DEPARTMENT OF INSURANCE
Office of the Commissioner
PROPOSED
PUBLIC NOTICE
904 Privacy of Consumer Financial and Health Information
A. Type of Regulatory Action Required
Proposed amendments to an existing Regulation.
B. Synopsis of Subject Matter of the Regulation
1. Background on the Federal Gramm-Leach Bliley Act and subsequent FAST Act Amendments
The Federal Gramm-Leach Bliley Act (GLBA) governs the treatment of nonpublic personal financial information. The GLBA was enacted in 1999 and governs the privacy practices of a broad range of financial institutions. State insurance departments are the functional regulators of all financial firms engaged in the business of insurance. See Proceedings of the NAIC, 1999 Proc. 4th Quarter I 33-34.
Title V, Subtitle A of the GLBA requires financial institutions to provide to each of their customers an annual notice regarding those institutions' privacy policies. If financial institutions share certain consumer information with particular types of third parties, the annual notices must also provide customers with an opportunity to opt out of having their information shared.
Federal Regulation P, which implements the GLBA, sets forth requirements for how financial institutions must deliver these annual privacy notices. In certain circumstances, Regulation P permits financial institutions to use an alternative delivery method to provide annual notices. This method requires, among other things, that the annual notice be posted on a financial institution's website. For more information on Regulation P see 81 FR 44801 (July 11, 2016) and 83 FR 40945 et seq. (August 17, 2018).
On December 4, 2015, Congress amended the GLBA as part of the Fixing America's Surface Transportation Act (FAST Act). This amendment, entitled “Eliminate Privacy Notice Confusion” (see P.L. 114-94, section 75001), added new GLBA section 503(f). This new section provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers. To qualify for this exception, a financial institution: 1) must not share nonpublic personal information about customers except as described in certain statutory exceptions; and 2) must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recently distributed privacy notice. Id. The amendment was effective upon enactment. Regulation P was subsequently amended to implement the FAST Act amendments, effective on September 17, 2018.
2. NAIC Model Regulation 672 and subsequent amendments
In response to the GLBA, the National Association of Insurance Commissioners (NAIC) convened a Privacy Issues Working Group in 2000 to discuss how the NAIC and the State Departments of Insurance should proceed with respect to drafting a model privacy regulation. Proceedings of the NAIC, 2000 Proc. 1st Quarter 978. Note that NAIC Model Regulations are for the use of State Departments of Insurance in their state regulatory initiatives.
The resulting Model Regulation 672, Privacy of Consumer Financial and Health Information Regulation, was adopted by the NAIC at its third quarterly meeting in 2000. See Proceedings of the NAIC, 2000 Proc. 3rd Quarter 7, 10. The Model Regulation includes an Appendix A, which contains a series of sample clauses for use by licensees in their privacy notices.
After the Federal FAST Act Amendments were enacted in 2015, the NAIC once again responded by convening the Privacy Disclosures (D) Working Group. The group was charged with 1) determining if Model Regulation 672 should be amended to make it more consistent with Federal Regulation P’s alternative electronic delivery option; and 2) reviewing the sample privacy notices set forth in Model 672 Appendix A for consistency with the Federal privacy model notice forms, and whether the Federal Model Privacy Notice should be added as an Appendix B and be used as a safe harbor of compliance with the privacy modification requirements of the GLBA. Proceedings of the NAIC, 2017 Proc. 1st Quarter 41.
At its Fall 2016 Meeting, the NAIC determined to adopt the following revisions to Model Regulation 672 (see id. at 42):
3. The purpose of this proposal
The primary purpose of this proposal is to incorporate the NAIC revisions adopted at the NAIC 2016 fall meeting. Specifically:
An additional purpose of this proposal is to correct codification style errors and erroneous cross references in Regulation 904. Regulation 904 was originally codified as Regulation 84 when it was first adopted in 2001 (see 4 DE Reg. 1752 (May 1, 2001) for the proposal and 5 DE Reg. 1752 (July 1, 2001) for the adoption). When the State of Delaware switched to a new regulatory codification system, Regulation 84 was recodified as Regulation 904 (18 DE Admin. Code 904), with new tabulation enumeration that purported to comply with the new codification system requirements. Even so, the regulation in its current form contains codification style errors and erroneous internal cross references that the Department is updating as a part of this proposal. Two items are of particular note. First, the Department is recodifying examples of defined terms from the definition of a particular term to separate, cross-referenced subsections within Section 1. Second, the Department is recodifying subsections 1.4.1.14.1 through 4 to applicability subsections 1.3.2 through 6, respectively.
The bulk of the codification style errors are in Section 1 of the regulation.
The Department does not plan to hold a public hearing on the proposed amendments to Regulation 904. The regulation with proposed amendments appears below and can also be viewed at the Department of Insurance website at http://insurance.delaware.gov/information/proposedregs/.
Any person may file written comments, suggestions, briefs, and compilations of data or other materials concerning the proposed amendments. Any written submission in response to this notice and relevant to the proposed amendments must be received by the Department of Insurance no later than 4:30 p.m. EST, the 1st day, April, 2019. Any such requests should be directed to:
Leslie W. Ledogar, Regulatory Specialist
Delaware Department of Insurance
841 Silver Lake Blvd.
Dover, DE 19904
(302) 674-7379
Email: Leslie.Ledogar@state.de.us
904 Privacy of Consumer Financial and Health Information [Formerly Regulation 84]
1.1 Authority Authority.
1.1.1 This regulation is promulgated pursuant to the authority granted by 18 Del.C. §§311 and 535.
1.2 Purpose and Scope Purpose.
1.2.1 Purpose. This The purpose of this regulation governs is to govern the treatment of nonpublic personal financial information about individuals by all licensees of the state insurance department Delaware Department of Insurance. This regulation:
1.2.1.11.2.1 Requires a licensee to provide notice to individuals about its privacy policies and practices;
1.2.1.21.2.2 Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and
1.2.1.31.2.3 Provides methods for individuals to prevent a licensee from disclosing that information.
1.2.2 Scope. This regulation applies to:
1.3 Applicability
1.2.2.1 1.3.1 Nonpublic This regulation applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees and to all nonpublic personal health information. This regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
1.3.2 A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in Sections 1.0 through 11.0 of this regulation if the licensee is an employee, agent or other representative of another licensee (“the principal”) and:
1.3.2.1 The principal otherwise complies with, and provides the notices required by, the provisions of this regulation; and
1.3.2.2 The licensee does not disclose any nonpublic personal information to any person other than the principal or its affiliates in a manner permitted by this regulation.
1.3.3 Examples of employee, agent or other representative of a principal include:
1.3.3.1 An insurance broker, public adjuster or other licensee who is employed by another insurance broker, public adjuster or other licensee;
1.3.3.2 An independent adjuster adjusting a claim or benefit on behalf of an insurer;
1.3.3.3 An insurance agent of an insurer;
1.3.3.4 An insurance broker that has binding authority for an insurer; or
1.3.3.5 A sublicensee of a licensee, whether or not the sublicensee is licensed in any other capacity.
1.3.4 This regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
1.3.5 An excess lines broker or excess lines insurer shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in Sections 1.0 through 11.0 of this regulation, provided that the broker or insurer:
1.3.5.1 Does not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under Section 9.0 of this regulation, except as permitted by Sections 10.0 or 11.0 of this regulation; and
1.3.5.2 Delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:
PRIVACY NOTICE
NEITHER THE U.S. BROKERS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NON-AFFILIATES OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW.
1.2.3 1.4 Compliance. A licensee domiciled in this state that is in compliance with this regulation in a state that has not enacted laws or regulations that meet the requirements of Title V of the Gramm-Leach-Bliley Act (PL 102-106) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in such other state.
1.3 1.5 Rule Rules of Construction
1.3.1 1.5.1 The examples in this regulation and regulation, the sample clauses in Appendix A of this regulation and the Federal Privacy Form in Appendix B of this regulation are not exclusive. Compliance with an example or example, use of a sample clause, or use of the Federal Privacy Model Form, to the extent applicable, constitutes compliance with this regulation.
1.5.2 A licensee may rely on use of the Federal Model Privacy Form in Appendix B of this regulation consistent with the attached instructions, as a safe harbor of compliance with the privacy notice content requirement in this regulation.
1.5.3 Use of the Federal Model Privacy Form is not required. Licensees may continue to use other types of privacy notices, including notices that contain the examples in Appendix A of this regulation, provided that such notices accurately describe the licensee’s privacy practices and otherwise meet the notice content requirements of this regulation. However, while a licensee may continue to use privacy notices that contain the examples in this regulation and/or the sample clauses in Appendix A, a licensee may not rely on use of privacy notices with the sample clauses in Appendix A as a safe harbor of compliance with the notice content requirements of this regulation after July 1, 2019.
1.4 1.6 Definitions Definitions.
1.4.1 As as used in this regulation, unless the context requires otherwise:
1.4.1.1 “Affiliate” means any company that controls, is controlled by or is under common control with another company.
1.4.1.2 “Clear and Conspicuous” means that a notice is reasonably understandable as provided in subsection 1.7 of this regulation and is designed to call attention to the nature and significance of the information in the notice as provided in subsection 1.8 of this regulation.
1.4.1.2.1 Examples.
1.4.1.2.1.1 Reasonably understandable. A licensee makes its notice reasonably understandable if it:
1.4.1.2.1.2 Presents the information in the notice in clear, concise sentences, paragraphs, and sections;
1.4.1.2.1.3 Uses short explanatory sentences or bullet lists whenever possible;
1.4.1.2.1.4 Uses definite, concrete, everyday words and active voice whenever possible;
1.4.1.2.1.5 Avoids multiple negatives;
1.4.1.2.1.6 Avoids legal and highly technical business terminology whenever possible; and
1.4.1.2.1.7 Avoids explanations that are imprecise and readily subject to different interpretations.
1.4.1.2.1.8 Designed to call attention. A licensee designs its notice to call attention to the nature and significance of the information in it if the licensee:
1.4.1.2.1.9 Uses a plain-language heading to call attention to the notice;
1.4.1.2.1.10 Uses a typeface and type size that is easy to read;
1.4.1.2.1.11 Provides wide margins and ample line spacing;
1.4.1.2.1.12 Uses boldface or italics for key words; and
1.4.1.2.1.13 In a form that combines the licensee’s notice with other information, uses distinctive type size, style, and graphic devices, such as shading or sidebars.
1.4.1.2.1.14 Notices on web sites. If a licensee provides a notice on a web page, the licensee designs its notice to call attention to the nature and significance of the information in it if the licensee uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the licensee either:
1.4.1.2.1.15 Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
1.4.1.2.1.16 Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
1.4.1.3 “Collect” means to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
1.4.1.4 “Commissioner” means the Insurance Commissioner of Delaware.
1.4.1.5 “Company” means a corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.
1.4.1.6 “Consumer” means an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual’s legal representative as set forth in the examples listed in subsection 1.9 of this regulation.
1.4.1.6.1 Examples.
1.4.1.6.1.1 An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.
1.4.1.6.1.2 An applicant for insurance prior to the inception of insurance coverage is a licensee’s consumer.
1.4.1.6.1.3 An individual who is a consumer of another financial institution is not a licensee’s consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
1.4.1.6.1.4 An individual is a licensee’s consumer if:
1.4.1.6.1.4.1 the individual is a beneficiary of a life insurance policy underwritten by the licensee;
1.4.1.6.1.4.2 the individual is a claimant under an insurance policy issued by the licensee;
1.4.1.6.1.4.3 the individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee; or
1.4.1.6.1.4.4 the individual is a mortgagor of a mortgage covered under a mortgage insurance policy; and
1.4.1.6.1.4.5 the licensee discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under sections 14.0, 15.0 and 16.0 of this regulation.
1.4.1.6.1.5 Provided that the licensee provides the initial, annual and revised notices under sections 5.0, 6.0 and 9.0 of this regulation to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, workers’ compensation plan participant, and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under sections 14.0, 15.0 and 16.0 of this regulation, an individual is not the consumer of the licensee solely because he or she is:
1.4.1.6.1.5.1 A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary;
1.4.1.6.1.5.2 Covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or
1.4.1.6.1.5.3 A beneficiary in a workers’ compensation plan.
1.4.1.6.1.6 The individuals described in sections 1.4.1.6.1.5.1 through 1.4.1.6.1.5.3 are consumers of a licensee if the licensee does not meet all the conditions of Subparagraph (e).
1.4.1.6.1.7 In no event shall the individuals, solely by virtue of the status described in sections 1.4.1.6.1.5.1 through 1.4.1.6.1.5.3, be deemed to be customers for purposes of this regulation.
1.4.1.6.1.8 An individual is not a licensee’s consumer solely because he or she is a beneficiary of a trust for which the licensee is a trustee.
1.4.1.6.1.9 An individual is not a licensee’s consumer solely because he or she has designated the licensee as trustee for a trust.
1.4.1.7 “Consumer reporting agency” has the same meaning as in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
1.4.1.8 “Control” means: means any action that meets the criteria set forth in subsection 1.10 of this regulation.
1.4.1.8.1 Ownership, control or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
1.4.1.8.2 Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or
1.4.1.8.3 The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner determines.
1.4.1.9 “Customer” means a consumer who has a customer relationship with a licensee.
1.4.1.10 “Customer relationship” means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes. Examples of “customer relationship” are set forth in subsection 1.11 of this regulation.
1.4.1.10.1 Examples.
1.4.1.10.1.1 A consumer has a continuing relationship with a licensee if:
1.4.1.10.1.1.1 The consumer is a current policyholder of an insurance product issued by or through the licensee; or
1.4.1.10.1.1.2 The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
1.4.1.10.1.2 A consumer does not have a continuing relationship with a licensee if:
1.4.1.10.1.2.1 The consumer applies for insurance but does not purchase the insurance;
1.4.1.10.1.2.2 The licensee sells the consumer airline travel insurance in an isolated transaction;
1.4.1.10.1.2.3 The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
1.4.1.10.1.2.4 The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;
1.4.1.10.1.2.5 The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
1.4.1.10.1.2.6 The customer’s policy is lapsed, expired, or otherwise inactive or dormant under the licensee’s business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;
1.4.1.10.1.2.7 The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or
1.4.1.10.1.2.8 For the purposes of this regulation, the individual’s last known address according to the licensee’s records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
1.4.1.11 “Financial institution” means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
1.4.1.11.1 Financial institution does not include:
1.4.1.12 “Financial product or service” means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial service includes a financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
1.4.1.12.1 Financial service includes a financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
1.4.1.13 “Insurance product or service” means any product or service that is offered by a licensee pursuant to the insurance laws of this state. Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for a insurance product or service.
1.4.1.13.1 Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for a insurance product or service.
1.4.1.14 “Licensee” means all licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to the Insurance Law of this state, and health maintenance organizations holding a certificate of authority pursuant 16 Del.C. Ch. 91. A licensee does not include a domestic insurer transacting insurance in foreign countries only, under the laws and regulations of a foreign country only, and not transacting insurance in any state as defined in 18 Del.C. §103 of the Delaware Code. Subject to subsection 1.3.2, “licensee” shall also include an unauthorized insurer that accepts business placed through a licensed excess lines broker in this state, but only in regard to the excess lines placements placed pursuant to the Delaware Insurance Code.
1.4.1.14.1 A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in Articles I, II, III and IV of this regulation if the licensee is an employee, agent or other representative of another licensee (“the principal”) and:
1.4.1.14.1.1 The principal otherwise complies with, and provides the notices required by, the provisions of this regulation; and
1.4.1.14.1.2 The licensee does not disclose any nonpublic personal information to any person other than the principal or its affiliates in a manner permitted by this regulation.
1.4.1.14.2 Examples of employee, agent or other representative of a principal:
1.4.1.14.2.1 An insurance broker, public adjuster or other licensee who is employed by another insurance broker, public adjuster or other licensee;
1.4.1.14.2.2 An independent adjuster adjusting a claim or benefit on behalf of an insurer;
1.4.1.14.2.3 An insurance agent of an insurer;
1.4.1.14.2.4 An insurance broker that has binding authority for an insurer; or
1.4.1.14.2.5 A sublicensee of a licensee, whether or not the sublicensee is licensed in any other capacity.
1.4.1.14.3 Subject to section 1.4.1.14.2, “licensee” shall also include an unauthorized insurer that accepts business placed through a licensed excess lines broker in this state, but only in regard to the excess lines placements placed pursuant to the Delaware Insurance Code.
1.4.1.14.4 An excess lines broker or excess lines insurer shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in Articles I, II, III and IV of this regulation provided:
1.4.1.14.4.1 The broker or insurer does not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under section 14.0 of this regulation, except as permitted by section 15.0 or 16.0 of this regulation; and
1.4.1.14.4.2 The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:
PRIVACY NOTICE
NEITHER THE U.S. BROKERS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW.
1.4.1.15 “Nonaffiliated Third Party” means any person except: except a licensee's affiliate or a person employed jointly by a licensee and any company that is not the licensee's affiliate (but nonaffiliated third party includes the other company that jointly employs the person). Nonaffiliated third party includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) or insurance company investment activities of the type described in Section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).
1.4.1.15.1 A licensee’s affiliate; or
1.4.1.15.2 A person employed jointly by a licensee and any company that is not the licensee’s affiliate (but nonaffiliated third party includes the other company that jointly employs the person).
1.4.1.15.3 Nonaffiliated third party includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) or insurance company investment activities of the type described in Section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).
1.4.1.16 “Nonpublic Personal Information” means nonpublic personal financial information and nonpublic personal health information.
1.4.1.17 “Nonpublic Personal Financial Information” means: means personally identifiable financial information; and any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. Examples of lists of nonpublic personal financial information are set forth in subsection 1.12 of this regulation. Nonpublic personal financial information does not include:
1.4.1.17.1 Personally identifiable financial information; and
1.4.1.17.2 Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
1.4.1.17.3 Nonpublic personal financial information does not include:
1.4.1.17.3.1 Publicly available information, except as included on a list described in section 1.4.1.17; or
1.4.1.17.3.2 Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
1.4.1.17.4 Examples of lists.
1.4.1.17.4.1 Nonpublic personal financial information includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
1.4.1.17.4.2 Nonpublic personal financial information does not include any list of individuals’ names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
“Nonpublic Personal Health Information” means health information that identifies an individual who is the subject of the information; or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
1.4.1.18 “Personally Identifiable Financial Information” means any information: information a consumer provides to a licensee to obtain an insurance product or service from the licensee; about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer. Examples of “personally identifiable financial information” are set forth in subsection 1.13 of this regulation.
1.4.1.18.1 A consumer provides to a licensee to obtain an insurance product or service from the licensee;
1.4.1.18.2 About a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or
1.4.1.18.3 The licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
1.4.1.18.4 Examples.
1.4.1.18.4.1 Information included. Personally identifiable financial information includes:
1.4.1.18.4.1.1 Information a consumer provides to a licensee on an application to obtain an insurance product or service;
1.4.1.18.4.1.2 Account balance information and payment history;
1.4.1.18.4.1.3 The fact that an individual is or has been one of the licensee’s customers or has obtained an insurance product or service from the licensee;
1.4.1.18.4.1.4 Any information about the licensee’s consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee’s consumer;
1.4.1.18.4.1.5 Any information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
1.4.1.18.4.1.6 Any information the licensee collects through an Internet cookie (an information-collecting device from a web server); and
1.4.1.18.4.1.7 Information from a consumer report.
1.4.1.18.4.2 Information not included. Personally identifiable financial information does not include:
1.4.1.18.4.2.1 A list of names and addresses of customers of an entity that is not a financial institution; and
1.4.1.18.4.2.2 Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
1.4.1.19 “Publicly Available Information” means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from: from federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine that 1) the information is of the type that is available to the general public; and 2) whether an individual can direct that the information not be made available to the general public and, if so, that the licensee's consumer has not done so. Examples of “publicly available information” are set forth in subsection 1.14 of this regulation.
1.4.1.19.1 Federal, state or local government records;
1.4.1.19.2 Widely distributed media; or
1.4.1.19.3 Disclosures to the general public that are required to be made by federal, state or local law.
1.4.1.19.4 Reasonable basis. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
1.4.1.19.4.1 That the information is of the type that is available to the general public; and
1.4.1.19.4.2 Whether an individual can direct that the information not be made available to the general public and, if so, that the licensee’s consumer has not done so.
1.4.1.19.5 Examples.
1.4.1.19.5.1 Government records. Publicly available information in government records includes information in government real estate records and security interest filings.
1.4.1.19.5.2 Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
1.4.1.19.6 Reasonable basis.
1.4.1.19.6.1 A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
1.4.1.19.6.2 A licensee has a reasonable basis to believe that an individual’s telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.
1.7 A licensee makes its notice “reasonably understandable” for purposes of the defined phrase “clear and conspicuous” if it:
1.7.1 Presents the information in the notice in clear, concise sentences, paragraphs, and sections;
1.7.2 Uses short explanatory sentences or bullet lists whenever possible;
1.7.3 Uses definite, concrete, everyday words and active voice whenever possible;
1.7.4 Avoids multiple negatives;
1.7.5 Avoids legal and highly technical business terminology whenever possible; and
1.7.6 Avoids explanations that are imprecise and readily subject to different interpretations.
1.8 A licensee designs its notice to “call attention to the nature and significance of the information in it” for purposes of the defined phrase “clear and conspicuous” if the licensee:
1.8.1 Uses a plain-language heading to call attention to the notice;
1.8.2 Uses a typeface and type size that is easy to read;
1.8.3 Provides wide margins and ample line spacing;
1.8.4 Uses boldface or italics for key words;
1.8.5 Uses a form that combines the licensee's notice with other information, uses distinctive type size, style, and graphic devices, such as shading or sidebars; and
1.8.6 If applicable, when notice is provided on a web page, designs its notice to call attention to the nature and significance of the information in it if the licensee uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the licensee either:
1.8.6.1 Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
1.8.6.2 Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
1.9 Examples of the defined term “consumer” include:
1.9.1 An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.
1.9.2 An applicant for insurance prior to the inception of insurance coverage is a licensee's consumer.
1.9.3 An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
1.9.4 An individual is a licensee's consumer if:
1.9.4.1 The individual is a beneficiary of a life insurance policy underwritten by the licensee;
1.9.4.2 The individual is a claimant under an insurance policy issued by the licensee;
1.9.4.3 The individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee; or
1.9.4.4 The individual is a mortgagor of a mortgage covered under a mortgage insurance policy and the licensee discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under Sections 9.0, 10.0 and 11.0 of this regulation.
1.9.5 Provided that the licensee provides the initial, annual and revised notices under subsections 2.1 and 2.2 and Section 4.0 of this regulation to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, workers' compensation plan participant, and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under Sections 9.0, 10.0 and 11.0 of this regulation, an individual is not the consumer of the licensee solely because he or she is:
1.9.5.1 A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary;
1.9.5.2 Covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or
1.9.5.3 A beneficiary in a workers' compensation plan.
1.9.6 The individuals described in subsections 1.9.5.1 through 1.9.5.3 are consumers of a licensee if the licensee does not meet all the conditions of subsection 1.9.5 of this regulation.
1.9.7 In no event shall the individuals, solely by virtue of the status described in subsections 1.9.5.1 through 1.9.5.3, be deemed to be customers for purposes of this regulation.
1.9.8 An individual is not a licensee's consumer solely because he or she is a beneficiary of a trust for which the licensee is a trustee.
1.9.9 An individual is not a licensee's consumer solely because he or she has designated the licensee as trustee for a trust.
1.10 Examples of the defined term “control” include:
1.10.1 Ownership, control or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
1.10.2 Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or
1.10.3 The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner determines.
1.11 Examples of the defined term “customer relationship” include:
1.11.1 A consumer has a continuing relationship with a licensee if:
1.11.1.1 The consumer is a current policyholder of an insurance product issued by or through the licensee; or
1.11.1.2 The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
1.11.2 A consumer does not have a continuing relationship with a licensee if:
1.11.2.1 The consumer applies for insurance but does not purchase the insurance;
1.11.2.2 The licensee sells the consumer airline travel insurance in an isolated transaction;
1.11.2.3 The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
1.11.2.4 The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;
1.11.2.5 The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
1.11.2.6 The customer's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;
1.11.2.7 The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity;
1.11.2.8 For the purposes of this regulation, the individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or
1.11.2.9 In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
1.12 Examples of lists of “nonpublic personal financial information” as defined in this regulation include any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers; but does not include any list of individuals' names and addresses that:
1.12.1 Contains only publicly available information;
1.12.2 Is not derived in whole or in part using personally identifiable financial information that is not publicly available; and
1.12.3 Is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
1.13 Examples of the defined term “personally identifiable financial information” include:
1.13.1 Information a consumer provides to a licensee on an application to obtain an insurance product or service;
1.13.2 Account balance information and payment history;
1.13.3 The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee;
1.13.4 Any information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer;
1.13.5 Any information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
1.13.6 Any information the licensee collects through an Internet cookie (an information-collecting device from a web server); and
1.13.7 Information from a consumer report; except that personally identifiable financial information does not include:
1.13.7.1 A list of names and addresses of customers of an entity that is not a financial institution; and
1.13.7.2 Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
1.14 Examples of the defined term “publicly available information” include:
1.14.1 Government records - Publicly available information in government records includes information in government real estate records and security interest filings.
1.14.2 Widely distributed media - Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
1.14.3 Mortgage information - A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
1.14.4 Telephone number - A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed the public that the telephone number is not unlisted.
2.1 Initial Privacy Notice to Consumers Required
2.1.1 Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:
2.1.1.1 Customer. An individual who becomes the licensee’s customer, not later than when the licensee establishes a customer relationship, except as provided in Subsection E subsection 2.1.5 of this section regulation; and
2.1.1.2 Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by sections 15.0 and 16.0 Sections 10.0 and 11.0 of this regulation.
2.1.2 When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under section 2.1.1 of this section if:
2.1.2.1 The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 15.0 and 16.0 Sections 10.0 and 11.0 of this regulation, and the licensee does not have a customer relationship with the consumer; or
2.1.2.2 A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
2.1.3 When the licensee establishes a customer relationship.
2.1.3.1 General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship.
2.1.3.2 Examples of establishing customer relationship. A licensee establishes a customer relationship when the consumer:
2.1.3.2.1 Becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an insurance producer or insurance broker, obtains insurance through that licensee; or
2.1.3.2.2 Agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the licensee.
2.1.4 Existing customers. When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, the licensee satisfies the initial notice requirements of section 2.1 subsection 2.1.1 of this regulation as follows:
2.1.4.1 The licensee may provide a revised policy notice, under section 9.0 Section 4.0 of this regulation, that covers the customer’s new insurance product or service; or
2.1.4.2 If the initial, revised or annual notice that the licensee most recently provided to that customer was accurate with respect to the new insurance product or service, the licensee does not need to provide a new privacy notice under section 2.1 subsection 2.1.1 of this regulation.
2.1.5 Exceptions to allow subsequent delivery of notice.
2.1.5.1 A licensee may provide the initial notice required by Subsection A(1) subsection 2.1.1.1 of this section regulation within a reasonable time after the licensee establishes a customer relationship if:
2.1.5.1.1 Establishing the customer relationship is not at the customer’s election; or
2.1.5.1.2 Providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.
2.1.5.2 Examples of exceptions.
2.1.5.2.1 Not at customer’s election. Establishing a customer relationship is not at the customer’s election if a licensee acquires or is assigned a customer’s policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee’s acquisition or assignment.
2.1.5.2.2 Substantial delay of customer’s transaction. Providing notice not later than when a licensee establishes a customer relationship would substantially delay the customer’s transaction when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
2.1.5.3 No substantial delay of customer’s transaction. Providing notice not later than when a licensee establishes a customer relationship would not substantially delay the customer’s transaction when the relationship is initiated in person at the licensee’s office or through other means by which the customer may view the notice, such as on a web site.
2.1.6 Delivery. When a licensee is required to deliver an initial privacy notice by this section, the licensee shall deliver it according to section 10.0 Section 5.0 of this regulation. If the licensee uses a short-form initial notice for non-customers according to section subsection 2.4 of this regulation, the licensee may deliver its privacy notice according to section subsection 2.4.3 of this regulation.
2.2 Annual Privacy Notice to Customers Required
2.2.1 General rule. A licensee shall provide a clear and conspicuous notice to customers that accurately reflect reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve (12) consecutive months during which that relationship exists. A licensee may define the twelve-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.
2.2.1.1 Example. A licensee provides a notice annually if it defines the twelve-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year 1, the licensee shall provide an annual notice to that customer by December 31 of year 2.
2.2.1.2 Exception to General Rule. A licensee is not required to provide an annual notice under this subsection if the licensee is subject to the federal Gramm-Leach-Bliley Act as amended by the Fixing America’s Surface Transportation Act, (P.L. 114-94, section 75001) provided that the licensee:
2.2.1.2.1 Provides nonpublic personal information to nonaffiliated third parties only in accordance with Sections 9.0, 10.0 and 11.0 of this regulation; and
2.2.1.2.2 Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to consumers in accordance with this subsection or with subsection 2.1 of this regulation.
2.2.2 Termination of customer relationship. A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.
2.2.2.1 Examples.
2.2.2.1.1 A licensee no longer has a continuing relationship with an individual if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
2.2.2.1.2 A licensee no longer has a continuing relationship with an individual if the individual’s policy is lapsed, expired or otherwise inactive or dormant under the licensee’s business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than to provide annual privacy notices, material required by law or regulation, or promotional materials.
2.2.2.1.3 For the purposes of this regulation, a licensee no longer has a continuing relationship with an individual if the individual’s last known address according to the licensee’s records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
2.2.2.1.4 A licensee no longer has a continuing relationship with a customer in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
2.2.3 Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to section 10.0 Section 5.0 of this regulation.
2.3 Information to be Included in Privacy Notices
2.3.1 General rule. The initial, annual and revised privacy notices that a licensee provides under sections 5.0, 6.0 and 9.0 subsections 2.1 and 2.2 and Section 4.0 of this regulation shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
2.3.1.1 The categories of nonpublic personal financial information that the licensee collects;
2.3.1.2 The categories of nonpublic personal financial information that the licensee discloses;
2.3.1.3 The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under sections 15.0 and 16.0 Sections 10.0 and 11.0 of this regulation;
2.3.1.4 The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under sections 15.0 and 16.0 Sections 10.0 and 11.0 of this regulation;
2.3.1.5 If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 14.0 Section 9.0 (and no other exception in sections 15.0 and 16.0 Sections 10.0 and 11.0 of this regulation applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
2.3.1.6 An explanation of the consumer’s right under section 11.1 subsections 6.1 through 6.3 of this regulation to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
2.3.1.7 Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
2.3.1.8 The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
2.3.1.9 Any disclosure that the licensee makes under Subsection B subsection 2.3.2 of this section regulation.
2.3.2 Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under sections 15.0 and 16.0 Sections 10.0 and 11.0 of this regulation, the licensee is not required to list those exceptions in the initial or annual privacy notices required by sections 5.0 and 6.0 subsections 2.1 and 2.2 of this regulation. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
2.3.3 Examples.
2.3.3.1 Categories of nonpublic personal financial information that the licensee collects. A licensee satisfies the requirement to categorize the nonpublic personal financial information it collects if the licensee categorizes it according to the source of the information, as applicable:
2.3.3.1.1 Information from the consumer;
2.3.3.1.2 Information about the consumer’s transactions with the licensee or its affiliates;
2.3.3.1.3 Information about the consumer’s transactions with nonaffiliated third parties; and
2.3.3.1.4 Information from a consumer reporting agency.
2.3.3.2 Categories of nonpublic personal financial information a licensee discloses.
2.3.3.2.1 A licensee satisfies the requirement to categorize nonpublic personal financial information it discloses if the licensee categorizes the information according to source, as described in section 2.3.3 subsection 2.3.3.1 of this regulation, as applicable, and provides a few examples to illustrate the types of information in each category. These might include:
2.3.3.2.1.1 Information from the consumer, including application information, such as assets and income and identifying information, such as name, address and social security number;
2.3.3.2.1.2 Transaction information, such as information about balances, payment history and parties to the transaction; and
2.3.3.2.1.3 Information from consumer reports, such as a consumer’s creditworthiness and credit history.
2.3.3.2.2 A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.
2.3.3.2.3 If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal information that the licensee discloses.
2.3.3.3 Categories of affiliates and nonaffiliated third parties to whom the licensee discloses.
2.3.3.3.1 A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
2.3.3.3.2 Types of businesses may be described by general terms only if the licensee uses a few illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of businesses, such as life insurer, automobile insurer, consumer banking or securities brokerage.
2.3.3.3.3 A licensee also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
2.3.3.3.4 Disclosures under exception for service providers and joint marketers. If a licensee discloses nonpublic personal financial information under the exception in Section 14 9.0 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of section subsection 2.3.1.5 of this section regulation if it:
2.3.3.3.4.1 Lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the licensee used to meet the requirements of Subsection A(2) subsection 2.3.1.2 of this section regulation, as applicable; and
2.3.3.3.4.2 States whether the third party is:
2.3.3.3.4.2.1 A service provider that performs marketing services on the licensee’s behalf or on behalf of the licensee and another financial institution; or
2.3.3.3.4.2.2 A financial institution with whom the licensee has a joint marketing agreement.
2.3.3.3.5 Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under Sections 15 10.0 and 16 11.0 of this regulation, the licensee may simply state that fact, in addition to the information it shall provide under sections 2.3.1.1, 2.3.1.8, 2.3.1.9 and 2.3.2 of this regulation.
2.3.3.62.3.3.4 Confidentiality and security. A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
2.3.3.6.12.3.3.4.1 Describes in general terms who is authorized to have access to the information; and
2.3.3.6.22.3.3.4.2 States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee’s policy. The licensee is not required to describe technical information about the safeguards it uses.
2.4 Short-form initial notice with opt out notice for non-customers.
2.4.1 A licensee may satisfy the initial notice requirements in sections subsections 2.1.1.2 and 3.4 of this regulation for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in section 8.0 Section 3.0 of this regulation.
2.4.2 A short-form initial notice shall:
2.4.2.1 Be clear and conspicuous;
2.4.2.2 State that the licensee’s privacy notice is available upon request; and
2.4.2.3 Explain a reasonable means by which the consumer may obtain that notice.
2.4.3 The licensee shall deliver its short-form initial notice according to section 10.0 Section 5.0 of this regulation. The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee’s short-form notice requests the licensee’s privacy notice, the licensee shall deliver its privacy notice according to section 10.0 Section 5.0 of this regulation.
2.4.4 Examples of obtaining privacy notice. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee:
2.4.4.1 Provides a toll-free telephone number that the consumer may call to request the notice; or
2.4.4.2 For a consumer who conducts business in person at the licensee’s office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.
2.5 Future disclosures. The licensee’s notice may include:
2.5.1 Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
2.5.2 Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
2.6 Sample clauses and Federal Model Privacy Form. Sample clauses illustrating some of the notice content required by this section are included in Appendix A of this regulation. The Federal Model Privacy Form is codified at 16 CFR Part 313 Appendix A, incorporated herein by reference, as may, from time to time, be amended.
3.1 Form of opt out notice. If a licensee is required to provide an opt out notice under section 11.1 subsections 6.1 through 6.3 of this regulation, it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice shall state:
3.1.1 That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
3.1.2 That the consumer has the right to opt out of that disclosure; and
3.1.3 A reasonable means by which the consumer may exercise the opt out right.
3.2 Examples.
3.2.1 Adequate opt out notice. A licensee provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal financial information to a nonaffiliated third party if the licensee:
3.2.1.1 Identifies all of the categories of nonpublic personal financial information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the licensee discloses the information, as described in sections subsections 2.3.1.2 and 2.3.1.3, and states that the consumer can opt out of the disclosure of that information; and
3.2.1.2 Identifies the insurance products or services that the consumer obtains from the licensee, either singly or jointly, to which the opt out direction would apply.
3.2.2 Reasonable opt out means. A licensee provides a reasonable means to exercise an opt out right if it:
3.2.2.1 Designates check-off boxes in a prominent position on the relevant forms with the opt out notice;
3.2.2.2 Includes a reply form together with the opt out notice;
3.2.2.3 Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee’s web site, if the consumer agrees to the electronic delivery of information; or
3.2.2.4 Provides a toll-free telephone number that consumers may call to opt out.
3.2.3 Unreasonable opt out means. A licensee does not provide a reasonable means of opting out if:
3.2.3.1 The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
3.2.3.2 The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the licensee provided with the initial notice but did not include with the subsequent notice.
3.2.4 Specific opt out means. A licensee may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.
3.3 Same form as initial notice permitted. A licensee may provide the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with section 5.0 subsection 2.1.
3.4 Initial notice required when opt out notice delivered subsequent to initial notice. If a licensee provides the opt out notice later than required for the initial notice in accordance with section 5.0 subsection 2.1, the licensee shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
3.5 Joint relationships.
3.5.1 If two (2) or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee’s opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer (as explained in Paragraph (5) of this subsection 3.5.5 of this regulation).
3.5.2 Any of the joint consumers may exercise the right to opt out. The licensee may either:
3.5.2.1 Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
3.5.2.2 Permit each joint consumer to opt out separately.
3.5.3 If a licensee permits each joint consumer to opt out separately, the licensee shall permit one of the joint consumers to opt out on behalf of all of the joint consumers.
3.5.4 A licensee may not require all joint consumers to opt out before it implements any opt out direction.
3.5.5 Example. If John and Mary are both named policyholders on a homeowner’s insurance policy issued by a licensee and the licensee sends policy statements to John’s address, the licensee may do any of the following, but it shall explain in its opt out notice which opt out policy the licensee will follow:
3.5.5.1 Send a single opt out notice to John’s address, but the licensee shall accept an opt out direction from either John or Mary.
3.5.5.2 Treat an opt out direction by either John or Mary as applying to the entire policy. If the licensee does so and John opts out, the licensee may not require Mary to opt out as well before implementing John’s opt out direction.
3.5.5.3 Permit John and Mary to make different opt out directions. If the licensee does so:
3.5.5.3.1 It shall permit John and Mary to opt out for each other;
3.4.5.3.2 If both opt out, the licensee shall permit both of them to notify it in a single response (such as on a form or through a telephone call); and
3.4.5.3.3 If John opts out and Mary does not, the licensee may only disclose nonpublic personal financial information about Mary, but not about John and not about John and Mary jointly.
3.6 Time to comply with opt out. A licensee shall comply with a consumer’s opt out direction as soon as reasonably practicable after the licensee receives it.
3.7 Continuing right to opt out. A consumer may exercise the right to opt out at any time.
3.8 Duration of consumer’s opt out direction.
3.8.1 A consumer’s direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
3.8.2 When a customer relationship terminates, the customer’s opt out direction continues to apply to the nonpublic personal financial information that the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.
3.9 Delivery. When a licensee is required to deliver an opt out notice by this section, the licensee shall deliver it according to section 10.0 Section 5.0 of this regulation.
4.1 General rule. Except as otherwise authorized in this regulation, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under section 5.0 subsection 2.1 of this regulation, unless:
4.1.1 The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
4.1.2 The licensee has provided to the consumer a new opt out notice;
4.1.3 The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
4.1.4 The consumer does not opt out.
4.2 Examples.
4.2.1 Except as otherwise permitted by sections 14.0, 15.0 and 16.0 Sections 9.0, 10.0 and 11.0 of this regulation, a licensee shall provide a revised notice before it:
4.2.1.1 Discloses a new category of nonpublic personal financial information to any nonaffiliated third party;
4.2.1.2 Discloses nonpublic personal financial information to a new category of nonaffiliated third party; or
4.2.1.3 Discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
4.2.2 A revised notice is not required if the licensee discloses nonpublic personal financial information to a new nonaffiliated third party that the licensee adequately described in its prior notice.
4.3 Delivery.
4.3.1 When a licensee is required to deliver a revised privacy notice by this section, the licensee shall deliver it according to section 10.0 Section 5.0 of this regulation.
4.3.2 Unless a licensee is providing privacy notices directly to covered individuals described in subsections 1.9.5.1, 1.9.5.2 or 1.9.5.3 of this regulation, a licensee shall provide initial, annual and revised notices to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, or workers’ compensation policyholder, in the manner described in Sections 2.0 through 4.0 of this regulation, describing the licensee’s privacy practices with respect to nonpublic personal information about individuals covered under the policies, contracts or plans.
5.1 How to provide notices. A licensee shall provide any notices that this regulation requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
5.2 Examples of reasonable expectation of actual notice. A licensee may reasonably expect that a consumer will receive actual notice if the licensee:
5.2.1 Hand-delivers a printed copy of the notice to the consumer;
5.2.2 Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication;
5.2.3 For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service;
5.2.4 For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
5.3 Examples of unreasonable expectation of actual notice. A licensee may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it:
5.3.1 Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or
5.3.2 Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.
5.4 Annual notices only. A licensee may reasonably expect that a customer will receive actual notice of the licensee’s annual privacy notice if:
5.4.1 The customer uses the licensee’s web site to access insurance products and services electronically and agrees to receive notices at the web site and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or
5.4.2 The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee’s current privacy notice remains available to the customer upon request.
5.5 Oral description of notice insufficient. A licensee may not provide any notice required by this regulation solely by orally explaining the notice, either in person or over the telephone.
5.6 Retention or accessibility of notices for customers.
5.6.1 For customers only, a licensee shall provide the initial notice required by section 5.1.1 subsection 2.1.1.2 of this regulation, the annual notice required by section 6.1 subsection 2.2.1 of this regulation, and the revised notice required by section 9.0 Section 4.0 of this regulation so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
5.6.2 Examples of retention or accessibility. A licensee provides a privacy notice to the customer so that the customer can retain it or obtain it later if the licensee:
5.6.2.1 Hand-delivers a printed copy of the notice to the customer;
5.6.2.2 Mails a printed copy of the notice to the last known address of the customer; or
5.6.2.3 Makes its current privacy notice available on a web site (or a link to another web site) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the web site.
5.7 Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.
5.8 Joint relationships. If two (2) or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual and revised notice requirements of sections 5.1, 6.1 and 9.1 subsections 2.1.1, 2.2.1 and 4.1 of this regulation, respectively, by providing one notice to those consumers jointly.
6.1 Conditions for disclosure. Except as otherwise authorized in this regulation, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
6.1.1 The licensee has provided to the consumer an initial notice as required under Section 5.0 subsection 2.1 of this regulation;
6.1.2 The licensee has provided to the consumer an opt out notice as required in Section 8.0 3.0 of this regulation;
6.1.3 The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
6.1.4 The consumer does not opt out.
6.2 Opt out definition. Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by sections 14.0, 15.0 and 16.0 Sections 9.0, 10.0 and 11.0 of this regulation.
6.3 Examples of reasonable opportunity to opt out. A licensee provides a consumer with a reasonable opportunity to opt out if:
6.3.1 By mail. The licensee mails the notices required in section 6.1 to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within thirty (30) days from the date the licensee mailed the notices.
6.3.2 By electronic means. A customer opens an on-line account with a licensee and agrees to receive the notices required in section 6.1 electronically, and the licensee allows the customer to opt out by any reasonable means within thirty (30) days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
6.3.3 Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in section 6.1 at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
6.4 Application of opt out to all consumers and all nonpublic personal financial information.
6.4.1 A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.
6.4.2 Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.
6.5 Partial opt out. A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
7.1 Information the licensee receives under an exception. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation, the licensee’s disclosure and use of that information is limited as follows:
7.1.1 The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information;
7.1.2 The licensee may disclose the information to its affiliates, but the licensee’s affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information; and
7.1.3 The licensee may disclose and use the information pursuant to an exception in Sections 15 10.0 or 16 11.0 of this regulation, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
7.2 Example. If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
7.3 Information a licensee receives outside of an exception. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation, the licensee may disclose the information only:
7.3.1 To the affiliates of the financial institution from which the licensee received the information;
7.3.2 To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information; and
7.3.3 To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
7.4 Example. If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation:
7.4.1 The licensee may use that list for its own purposes; and
7.4.2 The licensee may disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation, such as to the licensee’s attorneys or accountants.
7.5 Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation, the third party may disclose and use that information only as follows:
7.5.1 The third party may disclose the information to the licensee’s affiliates;
7.5.2 The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
7.5.3 The third party may disclose and use the information pursuant to an exception in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
7.6 Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in Sections 15 10.0 or 16 11.0 of this regulation, the third party may disclose the information only:
7.6.1 To the licensee’s affiliates;
7.6.2 To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
7.6.3 To any other person, if the disclosure would be lawful if the licensee made it directly to that person.
8.1 General prohibition on disclosure of account numbers. A licensee shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
8.2 Exceptions. Section Subsection 8.1 of this section regulation does not apply if a licensee discloses a policy number or similar form of access number or access code:
8.2.1 To the licensee’s service provider solely in order to perform marketing for the licensee’s own products or services, as long as the service provider is not authorized to directly initiate charges to the account;
8.2.2 To a licensee who is a producer solely in order to perform marketing for the licensee’s own products or services; or
8.2.3 To a participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
8.3 Examples.
8.3.1 Policy number. A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.
8.3.2 Policy or transaction account. For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
9.1 General rule.
9.1.1 The opt out requirements in sections 8.0 and 11.0 Sections 3.0 and 5.0 of this regulation do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee:
9.1.1.1 Provides the initial notice in accordance with section 5.0 subsection 2.1 of this regulation; and
9.1.1.2 Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in sections 15.0 Sections 10.0 or 16.0 11.0 of this regulation in the ordinary course of business to carry out those purposes.
9.1.2 Example. If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee's contractual agreement with that institution meets the requirements of section subsection 9.1.2 of this regulation if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in Sections 15 10.0 or 16 11.0 of this regulation in the ordinary course of business to carry out that joint marketing.
9.2 Service may include joint marketing. The services a nonaffiliated third party performs for a licensee under section subsection 9.1 may include marketing of the licensee’s own products or services or marketing of financial products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
9.3 Definition of “joint agreement.” For purposes of this section, “joint agreement” means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.
10.1 Exceptions for processing transactions at consumer’s request. The requirements for initial notice in section subsection 2.1.1.2, the opt out in sections 8.0 Sections 3.0 and 11.0 5.0 of this regulation, and service providers and joint marketing in section 14.0 Section 8.0 of this regulation do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with:
10.1.1 Servicing or processing an insurance product or service that a consumer requests or authorizes;
10.1.2 Maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;
10.1.3 A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer; or
10.1.4 Reinsurance or stop loss or excess loss insurance.
10.2 “Necessary to effect, administer or enforce a transaction” means that the disclosure is:
10.2.1 Required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
10.2.2 Required, or is a usual, appropriate or acceptable method:
10.2.2.1 To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the insurance product or service;
10.2.2.2 To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
10.2.2.3 To provide a confirmation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer’s agent or broker;
10.2.2.4 To accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party;
10.2.2.5 To underwrite insurance at the consumer’s request or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects or as otherwise required or specifically permitted by federal or state law; or
10.2.2.6 In connection with:
10.2.2.6.1 The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;
10.2.2.6.2 The transfer of receivables, accounts or interests therein; or
10.2.2.6.3 The audit of debit, credit or other payment information.
11.1 Exceptions to opt out requirements. The requirements for initial notice to consumers in section subsection 2.1.1.2, the opt out in sections 8.0 Sections 3.0 and 11.0 5.0 of this regulation, and service providers and joint marketing in Section 14 8.0 of this regulation do not apply when a licensee discloses nonpublic personal financial information:
11.1.1 With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
11.1.2 To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction;
11.1.3 To protect against or prevent actual or potential fraud or unauthorized transactions;
11.1.4 For required institutional risk control or for resolving consumer disputes or inquiries;
11.1.5 To persons holding a legal or beneficial interest relating to the consumer; or
11.1.6 To persons acting in a fiduciary or representative capacity on behalf of the consumer;
11.1.7 To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors;
11.1.8 To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety;
11.1.9 To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or
11.1.10 From a consumer report reported by a consumer reporting agency;
11.1.11 In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
11.1.12 To comply with federal, state or local laws, rules and other applicable legal requirements;
11.1.13 To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities;
11.1.14 To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law; or
11.1.15 For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan.
11.1.16 When the licensee is in liquidation or receivership.
11.2 Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under Section 8F subsection 3.7 of this regulation.
12.1 Nothing in this regulation shall be construed to modify, limit or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this regulation regarding whether information is transaction or experience information under Section 603 of that Act.
13.1 A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this regulation.
14.1 Repeated failure to comply with this Regulation will be grounds for investigation and enforcement as unfair practices in the insurance business pursuant to 18 Del.C. Ch. 23.
If any section or portion of a section of this regulation or its applicability to any person or circumstance is held invalid by a court, the remainder of the regulation or the applicability of the provision to other persons or circumstances shall not be affected.
16.1 Effective date. This regulation is effective as of July 1, 2001.
16.2 Notice requirement for consumers who are the licensee’s customers on the compliance date. By November 1, 2001, a licensee shall provide an initial notice, as required by section 5.0 subsection 2.1 of this regulation, to consumers who are the licensee’s customers on July 1, 2001.
16.3 Example. A licensee provides an initial notice to consumers who are its customers on November 1, 2001, if, by the licensee has established a system for providing an initial notice to all new customers and has mailed the initial notice to all the licensee’s existing customers.
16.4 Two-year grandfathering of service agreements. Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf satisfies the provisions of section subsection 9.1.1.2 of this regulation, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the licensee entered into the agreement on or before July 1, 2000.
16.5 The amendments to subsections 1.5 and 2.6 of this regulation shall be effective on July 1, 2019.
16.6 The exception to the annual notice requirement set forth in subsection 2.2.1.2 of this regulation shall be effective {fill in the date that is 10 days after the publication date of the notice of adoption of that requirement}.
APPENDIX A – SAMPLE CLAUSES
Licensees, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. (Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.)
A-1–Categories of information a licensee collects (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(1) 18 DE Admin. Code 904-2.3.1.1 to describe the categories of nonpublic personal information the licensee collects.
Sample Clause A-1:
We collect nonpublic personal information about you from the following sources:
A-2–Categories of information a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use one of these clauses, as applicable, to meet the requirement of Section 7A(2) 18 DE Admin. Code 904-2.3.1.2 to describe the categories of nonpublic personal information the licensee discloses. The licensee may use these clauses if it discloses nonpublic personal information other than as permitted by the exceptions in Sections 14, 15 and 16 18 DE Admin. Code 904-9.0, 10.0 and 11.0.
Sample Clause A-2, Alternative 1:
We may disclose the following kinds of nonpublic personal information about you:
Sample Clause A-2, Alternative 2:
We may disclose all of the information that we collect, as described [describe location in the notice, such as “above” or “below”].
A-3–Categories of information a licensee discloses and parties to whom the licensee discloses (institutions that do not disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirements of Sections 7A(2), (3), and (4) 18 DE Admin. Code 904-2.3.1.2 through 2.3.1.4 to describe the categories of nonpublic personal information about customers and former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses. A licensee may use this clause if the licensee does not disclose nonpublic personal information to any party, other than as permitted by the exceptions in Sections 15 and 16 18 DE Admin. Code 10.0 and 11.0.
Sample Clause A-3:
We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.
A-4–Categories of parties to whom a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(3) 18 DE Admin. Code 904-2.3.1.3 to describe the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information. This clause may be used if the licensee discloses nonpublic personal information other than as permitted by the exceptions in Sections 14, 15 and 16 18 DE Admin. Code 904-9.0, 10.0 and 11.0, as well as when permitted by the exceptions in Sections 15 and 16 18 DE Admin. Code 904-10.0 and 11.0.
Sample Clause A-4:
We may disclose nonpublic personal information about you to the following types of third parties:
We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.
A-5–Service provider/joint marketing exception
A licensee may use one of these clauses, as applicable, to meet the requirements of Section 7A(5) 18 DE Admin. Code 904-2.3.1.5 related to the exception for service providers and joint marketers in Section 14 18 DE Admin. Code 904-9.0. If a licensee discloses nonpublic personal information under this exception, the licensee shall describe the categories of nonpublic personal information the licensee discloses and the categories of third parties with which the licensee has contracted.
Sample Clause A-5, Alternative 1:
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
Sample Clause A-5, Alternative 2:
We may disclose all of the information we collect, as described [describe location in the notice, such as “above” or “below”] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
A-6–Explanation of opt out right (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(6) 18 DE Admin. Code 904-2.3.1.6 to provide an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. The licensee may use this clause if the licensee discloses nonpublic personal information other than as permitted by the exceptions in Sections 14, 15 and 16 18 DE Admin. Code 904-9.0, 10.0 and 11.0.
Sample Clause A-6:
If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as “call the following toll-free number: (insert number)].
A-7–Confidentiality and security (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(8) 18 DE Admin. Code 904-2.3.1.8 to describe its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Sample Clause A-7:
We restrict access to nonpublic personal information about you to [provide an appropriate description, such as “those employees who need to know that information to provide products or services to you”]. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.
APPENDIX B. FEDERAL SAMPLE CLAUSES
The Federal sample forms and instructions, as codified at 16 C.F.R. Pt. 313, App. A. (adopted at 74 FR 63966 (Dec. 1, 2009)), as may, from time to time, be amended, are incorporated herein by reference as 18 DE Admin. Code 904 Appendix B.