28 TAC §§ 22.1 - 22.26
The Commissioner of Insurance adopts new §§22.1 - 22.26, concerning privacy of nonpublic personal financial information provided by consumers to insurers and other covered entities regulated by the Department. New §§22.1, 22.2, 22.4, 22.5, 22.9, 22.10, 22.13, 22.16, and 22.22 are adopted with changes to the proposed text published in the Texas Register (26 TexReg 5593). New §§22.3, 22.6 - 22.8, 22.11, 22.12, 22.14, 22.15, 22.17 - 22.21 § 22.23 - 22.26 are adopted without changes and will not be republished.
The new adopted rules are necessary to implement the provisions of Senate Bill 712, 77th Texas Legislature (Texas Insurance Code (TIC) Art. 28A.01 et seq.), which requires covered entities (and certain of their affiliates) to comply with the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C §6801 et seq.) privacy provisions. SB 712 also directs the commissioner to implement the chapter by adopting rules necessary to make the State of Texas eligible, under Title V of GLBA, to override federal regulation, as well as to attempt to keep state privacy requirements consistent with federal regulations adopted under GLBA. This direction is consistent with the GLBA requirement that the various agencies enforcing GLBA coordinate with similarly situated agencies to assure, to the extent possible, that the regulations prescribed to enforce GLBA remain consistent and comparable. 15 USC §6804. The legislative analysis of SB 712 references the NAIC privacy model regulation as a guide for the department’s adoption of rules.
The Texas Senate bill analysis, in pertinent part, states that "Senate Bill 712 requires insurers and other entities regulated by the Texas Department of Insurance to comply with requirements of GLBA and requires the commissioner of insurance to adopt rules consistent with GLBA based on the NAIC (National Association of Insurance Commissioners) privacy model." The adopted sections, while based on the NAIC model rule, have been clarified in certain sections for greater ease in reading. The adopted sections set forth the requirements that insurers and other covered entities must meet in structuring their consumer financial practices to comply with GLBA and SB 712. Specifically, the rules provide the notice requirements, as well as other procedures that insurers and other covered entities must follow with regard to nonpublic personal financial information collected about a consumer.
Section 22.1 was changed to delete a reference to sharing information with affiliates, as these rules do not prohibit the sharing of information with affiliates. Section 22.2 was changed to delete a sentence from the definition of consumer that was not included in the national model rule, and to make a clarifying grammatical change to the definition of health care. Section 22.4 was changed to add the term "claimant under" to the list of persons affected by a policy of workers’ compensation insurance issued subject to the rule and in order to clarify a term. Section 22.5 was changed to reflect that the situations it details are exemplary. Section 22.9 was changed to achieve consistency with the standards for a continuing relationship in §22.5. Section 22.10 was changed to clarify that the rule does not prohibit information sharing with affiliates and to make nonsubstantive grammatical corrections. Section 22.13 was changed to clarify that certain compliance options are alternative. Section 22.16 was changed to clarify that a covered entity is permitted to provide account numbers to service providers for marketing purposes as long as the service provider is not authorized to directly initiate charges to the account. Section 22.22 was changed to conform more closely to legislative intent by deleting references to enforcement under TIC Art. 21.21.
General. Several commenters noted that the rule is not identical to the national model rule.
Agency Response. The department agrees that the rule is not identical to the national model rule. As noted in the preamble to the proposed rule, some definitions differ from those in the model rule because the proposal incorporated specific definitions contained in SB 712, as well as in other sections of the TIC. For example, the proposal used "covered entity," as defined in SB 712, in place of the model rule's term "licensee." Other deviations occur because parts of the model rule were ambiguous or confusing. The department has crafted the rule, however, to maintain substantive consistency with the model rule. As part of the effort to maintain congruity, the department discussed changes with a representative of the national organization that promulgated the model rule. Where appropriate, as indicated in responses to other comments, the department has changed some portions of the proposed rule to correct unintended substantive deviations from the model rule.
Rules of construction § use of examples. A commenter recommends the use of the example format and the "rule of construction" contained in the national model rule which provides that compliance with an example or sample clause set forth in the rule constitutes compliance.
Agency Response. The department agrees that the rule’s format differs from the national model rule so that some items identified as examples in the model rule no longer appear as examples in this rule. In preparing the rule for proposal, the department determined that some of the "examples" used in the definition section of the model rule were actually substantive requirements, rather than examples or definitions. Accordingly, the department rephrased these items and placed them in the body of the rule. Where appropriate, however, the department retained the actual examples from the model rule. Despite the modification of some items no longer specifically labeled as examples, compliance with such provisions is indicative of compliance with the rule. Moreover, the department has, in accordance with the commenter’s suggestion, restored the use of examples in §22.5 (concerning Examples of Continuing Relationships).
Compliance in other jurisdictions. A commenter recommends a provision stating that a covered entity domiciled in Texas in compliance with this rule is deemed to be in compliance with GLBA as to any other jurisdiction in which it does business.
Agency Response. The department declines to make this change. As the commenter recognizes, such a provision would not be enforceable.
Art. 21.21-9, Sec. 5. Two commenters ask whether compliance with this rule will constitute compliance with TIC Art. 21.21-9, Sec. 5.
Agency Response. TIC Art. 21.21-9, Sec. 5 sets out two elements required before a person may disclose "nonpublic customer information" to a third party for the purpose of another’s sale or solicitation of the purchase of insurance: clear and conspicuous disclosure regarding the proposed use of the information, and an opportunity for the customer to object before the use of the information for that purpose. The department believes compliance with the opt out requirements of this rule will provide the required "opportunity to object"; the question remaining is whether the notices required under this rule will provide the required "clear and conspicuous disclosure." The answer lies in a comparison of the sets of information protected by the two laws. Each covered entity will have to examine its internal policies to determine whether the "nonpublic customer information" it collects is wholly contained within the scope of the "nonpublic personal financial information" it collects. If so, the entity’s compliance with this rule would satisfy the conditions of TIC Art. 21.21-9. To the extent the sets of information are different, however, the covered entity will need to go beyond the requirements of this rule to satisfy TIC Art. 21.21-9 standards. A covered entity may, however, comply with both laws through a single opt out notice by disclosing that the opt out opportunity applies to both sets of protected information. It is also important to note that TIC Art. 21.21-9 prohibits disclosure to any third party without distinction between affiliates and nonaffiliates. GLBA, and this rule, on the other hand, permit disclosure to affiliates without customer consent, and thus supersede TIC Art. 21.21-9, Sec. 5, to the extent it prohibits such disclosure.
Chapter 28B of TIC relating to health information. A commenter notes that Chapter 28B of the Texas Insurance Code makes health privacy requirements applicable to all covered entities including viatical settlement companies even though such companies are not subject to the Health Insurance Portability and Accessibility Act (HIPAA) privacy requirements.
Agency Response. This rule addresses only nonpublic personal financial information collected and held by covered entities. "Health information" is defined in the rule only to differentiate such information from financial information. SB 11, enacted by the 77 th Texas Legislature, created new Chapter 28B of the TIC which addresses privacy of health information held by covered entities. SB 11 becomes effective in January of 2002. The department will propose a separate rule to implement SB 11 addressing the privacy of nonpublic personal health information and the commenter will be able to submit comments to that rule.
HIPAA. A commenter asks for clarification about the interplay between this rule and the HIPAA privacy rules.
Agency Response. An HMO, insurer, or any other covered entity that is subject to the HIPAA privacy rules will need to comply with both sets of rules once the HIPAA privacy rules become effective in April 2003. Since the two schemes address the protection of personal information differently, this may create conflicts. For example, the HIPAA rules state that items such as a person's name, address, social security number, and payment history can constitute individually identifiable health information. HIPAA will thus prohibit disclosure of such information unless the release is pursuant to an individual’s express consent or a specific exception. Under the financial privacy requirements of GLBA, however, this same information can be considered to be financial information, subject to an "opt out" standard. As of this date, federal authorities responsible for compliance with HIPAA and GLBA have issued no guidance as to how they will resolve such conflicts facing entities subject to both sets of rules. The department will continue to monitor this issue as the compliance date for the HIPAA privacy rules approaches and provide information as it becomes available.
§22.1(a). A commenter asks if an individual may affirmatively "opt out" of information sharing that is permitted under GLBA.
Agency Response. This rule does not require a covered entity, simply because of an individual’s contrary direction, to refrain from disclosing nonpublic personal financial information as permitted under the rule. The response to this comment is specifically limited to the requirements of these adopted rules; other laws may prohibit similar disclosure in specific situations.
§22.1(a). A commenter feels that the applicability of the rule to viatical settlement companies is contrary to Title V of GLBA because Title V does not delegate enforcement of the non-insurance business of viaticals to state insurance regulators. The commenter notes that viatical settlement companies are subject to the privacy requirements of GLBA. The commenter is concerned that the rule creates a dual system of regulation which will impact the offers provided to Texas viatical settlement customers.
Agency Response. SB 712 creates TIC Art. 28A.02(a), which states that "A covered entity shall comply with 15 USC §§6802 and 6803 [the notice and disclosure requirements for protected financial information under GLBA] as amended, in the same manner as a financial institution under those sections." A covered entity is defined by SB 712 as an individual or entity that receives an authorization from the department and includes any individual or entity described by TIC §82.002. Viatical settlement companies fit squarely under this definition (TIC Art. 3.50-6A). The Legislature clearly intended SB 712 and the rule to apply to viatical settlement companies. The rule treats viatical settlement companies no differently than other entities, such as banks, which are subject to regulation by more than one agency. The department reminds any persons subject to TIC Art. 3.50-6A (Viatical Settlements and Life Settlements) that this rule does not alter any other legal obligations to which they may be subject.
§§22.1(a)(2) § 22.10(a). A commenter suggests deletion of the reference to affiliates in this paragraph and subsection, since the rule does not address the sharing of information with affiliates.
Agency Response. The department agrees and has made this change. This rule was adapted from an NAIC Model Regulation concerning privacy of both financial and health information. Since this rule deals only with financial privacy, the references to "affiliates" in this subsection are incorrect. The rule does not require a covered entity sharing nonpublic personal financial information with an affiliate to provide a consumer/customer either notice or an opportunity to "opt out."
§22.1(b). A commenter asks if the rule applies to a collateral protection insurer that covers a creditor and/or a consumer under the Texas Credit Code. The commenter notes that this type of insurance "is designed explicitly to protect the interests of the lender."
Agency Response. The rule applies to covered entities providing collateral protection insurance. The department is unaware of any policy of collateral protection insurance that does not convey a benefit, or "service," to a borrower under the policy, thus making the borrower a consumer or customer under the rule. Under the rule, receipt of an insurance "service" creates customer status. The fact that the creditor may be the actual purchaser of the insurance does not void the borrower’s consumer or customer status.
§§22.1(b) § 22.4. Several commenters urge that references to claimants, beneficiaries, workers' compensation plan participants, and beneficiaries in a workers' compensation plan, be deleted from these sections.
Agency Response. The department declines to make this suggested change. SB 712 requires the department to adopt rules that implement the requirements of GLBA in a way that balances the protection of Texas citizens with an emphasis on consistent state enforcement nationwide. The department accomplished this end by proposing a rule based on the national model rule for insurance regulation, as referenced in the Senate bill analysis to SB 712. The national model rule includes within its scope claimants, beneficiaries, and workers’ compensation plan participants. Additionally, the department believes that all individuals who use insurance products or services primarily for personal, family or household purposes - including claimants and beneficiaries - should receive the same privacy protections as traditional consumers who have direct relationships with licensees. The right to financial privacy should not be diminished simply because an individual receives an insurance benefit through a policy held by another person or a commercial enterprise. Specifically, the department disagrees with the commenters regarding the nature of workers’ compensation insurance. It is important to recognize the rule’s distinction between insurance products and services. While a business generally purchases a workers’ compensation insurance policy for a commercial purpose, an injured worker’s receipt of a workers’ compensation insurance benefit serves a personal, family, or household purpose, similar to an individual’s receipt of a disability insurance benefit. Because of the commercial nature of the policyholder’s contract with the covered entity, the rule, in accordance with the national model, does place simpler requirements on covered entities providing workers’ compensation insurance and some other group coverages than the rule’s general requirement for other types of coverage.
While it is true that some states have excluded these categories of individuals, they have done so under specific statutory direction. The Texas Legislature recognized no such exception in SB 712. Accordingly the department includes these individuals within the scope of the rule.
§22.2(8). Several commenters allege that the following sentence is confusing and recommend its deletion: "For purposes of this subchapter, all references to consumer include the term customer, unless the purpose of the reference is to make a distinction between applicability of the subchapter to a customer and a consumer."
Agency Response. The department disagrees that the sentence is confusing, but since it is an addition to the model rule, will defer to commenters and has deleted it to promote uniformity. The department reminds covered entities, however, that under the rule, simply becoming a customer does not forfeit an individual’s status or rights as a consumer.
§22.2(8). A commenter inquires whether, in the context of a credit insurance policy issued to cover a bank loan, a borrower or the bank is the consumer of an insurance product.
Agency Response. The department cannot make a determination on an inquiry of this sort without the specific facts surrounding a particular transaction. Generally, since the rule pertains primarily to insurance products or services issued for "personal, family, or household purposes," and does not apply to information about companies, or about individuals who obtain products or services for business or commercial purposes, it is difficult to envision a scenario in which a bank would have consumer status. On the other hand, a borrower protected by a policy of credit insurance for personal, family, or household purposes is a named insured, as well as a beneficiary, of the policy and thus is a consumer under the rule.
§22.2(12). A commenter recommends adding the following sentence to the definition of "customer": "In no event shall a beneficiary or claimant under a policy, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for purposes of this regulation."
Agency Response. The department declines to make this change. While the rule deems certain beneficiaries and claimants to be consumers and not customers, it does so expressly where such limitation is applicable. See §22.4(c).
§22.2(20). Three commenters suggest amending the definition of "nonaffiliated third party" to state that it does not include a person employed jointly by a covered entity and a nonaffiliated third party.
Agency Response. The Texas Legislature included this definition in SB 712 and the department declines to change it. The department agrees, however, with the commenters that a joint employee of a covered entity and a nonaffiliated third party would be excluded from the definition of "nonaffiliated third party," consistent with the national model rule.
§22.3(a). A commenter suggests amending this subsection to clarify that the rule does not prohibit an agent from disclosing nonpublic personal financial information to nonaffiliated third parties in the course of providing routine policyholder services on behalf of a consumer.
Agency Response. The department declines to make this change as unnecessary. Section 22.18(a) permits covered entities, including agents, to perform acts at the request of a consumer without providing an initial privacy notice.
§22.3(b). A commenter indicates that, based on its review of Commissioner’s Bulletin No. B-0030-01, it does not believe that GLBA applies to reinsurers that do not write direct business in the State of Texas.
Agency Response. The purpose of the cited bulletin was to inform licensees generally of new laws concerning privacy and the department's plans for implementation. The department does not agree that a covered entity can determine, simply by reviewing the bulletin, whether the entity is in compliance with SB 712 or the rule. To the extent that a reinsurer is a covered entity that holds or collects nonpublic personal financial information under the rule, the rule requires appropriate compliance.
§22.3(c)(1). A commenter suggests changing "and" to "or."
Agency Response. The department disagrees. Both of the requirements of §22.3(c) must be met before a covered entity is considered to be in compliance with this paragraph.
§§22.3(c)(2) § 22.26(b)(8). A commenter prefers that the term "16 point type" be eliminated and that the text of the suggested privacy notice not be capitalized, as they believe these requirements differ from the national model rules.
Agency Response. The department disagrees. The 16 point type and capitalization of the notice are both specific requirements of the national model rule.
§22.4(c). A commenter asks for clarification on why the special requirements in §22.4(c) specify that certain persons are not consumers.
Agency Response. The rule provides that individuals in these specific circumstances, although similar in status to other consumers under the rule, are not treated as consumers if the covered entity provides required notices to group policyholders and does not disclose nonpublic personal financial information about the individuals to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19.
§22.4(c)(1). A commenter asks whether a carrier must provide initial, annual and revised notices to an employer sponsoring an employee group health plan if it does not disclose protected financial information about plan enrollees other than as permitted by the exceptions enumerated in §§22.17, 22.18 and 22.19 of the rule.
Agency Response. Section 22.4(c)(1) provides that a covered entity is not required to provide notices to enrollees covered by an employer group health care plan if two conditions are met: (1) the covered entity does not share protected information about the individuals other than as exempted by the rule; and (2) the covered entity provides notices required by the rule to the employer sponsoring the plan. Section 22.9 requires a covered entity to send an annual notice to a customer and §22.8 requires the entity to send an initial notice to a customer and to a consumer if the covered entity discloses protected information about the consumer other than pursuant to an exception enumerated in §§22.18 and 22.19. If a covered entity does not comply with the requirements set forth in §22.4(c)(1), enrollees in the employer group health plan are considered to be "consumers" of the plan issuer. Section 22.4(e) dictates that an enrollee in an employer group health plan would not be considered to be a "customer" for purposes of the rule solely by virtue of his or her status as an enrollee. For purposes of §22.4(c)(1), however, the employer must receive an annual notice. The rule requires a revised notice only if the conditions set forth in §22.12 are applicable. If a covered entity discloses information about an enrollee in an employer group health plan that does not fall under an exception enumerated in §§22.17, 22.18 and 22.19, and this disclosure represents a change from the covered entity's previous privacy policy, the rule requires a revised notice to the employer. The rule would not require revised privacy notices for the plan enrollees since the employer, not the enrollees, would have received any previous notices. The rule would require initial notices for all enrollees about whom information may, as a result of the revision, be disclosed under the new privacy policy. The revision would also mean that the special requirements would no longer apply . If a covered entity were to fail to deliver or cease delivery of required notices to the employer, §22.4(c)(1) would no longer apply and the rule would require individual privacy and opt out notices for each enrollee pursuant to the requirements for each notice as applicable.
§22.4(c)(3). A commenter asks if a beneficiary of a workers’ compensation policy is considered to be a consumer who is entitled to initial and annual notices under the rule if a covered entity wishes to share the beneficiary's protected financial information. The commenter asks if a beneficiary is a consumer if the covered entity does not share such information.
Agency Response. If a covered entity wishes to share protected information about a beneficiary or claimant other than pursuant to an exception set forth in the rule, the beneficiary or claimant is considered to be a consumer of the covered entity and the rule requires an initial privacy notice as well as an opt out notice. The rule requires annual notices only for customers. A workers’ compensation insurance beneficiary would not be considered to be a customer of a covered entity by virtue of the covered entity's sharing of protected financial information outside of an enumerated exception. The sharing of such information would not trigger the annual notice requirement. However, the rule would require an annual notice to the employer that is the workers' compensation plan participant if a covered entity wishes to invoke §22.4(c)(3). See response to comment on §22.4(c)(1).
§22.4(c)(3). A commenter recommends changing the term "beneficiary of" to "claimant under" a workers' compensation policy as being consistent with common understanding in the industry.
Agency Response. The department has determined that both "claimants under" and "beneficiaries to" a workers' compensation policy accurately describe individuals protected by the rule and has changed the rule to include both terms.
§22.4(d). A commenter recommends changing the term "requirements" to "conditions" to clarify that covered entities have the option either to treat workers' compensation claimants as "consumers" or to comply with §22.4(c)(3).
Agency Response. The department does not believe this change is necessary. A covered entity that does not comply with the special requirement for workers' compensation set forth in §22.4(c)(3) would be required to treat the claimants as consumers pursuant to §22.4(d).
§22.5. A commenter asks that the rule be clarified as to whether a bank customer purchasing credit insurance in connection with a lending transaction establishes a customer relationship with the bank that is selling the insurance as an agent or with the insurance company that issues the policy. If notice is required of a bank, additional guidance is requested.
Agency Response. The rule treats a bank acting as an agent no differently than any other agent, and a bank formulating its privacy policy with regard to required notices should comply with the provisions of the rule. The bank’s issuance of a loan to the credit insured does not necessarily create a customer relationship, under this rule, between the bank and the insured. The rule clearly details certain factors and transactions which will establish a customer relationship between an individual and a covered entity, whether the entity is an insurance carrier, an agent, or other entity. Whether a particular transaction creates a customer relationship under the rule will depend on the facts surrounding the transaction.
§§22.5(b)(6) § 22.9(b)(2). Several commenters believe these sections should track the national model rule’s use of the phrase "inactive or dormant under the licensee’s business practices" rather than the phrase "not in force."
Agency Response. The department believes that the term "not in force" is less confusing and more precise. Neither "inactive" nor "dormant" are terms of art and there does not appear to be a quantifiable distinction between the two words. In addition, the department believes that the use of this objective standard, rather than one which may vary from company to company, will promote a uniform interpretation of the rule and will simplify compliance issues.
§22.7(a)(2)(A). A commenter proposes deleting the word "nonconfidential."
Agency Response. The department disagrees. If a government record is confidential then it could not be considered to be "publicly available."
§22.8. A commenter asserts that where an insurer providing credit insurance has notified the creditor that the insurer does not share the borrower’s nonpublic personal financial information except as necessary to administer the insurance policies, the privacy notice creditors are required to send to customers suffices to comply with this rule.
Agency Response. The department’s response to this comment differs based on the type of insurance issued. Where the policy of credit insurance is a group policy subject to the requirements of §22.4(c)(2), the rule requires the insurer to send notice only to the group policyholder. For individual policies of credit insurance, however, notice to the creditor would not extinguish the carrier’s duties under the rule. While it is possible the referenced privacy notice would satisfy the requirements of the rule, the department cannot make that determination without examining the notice.
§22.8. A commenter requests that the rule provide a consistent standard concerning when the duty to provide an initial privacy notice arises.
Agency Response. A covered entity’s duty to provide an initial notice differs as to customers and consumers. For customers, §22.8 generally requires the notice not later than when the covered entity establishes a customer relationship. In an insurance context, the customer relationship will generally begin no later than when coverage attaches or when the policy is delivered. While most customer relationships will fall within this general rule, other facts and circumstances may affect the inception of customer relationships. For example, a covered entity may create a customer relationship by extending coverage prior to delivery of the policy. Accordingly, a covered entity must establish a consistent standard to determine when customer relationships commence. In the case of a consumer, an initial notice and opportunity to opt out is required prior to the release of any protected information other than as authorized under §§22.18 and 22.19.
§22.8(a). A commenter inquires whether an insurer acquiring another insurer’s book of business must then provide its own "initial notice."
Agency Response. The answer to this question depends on the acquiring entity’s privacy policy. If the privacy policy of the new entity differs from the privacy policy of the previous insurer, the new entity should provide a new statement of privacy policy. In addition, if the new entity plans to disclose nonpublic personal financial information to a new category of nonaffiliated third party, the entity must provide a revised notice pursuant to §22.12, along with the opportunity to opt out of this new disclosure. If the customer has previously elected to opt out in response to a notice delivered by the previous insurer, the new entity must continue to honor the customer’s election as to those specific categories.
§§22.8(a) § 22.9(a). A commenter asks what steps a bank, providing notices on behalf of an issuing insurance company, must take to determine that the provided notice is accurate. Another commenter inquires as to what a bank, acting as an agent, must do to determine whether its covered entity principal is providing required notices under the rule. The commenter wonders whether it may rely on representations from the entity or whether it must conduct an audit.
Agency Response. The rule treats a bank acting as an agent no differently than any other agent, and a bank formulating its own privacy policy regarding required notices should thus comply with all applicable provisions of the TIC and departmental rules. A bank delivering notices on behalf of an insurance company presumably would be doing so in the capacity of an agent for the insurance company. A bank functioning for insurance business purposes as the agent of a principal insurance company would be subject to regulation under the Texas Insurance Code to the same extent as any other agent. A bank will have to exercise independent judgment to determine the measures necessary to assure itself that its principal is complying with the applicable rules. Even if an insurance company were to delegate a responsibility under the rule to an agent, however, the insurance company would remain responsible for its own compliance with the rule.
§22.8(b). A commenter proposes inserting "to a consumer" into the subheading. Agency Response. The department does not believe this change is necessary since the full sentence following the subheading establishes that the section concerns notice to a consumer.
§22.8(b)(1). A commenter asks about applicability of the rule to a third party administrator (TPA).
Agency Response. A TPA, regardless of whether it is providing services on behalf of a self-funded plan or a commercial carrier, does not have to comply with the initial notice requirements for consumers under the rule as long as the TPA does not disclose information to a nonaffiliated third party for any reason other than an exemption permitted under §§22.18 or 22.19. A TPA would not be considered to have a "customer relationship" with a plan enrollee for whom the TPA is performing an administrative function on behalf of an insurer or an HMO and would not be subject to the annual notice requirement under §22.9.
§22.8(e). A commenter proposes supplementing the heading to clarify that this subsection contains exceptions.
Agency Response. The department declines to make this change, as the subsection contains a general rule as well as exceptions.
§22.8(f). A commenter proposes insertion of "initial" into the delivery requirement.
Agency Response. The department does not believe that this change is necessary, as the only notices required by this section are initial notices.
§§22.9 § 22.13(a). A commenter asks when a bank should deliver the various privacy notices required by the rule. The commenter specifically asks whether an initial privacy notice may accompany the delivery of the policy. The commenter indicated that the department had informed some insurers that a privacy notice could not be printed on a policy jacket. Another commenter asks whether a privacy notice can be delivered simultaneously with an insurance policy, billing notices, statements, or newsletter.
Agency Response. The rule treats a bank, whether acting as a covered entity or the agent of a covered entity, no differently than any other similarly situated entity, and a bank formulating its privacy policy regarding delivery of notices should thus comply with the applicable provisions of the rule. Generally, an entity may deliver any required notice either in a separate transmission or along with any other delivery to the consumer/customer, so long as the notice is in a format that meets all applicable requirements under the rule, including the requirement that the notice be clear and conspicuous. The department did state, in response to a similar query, that printing an opt out form on a policy jacket could discourage opting out as the consumer would be forced to copy the form or cut it off of the jacket to use it. Regarding initial privacy notices that do not include an opt out, a covered entity that elects to include this notice on a policy jacket must ensure that the notice meets all requirements under the rule, again with particular attention to the requirement that the notice be clear and conspicuous.
§22.10(a). A commenter proposes insertion of "simplified" into this description since the order was changed from the national model rule.
Agency Response. The department agrees and has made this change.
§22.10(a). A commenter questioned the meaning of the reference to "this subsection" in §22.10(a)(1).
Agency Response. The reference to this subsection means §22.10(a).
§22.10(b)(8). A commenter inquires whether the department intends to issue a separate rule with regard to necessary security procedures, and whether a covered entity must obtain agreements from parties with which it contracts to establish that the third parties have security procedures in place.
Agency Response. A proposed model rule addressing specific security procedures for covered entities is currently under consideration at the national level. The department may accordingly propose a conforming rule in the future. In the interim, covered entities should develop and follow their own security procedures to prevent the unauthorized disclosure of protected information. A covered entity remains responsible for any unauthorized disclosure of information or other rule violations that occur through its relationships with third parties. Entities should use their own judgment to guide their practices in this area and take necessary action to ensure that third parties properly secure protected information. It should be noted that SB 712 (TIC Art. 20A.02(b)) requires nonaffiliated third parties, in relation to a covered entity, to comply with the privacy requirements of GLBA.
§22.11(c)(1). A commenter proposes insertion of "and" at the end of this paragraph as a connector.
Agency Response. The word "and" is already included at the end of §22.11(c)(1) as a connector to indicate that a covered entity must comply with (c)(1) and either (c)(2), (c)(3), or (c)(4).
§22.11(l). A commenter proposes removing the term "to conduct business electronically."
Agency Response. The department disagrees. A consumer must agree to conduct business with a covered entity electronically before the entity can require the consumer to use an electronic means to perform any act relating to the rule. The requested change could be interpreted to enable a covered entity to condition a consumer's ability to exercise his or her rights under the rule by requiring the consumer to do so only electronically.
§22.13(a). A commenter asks what obligation a covered entity assuming the business of other institutions has to send notices to consumers/customers for whom it has a name but not an address.
Agency Response. Section 22.13(a) requires covered entities to provide any notices that this subchapter requires in such a way that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. Section 22.13(b) describes ways entities may satisfy this requirement. The department will have to examine situations falling outside these parameters on a case-by-case basis. Certainly since a covered entity cannot share information without providing a reasonable opportunity to opt out, a covered entity should not share a consumer/customer’s information if the entity has no address for the consumer/customer and knows it has not contacted the consumer/customer.
§22.13(b)(3). A commenter proposes placing the connector "or" at the end of this paragraph.
Agency Response. The department agrees and has made this change.
§22.15. A commenter proposes replacing "and" with "or" in subsections (a) and (c) - (f).
Agency Response. The department disagrees. Compliance with each of these provisions is mandatory.
§22.16(b). Two commenters propose that a covered entity should be permitted to provide account numbers to service providers for marketing purposes as long as the service provider is not authorized to directly initiate charges to the account.
Agency Response. The department agrees that this comment is consistent with the national model rule and has made this change. Transactions of this type would fall under §22.17, which establishes standards for contractual limitation of a third party's use of nonpublic personal financial information disclosed to it by a covered entity.
§22.17. A commenter inquires whether a covered entity may share information with a joint employee without concern for the opt out requirements of GLBA.
Agency Response. The department believes that a covered entity that shares information with a joint employee in compliance with the rule is in compliance with the privacy requirements of GLBA.
§22.17(a). A commenter inquires as to the steps a covered entity must take to assure that a joint marketer or other shared servicer does not use shared information for purposes unrelated to the contract or other permitted use.
Agency Response. Section 22.17(a)(2) requires the covered entity to enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the covered entity disclosed the information, including use under an exception in §22.18 and §22.19 in the ordinary course of business to carry out those purposes. If an entity shares information with another financial institution, the covered entity must also comply with §22.17(b) as well.
§22.17(a)(2) and §22.17(b). A commenter proposes replacing "and" with "or" in §22.17(a)(2) and (b).
Agency Response. Replacement of "and" with "or" within §22.17(a)(2) would have no effect on the rule’s meaning. Moreover, the word "and" is not used in §22.17(b).
§22.17(c). A commenter asks which exception covers a data processing company’s handling of statements and other materials for an insurance company, if the statements include marketing materials.
Agency Response. Section 22.17(c) states that "[t]he services a nonaffiliated third party performs for a covered entity under subsection (a) of this section may include marketing of (the covered entity's own products or services…." (emphasis added). The described transaction appears to involve an insurer using a third party firm both to market to its customers and to deliver statements and other customary business documents. This type of transaction is within the scope of the rule and would require appropriate compliance under this section.
§§22.18(b) § 22.18(c)(2)(C). A commenter believes these exceptions must be expanded to permit a covered entity to share with a policyholder or policyholder’s representative specific protected financial information about claims asserted by consumers under a commercial liability or workers’ compensation policy.
Agency Response. The department disagrees that this expansion is necessary. Disclosure of information to workers’ compensation and commercial liability policyholders regarding details of the claims made against them would be considered to be integral to servicing or processing the claim made by the consumer and thus already permitted under the existing exemption in §22.18. Additionally, TIC Art. 5.65A(a) mandates that carriers notify workers’ compensation policyholders of any claim filed against the policy, proposals to settle a claim, and, upon policyholder request, any administrative or judicial proceeding relating to the resolution of a claim. TIC Art. 5.65A(b) requires carriers, again upon policyholder request, to provide policyholders with a list of claims charged against the policy, payments made and reserves established on each claim, and a statement explaining the effect of claims on premium rates. The department reminds covered entities, however, that any such disclosure must be limited to information necessary to process the claim, and the recipient must use the information only for the purpose for which it was disclosed. To the extent that such information is requested to aid in replacement of coverage, see comment regarding §22.19(a)(14).
§22.18(c)(2)(B). A commenter believes the exception must be expanded to include the term "adjust."
Agency Response. The department disagrees that this expansion is necessary. Adjustment of a claim is commonly understood to be included within the administration and processing of a claim.
22.18(c)(2)(E). A commenter believes expansion of this exception is necessary to include specific actions relating to the payments of claims to claimants and beneficiaries.
Agency Response. The department disagrees that this expansion is necessary. The acts of adjusting, settling, or paying insurance claims are commonly understood to be included within the administration and processing of a claim.
§22.18(c)(2)(E). A commenter believes expansion of this exception is necessary to allow specific financial information about a workers' compensation or third party claimant to be shared at the request of a policyholder in order to underwrite insurance at the policyholder’s request.
Agency Response. The department disagrees that this expansion is necessary. TIC Art. 5.65A(b) requires carriers, upon policyholder request, to provide policyholders with a list of claims charged against the policy, payments made and reserves established on each claim, and a statement explaining the effect of claims on premium rates. The department reminds covered entities, however, that any such disclosure must be limited to information necessary to achieve the purpose for which it was disclosed, and the recipient must use the information only for that purpose as well. A covered entity can facilitate the underwriting process for policies of this nature, without need of specific exception, by disclosing only claim information that does not identify or provide a means to identify individual claimants under the policy. The department also notes that the Texas Legislature has consistently taken a similar approach regarding disclosure of claim data; see TIC Art. 26.96(f) and HB 2146, 77 th Texas Legislature.
§22.18(c)(2)(F)(ii). A commenter believes that expansion of this exception is necessary to allow the collection of debts by a covered entity in connection with processing a claim by a workers' compensation or third party claimant.
Agency Response. The department disagrees that this expansion is necessary. Disclosure of information to workers’ compensation and commercial liability policyholders for retroactive billing purposes would be a part of servicing or processing the claim made by the consumer and thus covered under the exemption in §22.18(b). Additionally, TIC Art. 5.65A mandates such disclosure to workers’ compensation policyholders at their request. The department reminds covered entities that any such disclosure must be limited to information necessary to the purpose of the exception, and the recipient must use the information only for the purpose for which it was disclosed.
§22.19(a)(14). A commenter requests that this exception be expanded to include replacement of an insurance policy under which a consumer’s claim was asserted or paid.
Agency Response. The department declines to make this change. If required to aid the replacement process, a covered entity can disclose pertinent claim information, that is also protected financial information, in the aggregate, or in such other manner that does not identify or provide the means to identify individual claimants under a policy, to protect the identity of and other protected information about individual claimants. The rule provides flexibility for situations where an entity is being asked to cover a defined group. The requested change would expand the exception to include policies where the claimants are not known prior to the date of coverage. The department also notes that the Texas Legislature has consistently taken a similar approach regarding disclosure of claim data; see TIC Art. 26.96(f) and HB 2146, 77 th Texas Legislature.
§22.21. A commenter suggests deletion of §22.21, arguing that it conflicts with Congress's exclusion of "usual, appropriate, or acceptable methods for insurance underwriting" from the scope of GLBA.
Agency Response. The department declines to make this change. The department disagrees with the commenter's assessment of the effect of this section. Section 22.21 does not prohibit "usual, appropriate, or acceptable methods" for insurance underwriting. It prohibits unfair methods of insurance underwriting. Accordingly, §22.21 does not conflict with GLBA's exception regarding appropriate insurance practices. Moreover, §22.21 is substantively identical to the antidiscrimination provision in the national model. Deleting the section would be detrimental to uniform state enforcement of GLBA.
§22.22(b). Several commenters recommend elimination of the reference to TIC Art. 21.21. Some commenters suggest that the reference to TIC Art. 21.21 in this subsection exceeds the department’s statutory authority. Another commenter suggests that the provision is unnecessary as Chapters 82 § 84, TIC, contain adequate penalties. Another commenter suggests that if the reference remains, the department should add an amendment expressly prohibiting private causes of action for rule violations. Another commenter suggests that the reference puts insurers doing business in Texas at a competitive disadvantage vis-à-vis other financial service industries. Another commenter requests that this section be amended to clarify that the department is the sole source of remedy for violations. Another commenter supported the rule’s incorporation of TIC Art. 21.21.
Agency Response. SB 712 directs the commissioner to adopt rules necessary to make Texas eligible, under GLBA, to override federal regulation. A second statutory provision directs the commissioner to attempt to keep state privacy requirements consistent with federal regulations adopted under GLBA. The legislative analysis of SB 712 references the NAIC privacy model regulation as a guide for the department’s adoption of rules. The NAIC privacy model regulation specifically directs states to include their unfair trade practices act or other applicable state law as a remedy for violation of the rule.
While the proposal incorporated the TIC’s unfair trade practices act as an enforcement mechanism, the department has deleted this subsection from the adopted rule, while retaining enforcement authority under other TIC chapters. Analysis of newly-enacted TIC Art. 28A.102 was the most critical factor in this determination. This section provides that in addition to departmental enforcement of GLBA, the attorney general, after conferring with the commissioner, may institute actions for injunctive or declaratory relief or for civil penalties in response to violations of TIC Chapter 28A. This specific enforcement authority for the attorney general, in addition to the department’s authority under TIC Chapters 82, 83, § 84, provides an alternate statutory enforcement mechanism sufficient to comply with the Legislature’s mandate to enforce GLBA in a manner consistent with federal regulations. In addition, this deviation from the specific penalty provisions of the model rule will not affect a covered entity’s ability to comply with both the substantive provisions of the department’s rule and the national model rule as adopted in other jurisdictions.
Since new TIC Art. 28A.102 specifically authorizes the attorney general to institute actions in response to violations of this chapter, the department disagrees with the comment that suggested it is the sole source of remedy for violations of the statute. The department also disagrees with the comment that suggested the inclusion of TIC Art. 21.21 in this subsection would have put insurers at a competitive disadvantage to other entities. The penalties available to federal regulators under GLBA are of comparable severity to those available under TIC Art. 21.21. See 12 USC §1818. It is also important to remember that TIC Art. 21.21 places no additional burden on covered entities in compliance with the rule, nor would it penalize inadvertent violators that are dealing in good faith with consumers. Finally, the department also disagrees with commenters that suggested that including TIC Art. 21.21 in the rule would create a private right of action. HB 668, enacted by the 74 th Texas Legislature, amended TIC Art. 21.21 to delete the provision in Sec. 16 that gave rise to a private cause of action for a violation of departmental rules.
§22.24. A commenter requests that the compliance date for notices be extended for an additional 30 days. In the alternative, the commenter requests that extensions be considered on a case-by-case basis.
Agency Response. The department declines to extend the compliance date. The department does not have the authority to waive application of any rule on a case-by-case basis.
§22.26. A commenter recommends that the word "broker" be used in place of "agent."
Agency Response. The department declines to make the suggested change as neither the TIC nor any other rules in TAC Chapter 28 use or define the term "broker."
For: Office of Public Insurance Counsel.
For with changes: American Council of Life Insurers; American Family Life Assurance Company of Columbus; American Insurance Association; Alliance of American Insurers; American General Financial Group; Amerisure Companies; Alliance for Responsible Insurance Practices; Association of Fire and Casualty Companies of Texas; Independent Bankers Association of Texas; National Association of Independent Insurers; Sneed, Vine, § Perry; Texas Association of Insurance Officials; Texas Association of Life and Health Insurers; Viaticare; Texas Windstorm Insurance Association.
Against: Folksamerica Reinsurance Company.
Neither for nor against: Fulbright § Jaworski, LLP.
The new sections are adopted under the TIC Art. 28A.51 and §36.001. TIC Art. 28A.51 provides that the Commissioner shall adopt rules to implement this chapter, as well as any other rules necessary to carry out 15 U.S.C. Subchapter I, Chapter 94 (15 U.S.C. Section 6801 et seq.), as amended. TIC Section 36.001 provides that the Commissioner of Insurance may adopt rules to execute the duties and functions of the Texas Department of Insurance only as authorized by statute.
§22.1. Purpose and Scope.
(a) Purpose. This subchapter governs the treatment of nonpublic personal financial information about individuals by all covered entities. This subchapter:
(1) requires a covered entity to provide notice to individuals about its privacy policies and practices;
(2) describes the conditions under which a covered entity may disclose nonpublic personal financial information about individuals to nonaffiliated third parties; and
(3) provides methods for individuals to prevent a covered entity from disclosing that information to nonaffiliated third parties.
(b) Scope. This subchapter applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries, primarily for personal, family or household purposes, of products or services from covered entities. This subchapter does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
§22.2. Definitions. The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.
(1) Affiliate – Any company that controls, is controlled by, or is under common control with another company.
(2) Agent – As set forth in the Insurance Code, Articles 9.36, 9.36A, and 21.02.
(3) Authorization – As set forth in the Insurance Code, Section 82.001.
(4) Clear and conspicuous – A notice which is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(5) Collect – To obtain information that the covered entity organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
(6) Commissioner – The Commissioner of Insurance.
(7) Company – A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or other similar organization.
(8) Consumer – An individual or that individual’s representative who seeks to obtain, obtains or has obtained an insurance product or service from a covered entity that is to be used primarily for personal, family or household purposes, and about whom the covered entity has nonpublic personal financial information.
(9) Consumer reporting agency – As defined in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(10) Control – Includes the terms "controls," "controlled by," and "under common control," and has the meaning assigned that term by the Insurance Code, Article 21.49-1, Section 2(d).
(11) Covered entity – An individual or entity who receives an authorization from the Texas Department of Insurance. The term includes any individual or entity described by the Insurance Code, Section 82.002.
(12) Customer – A consumer who has a customer relationship with a covered entity.
(13) Customer relationship – A continuing relationship, as described in §22.5 of this subchapter (relating to Determination of Continuing Relationship), between a consumer and a covered entity under which the covered entity provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.
(14) Financial institution – Any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
(A) any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(B) the Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or
(C) institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal financial information to a nonaffiliated third party.
(15) Financial product or service – Any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial service includes a financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(16) Health care –
(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that:
(i) relates to the physical, mental or behavioral condition of an individual; or
(ii) affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; or
(B) prescribing, dispensing or furnishing drugs or biologicals, or medical devices or health care equipment and supplies to an individual.
(17) Health care provider – A physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with state law, or a health care facility.
(18) Health information – Any information or data except age or gender, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer that relates to:
(A) the past, present or future physical, mental or behavioral health or condition of an individual;
(B) the provision of health care to an individual; or
(C) payment for the provision of health care to an individual.
(19) Insurance product or service – Any product or service that is offered by a covered entity pursuant to the Insurance Code and other insurance laws of this state. Insurance service includes a covered entity's evaluation, brokerage or distribution of information that the covered entity collects in connection with a request or an application from a consumer for an insurance product or service.
(20) Nonaffiliated third party – An entity that is not an affiliate of, or related to by common ownership or affiliated by corporate control with, the covered entity. The term does not include a joint employee of the entity.
(21) Nonpublic personal financial information – Information which:
(A) includes:
(i) personally identifiable financial information;
(ii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available; and
(iii) any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
(B) does not include:
(i) health information;
(ii) publicly available information unless it is derived from a non-public source as described in subparagraphs (A)(ii) and (A)(iii) of this paragraph;
(iii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available; and
(iv) any list of individuals' names and addresses that:
(I) contains only publicly available information,
(II) is wholly derived using personally
identifiable financial information that is publicly available, and
(III) does not disclose that any of the individuals on the list is a consumer of a financial institution.
(22) Opt out – A direction by the consumer that the covered entity not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions), and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information).
(23) Personally identifiable financial information –
(A) The term includes:
(i) any information a consumer provides to a covered entity to obtain an insurance product or service from the covered entity;
(ii) any information about a consumer resulting from a transaction involving an insurance product or service between a covered entity and a consumer;
(iii) any information the covered entity otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer;
(iv) account balance information and payment history;
(v) the fact that an individual is or has been one of the covered entity’s customers or has obtained an insurance product or service from the covered entity;
(vi) any information about the covered entity’s consumer if it is disclosed in a manner that indicates that the individual is or has been the covered entity’s consumer;
(vii) any information that a consumer provides to a covered entity or that the covered entity or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
(viii) any information the covered entity collects through an information-collecting device from an Internet web server; and
(ix) information from a consumer report.
(B) The term does not include:
(i) health information;
(ii) a list of names and addresses of customers of an entity that is not a financial institution; and
(iii) information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
(24) Publicly available information – Any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from:
(A) federal, state or local government records;
(B) widely distributed media; or
(C) disclosures to the general public that are required to be made by federal, state or local law.
§22.3 Exceptions to Applicability of Subchapter.
(a) A covered entity is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in this subchapter if the covered entity is an employee, agent or other representative of another covered entity ("a principal") and:
(1) the principal otherwise complies with, and provides the notices required by, the provisions of this subchapter; and
(2) the covered entity does not disclose any nonpublic personal financial information to any person other than the principal or its affiliates in a manner permitted by this subchapter.
(b) Subject to subsection (c) of this section, covered entity shall also include an eligible surplus lines insurer to the extent that insurer accepts business placed through a person subject to the Insurance Code, Article 1.14-2.
(c) A person transacting surplus lines business shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in this subchapter provided:
(1) the person does not disclose nonpublic personal financial information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), except as permitted by §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information); and
(2) the person delivers to the consumer at the time a customer relationship is established Form Number FNPRV DSC/SRPLN provided at Figure 8 of §22.26(b) of this title (relating to Forms), in at least 16 point type.
§22.4. Determination of Consumer Status.
(a) The term consumer includes, but is not limited to:
(1) an individual who provides nonpublic personal financial information to a covered entity in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service regardless of whether the covered entity establishes an ongoing relationship.
(2) an applicant for insurance prior to the inception of insurance coverage.
(3) an individual, if the covered entity discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), and:
(A) the individual is a beneficiary of a life insurance policy underwritten by the covered entity;
(B) the individual is a claimant under an insurance policy issued by the covered entity;
(C) the individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the covered entity; or
(D) the individual is a mortgagor of a mortgage covered under a mortgage insurance policy.
(b) Examples of when individuals will not be considered consumers of a covered entity:
(1) an individual who is a consumer of another financial institution is not a covered entity’s consumer solely because the covered entity is acting as agent for, or provides processing or other services to, that financial institution.
(2) an individual is not a covered entity’s consumer solely because he or she is a beneficiary of a trust for which the covered entity is a trustee.
(3) an individual is not a covered entity’s consumer solely because he or she has designated the covered entity as trustee for a trust.
(c) Special requirements for employee benefit plans, group or blanket insurance policies, group annuity contracts, or workers’ compensation policies.
(1) An individual who is a participant or a beneficiary of an employee benefit plan that a covered entity administers or sponsors or for which the covered entity acts as a trustee, insurer or fiduciary is not the consumer of a covered entity that:
(A) provides all initial, annual and revised notices required by this subchapter to the employer or other entity establishing the plan; and
(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.
(2) An individual who is covered under a group or blanket insurance policy or group annuity contract issued by a covered entity is not the consumer of a covered entity that:
(A) provides all initial, annual and revised notices required by this subchapter to the policyholder or contractholder; and
(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.
(3) An individual that is a claimant under or beneficiary of a workers’ compensation policy issued by a covered entity is not the consumer of a covered entity that:
(A) provides all initial, annual and revised notices required by this subchapter to the plan participant; and
(B) does not disclose nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under §§22.17, 22.18, and 22.19 of this title.
(d) An individual described in subsection (c) of this section is the consumer of a covered entity that does not comply with the applicable notice and nondisclosure requirements of that subsection.
(e) In no event shall an individual, solely by virtue of his status described in subsection (c) of this section, be deemed to be the customer of a covered entity for purposes of this subchapter.
§22.5. Examples of Continuing Relationship.
(a) The following examples illustrate situations where a consumer has a continuing relationship with a covered entity:
(1) the consumer is a current policyholder of an insurance product issued by or through the covered entity; or
(2) the consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the covered entity for a fee.
(b) The following examples illustrate situations where a consumer does not have a continuing relationship with a covered entity:
(1) the consumer applies for insurance but does not purchase the insurance;
(2) the covered entity sells the consumer insurance in an isolated transaction involving single-event types of coverage including, but not limited to, auto rental liability, travel, and short-term non-resident auto liability insurance;
(3) the individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity;
(4) the consumer is a beneficiary or claimant under a policy even though the consumer has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the covered entity;
(5) the consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
(6) the customer’s policy is lapsed, expired, or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;
(7) the individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or
(8) the individual’s last known address according to the covered entity’s records is deemed invalid, which occurs when:
(A) mail sent to that address by the covered entity has been returned by the postal authorities as undeliverable, and
(B) subsequent attempts by the covered entity to obtain a current valid address for the individual have been unsuccessful.
§22.6. Notice Requirements. Any notice required by this subchapter must comply with the following standards.
(1) Designed to call attention. A covered entity designs its notice to call attention to the nature and significance of the information in it, if:
(A) with regard to all notices, the covered entity:
(i) uses a plain-language heading to call attention to the notice;
(ii) uses a typeface and type size that are easy to read;
(iii) provides wide margins and ample line spacing;
(iv) uses boldface or italics for key words; and
(v) uses distinctive type size, style, and graphic devices, such as shading or sidebars, when the covered entity combines its notice in a form with other information, in order to emphasize the privacy component of the form.
(B) on a notice on a Web page, the covered entity uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and to ensure that other elements on the Web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the covered entity either:
(i) places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(ii) places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
(2) Reasonably understandable. A covered entity makes its notice reasonably understandable if it:
(A) presents the information in the notice in clear, concise sentences, paragraphs, and sections;
(B) uses short explanatory sentences or bullet lists
whenever possible;
(C) uses definite, concrete, everyday words and active voice whenever possible;
(D) avoids multiple negatives;
(E) avoids legal and highly technical business terminology whenever possible; and
(F) avoids explanations that are imprecise and readily subject to different interpretations.
§22.7. Determination of Reasonable Basis.
(a) For purposes of determining if information is publicly available as defined in this subchapter:
(1) a covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine:
(A) that the information is of the type that is available to the general public; and
(B) whether an individual can direct that the information not be made available to the general public, and
(C) if an option as described in subparagraph (1)(B) of this section is available, that the covered entity’s consumer has not made such a direction.
(2) The following examples illustrate whether a reasonable basis exists to believe that information is publicly available.
(A) A covered entity has a reasonable basis to believe that information is publicly available if the information comes from nonconfidential government records, such as information in real estate records and security interest filings.
(B) A covered entity has a reasonable basis to believe that information is publicly available if the information comes from widely distributed media, such as information from a telephone book, a television or radio program, a newspaper or a Web site that is available to the general public on an unrestricted basis. A Web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
(C) A covered entity has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the covered entity has determined that the information is of the type included in the public record in the jurisdiction where the mortgage would be recorded.
(D) A covered entity has a reasonable basis to believe that an individual’s telephone number is lawfully made available to the general public if the covered entity has located the telephone number in the telephone book or the consumer has informed the covered entity that the telephone number is not unlisted.
§22.8. Initial Privacy Notice.
(a) Initial notice requirement. A covered entity shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:
(1) an individual who becomes the covered entity’s customer, not later than when the covered entity establishes a customer relationship, except as provided in subsection (e) of this section; and
(2) a consumer, before the covered entity discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the covered entity makes a disclosure other than as authorized by §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information).
(b) Initial notice not required. A covered entity is not required to provide an initial notice to a consumer under subsection (a)(2) of this section if:
(1) the covered entity does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by §22.18 and §22.19 of this title, and the covered entity does not have a customer relationship with the consumer; or
(2) a notice has been provided by an affiliated covered entity, so [as] long as the notice clearly identifies all covered entities to whom the notice applies and is accurate with respect to the covered entity and the other institutions.
(c) Establishment of a customer relationship.
(1) Generally, a covered entity establishes a customer relationship at the time the covered entity and the consumer enter into a continuing relationship.
(2) Some examples of a covered entity establishing a customer relationship occur when the consumer:
(A) becomes a policyholder of a covered entity that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a covered entity that is an insurance agent, obtains insurance through that covered entity; or
(B) agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the covered entity.
(d) Existing customers. When an existing customer obtains a new insurance product or service from a covered entity that is to be used primarily for personal, family or household purposes, if the initial, revised or annual notice that the covered entity most recently provided to that customer was inaccurate with respect to the new insurance product or service, the covered entity shall, in accordance with the initial notice requirements of subsection (a) of this section, provide a revised privacy notice, under §22.12 of this title (relating to Revised Privacy Notices), that covers the customer’s new insurance product or service. If the initial, revised or annual notice that the covered entity most recently provided to that customer was accurate with respect to the new insurance product or service, the covered entity does not need to provide a new privacy notice under subsection (a) of this section.
(e) Subsequent delivery of notice.
(1) General rule. A covered entity may provide the initial notice required by subsection (a)(1) of this section within a reasonable time after the covered entity establishes a customer relationship if:
(A) establishing the customer relationship is not at the customer’s election; or
(B) providing notice not later than when the covered entity establishes a customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.
(2) Not at customer’s election. Establishing a customer relationship is not at the customer’s election if a covered entity acquires or is assigned a customer’s policy from another financial institution or residual market mechanism and the customer does not have a choice about the covered entity’s acquisition or assignment.
(3) Substantial delay of customer’s transaction. Providing notice not later than when a covered entity establishes a customer relationship would substantially delay the customer’s transaction when the covered entity and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
(4) No substantial delay of customer’s transaction. Providing notice not later than when a covered entity establishes a customer relationship would not substantially delay the customer’s transaction when the relationship is initiated in person at the covered entity’s office or through other means by which the customer may view the notice, such as on a Web site.
(f) Delivery. A covered entity shall deliver any notices required by this section according to §22.13 of this title (relating to Delivery). If the covered entity uses a short-form initial notice for non-customers according to §22.10(d) of this title (relating to Information to be Included in Privacy Notices), the covered entity may deliver its privacy notice according to §22.10(d)(3) of this title.
§22.9. Annual Privacy Notice.
(a) A covered entity shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. "Annually" means at least once in any period of 12 consecutive months during which that relationship exists. A covered entity may define the 12-consecutive-month period, but the covered entity shall apply it to the customer on a consistent basis. A covered entity provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the covered entity provided the initial notice. For example, if a customer opens an account on any day of year 1, the covered entity shall provide an annual notice to that customer by December 31 of year 2.
(b) A covered entity is not required to provide an annual notice to a former customer. A former customer is an individual with whom a covered entity no longer has a continuing relationship.
(1) A covered entity no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity.
(2) A covered entity no longer has a continuing relationship with an individual if the individual’s policy is lapsed, expired or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials.
(3) For the purposes of this subchapter, a covered entity no longer has a continuing relationship with an individual if:
(A) the covered entity sends mail to the individual’s last known address, according to the covered entity’s records, and the postal authorities return that mail as undeliverable, and
(B) subsequent attempts by the covered entity to obtain a current valid address for the individual are unsuccessful.
(4) A covered entity no longer has a continuing relationship with a customer, in the case of providing real estate settlement services, at the later of the following events:
(A) the customer completes execution of all documents related to the real estate closing;
(B) payment for those services has been received; or
(C) the covered entity has completed all of its responsibilities with respect to the settlement, including filing documents in the public record.
(c) A covered entity shall deliver any annual privacy notices required by this section according to §22.13 of this title (relating to Delivery).
§22.10. Information to be Included in Privacy Notices.
(a) Simplified nondisclosure notice requirements. A covered entity that does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to nonaffiliated third parties except as authorized under §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), may comply with this subchapter by providing a simplified notice which expresses:
(1) the nondisclosure policy stated in this subsection, and
(2) the information required by subsections (b)(1), (b)(8), (b)(9), and (c) of this section.
(b) Disclosure notice requirements. The initial, annual and revised privacy notices that a covered entity provides under §22.8 of this title (relating to Initial Privacy Notice), §22.9 of this title (relating to Annual Privacy Notice) and §22.12 of this title (relating to Revised Privacy Notices) shall include the following items of information, in addition to any other information the covered entity wishes to provide, that applies to the covered entity and to the consumers to whom the covered entity sends its privacy notice.
(1) The categories of nonpublic personal financial information that the covered entity collects. A covered entity satisfies the requirement to categorize the nonpublic personal financial information it collects when the covered entity categorizes it according to the source of the information, as applicable, including:
(A) information from the consumer;
(B) information about the consumer’s transactions with the covered entity or its affiliates;
(C) information about the consumer’s transactions with
nonaffiliated third parties; and
(D) information from a consumer reporting agency.
(2) The categories of nonpublic personal financial information that the covered entity discloses.
(A) A covered entity satisfies the requirement to categorize nonpublic personal financial information it discloses when the covered entity categorizes the information according to source, as described in paragraph (1) of this subsection, as applicable, and provides examples to illustrate the types of information in each category, such as:
(i) information from the consumer, including
application information (such as assets and income) and identifying information (such as name, address and social security number);
(ii) transaction information (such as information about balances, payment history and parties to the transaction); and
(iii) information from consumer reports (such as a consumer’s creditworthiness and credit history).
(B) A covered entity does not adequately categorize the information that it discloses when the covered entity uses only general terms (such as transaction information about the consumer).
(C) A covered entity that reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects may state that fact without describing the categories or examples of nonpublic personal financial information that the covered entity discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information, other than those parties to whom the covered entity discloses information under §§22.18 and 22.19 of this title.
(4) The categories of nonpublic personal financial information about the covered entity’s former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information about the covered entity’s former customers, other than those parties to whom the covered entity discloses information under §§22.18 and 22.19 of this title.
(5) A separate description of the categories of information the covered entity discloses and the categories of third parties with whom the covered entity has contracted, if the covered entity discloses nonpublic personal financial information to a nonaffiliated third party under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) and no other exception in §§22.18 and 22.19 of this title applies to that disclosure.
(6) An explanation of the consumer’s right under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the covered entity makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).
(8) The covered entity’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information. A covered entity provides an adequate description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(A) describes in general terms who is authorized to have access to the information; and
(B) states whether the covered entity has security practices and procedures in place to ensure the confidentiality of the information in accordance with the covered entity’s policy. The covered entity is not required to describe technical information about the safeguards it uses.
(9) Any disclosure that the covered entity makes under subsection (c) of this section.
(c) Description of parties subject to exceptions. A covered entity that discloses nonpublic personal financial information as authorized under §§22.18 and 22.19 of this title is not required to list those exceptions in the initial or annual privacy notices required by §§22.8 and 22.9 of this title. When describing the categories of parties to whom disclosure is made, the covered entity shall state that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(d) Appropriate methods of categorizing affiliates and nonaffiliated third parties.
(1) A covered entity satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the covered entity discloses nonpublic personal financial information about consumers if the covered entity identifies the types of businesses in which they engage.
(2) Types of businesses may be described by general terms only if the covered entity uses illustrative examples of significant lines of business. For example, a covered entity may use the term "financial products or services" if the notice includes appropriate examples of significant lines of such businesses or services, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(3) A covered entity also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(e) Disclosures under exception for service providers and joint marketers. A covered entity that discloses nonpublic personal financial information under the exception in §22.17 of this title to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution satisfies the disclosure requirement of subsection (b)(5) of this section if it:
(1) lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the covered entity used to meet the requirements of subsection (a)(2) of this section, as applicable; and
(2) states whether the third party is:
(A) a service provider that performs marketing services on the covered entity’s behalf or on behalf of the covered entity and another financial institution; or
(B) a financial institution with whom the covered entity has a joint marketing agreement.
(f) Short-form initial notice with opt out notice for non-customers.
(1) A covered entity may satisfy the initial notice requirements in §22.8(a)(2) and §22.11(c) of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the covered entity delivers an opt out notice as required in §22.11 of this title.
(2) A short-form initial notice shall:
(A) be clear and conspicuous;
(B) state that the covered entity’s privacy notice is available upon request; and
(C) explain a reasonable means by which the consumer may obtain that notice.
(3) The covered entity shall deliver its short-form initial notice according to §22.13 of this title (relating to Delivery). The covered entity is not required to deliver its privacy notice with its short-form initial notice. The covered entity instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the covered entity’s short-form notice requests the covered entity’s privacy notice, the covered entity shall deliver its privacy notice according to §22.13 of this title.
(4) The covered entity provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the covered entity:
(A) provides a toll-free telephone number that the consumer may call to request the notice; or
(B) for a consumer who conducts business in person at the covered entity’s office, maintains copies of the notice on hand that the covered entity provides to the consumer immediately upon request.
(g) Reservation of right to disclose. The covered entity’s notice may include:
(1) categories of nonpublic personal financial information that the covered entity reserves the right to disclose in the future, but does not currently disclose; and
(2) categories of affiliates or nonaffiliated third parties to whom the covered entity reserves the right in the future to disclose, but to whom the covered entity does not currently disclose, nonpublic personal financial information.
(h) Forms. A covered entity may use the forms provided in §22.26 of this title (relating to Forms), as applicable, to meet the requirements of this section as follows:
(1) Form Number FNPRV INFO/COL provided at Figure 1 of §22.26(b)(1) of this title is intended to meet the requirement of subsection (b)(1) of this section to describe the categories of nonpublic personal financial information the covered entity collects.
(2) Form Number FNPRV INFO/DSC provided at Figure 2 of §22.26(b)(1) of this title is intended to meet the requirement of subsection (b)(2) of this section to describe the categories of nonpublic personal financial information the covered entity discloses. The covered entity may use these clauses if it discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(3) Form Number FNPRV INFO/NODSC provided at Figure 3 of §22.26(b)(3) of this subchapter is intended to meet the requirements of subsections (b)(2), (3), and (4) of this section to describe the categories of nonpublic personal financial information about customers and former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses this information. A covered entity may use this clause if the covered entity does not disclose nonpublic personal financial information to any party, other than as permitted by the exceptions in §§22.18 and 22.19 of this title.
(4) Form Number FNPRV INFO/TPDSC provided at Figure 4 of §22.26(b)(4) of this title is intended to meet the requirements of subsection (b)(3) of this section to describe the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information. A covered entity may use this clause if the covered entity discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(5) Form Number FNPRV INFO/SPJMDSC provided at Figure 5 of §22.26(b)(5) of this title is intended to meet the requirements of subsection (b)(5) of this section related to the exception for service providers and joint marketers in §22.17 of this title. If a covered entity discloses nonpublic personal financial information under this exception, the covered entity shall describe the categories of nonpublic personal financial information the covered entity discloses and the categories of third parties with which the covered entity has contracted.
(6) Form Number FNPRV INFO/OPT provided at Figure 6 of §22.26(b)(6) of this title is intended to meet the requirements of subsection (b)(6) of this section to provide an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. A covered entity may use this clause if the covered entity discloses nonpublic personal financial information other than as permitted by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(7) Form Number FNPRV INFO/SEC provided at Figure 7 of §22.26(b)(7) of this subchapter is intended to meet the requirements of subsection (b)(8) of this section to describe the covered entity’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.
§22.11. Form of Opt Out Notice to Consumers and Opt Out Methods.
(a) If a covered entity is required to provide an opt out notice under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out. The notice shall state:
(1) that the covered entity discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
(2) that the consumer has the right to opt out of that disclosure; and
(3) a reasonable means by which the consumer may opt out.
(b) Adequate opt out notice. A covered entity provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal financial information to a nonaffiliated third party if the covered entity:
(1) identifies all of the categories of nonpublic personal financial information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the covered entity discloses the information, as described in §22.10(a)(2) and (3) of this title (relating to Information to be Included in Privacy Notices), and states that the consumer can opt out of the disclosure of that information; and
(2) identifies the insurance products or services that the consumer obtains from the covered entity, either singly or jointly, to which the opt out direction would apply.
(c) Reasonable opt out means. A covered entity provides a reasonable means to exercise an opt out right if it:
(1) designates check-off boxes in a prominent position on the relevant forms with the opt out notice; and
(2) includes the reply form together with the opt out notice; or
(3) provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the covered entity’s Web site, if the consumer agrees to the electronic delivery of information; or
(4) provides a toll-free telephone number that consumers may call to opt out.
(d) A covered entity does not provide a reasonable means of opting out if:
(1) the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
(2) the only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the covered entity provided with the initial notice but did not include with the subsequent notice. (e) A covered entity may require each consumer to opt out through a specific means, so long as that means is reasonable for that consumer.
(f) A covered entity may provide the opt out notice together with, or on the same written or electronic form as, the initial notice the covered entity provides in accordance with §22.8 of this title (relating to Initial Privacy Notice).
(g) If a covered entity provides the opt out notice later than required for the initial notice in accordance with §22.8 of this title, the covered entity shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(h) A covered entity shall utilize the procedures set forth in paragraphs (1) - (4) of this subsection when joint relationships between consumers are involved.
(1) If two or more consumers jointly obtain or seek to obtain an insurance product or service from a covered entity, the covered entity may provide a single opt out notice. The covered entity’s opt out notice shall explain how the covered entity will treat an opt out direction by a joint consumer (as explained in subsection (i) of this section).
(2) Any of the joint consumers may exercise the right to opt out. The covered entity may either:
(A) treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(B) permit each joint consumer to opt out separately.
(3) If a covered entity permits each joint consumer to opt out separately, the covered entity shall permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A covered entity may not require all joint consumers to opt out before it implements any opt out direction.
(i) The following are examples of how a covered entity should treat a joint relationship. If John and Mary are both named policyholders on a homeowner’s insurance policy issued by a covered entity and the covered entity sends policy statements to John’s address, the covered entity may do any of the following, but it shall explain in its opt out notice which opt out policy the covered entity will follow:
(1) send a single opt out notice to John’s address, but the covered entity shall accept an opt out direction from either John or Mary.
(2) treat an opt out direction by either John or Mary as applying to the entire policy. If the covered entity does so and John opts out, the covered entity may not require Mary to opt out as well before implementing John’s opt out direction.
(3) permit John and Mary to make different opt out directions. If the covered entity does so:
(A) it shall permit John and Mary to opt out for each other;
(B) if both opt out, the covered entity shall permit both of them to notify it in a single response (such as on a form or through a telephone call); and
(C) if John opts out and Mary does not, the covered entity may only disclose nonpublic personal financial information about Mary, but not about John and not about John and Mary jointly.
(j) A covered entity shall comply with a consumer’s opt out direction as soon as reasonably practicable after the covered entity receives it.
(k) A consumer may exercise the right to opt out at any time.
(l) A consumer’s direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer has agreed to conduct business electronically, electronically.
(m) When a customer relationship terminates, the customer’s opt out direction continues to apply to the nonpublic personal financial information that the covered entity collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the covered entity, the opt out direction that applied to the former relationship does not apply to the new relationship.
(n) When a covered entity is required to deliver an opt out notice by this section, the covered entity shall deliver it according to §22.13 of this title (relating to Delivery).
§22.12. Revised Privacy Notices.
(a) Except as otherwise authorized in this subchapter, a covered entity shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the covered entity provided to that consumer under §22.8 of this title (relating to Initial Privacy Notice), unless:
(1) the covered entity has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) the covered entity has provided to the consumer a new opt out notice;
(3) the covered entity has given the consumer a reasonable opportunity, before the covered entity discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Except as otherwise permitted by §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), a covered entity shall provide a revised notice before it:
(1) discloses a new category of nonpublic personal financial information to any nonaffiliated third party;
(2) discloses nonpublic personal financial information to a new category of nonaffiliated third party; or
(3) discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(c) A revised notice is not required if the covered entity discloses nonpublic personal financial information to a new nonaffiliated third party that the covered entity adequately described in its prior notice.
(d) When a covered entity is required to deliver a revised privacy notice by this section, the covered entity shall deliver it according to §22.13 of this title (relating to Delivery).
§22.13. Delivery.
(a) How to provide notices. A covered entity shall provide any notices that this subchapter requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Examples of reasonable expectation of actual notice. A covered entity satisfies the reasonable expectation that a consumer will receive actual notice if the covered entity:
(1) hand-delivers a printed copy of the notice to the consumer;
(2) mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication;
(3) for a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service; or
(4) for an isolated transaction with a consumer, such as the covered entity providing an insurance quote or selling the consumer single-event types of coverage including, but not limited to, auto rental liability, travel, and short-term non-resident auto liability insurance, presents the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
(c) Examples of unreasonable expectation of actual notice. A covered entity has not met the reasonable expectation that a consumer will receive actual notice of its privacy policies and practices if it:
(1) only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or
(2) sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the covered entity electronically.
(d) Annual notices only. A covered entity satisfies the reasonable expectation that a customer will receive actual notice of the covered entity’s annual privacy notice if:
(1) the customer uses the covered entity’s Web site to access insurance products and services electronically and agrees to receive notices at the Web site and the covered entity posts its current privacy notice continuously in a clear and conspicuous manner on the Web site; or
(2) the customer has requested that the covered entity refrain from sending any information regarding the customer relationship, and the covered entity’s current privacy notice remains available to the customer upon request.
(e) Oral description of notice insufficient. A covered entity may not provide any notice required by this subchapter solely by orally explaining the notice, either in person or over the telephone.
(f) Retention or accessibility of notices for customers.
(1) For customers only, a covered entity shall provide the initial notice required by §22.8(a)(1) of this title (relating to Initial Privacy Notice), the annual notice required by §22.9(a) of this title (relating to Annual Privacy Notice), and the revised notice required by §22.12 of this title (relating to Revised Privacy Notices) so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2) A covered entity provides a privacy notice to the customer so that the customer can retain it or obtain it later if the covered entity:
(A) hand-delivers a printed copy of the notice to the customer;
(B) mails a printed copy of the notice to the last known address of the customer; or
(C) makes its current privacy notice available on a Web site (or a link to another Web site) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the Web site.
(g) Joint notice with other financial institutions. A covered entity may provide a joint notice from the covered entity and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the covered entity and the other institutions. A covered entity also may provide a notice on behalf of another financial institution.
(h) Joint relationships. If two or more consumers jointly obtain an insurance product or service from a covered entity, the covered entity may satisfy the initial, annual and revised notice requirements of §§22.8(a), 22.9(a), and 22.12(a) of this title, respectively, by providing one notice to those consumers jointly.
§22.14. Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
(a) Conditions for disclosure. Except as otherwise authorized in this subchapter, a covered entity may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(1) the covered entity has provided to the consumer an initial notice as required under §22.8 of this title (relating to Initial Privacy Notice);
(2) the covered entity has provided to the consumer an opt out notice as required in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods);
(3) the covered entity has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Examples of reasonable opportunity to opt out. A covered entity provides a consumer with a reasonable opportunity to opt out if:
(1) the covered entity mails the notices required in subsection (a) of this section to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within 30 days from the date the covered entity mailed the notices.
(2) a customer opens an on-line account with a covered entity and agrees to receive the notices required in subsection (a) of this section electronically, and the covered entity allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
(3) for an isolated transaction such as providing the consumer with an insurance quote, a covered entity provides the consumer with a reasonable opportunity to opt out if the covered entity provides the notices required in subsection (a) of this section at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
(d) Application of opt out to all consumers and all nonpublic personal financial information.
(1) A covered entity shall comply with this section, regardless of whether the covered entity and the consumer have established a customer relationship.
(2) Unless a covered entity complies with this section, the covered entity may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the covered entity has collected, regardless of whether the covered entity collected it before or after receiving the direction to opt out from the consumer.
(e) Partial opt out. A covered entity may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
§22.15. Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information.
(a) If a covered entity receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), the covered entity’s disclosure and use of that information is limited as follows:
(1) the covered entity may disclose the information to the affiliates of the financial institution from which the covered entity received the information;
(2) the covered entity may disclose the information to its affiliates, but the covered entity’s affiliates may, in turn, disclose and use the information only to the extent that the covered entity may disclose and use the information; and
(3) the covered entity may disclose and use the information pursuant to an exception in §22.18 and §22.19 of this title in the ordinary course of business to carry out the activity covered by the exception under which the covered entity received the information.
(b) If a covered entity receives information from a nonaffiliated financial institution for claims settlement purposes, the covered entity may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The covered entity may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
(c) If a covered entity receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in §22.18 and §22.19 of this title, the covered entity may disclose the information only:
(1) to the affiliates of the financial institution from which the covered entity received the information;
(2) to its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the covered entity may disclose the information; and
(3) to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the covered entity received the information.
(d) If a covered entity obtains a customer list from a nonaffiliated financial institution outside of the exceptions in §22.18 and §22.19 of this title:
(1) the covered entity may use that list for its own purposes; and
(2) the covered entity may disclose that list to another nonaffiliated third party only if the financial institution from which the covered entity purchased the list could have lawfully disclosed the list to that third party. That is, the covered entity may disclose the list in accordance with the privacy policy of the financial institution from which the covered entity received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the covered entity intends to disclose, and the covered entity may disclose the list in accordance with an exception in §22.18 and §22.19 of this title, such as to the covered entity’s attorneys or accountants.
(e) If a covered entity discloses nonpublic personal financial information to a nonaffiliated third party under an exception in §22.18 and §22.19 of this title, the third party may disclose and use that information only as follows:
(1) the third party may disclose the information to the covered entity’s affiliates;
(2) the third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) the third party may disclose and use the information pursuant to an exception in §22.18 or §22.19 of this title in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(f) If a covered entity discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in §22.18 and §22.19 of this title, the third party may disclose the information only:
(1) to the covered entity’s affiliates;
(2) to the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) to any other person, if the disclosure would be lawful if the covered entity made it directly to that person.
§22.16. Limits on Sharing Account Number Information for Marketing Purposes.
(a) A covered entity shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
(b) Subsection (a) of this section does not apply if a covered entity discloses a policy number or similar form of access number or access code:
(1) to a service provider, including another covered entity , solely for the purpose of marketing the sharing covered entity’s own products or services, so long as the receiving covered entity is not authorized to initiate charges directly to the account; or
(2) to a participant in an affinity or similar program as set forth in 12 CFR §40.12(b)(2), 12 CFR §216.12(b)(2), 12 CFR §332.12(b)(2), 12 CFR §573.12(b)(2), and 12 CFR §716.12(b)(2), where the participants in the program are identified to the customer when the customer enters into the program.
(c) A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, so long as the covered entity does not provide the recipient with a means to decode the number or code.
(d) For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
§22.17. Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing.
(a) The opt out requirements in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) and §22.14 of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) do not apply when a covered entity provides nonpublic personal financial information to a nonaffiliated third party to perform services for the covered entity or functions on the covered entity’s behalf, if the covered entity:
(1) provides the initial notice in accordance with §22.8 of this title (relating to Initial Privacy Notice); and
(2) enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the covered entity disclosed the information, including use under an exception in §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information) in the ordinary course of business to carry out those purposes.
(b) If a covered entity discloses nonpublic personal financial information under this section to a financial institution with which the covered entity performs joint marketing, the covered entity's contractual agreement with that institution meets the requirements of subsection (a)(2) of this section if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception set forth in §22.18 and §22.19 of this title in the ordinary course of business to carry out that joint marketing.
(c) The services a nonaffiliated third party performs for a covered entity under subsection (a) of this section may include marketing of the covered entity’s own products or services or marketing of financial products or services offered pursuant to joint agreements between the covered entity and one or more financial institutions.
(d) For purposes of this section, "joint agreement" means a written contract pursuant to which a covered entity and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.
§22.18. Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions.
(a) If the covered entity discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with a transaction listed in subsection (b) of this section, the following do not apply:
(1) provision of the initial notice in §22.8(a)(2) of this title (relating to Initial Privacy Notice),
(2) the opt out requirements in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) and the limitations on disclosure in §22.14 of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), and
(3) the requirements pertaining to service providers and joint marketing in §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing).
(b) Applicable transactions include:
(1) servicing or processing an insurance product or service that a consumer requests or authorizes;
(2) maintaining or servicing the consumer’s account with a covered entity, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;
(3) a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer; or
(4) reinsurance or stop loss or excess loss insurance.
(c) A disclosure is necessary to effect, administer or enforce a transaction if it is:
(1) required, or is one of the lawful or appropriate methods, to enforce the covered entity’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) required, or is a usual, appropriate or acceptable method:
(A) to carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the insurance product or service;
(B) to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(C) to provide a confirmation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer’s agent or broker;
(D) to accrue or recognize incentives or bonuses associated with the transaction that are provided by a covered entity or any other party;
(E) to underwrite insurance at the consumer’s request or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects or as otherwise required or specifically permitted by federal or state law; or
(F) in connection with:
(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;
(ii) the transfer of receivables, accounts or interests therein; or
(iii) the audit of debit, credit or other payment information.
§22.19. Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information.
(a) The requirements for initial notice to consumers in §22.8(a)(2) of this title (relating to Initial Privacy Notice), the opt out in §22.11 of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) and §22.14 of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), and service providers and joint marketing in §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) do not apply when a covered entity discloses nonpublic personal financial information:
(1) with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
(2) to protect the confidentiality or security of a covered entity’s records pertaining to the consumer, service, product or transaction;
(3) to protect against or prevent actual or potential fraud or unauthorized transactions;
(4) for required institutional risk control or for resolving consumer disputes or inquiries;
(5) to persons holding a legal or beneficial interest relating to the consumer;
(6) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(7) to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a covered entity, persons that are assessing the covered entity’s compliance with industry standards, and the covered entity’s attorneys, accountants and auditors;
(8) to the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety;
(9) to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or from a consumer report reported by a consumer reporting agency;
(10) in connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
(11) to comply with federal, state or local laws, rules and other applicable legal requirements;
(12) to comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities;
(13) to respond to judicial process or government regulatory authorities having jurisdiction over a covered entity for examination, compliance or other purposes as authorized by law; or
(14) for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation policy.
(b) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under §22.11(f) of this title.
§22.20. Protection of Fair Credit Reporting Act. Nothing in this subchapter shall be construed to modify, limit or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this subchapter regarding whether information is transaction or experience information under Section 603 of that Act.
§22.21. Nondiscrimination. A covered entity shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this subchapter.
§22.22. Violation.
A violation of any section of this subchapter shall subject the covered entity to the disciplinary and enforcement sanctions and penalties provided in the Insurance Code, Chapters 28A, 82, 83, and 84.
§22.23. Severability. If any section or portion of a section of this subchapter or its applicability to any person or circumstance is held invalid by a court, the remainder of the subchapter or the applicability of the provision to other persons or circumstances shall not be affected.
§22.24. Effective Date.
(a) This subchapter is effective July 12, 2001.
(b) By September 10, 2001, a covered entity shall provide an initial notice, as required by §22.8 of this title (relating to Initial Privacy Notice), to consumers who are the covered entity’s customers on September 10, 2001. For example, a covered entity provides an initial notice to consumers who are its customers on September 10, 2001, if, by that date, the covered entity has established a system for providing an initial notice to all new customers and has mailed the initial notice to all the covered entity’s existing customers.
(c) Until September 10, 2002, a contract that a covered entity has entered into with a nonaffiliated third party to perform services for the covered entity or functions on the covered entity’s behalf satisfies the provisions of §22.17(a)(1)(B) of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal financial information, so long as the covered entity entered into the agreement on or before September 10, 2000.
§22.25. Preservation of existing privacy law. Nothing in this subchapter shall preempt or supersede existing state law related to nonpublic personal financial information.
§22.26. Forms.
(a) The forms identified in this subchapter for covered entities referenced in this chapter are included in subsection (b) of this section in their entirety. The forms can be obtained from the Texas Department of Insurance, P.O. Box 149104, Austin, Texas 78714-9104. Covered entities, including a group of financial holding company affiliates that use a common privacy notice, may use the following forms, if the clause is accurate for each institution that uses the notice. Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(b) The forms referenced in this subchapter are as follows:
(1) Figure Number 1: Form Number FNPRV INFO/COL:
We collect nonpublic personal financial information about you from the following sources:
• Information we receive from you on applications or other forms;
• Information about your transactions with us, our affiliates or others; and
• Information we receive from a consumer reporting agency.
(2) Figure Number 2: Form Number FNPRV INFO/DSC:
(A) Alternative 1
We may disclose the following kinds of nonpublic personal financial information about you:
• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, income, and beneficiaries"];
• Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your policy coverage, premiums, and payment history"]; and
• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
(B) Alternative 2
We may disclose all of the information that we collect, as described [describe location in the notice, such as "above" or "below"].
(3) Figure Number 3: Form Number: FNPRV INFO/NODSC
We do not disclose any nonpublic personal financial information about our customers or former customers to anyone, except as permitted by law.
(4) Figure Number 4: Form Number FNPRV INFO/TPDSC:
We may disclose nonpublic personal financial information about you to the following types of third parties:
• Financial service providers, such as [provide illustrative examples, such as "life insurers, automobile insurers, mortgage bankers, securities broker-dealers, and insurance agents"];
• Non-financial companies, such as [provide illustrative examples, such as "retailers, direct marketers, airlines, and publishers"]; and
• Others, such as [provide illustrative examples, such as "non-profit organizations"].
We may also disclose nonpublic personal financial information about you to nonaffiliated third parties as permitted by law.
(5) Figure Number 5: Form Number FNPRV INFO/SPJMDSC:
(A) Alternative 1:
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, income, and beneficiaries"];
• Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your policy coverage, premium, and payment history"]; and
• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
(B) Alternative 2:
We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
(6) Figure Number 6: Form Number FNPRV INFO/OPT:
If you prefer that we not disclose nonpublic personal financial information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as "call the following toll-free number: (insert number)].
(7) Figure Number 7: Form Number FNPRV INFO/SEC:
We restrict access to nonpublic personal financial information about you to [provide an appropriate description, such as "those employees who need to know that information to provide products or services to you"]. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal financial information.
(8) Figure Number 8: Form Number FNPRV DSC/SRPLN:
PRIVACY NOTICE
NEITHER THE U.S. AGENTS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL FINANCIAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE AGENTS OR INSURERS EXCEPT AS PERMITTED BY LAW.