a consumer of another financial institution is not a covered entity's consumer solely because the covered entity is acting as agent for, or provides processing or other services to, that financial institution.

(2) an individual is not a covered entity's consumer solely because he or she is a beneficiary of a trust for which the covered entity is a trustee.

(3) an individual is not a covered entity's consumer solely because he or she has designated the covered entity as trustee for a trust.

(c) Special requirements for employee benefit plans, group or blanket insurance policies, group annuity contracts, or workers' compensation policies.

(1) An individual who is a participant or a beneficiary of an employee benefit plan that a covered entity administers or sponsors or for which the covered entity acts as a trustee, insurer or fiduciary is not the consumer of a covered entity that:

(A) provides all initial, annual and revised notices required by this subchapter to the employer or other entity establishing the plan; and

(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.

(2) An individual who is covered under a group or blanket insurance policy or group annuity contract issued by a covered entity is not the consumer of a covered entity that:

(A) provides all initial, annual and revised notices required by this subchapter to the policyholder or contractholder; and

(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.

(3) An individual that is a claimant under or beneficiary of a workers' compensation policy issued by a covered entity is not the consumer of a covered entity that:

(A) provides all initial, annual and revised notices required by this subchapter to the plan participant; and

(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.

(d) An individual described in subsection (c) of this section is the consumer of a covered entity that does not comply with the applicable notice and nondisclosure requirements of that subsection.

(e) In no event shall an individual, solely by virtue of his status described in subsection (c) of this section, be deemed to be the customer of a covered entity for purposes of this subchapter.

§22.5.Examples of Continuing Relationship.

(a) The following examples illustrate situations where a consumer has a continuing relationship with a covered entity:

(1) the consumer is a current policyholder of an insurance product issued by or through the covered entity; or

(2) the consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the covered entity for a fee.

(b) The following examples illustrate situations where a consumer does not have a continuing relationship with a covered entity:

(1) the consumer applies for insurance but does not purchase the insurance;

(2) the covered entity sells the consumer insurance in an isolated transaction involving single-event types of coverage including, but not limited to, auto rental liability, travel, and short-term non-resident auto liability insurance;

(3) the individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity;

(4) the consumer is a beneficiary or claimant under a policy even though the consumer has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the covered entity;

(5) the consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;

(6) the customer's policy is lapsed, expired, or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;

(7) the individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or

(8) the individual's last known address according to the covered entity's records is deemed invalid, which occurs when:

(A) mail sent to that address by the covered entity has been returned by the postal authorities as undeliverable, and

(B) subsequent attempts by the covered entity to obtain a current valid address for the individual have been unsuccessful.

§22.9.Annual Privacy Notice.

(a) A covered entity shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. "Annually" means at least once in any period of 12 consecutive months during which that relationship exists. A covered entity may define the 12-consecutive-month period, but the covered entity shall apply it to the customer on a consistent basis. A covered entity provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the covered entity provided the initial notice. For example, if a customer opens an account on any day of year 1, the covered entity shall provide an annual notice to that customer by December 31 of year 2.

(b) A covered entity is not required to provide an annual notice to a former customer. A former customer is an individual with whom a covered entity no longer has a continuing relationship.

(1) A covered entity no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity.

(2) A covered entity no longer has a continuing relationship with an individual if the individual's policy is lapsed, expired or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials.

(3) For the purposes of this subchapter, a covered entity no longer has a continuing relationship with an individual if:

(A) the covered entity sends mail to the individual's last known address, according to the covered entity's records, and the postal authorities return that mail as undeliverable, and

(B) subsequent attempts by the covered entity to obtain a current valid address for the individual are unsuccessful.

(4) A covered entity no longer has a continuing relationship with a customer, in the case of providing real estate settlement services, at the later of the following events:

(A) the customer completes execution of all documents related to the real estate closing;

(B) payment for those services has been received; or

(C) the covered entity has completed all of its responsibilities with respect to the settlement, including filing documents in the public record.

(c) A covered entity shall deliver any annual privacy notices required by this section according to §22.13 of this title (relating to Delivery).

§22.10.Information to be Included in Privacy Notices.

(a) Simplified nondisclosure notice requirements. A covered entity that does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to nonaffiliated third parties except as authorized under §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), may comply with this subchapter by providing a simplified notice which expresses:

(1) the nondisclosure policy stated in this subsection, and

(2) the information required by subsections (b)(1), (b)(8), (b)(9), and (c) of this section.

(b) Disclosure notice requirements. The initial, annual and revised privacy notices that a covered entity provides under §22.8 of this title (relating to Initial Privacy Notice), §22.9 of this title (relating to Annual Privacy Notice) and §22.12 of this title (relating to Revised Privacy Notices) shall include the following items of information, in addition to any other information the covered entity wishes to provide, that applies to the covered entity and to the consumers to whom the covered entity sends its privacy notice.

(1) The categories of nonpublic personal financial information that the covered entity collects. A covered entity satisfies the requirement to categorize the nonpublic personal financial information it collects when the covered entity categorizes it according to the source of the information, as applicable, including:

(A) information from the consumer;

(B) information about the consumer's transactions with the covered entity or its affiliates;

(C) information about the consumer's transactions with nonaffiliated third parties; and

(D) information from a consumer reporting agency.

(2) The categories of nonpublic personal financial information that the covered entity discloses.

(A) A covered entity satisfies the requirement to categorize nonpublic personal financial information it discloses when the covered entity categorizes the information according to source, as described in paragraph (1) of this subsection, as applicable, and provides examples to illustrate the types of information in each category, such as:

(i) information from the consumer, including application information (such as assets and income) and identifying information (such as name, address and social security number);

(ii) transaction information (such as information about balances, payment history and parties to the transaction); and

(iii) information from consumer reports (such as a consumer's creditworthiness and credit history).

(B) A covered entity does not adequately categorize the information that it discloses when the covered entity uses only general terms (such as transaction information about the consumer).

(C) A covered entity that reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects may state that fact without describing the categories or examples of nonpublic personal financial information that the covered entity discloses.

(3) The categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information, other than those parties to whom the covered entity discloses information under §§22.18 and 22.19 of this title.

(4) The categories of nonpublic personal financial information about the covered entity's former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information about the covered entity's former customers, other than those parties to whom the covered entity discloses information under §§22.18 and 22.19 of this title.

(5) A separate description of the categories of information the covered entity discloses and the categories of third parties with whom the covered entity has contracted, if the covered entity discloses nonpublic personal financial information to a nonaffiliated third party under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) and no other exception in §§22.18 and 22.19 of this title applies to that disclosure.

(6) An explanation of the consumer's right under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.

(7) Any disclosures that the covered entity makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).

(8) The covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information. A covered entity provides an adequate description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:

(A) describes in general terms who is authorized to have access to the information; and

(B) states whether the covered entity has security practices and procedures in place to ensure the confidentiality of the information in accordance with the covered entity's policy. The covered entity is not required to describe technical information about the safeguards it uses.

(9) Any disclosure that the covered entity makes under subsection (c) of this section.

(c) Description of parties subject to exceptions. A covered entity that discloses nonpublic personal financial information as authorized under §§22.18 and 22.19 of this title is not required to list those exceptions in the initial or annual privacy notices required by §§22.8 and 22.9 of this title. When describing the categories of parties to whom disclosure is made, the covered entity shall state that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.

(d) Appropriate methods of categorizing affiliates and nonaffiliated third parties.

(1) A covered entity satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the covered entity discloses nonpublic personal financial information about consumers if the covered entity identifies the types of businesses in which they engage.

(2) Types of businesses may be described by general terms only if the covered entity uses illustrative examples of significant lines of business. For example, a covered entity may use the term "financial products or services" if the notice includes appropriate examples of significant lines of such businesses or services, such as life insurer, automobile insurer, consumer banking or securities brokerage.

(3) A covered entity also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.

(e) Disclosures under exception for service providers and joint marketers. A covered entity that discloses nonpublic personal financial information under the exception in §22.17 of this title to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution satisfies the disclosure requirement of subsection (b)(5) of this section if it:

(1) lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the covered entity used to meet the requirements of subsection (a)(2) of this section, as applicable; and

(2) states whether the third party is:

(A) a service provider that performs marketing services on the covered entity's behalf or on behalf of the covered entity and another financial institution; or

(B) a financial institution with whom the covered entity has a joint marketing agreement.

(f) Short-form initial notice with opt out notice for non-customers.

(1) A covered entity may satisfy the initial notice requirements in §22.8(a)(2) and §22.11(c) of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the covered entity delivers an opt out notice as required in §22.11 of this title.

(2) A short-form initial notice shall:

(A) be clear and conspicuous;

(B) state that the covered entity's privacy notice is available upon request; and

(C) explain a reasonable means by which the consumer may obtain that notice.

(3) The covered entity shall deliver its short-form initial notice according to §22.13 of this title (relating to Delivery). The covered entity is not required to deliver its privacy notice with its short-form initial notice. The covered entity instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the covered entity's short-form notice requests the covered entity's privacy notice, the covered entity shall deliver its privacy notice according to §22.13 of this title.

(4) The covered entity provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the covered entity:

(A) provides a toll-free telephone number that the consumer may call to request the notice; or

(B) for a consumer who conducts business in person at the covered entity's office, maintains copies of the notice on hand that the covered entity provides to the consumer immediately upon request.

(g) Reservation of right to disclose. The covered entity's notice may include:

(1) categories of nonpublic personal financial information that the covered entity reserves the right to disclose in the future, but does not currently disclose; and

(2) categories of affiliates or nonaffiliated third parties to whom the covered entity reserves the right in the future to disclose, but to whom the covered entity does not currently disclose, nonpublic personal financial information.

(h) Forms. A covered entity may use the forms provided in §22.26 of this title (relating to Forms), as applicable, to meet the requirements of this section as follows:

(1) Form Number FNPRV INFO/COL provided at Figure 1 of §22.26(b)(1) of this title is intended to meet the requirement of subsection (b)(1) of this section to describe the categories of nonpublic personal financial information the covered entity collects.

(2) Form Number FNPRV INFO/DSC provided at Figure 2 of §22.26(b)(1) of this title is intended to meet the requirement of subsection (b)(2) of this section to describe the categories of nonpublic personal financial information the covered entity discloses. The covered entity may use these clauses if it discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.

(3) Form Number FNPRV INFO/NODSC provided at Figure 3 of §22.26(b)(3) of this subchapter is intended to meet the requirements of subsections (b)(2), (3), and (4) of this section to describe the categories of nonpublic personal financial information about customers and former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses this information. A covered entity may use this clause if the covered entity does not disclose nonpublic personal financial information to any party, other than as permitted by the exceptions in §§22.18 and 22.19 of this title.

(4) Form Number FNPRV INFO/TPDSC provided at Figure 4 of §22.26(b)(4) of this title is intended to meet the requirements of subsection (b)(3) of this section to describe the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information. A covered entity may use this clause if the covered entity discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.

(5) Form Number FNPRV INFO/SPJMDSC provided at Figure 5 of §22.26(b)(5) of this title is intended to meet the requirements of subsection (b)(5) of this section related to the exception for service providers and joint marketers in §22.17 of this title. If a covered entity discloses nonpublic personal financial information under this exception, the covered entity shall describe the categories of nonpublic personal financial information the covered entity discloses and the categories of third parties with which the covered entity has contracted.

(6) Form Number FNPRV INFO/OPT provided at Figure 6 of §22.26(b)(6) of this title is intended to meet the requirements of subsection (b)(6) of this section to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. A covered entity may use this clause if the covered entity discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.

(7) Form Number FNPRV INFO/SEC provided at Figure 7 of §22.26(b)(7) of this subchapter is intended to meet the requirements of subsection (b)(8) of this section to describe the covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.

§22.13.Delivery.

(a) How to provide notices. A covered entity shall provide any notices that this subchapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

(b) Examples of reasonable expectation of actual notice. A covered entity satisfies the reasonable expectation that a consumer will receive actual notice if the covered entity:

(1) hand-delivers a printed copy of the notice to the consumer;

(2) mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication;

(3) for a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service; or

(4) for an isolated transaction with a consumer, such as the covered entity providing an insurance quote or selling the consumer single-event types of coverage including, but not limited to, auto rental liability, travel, and short-term non-resident auto liability insurance, presents the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.

(c) Examples of unreasonable expectation of actual notice. A covered entity has not met the reasonable expectation that a consumer will receive actual notice of its privacy policies and practices if it:

(1) only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or

(2) sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the covered entity electronically.

(d) Annual notices only. A covered entity satisfies the reasonable expectation that a customer will receive actual notice of the covered entity's annual privacy notice if:

(1) the customer uses the covered entity's Web site to access insurance products and services electronically and agrees to receive notices at the Web site and the covered entity posts its current privacy notice continuously in a clear and conspicuous manner on the Web site; or

(2) the customer has requested that the covered entity refrain from sending any information regarding the customer relationship, and the covered entity's current privacy notice remains available to the customer upon request.

(e) Oral description of notice insufficient. A covered entity may not provide any notice required by this subchapter solely by orally explaining the notice, either in person or over the telephone.

(f) Retention or accessibility of notices for customers.

(1) For customers only, a covered entity shall provide the initial notice required by §22.8(a)(1) of this title (relating to Initial Privacy Notice), the annual notice required by §22.9(a) of this title (relating to Annual Privacy Notice), and the revised notice required by §22.12 of this title (relating to Revised Privacy Notices) so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.

(2) A covered entity provides a privacy notice to the customer so that the customer can retain it or obtain it later if the covered entity:

(A) hand-delivers a printed copy of the notice to the customer;

(B) mails a printed copy of the notice to the last known address of the customer; or

(C) makes its current privacy notice available on a Web site (or a link to another Web site) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the Web site.

(g) Joint notice with other financial institutions. A covered entity may provide a joint notice from the covered entity and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the covered entity and the other institutions. A covered entity also may provide a notice on behalf of another financial institution.

(h) Joint relationships. If two or more consumers jointly obtain an insurance product or service from a covered entity, the covered entity may satisfy the initial, annual and revised notice requirements of §§22.8(a), 22.9(a), and 22.12(a) of this title, respectively, by providing one notice to those consumers jointly.

§22.16.Limits on Sharing Account Number Information for Marketing Purposes.

(a) A covered entity shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

(b) Subsection (a) of this section does not apply if a covered entity discloses a policy number or similar form of access number or access code:

(1) to a service provider, including another covered entity, solely for the purpose of marketing the sharing covered entity's own products or services, so long as the receiving covered entity is not authorized to initiate charges directly to the account; or

(2) to a participant in an affinity or similar program as set forth in 12 CFR §40.12(b)(2), 12 CFR §216.12(b)(2), 12 CFR §332.12(b)(2), 12 CFR §573.12(b)(2), and 12 CFR §716.12(b)(2), where the participants in the program are identified to the customer when the customer enters into the program.

(c) A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, so long as the covered entity does not provide the recipient with a means to decode the number or code.

(d) For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.

§22.22.Violation.

A violation of any section of this subchapter shall subject the covered entity to the disciplinary and enforcement sanctions and penalties provided in the Insurance Code, Chapters 28A, 82, 83, and 84.

This agency hereby certifies that the adoption has been reviewed by legal counsel and found to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on November 27, 2001.

TRD-200107304

Lynda Nesenholtz

General Counsel and Chief Clerk

Texas Department of Insurance

Effective date: December 17, 2001

Proposal publication date: July 27, 2001

For further information, please call: (512) 463-6327