28 TAC §§22.1 - 22.26
The Commissioner of Insurance adopts new §§22.1
- 22.26, concerning privacy of nonpublic personal financial information provided
by consumers to insurers and other covered entities regulated by the Department.
New §§22.1, 22.2, 22.4, 22.5, 22.9, 22.10, 22.13, 22.16, and 22.22
are adopted with changes to the proposed text published in the
Texas Register
(26 TexReg 5593). New §§22.3, 22.6 - 22.8,
22.11, 22.12, 22.14, 22.15, 22.17 - 22.21 & 22.23 - 22.26 are adopted
without changes and will not be republished.
The new adopted rules are necessary to implement the provisions of Senate
Bill 712, 77th Texas Legislature (Texas Insurance Code (TIC) Art. 28A.01 et
seq.), which requires covered entities (and certain of their affiliates) to
comply with the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C §6801 et seq.)
privacy provisions. SB 712 also directs the commissioner to implement the
chapter by adopting rules necessary to make the State of Texas eligible, under
Title V of GLBA, to override federal regulation, as well as to attempt to
keep state privacy requirements consistent with federal regulations adopted
under GLBA. This direction is consistent with the GLBA requirement that the
various agencies enforcing GLBA coordinate with similarly situated agencies
to assure, to the extent possible, that the regulations prescribed to enforce
GLBA remain consistent and comparable. 15 USC §6804. The legislative
analysis of SB 712 references the NAIC privacy model regulation as a guide
for the department's adoption of rules.
The Texas Senate bill analysis, in pertinent part, states that "Senate
Bill 712 requires insurers and other entities regulated by the Texas Department
of Insurance to comply with requirements of GLBA and requires the commissioner
of insurance to adopt rules consistent with GLBA based on the NAIC (National
Association of Insurance Commissioners) privacy model." The adopted sections,
while based on the NAIC model rule, have been clarified in certain sections
for greater ease in reading. The adopted sections set forth the requirements
that insurers and other covered entities must meet in structuring their consumer
financial practices to comply with GLBA and SB 712. Specifically, the rules
provide the notice requirements, as well as other procedures that insurers
and other covered entities must follow with regard to nonpublic personal financial
information collected about a consumer.
Section 22.1 was changed to delete a reference to sharing information with
affiliates, as these rules do not prohibit the sharing of information with
affiliates. Section 22.2 was changed to delete a sentence from the definition
of consumer that was not included in the national model rule, and to make
a clarifying grammatical change to the definition of health care. Section
22.4 was changed to add the term "claimant under" to the list of persons affected
by a policy of workers' compensation insurance issued subject to the rule
and in order to clarify a term. Section 22.5 was changed to reflect that the
situations it details are exemplary. Section 22.9 was changed to achieve consistency
with the standards for a continuing relationship in §22.5. Section 22.10
was changed to clarify that the rule does not prohibit information sharing
with affiliates and to make nonsubstantive grammatical corrections. Section
22.13 was changed to clarify that certain compliance options are alternative.
Section 22.16 was changed to clarify that a covered entity is permitted to
provide account numbers to service providers for marketing purposes as long
as the service provider is not authorized to directly initiate charges to
the account. Section 22.22 was changed to conform more closely to legislative
intent by deleting references to enforcement under TIC Art. 21.21.
General. Several commenters noted that the rule is not identical to the
national model rule.
Agency Response. The department agrees that the rule is not identical to
the national model rule. As noted in the preamble to the proposed rule, some
definitions differ from those in the model rule because the proposal incorporated
specific definitions contained in SB 712, as well as in other sections of
the TIC. For example, the proposal used "covered entity," as defined in SB
712, in place of the model rule's term "licensee." Other deviations occur
because parts of the model rule were ambiguous or confusing. The department
has crafted the rule, however, to maintain substantive consistency with the
model rule. As part of the effort to maintain congruity, the department discussed
changes with a representative of the national organization that promulgated
the model rule. Where appropriate, as indicated in responses to other comments,
the department has changed some portions of the proposed rule to correct unintended
substantive deviations from the model rule.
Rules of construction & use of examples. A commenter recommends the
use of the example format and the "rule of construction" contained in the
national model rule which provides that compliance with an example or sample
clause set forth in the rule constitutes compliance.
Agency Response. The department agrees that the rule's format differs from
the national model rule so that some items identified as examples in the model
rule no longer appear as examples in this rule. In preparing the rule for
proposal, the department determined that some of the "examples" used in the
definition section of the model rule were actually substantive requirements,
rather than examples or definitions. Accordingly, the department rephrased
these items and placed them in the body of the rule. Where appropriate, however,
the department retained the actual examples from the model rule. Despite the
modification of some items no longer specifically labeled as examples, compliance
with such provisions is indicative of compliance with the rule. Moreover,
the department has, in accordance with the commenter's suggestion, restored
the use of examples in §22.5 (concerning Examples of Continuing Relationships).
Compliance in other jurisdictions. A commenter recommends a provision stating
that a covered entity domiciled in Texas in compliance with this rule is deemed
to be in compliance with GLBA as to any other jurisdiction in which it does
business.
Agency Response. The department declines to make this change. As the commenter
recognizes, such a provision would not be enforceable. Art. 21.21-9, Sec.
5. Two commenters ask whether compliance with this rule will constitute compliance
with TIC Art. 21.21-9, Sec. 5.
Agency Response. TIC Art. 21.21-9, Sec. 5 sets out two elements required
before a person may disclose "nonpublic customer information" to a third party
for the purpose of another's sale or solicitation of the purchase of insurance:
clear and conspicuous disclosure regarding the proposed use of the information,
and an opportunity for the customer to object before the use of the information
for that purpose. The department believes compliance with the opt out requirements
of this rule will provide the required "opportunity to object"; the question
remaining is whether the notices required under this rule will provide the
required "clear and conspicuous disclosure." The answer lies in a comparison
of the sets of information protected by the two laws. Each covered entity
will have to examine its internal policies to determine whether the "nonpublic
customer information" it collects is wholly contained within the scope of
the "nonpublic personal financial information" it collects. If so, the entity's
compliance with this rule would satisfy the conditions of TIC Art. 21.21-9.
To the extent the sets of information are different, however, the covered
entity will need to go beyond the requirements of this rule to satisfy TIC
Art. 21.21-9 standards. A covered entity may, however, comply with both laws
through a single opt out notice by disclosing that the opt out opportunity
applies to both sets of protected information. It is also important to note
that TIC Art. 21.21-9 prohibits disclosure to any third party without distinction
between affiliates and nonaffiliates. GLBA, and this rule, on the other hand,
permit disclosure to affiliates without customer consent, and thus supersede
TIC Art. 21.21-9, Sec. 5, to the extent it prohibits such disclosure.
Chapter 28B of TIC relating to health information. A commenter notes that
Chapter 28B of the Texas Insurance Code makes health privacy requirements
applicable to all covered entities including viatical settlement companies
even though such companies are not subject to the Health Insurance Portability
and Accessibility Act (HIPAA) privacy requirements.
Agency Response. This rule addresses only nonpublic personal financial
information collected and held by covered entities. "Health information" is
defined in the rule only to differentiate such information from financial
information. SB 11, enacted by the 77th Texas Legislature, created new Chapter
28B of the TIC which addresses privacy of health information held by covered
entities. SB 11 becomes effective in January of 2002. The department will
propose a separate rule to implement SB 11 addressing the privacy of nonpublic
personal health information and the commenter will be able to submit comments
to that rule.
HIPAA. A commenter asks for clarification about the interplay between this
rule and the HIPAA privacy rules.
Agency Response. An HMO, insurer, or any other covered entity that is subject
to the HIPAA privacy rules will need to comply with both sets of rules once
the HIPAA privacy rules become effective in April 2003. Since the two schemes
address the protection of personal information differently, this may create
conflicts. For example, the HIPAA rules state that items such as a person's
name, address, social security number, and payment history can constitute
individually identifiable health information. HIPAA will thus prohibit disclosure
of such information unless the release is pursuant to an individual's express
consent or a specific exception. Under the financial privacy requirements
of GLBA, however, this same information can be considered to be financial
information, subject to an "opt out" standard. As of this date, federal authorities
responsible for compliance with HIPAA and GLBA have issued no guidance as
to how they will resolve such conflicts facing entities subject to both sets
of rules. The department will continue to monitor this issue as the compliance
date for the HIPAA privacy rules approaches and provide information as it
becomes available.
§22.1(a). A commenter asks if an individual may affirmatively "opt
out" of information sharing that is permitted under GLBA.
Agency Response. This rule does not require a covered entity, simply because
of an individual's contrary direction, to refrain from disclosing nonpublic
personal financial information as permitted under the rule. The response to
this comment is specifically limited to the requirements of these adopted
rules; other laws may prohibit similar disclosure in specific situations.
§22.1(a). A commenter feels that the applicability of the rule to
viatical settlement companies is contrary to Title V of GLBA because Title
V does not delegate enforcement of the non-insurance business of viaticals
to state insurance regulators. The commenter notes that viatical settlement
companies are subject to the privacy requirements of GLBA. The commenter is
concerned that the rule creates a dual system of regulation which will impact
the offers provided to Texas viatical settlement customers.
Agency Response. SB 712 creates TIC Art. 28A.02(a), which states that "A
covered entity shall comply with 15 USC §§6802 and 6803 [the notice
and disclosure requirements for protected financial information under GLBA]
as amended, in the same manner as a financial institution under those sections."
A covered entity is defined by SB 712 as an individual or entity that receives
an authorization from the department and includes any individual or entity
described by TIC §82.002. Viatical settlement companies fit squarely
under this definition (TIC Art. 3.50-6A). The Legislature clearly intended
SB 712 and the rule to apply to viatical settlement companies. The rule treats
viatical settlement companies no differently than other entities, such as
banks, which are subject to regulation by more than one agency. The department
reminds any persons subject to TIC Art. 3.50-6A (Viatical Settlements and
Life Settlements) that this rule does not alter any other legal obligations
to which they may be subject.
§§22.1(a)(2) & 22.10(a). A commenter suggests deletion of
the reference to affiliates in this paragraph and subsection, since the rule
does not address the sharing of information with affiliates.
Agency Response. The department agrees and has made this change. This rule
was adapted from an NAIC Model Regulation concerning privacy of both financial
and health information. Since this rule deals only with financial privacy,
the references to "affiliates" in this subsection are incorrect. The rule
does not require a covered entity sharing nonpublic personal financial information
with an affiliate to provide a consumer/customer either notice or an opportunity
to "opt out."
§22.1(b). A commenter asks if the rule applies to a collateral protection
insurer that covers a creditor and/or a consumer under the Texas Credit Code.
The commenter notes that this type of insurance "is designed explicitly to
protect the interests of the lender."
Agency Response. The rule applies to covered entities providing collateral
protection insurance. The department is unaware of any policy of collateral
protection insurance that does not convey a benefit, or "service," to a borrower
under the policy, thus making the borrower a consumer or customer under the
rule. Under the rule, receipt of an insurance "service" creates customer status.
The fact that the creditor may be the actual purchaser of the insurance does
not void the borrower's consumer or customer status.
§§22.1(b) & 22.4. Several commenters urge that references
to claimants, beneficiaries, workers' compensation plan participants, and
beneficiaries in a workers' compensation plan, be deleted from these sections.
Agency Response. The department declines to make this suggested change.
SB 712 requires the department to adopt rules that implement the requirements
of GLBA in a way that balances the protection of Texas citizens with an emphasis
on consistent state enforcement nationwide. The department accomplished this
end by proposing a rule based on the national model rule for insurance regulation,
as referenced in the Senate bill analysis to SB 712. The national model rule
includes within its scope claimants, beneficiaries, and workers' compensation
plan participants. Additionally, the department believes that all individuals
who use insurance products or services primarily for personal, family or household
purposes - including claimants and beneficiaries - should receive the same
privacy protections as traditional consumers who have direct relationships
with licensees. The right to financial privacy should not be diminished simply
because an individual receives an insurance benefit through a policy held
by another person or a commercial enterprise. Specifically, the department
disagrees with the commenters regarding the nature of workers' compensation
insurance. It is important to recognize the rule's distinction between insurance
products and services. While a business generally purchases a workers' compensation
insurance policy for a commercial purpose, an injured worker's receipt of
a workers' compensation insurance benefit serves a personal, family, or household
purpose, similar to an individual's receipt of a disability insurance benefit.
Because of the commercial nature of the policyholder's contract with the covered
entity, the rule, in accordance with the national model, does place simpler
requirements on covered entities providing workers' compensation insurance
and some other group coverages than the rule's general requirement for other
types of coverage.
While it is true that some states have excluded these categories of individuals,
they have done so under specific statutory direction. The Texas Legislature
recognized no such exception in SB 712. Accordingly the department includes
these individuals within the scope of the rule.
§22.2(8). Several commenters allege that the following sentence is
confusing and recommend its deletion: "For purposes of this subchapter, all
references to consumer include the term customer, unless the purpose of the
reference is to make a distinction between applicability of the subchapter
to a customer and a consumer."
Agency Response. The department disagrees that the sentence is confusing,
but since it is an addition to the model rule, will defer to commenters and
has deleted it to promote uniformity. The department reminds covered entities,
however, that under the rule, simply becoming a customer does not forfeit
an individual's status or rights as a consumer.
§22.2(8). A commenter inquires whether, in the context of a credit
insurance policy issued to cover a bank loan, a borrower or the bank is the
consumer of an insurance product.
Agency Response. The department cannot make a determination on an inquiry
of this sort without the specific facts surrounding a particular transaction.
Generally, since the rule pertains primarily to insurance products or services
issued for "personal, family, or household purposes," and does not apply to
information about companies, or about individuals who obtain products or services
for business or commercial purposes, it is difficult to envision a scenario
in which a bank would have consumer status. On the other hand, a borrower
protected by a policy of credit insurance for personal, family, or household
purposes is a named insured, as well as a beneficiary, of the policy and thus
is a consumer under the rule.
§22.2(12). A commenter recommends adding the following sentence to
the definition of "customer": "In no event shall a beneficiary or claimant
under a policy, solely by virtue of their status as a beneficiary or claimant,
be deemed to be a customer for purposes of this regulation."
Agency Response. The department declines to make this change. While the
rule deems certain beneficiaries and claimants to be consumers and not customers,
it does so expressly where such limitation is applicable. See §22.4(c).
§22.2(20). Three commenters suggest amending the definition of "nonaffiliated
third party" to state that it does not include a person employed jointly by
a covered entity and a nonaffiliated third party.
Agency Response. The Texas Legislature included this definition in SB 712
and the department declines to change it. The department agrees, however,
with the commenters that a joint employee of a covered entity and a nonaffiliated
third party would be excluded from the definition of "nonaffiliated third
party," consistent with the national model rule.
§22.3(a). A commenter suggests amending this subsection to clarify
that the rule does not prohibit an agent from disclosing nonpublic personal
financial information to nonaffiliated third parties in the course of providing
routine policyholder services on behalf of a consumer.
Agency Response. The department declines to make this change as unnecessary.
Section 22.18(a) permits covered entities, including agents, to perform acts
at the request of a consumer without providing an initial privacy notice.
§22.3(b). A commenter indicates that, based on its review of Commissioner's
Bulletin No. B-0030-01, it does not believe that GLBA applies to reinsurers
that do not write direct business in the State of Texas.
Agency Response. The purpose of the cited bulletin was to inform licensees
generally of new laws concerning privacy and the department's plans for implementation.
The department does not agree that a covered entity can determine, simply
by reviewing the bulletin, whether the entity is in compliance with SB 712
or the rule. To the extent that a reinsurer is a covered entity that holds
or collects nonpublic personal financial information under the rule, the rule
requires appropriate compliance.
§22.3(c)(1). A commenter suggests changing "and" to "or."
Agency Response. The department disagrees. Both of the requirements of §22.3(c)
must be met before a covered entity is considered to be in compliance with
this paragraph.
§§22.3(c)(2) & 22.26(b)(8). A commenter prefers that the
term "16 point type" be eliminated and that the text of the suggested privacy
notice not be capitalized, as they believe these requirements differ from
the national model rules.
Agency Response. The department disagrees. The 16 point type and capitalization
of the notice are both specific requirements of the national model rule.
§22.4(c). A commenter asks for clarification on why the special requirements
in §22.4(c) specify that certain persons are not consumers.
Agency Response. The rule provides that individuals in these specific circumstances,
although similar in status to other consumers under the rule, are not treated
as consumers if the covered entity provides required notices to group policyholders
and does not disclose nonpublic personal financial information about the individuals
to a nonaffiliated third party other than as permitted under §§22.17,
22.18, and 22.19.
§22.4(c)(1). A commenter asks whether a carrier must provide initial,
annual and revised notices to an employer sponsoring an employee group health
plan if it does not disclose protected financial information about plan enrollees
other than as permitted by the exceptions enumerated in §§22.17,
22.18 and 22.19 of the rule.
Agency Response. Section 22.4(c)(1) provides that a covered entity is not
required to provide notices to enrollees covered by an employer group health
care plan if two conditions are met: (1) the covered entity does not share
protected information about the individuals other than as exempted by the
rule; and (2) the covered entity provides notices required by the rule to
the employer sponsoring the plan. Section 22.9 requires a covered entity to
send an annual notice to a customer and §22.8 requires the entity to
send an initial notice to a customer and to a consumer if the covered entity
discloses protected information about the consumer other than pursuant to
an exception enumerated in §§22.18 and 22.19. If a covered entity
does not comply with the requirements set forth in §22.4(c)(1), enrollees
in the employer group health plan are considered to be "consumers" of the
plan issuer. Section 22.4(e) dictates that an enrollee in an employer group
health plan would not be considered to be a "customer" for purposes of the
rule solely by virtue of his or her status as an enrollee. For purposes of §22.4(c)(1),
however, the employer must receive an annual notice. The rule requires a revised
notice only if the conditions set forth in §22.12 are applicable. If
a covered entity discloses information about an enrollee in an employer group
health plan that does not fall under an exception enumerated in §§22.17,
22.18 and 22.19, and this disclosure represents a change from the covered
entity's previous privacy policy, the rule requires a revised notice to the
employer. The rule would not require revised privacy notices for the plan
enrollees since the employer, not the enrollees, would have received any previous
notices. The rule would require initial notices for all enrollees about whom
information may, as a result of the revision, be disclosed under the new privacy
policy. The revision would also mean that the special requirements would no
longer apply. If a covered entity were to fail to deliver or cease delivery
of required notices to the employer, §22.4(c)(1) would no longer apply
and the rule would require individual privacy and opt out notices for each
enrollee pursuant to the requirements for each notice as applicable.
§22.4(c)(3). A commenter asks if a beneficiary of a workers' compensation
policy is considered to be a consumer who is entitled to initial and annual
notices under the rule if a covered entity wishes to share the beneficiary's
protected financial information. The commenter asks if a beneficiary is a
consumer if the covered entity does not share such information.
Agency Response. If a covered entity wishes to share protected information
about a beneficiary or claimant other than pursuant to an exception set forth
in the rule, the beneficiary or claimant is considered to be a consumer of
the covered entity and the rule requires an initial privacy notice as well
as an opt out notice. The rule requires annual notices only for customers.
A workers' compensation insurance beneficiary would not be considered to be
a customer of a covered entity by virtue of the covered entity's sharing of
protected financial information outside of an enumerated exception. The sharing
of such information would not trigger the annual notice requirement. However,
the rule would require an annual notice to the employer that is the workers'
compensation plan participant if a covered entity wishes to invoke §22.4(c)(3).
See response to comment on §22.4(c)(1).
§22.4(c)(3). A commenter recommends changing the term "beneficiary
of" to "claimant under" a workers' compensation policy as being consistent
with common understanding in the industry.
Agency Response. The department has determined that both "claimants under"
and "beneficiaries to" a workers' compensation policy accurately describe
individuals protected by the rule and has changed the rule to include both
terms.
§22.4(d). A commenter recommends changing the term "requirements"
to "conditions" to clarify that covered entities have the option either to
treat workers' compensation claimants as "consumers" or to comply with §22.4(c)(3).
Agency Response. The department does not believe this change is necessary.
A covered entity that does not comply with the special requirement for workers'
compensation set forth in §22.4(c)(3) would be required to treat the
claimants as consumers pursuant to §22.4(d).
§22.5. A commenter asks that the rule be clarified as to whether a
bank customer purchasing credit insurance in connection with a lending transaction
establishes a customer relationship with the bank that is selling the insurance
as an agent or with the insurance company that issues the policy. If notice
is required of a bank, additional guidance is requested.
Agency Response. The rule treats a bank acting as an agent no differently
than any other agent, and a bank formulating its privacy policy with regard
to required notices should comply with the provisions of the rule. The bank's
issuance of a loan to the credit insured does not necessarily create a customer
relationship, under this rule, between the bank and the insured. The rule
clearly details certain factors and transactions which will establish a customer
relationship between an individual and a covered entity, whether the entity
is an insurance carrier, an agent, or other entity. Whether a particular transaction
creates a customer relationship under the rule will depend on the facts surrounding
the transaction.
§§22.5(b)(6) & 22.9(b)(2). Several commenters believe these
sections should track the national model rule's use of the phrase "inactive
or dormant under the licensee's business practices" rather than the phrase
"not in force."
Agency Response. The department believes that the term "not in force" is
less confusing and more precise. Neither "inactive" nor "dormant" are terms
of art and there does not appear to be a quantifiable distinction between
the two words. In addition, the department believes that the use of this objective
standard, rather than one which may vary from company to company, will promote
a uniform interpretation of the rule and will simplify compliance issues.
§22.7(a)(2)(A). A commenter proposes deleting the word "nonconfidential."
Agency Response. The department disagrees. If a government record is confidential
then it could not be considered to be "publicly available."
§22.8. A commenter asserts that where an insurer providing credit
insurance has notified the creditor that the insurer does not share the borrower's
nonpublic personal financial information except as necessary to administer
the insurance policies, the privacy notice creditors are required to send
to customers suffices to comply with this rule.
Agency Response. The department's response to this comment differs based
on the type of insurance issued. Where the policy of credit insurance is a
group policy subject to the requirements of §22.4(c)(2), the rule requires
the insurer to send notice only to the group policyholder. For individual
policies of credit insurance, however, notice to the creditor would not extinguish
the carrier's duties under the rule. While it is possible the referenced privacy
notice would satisfy the requirements of the rule, the department cannot make
that determination without examining the notice.
§22.8. A commenter requests that the rule provide a consistent standard
concerning when the duty to provide an initial privacy notice arises.
Agency Response. A covered entity's duty to provide an initial notice differs
as to customers and consumers. For customers, §22.8 generally requires
the notice not later than when the covered entity establishes a customer relationship.
In an insurance context, the customer relationship will generally begin no
later than when coverage attaches or when the policy is delivered. While most
customer relationships will fall within this general rule, other facts and
circumstances may affect the inception of customer relationships. For example,
a covered entity may create a customer relationship by extending coverage
prior to delivery of the policy. Accordingly, a covered entity must establish
a consistent standard to determine when customer relationships commence. In
the case of a consumer, an initial notice and opportunity to opt out is required
prior to the release of any protected information other than as authorized
under §§22.18 and 22.19.
§22.8(a). A commenter inquires whether an insurer acquiring another
insurer's book of business must then provide its own "initial notice."
Agency Response. The answer to this question depends on the acquiring entity's
privacy policy. If the privacy policy of the new entity differs from the privacy
policy of the previous insurer, the new entity should provide a new statement
of privacy policy. In addition, if the new entity plans to disclose nonpublic
personal financial information to a new category of nonaffiliated third party,
the entity must provide a revised notice pursuant to §22.12, along with
the opportunity to opt out of this new disclosure. If the customer has previously
elected to opt out in response to a notice delivered by the previous insurer,
the new entity must continue to honor the customer's election as to those
specific categories.
§§22.8(a) & 22.9(a). A commenter asks what steps a bank,
providing notices on behalf of an issuing insurance company, must take to
determine that the provided notice is accurate. Another commenter inquires
as to what a bank, acting as an agent, must do to determine whether its covered
entity principal is providing required notices under the rule. The commenter
wonders whether it may rely on representations from the entity or whether
it must conduct an audit.
Agency Response. The rule treats a bank acting as an agent no differently
than any other agent, and a bank formulating its own privacy policy regarding
required notices should thus comply with all applicable provisions of the
TIC and departmental rules. A bank delivering notices on behalf of an insurance
company presumably would be doing so in the capacity of an agent for the insurance
company. A bank functioning for insurance business purposes as the agent of
a principal insurance company would be subject to regulation under the Texas
Insurance Code to the same extent as any other agent. A bank will have to
exercise independent judgment to determine the measures necessary to assure
itself that its principal is complying with the applicable rules. Even if
an insurance company were to delegate a responsibility under the rule to an
agent, however, the insurance company would remain responsible for its own
compliance with the rule.
§22.8(b). A commenter proposes inserting "to a consumer" into the
subheading.
Agency Response. The department does not believe this change is necessary
since the full sentence following the subheading establishes that the section
concerns notice to a consumer.
§22.8(b)(1). A commenter asks about applicability of the rule to a
third party administrator (TPA).
Agency Response. A TPA, regardless of whether it is providing services
on behalf of a self-funded plan or a commercial carrier, does not have to
comply with the initial notice requirements for consumers under the rule as
long as the TPA does not disclose information to a nonaffiliated third party
for any reason other than an exemption permitted under §§22.18 or
22.19. A TPA would not be considered to have a "customer relationship" with
a plan enrollee for whom the TPA is performing an administrative function
on behalf of an insurer or an HMO and would not be subject to the annual notice
requirement under §22.9.
§22.8(e). A commenter proposes supplementing the heading to clarify
that this subsection contains exceptions.
Agency Response. The department declines to make this change, as the subsection
contains a general rule as well as exceptions.
§22.8(f). A commenter proposes insertion of "initial" into the delivery
requirement.
Agency Response. The department does not believe that this change is necessary,
as the only notices required by this section are initial notices.
§§22.9 & 22.13(a). A commenter asks when a bank should deliver
the various privacy notices required by the rule. The commenter specifically
asks whether an initial privacy notice may accompany the delivery of the policy.
The commenter indicated that the department had informed some insurers that
a privacy notice could not be printed on a policy jacket. Another commenter
asks whether a privacy notice can be delivered simultaneously with an insurance
policy, billing notices, statements, or newsletter.
Agency Response. The rule treats a bank, whether acting as a covered entity
or the agent of a covered entity, no differently than any other similarly
situated entity, and a bank formulating its privacy policy regarding delivery
of notices should thus comply with the applicable provisions of the rule.
Generally, an entity may deliver any required notice either in a separate
transmission or along with any other delivery to the consumer/customer, so
long as the notice is in a format that meets all applicable requirements under
the rule, including the requirement that the notice be clear and conspicuous.
The department did state, in response to a similar query, that printing an
opt out form on a policy jacket could discourage opting out as the consumer
would be forced to copy the form or cut it off of the jacket to use it. Regarding
initial privacy notices that do not include an opt out, a covered entity that
elects to include this notice on a policy jacket must ensure that the notice
meets all requirements under the rule, again with particular attention to
the requirement that the notice be clear and conspicuous.
§22.10(a). A commenter proposes insertion of "simplified" into this
description since the order was changed from the national model rule.
Agency Response. The department agrees and has made this change.
§22.10(a). A commenter questioned the meaning of the reference to
"this subsection" in §22.10(a)(1).
Agency Response. The reference to this subsection means §22.10(a).
§22.10(b)(8). A commenter inquires whether the department intends
to issue a separate rule with regard to necessary security procedures, and
whether a covered entity must obtain agreements from parties with which it
contracts to establish that the third parties have security procedures in
place.
Agency Response. A proposed model rule addressing specific security procedures
for covered entities is currently under consideration at the national level.
The department may accordingly propose a conforming rule in the future. In
the interim, covered entities should develop and follow their own security
procedures to prevent the unauthorized disclosure of protected information.
A covered entity remains responsible for any unauthorized disclosure of information
or other rule violations that occur through its relationships with third parties.
Entities should use their own judgment to guide their practices in this area
and take necessary action to ensure that third parties properly secure protected
information. It should be noted that SB 712 (TIC Art. 20A.02(b)) requires
nonaffiliated third parties, in relation to a covered entity, to comply with
the privacy requirements of GLBA.
§22.11(c)(1). A commenter proposes insertion of "and" at the end of
this paragraph as a connector.
Agency Response. The word "and" is already included at the end of §22.11(c)(1)
as a connector to indicate that a covered entity must comply with (c)(1) and
either (c)(2), (c)(3), or (c)(4).
§22.11(l). A commenter proposes removing the term "to conduct business
electronically."
Agency Response. The department disagrees. A consumer must agree to conduct
business with a covered entity electronically before the entity can require
the consumer to use an electronic means to perform any act relating to the
rule. The requested change could be interpreted to enable a covered entity
to condition a consumer's ability to exercise his or her rights under the
rule by requiring the consumer to do so only electronically.
§22.13(a). A commenter asks what obligation a covered entity assuming
the business of other institutions has to send notices to consumers/customers
for whom it has a name but not an address.
Agency Response. Section 22.13(a) requires covered entities to provide
any notices that this subchapter requires in such a way that each consumer
can reasonably be expected to receive actual notice in writing or, if the
consumer agrees, electronically. Section 22.13(b) describes ways entities
may satisfy this requirement. The department will have to examine situations
falling outside these parameters on a case-by-case basis. Certainly since
a covered entity cannot share information without providing a reasonable opportunity
to opt out, a covered entity should not share a consumer/customer's information
if the entity has no address for the consumer/customer and knows it has not
contacted the consumer/customer.
§22.13(b)(3). A commenter proposes placing the connector "or" at the
end of this paragraph. Agency Response. The department agrees and has made
this change.
§22.15. A commenter proposes replacing "and" with "or" in subsections
(a) and (c) - (f).
Agency Response. The department disagrees. Compliance with each of these
provisions is mandatory. §22.16(b). Two commenters propose that a covered
entity should be permitted to provide account numbers to service providers
for marketing purposes as long as the service provider is not authorized to
directly initiate charges to the account.
Agency Response. The department agrees that this comment is consistent
with the national model rule and has made this change. Transactions of this
type would fall under §22.17, which establishes standards for contractual
limitation of a third party's use of nonpublic personal financial information
disclosed to it by a covered entity.
§22.17. A commenter inquires whether a covered entity may share information
with a joint employee without concern for the opt out requirements of GLBA.
Agency Response. The department believes that a covered entity that shares
information with a joint employee in compliance with the rule is in compliance
with the privacy requirements of GLBA.
§22.17(a). A commenter inquires as to the steps a covered entity must
take to assure that a joint marketer or other shared servicer does not use
shared information for purposes unrelated to the contract or other permitted
use.
Agency Response. Section 22.17(a)(2) requires the covered entity to enter
into a contractual agreement with the third party that prohibits the third
party from disclosing or using the information other than to carry out the
purposes for which the covered entity disclosed the information, including
use under an exception in §22.18 and §22.19 in the ordinary course
of business to carry out those purposes. If an entity shares information with
another financial institution, the covered entity must also comply with §22.17(b)
as well.
§22.17(a)(2) and §22.17(b). A commenter proposes replacing "and"
with "or" in §22.17(a)(2) and (b).
Agency Response. Replacement of "and" with "or" within §22.17(a)(2)
would have no effect on the rule's meaning. Moreover, the word "and" is not
used in §22.17(b).
§22.17(c). A commenter asks which exception covers a data processing
company's handling of statements and other materials for an insurance company,
if the statements include marketing materials.
Agency Response. Section 22.17(c) states that "[t]he services a nonaffiliated
third party performs for a covered entity under subsection (a) of this section
may include marketing of (the covered entity's own products or services...."
(emphasis added). The described transaction appears to involve an insurer
using a third party firm both to market to its customers and to deliver statements
and other customary business documents. This type of transaction is within
the scope of the rule and would require appropriate compliance under this
section.
§§22.18(b) & 22.18(c)(2)(C). A commenter believes these exceptions
must be expanded to permit a covered entity to share with a policyholder or
policyholder's representative specific protected financial information about
claims asserted by consumers under a commercial liability or workers' compensation
policy.
Agency Response. The department disagrees that this expansion is necessary.
Disclosure of information to workers' compensation and commercial liability
policyholders regarding details of the claims made against them would be considered
to be integral to servicing or processing the claim made by the consumer and
thus already permitted under the existing exemption in §22.18. Additionally,
TIC Art. 5.65A(a) mandates that carriers notify workers' compensation policyholders
of any claim filed against the policy, proposals to settle a claim, and, upon
policyholder request, any administrative or judicial proceeding relating to
the resolution of a claim. TIC Art. 5.65A(b) requires carriers, again upon
policyholder request, to provide policyholders with a list of claims charged
against the policy, payments made and reserves established on each claim,
and a statement explaining the effect of claims on premium rates. The department
reminds covered entities, however, that any such disclosure must be limited
to information necessary to process the claim, and the recipient must use
the information only for the purpose for which it was disclosed. To the extent
that such information is requested to aid in replacement of coverage, see
comment regarding §22.19(a)(14).
§22.18(c)(2)(B). A commenter believes the exception must be expanded
to include the term "adjust."
Agency Response. The department disagrees that this expansion is necessary.
Adjustment of a claim is commonly understood to be included within the administration
and processing of a claim.
22.18(c)(2)(E). A commenter believes expansion of this exception is necessary
to include specific actions relating to the payments of claims to claimants
and beneficiaries.
Agency Response. The department disagrees that this expansion is necessary.
The acts of adjusting, settling, or paying insurance claims are commonly understood
to be included within the administration and processing of a claim.
§22.18(c)(2)(E). A commenter believes expansion of this exception
is necessary to allow specific financial information about a workers' compensation
or third party claimant to be shared at the request of a policyholder in order
to underwrite insurance at the policyholder's request.
Agency Response. The department disagrees that this expansion is necessary.
TIC Art. 5.65A(b) requires carriers, upon policyholder request, to provide
policyholders with a list of claims charged against the policy, payments made
and reserves established on each claim, and a statement explaining the effect
of claims on premium rates. The department reminds covered entities, however,
that any such disclosure must be limited to information necessary to achieve
the purpose for which it was disclosed, and the recipient must use the information
only for that purpose as well. A covered entity can facilitate the underwriting
process for policies of this nature, without need of specific exception, by
disclosing only claim information that does not identify or provide a means
to identify individual claimants under the policy. The department also notes
that the Texas Legislature has consistently taken a similar approach regarding
disclosure of claim data; see TIC Art. 26.96(f) and HB 2146, 77th Texas Legislature.
§22.18(c)(2)(F)(ii). A commenter believes that expansion of this exception
is necessary to allow the collection of debts by a covered entity in connection
with processing a claim by a workers' compensation or third party claimant.
Agency Response. The department disagrees that this expansion is necessary.
Disclosure of information to workers' compensation and commercial liability
policyholders for retroactive billing purposes would be a part of servicing
or processing the claim made by the consumer and thus covered under the exemption
in §22.18(b). Additionally, TIC Art. 5.65A mandates such disclosure to
workers' compensation policyholders at their request. The department reminds
covered entities that any such disclosure must be limited to information necessary
to the purpose of the exception, and the recipient must use the information
only for the purpose for which it was disclosed.
§22.19(a)(14). A commenter requests that this exception be expanded
to include replacement of an insurance policy under which a consumer's claim
was asserted or paid.
Agency Response. The department declines to make this change. If required
to aid the replacement process, a covered entity can disclose pertinent claim
information, that is also protected financial information, in the aggregate,
or in such other manner that does not identify or provide the means to identify
individual claimants under a policy, to protect the identity of and other
protected information about individual claimants. The rule provides flexibility
for situations where an entity is being asked to cover a defined group. The
requested change would expand the exception to include policies where the
claimants are not known prior to the date of coverage. The department also
notes that the Texas Legislature has consistently taken a similar approach
regarding disclosure of claim data; see TIC Art. 26.96(f) and HB 2146, 77th
Texas Legislature.
§22.21. A commenter suggests deletion of §22.21, arguing that
it conflicts with Congress's exclusion of "usual, appropriate, or acceptable
methods for insurance underwriting" from the scope of GLBA.
Agency Response. The department declines to make this change. The department
disagrees with the commenter's assessment of the effect of this section. Section
22.21 does not prohibit "usual, appropriate, or acceptable methods" for insurance
underwriting. It prohibits unfair methods of insurance underwriting. Accordingly, §22.21
does not conflict with GLBA's exception regarding appropriate insurance practices.
Moreover, §22.21 is substantively identical to the antidiscrimination
provision in the national model. Deleting the section would be detrimental
to uniform state enforcement of GLBA.
§22.22(b). Several commenters recommend elimination of the reference
to TIC Art. 21.21. Some commenters suggest that the reference to TIC Art.
21.21 in this subsection exceeds the department's statutory authority. Another
commenter suggests that the provision is unnecessary as Chapters 82 &
84, TIC, contain adequate penalties. Another commenter suggests that if the
reference remains, the department should add an amendment expressly prohibiting
private causes of action for rule violations. Another commenter suggests that
the reference puts insurers doing business in Texas at a competitive disadvantage
vis-à-vis other financial service industries. Another commenter requests
that this section be amended to clarify that the department is the sole source
of remedy for violations. Another commenter supported the rule's incorporation
of TIC Art. 21.21.
Agency Response. SB 712 directs the commissioner to adopt rules necessary
to make Texas eligible, under GLBA, to override federal regulation. A second
statutory provision directs the commissioner to attempt to keep state privacy
requirements consistent with federal regulations adopted under GLBA. The legislative
analysis of SB 712 references the NAIC privacy model regulation as a guide
for the department's adoption of rules. The NAIC privacy model regulation
specifically directs states to include their unfair trade practices act or
other applicable state law as a remedy for violation of the rule.
While the proposal incorporated the TIC's unfair trade practices act as
an enforcement mechanism, the department has deleted this subsection from
the adopted rule, while retaining enforcement authority under other TIC chapters.
Analysis of newly-enacted TIC Art. 28A.102 was the most critical factor in
this determination. This section provides that in addition to departmental
enforcement of GLBA, the attorney general, after conferring with the commissioner,
may institute actions for injunctive or declaratory relief or for civil penalties
in response to violations of TIC Chapter 28A. This specific enforcement authority
for the attorney general, in addition to the department's authority under
TIC Chapters 82, 83, & 84, provides an alternate statutory enforcement
mechanism sufficient to comply with the Legislature's mandate to enforce GLBA
in a manner consistent with federal regulations. In addition, this deviation
from the specific penalty provisions of the model rule will not affect a covered
entity's ability to comply with both the substantive provisions of the department's
rule and the national model rule as adopted in other jurisdictions.
Since new TIC Art. 28A.102 specifically authorizes the attorney general
to institute actions in response to violations of this chapter, the department
disagrees with the comment that suggested it is the sole source of remedy
for violations of the statute. The department also disagrees with the comment
that suggested the inclusion of TIC Art. 21.21 in this subsection would have
put insurers at a competitive disadvantage to other entities. The penalties
available to federal regulators under GLBA are of comparable severity to those
available under TIC Art. 21.21. See 12 USC §1818. It is also important
to remember that TIC Art. 21.21 places no additional burden on covered entities
in compliance with the rule, nor would it penalize inadvertent violators that
are dealing in good faith with consumers. Finally, the department also disagrees
with commenters that suggested that including TIC Art. 21.21 in the rule would
create a private right of action. HB 668, enacted by the 74th Texas Legislature,
amended TIC Art. 21.21 to delete the provision in Sec. 16 that gave rise to
a private cause of action for a violation of departmental rules.
§22.24. A commenter requests that the compliance date for notices
be extended for an additional 30 days. In the alternative, the commenter requests
that extensions be considered on a case-by-case basis.
Agency Response. The department declines to extend the compliance date.
The department does not have the authority to waive application of any rule
on a case-by-case basis.
§22.26. A commenter recommends that the word "broker" be used in place
of "agent."
Agency Response. The department declines to make the suggested change as
neither the TIC nor any other rules in TAC Chapter 28 use or define the term
"broker."
For: Office of Public Insurance Counsel.
For with changes: American Council of Life Insurers; American Family Life
Assurance Company of Columbus; American Insurance Association; Alliance of
American Insurers; American General Financial Group; Amerisure Companies;
Alliance for Responsible Insurance Practices; Association of Fire and Casualty
Companies of Texas; Independent Bankers Association of Texas; National Association
of Independent Insurers; Sneed, Vine, & Perry; Texas Association of Insurance
Officials; Texas Association of Life and Health Insurers; Viaticare; Texas
Windstorm Insurance Association.
Against: Folksamerica Reinsurance Company.
Neither for nor against: Fulbright & Jaworski, LLP.
The new sections are adopted under the TIC Art. 28A.51 and §36.001.
TIC Art. 28A.51 provides that the Commissioner shall adopt rules to implement
this chapter, as well as any other rules necessary to carry out 15 U.S.C.
Subchapter I, Chapter 94 (15 U.S.C. Section 6801 et seq.), as amended. TIC
Section 36.001 provides that the Commissioner of Insurance may adopt rules
to execute the duties and functions of the Texas Department of Insurance only
as authorized by statute.
§22.1.Purpose and Scope.
(a)
Purpose. This subchapter governs the treatment of nonpublic
personal financial information about individuals by all covered entities.
This subchapter:
(1)
requires a covered entity to provide notice to individuals
about its privacy policies and practices;
(2)
describes the conditions under which a covered entity may
disclose nonpublic personal financial information about individuals to nonaffiliated
third parties; and
(3)
provides methods for individuals to prevent a covered entity
from disclosing that information to nonaffiliated third parties.
(b)
Scope. This subchapter applies to nonpublic personal financial
information about individuals who obtain or are claimants or beneficiaries,
primarily for personal, family or household purposes, of products or services
from covered entities. This subchapter does not apply to information about
companies or about individuals who obtain products or services for business,
commercial or agricultural purposes.
§22.2.Definitions.
The following words and terms, when used in this chapter, shall have
the following meanings, unless the context clearly indicates otherwise.
(1)
Affiliate--Any company that controls, is controlled by,
or is under common control with another company.
(2)
Agent--As set forth in the Insurance Code, Articles 9.36,
9.36A, and 21.02.
(3)
Authorization--As set forth in the Insurance Code, Section
82.001.
(4)
Clear and conspicuous--A notice which is reasonably understandable
and designed to call attention to the nature and significance of the information
in the notice.
(5)
Collect--To obtain information that the covered entity
organizes or can retrieve by the name of an individual or by identifying number,
symbol or other identifying particular assigned to the individual, irrespective
of the source of the underlying information.
(6)
Commissioner--The Commissioner of Insurance.
(7)
Company--A corporation, limited liability company, business
trust, general or limited partnership, association, sole proprietorship or
other similar organization.
(8)
Consumer--An individual or that individual's representative
who seeks to obtain, obtains or has obtained an insurance product or service
from a covered entity that is to be used primarily for personal, family or
household purposes, and about whom the covered entity has nonpublic personal
financial information.
(9)
Consumer reporting agency--As defined in Section 603(f)
of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(10)
Control--Includes the terms "controls," "controlled by,"
and "under common control," and has the meaning assigned that term by the
Insurance Code, Article 21.49-1, Section 2(d).
(11)
Covered entity--An individual or entity who receives an
authorization from the Texas Department of Insurance. The term includes any
individual or entity described by the Insurance Code, Section 82.002.
(12)
Customer--A consumer who has a customer relationship with
a covered entity.
(13)
Customer relationship--A continuing relationship, as described
in §22.5 of this subchapter (relating to Determination of Continuing
Relationship), between a consumer and a covered entity under which the covered
entity provides one or more insurance products or services to the consumer
that are to be used primarily for personal, family or household purposes.
(14)
Financial institution--Any institution the business of
which is engaging in activities that are financial in nature or incidental
to such financial activities as described in Section 4(k) of the Bank Holding
Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
(A)
any person or entity with respect to any financial activity
that is subject to the jurisdiction of the Commodity Futures Trading Commission
under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(B)
the Federal Agricultural Mortgage Corporation or any entity
charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et
seq.); or
(C)
institutions chartered by Congress specifically to engage
in securitizations, secondary market sales (including sales of servicing rights)
or similar transactions related to a transaction of a consumer, as long as
the institutions do not sell or transfer nonpublic personal financial information
to a nonaffiliated third party.
(15)
Financial product or service--Any product or service that
a financial holding company could offer by engaging in an activity that is
financial in nature or incidental to such a financial activity under Section
4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial
service includes a financial institution's evaluation or brokerage of information
that the financial institution collects in connection with a request or an
application from a consumer for a financial product or service.
(16)
Health care--
(A)
preventive, diagnostic, therapeutic, rehabilitative, maintenance
or palliative care, services, procedures, tests or counseling that:
(i)
relates to the physical, mental or behavioral condition
of an individual; or
(ii)
affects the structure or function of the human body or
any part of the human body, including the banking of blood, sperm, organs
or any other tissue; or
(B)
prescribing, dispensing or furnishing drugs or biologicals,
or medical devices or health care equipment and supplies to an individual.
(17)
Health care provider--A physician or other health care
practitioner licensed, accredited or certified to perform specified health
services consistent with state law, or a health care facility.
(18)
Health information--Any information or data except age
or gender, whether oral or recorded, in any form or medium, created by or
derived from a health care provider or the consumer that relates to:
(A)
the past, present or future physical, mental or behavioral
health or condition of an individual;
(B)
the provision of health care to an individual; or
(C)
payment for the provision of health care to an individual.
(19)
Insurance product or service--Any product or service that
is offered by a covered entity pursuant to the Insurance Code and other insurance
laws of this state. Insurance service includes a covered entity's evaluation,
brokerage or distribution of information that the covered entity collects
in connection with a request or an application from a consumer for an insurance
product or service.
(20)
Nonaffiliated third party--An entity that is not an affiliate
of, or related to by common ownership or affiliated by corporate control with,
the covered entity. The term does not include a joint employee of the entity.
(21)
Nonpublic personal financial information--Information
which:
(A)
includes:
(i)
personally identifiable financial information;
(ii)
any list, description or other grouping of consumers (and
publicly available information pertaining to them) that is derived using any
personally identifiable financial information that is not publicly available;
and
(iii)
any list of individuals' names and street addresses that
is derived in whole or in part using personally identifiable financial information
that is not publicly available, such as account numbers.
(B)
does not include:
(i)
health information;
(ii)
publicly available information unless it is derived from
a non-public source as described in subparagraphs (A)(ii) and (A)(iii) of
this paragraph;
(iii)
any list, description or other grouping of consumers
(and publicly available information pertaining to them) that is derived without
using any personally identifiable financial information that is not publicly
available; and
(iv)
any list of individuals' names and addresses that:
(I)
contains only publicly available information,
(II)
is wholly derived using personally identifiable financial
information that is publicly available, and
(III)
does not disclose that any of the individuals on the
list is a consumer of a financial institution.
(22)
Opt out--A direction by the consumer that the covered
entity not disclose nonpublic personal financial information about that consumer
to a nonaffiliated third party, other than as permitted by §22.17 of
this title (relating to Exception to Opt Out Requirements for Disclosure of
Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18
of this title (relating to Exceptions to Notice and Opt Out Requirements for
Disclosure of Nonpublic Personal Financial Information for Processing and
Servicing Transactions), and §22.19 of this title (relating to Other
Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information).
(23)
Personally identifiable financial information--
(A)
The term includes:
(i)
any information a consumer provides to a covered entity
to obtain an insurance product or service from the covered entity;
(ii)
any information about a consumer resulting from a transaction
involving an insurance product or service between a covered entity and a consumer;
(iii)
any information the covered entity otherwise obtains
about a consumer in connection with providing an insurance product or service
to that consumer;
(iv)
account balance information and payment history;
(v)
the fact that an individual is or has been one of the covered
entity's customers or has obtained an insurance product or service from the
covered entity;
(vi)
any information about the covered entity's consumer if
it is disclosed in a manner that indicates that the individual is or has been
the covered entity's consumer;
(vii)
any information that a consumer provides to a covered
entity or that the covered entity or its agent otherwise obtains in connection
with collecting on a loan or servicing a loan;
(viii)
any information the covered entity collects through
an information-collecting device from an Internet web server; and
(ix)
information from a consumer report.
(B)
The term does not include:
(i)
health information;
(ii)
a list of names and addresses of customers of an entity
that is not a financial institution; and
(iii)
information that does not identify a consumer, such as
aggregate information or blind data that does not contain personal identifiers
such as account numbers, names or addresses.
(24)
Publicly available information--Any information that a
covered entity has a reasonable basis to believe is lawfully made available
to the general public from:
(A)
federal, state or local government records;
(B)
widely distributed media; or
(C)
disclosures to the general public that are required to
be made by federal, state or local law.
§22.4.Determination of Consumer Status.
(a)
The term consumer includes, but is not limited to:
(1)
an individual who provides nonpublic personal financial
information to a covered entity in connection with obtaining or seeking to
obtain financial, investment or economic advisory services relating to an
insurance product or service regardless of whether the covered entity establishes
an ongoing relationship.
(2)
an applicant for insurance prior to the inception of insurance
coverage.
(3)
an individual, if the covered entity discloses nonpublic
personal financial information about the individual to a nonaffiliated third
party other than as permitted under §22.17 of this title (relating to
Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information for Service Providers and Joint Marketing), §22.18 of this
title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Processing and Servicing Transactions)
and §22.19 of this title (relating to Other Exceptions to Notice and
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information),
and:
(A)
the individual is a beneficiary of a life insurance policy
underwritten by the covered entity;
(B)
the individual is a claimant under an insurance policy
issued by the covered entity;
(C)
the individual is an insured or an annuitant under an insurance
policy or an annuity, respectively, issued by the covered entity; or
(D)
the individual is a mortgagor of a mortgage covered under
a mortgage insurance policy.
(b)
Examples of when individuals will not be considered consumers
of a covered entity:
(1)
an individual who is a consumer of another financial institution
is not a covered entity's consumer solely because the covered entity is acting
as agent for, or provides processing or other services to, that financial
institution.
(2)
an individual is not a covered entity's consumer solely
because he or she is a beneficiary of a trust for which the covered entity
is a trustee.
(3)
an individual is not a covered entity's consumer solely
because he or she has designated the covered entity as trustee for a trust.
(c)
Special requirements for employee benefit plans, group
or blanket insurance policies, group annuity contracts, or workers' compensation
policies.
(1)
An individual who is a participant or a beneficiary of
an employee benefit plan that a covered entity administers or sponsors or
for which the covered entity acts as a trustee, insurer or fiduciary is not
the consumer of a covered entity that:
(A)
provides all initial, annual and revised notices required
by this subchapter to the employer or other entity establishing the plan;
and
(B)
does not disclose nonpublic personal financial information
about the individual to a nonaffiliated third party other than as permitted
under §§22.17, 22.18, and 22.19 of this title.
(2)
An individual who is covered under a group or blanket insurance
policy or group annuity contract issued by a covered entity is not the consumer
of a covered entity that:
(A)
provides all initial, annual and revised notices required
by this subchapter to the policyholder or contractholder; and
(B)
does not disclose nonpublic personal financial information
about the individual to a nonaffiliated third party other than as permitted
under §§22.17, 22.18, and 22.19 of this title.
(3)
An individual that is a claimant under or beneficiary of
a workers' compensation policy issued by a covered entity is not the consumer
of a covered entity that:
(A)
provides all initial, annual and revised notices required
by this subchapter to the plan participant; and
(B)
does not disclose nonpublic personal financial information
about the individual to a nonaffiliated third party other than as permitted
under §§22.17, 22.18, and 22.19 of this title.
(d)
An individual described in subsection (c) of this section
is the consumer of a covered entity that does not comply with the applicable
notice and nondisclosure requirements of that subsection.
(e)
In no event shall an individual, solely by virtue of his
status described in subsection (c) of this section, be deemed to be the customer
of a covered entity for purposes of this subchapter.
§22.5.Examples of Continuing Relationship.
(a)
The following examples illustrate situations where a consumer
has a continuing relationship with a covered entity:
(1)
the consumer is a current policyholder of an insurance
product issued by or through the covered entity; or
(2)
the consumer obtains financial, investment or economic
advisory services relating to an insurance product or service from the covered
entity for a fee.
(b)
The following examples illustrate situations where a consumer
does not have a continuing relationship with a covered entity:
(1)
the consumer applies for insurance but does not purchase
the insurance;
(2)
the covered entity sells the consumer insurance in an isolated
transaction involving single-event types of coverage including, but not limited
to, auto rental liability, travel, and short-term non-resident auto liability
insurance;
(3)
the individual is no longer a current policyholder of an
insurance product or no longer obtains insurance services with or through
the covered entity;
(4)
the consumer is a beneficiary or claimant under a policy
even though the consumer has submitted a claim under a policy choosing a settlement
option involving an ongoing relationship with the covered entity;
(5)
the consumer is a beneficiary or a claimant under a policy
and has submitted a claim under that policy choosing a lump sum settlement
option;
(6)
the customer's policy is lapsed, expired, or otherwise
not in force, and the covered entity has not communicated with the customer
about the relationship for a period of 12 consecutive months, other than annual
privacy notices, material required by law or regulation, communication at
the direction of a state or federal authority, or promotional materials;
(7)
the individual is an insured or an annuitant under an insurance
policy or annuity, respectively, but is not the policyholder or owner of the
insurance policy or annuity; or
(8)
the individual's last known address according to the covered
entity's records is deemed invalid, which occurs when:
(A)
mail sent to that address by the covered entity has been
returned by the postal authorities as undeliverable, and
(B)
subsequent attempts by the covered entity to obtain a current
valid address for the individual have been unsuccessful.
§22.9.Annual Privacy Notice.
(a)
A covered entity shall provide a clear and conspicuous
notice to customers that accurately reflects its privacy policies and practices
not less than annually during the continuation of the customer relationship.
"Annually" means at least once in any period of 12 consecutive months during
which that relationship exists. A covered entity may define the 12-consecutive-month
period, but the covered entity shall apply it to the customer on a consistent
basis. A covered entity provides a notice annually if it defines the 12-consecutive-month
period as a calendar year and provides the annual notice to the customer once
in each calendar year following the calendar year in which the covered entity
provided the initial notice. For example, if a customer opens an account on
any day of year 1, the covered entity shall provide an annual notice to that
customer by December 31 of year 2.
(b)
A covered entity is not required to provide an annual notice
to a former customer. A former customer is an individual with whom a covered
entity no longer has a continuing relationship.
(1)
A covered entity no longer has a continuing relationship
with an individual if the individual no longer is a current policyholder of
an insurance product or no longer obtains insurance services with or through
the covered entity.
(2)
A covered entity no longer has a continuing relationship
with an individual if the individual's policy is lapsed, expired or otherwise
not in force, and the covered entity has not communicated with the customer
about the relationship for a period of 12 consecutive months, other than to
provide annual privacy notices, material required by law or regulation, communication
at the direction of a state or federal authority, or promotional materials.
(3)
For the purposes of this subchapter, a covered entity no
longer has a continuing relationship with an individual if:
(A)
the covered entity sends mail to the individual's last
known address, according to the covered entity's records, and the postal authorities
return that mail as undeliverable, and
(B)
subsequent attempts by the covered entity to obtain a current
valid address for the individual are unsuccessful.
(4)
A covered entity no longer has a continuing relationship
with a customer, in the case of providing real estate settlement services,
at the later of the following events:
(A)
the customer completes execution of all documents related
to the real estate closing;
(B)
payment for those services has been received; or
(C)
the covered entity has completed all of its responsibilities
with respect to the settlement, including filing documents in the public record.
(c)
A covered entity shall deliver any annual privacy notices
required by this section according to §22.13 of this title (relating
to Delivery).
§22.10.Information to be Included in Privacy Notices.
(a)
Simplified nondisclosure notice requirements. A covered
entity that does not disclose, and does not reserve the right to disclose,
nonpublic personal financial information about customers or former customers
to nonaffiliated third parties except as authorized under §22.18 of this
title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Processing and Servicing Transactions)
and §22.19 of this title (relating to Other Exceptions to Notice and
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information),
may comply with this subchapter by providing a simplified notice which expresses:
(1)
the nondisclosure policy stated in this subsection, and
(2)
the information required by subsections (b)(1), (b)(8),
(b)(9), and (c) of this section.
(b)
Disclosure notice requirements. The initial, annual and
revised privacy notices that a covered entity provides under §22.8 of
this title (relating to Initial Privacy Notice), §22.9 of this title
(relating to Annual Privacy Notice) and §22.12 of this title (relating
to Revised Privacy Notices) shall include the following items of information,
in addition to any other information the covered entity wishes to provide,
that applies to the covered entity and to the consumers to whom the covered
entity sends its privacy notice.
(1)
The categories of nonpublic personal financial information
that the covered entity collects. A covered entity satisfies the requirement
to categorize the nonpublic personal financial information it collects when
the covered entity categorizes it according to the source of the information,
as applicable, including:
(A)
information from the consumer;
(B)
information about the consumer's transactions with the
covered entity or its affiliates;
(C)
information about the consumer's transactions with nonaffiliated
third parties; and
(D)
information from a consumer reporting agency.
(2)
The categories of nonpublic personal financial information
that the covered entity discloses.
(A)
A covered entity satisfies the requirement to categorize
nonpublic personal financial information it discloses when the covered entity
categorizes the information according to source, as described in paragraph
(1) of this subsection, as applicable, and provides examples to illustrate
the types of information in each category, such as:
(i)
information from the consumer, including application information
(such as assets and income) and identifying information (such as name, address
and social security number);
(ii)
transaction information (such as information about balances,
payment history and parties to the transaction); and
(iii)
information from consumer reports (such as a consumer's
creditworthiness and credit history).
(B)
A covered entity does not adequately categorize the information
that it discloses when the covered entity uses only general terms (such as
transaction information about the consumer).
(C)
A covered entity that reserves the right to disclose all
of the nonpublic personal financial information about consumers that it collects
may state that fact without describing the categories or examples of nonpublic
personal financial information that the covered entity discloses.
(3)
The categories of affiliates and nonaffiliated third parties
to whom the covered entity discloses nonpublic personal financial information,
other than those parties to whom the covered entity discloses information
under §§22.18 and 22.19 of this title.
(4)
The categories of nonpublic personal financial information
about the covered entity's former customers that the covered entity discloses
and the categories of affiliates and nonaffiliated third parties to whom the
covered entity discloses nonpublic personal financial information about the
covered entity's former customers, other than those parties to whom the covered
entity discloses information under §§22.18 and 22.19 of this title.
(5)
A separate description of the categories of information
the covered entity discloses and the categories of third parties with whom
the covered entity has contracted, if the covered entity discloses nonpublic
personal financial information to a nonaffiliated third party under §22.17
of this title (relating to Exception to Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Service Providers and Joint
Marketing) and no other exception in §§22.18 and 22.19 of this title
applies to that disclosure.
(6)
An explanation of the consumer's right under §22.14(a)
of this title (relating to Limits on Disclosure of Nonpublic Personal Financial
Information to Nonaffiliated Third Parties) to opt out of the disclosure of
nonpublic personal financial information to nonaffiliated third parties, including
the methods by which the consumer may exercise that right at that time.
(7)
Any disclosures that the covered entity makes under Section
603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii))
(that is, notices regarding the ability to opt out of disclosures of information
among affiliates).
(8)
The covered entity's policies and practices with respect
to protecting the confidentiality and security of nonpublic personal financial
information. A covered entity provides an adequate description of its policies
and practices with respect to protecting the confidentiality and security
of nonpublic personal financial information if it does both of the following:
(A)
describes in general terms who is authorized to have access
to the information; and
(B)
states whether the covered entity has security practices
and procedures in place to ensure the confidentiality of the information in
accordance with the covered entity's policy. The covered entity is not required
to describe technical information about the safeguards it uses.
(9)
Any disclosure that the covered entity makes under subsection
(c) of this section.
(c)
Description of parties subject to exceptions. A covered
entity that discloses nonpublic personal financial information as authorized
under §§22.18 and 22.19 of this title is not required to list those
exceptions in the initial or annual privacy notices required by §§22.8
and 22.9 of this title. When describing the categories of parties to whom
disclosure is made, the covered entity shall state that it makes disclosures
to other affiliated or nonaffiliated third parties, as applicable, as permitted
by law.
(d)
Appropriate methods of categorizing affiliates and nonaffiliated
third parties.
(1)
A covered entity satisfies the requirement to categorize
the affiliates and nonaffiliated third parties to which the covered entity
discloses nonpublic personal financial information about consumers if the
covered entity identifies the types of businesses in which they engage.
(2)
Types of businesses may be described by general terms only
if the covered entity uses illustrative examples of significant lines of business.
For example, a covered entity may use the term "financial products or services"
if the notice includes appropriate examples of significant lines of such businesses
or services, such as life insurer, automobile insurer, consumer banking or
securities brokerage.
(3)
A covered entity also may categorize the affiliates and
nonaffiliated third parties to which it discloses nonpublic personal financial
information about consumers using more detailed categories.
(e)
Disclosures under exception for service providers and joint
marketers. A covered entity that discloses nonpublic personal financial information
under the exception in §22.17 of this title to a nonaffiliated third
party to market products or services that it offers alone or jointly with
another financial institution satisfies the disclosure requirement of subsection
(b)(5) of this section if it:
(1)
lists the categories of nonpublic personal financial information
it discloses, using the same categories and examples the covered entity used
to meet the requirements of subsection (a)(2) of this section, as applicable;
and
(2)
states whether the third party is:
(A)
a service provider that performs marketing services on
the covered entity's behalf or on behalf of the covered entity and another
financial institution; or
(B)
a financial institution with whom the covered entity has
a joint marketing agreement.
(f)
Short-form initial notice with opt out notice for non-customers.
(1)
A covered entity may satisfy the initial notice requirements
in §22.8(a)(2) and §22.11(c) of this title (relating to Form of
Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not
a customer by providing a short-form initial notice at the same time as the
covered entity delivers an opt out notice as required in §22.11 of this
title.
(2)
A short-form initial notice shall:
(A)
be clear and conspicuous;
(B)
state that the covered entity's privacy notice is available
upon request; and
(C)
explain a reasonable means by which the consumer may obtain
that notice.
(3)
The covered entity shall deliver its short-form initial
notice according to §22.13 of this title (relating to Delivery). The
covered entity is not required to deliver its privacy notice with its short-form
initial notice. The covered entity instead may simply provide the consumer
a reasonable means to obtain its privacy notice. If a consumer who receives
the covered entity's short-form notice requests the covered entity's privacy
notice, the covered entity shall deliver its privacy notice according to §22.13
of this title.
(4)
The covered entity provides a reasonable means by which
a consumer may obtain a copy of its privacy notice if the covered entity:
(A)
provides a toll-free telephone number that the consumer
may call to request the notice; or
(B)
for a consumer who conducts business in person at the covered
entity's office, maintains copies of the notice on hand that the covered entity
provides to the consumer immediately upon request.
(g)
Reservation of right to disclose. The covered entity's
notice may include:
(1)
categories of nonpublic personal financial information
that the covered entity reserves the right to disclose in the future, but
does not currently disclose; and
(2)
categories of affiliates or nonaffiliated third parties
to whom the covered entity reserves the right in the future to disclose, but
to whom the covered entity does not currently disclose, nonpublic personal
financial information.
(h)
Forms. A covered entity may use the forms provided in §22.26
of this title (relating to Forms), as applicable, to meet the requirements
of this section as follows:
(1)
Form Number FNPRV INFO/COL provided at Figure 1 of §22.26(b)(1)
of this title is intended to meet the requirement of subsection (b)(1) of
this section to describe the categories of nonpublic personal financial information
the covered entity collects.
(2)
Form Number FNPRV INFO/DSC provided at Figure 2 of §22.26(b)(1)
of this title is intended to meet the requirement of subsection (b)(2) of
this section to describe the categories of nonpublic personal financial information
the covered entity discloses. The covered entity may use these clauses if
it discloses nonpublic personal financial information other than as permitted
by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(3)
Form Number FNPRV INFO/NODSC provided at Figure 3 of §22.26(b)(3)
of this subchapter is intended to meet the requirements of subsections (b)(2),
(3), and (4) of this section to describe the categories of nonpublic personal
financial information about customers and former customers that the covered
entity discloses and the categories of affiliates and nonaffiliated third
parties to whom the covered entity discloses this information. A covered entity
may use this clause if the covered entity does not disclose nonpublic personal
financial information to any party, other than as permitted by the exceptions
in §§22.18 and 22.19 of this title.
(4)
Form Number FNPRV INFO/TPDSC provided at Figure 4 of §22.26(b)(4)
of this title is intended to meet the requirements of subsection (b)(3) of
this section to describe the categories of affiliates and nonaffiliated third
parties to whom the covered entity discloses nonpublic personal financial
information. A covered entity may use this clause if the covered entity discloses
nonpublic personal financial information other than as permitted by the exceptions
in §§22.17, 22.18, and 22.19 of this title.
(5)
Form Number FNPRV INFO/SPJMDSC provided at Figure 5 of §22.26(b)(5)
of this title is intended to meet the requirements of subsection (b)(5) of
this section related to the exception for service providers and joint marketers
in §22.17 of this title. If a covered entity discloses nonpublic personal
financial information under this exception, the covered entity shall describe
the categories of nonpublic personal financial information the covered entity
discloses and the categories of third parties with which the covered entity
has contracted.
(6)
Form Number FNPRV INFO/OPT provided at Figure 6 of §22.26(b)(6)
of this title is intended to meet the requirements of subsection (b)(6) of
this section to provide an explanation of the consumer's right to opt out
of the disclosure of nonpublic personal financial information to nonaffiliated
third parties, including the method(s) by which the consumer may exercise
that right. A covered entity may use this clause if the covered entity discloses
nonpublic personal financial information other than as permitted by the exceptions
in §§22.17, 22.18, and 22.19 of this title.
(7)
Form Number FNPRV INFO/SEC provided at Figure 7 of §22.26(b)(7)
of this subchapter is intended to meet the requirements of subsection (b)(8)
of this section to describe the covered entity's policies and practices with
respect to protecting the confidentiality and security of nonpublic personal
financial information.
§22.13.Delivery.
(a)
How to provide notices. A covered entity shall provide
any notices that this subchapter requires so that each consumer can reasonably
be expected to receive actual notice in writing or, if the consumer agrees,
electronically.
(b)
Examples of reasonable expectation of actual notice. A
covered entity satisfies the reasonable expectation that a consumer will receive
actual notice if the covered entity:
(1)
hand-delivers a printed copy of the notice to the consumer;
(2)
mails a printed copy of the notice to the last known address
of the consumer separately, or in a policy, billing or other written communication;
(3)
for a consumer who conducts transactions electronically,
posts the notice on the electronic site and requires the consumer to acknowledge
receipt of the notice as a necessary step to obtaining a particular insurance
product or service; or
(4)
for an isolated transaction with a consumer, such as the
covered entity providing an insurance quote or selling the consumer single-event
types of coverage including, but not limited to, auto rental liability, travel,
and short-term non-resident auto liability insurance, presents the notice
and requires the consumer to acknowledge receipt of the notice as a necessary
step to obtaining the particular insurance product or service.
(c)
Examples of unreasonable expectation of actual notice.
A covered entity has not met the reasonable expectation that a consumer will
receive actual notice of its privacy policies and practices if it:
(1)
only posts a sign in its office or generally publishes
advertisements of its privacy policies and practices; or
(2)
sends the notice via electronic mail to a consumer who
does not obtain an insurance product or service from the covered entity electronically.
(d)
Annual notices only. A covered entity satisfies the reasonable
expectation that a customer will receive actual notice of the covered entity's
annual privacy notice if:
(1)
the customer uses the covered entity's Web site to access
insurance products and services electronically and agrees to receive notices
at the Web site and the covered entity posts its current privacy notice continuously
in a clear and conspicuous manner on the Web site; or
(2)
the customer has requested that the covered entity refrain
from sending any information regarding the customer relationship, and the
covered entity's current privacy notice remains available to the customer
upon request.
(e)
Oral description of notice insufficient. A covered entity
may not provide any notice required by this subchapter solely by orally explaining
the notice, either in person or over the telephone.
(f)
Retention or accessibility of notices for customers.
(1)
For customers only, a covered entity shall provide the
initial notice required by §22.8(a)(1) of this title (relating to Initial
Privacy Notice), the annual notice required by §22.9(a) of this title
(relating to Annual Privacy Notice), and the revised notice required by §22.12
of this title (relating to Revised Privacy Notices) so that the customer can
retain them or obtain them later in writing or, if the customer agrees, electronically.
(2)
A covered entity provides a privacy notice to the customer
so that the customer can retain it or obtain it later if the covered entity:
(A)
hand-delivers a printed copy of the notice to the customer;
(B)
mails a printed copy of the notice to the last known address
of the customer; or
(C)
makes its current privacy notice available on a Web site
(or a link to another Web site) for the customer who obtains an insurance
product or service electronically and agrees to receive the notice at the
Web site.
(g)
Joint notice with other financial institutions. A covered
entity may provide a joint notice from the covered entity and one or more
of its affiliates or other financial institutions, as identified in the notice,
so long as the notice is accurate with respect to the covered entity and the
other institutions. A covered entity also may provide a notice on behalf of
another financial institution.
(h)
Joint relationships. If two or more consumers jointly obtain
an insurance product or service from a covered entity, the covered entity
may satisfy the initial, annual and revised notice requirements of §§22.8(a),
22.9(a), and 22.12(a) of this title, respectively, by providing one notice
to those consumers jointly.
§22.16.Limits on Sharing Account Number Information for Marketing Purposes.
(a)
A covered entity shall not, directly or through an affiliate,
disclose, other than to a consumer reporting agency, a policy number or similar
form of access number or access code for a consumer's policy or transaction
account to any nonaffiliated third party for use in telemarketing, direct
mail marketing or other marketing through electronic mail to the consumer.
(b)
Subsection (a) of this section does not apply if a covered
entity discloses a policy number or similar form of access number or access
code:
(1)
to a service provider, including another covered entity,
solely for the purpose of marketing the sharing covered entity's own products
or services, so long as the receiving covered entity is not authorized to
initiate charges directly to the account; or
(2)
to a participant in an affinity or similar program as set
forth in 12 CFR §40.12(b)(2), 12 CFR §216.12(b)(2), 12 CFR §332.12(b)(2),
12 CFR §573.12(b)(2), and 12 CFR §716.12(b)(2), where the participants
in the program are identified to the customer when the customer enters into
the program.
(c)
A policy number, or similar form of access number or access
code, does not include a number or code in an encrypted form, so long as the
covered entity does not provide the recipient with a means to decode the number
or code.
(d)
For the purposes of this section, a policy or transaction
account is an account other than a deposit account or a credit card account.
A policy or transaction account does not include an account to which third
parties cannot initiate charges.
§22.22.Violation.
A violation of any section of this subchapter shall subject the covered
entity to the disciplinary and enforcement sanctions and penalties provided
in the Insurance Code, Chapters 28A, 82, 83, and 84.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on November 27, 2001.
TRD-200107304
Lynda Nesenholtz
General Counsel and Chief Clerk
Texas Department of Insurance
Effective date: December 17, 2001
Proposal publication date: July 27, 2001
For further information, please call: (512) 463-6327