28 TAC §§22.1 - 22.26
The Commissioner of Insurance adopts on an emergency basis,
to take immediate effect, new §§22.1 - 22.26, which set forth procedures
that insurers and other covered entities regulated by the Texas Department
of Insurance must follow regarding privacy of their consumers' nonpublic personal
financial information. Emergency §§22.1 - 22.26 set forth the requirements
that insurers and other covered entities must meet in structuring their consumer
financial practices to comply with the federal Gramm-Leach-Bliley Act (GLBA),
15 U.S.C §6801 et seq. Specifically, the rules provide the notice requirements,
as well as other procedures that insurers and other covered entities must
follow with regard to nonpublic personal financial information collected about
a consumer. Pursuant to the Administrative Procedure Act, Texas Government
Code §2001.034, the Commissioner finds that a requirement of federal
or state law requires adoption of this rule on fewer than 30 days' notice.
Senate Bill 712 (SB 712), 77th Texas Legislature, which enacted Insurance
Code Art. 28A.01 et seq., requires covered entities (and certain of their
affiliates) to comply with consumer privacy provisions contained in GLBA.
SB 712 also requires the Commissioner to adopt rules necessary to implement
financial privacy requirements, and also to adopt any other rules necessary
to carry out the purposes of GLBA, to make the state of Texas eligible to
override federal regulations, as described by Title V of GLBA. SB 712 further
provides that in adopting these rules, the Commissioner shall attempt to keep
state privacy regulations consistent with federal regulations adopted under
GLBA. The Senate Bill Analysis, in pertinent part, states that "Senate Bill
712 requires insurers and other entities regulated by the Texas Department
of Insurance to comply with requirements of GLBA and requires the commissioner
of insurance to adopt rules consistent with GLBA based on the NAIC (National
Association of Insurance Commissioners) privacy model." The proposed sections,
while based on the NAIC model rule, have been clarified in certain sections
for greater ease in reading. SB 712 also requires that the Commissioner adopt
rules to implement financial information privacy protections not later than
30 days after the law's effective date, June 14, 2001. Finally, SB 712 provides
that the Commissioner may adopt these rules on an emergency basis. The statutory
scheme of federal and state regulation makes emergency adoption important
to provide timely protection of consumer financial information privacy, consistent
with other types of financial entities that are subject to the federal privacy
provisions of GLBA.
New §22.1 explains the purpose and scope of the subchapter. New §22.2
defines terms within the subchapter. New §22.3 describes exceptions to
applicability of the subchapter. New §22.4 describes the procedure for
determining whether an individual is a consumer. New §22.5 details the
method of determining whether a relationship is continuing. New §22.6
states the requirements for notices. New §22.7 defines a reasonable basis
to believe information is lawfully made available to the general public. New §22.8
outlines requirements for initial privacy notices to consumers. New §22.9
outlines requirements for annual privacy notices to customers. New §22.10
details information to be included in privacy notices. New §22.11 prescribes
requirements for the form of notice and methods for opting out. New §22.12
details provisions regarding revised privacy notices. New §22.13 describes
permissible delivery of notices. New §22.14 establishes limits on disclosure
of nonpublic personal financial information to nonaffiliated third parties.
New §22.15 describes limits on redisclosure and reuse of nonpublic personal
financial information. New §22.16 limits the sharing of account number
information for marketing purposes. New §22.17 creates an exception to
opt out requirements for disclosure of nonpublic personal financial information
for service providers and joint marketing. New §22.18 describes exceptions
to notice and opt out requirements for disclosure of nonpublic personal financial
information for processing and service transactions. New §22.19 lists
other exceptions to notice and opt out requirements for disclosure of nonpublic
personal financial information. New §22.20 provides that the subchapter
shall not affect the operation of the federal Fair Credit Reporting Act. New §22.21
prohibits discrimination against consumers or customers because of the exercise
of rights under the subchapter. New §22.22 deems a violation of the subchapter
to be an unfair method of competition or an unfair or deceptive act or practice.
New §22.23 provides for severability of any section of the subchapter
held invalid. New §22.24 establishes a compliance date for the subchapter.
New §22.25 provides that the subchapter does not preempt or supersede
existing state law related to financial information privacy. New §22.26
includes forms for use in compliance with the subchapter.
The department is simultaneously proposing adoption of this rule on a permanent
basis in a separate submission.
The new sections are adopted on an emergency basis under the
Insurance Code, Article 28A.51 and §36.001, and Government Code §2004.034.
Article 28A.51 provides that the Commissioner shall adopt rules to implement
this chapter, as well as any other rules necessary to carry out 15 U.S.C.
Subchapter I, Chapter 94 (15 U.S.C. Section 6801 et seq.), as amended. Section
36.001 provides that the Commissioner of Insurance may adopt rules and regulations
to execute the duties and functions of the Texas Department of Insurance only
as authorized by statute. Section 2, SB 712, 77th Texas Legislature, the legislation
enacting Insurance Code Article 28A.51, requires that not later than 30 days
after the effective date of the act, the Commissioner of Insurance shall adopt
the rules required by Article 28A.51, Insurance Code, and allows the Commissioner
to adopt these initial rules on an emergency basis. Government Code §2004.034
provides for the adoption of administrative rules on an emergency basis without
notice and comment.
§22.1.Purpose and Scope.
(a)
Purpose. This subchapter governs the treatment of nonpublic
personal financial information about individuals by all covered entities.
This subchapter:
(1)
requires a covered entity to provide notice to individuals
about its privacy policies and practices;
(2)
describes the conditions under which a covered entity may
disclose nonpublic personal financial information about individuals to affiliates
and nonaffiliated third parties; and
(3)
provides methods for individuals to prevent a covered entity
from disclosing that information to nonaffiliated third parties.
(b)
Scope. This subchapter applies to nonpublic personal financial
information about individuals who obtain or are claimants or beneficiaries,
primarily for personal, family or household purposes, of products or services
from covered entities. This subchapter does not apply to information about
companies or about individuals who obtain products or services for business,
commercial or agricultural purposes.
§22.2.Definitions.
The following words and terms, when used in this chapter, shall have
the following meanings, unless the context clearly indicates otherwise.
(1)
Affiliate--Any company that controls, is controlled by,
or is under common control with another company.
(2)
Agent--As set forth in the Insurance Code, Articles 9.36,
9.36A, and 21.02.
(3)
Authorization--As set forth in the Insurance Code, Section
82.001.
(4)
Clear and conspicuous--A notice which is reasonably understandable
and designed to call attention to the nature and significance of the information
in the notice.
(5)
Collect--To obtain information that the covered entity
organizes or can retrieve by the name of an individual or by identifying number,
symbol or other identifying particular assigned to the individual, irrespective
of the source of the underlying information.
(6)
Commissioner--The Commissioner of Insurance.
(7)
Company--A corporation, limited liability company, business
trust, general or limited partnership, association, sole proprietorship or
other similar organization.
(8)
Consumer--An individual or that individual's representative
who seeks to obtain, obtains or has obtained an insurance product or service
from a covered entity that is to be used primarily for personal, family or
household purposes, and about whom the covered entity has nonpublic personal
financial information. For purposes of this subchapter, all references to
consumer include the term customer, unless the purpose of the reference is
to make a distinction between applicability of the subchapter to a customer
and a consumer.
(9)
Consumer reporting agency--As defined in Section 603(f)
of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(10)
Control--Includes the terms "controls," "controlled by,"
and "under common control," and has the meaning assigned that term by the
Insurance Code, Article 21.49-1, Section 2(d).
(11)
Covered entity--An individual or entity who receives an
authorization from the Texas Department of Insurance. The term includes any
individual or entity described by the Insurance Code, Section 82.002.
(12)
Customer--A consumer who has a customer relationship with
a covered entity.
(13)
Customer relationship--A continuing relationship, as described
in §22.5 of this subchapter (relating to Determination of Continuing
Relationship), between a consumer and a covered entity under which the covered
entity provides one or more insurance products or services to the consumer
that are to be used primarily for personal, family or household purposes.
(14)
Financial institution--Any institution the business of
which is engaging in activities that are financial in nature or incidental
to such financial activities as described in Section 4(k) of the Bank Holding
Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
(A)
any person or entity with respect to any financial activity
that is subject to the jurisdiction of the Commodity Futures Trading Commission
under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(B)
the Federal Agricultural Mortgage Corporation or any entity
charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et
seq.); or
(C)
institutions chartered by Congress specifically to engage
in securitizations, secondary market sales (including sales of servicing rights)
or similar transactions related to a transaction of a consumer, as long as
the institutions do not sell or transfer nonpublic personal financial information
to a nonaffiliated third party.
(15)
Financial product or service--Any product or service that
a financial holding company could offer by engaging in an activity that is
financial in nature or incidental to such a financial activity under Section
4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial
service includes a financial institution's evaluation or brokerage of information
that the financial institution collects in connection with a request or an
application from a consumer for a financial product or service.
(16)
Health care--
(A)
Preventive, diagnostic, therapeutic, rehabilitative, maintenance
or palliative care, services, procedures, tests or counseling that:
(i)
relates to the physical, mental or behavioral condition
of an individual; or
(ii)
affects the structure or function of the human body or
any part of the human body, including the banking of blood, sperm, organs
or any other tissue; or
(B)
prescribing, dispensing or furnishing to an individual
drugs or biologicals, or medical devices or health care equipment and supplies.
(17)
Health care provider--A physician or other health care
practitioner licensed, accredited or certified to perform specified health
services consistent with state law, or a health care facility.
(18)
Health information--Any information or data except age
or gender, whether oral or recorded in any form or medium, created by or derived
from a health care provider or the consumer that relates to:
(A)
the past, present or future physical, mental or behavioral
health or condition of an individual;
(B)
the provision of health care to an individual; or
(C)
payment for the provision of health care to an individual.
(19)
Insurance product or service--Any product or service that
is offered by a covered entity pursuant to the Insurance Code and other insurance
laws of this state. Insurance service includes a covered entity's evaluation,
brokerage or distribution of information that the covered entity collects
in connection with a request or an application from a consumer for an insurance
product or service.
(20)
Nonaffiliated third party--An entity that is not an affiliate
of, or related to by common ownership or affiliated by corporate control with,
the covered entity. The term does not include a joint employee of the entity.
(21)
Nonpublic personal financial information--Information
which:
(A)
includes:
(i)
personally identifiable financial information;
(ii)
any list, description or other grouping of consumers (and
publicly available information pertaining to them) that is derived using any
personally identifiable financial information that is not publicly available;
and
(iii)
any list of individuals' names and street addresses that
is derived in whole or in part using personally identifiable financial information
that is not publicly available, such as account numbers.
(B)
does not include:
(i)
health information;
(ii)
publicly available information unless it is derived from
a non-public source as described in subparagraph (A)(ii) and (iii) of this
paragraph;
(iii)
any list, description or other grouping of consumers
(and publicly available information pertaining to them) that is derived without
using any personally identifiable financial information that is not publicly
available; and
(iv)
any list of individuals' names and addresses that:
(I)
contains only publicly available information,
(II)
is wholly derived using personally identifiable financial
information that is publicly available, and
(III)
does not disclose that any of the individuals on the
list is a consumer of a financial institution.
(22)
Opt out--A direction by the consumer that the covered
entity not disclose nonpublic personal financial information about that consumer
to a nonaffiliated third party, other than as permitted by §22.17 of
this title (relating to Exception to Opt Out Requirements for Disclosure of
Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18
of this title (relating to Exceptions to Notice and Opt Out Requirements for
Disclosure of Nonpublic Personal Financial Information for Processing and
Servicing Transactions), and §22.19 of this title (relating to Other
Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information).
(23)
Personally identifiable financial information--
(A)
The term includes:
(i)
any information a consumer provides to a covered entity
to obtain an insurance product or service from the covered entity;
(ii)
any information about a consumer resulting from a transaction
involving an insurance product or service between a covered entity and a consumer;
(iii)
any information the covered entity otherwise obtains
about a consumer in connection with providing an insurance product or service
to that consumer;
(iv)
account balance information and payment history;
(v)
the fact that an individual is or has been one of the covered
entity's customers or has obtained an insurance product or service from the
covered entity;
(vi)
any information about the covered entity's consumer if
it is disclosed in a manner that indicates that the individual is or has been
the covered entity's consumer;
(vii)
any information that a consumer provides to a covered
entity or that the covered entity or its agent otherwise obtains in connection
with collecting on a loan or servicing a loan;
(viii)
any information the covered entity collects through
an information-collecting device from an Internet web server; and
(ix)
information from a consumer report.
(B)
The term does not include:
(i)
health information;
(ii)
a list of names and addresses of customers of an entity
that is not a financial institution; and
(iii)
information that does not identify a consumer, such as
aggregate information or blind data that does not contain personal identifiers
such as account numbers, names or addresses.
(24)
Publicly available information--Any information that a
covered entity has a reasonable basis to believe is lawfully made available
to the general public from:
(A)
federal, state or local government records;
(B)
widely distributed media; or
(C)
disclosures to the general public that are required to
be made by federal, state or local law.
§22.3.Exceptions to Applicability of Subchapter.
(a)
A covered entity is not subject to the notice and opt out
requirements for nonpublic personal financial information set forth in this
subchapter if the covered entity is an employee, agent or other representative
of another covered entity ("a principal") and:
(1)
the principal otherwise complies with, and provides the
notices required by, the provisions of this subchapter; and
(2)
the covered entity does not disclose any nonpublic personal
financial information to any person other than the principal or its affiliates
in a manner permitted by this subchapter.
(b)
Subject to subsection (c) of this section, covered entity
shall also include an eligible surplus lines insurer to the extent that insurer
accepts business placed through a person subject to the Insurance Code, Article
1.14-2.
(c)
A person transacting surplus lines business shall be deemed
to be in compliance with the notice and opt out requirements for nonpublic
personal financial information set forth in this subchapter provided:
(1)
the person does not disclose nonpublic personal financial
information of a consumer or a customer to nonaffiliated third parties for
any purpose, including joint servicing or marketing under §22.17 of this
title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information for Service Providers and Joint Marketing),
except as permitted by §22.18 of this title (relating to Exceptions to
Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information for Processing and Servicing Transactions) and §22.19 of
this title (relating to Other Exceptions to Notice and Opt Out Requirements
for Disclosure of Nonpublic Personal Financial Information); and
(2)
the person delivers to the consumer at the time a customer
relationship is established Form Number FNPRV DSC/SRPLN provided at Figure
8 of §22.26(b) of this title (relating to Forms), in at least 16 point
type.
§22.4.Determination of Consumer Status.
(a)
The term consumer includes, but is not limited to:
(1)
an individual who provides nonpublic personal financial
information to a covered entity in connection with obtaining or seeking to
obtain financial, investment or economic advisory services relating to an
insurance product or service regardless of whether the covered entity establishes
an ongoing relationship.
(2)
an applicant for insurance prior to the inception of insurance
coverage.
(3)
an individual, if the covered entity discloses nonpublic
personal financial information about the individual to a nonaffiliated third
party other than as permitted under §22.17 of this title (relating to
Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information for Service Providers and Joint Marketing), §22.18 of this
title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Processing and Servicing Transactions)
and §22.19 of this title (relating to Other Exceptions to Notice and
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information),
and:
(A)
the individual is a beneficiary of a life insurance policy
underwritten by the covered entity;
(B)
the individual is a claimant under an insurance policy
issued by the covered entity;
(C)
the individual is an insured or an annuitant under an insurance
policy or an annuity, respectively, issued by the covered entity; or
(D)
the individual is a mortgagor of a mortgage covered under
a mortgage insurance policy.
(b)
Examples of when individuals will not be considered consumers
of a covered entity:
(1)
an individual who is a consumer of another financial institution
is not a covered entity's consumer solely because the covered entity is acting
as agent for, or provides processing or other services to, that financial
institution.
(2)
an individual is not a covered entity's consumer solely
because he or she is a beneficiary of a trust for which the covered entity
is a trustee.
(3)
an individual is not a covered entity's consumer solely
because he or she has designated the covered entity as trustee for a trust.
(c)
Special rules for employee benefit plans, group or blanket
insurance policies, group annuity contracts, or workers' compensation policies.
(1)
An individual who is a participant or a beneficiary of
an employee benefit plan that a covered entity administers or sponsors or
for which the covered entity acts as a trustee, insurer or fiduciary is not
the consumer of a covered entity that:
(A)
provides all initial, annual and revised notices required
by this subchapter to the employer or other entity establishing the plan;
and
(B)
does not disclose nonpublic personal financial information
about the individual to a nonaffiliated third party other than as permitted
under §§22.17 - 22.19 of this title.
(2)
An individual who is covered under a group or blanket insurance
policy or group annuity contract issued by a covered entity is not the consumer
of a covered entity that:
(A)
provides all initial, annual and revised notices required
by this subchapter to the policyholder or contractholder; and
(B)
does not disclose nonpublic personal financial information
about the individual to a nonaffiliated third party other than as permitted
under §§22.17 - 22.19 of this title.
(3)
An individual that is a beneficiary of a workers' compensation
policy issued by a covered entity is not the consumer of a covered entity
that:
(A)
provides all initial, annual and revised notices required
by this subchapter to the plan participant; and
(B)
does not disclose nonpublic personal financial information
about the individual to a nonaffiliated third party other than as permitted
under §§22.17 - 22.19 of this title.
(d)
An individual described in subsection (c) of this section
is the consumer of a covered entity that does not comply with the applicable
notice and nondisclosure requirements of that subsection.
(e)
In no event shall an individual, solely by virtue of his
status described in subsection (c) of this section, be deemed to be the customer
of a covered entity for purposes of this subchapter.
§22.5.Determination of Continuing Relationship.
(a)
A consumer has a continuing relationship with a covered
entity if:
(1)
the consumer is a current policyholder of an insurance
product issued by or through the covered entity; or
(2)
the consumer obtains financial, investment or economic
advisory services relating to an insurance product or service from the covered
entity for a fee.
(b)
A consumer does not have a continuing relationship with
a covered entity if:
(1)
the consumer applies for insurance but does not purchase
the insurance;
(2)
the covered entity sells the consumer insurance in an isolated
transaction involving single-event types of coverage including, but not limited
to, auto rental liability, travel, and short-term non-resident auto liability
insurance;
(3)
the individual is no longer a current policyholder of an
insurance product or no longer obtains insurance services with or through
the covered entity;
(4)
the consumer is a beneficiary or claimant under a policy
even though the consumer has submitted a claim under a policy choosing a settlement
option involving an ongoing relationship with the covered entity;
(5)
the consumer is a beneficiary or a claimant under a policy
and has submitted a claim under that policy choosing a lump sum settlement
option;
(6)
the customer's policy is lapsed, expired, or otherwise
not in force, and the covered entity has not communicated with the customer
about the relationship for a period of 12 consecutive months, other than annual
privacy notices, material required by law or regulation, communication at
the direction of a state or federal authority, or promotional materials;
(7)
the individual is an insured or an annuitant under an insurance
policy or annuity, respectively, but is not the policyholder or owner of the
insurance policy or annuity; or
(8)
the individual's last known address according to the covered
entity's records is deemed invalid, which occurs when:
(A)
mail sent to that address by the covered entity has been
returned by the postal authorities as undeliverable, and
(B)
subsequent attempts by the covered entity to obtain a current
valid address for the individual have been unsuccessful.
§22.6.Notice Requirements.
Any notice required by this subchapter must comply with the following
standards.
(1)
Designed to call attention. A covered entity designs its
notice to call attention to the nature and significance of the information
in it, if:
(A)
with regard to all notices, the covered entity:
(i)
uses a plain-language heading to call attention to the
notice;
(ii)
uses a typeface and type size that are easy to read;
(iii)
provides wide margins and ample line spacing;
(iv)
uses boldface or italics for key words; and
(v)
uses distinctive type size, style, and graphic devices,
such as shading or sidebars, when the covered entity combines its notice in
a form with other information, in order to emphasize the privacy component
of the form.
(B)
on a notice on a Web page, the covered entity uses text
or visual cues to encourage scrolling down the page if necessary to view the
entire notice and to ensure that other elements on the Web site (such as text,
graphics, hyperlinks or sound) do not distract attention from the notice,
and the covered entity either:
(i)
places the notice on a screen that consumers frequently
access, such as a page on which transactions are conducted; or
(ii)
places a link on a screen that consumers frequently access,
such as a page on which transactions are conducted, that connects directly
to the notice and is labeled appropriately to convey the importance, nature
and relevance of the notice.
(2)
Reasonably understandable. A covered entity makes its notice
reasonably understandable if it:
(A)
presents the information in the notice in clear, concise
sentences, paragraphs, and sections;
(B)
uses short explanatory sentences or bullet lists whenever
possible;
(C)
uses definite, concrete, everyday words and active voice
whenever possible;
(D)
avoids multiple negatives;
(E)
avoids legal and highly technical business terminology
whenever possible; and
(F)
avoids explanations that are imprecise and readily subject
to different interpretations.
§22.7.Determination of Reasonable Basis.
For purposes of determining if information is publicly available as
defined in this subchapter:
(1)
a covered entity has a reasonable basis to believe that
information is lawfully made available to the general public if the covered
entity has taken steps to determine:
(A)
that the information is of the type that is available to
the general public; and
(B)
whether an individual can direct that the information not
be made available to the general public, and
(C)
if an option as described in subparagraph (B) of this paragraph
is available, that the covered entity's consumer has not made such a direction.
(2)
The following examples illustrate whether a reasonable
basis exists to believe that information is publically available.
(A)
A covered entity has a reasonable basis to believe that
information is publicly available if the information comes from nonconfidential
government records, such as information in real estate records and security
interest filings.
(B)
A covered entity has a reasonable basis to believe that
information is publicly available if the information comes from widely distributed
media, such as information from a telephone book, a television or radio program,
a newspaper or a Web site that is available to the general public on an unrestricted
basis. A Web site is not restricted merely because an Internet service provider
or a site operator requires a fee or a password, so long as access is available
to the general public.
(C)
A covered entity has a reasonable basis to believe that
mortgage information is lawfully made available to the general public if the
covered entity has determined that the information is of the type included
in the public record in the jurisdiction where the mortgage would be recorded.
(D)
A covered entity has a reasonable basis to believe that
an individual's telephone number is lawfully made available to the general
public if the covered entity has located the telephone number in the telephone
book or the consumer has informed the covered entity that the telephone number
is not unlisted.
§22.8.Initial Privacy Notice.
(a)
Initial notice requirement. A covered entity shall provide
a clear and conspicuous notice that accurately reflects its privacy policies
and practices to:
(1)
an individual who becomes the covered entity's customer,
not later than when the covered entity establishes a customer relationship,
except as provided in subsection (e) of this section; and
(2)
a consumer, before the covered entity discloses any nonpublic
personal financial information about the consumer to any nonaffiliated third
party, if the covered entity makes a disclosure other than as authorized by §22.18
of this title (relating to Exceptions to Notice and Opt Out Requirements for
Disclosure of Nonpublic Personal Financial Information for Processing and
Servicing Transactions) and §22.19 of this title (relating to Other Exceptions
to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information).
(b)
Initial notice not required. A covered entity is not required
to provide an initial notice to a consumer under subsection (a)(2) of this
section if:
(1)
the covered entity does not disclose any nonpublic personal
financial information about the consumer to any nonaffiliated third party,
other than as authorized by §22.18 and §22.19 of this title, and
the covered entity does not have a customer relationship with the consumer;
or
(2)
a notice has been provided by an affiliated covered entity,
so as long as the notice clearly identifies all covered entities to whom the
notice applies and is accurate with respect to the covered entity and the
other institutions.
(c)
Establishment of a customer relationship.
(1)
Generally, a covered entity establishes a customer relationship
at the time the covered entity and the consumer enter into a continuing relationship.
(2)
Some examples of a covered entity establishing a customer
relationship occur when the consumer:
(A)
becomes a policyholder of a covered entity that is an insurer
when the insurer delivers an insurance policy or contract to the consumer,
or in the case of a covered entity that is an insurance agent, obtains insurance
through that covered entity; or
(B)
agrees to obtain financial, economic or investment advisory
services relating to insurance products or services for a fee from the covered
entity.
(d)
Existing customers. When an existing customer obtains a
new insurance product or service from a covered entity that is to be used
primarily for personal, family or household purposes, if the initial, revised
or annual notice that the covered entity most recently provided to that customer
was inaccurate with respect to the new insurance product or service, the covered
entity shall, in accordance with the initial notice requirements of subsection
(a) of this section, provide a revised privacy notice, under §22.12 of
this title (relating to Revised Privacy Notices), that covers the customer's
new insurance product or service. If the initial, revised or annual notice
that the covered entity most recently provided to that customer was accurate
with respect to the new insurance product or service, the covered entity does
not need to provide a new privacy notice under subsection (a) of this section.
(e)
Subsequent delivery of notice.
(1)
General rule. A covered entity may provide the initial
notice required by subsection (a)(1) of this section within a reasonable time
after the covered entity establishes a customer relationship if:
(A)
establishing the customer relationship is not at the customer's
election; or
(B)
providing notice not later than when the covered entity
establishes a customer relationship would substantially delay the customer's
transaction and the customer agrees to receive the notice at a later time.
(2)
Not at customer's election. Establishing a customer relationship
is not at the customer's election if a covered entity acquires or is assigned
a customer's policy from another financial institution or residual market
mechanism and the customer does not have a choice about the covered entity's
acquisition or assignment.
(3)
Substantial delay of customer's transaction. Providing
notice not later than when a covered entity establishes a customer relationship
would substantially delay the customer's transaction when the covered entity
and the individual agree over the telephone to enter into a customer relationship
involving prompt delivery of the insurance product or service.
(4)
No substantial delay of customer's transaction. Providing
notice not later than when a covered entity establishes a customer relationship
would not substantially delay the customer's transaction when the relationship
is initiated in person at the covered entity's office or through other means
by which the customer may view the notice, such as on a Web site.
(f)
Delivery. A covered entity shall deliver any notices required
by this section according to §22.13 of this title (relating to Delivery).
If the covered entity uses a short-form initial notice for non-customers according
to §22.10(d) of this title (relating to Information to be Included in
Privacy Notices), the covered entity may deliver its privacy notice according
to §22.10(d)(3) of this title.
§22.9.Annual Privacy Notice.
(a)
A covered entity shall provide a clear and conspicuous
notice to customers that accurately reflects its privacy policies and practices
not less than annually during the continuation of the customer relationship.
"Annually" means at least once in any period of 12 consecutive months during
which that relationship exists. A covered entity may define the 12-consecutive-month
period, but the covered entity shall apply it to the customer on a consistent
basis. A covered entity provides a notice annually if it defines the twelve-consecutive-month
period as a calendar year and provides the annual notice to the customer once
in each calendar year following the calendar year in which the covered entity
provided the initial notice. For example, if a customer opens an account on
any day of year 1, the covered entity shall provide an annual notice to that
customer by December 31 of year 2.
(b)
A covered entity is not required to provide an annual notice
to a former customer. A former customer is an individual with whom a covered
entity no longer has a continuing relationship.
(1)
A covered entity no longer has a continuing relationship
with an individual if the individual no longer is a current policyholder of
an insurance product or no longer obtains insurance services with or through
the covered entity.
(2)
A covered entity no longer has a continuing relationship
with an individual if the individual's policy is lapsed, expired or otherwise
not in force, and the covered entity has not communicated with the customer
about the relationship for a period of 12 consecutive months, other than to
provide annual privacy notices, material required by law or regulation, or
promotional materials.
(3)
For the purposes of this subchapter, a covered entity no
longer has a continuing relationship with an individual if:
(A)
the covered entity sends mail to the individual's last
known address, according to the covered entity's records, and the postal authorities
return that mail as undeliverable, and
(B)
subsequent attempts by the covered entity to obtain a current
valid address for the individual are unsuccessful.
(4)
A covered entity no longer has a continuing relationship
with a customer, in the case of providing real estate settlement services,
at the later of the following events:
(A)
the customer completes execution of all documents related
to the real estate closing;
(B)
payment for those services has been received; or
(C)
the covered entity has completed all of its responsibilities
with respect to the settlement, including filing documents in the public record.
(c)
A covered entity shall deliver any annual privacy notices
required by this section according to §22.13 of this title (relating
to Delivery).
§22.10.Information to be Included in Privacy Notices.
(a)
Nondisclosure notice requirements. A covered entity that
does not disclose, and does not reserve the right to disclose, nonpublic personal
financial information about customers or former customers to affiliates or
nonaffiliated third parties except as authorized under §22.18 of this
title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Processing and Servicing Transactions)
and §22.19 of this title (relating to Other Exceptions to Notice and
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information),
may comply with this subchapter by providing a notice which expresses:
(1)
the nondisclosure policy stated in this subsection, and
(2)
the information required by subsections (b)(1), (8), (9),
and (c) of this section.
(b)
Disclosure notice requirements. The initial, annual and
revised privacy notices that a covered entity provides under §22.8 of
this title (relating to Initial Privacy Notice), §22.9 of this title
(relating to Annual Privacy Notice) and §22.12 of this title (relating
to Revised Privacy Notices) shall include the following items of information,
in addition to any other information the covered entity wishes to provide,
that applies to the covered entity and to the consumers to whom the covered
entity sends its privacy notice.
(1)
The categories of nonpublic personal financial information
that the covered entity collects. A covered entity satisfies the requirement
to categorize the nonpublic personal financial information it collects when
the covered entity categorizes it according to the source of the information,
as applicable, including:
(A)
information from the consumer;
(B)
information about the consumer's transactions with the
covered entity or its affiliates;
(C)
information about the consumer's transactions with nonaffiliated
third parties; and
(D)
information from a consumer reporting agency.
(2)
The categories of nonpublic personal financial information
that the covered entity discloses.
(A)
A covered entity satisfies the requirement to categorize
nonpublic personal financial information it discloses when the covered entity
categorizes the information according to source, as described in paragraph
(1) of this subsection, as applicable, and provides examples to illustrate
the types of information in each category, such as:
(i)
information from the consumer, including application information
(such as assets and income) and identifying information (such as name, address
and social security number);
(ii)
transaction information (such as information about balances,
payment history and parties to the transaction); and
(iii)
information from consumer reports (such as a consumer's
creditworthiness and credit history).
(B)
A covered entity does not adequately categorize the information
that it discloses when the covered entity uses only general terms (such as
transaction information about the consumer).
(C)
A covered entity that reserves the right to disclose all
of the nonpublic personal financial information about consumers that it collects
may state that fact without describing the categories or examples of nonpublic
personal financial information that the covered entity discloses.
(3)
The categories of affiliates and nonaffiliated third parties
to whom the covered entity discloses nonpublic personal financial information,
other than those parties to whom the covered entity discloses information
under §22.18 and §22.19 of this title.
(4)
The categories of nonpublic personal financial information
about the covered entity's former customers that the covered entity discloses
and the categories of affiliates and nonaffiliated third parties to whom the
covered entity discloses nonpublic personal financial information about the
covered entity's former customers, other than those parties to whom the covered
entity discloses information under §22.18 and §22.19 of this title.
(5)
A covered entity that discloses nonpublic personal financial
information to a nonaffiliated third party under §22.17 of this title
(relating to Exception to Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information for Service Providers and Joint Marketing)
and no other exception in §22.18 and §22.19 of this title applies
to that disclosure, shall provide a separate description of the categories
of information the covered entity discloses and the categories of third parties
with whom the covered entity has contracted.
(6)
An explanation of the consumer's right under §22.14(a)
of this title (relating to Limits on Disclosure of Nonpublic Personal Financial
Information to Nonaffiliated Third Parties) to opt out of the disclosure of
nonpublic personal financial information to nonaffiliated third parties, including
the methods by which the consumer may exercise that right at that time.
(7)
Any disclosures that the covered entity makes under Section
603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii))
(that is, notices regarding the ability to opt out of disclosures of information
among affiliates).
(8)
The covered entity's policies and practices with respect
to protecting the confidentiality and security of nonpublic personal financial
information. A covered entity provides an adequate description of its policies
and practices with respect to protecting the confidentiality and security
of nonpublic personal financial information if it does both of the following:
(A)
describes in general terms who is authorized to have access
to the information; and
(B)
states whether the covered entity has security practices
and procedures in place to ensure the confidentiality of the information in
accordance with the covered entity's policy. The covered entity is not required
to describe technical information about the safeguards it uses.
(9)
Any disclosure that the covered entity makes under subsection
(c) of this section.
(c)
Description of parties subject to exceptions. A covered
entity that discloses nonpublic personal financial information as authorized
under §22.18 and §22.19 of this title is not required to list those
exceptions in the initial or annual privacy notices required by §22.8
and §22.9 of this title. When describing the categories of parties to
whom disclosure is made, the covered entity shall state that it makes disclosures
to other affiliated or nonaffiliated third parties, as applicable, as permitted
by law.
(d)
Appropriate methods of categorizing affiliates and nonaffiliated
third parties.
(1)
A covered entity satisfies the requirement to categorize
the affiliates and nonaffiliated third parties to which the covered entity
discloses nonpublic personal financial information about consumers if the
covered entity identifies the types of businesses in which they engage.
(2)
Types of businesses may be described by general terms only
if the covered entity uses illustrative examples of significant lines of business.
For example, a covered entity may use the term "financial products or services"
if the notice includes appropriate examples of significant lines of such businesses
or services, such as life insurer, automobile insurer, consumer banking or
securities brokerage.
(3)
A covered entity also may categorize the affiliates and
nonaffiliated third parties to which it discloses nonpublic personal financial
information about consumers using more detailed categories.
(e)
Disclosures under exception for service providers and joint
marketers. A covered entity that discloses nonpublic personal financial information
under the exception in §22.17 of this title to a nonaffiliated third
party to market products or services that it offers alone or jointly with
another financial institution satisfies the disclosure requirement of subsection
(b)(5) of this section if it:
(1)
lists the categories of nonpublic personal financial information
it discloses, using the same categories and examples the covered entity used
to meet the requirements of subsection (a)(2) of this section, as applicable;
and
(2)
states whether the third party is:
(A)
a service provider that performs marketing services on
the covered entity's behalf or on behalf of the covered entity and another
financial institution; or
(B)
a financial institution with whom the covered entity has
a joint marketing agreement.
(f)
Short-form initial notice with opt out notice for non-customers.
(1)
A covered entity may satisfy the initial notice requirements
in §22.8(a)(2) and §22.11(c) of this title (relating to Form of
Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not
a customer by providing a short-form initial notice at the same time as the
covered entity delivers an opt out notice as required in §22.11 of this
title.
(2)
A short-form initial notice shall:
(A)
be clear and conspicuous;
(B)
state that the covered entity's privacy notice is available
upon request; and
(C)
explain a reasonable means by which the consumer may obtain
that notice.
(3)
The covered entity shall deliver its short-form initial
notice according to §22.13 of this title (relating to Delivery). The
covered entity is not required to deliver its privacy notice with its short-form
initial notice. The covered entity instead may simply provide the consumer
a reasonable means to obtain its privacy notice. If a consumer who receives
the covered entity's short-form notice requests the covered entity's privacy
notice, the covered entity shall deliver its privacy notice according to §22.13
of this title.
(4)
The covered entity provides a reasonable means by which
a consumer may obtain a copy of its privacy notice if the covered entity:
(A)
provides a toll-free telephone number that the consumer
may call to request the notice; or
(B)
for a consumer who conducts business in person at the covered
entity's office, maintains copies of the notice on hand that the covered entity
provides to the consumer immediately upon request.
(g)
Reservation of right to disclose. The covered entity's
notice may include:
(1)
categories of nonpublic personal financial information
that the covered entity reserves the right to disclose in the future, but
does not currently disclose; and
(2)
categories of affiliates or nonaffiliated third parties
to whom the covered entity reserves the right in the future to disclose, but
to whom the covered entity does not currently disclose, nonpublic personal
financial information.
(h)
Forms. A covered entity may use the forms provided in §22.26
of this title (relating to Forms), as applicable, to meet the requirements
of this section as follows:
(1)
Form Number FNPRV INFO/COL provided at Figure 1 of §22.26(b)
of this title is intended to meet the requirement of subsection (b)(1) of
this section to describe the categories of nonpublic personal financial information
the covered entity collects.
(2)
Form Number FNPRV INFO/DSC provided at Figure 2 of §22.26(b)
of this title is intended to meet the requirement of subsection (b)(2) of
this section to describe the categories of nonpublic personal financial information
the covered entity discloses. The covered entity may use these clauses if
it discloses nonpublic personal financial information other than as permitted
by the exceptions in §§22.17 - 22.19 of this title.
(3)
Form Number FNPRV INFO/NODSC provided at Figure 3 of §22.26(b)
of this subchapter is intended to meet the requirements of subsections (b)(2),
(3), and (4) of this section to describe the categories of nonpublic personal
financial information about customers and former customers that the covered
entity discloses and the categories of affiliates and nonaffiliated third
parties to whom the covered entity discloses this information. A covered entity
may use this clause if the covered entity does not disclose nonpublic personal
financial information to any party, other than as permitted by the exceptions
in §22.18 and §22.19 of this title.
(4)
Form Number FNPRV INFO/TPDSC provided at Figure 4 of §22.26(b)
of this title is intended to meet the requirements of subsection (b)(3) of
this section to describe the categories of affiliates and nonaffiliated third
parties to whom the covered entity discloses nonpublic personal financial
information. A covered entity may use this clause if the covered entity discloses
nonpublic personal financial information other than as permitted by the exceptions
in §§22.17 - 22.19 of this title
(5)
Form Number FNPRV INFO/SPJMDSC provided at Figure 5 of §22.26(b)
of this title is intended to meet the requirements of subsection (b)(5) of
this section related to the exception for service providers and joint marketers
in §22.17 of this title. If a covered entity discloses nonpublic personal
financial information under this exception, the covered entity shall describe
the categories of nonpublic personal financial information the covered entity
discloses and the categories of third parties with which the covered entity
has contracted.
(6)
Form Number FNPRV INFO/OPT provided at Figure 6 of §22.26(b)
of this title is intended to meet the requirements of subsection (b)(6) of
this section to provide an explanation of the consumer's right to opt out
of the disclosure of nonpublic personal financial information to nonaffiliated
third parties, including the method(s) by which the consumer may exercise
that right. A covered entity may use this clause if the covered entity discloses
nonpublic personal financial information other than as permitted by the exceptions
in §§22.17 - 22.19 of this title.
(7)
Form Number FNPRV INFO/SEC provided at Figure 7 of §22.26(b)
of this subchapter is intended to meet the requirements of subsection (b)(8)
of this section to describe the covered entity's policies and practices with
respect to protecting the confidentiality and security of nonpublic personal
financial information.
§22.11.Form of Opt Out Notice to Consumers and Opt Out Methods.
(a)
If a covered entity is required to provide an opt out notice
under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic
Personal Financial Information to Nonaffiliated Third Parties), it shall provide
a clear and conspicuous notice to each of its consumers that accurately explains
the right to opt out. The notice shall state:
(1)
that the covered entity discloses or reserves the right
to disclose nonpublic personal financial information about its consumer to
a nonaffiliated third party;
(2)
that the consumer has the right to opt out of that disclosure;
and
(3)
a reasonable means by which the consumer may opt out .
(b)
Adequate opt out notice. A covered entity provides adequate
notice that the consumer can opt out of the disclosure of nonpublic personal
financial information to a nonaffiliated third party if the covered entity:
(1)
identifies all of the categories of nonpublic personal
financial information that it discloses or reserves the right to disclose,
and all of the categories of nonaffiliated third parties to which the covered
entity discloses the information, as described in §22.10(a)(2) and (3)
of this title (relating to Information to be Included in Privacy Notices),
and states that the consumer can opt out of the disclosure of that information;
and
(2)
identifies the insurance products or services that the
consumer obtains from the covered entity, either singly or jointly, to which
the opt out direction would apply.
(c)
Reasonable opt out means. A covered entity provides a reasonable
means to exercise an opt out right if it:
(1)
designates check-off boxes in a prominent position on the
relevant forms with the opt out notice; and
(2)
includes the reply form together with the opt out notice;
or
(3)
provides an electronic means to opt out, such as a form
that can be sent via electronic mail or a process at the covered entity's
Web site, if the consumer agrees to the electronic delivery of information;
or
(4)
provides a toll-free telephone number that consumers may
call to opt out.
(d)
A covered entity does not provide a reasonable means of
opting out if:
(1)
the only means of opting out is for the consumer to write
his or her own letter to exercise that opt out right; or
(2)
the only means of opting out as described in any notice
subsequent to the initial notice is to use a check-off box that the covered
entity provided with the initial notice but did not include with the subsequent
notice.
(e)
A covered entity may require each consumer to opt out through
a specific means, so long as that means is reasonable for that consumer.
(f)
A covered entity may provide the opt out notice together
with, or on the same written or electronic form as, the initial notice the
covered entity provides in accordance with §22.8 of this title (relating
to Initial Privacy Notice).
(g)
If a covered entity provides the opt out notice later than
required for the initial notice in accordance with §22.8 of this title,
the covered entity shall also include a copy of the initial notice with the
opt out notice in writing or, if the consumer agrees, electronically.
(h)
A covered entity shall utilize the procedures set forth
in paragraphs (1) - (4) of this subsection when joint relationships between
consumers are involved.
(1)
If two or more consumers jointly obtain or seek to obtain
an insurance product or service from a covered entity, the covered entity
may provide a single opt out notice. The covered entity's opt out notice shall
explain how the covered entity will treat an opt out direction by a joint
consumer (as explained in subsection (i) of this section).
(2)
Any of the joint consumers may exercise the right to opt
out. The covered entity may either:
(A)
treat an opt out direction by a joint consumer as applying
to all of the associated joint consumers; or
(B)
permit each joint consumer to opt out separately.
(3)
If a covered entity permits each joint consumer to opt
out separately, the covered entity shall permit one of the joint consumers
to opt out on behalf of all of the joint consumers.
(4)
A covered entity may not require all joint consumers to
opt out before it implements any opt out direction.
(i)
The following are examples of how a covered entity should
treat a joint relationship. If John and Mary are both named policyholders
on a homeowner's insurance policy issued by a covered entity and the covered
entity sends policy statements to John's address, the covered entity may do
any of the following, but it shall explain in its opt out notice which opt
out policy the covered entity will follow:
(1)
send a single opt out notice to John's address, but the
covered entity shall accept an opt out direction from either John or Mary.
(2)
treat an opt out direction by either John or Mary as applying
to the entire policy. If the covered entity does so and John opts out, the
covered entity may not require Mary to opt out as well before implementing
John's opt out direction.
(3)
permit John and Mary to make different opt out directions.
If the covered entity does so:
(A)
it shall permit John and Mary to opt out for each other;
(B)
if both opt out, the covered entity shall permit both of
them to notify it in a single response (such as on a form or through a telephone
call); and
(C)
if John opts out and Mary does not, the covered entity
may only disclose nonpublic personal financial information about Mary, but
not about John and not about John and Mary jointly.
(j)
A covered entity shall comply with a consumer's opt out
direction as soon as reasonably practicable after the covered entity receives
it.
(k)
A consumer may exercise the right to opt out at any time.
(l)
A consumer's direction to opt out under this section is
effective until the consumer revokes it in writing or, if the consumer has
agreed to conduct business electronically, electronically.
(m)
When a customer relationship terminates, the customer's
opt out direction continues to apply to the nonpublic personal financial information
that the covered entity collected during or related to that relationship.
If the individual subsequently establishes a new customer relationship with
the covered entity, the opt out direction that applied to the former relationship
does not apply to the new relationship.
(n)
When a covered entity is required to deliver an opt out
notice by this section, the covered entity shall deliver it according to §22.13
of this title (relating to Delivery).
§22.12.Revised Privacy Notices.
(a)
Except as otherwise authorized in this subchapter, a covered
entity shall not, directly or through an affiliate, disclose any nonpublic
personal financial information about a consumer to a nonaffiliated third party
other than as described in the initial notice that the covered entity provided
to that consumer under §22.8 of this title (relating to Initial Privacy
Notice), unless:
(1)
the covered entity has provided to the consumer a clear
and conspicuous revised notice that accurately describes its policies and
practices;
(2)
the covered entity has provided to the consumer a new opt
out notice;
(3)
the covered entity has given the consumer a reasonable
opportunity, before the covered entity discloses the information to the nonaffiliated
third party, to opt out of the disclosure; and
(4)
the consumer does not opt out.
(b)
Except as otherwise permitted by §22.17 of this title
(relating to Exception to Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information for Service Providers and Joint Marketing), §22.18
of this title (relating to Exceptions to Notice and Opt Out Requirements for
Disclosure of Nonpublic Personal Financial Information for Processing and
Servicing Transactions) and §22.19 of this title (relating to Other Exceptions
to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information), a covered entity shall provide a revised notice before it:
(1)
discloses a new category of nonpublic personal financial
information to any nonaffiliated third party;
(2)
discloses nonpublic personal financial information to a
new category of nonaffiliated third party; or
(3)
discloses nonpublic personal financial information about
a former customer to a nonaffiliated third party, if that former customer
has not had the opportunity to exercise an opt out right regarding that disclosure.
(c)
A revised notice is not required if the covered entity
discloses nonpublic personal financial information to a new nonaffiliated
third party that the covered entity adequately described in its prior notice.
(d)
When a covered entity is required to deliver a revised
privacy notice by this section, the covered entity shall deliver it according
to §22.13 of this title (relating to Delivery).
§22.13.Delivery.
(a)
How to provide notices. A covered entity shall provide
any notices that this subchapter requires so that each consumer can reasonably
be expected to receive actual notice in writing or, if the consumer agrees,
electronically.
(b)
Examples of reasonable expectation of actual notice. A
covered entity satisfies the reasonable expectation that a consumer will receive
actual notice if the covered entity:
(1)
hand-delivers a printed copy of the notice to the consumer;
(2)
mails a printed copy of the notice to the last known address
of the consumer separately, or in a policy, billing or other written communication;
(3)
for a consumer who conducts transactions electronically,
posts the notice on the electronic site and requires the consumer to acknowledge
receipt of the notice as a necessary step to obtaining a particular insurance
product or service;
(4)
for an isolated transaction with a consumer, such as the
covered entity providing an insurance quote or selling the consumer single-event
types of coverage including, but not limited to, auto rental liability, travel,
and short-term non-resident auto liability insurance, presents the notice
and requires the consumer to acknowledge receipt of the notice as a necessary
step to obtaining the particular insurance product or service.
(c)
Examples of unreasonable expectation of actual notice.
A covered entity has not met the reasonable expectation that a consumer will
receive actual notice of its privacy policies and practices if it:
(1)
only posts a sign in its office or generally publishes
advertisements of its privacy policies and practices; or
(2)
sends the notice via electronic mail to a consumer who
does not obtain an insurance product or service from the covered entity electronically.
(d)
Annual notices only. A covered entity satisfies the reasonable
expectation that a customer will receive actual notice of the covered entity's
annual privacy notice if:
(1)
the customer uses the covered entity's Web site to access
insurance products and services electronically and agrees to receive notices
at the Web site and the covered entity posts its current privacy notice continuously
in a clear and conspicuous manner on the Web site; or
(2)
the customer has requested that the covered entity refrain
from sending any information regarding the customer relationship, and the
covered entity's current privacy notice remains available to the customer
upon request.
(e)
Oral description of notice insufficient. A covered entity
may not provide any notice required by this subchapter solely by orally explaining
the notice, either in person or over the telephone.
(f)
Retention or accessibility of notices for customers.
(1)
For customers only, a covered entity shall provide the
initial notice required by §22.8(a)(1) of this title (relating to Initial
Privacy Notice), the annual notice required by §22.9(a) of this title
(relating to Annual Privacy Notice), and the revised notice required by §22.12
of this title (relating to Revised Privacy Notices) so that the customer can
retain them or obtain them later in writing or, if the customer agrees, electronically.
(2)
A covered entity provides a privacy notice to the customer
so that the customer can retain it or obtain it later if the covered entity:
(A)
hand-delivers a printed copy of the notice to the customer;
(B)
mails a printed copy of the notice to the last known address
of the customer; or
(C)
makes its current privacy notice available on a Web site
(or a link to another Web site) for the customer who obtains an insurance
product or service electronically and agrees to receive the notice at the
Web site.
(g)
Joint notice with other financial institutions. A covered
entity may provide a joint notice from the covered entity and one or more
of its affiliates or other financial institutions, as identified in the notice,
so long as the notice is accurate with respect to the covered entity and the
other institutions. A covered entity also may provide a notice on behalf of
another financial institution.
(h)
Joint relationships. If two or more consumers jointly obtain
an insurance product or service from a covered entity, the covered entity
may satisfy the initial, annual and revised notice requirements of §§22.8(a),
22.9(a), and 22.12(a) of this title, respectively, by providing one notice
to those consumers jointly.
§22.14.Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
(a)
Conditions for disclosure. Except as otherwise authorized
in this subchapter, a covered entity may not, directly or through any affiliate,
disclose any nonpublic personal financial information about a consumer to
a nonaffiliated third party unless:
(1)
the covered entity has provided to the consumer an initial
notice as required under §22.8 of this title (relating to Initial Privacy
Notice);
(2)
the covered entity has provided to the consumer an opt
out notice as required in §22.11 of this title (relating to Form of Opt
Out Notice to Consumers and Opt Out Methods);
(3)
the covered entity has given the consumer a reasonable
opportunity, before it discloses the information to the nonaffiliated third
party, to opt out of the disclosure; and
(4)
the consumer does not opt out.
(b)
Examples of reasonable opportunity to opt out. A covered
entity provides a consumer with a reasonable opportunity to opt out if:
(1)
the covered entity mails the notices required in subsection
(a) of this section to the consumer and allows the consumer to opt out by
mailing a form, calling a toll-free telephone number or any other reasonable
means within 30 days from the date the covered entity mailed the notices.
(2)
a customer opens an on-line account with a covered entity
and agrees to receive the notices required in subsection (a) of this section
electronically, and the covered entity allows the customer to opt out by any
reasonable means within 30 days after the date that the customer acknowledges
receipt of the notices in conjunction with opening the account.
(3)
for an isolated transaction such as providing the consumer
with an insurance quote, a covered entity provides the consumer with a reasonable
opportunity to opt out if the covered entity provides the notices required
in subsection (a) of this section at the time of the transaction and requests
that the consumer decide, as a necessary part of the transaction, whether
to opt out before completing the transaction.
(c)
Application of opt out to all consumers and all nonpublic
personal financial information.
(1)
A covered entity shall comply with this section, regardless
of whether the covered entity and the consumer have established a customer
relationship.
(2)
Unless a covered entity complies with this section, the
covered entity may not, directly or through any affiliate, disclose any nonpublic
personal financial information about a consumer that the covered entity has
collected, regardless of whether the covered entity collected it before or
after receiving the direction to opt out from the consumer.
(d)
Partial opt out. A covered entity may allow a consumer
to select certain nonpublic personal financial information or certain nonaffiliated
third parties with respect to which the consumer wishes to opt out.
§22.15.Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information.
(a)
If a covered entity receives nonpublic personal financial
information from a nonaffiliated financial institution under an exception
in §22.18 of this title (relating to Exceptions to Notice and Opt Out
Requirements for Disclosure of Nonpublic Personal Financial Information for
Processing and Servicing Transactions) and §22.19 of this title (relating
to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information), the covered entity's disclosure and use of
that information is limited as follows:
(1)
the covered entity may disclose the information to the
affiliates of the financial institution from which the covered entity received
the information;
(2)
the covered entity may disclose the information to its
affiliates, but the covered entity's affiliates may, in turn, disclose and
use the information only to the extent that the covered entity may disclose
and use the information; and
(3)
the covered entity may disclose and use the information
pursuant to an exception in §22.18 and §22.19 of this title in the
ordinary course of business to carry out the activity covered by the exception
under which the covered entity received the information.
(b)
If a covered entity receives information from a nonaffiliated
financial institution for claims settlement purposes, the covered entity may
disclose the information for fraud prevention, or in response to a properly
authorized subpoena. The covered entity may not disclose that information
to a third party for marketing purposes or use that information for its own
marketing purposes.
(c)
If a covered entity receives nonpublic personal financial
information from a nonaffiliated financial institution other than under an
exception in §22.18 and §22.19 of this title, the covered entity
may disclose the information only:
(1)
to the affiliates of the financial institution from which
the covered entity received the information;
(2)
to its affiliates, but its affiliates may, in turn, disclose
the information only to the extent that the covered entity may disclose the
information; and
(3)
to any other person, if the disclosure would be lawful
if made directly to that person by the financial institution from which the
covered entity received the information.
(d)
If a covered entity obtains a customer list from a nonaffiliated
financial institution outside of the exceptions in §22.18 and §22.19
of this title:
(1)
the covered entity may use that list for its own purposes;
and
(2)
the covered entity may disclose that list to another nonaffiliated
third party only if the financial institution from which the covered entity
purchased the list could have lawfully disclosed the list to that third party.
That is, the covered entity may disclose the list in accordance with the privacy
policy of the financial institution from which the covered entity received
the list, as limited by the opt out direction of each consumer whose nonpublic
personal financial information the covered entity intends to disclose, and
the covered entity may disclose the list in accordance with an exception in §22.18
and §22.19 of this title, such as to the covered entity's attorneys or
accountants.
(e)
If a covered entity discloses nonpublic personal financial
information to a nonaffiliated third party under an exception in §22.18
and §22.19 of this title, the third party may disclose and use that information
only as follows:
(1)
the third party may disclose the information to the covered
entity's affiliates;
(2)
the third party may disclose the information to its affiliates,
but its affiliates may, in turn, disclose and use the information only to
the extent that the third party may disclose and use the information; and
(3)
the third party may disclose and use the information pursuant
to an exception in §22.18 or §22.19 of this title in the ordinary
course of business to carry out the activity covered by the exception under
which it received the information.
(f)
If a covered entity discloses nonpublic personal financial
information to a nonaffiliated third party other than under an exception in §22.18
and §22.19 of this title, the third party may disclose the information
only:
(1)
to the covered entity's affiliates;
(2)
to the third party's affiliates, but the third party's
affiliates, in turn, may disclose the information only to the extent the third
party can disclose the information; and
(3)
to any other person, if the disclosure would be lawful
if the covered entity made it directly to that person.
§22.16.Limits on Sharing Account Number Information for Marketing Purposes.
(a)
A covered entity shall not, directly or through an affiliate,
disclose, other than to a consumer reporting agency, a policy number or similar
form of access number or access code for a consumer's policy or transaction
account to any nonaffiliated third party for use in telemarketing, direct
mail marketing or other marketing through electronic mail to the consumer.
(b)
Subsection (a) of this section does not apply if a covered
entity discloses a policy number or similar form of access number or access
code:
(1)
to another covered entity solely for the purpose of marketing
the sharing covered entity's own products or services, so long as the receiving
covered entity is not authorized to directly initiate charges to the account;
or
(2)
to a participant in an affinity or similar program as set
forth in 12 CFR §40.12(b)(2), 12 CFR §216.12(b)(2), 12 CFR §332.12(b)(2),
12 CFR §573.12(b)(2), and 12 CFR §716.12(b)(2), where the participants
in the program are identified to the customer when the customer enters into
the program.
(c)
A policy number, or similar form of access number or access
code, does not include a number or code in an encrypted form, so long as the
covered entity does not provide the recipient with a means to decode the number
or code.
(d)
For the purposes of this section, a policy or transaction
account is an account other than a deposit account or a credit card account.
A policy or transaction account does not include an account to which third
parties cannot initiate charges.
§22.17.Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing.
(a)
The opt out requirements in §22.11 of this title (relating
to Form of Opt Out Notice to Consumers and Opt Out Methods) and §22.14
of this title (relating to Limits on Disclosure of Nonpublic Personal Financial
Information to Nonaffiliated Third Parties) do not apply when a covered entity
provides nonpublic personal financial information to a nonaffiliated third
party to perform services for the covered entity or functions on the covered
entity's behalf, if the covered entity:
(1)
provides the initial notice in accordance with §22.8
of this title (relating to Initial Privacy Notice); and
(2)
enters into a contractual agreement with the third party
that prohibits the third party from disclosing or using the information other
than to carry out the purposes for which the covered entity disclosed the
information, including use under an exception in §22.18 of this title
(relating to Exceptions to Notice and Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Processing and Servicing Transactions)
and §22.19 of this title (relating to Other Exceptions to Notice and
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information)
in the ordinary course of business to carry out those purposes.
(b)
If a covered entity discloses nonpublic personal financial
information under this section to a financial institution with which the covered
entity performs joint marketing, the covered entity's contractual agreement
with that institution meets the requirements of subsection (a)(2) of this
section if it prohibits the institution from disclosing or using the nonpublic
personal financial information except as necessary to carry out the joint
marketing or under an exception set forth in §22.18 and §22.19 of
this title in the ordinary course of business to carry out that joint marketing.
(c)
The services a nonaffiliated third party performs for a
covered entity under subsection (a) of this section may include marketing
of the covered entity's own products or services or marketing of financial
products or services offered pursuant to joint agreements between the covered
entity and one or more financial institutions.
(d)
For purposes of this section, "joint agreement" means a
written contract pursuant to which a covered entity and one or more financial
institutions jointly offer, endorse or sponsor a financial product or service.
§22.18.Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions.
(a)
If the covered entity discloses nonpublic personal financial
information as necessary to effect, administer or enforce a transaction that
a consumer requests or authorizes, or in connection with a transaction listed
in subsection (b) of this section, the following do not apply:
(1)
provision of the initial notice in §22.8(a)(2) of
this title (relating to Initial Privacy Notice),
(2)
the opt out requirements in §22.11 of this title (relating
to Form of Opt Out Notice to Consumers and Opt Out Methods) and the limitations
on disclosure in §22.14 of this title (relating to Limits on Disclosure
of Nonpublic Personal Financial Information to Nonaffiliated Third Parties),
and
(3)
the requirements pertaining to service providers and joint
marketing in §22.17 of this title (relating to Exception to Opt Out Requirements
for Disclosure of Nonpublic Personal Financial Information for Service Providers
and Joint Marketing).
(b)
Applicable transactions include:
(1)
servicing or processing an insurance product or service
that a consumer requests or authorizes;
(2)
maintaining or servicing the consumer's account with a
covered entity, or with another entity as part of a private label credit card
program or other extension of credit on behalf of such entity;
(3)
a proposed or actual securitization, secondary market sale
(including sales of servicing rights) or similar transaction related to a
transaction of the consumer; or
(4)
reinsurance or stop loss or excess loss insurance.
(c)
A disclosure is necessary to effect, administer or enforce
a transaction if it is:
(1)
required, or is one of the lawful or appropriate methods,
to enforce the covered entity's rights or the rights of other persons engaged
in carrying out the financial transaction or providing the product or service;
or
(2)
required, or is a usual, appropriate or acceptable method:
(A)
to carry out the transaction or the product or service
business of which the transaction is a part, and record, service or maintain
the consumer's account in the ordinary course of providing the insurance product
or service;
(B)
to administer or service benefits or claims relating to
the transaction or the product or service business of which it is a part;
(C)
to provide a confirmation, statement or other record of
the transaction, or information on the status or value of the insurance product
or service to the consumer or the consumer's agent or broker;
(D)
to accrue or recognize incentives or bonuses associated
with the transaction that are provided by a covered entity or any other party;
(E)
to underwrite insurance at the consumer's request or for
any of the following purposes as they relate to a consumer's insurance: account
administration, reporting, investigating or preventing fraud or material misrepresentation,
processing premium payments, processing insurance claims, administering insurance
benefits (including utilization review activities), participating in research
projects or as otherwise required or specifically permitted by federal or
state law; or
(F)
in connection with:
(i)
the authorization, settlement, billing, processing, clearing,
transferring, reconciling or collection of amounts charged, debited or otherwise
paid using a debit, credit or other payment card, check or account number,
or by other payment means;
(ii)
the transfer of receivables, accounts or interests therein;
or
(iii)
the audit of debit, credit or other payment information.
§22.19.Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information.
(a)
The requirements for initial notice to consumers in §22.8(a)(2)
of this title (relating to Initial Privacy Notice), the opt out in §22.11
of this title (relating to Form of Opt Out Notice to Consumers and Opt Out
Methods) and §22.14 of this title (relating to Limits on Disclosure of
Nonpublic Personal Financial Information to Nonaffiliated Third Parties),
and service providers and joint marketing in §22.17 of this title (relating
to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal
Financial Information for Service Providers and Joint Marketing) do not apply
when a covered entity discloses nonpublic personal financial information:
(1)
with the consent or at the direction of the consumer, provided
that the consumer has not revoked the consent or direction;
(2)
to protect the confidentiality or security of a covered
entity's records pertaining to the consumer, service, product or transaction;
(3)
to protect against or prevent actual or potential fraud
or unauthorized transactions;
(4)
for required institutional risk control or for resolving
consumer disputes or inquiries;
(5)
to persons holding a legal or beneficial interest relating
to the consumer;
(6)
to persons acting in a fiduciary or representative capacity
on behalf of the consumer;
(7)
to provide information to insurance rate advisory organizations,
guaranty funds or agencies, agencies that are rating a covered entity, persons
that are assessing the covered entity's compliance with industry standards,
and the covered entity's attorneys, accountants and auditors;
(8)
to the extent specifically permitted or required under
other provisions of law and in accordance with the federal Right to Financial
Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies
(including the Federal Reserve Board, Office of the Comptroller of the Currency,
Federal Deposit Insurance Corporation, Office of Thrift Supervision, National
Credit Union Administration, the Securities and Exchange Commission, the Secretary
of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records
and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter
21 (Financial Recordkeeping), a state insurance authority, and the Federal
Trade Commission), self-regulatory organizations or for an investigation on
a matter related to public safety;
(9)
to a consumer reporting agency in accordance with the federal
Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or from a consumer report
reported by a consumer reporting agency;
(10)
in connection with a proposed or actual sale, merger,
transfer or exchange of all or a portion of a business or operating unit if
the disclosure of nonpublic personal financial information concerns solely
consumers of the business or unit;
(11)
to comply with federal, state or local laws, rules and
other applicable legal requirements;
(12)
to comply with a properly authorized civil, criminal or
regulatory investigation, or subpoena or summons by federal, state or local
authorities;
(13)
to respond to judicial process or government regulatory
authorities having jurisdiction over a covered entity for examination, compliance
or other purposes as authorized by law; or
(14)
for purposes related to the replacement of a group benefit
plan, a group health plan, a group welfare plan or a workers' compensation
policy.
(b)
A consumer may revoke consent by subsequently exercising
the right to opt out of future disclosures of nonpublic personal financial
information as permitted under §22.11(f) of this title.
§22.20.Protection of Fair Credit Reporting Act.
Nothing in this subchapter shall be construed to modify, limit or supersede
the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.), and no inference shall be drawn on the basis of the provisions of this
subchapter regarding whether information is transaction or experience information
under Section 603 of that Act.
§22.21.Nondiscrimination.
A covered entity shall not unfairly discriminate against any consumer
or customer because that consumer or customer has opted out from the disclosure
of his or her nonpublic personal financial information pursuant to the provisions
of this subchapter.
§22.22.Violation.
(a)
A violation of any section of this subchapter shall subject
the covered entity to the penalties provided in the Insurance Code, Chapters
82 and 84, and other applicable provisions of the Insurance Code.
(b)
In addition to and cumulative of the penalties provided
in subsection (a) of this section, a violation of any section of this subchapter
shall be considered to be an unfair method of competition or an unfair or
deceptive practice and shall subject the covered entity to the penalties provided
in the Insurance Code, Article 21.21, and other applicable provisions of the
Insurance Code.
§22.23.Severability.
If any section or portion of a section of this subchapter or its applicability
to any person or circumstance is held invalid by a court, the remainder of
the subchapter or the applicability of the provision to other persons or circumstances
shall not be affected.
§22.24.Effective Date.
(a)
This subchapter is effective July 12, 2001.
(b)
By September 10, 2001, a covered entity shall provide an
initial notice, as required by §22.8 of this title (relating to Initial
Privacy Notice), to consumers who are the covered entity's customers on September
10, 2001. For example, a covered entity provides an initial notice to consumers
who are its customers on September 10, 2001, if, by that date, the covered
entity has established a system for providing an initial notice to all new
customers and has mailed the initial notice to all the covered entity's existing
customers.
(c)
Until September 10, 2002, a contract that a covered entity
has entered into with a nonaffiliated third party to perform services for
the covered entity or functions on the covered entity's behalf satisfies the
provisions of §22.17(a)(1)(B) of this title (relating to Exception to
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
for Service Providers and Joint Marketing), even if the contract does not
include a requirement that the third party maintain the confidentiality of
nonpublic personal financial information, so long as the covered entity entered
into the agreement on or before September 10, 2000.
§22.25.Preservation of Existing Privacy Law.
Nothing in this subchapter shall preempt or supersede existing state
law related to nonpublic personal financial information.
§22.26.Forms.
(a)
The forms identified in this subchapter for covered entities
referenced in this chapter are included in subsection (b) of this section
in their entirety. The forms can be obtained from the Texas Department of
Insurance, P.O. Box 149104, Austin, Texas 78714-9104. Covered entities, including
a group of financial holding company affiliates that use a common privacy
notice, may use the following forms, if the clause is accurate for each institution
that uses the notice. Note that disclosure of certain information, such as
assets, income and information from a consumer reporting agency, may give
rise to obligations under the federal Fair Credit Reporting Act, such as a
requirement to permit a consumer to opt out of disclosures to affiliates or
designation as a consumer reporting agency if disclosures are made to nonaffiliated
third parties.
(b)
The forms referenced in this subchapter are as follows:
Figure 1: 28 TAC §22.26(b)
Figure 2: 28 TAC §22.26(b)
Figure 3: 28 TAC §22.26(b)
Figure 4: 28 TAC §22.26(b)
Figure 5: 28 TAC §22.26(b)
Figure 6: 28 TAC §22.26(b)
Figure 7: 28 TAC §22.26(b)
Figure 8: 28 TAC §22.26(b)
This agency hereby certifies that the emergency adoption
has been reviewed by legal counsel and found to be within the agency's legal
authority to adopt.
Filed with the Office of
the Secretary of State, on July 12, 2001.
TRD-200104026
Lynda Nesenholtz
General Counsel and Chief Clerk
Texas Department of Insurance
Effective Date: July 12, 2001
Expiration Date: November 9, 2001
For further information, please call: (512) 463-6327