Financial Information Privacy
28 TAC §§ 22.1 - 22.26
1. INTRODUCTION. The Commissioner of Insurance adopts on an emergency basis, to take immediate effect, new §§22.1-22.26, which set forth procedures that insurers and other covered entities regulated by the Texas Department of Insurance must follow regarding privacy of their consumers' nonpublic personal financial information. Emergency §§22.1-22.26 set forth the requirements that insurers and other covered entities must meet in structuring their consumer financial practices to comply with the federal Gramm-Leach-Bliley Act (GLBA), 15 U.S.C §6801 et seq. Specifically, the rules provide the notice requirements, as well as other procedures that insurers and other covered entities must follow with regard to nonpublic personal financial information collected about a consumer.
Pursuant to the Administrative Procedure Act, Texas Government Code Sec. 2001.034, the Commissioner finds that a requirement of federal or state law requires adoption of this rule on fewer than 30 days' notice. Senate Bill 712 (SB 712), 77 th Texas Legislature, which enacted Insurance Code Art. 28A.01 et seq., requires covered entities (and certain of their affiliates) to comply with consumer privacy provisions contained in GLBA. SB 712 also requires the Commissioner to adopt rules necessary to implement financial privacy requirements, and also to adopt any other rules necessary to carry out the purposes of GLBA, to make the state of Texas eligible to override federal regulations, as described by Title V of GLBA. SB 712 further provides that in adopting these rules, the Commissioner shall attempt to keep state privacy regulations consistent with federal regulations adopted under GLBA. The Senate Bill Analysis, in pertinent part, states that "Senate Bill 712 requires insurers and other entities regulated by the Texas Department of Insurance to comply with requirements of GLBA and requires the commissioner of insurance to adopt rules consistent with GLBA based on the NAIC [National Association of Insurance Commissioners] privacy model." The proposed sections, while based on the NAIC model rule, have been clarified in certain sections for greater ease in reading. SB 712 also requires that the Commissioner adopt rules to implement financial information privacy protections not later than 30 days after the law's effective date, June 14, 2001. Finally, SB 712 provides that the Commissioner may adopt these rules on an emergency basis. The statutory scheme of federal and state regulation makes emergency adoption important to provide timely protection of consumer financial information privacy, consistent with other types of financial entities that are subject to the federal privacy provisions of GLBA.
New §22.1 explains the purpose and scope of the subchapter. New §22.2 defines terms within the subchapter. New §22.3 describes exceptions to applicability of the subchapter. New §22.4 describes the procedure for determining whether an individual is a consumer. New §22.5 details the method of determining whether a relationship is continuing. New §22.6 states the requirements for notices. New §22.7 defines a reasonable basis to believe information is lawfully made available to the general public. New §22.8 outlines requirements for initial privacy notices to consumers. New §22.9 outlines requirements for annual privacy notices to customers. New §22.10 details information to be included in privacy notices. New §22.11 prescribes requirements for the form of notice and methods for opting out. New §22.12 details provisions regarding revised privacy notices. New §22.13 describes permissible delivery of notices. New §22.14 establishes limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. New §22.15 describes limits on redisclosure and reuse of nonpublic personal financial information. New §22.16 limits the sharing of account number information for marketing purposes. New §22.17 creates an exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. New §22.18 describes exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and service transactions. New §22.19 lists other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information. New §22.20 provides that the subchapter shall not affect the operation of the federal Fair Credit Reporting Act. New §22.21 prohibits discrimination against consumers or customers because of the exercise of rights under the subchapter. New §22.22 deems a violation of the subchapter to be an unfair method of competition or an unfair or deceptive act or practice. New §22.23 provides for severability of any section of the subchapter held invalid. New §22.24 establishes a compliance date for the subchapter. New §22.25 provides that the subchapter does not preempt or supersede existing state law related to financial information privacy. New §22.26 includes forms for use in compliance with the subchapter.
The department is simultaneously proposing adoption of this rule on a permanent basis in a separate submission.
2. STATUTORY AUTHORITY. The new sections are adopted on an emergency basis under the Insurance Code, Article 28A.51 and §36.001, and Government Code §2004.034. Article 28A.51 provides that the Commissioner shall adopt rules to implement this chapter, as well as any other rules necessary to carry out 15 U.S.C. Subchapter I, Chapter 94 (15 U.S.C. Section 6801 et seq.), as amended. Section 36.001 provides that the Commissioner of Insurance may adopt rules and regulations to execute the duties and functions of the Texas Department of Insurance only as authorized by statute. Section 2, SB 712, 77 th Texas Legislature, the legislation enacting Insurance Code Article 28A.51, requires that not later than 30 days after the effective date of the act, the Commissioner of Insurance shall adopt the rules required by Article 28A.51, Insurance Code, and allows the Commissioner to adopt these initial rules on an emergency basis. Government Code §2004.034 provides for the adoption of administrative rules on an emergency basis without notice and comment.
3. TEXT.
§22.1. Purpose and Scope.
(a) Purpose. This subchapter governs the treatment of nonpublic personal financial information about individuals by all covered entities. This subchapter:
(1) requires a covered entity to provide notice to individuals about its privacy policies and practices;
(2) describes the conditions under which a covered entity may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and
(3) provides methods for individuals to prevent a covered entity from disclosing that information to nonaffiliated third parties.
(b) Scope. This subchapter applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries, primarily for personal, family or household purposes, of products or services from covered entities. This subchapter does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
§22.2. Definitions. The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.
(1) Affiliate – Any company that controls, is controlled by, or is under common control with another company.
(2) Agent – As set forth in the Insurance Code, Articles 9.36, 9.36A, and 21.02.
(3) Authorization – As set forth in the Insurance Code, Section 82.001.
(4) Clear and conspicuous – A notice which is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(5) Collect – To obtain information that the covered entity organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
(6) Commissioner – The Commissioner of Insurance.
(7) Company – A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or other similar organization.
(8) Consumer – An individual or that individual's representative who seeks to obtain, obtains or has obtained an insurance product or service from a covered entity that is to be used primarily for personal, family or household purposes, and about whom the covered entity has nonpublic personal financial information. For purposes of this subchapter, all references to consumer include the term customer, unless the purpose of the reference is to make a distinction between applicability of the subchapter to a customer and a consumer.
(9) Consumer reporting agency – As defined in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(10) Control – Includes the terms "controls," "controlled by," and "under common control," and has the meaning assigned that term by the Insurance Code, Article 21.49-1, Section 2(d).
(11) Covered entity – An individual or entity who receives an authorization from the Texas Department of Insurance. The term includes any individual or entity described by the Insurance Code, Section 82.002.
(12) Customer – A consumer who has a customer relationship with a covered entity.
(13) Customer relationship – A continuing relationship, as described in §22.5 of this subchapter (relating to Determination of Continuing Relationship), between a consumer and a covered entity under which the covered entity provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.
(14) Financial institution – Any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
(A) any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(B) the Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or
(C) institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal financial information to a nonaffiliated third party.
(15) Financial product or service – Any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(16) Health care –
(A) Preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that:
(i) relates to the physical, mental or behavioral condition of an individual; or
(ii) affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; or
(B) prescribing, dispensing or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.
(17) Health care provider – A physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with state law, or a health care facility.
(18) Health information – Any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:
(A) the past, present or future physical, mental or behavioral health or condition of an individual;
(B) the provision of health care to an individual; or
(C) payment for the provision of health care to an individual.
(19) Insurance product or service – Any product or service that is offered by a covered entity pursuant to the Insurance Code and other insurance laws of this state. Insurance service includes a covered entity's evaluation, brokerage or distribution of information that the covered entity collects in connection with a request or an application from a consumer for an insurance product or service.
(20) Nonaffiliated third party – An entity that is not an affiliate of, or related to by common ownership or affiliated by corporate control with, the covered entity. The term does not include a joint employee of the entity.
(21) Nonpublic personal financial information – Information which:
(A) includes:
(i) personally identifiable financial information;
(ii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available; and
(iii) any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
(B) does not include:
(i) health information;
(ii) publicly available information unless it is derived from a non-public source as described in subparagraphs (A)(ii) and (A)(iii) of this paragraph;
(iii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available; and
(iv) any list of individuals' names and addresses that:
(I) contains only publicly available information,
(II) is wholly derived using personally identifiable financial information that is publicly available, and
(III) does not disclose that any of the individuals on the list is a consumer of a financial institution.
(22) Opt out – A direction by the consumer that the covered entity not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions), and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information).
(23) Personally identifiable financial information –
(A) The term includes:
(i) any information a consumer provides to a covered entity to obtain an insurance product or service from the covered entity;
(ii) any information about a consumer resulting from a transaction involving an insurance product or service between a covered entity and a consumer;
(iii) any information the covered entity otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer;
(iv) account balance information and payment history;
(v) the fact that an individual is or has been one of the covered entity's customers or has obtained an insurance product or service from the covered entity;
(vi) any information about the covered entity's consumer if it is disclosed in a manner that indicates that the individual is or has been the covered entity's consumer;
(vii) any information that a consumer provides to a covered entity or that the covered entity or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
(viii) any information the covered entity collects through an information-collecting device from an Internet web server; and
(ix) information from a consumer report.
(B) The term does not include:
(i) health information;
(ii) a list of names and addresses of customers of an entity that is not a financial institution; and
(iii) information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
(24) Publicly available information – Any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from:
(A) federal, state or local government records;
(B) widely distributed media; or
(C) disclosures to the general public that are required to be made by federal, state or local law.
§22.3 Exceptions to Applicability of Subchapter.
(a) A covered entity is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in this subchapter if the covered entity is an employee, agent or other representative of another covered entity ("a principal") and:
(1) the principal otherwise complies with, and provides the notices required by, the provisions of this subchapter; and
(2) the covered entity does not disclose any nonpublic personal financial information to any person other than the principal or its affiliates in a manner permitted by this subchapter.
(b) Subject to subsection (c) of this section, covered entity shall also include an eligible surplus lines insurer to the extent that insurer accepts business placed through a person subject to the Insurance Code, Article 1.14-2.
(c) A person transacting surplus lines business shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in this subchapter provided:
(1) the person does not disclose nonpublic personal financial information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), except as permitted by §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information); and
(2) the person delivers to the consumer at the time a customer relationship is established Form Number FNPRV DSC/SRPLN provided at Figure 8 of §22.26(b)(8) of this title (relating to Forms), in at least 16 point type.
§22.4. Determination of Consumer Status.
(a) The term consumer includes, but is not limited to:
(1) an individual who provides nonpublic personal financial information to a covered entity in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service regardless of whether the covered entity establishes an ongoing relationship.
(2) an applicant for insurance prior to the inception of insurance coverage.
(3) an individual, if the covered entity discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), and:
(A) the individual is a beneficiary of a life insurance policy underwritten by the covered entity;
(B) the individual is a claimant under an insurance policy issued by the covered entity;
(C) the individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the covered entity; or
(D) the individual is a mortgagor of a mortgage covered under a mortgage insurance policy.
(b) Examples of when individuals will not be considered consumers of a covered entity:
(1) an individual who is a consumer of another financial institution is not a covered entity's consumer solely because the covered entity is acting as agent for, or provides processing or other services to, that financial institution.
(2) an individual is not a covered entity's consumer solely because he or she is a beneficiary of a trust for which the covered entity is a trustee.
(3) an individual is not a covered entity's consumer solely because he or she has designated the covered entity as trustee for a trust.
(c) Special rules for employee benefit plans, group or blanket insurance policies, group annuity contracts, or workers' compensation policies.
(1) An individual who is a participant or a beneficiary of an employee benefit plan that a covered entity administers or sponsors or for which the covered entity acts as a trustee, insurer or fiduciary is not the consumer of a covered entity that:
(A) provides all initial, annual and revised notices required by this subchapter to the employer or other entity establishing the plan; and
(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.
(2) An individual who is covered under a group or blanket insurance policy or group annuity contract issued by a covered entity is not the consumer of a covered entity that:
(A) provides all initial, annual and revised notices required by this subchapter to the policyholder or contract holder; and
(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.
(3) An individual that is a beneficiary of a workers' compensation policy issued by a covered entity is not the consumer of a covered entity that:
(A) provides all initial, annual and revised notices required by this subchapter to the plan participant; and
(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.
(d) An individual described in subsection (c) of this section is the consumer of a covered entity that does not comply with the applicable notice and nondisclosure requirements of that subsection.
(e) In no event shall an individual, solely by virtue of his status described in subsection (c) of this section, be deemed to be the customer of a covered entity for purposes of this subchapter.
§22.5. Determination of Continuing Relationship.
(a) A consumer has a continuing relationship with a covered entity if:
(1) the consumer is a current policyholder of an insurance product issued by or through the covered entity; or
(2) the consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the covered entity for a fee.
(b) A consumer does not have a continuing relationship with a covered entity if:
(1) the consumer applies for insurance but does not purchase the insurance;
(2) the covered entity sells the consumer insurance in an isolated transaction involving single-event types of coverage including, but not limited to, auto rental liability, travel, and short-term non-resident auto liability insurance;
(3) the individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity;
(4) the consumer is a beneficiary or claimant under a policy even though the consumer has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the covered entity;
(5) the consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
(6) the customer's policy is lapsed, expired, or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;
(7) the individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or
(8) the individual's last known address according to the covered entity's records is deemed invalid, which occurs when:
(A) mail sent to that address by the covered entity has been returned by the postal authorities as undeliverable, and
(B) subsequent attempts by the covered entity to obtain a current valid address for the individual have been unsuccessful.
§22.6. Notice Requirements.
(a) Any notice required by this subchapter must comply with the following standards.
(1) Designed to call attention. A covered entity designs its notice to call attention to the nature and significance of the information in it, if:
(A) with regard to all notices, the covered entity:
(i) uses a plain-language heading to call attention to the notice;
(ii) uses a typeface and type size that are easy to read;
(iii) provides wide margins and ample line spacing;
(iv) uses boldface or italics for key words; and
(v) uses distinctive type size, style, and graphic devices, such as shading or sidebars, when the covered entity combines its notice in a form with other information, in order to emphasize the privacy component of the form.
(B) on a notice on a Web page, the covered entity uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and to ensure that other elements on the Web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the covered entity either:
(i) places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(ii) places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
(2) Reasonably understandable. A covered entity makes its notice reasonably understandable if it:
(A) presents the information in the notice in clear, concise sentences, paragraphs, and sections;
(B) uses short explanatory sentences or bullet lists whenever possible;
(C) uses definite, concrete, everyday words and active voice whenever possible;
(D) avoids multiple negatives;
(E) avoids legal and highly technical business terminology whenever possible; and
(F) avoids explanations that are imprecise and readily subject to different interpretations.
§22.7. Determination of Reasonable Basis.
(a) For purposes of determining if information is publicly available as defined in this subchapter:
(1) a covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine:
(A) that the information is of the type that is available to the general public; and
(B) whether an individual can direct that the information not be made available to the general public, and
(C) if an option as described in paragraph (1)(B) of this section is available, that the covered entity's consumer has not made such a direction.
(2) The following examples illustrate whether a reasonable basis exists to believe that information is publically available.
(A) A covered entity has a reasonable basis to believe that information is publicly available if the information comes from nonconfidential government records, such as information in real estate records and security interest filings.
(B) A covered entity has a reasonable basis to believe that information is publicly available if the information comes from widely distributed media, such as information from a telephone book, a television or radio program, a newspaper or a Web site that is available to the general public on an unrestricted basis. A Web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
(C) A covered entity has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the covered entity has determined that the information is of the type included in the public record in the jurisdiction where the mortgage would be recorded.
(D) A covered entity has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the covered entity has located the telephone number in the telephone book or the consumer has informed the covered entity that the telephone number is not unlisted.
§22.8. Initial Privacy Notice.
(a) Initial notice requirement. A covered entity shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:
(1) an individual who becomes the covered entity's customer, not later than when the covered entity establishes a customer relationship, except as provided in subsection (e) of this section; and
(2) a consumer, before the covered entity discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the covered entity makes a disclosure other than as authorized by §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information).
(b) Initial notice not required. A covered entity is not required to provide an initial notice to a consumer under subsection (a)(2) of this section if:
(1) the covered entity does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by §§22.18 and 22.19 of this title, and the covered entity does not have a customer relationship with the consumer; or
(2) a notice has been provided by an affiliated covered entity, so as long as the notice clearly identifies all covered entities to whom the notice applies and is accurate with respect to the covered entity and the other institutions.
(c) Establishment of a customer relationship.
(1) Generally, a covered entity establishes a customer relationship at the time the covered entity and the consumer enter into a continuing relationship.
(2) Some examples of a covered entity establishing a customer relationship occur when the consumer:
(A) becomes a policyholder of a covered entity that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a covered entity that is an insurance agent, obtains insurance through that covered entity; or
(B) agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the covered entity.
(d) Existing customers. When an existing customer obtains a new insurance product or service from a covered entity that is to be used primarily for personal, family or household purposes, if the initial, revised or annual notice that the covered entity most recently provided to that customer was inaccurate with respect to the new insurance product or service, the covered entity shall, in accordance with the initial notice requirements of subsection (a) of this section, provide a revised privacy notice, under §22.12 of this title (relating to Revised Privacy Notices), that covers the customer's new insurance product or service. If the initial, revised or annual notice that the covered entity most recently provided to that customer was accurate with respect to the new insurance product or service, the covered entity does not need to provide a new privacy notice under subsection (a) of this section.
(e) Subsequent delivery of notice.
(1) General rule. A covered entity may provide the initial notice required by subsection (a)(1) of this section within a reasonable time after the covered entity establishes a customer relationship if:
(A) establishing the customer relationship is not at the customer's election; or
(B) providing notice not later than when the covered entity establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
(2) Not at customer's election. Establishing a customer relationship is not at the customer's election if a covered entity acquires or is assigned a customer's policy from another financial institution or residual market mechanism and the customer does not have a choice about the covered entity's acquisition or assignment.
(3) Substantial delay of customer's transaction. Providing notice not later than when a covered entity establishes a customer relationship would substantially delay the customer's transaction when the covered entity and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
(4) No substantial delay of customer's transaction. Providing notice not later than when a covered entity establishes a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at the covered entity's office or through other means by which the customer may view the notice, such as on a Web site.
(f) Delivery. A covered entity shall deliver any notices required by this section according to §22.13 of this title (relating to Delivery). If the covered entity uses a short-form initial notice for non-customers according to §22.10(d) of this title (relating to Information to be Included in Privacy Notices), the covered entity may deliver its privacy notice according to §22.10(d)(3) of this title.
§22.9. Annual Privacy Notice.
(a) A covered entity shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. "Annually" means at least once in any period of 12 consecutive months during which that relationship exists. A covered entity may define the 12-consecutive-month period, but the covered entity shall apply it to the customer on a consistent basis. A covered entity provides a notice annually if it defines the twelve-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the covered entity provided the initial notice. For example, if a customer opens an account on any day of year 1, the covered entity shall provide an annual notice to that customer by December 31 of year 2.
(b) A covered entity is not required to provide an annual notice to a former customer. A former customer is an individual with whom a covered entity no longer has a continuing relationship.
(1) A covered entity no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity.
(2) A covered entity no longer has a continuing relationship with an individual if the individual's policy is lapsed, expired or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, or promotional materials.
(3) For the purposes of this subchapter, a covered entity no longer has a continuing relationship with an individual if:
(A) the covered entity sends mail to the individual's last known address, according to the covered entity's records, and the postal authorities return that mail as undeliverable, and
(B) subsequent attempts by the covered entity to obtain a current valid address for the individual are unsuccessful.
(4) A covered entity no longer has a continuing relationship with a customer, in the case of providing real estate settlement services, at the later of the following events:
(A) the customer completes execution of all documents related to the real estate closing;
(B) payment for those services has been received; or
(C) the covered entity has completed all of its responsibilities with respect to the settlement, including filing documents in the public record.
(c) A covered entity shall deliver any annual privacy notices required by this section according to §22.13 of this title (relating to Delivery).
§22.10. Information to be Included in Privacy Notices.
(a) Nondisclosure notice requirements. A covered entity that does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), may comply with this subchapter by providing a notice which expresses:
(1) the nondisclosure policy stated in this subsection, and
(2) the information required by subsections (b)(1), (b)(8), (b)(9), and (c) of this section.
(b) Disclosure notice requirements. The initial, annual and revised privacy notices that a covered entity provides under §22.8 of this title (relating to Initial Privacy Notice), §22.9 of this title (relating to Annual Privacy Notice) and §22.12 of this title (relating to Revised Privacy Notices) shall include the following items of information, in addition to any other information the covered entity wishes to provide, that applies to the covered entity and to the consumers to whom the covered entity sends its privacy notice.
(1) The categories of nonpublic personal financial information that the covered entity collects. A covered entity satisfies the requirement to categorize the nonpublic personal financial information it collects when the covered entity categorizes it according to the source of the information, as applicable, including :
(A) information from the consumer;
(B) information about the consumer's transactions with the covered entity or its affiliates;
(C) information about the consumer's transactions with nonaffiliated third parties; and
(D) information from a consumer reporting agency.
(2) The categories of nonpublic personal financial information that the covered entity discloses.
(A) A covered entity satisfies the requirement to categorize nonpublic personal financial information it discloses when the covered entity categorizes the information according to source, as described in subsection (b)(1) of this section, as applicable, and provides examples to illustrate the types of information in each category, such as:
(i) information from the consumer, including application information (such as assets and income) and identifying information (such as name, address and social security number);
(ii) transaction information (such as information about balances, payment history and parties to the transaction); and
(iii) information from consumer reports (such as a consumer's creditworthiness and credit history).
(B) A covered entity does not adequately categorize the information that it discloses when the covered entity uses only general terms (such as transaction information about the consumer).
(C) A covered entity that reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects may state that fact without describing the categories or examples of nonpublic personal financial information that the covered entity discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information, other than those parties to whom the covered entity discloses information under §§22.18 and 22.19 of this title.
(4) The categories of nonpublic personal financial information about the covered entity's former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information about the covered entity's former customers, other than those parties to whom the covered entity discloses information under §§22.18 and 22.19 of this title.
(5) A covered entity that discloses nonpublic personal financial information to a nonaffiliated third party under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) and no other exception in §§22.18 and 22.19 of this title applies to that disclosure, shall provide a separate description of the categories of information the covered entity discloses and the categories of third parties with whom the covered entity has contracted.
(6) An explanation of the consumer's right under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the covered entity makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).
(8) The covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information. A covered entity provides an adequate description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(A) describes in general terms who is authorized to have access to the information; and
(B) states whether the covered entity has security practices and procedures in place to ensure the confidentiality of the information in accordance with the covered entity's policy. The covered entity is not required to describe technical information about the safeguards it uses.
(9) Any disclosure that the covered entity makes under subsection (c) of this section.
(c) Description of parties subject to exceptions. A covered entity that discloses nonpublic personal financial information as authorized under §§22.18 and 22.19 of this title is not required to list those exceptions in the initial or annual privacy notices required by §§22.8 and 22.9 of this title. When describing the categories of parties to whom disclosure is made, the covered entity shall state that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(d) Appropriate methods of categorizing affiliates and nonaffiliated third parties.
(1) A covered entity satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the covered entity discloses nonpublic personal financial information about consumers if the covered entity identifies the types of businesses in which they engage.
(2) Types of businesses may be described by general terms only if the covered entity uses illustrative examples of significant lines of business. For example, a covered entity may use the term "financial products or services" if the notice includes appropriate examples of significant lines of such businesses or services, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(3) A covered entity also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(e) Disclosures under exception for service providers and joint marketers. A covered entity that discloses nonpublic personal financial information under the exception in §22.17 of this title to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution satisfies the disclosure requirement of subsection (b)(5) of this section if it:
(1) lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the covered entity used to meet the requirements of subsection (a)(2) of this section, as applicable; and
(2) states whether the third party is:
(A) a service provider that performs marketing services on the covered entity's behalf or on behalf of the covered entity and another financial institution; or
(B) a financial institution with whom the covered entity has a joint marketing agreement.
(f) Short-form initial notice with opt out notice for non-customers.
(1) A covered entity may satisfy the initial notice requirements in §22.8(a)(2) and §22.11(c) of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the covered entity delivers an opt out notice as required in §22.11 of this title.
(2) A short-form initial notice shall:
(A) be clear and conspicuous;
(B) state that the covered entity's privacy notice is available upon request; and
(C) explain a reasonable means by which the consumer may obtain that notice.
(3) The covered entity shall deliver its short-form initial notice according to §22.13 of this title (relating to Delivery). The covered entity is not required to deliver its privacy notice with its short-form initial notice. The covered entity instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the covered entity's short-form notice requests the covered entity's privacy notice, the covered entity shall deliver its privacy notice according to §22.13 of this title.
(4) The covered entity provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the covered entity:
(A) provides a toll-free telephone number that the consumer may call to request the notice; or
(B) for a consumer who conducts business in person at the covered entity's office, maintains copies of the notice on hand that the covered entity provides to the consumer immediately upon request.
(g) Reservation of right to disclose. The covered entity's notice may include:
(1) categories of nonpublic personal financial information that the covered entity reserves the right to disclose in the future, but does not currently disclose; and
(2) categories of affiliates or nonaffiliated third parties to whom the covered entity reserves the right in the future to disclose, but to whom the covered entity does not currently disclose, nonpublic personal financial information.
(h) Forms. A covered entity may use the forms provided in §22.26 of this title (relating to Forms), as applicable, to meet the requirements of this section as follows:
(1) Form Number FNPRV INFO/COL provided at Figure 1 of §22.26(b)(1) of this title is intended to meet the requirement of subsection (b)(1) of this section to describe the categories of nonpublic personal financial information the covered entity collects.
(2) Form Number FNPRV INFO/DSC provided at Figure 2 of §22.26(b)(1) of this title is intended to meet the requirement of subsection (b)(2) of this section to describe the categories of nonpublic personal financial information the covered entity discloses. The covered entity may use these clauses if it discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(3) Form Number FNPRV INFO/NODSC provided at Figure 3 of §22.26(b)(3) of this subchapter is intended to meet the requirements of subsections (b)(2), (3), and (4) of this section to describe the categories of nonpublic personal financial information about customers and former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses this information. A covered entity may use this clause if the covered entity does not disclose nonpublic personal financial information to any party, other than as permitted by the exceptions in §§22.18 and 22.19 of this title.
(4) Form Number FNPRV INFO/TPDSC provided at Figure 4 of §22.26(b)(4) of this title is intended to meet the requirements of subsection (b)(3) of this section to describe the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information. A covered entity may use this clause if the covered entity discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title
(5) Form Number FNPRV INFO/SPJMDSC provided at Figure 5 of §22.26(b)(5) of this title is intended to meet the requirements of subsection (b)(5) of this section related to the exception for service providers and joint marketers in §22.17 of this title. If a covered entity discloses nonpublic personal financial information under this exception, the covered entity shall describe the categories of nonpublic personal financial information the covered entity discloses and the categories of third parties with which the covered entity has contracted.
(6) Form Number FNPRV INFO/OPT provided at Figure 6 of §22.26(b)(6) of this title is intended to meet the requirements of subsection (b)(6) of this section to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. A covered entity may use this clause if the covered entity discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(7) Form Number FNPRV INFO/SEC provided at Figure 7 of §22.26(b)(7) of this subchapter is intended to meet the requirements of subsection (b)(8) of this section to describe the covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.
§22.11. Form of Opt Out Notice to Consumers and Opt Out Methods.
(a) If a covered entity is required to provide an opt out notice under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out. The notice shall state:
(1) that the covered entity discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
(2) that the consumer has the right to opt out of that disclosure; and
(3) a reasonable means by which the consumer may opt out .
(b) Adequate opt out notice. A covered entity provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal financial information to a nonaffiliated third party if the covered entity:
(1) identifies all of the categories of nonpublic personal financial information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the covered entity discloses the information, as described in §22.10(a)(2) and (3) of this title (relating to Information to be Included in Privacy Notices), and states that the consumer can opt out of the disclosure of that information; and
(2) identifies the insurance products or services that the consumer obtains from the covered entity, either singly or jointly, to which the opt out direction would apply.
(c) Reasonable opt out means. A covered entity provides a reasonable means to exercise an opt out right if it:
(1) designates check-off boxes in a prominent position on the relevant forms with the opt out notice; and
(2) includes the reply form together with the opt out notice; or
(3) provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the covered entity's Web site, if the consumer agrees to the electronic delivery of information; or
(4) provides a toll-free telephone number that consumers may call to opt out.
(d) A covered entity does not provide a reasonable means of opting out if:
(1) the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
(2) the only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the covered entity provided with the initial notice but did not include with the subsequent notice. (e) A covered entity may require each consumer to opt out through a specific means, so long as that means is reasonable for that consumer.
(f) A covered entity may provide the opt out notice together with, or on the same written or electronic form as, the initial notice the covered entity provides in accordance with §22.8 of this title (relating to Initial Privacy Notice).
(g) If a covered entity provides the opt out notice later than required for the initial notice in accordance with §22.8 of this title, the covered entity shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(h) A covered entity shall utilize the procedures set forth in paragraphs (1) - (4) of this subsection when joint relationships between consumers are involved.
(1) If two or more consumers jointly obtain or seek to obtain an insurance product or service from a covered entity, the covered entity may provide a single opt out notice. The covered entity's opt out notice shall explain how the covered entity will treat an opt out direction by a joint consumer (as explained in subsection (i) of this section).
(2) Any of the joint consumers may exercise the right to opt out. The covered entity may either:
(A) treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(B) permit each joint consumer to opt out separately.
(3) If a covered entity permits each joint consumer to opt out separately, the covered entity shall permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A covered entity may not require all joint consumers to opt out before it implements any opt out direction.
(i) The following are examples of how a covered entity should treat a joint relationship. If John and Mary are both named policyholders on a homeowner's insurance policy issued by a covered entity and the covered entity sends policy statements to John's address, the covered entity may do any of the following, but it shall explain in its opt out notice which opt out policy the covered entity will follow:
(1) send a single opt out notice to John's address, but the covered entity shall accept an opt out direction from either John or Mary.
(2) treat an opt out direction by either John or Mary as applying to the entire policy. If the covered entity does so and John opts out, the covered entity may not require Mary to opt out as well before implementing John's opt out direction.
(3) permit John and Mary to make different opt out directions. If the covered entity does so:
(A) it shall permit John and Mary to opt out for each other;
(B) if both opt out, the covered entity shall permit both of them to notify it in a single response (such as on a form or through a telephone call); and
(C) if John opts out and Mary does not, the covered entity may only disclose nonpublic personal financial information about Mary, but not about John and not about John and Mary jointly.
(j) A covered entity shall comply with a consumer's opt out direction as soon as reasonably practicable after the covered entity receives it.
(k) A consumer may exercise the right to opt out at any time.
(l) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer has agreed to conduct business electronically, electronically.
(m) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal financial information that the covered entity collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the covered entity, the opt out direction that applied to the former relationship does not apply to the new relationship.
(n) When a covered entity is required to deliver an opt out notice by this section, the covered entity shall deliver it according to §22.13 of this title (relating to Delivery).
§22.12. Revised Privacy Notices.
(a) Except as otherwise authorized in this subchapter, a covered entity shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the covered entity provided to that consumer under §22.8 of this title (relating to Initial Privacy Notice), unless:
(1) the covered entity has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) the covered entity has provided to the consumer a new opt out notice;
(3) the covered entity has given the consumer a reasonable opportunity, before the covered entity discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Except as otherwise permitted by §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), a covered entity shall provide a revised notice before it:
(1) discloses a new category of nonpublic personal financial information to any nonaffiliated third party;
(2) discloses nonpublic personal financial information to a new category of nonaffiliated third party; or
(3) discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(c) A revised notice is not required if the covered entity discloses nonpublic personal financial information to a new nonaffiliated third party that the covered entity adequately described in its prior notice.
(d) When a covered entity is required to deliver a revised privacy notice by this section, the covered entity shall deliver it according to §22.13 of this title (relating to Delivery).
§22.13. Delivery.
(a) How to provide notices. A covered entity shall provide any notices that this subchapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Examples of reasonable expectation of actual notice. A covered entity satisfies the reasonable expectation that a consumer will receive actual notice if the covered entity:
(1) hand-delivers a printed copy of the notice to the consumer;
(2) mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication;
(3) for a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service;
(4) for an isolated transaction with a consumer, such as the covered entity providing an insurance quote or selling the consumer single-event types of coverage including, but not limited to, auto rental liability, travel, and short-term non-resident auto liability insurance, presents the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
(c) Examples of unreasonable expectation of actual notice. A covered entity has not met the reasonable expectation that a consumer will receive actual notice of its privacy policies and practices if it:
(1) only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or
(2) sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the covered entity electronically.
(d) Annual notices only. A covered entity satisfies the reasonable expectation that a customer will receive actual notice of the covered entity's annual privacy notice if:
(1) the customer uses the covered entity's Web site to access insurance products and services electronically and agrees to receive notices at the Web site and the covered entity posts its current privacy notice continuously in a clear and conspicuous manner on the Web site; or
(2) the customer has requested that the covered entity refrain from sending any information regarding the customer relationship, and the covered entity's current privacy notice remains available to the customer upon request.
(e) Oral description of notice insufficient. A covered entity may not provide any notice required by this subchapter solely by orally explaining the notice, either in person or over the telephone.
(f) Retention or accessibility of notices for customers.
(1) For customers only, a covered entity shall provide the initial notice required by §22.8(a)(1) of this title (relating to Initial Privacy Notice), the annual notice required by §22.9(a) of this title (relating to Annual Privacy Notice), and the revised notice required by §22.12 of this title (relating to Revised Privacy Notices) so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2) A covered entity provides a privacy notice to the customer so that the customer can retain it or obtain it later if the covered entity:
(A) hand-delivers a printed copy of the notice to the customer;
(B) mails a printed copy of the notice to the last known address of the customer; or
(C) makes its current privacy notice available on a Web site (or a link to another Web site) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the Web site.
(g) Joint notice with other financial institutions. A covered entity may provide a joint notice from the covered entity and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the covered entity and the other institutions. A covered entity also may provide a notice on behalf of another financial institution.
(h) Joint relationships. If two or more consumers jointly obtain an insurance product or service from a covered entity, the covered entity may satisfy the initial, annual and revised notice requirements of §§22.8(a), 22.9(a), and 22.12(a) of this title, respectively, by providing one notice to those consumers jointly.
§22.14. Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
(a) Conditions for disclosure. Except as otherwise authorized in this subchapter, a covered entity may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(1) the covered entity has provided to the consumer an initial notice as required under §22.8 of this title (relating to Initial Privacy Notice);
(2) the covered entity has provided to the consumer an opt out notice as required in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods);
(3) the covered entity has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Examples of reasonable opportunity to opt out. A covered entity provides a consumer with a reasonable opportunity to opt out if:
(1) the covered entity mails the notices required in subsection (a) of this section to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within 30 days from the date the covered entity mailed the notices.
(2) a customer opens an on-line account with a covered entity and agrees to receive the notices required in subsection (a) of this section electronically, and the covered entity allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
(3) for an isolated transaction such as providing the consumer with an insurance quote, a covered entity provides the consumer with a reasonable opportunity to opt out if the covered entity provides the notices required in subsection (a) of this section at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
(d) Application of opt out to all consumers and all nonpublic personal financial information.
(1) A covered entity shall comply with this section, regardless of whether the covered entity and the consumer have established a customer relationship.
(2) Unless a covered entity complies with this section, the covered entity may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the covered entity has collected, regardless of whether the covered entity collected it before or after receiving the direction to opt out from the consumer.
(e) Partial opt out. A covered entity may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
§22.15. Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information.
(a) If a covered entity receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), the covered entity's disclosure and use of that information is limited as follows:
(1) the covered entity may disclose the information to the affiliates of the financial institution from which the covered entity received the information;
(2) the covered entity may disclose the information to its affiliates, but the covered entity's affiliates may, in turn, disclose and use the information only to the extent that the covered entity may disclose and use the information; and
(3) the covered entity may disclose and use the information pursuant to an exception in §§22.18 and 22.19 of this title in the ordinary course of business to carry out the activity covered by the exception under which the covered entity received the information.
(b) If a covered entity receives information from a nonaffiliated financial institution for claims settlement purposes, the covered entity may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The covered entity may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
(c) If a covered entity receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in §§22.18 and 22.19 of this title, the covered entity may disclose the information only:
(1) to the affiliates of the financial institution from which the covered entity received the information;
(2) to its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the covered entity may disclose the information; and
(3) to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the covered entity received the information.
(d) If a covered entity obtains a customer list from a nonaffiliated financial institution outside of the exceptions in §§22.18 and 22.19 of this title:
(1) the covered entity may use that list for its own purposes; and
(2) the covered entity may disclose that list to another nonaffiliated third party only if the financial institution from which the covered entity purchased the list could have lawfully disclosed the list to that third party. That is, the covered entity may disclose the list in accordance with the privacy policy of the financial institution from which the covered entity received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the covered entity intends to disclose, and the covered entity may disclose the list in accordance with an exception in §§22.18 and 22.19 of this title, such as to the covered entity's attorneys or accountants.
(e) If a covered entity discloses nonpublic personal financial information to a nonaffiliated third party under an exception in §§22.18 and 22.19 of this title, the third party may disclose and use that information only as follows:
(1) the third party may disclose the information to the covered entity's affiliates;
(2) the third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) the third party may disclose and use the information pursuant to an exception in §§22.18 or 22.19 of this title in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(f) If a covered entity discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in §§22.18 and 22.19 of this title, the third party may disclose the information only:
(1) to the covered entity's affiliates;
(2) to the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) to any other person, if the disclosure would be lawful if the covered entity made it directly to that person.
§22.16. Limits on Sharing Account Number Information for Marketing Purposes.
(a) A covered entity shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
(b) Subsection (a) of this section does not apply if a covered entity discloses a policy number or similar form of access number or access code:
(1) to another covered entity solely for the purpose of marketing the sharing covered entity's own products or services, so long as the receiving covered entity is not authorized to directly initiate charges to the account; or
(2) to a participant in an affinity or similar program as set forth in 12 CFR §40.12(b)(2), 12 CFR §216.12(b)(2), 12 CFR §332.12(b)(2), 12 CFR §573.12(b)(2), and 12 CFR §716.12(b)(2), where the participants in the program are identified to the customer when the customer enters into the program.
(c) A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, so long as the covered entity does not provide the recipient with a means to decode the number or code.
(d) For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
§22.17. Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing.
(a) The opt out requirements in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) and §22.14 of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) do not apply when a covered entity provides nonpublic personal financial information to a nonaffiliated third party to perform services for the covered entity or functions on the covered entity's behalf, if the covered entity:
(1) provides the initial notice in accordance with §22.8 of this title (relating to Initial Privacy Notice); and
(2) enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the covered entity disclosed the information, including use under an exception in §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information) in the ordinary course of business to carry out those purposes.
(b) If a covered entity discloses nonpublic personal financial information under this section to a financial institution with which the covered entity performs joint marketing, the covered entity's contractual agreement with that institution meets the requirements of subsection (a)(2) of this section if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception set forth in §§22.18 and 22.19 of this title in the ordinary course of business to carry out that joint marketing.
(c) The services a nonaffiliated third party performs for a covered entity under subsection (a) of this section may include marketing of the covered entity's own products or services or marketing of financial products or services offered pursuant to joint agreements between the covered entity and one or more financial institutions.
(d) For purposes of this section, "joint agreement" means a written contract pursuant to which a covered entity and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.
§22.18. Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions.
(a) If the covered entity discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with a transaction listed in subsection (b) of this section, the following do not apply:
(1) provision of the initial notice in §22.8(a)(2) of this title (relating to Initial Privacy Notice),
(2) the opt out requirements in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) and the limitations on disclosure in §22.14 of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), and
(3) the requirements pertaining to service providers and joint marketing in §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing).
(b) Applicable transactions include:
(1) servicing or processing an insurance product or service that a consumer requests or authorizes;
(2) maintaining or servicing the consumer's account with a covered entity, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;
(3) a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer; or
(4) reinsurance or stop loss or excess loss insurance.
(c) A disclosure is necessary to effect, administer or enforce a transaction if it is:
(1) required, or is one of the lawful or appropriate methods, to enforce the covered entity's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) required, or is a usual, appropriate or acceptable method:
(A) to carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer's account in the ordinary course of providing the insurance product or service;
(B) to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(C) to provide a confirmation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer's agent or broker;
(D) to accrue or recognize incentives or bonuses associated with the transaction that are provided by a covered entity or any other party;
(E) to underwrite insurance at the consumer's request or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects or as otherwise required or specifically permitted by federal or state law; or
(F) in connection with:
(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;
(ii) the transfer of receivables, accounts or interests therein; or
(iii) the audit of debit, credit or other payment information.
§22.19. Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information.
(a) The requirements for initial notice to consumers in §22.8(a)(2) of this title (relating to Initial Privacy Notice), the opt out in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) and §22.14 of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), and service providers and joint marketing in §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) do not apply when a covered entity discloses nonpublic personal financial information:
(1) with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
(2) to protect the confidentiality or security of a covered entity's records pertaining to the consumer, service, product or transaction;
(3) to protect against or prevent actual or potential fraud or unauthorized transactions;
(4) for required institutional risk control or for resolving consumer disputes or inquiries;
(5) to persons holding a legal or beneficial interest relating to the consumer;
(6) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(7) to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a covered entity, persons that are assessing the covered entity's compliance with industry standards, and the covered entity's attorneys, accountants and auditors;
(8) to the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety;
(9) to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or from a consumer report reported by a consumer reporting agency;
(10) in connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
(11) to comply with federal, state or local laws, rules and other applicable legal requirements;
(12) to comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities;
(13) to respond to judicial process or government regulatory authorities having jurisdiction over a covered entity for examination, compliance or other purposes as authorized by law; or
(14) for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers' compensation policy.
(b) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under §22.11(f) of this title.
§22.20. Protection of Fair Credit Reporting Act. Nothing in this subchapter shall be construed to modify, limit or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this subchapter regarding whether information is transaction or experience information under Section 603 of that Act.
§22.21. Nondiscrimination. A covered entity shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this subchapter.
§22.22. Violation.
(a) A violation of any section of this subchapter shall subject the covered entity to the penalties provided in the Insurance Code, Chapters 82 & 84, and other applicable provisions of the Insurance Code.
(b) In addition to and cumulative of the penalties provided in subsection (a) of this section, a violation of any section of this subchapter shall be considered to be an unfair method of competition or an unfair or deceptive practice and shall subject the covered entity to the penalties provided in the Insurance Code, Article 21.21, and other applicable provisions of the Insurance Code.
§22.23. Severability. If any section or portion of a section of this subchapter or its applicability to any person or circumstance is held invalid by a court, the remainder of the subchapter or the applicability of the provision to other persons or circumstances shall not be affected.
§22.24. Effective Date.
(a) This subchapter is effective July 12, 2001.
(b) By September 10, 2001, a covered entity shall provide an initial notice, as required by §22.8 of this title (relating to Initial Privacy Notice), to consumers who are the covered entity's customers on September 10, 2001. For example, a covered entity provides an initial notice to consumers who are its customers on September 10, 2001, if, by that date, the covered entity has established a system for providing an initial notice to all new customers and has mailed the initial notice to all the covered entity's existing customers.
(c) Until September 10, 2002, a contract that a covered entity has entered into with a nonaffiliated third party to perform services for the covered entity or functions on the covered entity's behalf satisfies the provisions of §22.17(a)(1)(B) of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal financial information, so long as the covered entity entered into the agreement on or before September 10, 2000.
§22.25. Preservation of existing privacy law. Nothing in this subchapter shall preempt or supersede existing state law related to nonpublic personal financial information.
§22.26. Forms.
(a) The forms identified in this subchapter for covered entities referenced in this chapter are included in subsection (b) of this section in their entirety. The forms can be obtained from the Texas Department of Insurance, P.O. Box 149104, Austin, Texas 78714-9104. Covered entities, including a group of financial holding company affiliates that use a common privacy notice, may use the following forms, if the clause is accurate for each institution that uses the notice. Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(b) The forms referenced in this subchapter are as follows:
(1) Figure Number 1: Form Number FNPRV INFO/COL:
We collect nonpublic personal financial information about you from the following sources:
• Information we receive from you on applications or other forms;
• Information about your transactions with us, our affiliates or others; and
• Information we receive from a consumer reporting agency.
(2) Figure Number 2: Form Number FNPRV INFO/DSC:
(A) Alternative 1
We may disclose the following kinds of nonpublic personal financial information about you:
• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, income, and beneficiaries"];
• Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your policy coverage, premiums, and payment history"]; and
• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
(B) Alternative 2
We may disclose all of the information that we collect, as described [describe location in the notice, such as "above" or "below"].
(3) Figure Number 3: Form Number: FNPRV INFO/NODSC
We do not disclose any nonpublic personal financial information about our customers or former customers to anyone, except as permitted by law.
(4) Figure Number 4: Form Number FNPRV INFO/TPDSC:
We may disclose nonpublic personal financial information about you to the following types of third parties:
• Financial service providers, such as [provide illustrative examples, such as "life insurers, automobile insurers, mortgage bankers, securities broker-dealers, and insurance agents"];
• Non-financial companies, such as [provide illustrative examples, such as "retailers, direct marketers, airlines, and publishers"]; and
• Others, such as [provide illustrative examples, such as "non-profit organizations"].
We may also disclose nonpublic personal financial information about you to nonaffiliated third parties as permitted by law.
(5) Figure Number 5: Form Number FNPRV INFO/SPJMDSC:
(A) Alternative 1:
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, income, and beneficiaries"];
• Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your policy coverage, premium, and payment history"]; and
• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
(B) Alternative 2:
We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
(6) Figure Number 6: Form Number FNPRV INFO/OPT:
If you prefer that we not disclose nonpublic personal financial information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as "call the following toll-free number: (insert number)].
(7) Figure Number 7: Form Number FNPRV INFO/SEC:
We restrict access to nonpublic personal financial information about you to [provide an appropriate description, such as "those employees who need to know that information to provide products or services to you"]. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal financial information.
(8) Figure Number 8: Form Number FNPRV DSC/SRPLN:
PRIVACY NOTICE
NEITHER THE U.S. AGENTS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL FINANCIAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE AGENTS OR INSURERS EXCEPT AS PERMITTED BY LAW.
CERTIFICATION. This agency certifies that the sections as adopted have been reviewed by legal counsel and found to be a valid exercise of the agency's legal authority.
Issued at Austin, Texas, on July 12, 2001.
____________________________
Lynda H. Nesenholtz
General Counsel and Chief Clerk
IT IS THEREFORE THE ORDER of the Commissioner of Insurance new §§22.1-22.26, concerning Insurance Consumer Financial Information Privacy, are adopted on emergency basis.
AND IT IS SO ORDERED.
COMMISSIONER'S ORDER NO.01-0647