FINANCIAL INFORMATION PRIVACY PROTECTION ACT

NATIONAL CONFERENCE OF INSURANCE LEGISLATORS
FINANCIAL INFORMATION PRIVACY PROTECTION MODEL ACT

Adopted by the NCOIL Executive Committee on November 17, 2000.
Amended on March 2, 2001.
Amendments are in boldface.
TABLE OF CONTENTS

FINANCIAL INFORMATION PRIVACY PROTECTION MODEL ACT

CHAPTER ONE: TITLE, PURPOSE & DEFINITIONS 1

Section 101: Short Title 1

Section 102: Purpose 1

Section 103: Scope 2

Section 104: Definitions 2

Section 105: Nondiscrimination 9

CHAPTER TWO: PRIVACY AND OPT OUT NOTICES 10

Section 201: Initial privacy notice to consumers required 10

Section 202: Annual privacy notice to customers required 12

Section 203: Information to be included in privacy notices 13

Section 204: Form of opt out notice to consumers; opt out methods 15

Section 205: Revised privacy notices 17

Section 206: Delivering privacy and opt out notices 17

~~Section 207: Nondiscrimination 19~~

CHAPTER THREE: LIMITS ON DISCLOSURE 19

Section 301: Limits on disclosure of nonpublic personal financial information to

nonaffiliated third parties 19

Section 302: Limits on redisclosure and reuse of information 20

Section 303: Limits on sharing policy or contract number information for

marketing purposes 22

CHAPTER FOUR: EXCEPTIONS 22

Section 401: Exception to opt out requirements for service providers and joint

marketing 22

Section 402: Exceptions to notice and opt out requirements for processing and

servicing transactions 23

Section 403: Other exceptions to notice and opt out requirements 25

CHAPTER FIVE: PERSONALLY IDENTIFIABLE HEALTH INFORMATION 27

Section 501: Personally identifiable health information privacy notice and

disclosure authorization 27

CHAPTER SIX: RELATION TO OTHER LAWS; EFFECTIVE DATE 28

Section 601: Protection of Fair Credit Reporting Acts 28

Section 602: Protection of Health Insurance Portability and Accountability Act 29

Section 603: Determined violation 29

Section 604: Rules and Regulations 29

Section ~~605~~ 604: Effective date; transition rule 29

NATIONAL CONFERENCE OF INSURANCE LEGISLATORS

FINANCIAL INFORMATION PRIVACY PROTECTION MODEL ACT

CHAPTER ONE: TITLE, PURPOSE & DEFINITIONS

Section 101: Short Title

This Act shall be known and may be cited as the "Financial Information Privacy Protection Model Act."

Section 102: Purpose

This Act shall be liberally construed and applied to promote uniformity and functional regulation by:

A. implementing Title V of the Gramm-Leach-Bliley Act ("GLBA") (15 U.S.C. 6801, et.seq.,), that requires financial institutions, including insurers, to respect the privacy of their customers and to protect the security and confidentiality of those customers' nonpublic personal financial information;

B. establishing appropriate consumer privacy standards for insurance providers to be administered by this State's insurance regulatory authorities;

C. ensuring, pursuant to Section 6805(c) of GLBA, that this State shall be eligible to override, pursuant to Section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protections prescribed by a Federal banking agency under Section 45(a) of such Act;

D. requiring, pursuant to Sections 6802 and 6803 of GLBA that insurers maintain a privacy policy that is clearly communicated to customers and, under certain circumstances, to consumers and, that, subject to appropriate exceptions, no "nonpublic personal financial information" be disclosed to nonaffiliated third parties unless a consumer has been given a chance to "opt out" of having his or her information disclosed, that disclosure is authorized in the case of personally identifiable health information, and that no specific account information be given to direct marketing firms, as provided in Section 501;

E. providing for the enforcement of this Act by this State's insurance regulatory authorities; and

F. authorizing this State's insurance regulatory authorities to promulgate regulations as determined to be necessary to effectuate the purposes of this Act.

Section 103: Scope

This Act:

A. requires a licensee to provide notice to customers and, under certain

circumstances, to consumers about its privacy policies and practices;

B. describes the conditions under which a licensee may disclose nonpublic personal information about consumers and customers to nonaffiliated third parties;

C. provides a method for consumers and customers to prevent a licensee from

disclosing that information unless otherwise exempted as routine business disclosures in Sections 401, 402, 403 or 501;

D. establishes reasonable exceptions in Sections 401, 402, and 403 of this Act to the

notice requirements of licensees and the ability of consumers and customers to "opt out" of or to authorize certain disclosures; and

E. applies only to nonpublic personal information about individuals who obtain

financial products or services in this State from an insurer for personal, family or household purposes. This Act does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes. In particular, this Act does not apply to commercial insurance policies issued by the licensee.

Section 104: Definitions

As used in this Act, unless the context requires otherwise:

A. "Affiliate" means any company that controls, is controlled by, or is under

common control with another company.

B. “Agent” means [insert state definition].

C. "Clear and conspicuous" means that a notice is reasonably understandable and

designed to call attention to the nature and significance of the information in the notice.

D. "Collect" means to obtain information that the licensee organizes or can retrieve

by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

E. "Company" means any corporation, limited liability company, business trust,

general or limited partnership, association, sole proprietorship or similar organization.

F. "Consumer" means an individual who seeks to obtain, obtains, or has obtained an

insurance product or service in this state from a licensee, or that individual's legal representative, that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information.

1. A consumer is, including but not limited to:

a.1. an individual who provides nonpublic personal information to a licensee in connection with seeking to obtain or obtaining financial, insurance, investment or economic advisory services regardless of whether the licensee establishes an ongoing relationship; or

b.2. an applicant for insurance prior to the inception of insurance coverage;.

3. an individual who provides nonpublic personal information to a licensee in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes, regardless of whether the loan is extended;

2.4. ~~and, an~~ An individual is not a licensee's consumer for reasons including but not limited to~~, because~~:

(a) he or she is a beneficiary of a trust for which the licensee is a trustee,

(b) he or she is a third party liability claimant,

(c) he or she has designated the licensee as trustee for a trust, or

(d) he or she is a consumer of another financial institution to which the licensee acts as agent for, or provides processing or other services~~; and~~.

3.5. an An individual is also not a licensee’s consumer because:

(a) he or she is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary; or

(b) he or she is covered under a group or blanket insurance policy or group annuity contract issued by the licensee:

(i) provided that the licensee provides the initial, annual and revised notices under Section 201, 202 and 203 of this Act to the plan sponsor, group or blanket insurance policyholder or group annuity

contractholder;

(ii) and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under Sections 401, 402 and 403 of this Act.

In no event shall the individuals, solely by virtue of the status described in subparagraphs 5(a) and (b) above, be deemed to be customers for purposes of this Act.

G. "Consumer reporting agency" has the same meaning as in Section 603(f) of the

Federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)) and [insert reference to analogous state fair credit law, if applicable].

H. "Control" means :

1. ownership, control or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

2. control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

3. the power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Commissioner determines.

I. "Customer" means a consumer who has a customer relationship with a licensee.

In no event, however, shall a beneficiary or a claimant under a policy of insurance, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for the purposes of this Act.

J. "Customer relationship" means a continuing relationship between a

consumer and a licensee under which the licensee provides one or more financial products

or services to the consumer that are to be used primarily for personal, family, or household

purposes, including, but not limited to, if the consumer:

1. is a current policyholder of an insurance product or other product issued by or through a licensee;

2. obtains financial, investment or economic advisory services relating to an insurance product or service from a licensee for a fee.

K. "Financial institution" means the same as that term is defined in Section 509(3) of GLBA, and is as follows:

1. IN GENERAL – The term ‘financial institution’ means any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956.

2. PERSONS SUBJECT TO CFTC REGULATION – Notwithstanding subparagraph (1), the term ‘financial institution’ does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.

3. FARM CREDIT INSTITUTIONS – Notwithstanding subparagraph (1), the term ‘financial institution’ does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.

4. OTHER SECONDARY MARKET INSTITUTIONS – Notwithstanding subparagraph (1), the term ‘financial institution’ does not include institutions chartered by Congress specifically to engage in transactions described in Section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

L. "Financial product or service" means any product or service that is offered by a licensee pursuant to this State's insurance code, including, but not limited to a licensee's evaluation or brokerage of information that the licensee collects in connection with a request or an application from a consumer for a financial product or service.

M. "Health information" means any information or data, except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer or customer that relates to:

1. the past, present or future physical, mental or behavioral health or condition of a consumer ~~or a member of the consumer's family~~;

2. the provision of health care to a consumer; or

3. payment for the provision of health care to a consumer.

N. "Licensee" means a person licensed, or required to be licensed, or authorized, or

required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this state, [a health maintenance organization holding, or required to hold, a certificate of authority pursuant to the law governing such organizations in this State]; or other covered entities.

[Drafting Note: The term “health maintenance organization” has been bracketed because state laws treat HMOs in different ways. Individual states may want to decide whether to include HMOs.]

1. A licensee that is a producer or independent insurance agent is subject to all the requirements of this Act, except when the producer or agent is acting as agent for a licensee. In that case, the producer acting as agent for a licensee is exempt ~~only~~ from the notice and opt out requirements~~, rather than all requirements,~~ of the Act, and only if such producer does not disclose consumer information other than as permitted by Sections 401, 402 and 403.

2. Employees or other representatives acting on behalf of a licensee are also exempt from the notice and opt out requirements of the Act where (a) the licensee complies with the notice provisions of this Act and (b) the employee or other representative does not disclose nonpublic personal information other than to the licensee or its affiliates in a manner permitted by this Act.

1.3. Subject to subparagraph 2, ~~“covered entities”~~ a licensee shall also include unauthorized insurers who place business through licensed excess line brokers in this state, but only in regard to the excess line placements placed pursuant to Section [insert section] of this state’s laws.

2.4. Licensed excess line brokers ~~placing business underwritten by covered entities and those covered entities~~ shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in Chapters One, Two, Three, Four, and Six of this Act provided:

(a) such licensed excess line brokers ~~and covered entities~~ do not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under Section 401 of this Act, except as permitted by Section 402 or 403 of this Act; and

(b) at the time the customer relationship is established, a single notice is delivered to the consumer on behalf of all such licensed excess line brokers ~~and covered entities~~ involved in the provision of a financial product or service to a consumer or customer on which the following is printed in 16-point type:

PRIVACY NOTICE

“NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR THE INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF SUCH BROKER(S) OR SUCH INSURER(S) EXCEPT AS PERMITTED BY LAW.”

O. "Nonaffiliated third party" means any person, including, but not limited to any

company that is an affiliate solely by virtue of the licensee's or its affiliate's direct or indirect ownership or control of the company conducting: (i) merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) of the Federal Bank Holding Company Act ; or (ii) insurance company investment activities of the type described in Section 4(k)(4)(I) of the Federal Bank Holding Company Act. (12 U.S.C. 1843(k)(4)(H) and (I), except:

1. the licensee's affiliate; or

2. a person employed jointly by a licensee and any company that is not the

licensee's affiliate. Nonaffiliated third party includes the other company that jointly employs the person.

P. "Nonpublic personal information" means nonpublic personal financial information and nonpublic personal health information.

Q. "Nonpublic personal financial information" means:

1. personally identifiable financial information; and

2. any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available; and

3. any list of individual's names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as policy or contract numbers.

4. Nonpublic personal financial information does not include:

(a) health information;

(b) publicly available information, except as included on a list as described in subsection 4(d) of this Section; or

(c) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

(d) any list of individual's names and addresses that contains only publicly available information that is not derived, in whole or in part, using personally identifiable information that is not publicly available, and that is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

R. "Nonpublic personal health information" means health information:

1. that identifies an individual who is the subject of the information; or

2. with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

S. "Opt out" means a direction by the consumer that a licensee not disclose

nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Sections 401, 402 and 403 of this Act.

T. "Personally identifiable financial information" means financial information:

1. a consumer provides to a licensee to obtain a financial product or service from

the licensee;

2. about a consumer resulting from any transaction involving a financial product or

service between a licensee and a consumer; or

3. a licensee otherwise obtains about a consumer in connection with providing a

financial product or service to that consumer.

U. "Personally identifiable health information" means health information:

1. (a) a consumer provides to a licensee to obtain a financial product or service from the licensee;

(b) about a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer; or

(c) the licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer; and

(d) that identifies a consumer who is the subject of the information; or

(e) with respect to which there is a reasonable basis to believe that the information could be used to identify a consumer.

2. Personally identifiable health information does not include personally identifiable, non-medical information such as name, address, social security number, age, gender, etc. if legally obtained by the licensee from a source other than the consumer's medical record, even if such information is also part of the consumer's medical record.

V. "Publicly available information" means any information that the licensee

has a reasonable basis to believe is lawfully made available to the general public from:

1. federal, state, or local government records;

2. widely distributed media; or

3. disclosures to the general public that are required to be made by Federal, state or local law.

W. "Reasonable basis" means the licensee has a reasonable basis to believe that

information is lawfully made available to the general public because the licensee has taken steps to determine:

1. that the information is of the type that is available to the general public; and

2. whether an individual can direct that the information not be made available to the

general public and, if so, that a licensee's consumer has not done so.

Section 105: Nondiscrimination

A. No licensee shall unfairly discriminate against any customer or consumer on the basis of the customer's or consumer's exercise of his or her right to opt out of the sharing of his or her nonpublic personal information in the manner provided in this Act. Nothing in this Section shall prohibit licensees from engaging in their usual, appropriate, or acceptable method for insurance underwriting.

B. Nothing in this Act requires a licensee to provide a benefit or commence or continue payment of a claim in the absence of nonpublic personal health information or nonpublic personal financial information to support or deny the claim.

that accurately reflects the licensee's privacy policies and practices to:

1. Customer. An individual who becomes a licensee's customer, not later than the

time that the licensee establishes a customer relationship, except as provided in subsection E of this Section; and

2. Consumer. A consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by Sections 402, 403 and 501 of this Act.

B. When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under subsection A of this section if:

1. the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Sections 402, 403 and 501 of this Act;

2. the licensee does not have a customer relationship with the consumer; or

3. a notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and the other institutions.

C. When a licensee establishes a customer relationship.

1. General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship, other than solely as a beneficiary or claimant.

2. A licensee establishes a customer relationship under circumstances including, but

not limited to the following:

(a) when the consumer becomes a policyholder. This occurs when an insurance policy or contract is delivered to the consumer.

(b) when the consumer agrees to obtain financial, insurance, economic, or investment advisory services from the licensee for a fee.

D. Existing customers. When an existing customer obtains a new financial product

or service from a licensee that is to be used primarily for personal, family, or household purposes, a licensee satisfies the initial notice requirements of subsection A of this section as follows:

1. a licensee may provide a revised policy notice, under Section 205 of this Act,

that covers the customer's new financial product or service; or

2. if the initial, revised, or annual notice that a licensee most recently provided to

that customer was accurate with respect to the new financial product or service, a licensee does not need to provide a new privacy notice under subsection A of this section.

E. Exceptions to allow subsequent delivery of notice. A licensee may provide the initial notice required by subsection A.1. of this section within a reasonable time after the licensee establishes a customer relationship if:

1. establishing the customer relationship is not at the customer's election, including but not limited to if the licensee acquires or is assigned the insurance policy or related records from another financial institution or residual market mechanism and the customer does not have a choice about such acquisition or assignment; or

2. providing notice not later than when the licensee establishes the customer relationship would substantially delay the customer's transaction, including but not limited to when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service, and the customer agrees to receive the notice at a later time.

F. Joint relationships. If two or more consumers jointly obtain a financial product

or service from a licensee, the licensee may satisfy the requirements of subsection A. of this section by providing one initial notice to those consumers jointly.

G. Delivery. When a licensee is required to deliver an initial privacy notice by this

section, a licensee must deliver it according to Section 206 of this Act. If a licensee uses a short-form initial notice for non-customers according to Section 203.C. of this Act, the licensee may deliver its privacy notice according to Section 203.C.3. of this Act.

Section 202: Annual privacy notice to customers required

A. General rule. A licensee must provide a clear and conspicuous notice to a customer that accurately reflects the licensee's privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee must apply it to the customer on a consistent basis.

B. Termination of customer relationship. A licensee is not required to provide an

annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.

1. A licensee no longer has a continuing relationship with an individual:

(a) if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;

(b) if the individual's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve consecutive months, other than to provide annual privacy notices, materials required by law or regulation, or promotional materials;

(c) if the individual's last known address according to the licensee's records is deemed to be invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or

(d) in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.

C. Delivery. When the licensee is required to deliver an annual privacy notice by this

section, the licensee must deliver it according to Section 206 of this Act.

D. Such annual notice may be provided by an affiliated licensee, as long as the notice clearly identifies all licensees to which the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and other institutions.

Section 203: Information to be included in privacy notices

A. General rule. The initial, annual, and revised privacy notices that a licensee

provides under Sections 201, 202 and 205 of this Act must include each of the following items of information that applies to the licensee or to the consumers to whom the licensee sends its privacy notice, in addition to any other information the licensee wishes to provide:

1. the categories of nonpublic personal financial information that the licensee collects;

2. the categories of nonpublic personal financial information that the licensee discloses;

3. the categories of affiliates and nonaffiliated third parties to whom the licensee

discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Sections 402 and 403 of this Act;

4. the categories of nonpublic personal financial information about the licensee's former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about its former customers, other than those parties to whom it discloses information under Sections 402 and 403 of this Act;

5. if a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Section 401 of this Act (and no other exception applies to that disclosure), a separate statement of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;

6. an explanation of the right under Section 301 of this Act to opt out of the

disclosure of nonpublic personal financial information to nonaffiliated third parties and under Section 501 of this Act to authorize the disclosure of personally identifiable health information for marketing purposes, including the methods by which the consumer may exercise those rights at that time;

7. any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the

Federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii))(that is, notices regarding the ability to opt out of disclosures of information among affiliates);

8. the licensee's policies and practices with respect to protecting the confidentiality

and security of nonpublic personal information; and

9. a statement to the effect that the licensee makes disclosures under subsection B.

of this section, if such disclosures are made.

B. Description of nonaffiliated third parties subject to exceptions. If a licensee

discloses nonpublic personal financial information about a consumer to third parties only as authorized under Sections 402 and 403 of this Act, the licensee is not required to list those exceptions in the initial or annual privacy notices required by this Act. When describing the categories with respect to those parties, a licensee is only required to state that it makes disclosures to other nonaffiliated third parties as permitted by law.

C. Short-form initial notice with opt out notice for non-customers.

1. The licensee may satisfy the initial notice requirements of this Act for a consumer

who is not a customer by providing a short form initial notice at the same time as the licensee delivers an opt out notice as required in Section 206 of this Act and, if appropriate, an authorization as required in Section 501 of this Act.

2. A short form initial notice must:

(a) be clear and conspicuous;

(b) state that a licensee's privacy notice is available upon request; and

(c) explain a reasonable means by which the consumer may obtain that notice, including but not limited to providing a toll-free telephone number the consumer may call to request the notice or, for a consumer who conducts business in person in the licensee's office, providing notice to the consumer immediately upon request.

3. The licensee must deliver its short form notice according to Section 206 of this

Act. A licensee is not required to deliver its privacy notice with its short-form initial notice. A licensee may instead simply provide the consumer with a reasonable means to obtain the licensee's privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee must deliver its privacy notice according to Section 206 of this Act.

D. Future disclosures. A licensee's notice may include:

1. categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and

2. categories of affiliates or nonaffiliated third parties to whom the licensee reserves

the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal financial information.

E. Simplified notices. A licensee that does not disclose, and does not wish to reserve the right to disclose nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under Sections 402 and 403 of this Act, may simply state that fact, in addition to the information it shall provide under Subsections A(1), A(8), A(9) and Subsection B of this section.

Section 204: Form of opt out notice to consumers; opt out methods

A. Form of opt out notice. If a licensee is required to provide an opt out notice under

Section 301 of this Act, the licensee must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice must state:

1. that the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;

2. that the consumer has the right to opt out of that disclosure; and

3. a reasonable means by which the consumer may exercise the opt out right,

provided that the licensee may require the consumer opt out through a specific means, as long as the means is reasonable for that consumer.

(a) Reasonable opt out means. A licensee provides a reasonable means to exercise an opt out right if it:

(i) designates check off boxes in a prominent position on the relevant forms with the opt out notice;

(ii) includes a reply form together with the opt out notice;

(iii) provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's web site, if the consumer agrees to the electronic delivery of information;

(iv) provides a toll-free telephone number that consumers may call to opt out; or

(v) provides the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with Section 201 of this Act.

B. Initial notice required when opt out notice delivered subsequent to initial notice.

If a licensee provides the opt out notice later than required for the initial notice in accordance with Section 201.E. of this Act, the licensee must also include a copy of the initial notice in writing or, if the consumer agrees, electronically.

C. Joint relationships.

1. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice must explain how the licensee will treat an opt out direction by a joint consumer (as explained in paragraph C.2. of this subsection).

2. Any of the joint consumers may exercise the right to opt out. The licensee may either:

(a) treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or

(b) permit each joint consumer to opt out separately.

3. If the licensee permits each joint consumer to opt out separately, the licensee must permit one of the joint consumers to opt out on behalf of all of the joint consumers.

4. A licensee may not require all joint consumers to opt out before the licensee

implements any opt out direction.

D. Time to comply with opt out. A licensee must comply with a consumer's opt out

direction as soon as reasonably practicable after the licensee receives it.

E. Continuing right to opt out. A consumer may exercise the right to opt out at any

time.

F. Duration of consumer's opt out direction.

1. A consumer's direction to opt out under this section is effective until the consumer

revokes it in writing or, if the consumer agrees, electronically.

2. When a customer relationship terminates, the customer's opt out direction

continues to apply to the nonpublic personal financial information the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.

G. Delivery. When a licensee is required to deliver an opt out notice by this section,

the licensee must deliver it according to Section 206 of this Act.

Section 205: Revised privacy notices

A. General rule. Except as otherwise authorized in this Act, a licensee shall not,

directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under Section 201 of this Act, unless:

1. the licensee has provided to the consumer a revised notice that accurately

describes the licensee's policies and practices;

2. the licensee has provided to the consumer a new opt out notice and, if appropriate, an authorization as required in Section ~~401~~ 501 of this Act;

3. the licensee has given the consumer a reasonable opportunity, before the licensee

discloses the information to the nonaffiliated third party, to opt out of or, if appropriate, authorize the disclosure; and

4. the consumer does not opt out or, if appropriate, the consumer authorizes the disclosure.

B. Delivery. When the licensee is required to deliver a revised privacy notice by this

Section, the licensee must deliver it according to Section 206 of this Act.

Section 206: Delivering privacy and opt out notices

A. Provision of notices. A licensee must provide any privacy notices and opt out notices, including short-form initial notices, that this Act requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

1. The licensee may reasonably expect that a consumer will receive actual notice if the licensee:

(a) hand-delivers a printed copy of the notice to the consumer;

(b) mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication; and

(c) electronically, clearly and conspicuously posts the notice on the electronic site for the consumer who regularly accesses the licensee's web site to conduct transactions; or

(d) for an isolated transaction with the consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

2. A licensee may not reasonably expect that a consumer will receive actual notice of the licensee’s privacy policies and practices if the licensee:

(a) only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices; or

(b) sends the notice via electronic mail to a consumer who does not agree to receive the notice electronically or obtain a financial product or service from the licensee electronically.

B. Annual notices only. A licensee may reasonably expect that a customer will

receive actual notice of the licensee’s annual privacy notice if:

1. the customer agrees to receive notices at the web site, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or

2. the customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee’s current privacy notice remains available to the customer upon request.

C. Oral description of notice insufficient. A licensee may not provide any notice required by this Act solely by orally explaining the notice, either in person or over the telephone.

D. Retention or accessibility of notices for customers. For customers only, a licensee must provide the initial notice, the annual notice, and the revised notice required by this Act, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically, including, but not limited to hand-delivering a printed copy of the notice to the customer; mailing a printed copy of the notice to the last known address of the customer upon the request of the customer; or making the licensee’s current privacy notice available on a web site (or a link to another web site) for the customer who agrees to receive the notice at the web site.

E. Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of the licensee’s affiliates, other licensees or other financial institutions, or on behalf of another financial institution, as long as the notice is accurate with respect to the licensee and the other institutions.

F. Joint relationships. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of Sections 201, 202 and 205 irrespectively, by providing one notice to those consumers jointly.

~~Section 207: Nondiscrimination~~

CHAPTER THREE: LIMITS ON DISCLOSURE

Section 301: Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.

A. Conditions for disclosure. Except as otherwise authorized in this Act, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:

1. the licensee has provided to the consumer an initial notice as required under

Section 201 of this Act;

2. the licensee has provided to the consumer an opt out notice as required in Section

204 of this Act;

3. the licensee has given the consumer a reasonable opportunity, before the licensee

discloses the information to the nonaffiliated third party, to opt out of the disclosure. Methods of complying with this provision include, but are not limited to:

(a) By mail. The licensee mails the notices required in paragraph A.1. of this section to the consumer and allows the consumer to opt out by mailing a form, calling a toll free telephone number, or any other reasonable means within 30 days from the date the licensee mailed the notices;

(b) By electronic means. A customer opens an on-line account with the licensee and agrees to receive the notices required in paragraph A.1. of this section electronically, and the licensee makes the notices available to the customer on its web site and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account; or

(c) Isolated transaction with consumer. For an isolated transaction, such as providing the consumer with an insurance quote, a licensee provides a reasonable opportunity to opt out if the licensee provides the consumer the notices required in paragraph A.1. of this section at the time of the transaction and requests that the consumer decide, as a necessary act of the transaction, whether to opt out before completing the transaction; and

4. the consumer does not opt out.

B. Application of opt out to all consumers and all nonpublic personal financial information.

1. A licensee must comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.

2. Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that it has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.

Section 302: Limits on redisclosure and reuse of information

A. Information a licensee receives under an exception. If the licensee receives nonpublic personal information from a nonaffiliated financial institution under an exception of this Act or pursuant to an authorization under Section 501 of this Act, the licensee’s disclosure and use of that information is limited as follows:

1. the licensee may disclose the information to the affiliates of the financial

institution from which the licensee received the information;

2. the licensee may disclose the information to its affiliates and agents, but the

affiliates and agents may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information; and

3. the licensee may disclose and use the information pursuant to an exception in

Section 402 or 403 of this Act, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

B. Information a licensee receives outside of an exception. If a licensee receives

nonpublic personal information from a nonaffiliated financial institution other than under an exception in this Act or pursuant to an authorization under Section 501 of this Act, the licensee may disclose the information only:

1. to the affiliates of the financial institution from which the licensee received the

information;

2. to the licensee’s affiliates and agents, but the licensee’s affiliates and agents may, in turn, disclose the information only to the extent that the licensee can disclose the information; and

3. to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.

C. Information a licensee discloses under an exception. If the licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in Section 402 or 403 of this Act, the third Party may disclose and use that information only as follows:

1. the third Party may disclose the information to the licensee’s affiliates;

2. the third Party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third Party may disclose and use the information; and

3. the third Party may disclose and use the information pursuant to an exception in Section 402 or 403 of this Act, in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

D. Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal information to a nonaffiliated third Party other than under an exception in Section 402 or 403 of this Act or pursuant to an authorization under Section 501 of this Act, the third Party may disclose the information only:

1. to the licensee’s affiliates;

2. to the third Party’s affiliates, but the third Party’s affiliates, in turn, may disclose the information only to the extent the third Party can disclose the information; and

3. to any other person, if the disclosure would be lawful if the licensee made it directly to that person.

Section 303: Limits on sharing policy or contract number information for marketing purposes

A. General prohibition on disclosure of policy or contract numbers. A licensee ~~must~~ shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy ~~or contract~~ number or similar form of access number or access code for a consumer’s ~~credit card account, deposit account,~~ policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

B. Exceptions. Subsection A of this section does not apply if ~~the~~ a licensee discloses a policy ~~or contract~~ number or similar form of access number or access code:

1. to the licensee’s ~~agent or~~ service provider solely in order to perform marketing for the licensee’s own products or services, as long as the ~~agent or~~ service provider is not authorized to directly initiate charges to the account; or

2. to a participant in ~~a private label credit card program or~~ an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program; or

3. to a licensee who is a producer solely in order to perform marketing for the licensee's own products or services.

CHAPTER FOUR: EXCEPTIONS

Section 401: Exception to opt out requirements for service providers and joint

marketing

A. General rule. The opt out requirements of this Act do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for, or functions on behalf of the licensee, if the licensee:

(a) provides the initial notice in accordance with this Act; and

(b) enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in Section 402 or 403 of this Act, in the ordinary course of business to carry out those purposes.

B. Insurance functions. A licensee may use and disclose personally identifiable financial information to a person acting on behalf of or at the direction of the licensee to perform the licensee's insurance functions including, but not limited to, claims administration, claims adjustment and management, fraud investigation, underwriting, loss control, rate making functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, grievance procedures, internal administration of compliance, managerial, and information systems, policyholder service functions, account administration, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, and as otherwise required or specifically permitted by federal or state law.

C.B. Service may include joint marketing. The services performed for a licensee by a nonaffiliated third Party under subsection A of this section may include marketing of the licensee's own products or services or marketing of financial products or services offered

pursuant to joint agreements between the licensee and one or more financial institutions.

D.C. Definition of joint agreement. For purposes of this section, "joint agreement" means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

Section 402: Exceptions to notice and opt out requirements for processing

and servicing transactions

A. Exceptions for processing transactions at consumer’s request. The requirements

for initial notice to consumers in Section 201.A.2., providing the opt out opportunity to consumers and customers, and the application of this Act to service providers and joint marketing do not apply if a licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with:

1. servicing or processing a financial product or service requested or authorized by the consumer, including such products or services under consideration by a consumer;

2. maintaining or servicing the consumer's account with the licensee or with another entity;

3. transactions involving a person acting as agent of the licensee, provided such agent agrees not to disclose said nonpublic personal financial information to additional third parties; or

4. a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer

B. Exceptions for the administration of an employer's benefit plan. The requirements of this Act do not apply if a licensee discloses nonpublic personal information for any purpose related to effecting, administering or replacing a group benefit plan, a group health plan, or a group welfare plan.

C. Insurance functions. A licensee may use and disclose personally identifiable financial information to a person acting on behalf of or at the direction of the licensee to perform the licensee's insurance functions including, but not limited to, claims administration, claims adjustment and management, fraud investigation, underwriting, loss control, rate making functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, grievance procedures, internal administration of compliance, managerial, and information systems, policyholder service functions, account administration, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, and as otherwise required or specifically permitted by federal or state law.

C.D. Necessary to effect, administer, or enforce a transaction means, in this section, that the disclosure is:

1. required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

2. required, or is a usual, appropriate, or acceptable method:

(a) to carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;

(b) to administer, adjudicate or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(c) to provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;

(d) to accrue or recognize incentives or bonuses associated with the transaction that are provided by the licensee or any other Party;

(e) to underwrite insurance at the consumer’s request or for reinsurance purposes, or for any of the following purposes, as they relate to a consumer’s insurance: account administration, reporting, investigating, preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or state law;

(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or policy or contract number, or by other payment means;

consumers in Section 201.A.2., the opportunity to opt out, and the provisions applicable to service providers and joint marketing in this Act do not apply when a licensee discloses nonpublic personal financial information:

1. with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

2. (a) to protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product or transaction;

(b) to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;

(d) to persons holding a legal or beneficial interest relating to the consumer; or

(e) to persons acting in a fiduciary or representative capacity on behalf of the consumer.

3. to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants, and auditors;

4. to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, with respect to any person ~~domiciled~~ in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

5. (a) to a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and the fair credit laws of this State; or

6. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of such business or unit; or

7. (a) to comply with Federal, state, or local laws, rules and other applicable legal requirements;

(b) to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state or local authorities; or

(c) to respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.

10. to reveal a consumer's presence in a facility owned by the licensee and the consumer's general health condition;

11. to a reinsurer, stop loss or excess loss carrier for the purpose of underwriting, claims adjudication and conducting claim file audits;

(b) to determine the cause and manner of death by a chief medical examiner or the medical examiner's designee; or

13. to a state department of insurance that is performing an examination, investigation, or audit of the licensee or

14. pursuant to a court order issued after the court's determination that the public interest in disclosure outweighs the consumer's privacy interest and that the personally identifiable health information is not reasonably available by other means.

B. Licensees acting as employers or purchasers of insurance. Nothing in this Act shall be construed as applicable to information disclosures by licensees in connection with the purchase of insurance coverage by the licensee or the arrangement of insurance coverage by the licensee for its employees.

Section 501: Personally identifiable health information privacy notice and disclosure authorization

A. General Rule. A licensee shall obtain an authorization to disclose, prior to making such disclosure, any personally identifiable health information if the purpose of the disclosure is for the marketing of services or goods for personal, family or household purposes.

B. Form of ~~Notice and~~ Request for Authorization. ~~The notice~~ Where an authorization is required by this Section, the request for authorization may be included in the notice required by Section 201 of this Act, provided that ~~the notice~~ it shall comply with the following requirements:

1. a general description of the purpose of the disclosure of personally identifiable health information shall be stated in clear and simple terms and shall appear as a separate paragraph.

2. the request for authorization shall specify that the authorization shall remain valid for no more than twenty-four months and may be revoked at any time.

3. the request for authorization shall specify that the terms and conditions of all

insurance policies will not be affected in any way by a refusal to give authorization, as provided in Section ~~207~~ 105 of this Act.

C. Exceptions for the administration of an employer's benefit plan. The requirements of this Act do not apply and, thus, the authorization described by this Section is not required, if a licensee discloses nonpublic personal health information for any purpose related to effecting, administering or replacing a group benefit plan, a group health plan, or a group welfare plan.

D. Nothing in this section shall prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee when sharing such information with a vendor who is acting on behalf of the company, or for the performance of insurance functions by or on behalf of the licensee, including but not limited to: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement of issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process.

A. Nothing in this Act shall be construed to modify, limit, or supersede the operation of the Federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this Act regarding whether information is transaction or experience information under Section 603 of that Act.

B. Nothing in this Act shall be construed to modify, limit or supersede the operation of the fair credit law of this State.

C. Nothing in this Act shall preempt or supercede existing state law related to medical records, health or insurance information privacy.

Section 602: Protection of Health Insurance Portability and Accountability Act Nothing in

this Act shall be construed to limit, modify or supercede and does not limit, modify or supersede

the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of Sections 262 and 264 of the Federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).

A. Prohibition. No licensee shall knowingly or willfully violate the provisions of this Act.

B. Violation. The insurance regulatory authorities of this State are authorized to investigate any alleged violations of this Act and to impose fines and other sanctions as lawfully determined to be appropriate in accordance with the applicable insurance laws of this State.

[Drafting Note: States may want to add their own language, stating that a violation of Chapters 1 to 6 of this Act shall be considered an Unfair Trade Practice pursuant to that state’s law and subject to the penalties provided by that state’s law.]

~~Section 604: Rules and Regulations.~~ This [Chapter] [Act] shall be enforced, under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled.

~~[Drafting Note: States may want to add language to provide that this Chapter would take precedence in the case that this Act creates inconsistencies in the state.]~~

A. Effective date. This Act is effective on _____. In order to provide sufficient time for insurers and other licensees to establish policies and systems to comply with the requirements of this Act, time for compliance with this Act is extended until July 1, 2001.

compliance date. By July 1, 2001, the licensee shall have provided an initial notice, as required by Section 201 of this Act, to consumers who are the licensee’s customers on July 1, 2001.

C. Two year grandfathering of service agreements. Until July 1, 2002, a contract that the licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on its behalf does not need to satisfy the provisions of Section 401 of this Act which provide that the third Party maintain the confidentiality of nonpublic personal information, as long as the licensee entered into the agreement on or before July 1, 2000.