INSURANCE: PRIVACY REQUIREMENTS - S.B. 431 & 432: COMMITTEE SUMMARY
Senate Bills 431 and 432 (as introduced 4-26-01)
Sponsor: Senator Bill Bullard, Jr.
Committee: Financial Services
Date Completed: 5-1-01
CONTENT
The bills would amend the Insurance Code to provide for the treatment of nonpublic personal financial information about individuals who obtained or were claimants or beneficiaries of insurance products.
Specifically, Senate Bill 431 would add Chapter 5 (Privacy of Financial Information) to do the following:
-- Prohibit a licensee from disclosing nonpublic personal financial information about a consumer to a nonaffiliated third party unless the customer were notified of the licensee's privacy policies and had an opportunity to opt out of the disclosure.
-- Require a licensed insurer or producer, beginning on July 1, 2001, to notify customers of its privacy policies and practices concerning the disclosure of nonpublic personal financial information.
-- Require a licensee to notify customers of its privacy practices and policies at least annually, and to provide a revised policy notice when a customer obtained a new insurance product or service.
-- Require a licensee to notify a consumer of his or her right to opt out of the licensee's disclosure of nonpublic personal financial information.
-- Require a licensee to give a required notice so that a customer could be reasonably expected to receive actual notice in writing or, if the customer agreed, electronically.
-- Provide for a limited disclosure of nonpublic personal financial information that a licensee received from a nonaffiliated financial institution.
-- Prohibit a licensee from disclosing certain insurance policy and account information for use in telemarketing, direct mail marketing, or marketing through electronic mail.
-- Make exceptions to the bill's consumer notification provisions if a licensee disclosed nonpublic personal financial information to administer a transaction that a consumer requested or with a consumer's consent.
-- Prohibit a licensee from discriminating against a consumer for opting out of the disclosure of his or her nonpublic personal financial information.
-- Establish penalties for violating the bill and rules promulgated under it.
Senate Bill 432 would require the Commissioner of the Office of Financial and Insurance Services to promulgate rules pursuant to the Administrative Procedures Act to implement State requirements under the Federal Gramm-Leach-Bliley Act.
A more detailed description of Senate Bill 431 follows.
Application
The bill specifies that Chapter 5 would apply to the treatment of nonpublic personal financial information about individuals who obtained or were claimants or beneficiaries of products or services primarily for personal, family, or household purposes from licensees whether through an individual or group plan. Chapter 5 would not apply to information about companies or individuals who obtained products or services for business, commercial, or agricultural purposes.
The bill also specifies that it would not modify, limit, or supersede statute or rules governing the confidentiality or privacy of individually identifiable health and medical information, including specified confidentiality provisions in the Revised Judicature Act, the Public Health Code, the Nonprofit Health Care Corporation Reform Act, the Michigan Penal Code, the Freedom of Information Act, and the Third Party Administrator Act.
("Licensee" would mean a licensed insurer or producer (a person required to be licensed under the Code to sell, solicit, or negotiate insurance), and other persons licensed or required to be licensed, authorized or required to be authorized, registered or required to be registered, or holding or required to hold a certificate of authority under the Code. "Licensee" would include a nonprofit health care corporation operating under the Nonprofit Health Care Corporation Reform Act (which regulates Blue Cross and Blue Shield of Michigan). "Licensee" also would include an unauthorized insurer who placed business through a licensed surplus line agent or broker in the State, but only for the surplus line placements under Chapter 19 (Surplus Lines Insurance Act) of the Code.
"Nonpublic personal financial information" would mean personally identifiable financial information and any list, description, or other grouping of consumers and publicly available information pertaining to them that was derived using any personally identifiable financial information that was not publicly available. The term would not include any of the following: health information, publicly available information, or any list, description, or other grouping of consumers and publicly available information pertaining to them that was derived without using any personally identifiable financial information that was not publicly available. "Personally identifiable financial information" would mean any of the following: information a consumer provided to a licensee to obtain an insurance product or service from the licensee; information about a consumer resulting from any transaction involving an insurance product or service between a licensee and a consumer; or information that the licensee otherwise obtained about a consumer in connection with providing an insurance product or service to that consumer.
"Publicly available information" would mean any information that a licensee had a reasonable basis to believe was lawfully made available to the general public from Federal, State, or local government records, by wide distribution by the media, or by disclosures to the general public that were required to be made by Federal, State, or local law. A licensee would have a reasonable basis to believe that the information was lawfully made available to the general public if both of the following applied: the licensee had taken steps to determine that the information was of the type that was available to the general public; and, if an individual could direct that the information not be made available to the general public, that the licensee's consumer had not directed that the information not be made available to the general public.)
Licensee Exceptions
A licensee that was a producer would be subject to all of the bill's requirements, except as follows: if the producer were employed by a licensee as a common law employee or a statutory employee as defined in the Federal Insurance Contributions Act under the Internal Revenue Code; or, if the producer disclosed nonpublic personal financial information on behalf of or at the direction of a licensee.
A licensee would not be required to provide the notice and opt out requirements for nonpublic personal financial information under the bill if the licensee were an employee, agent, or other representative of a principal and all of the following were met: the principal was another licensee; the principal otherwise complied with and provided the notices required under the bill; and, the licensee did not disclose any nonpublic personal information to any person other than the principal or its affiliates as provided in the bill. ("Opt out" would mean a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted in the bill.)
A surplus lines broker or surplus lines insurer would be in compliance with the notice and opt out requirements for nonpublic personal financial information if all of the following were met:
-- The broker or insurer did not disclose a consumer's or customer's nonpublic personal information to nonaffiliated third parties for any purpose, including joint servicing or marketing, except as permitted under the bill.
-- At the time a customer relationship was established, the broker or insurer gave the consumer a notice on which the privacy notice, as specified in the bill, was printed.
("Consumer" would mean an individual, or the individual's legal representative, who sought to obtain, obtained, or had obtained an insurance product or service from a licensee that was to be used primarily for personal, family, or household purposes. "Consumer" would include all of the following:
-- An individual who provided nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment, or economic advisory services relating to an insurance product or service. An individual would be a consumer under this provision regardless of whether the licensee established an ongoing advisory relationship.
-- An applicant for insurance prior to the inception of insurance coverage.
-- A beneficiary of a life insurance policy underwritten by the licensee.
-- A claimant under an insurance policy issued by the licensee.
-- An insured under an insurance policy or an annuitant under an annuity issued by the licensee.
-- A mortgagor of a mortgage covered under a mortgage insurance policy.
-- An individual about whom the licensee disclosed nonpublic personal financial information to a nonaffiliated third party other than as permitted under the bill.
Unless otherwise specifically provided, "consumer" would not include an individual solely because he or she met one of the following:
-- Was a participant or a beneficiary of an employee benefit plan that the licensee administered or sponsored or for which the licensee acted as a trustee, insurer, or fiduciary.
-- Was covered under a group or blanket insurance policy or group annuity contract issued by the licensee.
-- Was a beneficiary in a workers' compensation plan.
-- Was a beneficiary of a trust for which the licensee was a trustee.
-- Had designated the licensee as trustee for a trust.
"Customer" would mean a consumer who had a customer relationship with a licensee. "Customer" would not include a third party consumer solely by virtue of his or her status as a third party consumer. "Customer relationship" would mean a continuing relationship between a consumer and a licensee under which the licensee provided one or more insurance products or services to the consumer that were to be used primarily for personal, family, or household purposes.)
Privacy Notice
Beginning on July 1, 2001, a licensee would have to provide a clear and conspicuous notice that accurately reflected its privacy policies and practices to all of the following:
-- An individual who on or after July 1, 2001, became the licensee's customer, not later than when the licensee established a customer relationship, except as provided in the bill.
-- An individual who had been the licensee's customer before July 1, 2001, at the next regularly scheduled contact with that customer but not later than July 1, 2002, so long as the licensee did not disclose any nonpublic personal financial information that the customer could opt out of under the bill.
-- A consumer, before the licensee disclosed any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee made a disclosure other than as authorized under the bill.
A licensee would not be required to provide an initial notice to a consumer if the licensee met any of the following:
-- The licensee did not disclose any nonpublic personal financial information about that consumer to any nonaffiliated third party, other than as authorized under the bill, and the licensee did not have a customer relationship with the consumer.
-- An affiliated licensee had given the consumer a notice that clearly identified all licensees to whom the notice applied and was accurate with respect to the licensee and the other institutions.
Customer Relationship
The bill specifies that a licensee would establish a customer relationship at the time the licensee and the consumer entered into a continuing relationship, which would include all of the following: for an insurer, when the consumer received the delivery of an insurance policy or contract; for a producer, when the consumer obtained insurance through that licensee; and, when the consumer agreed to obtain financial, economic, or investment advisory services relating to insurance products or services for a fee from the licensee.
When an existing customer obtained a new insurance product or service from a licensee that was to be used primarily for personal, family, or household purposes, the licensee would have to provide a revised privacy notice that met the bill's requirements and that covered the customer's new insurance product or service. If the initial, revised, or annual notice that the licensee most recently provided to that customer were accurate with respect to the new insurance product or service, however, the licensee would not have to provide a new privacy notice under this provision.
A licensee could provide the initial notice within a reasonable time after the licensee established a customer relationship if establishing that relationship were not at the customer's election or providing notice not later than when the licensee established a customer relationship would substantially delay the customer's transaction and the customer agreed to receive the notice at a later time.
When a licensee was required to deliver an initial notice under these provisions, the licensee would have to deliver it according to the bill's requirements for notifying a consumer. If the licensee used a short-form initial notice for noncustomers according to the bill, the licensee could deliver its privacy notice according to the bill's requirements for a short-form initial notice.
A licensee would have to provide a clear and conspicuous notice to customers that accurately reflected its privacy policies and practices at least annually during the continuation of the customer relationship. A licensee would not be required to provide an annual notice to a former customer.
The initial, annual, and revised notices would have to include each of the following items of information, in addition to any other information the licensee wished to provide, that applied to the licensee and to the consumers to whom the licensee sent its privacy notice: the categories of nonpublic personal financial information that the licensee collected; the categories of nonpublic personal financial information that the licensee disclosed; and the categories of affiliates and nonaffiliated third parties to whom the licensee disclosed nonpublic personal financial information, other than those parties to whom the licensee disclosed information as permitted under the bill.
The notice also would have to include the categories of nonpublic personal financial information about the licensee's former customers that the licensee disclosed and the categories of affiliates and nonaffiliated third parties to whom the licensee disclosed nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee disclosed information as permitted under the bill. If a licensee disclosed nonpublic personal financial information to a nonaffiliated third party as permitted by the bill and no other exception in the bill applied to that disclosure, the notice would have to include a separate description of the categories of information the licensee disclosed and the categories of the third parties with whom the licensee had contracted.
In addition, the notice would have to include: an explanation of the consumer's right under the bill to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method by which the consumer could exercise that right at that time; any disclosures that the licensee made under the Federal Fair Credit Reporting Act, Title VI of the Consumer Credit Protection Act; the licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and, any disclosure that the licensee made under the following provision.
If a licensee disclosed nonpublic financial information, as authorized under the bill, the licensee would not be required to list those exceptions in the initial or annual notices. When describing the categories of parties to whom disclosure was made, the licensee would be required to state only that it made disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
Short-Form Initial Notice
A licensee could satisfy the bill's initial notice requirements for a consumer who was not a customer by providing a short-form initial notice at the same time as the licensee delivered an opt out notice. A short-form initial notice would have to be clear and conspicuous, state that the licensee's privacy notice was available upon request, and explain a reasonable means by which the consumer could obtain that notice. The licensee would have to deliver this notice according to the bill's requirements (described below), but would not be required to deliver its privacy notice with its short-form initial notice and could provide the consumer a reasonable means to obtain its privacy notice. If a consumer who received the licensee's short-form notice requested the privacy notice, the licensee would have to deliver the privacy notice according to the bill.
The short-form initial notice could include categories of nonpublic personal financial information that the licensee reserved the right to disclose in the future but did not currently disclose, and categories of affiliates or nonaffiliated third parties to whom the licensee reserved the right in the future to disclose but to whom the licensee did not currently disclose, nonpublic personal financial information.
Opt Out Notice
If a licensee were required to provide an opt out notice under the bill, it would have to provide a clear and conspicuous notice to each of its consumers that accurately explained the right to opt out. The notice would have to state all of the following: that the licensee disclosed or reserved the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated party; that the consumer had the right to opt out of that disclosure; and, a reasonable means by which the consumer could exercise the opt out right.
A licensee could provide the required opt out notice together with or on the same written or electronic form as the initial notice. If a licensee provided the opt out notice later than required for the initial notice, the licensee also would have to include a copy of the initial notice with the opt out notice in writing or, if the consumer agreed, electronically.
If at least two consumers jointly obtained an insurance product or service from a licensee, the licensee could provide a single opt out notice. This notice would have to explain how the licensee would treat an opt out direction by a joint consumer and could either treat an opt out direction by a joint consumer as applying to all of the associated joint consumers or permit each joint consumer to opt out separately. If each joint consumer could opt out separately, the licensee would have to permit one of the joint consumers to opt out on behalf of all of the joint consumers. A licensee could not require all joint consumers to opt out before it implemented any opt out direction.
A licensee would have to comply with a consumer's opt out direction as soon as reasonably practicable after the licensee received it. A consumer could exercise the right to opt out at any time. A consumer's direction to opt out would be in effect until he or she revoked it in writing or, if the consumer agreed, revoked it electronically. If a customer relationship terminated, the customer's opt out direction would continue to apply to the nonpublic personal financial information that the licensee collected during or related to the relationship. If the individual subsequently established a new customer relationship with the licensee, the opt out direction that applied to the former relationship would not apply to the new relationship.
Prohibited Disclosure
Except as otherwise authorized, a licensee could not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice unless all of the following had been met: the licensee had given the consumer a clear and conspicuous revised notice that accurately described its policies and practices; the licensee had given the consumer a new opt out notice; and, the licensee had given the consumer a reasonable opportunity, before the licensee disclosed the information to the nonaffiliated third party, to opt out of the disclosure, and the consumer did not opt out.
Delivery of Notice
A licensee would have to provide any notice required under the bill so that each consumer could reasonably be expected to receive actual notice in writing or, if the consumer agreed, electronically. A licensee could reasonably expect that a consumer would receive actual notice if the licensee did any of the following: hand delivered a printed copy of the notice to the consumer; mailed a printed copy to the last known address of the consumer separately, or in a policy, billing, or other written communication; for a consumer who conducted transactions electronically, posted the notice on the electronic site and required the consumer to acknowledge receiving the notice as a necessary step to obtaining a particular insurance product or service; or, for an isolated transaction with a consumer, such as providing an insurance quote or selling travel insurance, posted the notice and required the consumer to acknowledge receiving it as a necessary step to obtaining the particular insurance product or service.
The bill specifies that the following would not provide a reasonable expectation that a consumer would receive actual notice of a licensee's policies and practices: The licensee only posted a sign in its office or generally published advertisements of its privacy policies and practices; or, the licensee sent the notice via electronic mail to a consumer who did not electronically obtain an insurance product or service from the licensee.
A licensee could reasonably expect that a customer would receive actual notice of the licensee's annual notice in either of the following cases: The customer used the licensee's website to gain access to insurance products and services electronically and agreed to receive notices at the website and the licensee posted its current privacy notice continuously in a clear and conspicuous manner on the website; or, the customer had requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remained available to the customer upon request.
A licensee could not provide any notice required by the bill solely by orally explaining the notice, either in person or over the phone. For customers only, a licensee would have to provide the initial, annual, and revised notices so that the customer could retain them or obtain them later in writing or, if the customer agreed, electronically. The bill specifies that a licensee would provide an initial, annual, or revised notice to the customer so that he or she could retain it or obtain it later if the licensee did any of the following: hand delivered a printed copy of the notice to the customer; mailed a printed copy to the customer's last known address; or, made the current initial, annual, or revised notice available on a website or a link to another website for the customer who obtained an insurance product or service electronically and agreed to receive the notice at the website.
A licensee could provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, if the notice were accurate with respect to the licensee and other institutions. A licensee also could provide a notice on behalf of another financial institution, as identified in the notice, if it were accurate with respect to the licensee and the other institution. If at least two consumers jointly obtained an insurance product or service from a licensee, the licensee could satisfy the initial, annual, and revised notice requirements by providing one notice to those consumers jointly.
Disclosure
Except as otherwise provided in the bill, a licensee could not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee had provided to the consumer an initial notice and an opt out notice, and, the licensee had given the consumer a reasonable opportunity, before it disclosed the information to the nonaffiliated third party, to opt out of the disclosure and the consumer did not opt out.
The bill specifies that a licensee would provide a consumer with a reasonable opportunity to opt out in any of the following ways:
-- If the licensee mailed the required notices to the consumer and allowed the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 45 days from the date the licensee mailed the notices.
-- A customer opened an on-line account with a licensee and agreed to receive the notices required in the bill electronically, and the licensee allowed the customer to opt out by any reasonable means within 45 days after the date that the customer acknowledged receiving the notices in conjunction with opening the account.
-- For an isolated transaction such as providing the consumer with an insurance quote, if the licensee provided the required notices at the time of the transaction and requested that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
The bill specifies that these provisions would apply to a licensee whether or not the licensee and the consumer had established a customer relationship. Unless a licensee complied with these provisions, the licensee could not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee had collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer. A licensee could allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wished to opt out.
Limited Disclosure
If a licensee received nonpublic personal financial information from a nonaffiliated financial institution under an exception permitted in the bill (described below), the licensee's disclosure and use of that information would be limited as follows: The licensee could disclose the information to the affiliates of the financial institution from which the licensee received the information; and the licensee could disclose the information to its affiliates, but they could, in turn, disclose and use the information only to the extent that the licensee could disclose and use it. The licensee also could disclose and use the information pursuant to an exception in the bill, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
If a licensee received nonpublic personal financial information from a nonaffiliated financial institution other than under an exception, the licensee could disclose the information only as follows: to the affiliates of the financial institution from which the licensee received the information; to its affiliates, who could, in turn, disclose the information only to the extent that the licensee could disclose the information; or, to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
If a licensee disclosed nonpublic personal financial information to a nonaffiliated third party under an exception in the bill, the third party could disclose and use that information only as follows: to the licensee's affiliates; to its affiliates, who could disclose and use the information only to the extent that the third party could disclose and use it; and, pursuant to an exception in the bill, in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
If a licensee disclosed nonpublic personal financial information to a nonaffiliated third party other than under an exception in the bill, the third party could disclose the information only as follows: to the licensee's affiliates; to the third party's affiliates, who could disclose the information only to the extent that the third party could disclose it; and, to any other person, if the disclosure would be lawful if the licensee made it directly to that person.
Prohibit Disclosure for Marketing
A licensee could not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy or account number or other access number or access code for a consumer's policy, credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
This prohibition would not apply if a licensee disclosed a policy or account number or other access number or access code as follows: to the licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider was not authorized directly to initiate charges to the account; to a licensee who was a producer solely in order to perform marketing for the licensee's own products or services; or, to a participant in an affinity or similar program whose participants were identified to the customer when he or she entered into the program.
The bill specifies that these provisions would not apply if the policy or account number, or other access number or access code, did not include a number or code in an encrypted form, as long as the licensee did not give the recipient a means to decode the number or code.
Exceptions
The bill's opt out requirements would not apply when a licensee provided nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee provided the initial notice and entered into a contractual agreement with the third party that prohibited the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception provided in the bill in the ordinary course of business to carry out those purposes.
The services a nonaffiliated third party performed for a licensee under this provision could include marketing of the licensee's own products or services or marketing of insurance products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
The bill's privacy notice and opt out notice requirements would not apply if the licensee disclosed nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requested or authorized, or in connection with any of the following: servicing or processing an insurance product or service that a consumer requested or authorized; maintaining or servicing the consumer's account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity; a proposed or actual securitization, secondary market sale including sales of servicing rights, or similar transaction related to a consumer's transaction; or, reinsurance or stop loss or excess loss insurance.
In addition, the bill's provisions on consumer notification and opt out would not apply when a licensee disclosed nonpublic personal financial information as follows: with the consent or at the direction of the consumer, provided that the consumer had not revoked the consent or direction; to protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product, or transaction; to protect against or prevent actual or potential fraud or unauthorized transactions; for required institutional risk control or for resolving consumer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; to persons acting in a fiduciary or representative capacity on behalf of the consumer; or, to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that were rating a licensee, persons that were assessing the licensee's compliance with industry standards, or the licensee's attorneys, accountants, and auditors.
Disclosure also would be permitted to the extent specifically permitted or required under other provisions of law and in accordance with the Federal Right to Privacy Act, Title XI of the Financial Institutions Regulatory and Interest Rate Control Act; to law enforcement agencies including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to certain provisions of the U.S. Code, the Federal Trade Commission, a state insurance authority, self-regulatory organizations, or for an investigation on a matter related to public safety.
In addition, the notice and opt out requirements would not apply when a licensee disclosed nonpublic personal financial information to a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act; from a consumer report reported by a consumer reporting agency; in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit of the licensee if the disclosure concerned solely consumers of that business or unit; to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation, subpoena, or summons by a Federal, State, or local authority; to respond to judicial process or a government regulatory authority having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law; or, for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or workers' compensation plan to the extent necessary to effectuate the replacement.
Other Provisions
Credit Reporting. The bill specifies that nothing in Chapter 5 could be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, Title VI of the Consumer Credit Protection Act, and no inference could be drawn on the basis of the provisions of the bill regarding whether information was transaction or experience information under the Fair Credit Reporting Act.
Prohibited Discrimination. A licensee could not discriminate against any consumer because the consumer had opted out or intended to opt out from the disclosure of his or her nonpublic personal financial information pursuant to the bill.
Third Party Contract. Until July 1, 2002, a contract that a licensee had entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf would satisfy the criteria for an opt out exception, even if the contract did not include a requirement that the third party maintain the confidentiality of nonpublic personal financial information, as long as the licensee entered into the agreement on or before July 1, 2000.
Rules Promulgation. The Commissioner of the Office of Financial and Insurance Services would be required to promulgate rules pursuant to the Administrative Procedures Act for administrative, technical, and physical safeguards that protected the security, confidentiality, and integrity of customer information, pursuant to provisions of the Federal Gramm-Leach-Bliley Act. Rules promulgated under this provision could not be more restrictive than the Federal interagency guidelines establishing standards for safeguarding customer information (February 1, 2001).
Penalties. The bill specifies that a violation of Chapter 5 or a rule promulgated under it would be considered an unfair method of competition and an unfair or deceptive act or practice under Chapter 20 (Unfair and Prohibited Trade Practices and Fraud) of the Code and would be subject to the procedures and penalties provided for in Chapter 20.
- Legislative Analyst: L. Arasim
FISCAL IMPACT
According to the Office of Financial and Insurance Services, these bills would increase the regulatory responsibilities of the Office by imposing additional requirements on the 1,500 insurance companies already regulated, which could increase costs. Additionally, the bills would require the promulgation of new rules, which would impose implementation costs. There is no information available as to what these costs would be.
- Fiscal Analyst: M. Tyszkiewicz
S0102\s431sa
This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.