Act No. 24

Public Acts of 2001

Approved by the Governor

June 17, 2001

Filed with the Secretary of State

June 18, 2001

EFFECTIVE DATE: June 18, 2001

STATE OF MICHIGAN

91ST LEGISLATURE

REGULAR SESSION OF 2001

Introduced by Senator Bullard

ENROLLED SENATE BILL No. 431

AN ACT to amend 1956 PA 218, entitled "An act to revise, consolidate, and classify the laws relating to the insurance and surety business; to regulate the incorporation or formation of domestic insurance and surety companies and associations and the admission of foreign and alien companies and associations; to provide their rights, powers, and immunities and to prescribe the conditions on which companies and associations organized, existing, or authorized under this act may exercise their powers; to provide the rights, powers, and immunities and to prescribe the conditions on which other persons, firms, corporations, associations, risk retention groups, and purchasing groups engaged in an insurance or surety business may exercise their powers; to provide for the imposition of a privilege fee on domestic insurance companies and associations and the state accident fund; to provide for the imposition of a tax on the business of foreign and alien companies and associations; to provide for the imposition of a tax on risk retention groups and purchasing groups; to provide for the imposition of a tax on the business of surplus line agents; to provide for the imposition of regulatory fees on certain insurers; to modify tort liability arising out of certain accidents; to provide for limited actions with respect to that modified tort liability and to prescribe certain procedures for maintaining those actions; to require security for losses arising out of certain accidents; to provide for the continued availability and affordability of automobile insurance and homeowners insurance in this state and to facilitate the purchase of that insurance by all residents of this state at fair and reasonable rates; to provide for certain reporting with respect to insurance and with respect to certain claims against uninsured or self-insured persons; to prescribe duties for certain state departments and officers with respect to that reporting; to provide for certain assessments; to establish and continue certain state insurance funds; to modify and clarify the status, rights, powers, duties, and operations of the nonprofit malpractice insurance fund; to provide for the departmental supervision and regulation of the insurance and surety business within this state; to provide for regulation over worker's compensation self-insurers; to provide for the conservation, rehabilitation, or liquidation of unsound or insolvent insurers; to provide for the protection of policyholders, claimants, and creditors of unsound or insolvent insurers; to provide for associations of insurers to protect policyholders and claimants in the event of insurer insolvencies; to prescribe educational requirements for insurance agents and solicitors; to provide for the regulation of multiple employer welfare arrangements; to create an automobile theft prevention authority to reduce the number of automobile thefts in this state; to prescribe the powers and duties of the automobile theft prevention authority; to provide certain powers and duties upon certain officials, departments, and authorities of this state; to repeal acts and parts of acts; and to provide penalties for the violation of this act," by amending section 115 (MCL 500.115), as added by 1992 PA 182, and by adding section 2013 and chapter 5.

The People of the State of Michigan enact:

Sec. 115. As used in this act unless the context clearly indicates otherwise:

(a) "Affiliate" or a person "affiliated" with a specific person means a person that directly, or indirectly through 1 or more intermediaries, controls, is controlled by, or is under common control with the person specified.

(b) "Control" including the terms "controlling", "controlled by", and "under common control with" mean the following:

(i) Except as otherwise provided in subparagraph (ii), the possession or the contingent or noncontingent right to acquire possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract including acquisition of assets or bulk reinsurance, other than a commercial contract for goods or nonmanagement services, by pledge of securities, or otherwise, unless the power is the result of an official position with or corporate office held by the person. Control is presumed to exist if any person, by formal or informal arrangement, device, or understanding, directly or indirectly, owns, controls, holds with the power to vote, or holds proxies representing 10% or more of the voting securities of any other person or for a mutual insurer owns 10% or more of the insurer's surplus through surplus notes, guarantee fund certificates or other evidence of indebtedness issued by the insurer. This presumption may be rebutted by a showing made in the manner provided by section 1332 that control does not in fact exist. The commissioner may determine after furnishing to all persons in interest notice and an opportunity to be heard and making specific findings of fact to support the determination that control in fact exists notwithstanding the absence of a presumption to that effect.

(ii) "Control", for the purpose of section 1243 and chapter 5 only, means 1 or more of the following:

(A) Ownership, control, or power to vote 25% or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through 1 or more other persons.

(B) Control in any manner over the election of a majority of the directors, trustees, or general partners or individuals exercising similar functions of the company.

(C) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner determines.

(c) "Insurance holding company system" means 2 or more affiliated persons, 1 or more of which is an insurer.

(d) "Securityholder" of a specified person means a person who owns any security of the person, including common stock, preferred stock, debt obligations, and any other security convertible into or evidencing the right to acquire any of the foregoing.

(e) "Subsidiary" of a specified person means an affiliate controlled by that person directly or indirectly through 1 or more intermediaries.

(f) "Voting security" includes any security convertible into or evidencing a right to acquire a voting security.

CHAPTER 5

PRIVACY OF FINANCIAL INFORMATION

Sec. 501. (1) This chapter applies to the treatment of nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family, or household purposes from licensees whether through an individual or group plan. This chapter does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes.

(2) This chapter does not modify, limit, or supersede any provision of section 1243.

(3) This chapter does not modify, limit, or supersede statute or rules governing the confidentiality or privacy of individually identifiable health and medical information, including, but not limited to, all of the following:

(a) Section 2157 of the revised judicature act of 1961, 1961 PA 236, MCL 600.2157.

(b) Section 1750 of the mental health code, 1974 PA 258, MCL 330.1750.

(c) The public health code, 1978 PA 368, MCL 333.1101 to 333.25211.

(d) Section 406 of the nonprofit health care corporation reform act, 1980 PA 350, MCL 550.1406.

(e) Sections 410 and 492A of the Michigan penal code, 1931 PA 328, MCL 750.410 and 750.492a.

(f) Section 13 of the freedom of information act, 1976 PA 442, MCL 15.243.

(g) Section 34 of the third party administrator act, 1984 PA 218, MCL 550.934.

Sec. 503. As used in this chapter:

(a) "Affiliate" means any company that controls, is controlled by, or is under common control with another company.

(b) "Annual notice" means the privacy notice required in section 513.

(c) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(d) "Collect" means to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

(e) "Company" means any corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship, or similar organization.

(f) "Consumer" means an individual, or the individual's legal representative, who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes. As used in this chapter:

(i) "Consumer" includes, but is not limited to, all of the following:

(A) An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment, or economic advisory services relating to an insurance product or service. An individual is a consumer under this subparagraph regardless of whether the licensee establishes an ongoing advisory relationship.

(B) An applicant for insurance prior to the inception of insurance coverage.

(C) An individual that a licensee discloses nonpublic, personal financial information about to a nonaffiliated third party other than as permitted under sections 535, 537, and 539, if the individual is any of the following:

(I) A beneficiary of a life insurance policy underwritten by the licensee.

(II) A claimant under an insurance policy issued by the licensee.

(III) An insured under an insurance policy or an annuitant under an annuity issued by the licensee.

(IV) A mortgagor of a mortgage covered under a mortgage insurance policy.

(ii) So long as the licensee provides the initial, annual, and revised notices under this chapter to the plan sponsor, group or blanket insurance policyholders, and group annuity contract holder and does not disclose to a nonaffiliated third party nonpublic personal financial information other than as permitted under sections 535, 537, and 539, "consumer" does not include an individual solely because he or she meets 1 of the following:

(A) Is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary.

(B) Is covered under a group or blanket insurance policy or group annuity contract issued by the licensee.

(iii) "Consumer" does not include an individual solely because he or she meets 1 of the following:

(A) Is a beneficiary of a trust for which the licensee is a trustee.

(B) Has designated the licensee as trustee for a trust.

(g) "Consumer reporting agency" has the same meaning as in section 603(f) of the federal fair credit reporting act, title VI of the consumer credit act, Public Law 90-321, 15 U.S.C. 1681a.

(h) "Customer" means a consumer who has a customer relationship with a licensee. However, customer does not include an individual solely because he or she meets 1 of the following:

(i) Is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary.

(ii) Is covered under a group or blanket insurance policy or group annuity contract issued by the licensee.

(iii) Is a beneficiary or claimant under a policy of insurance.

(i) "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides 1 or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(j) "Initial notice" means the privacy notice required in section 507.

(k) "Insurance product or service" means any product or service that is offered by a licensee pursuant to the insurance laws of this state or pursuant to a federal insurance program. Insurance service includes a licensee's evaluation, brokerage, or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.

(l) "Licensee" means a licensed insurer or producer, and other persons licensed or required to be licensed, authorized or required to be authorized, registered or required to be registered, or holding or required to hold a certificate of authority under this act. Licensee includes, except as otherwise provided, a nonprofit health care corporation operating pursuant to the nonprofit health care corporation reform act, 1980 PA 350, MCL 550.1101 to 550.1704, and a nonprofit dental care corporation operating pursuant to 1963 PA 125, MCL 550.351 to 550.373. Licensee includes an unauthorized insurer who places business through a licensed surplus line agent or broker in this state, but only for the surplus line placements placed under chapter 19. Licensee does not include any of the following:

(i) A nonprofit health care corporation for member personal data and information otherwise protected under section 406 of the nonprofit health care corporation reform act, 1980 PA 350, MCL 550.1406.

(ii) The Michigan life and health guaranty association and the property and casualty guaranty association.

(iii) The Michigan automobile insurance placement facility, the Michigan worker's compensation placement facility, and the assigned claims facility created under section 3171. However, servicing carriers for these facilities are licensees.

(m) "Nonaffiliated third party" means any person except a licensee's affiliate or a person employed jointly by a licensee and any company that is not the licensee's affiliate. Nonaffiliated third party includes the other company that jointly employs a person with a licensee. Nonaffiliated third party also includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) of the bank holding company act of 1956, chapter 240, 70 Stat. 135, 12 U.S.C. 1843, or insurance company investment activities of the type described in section 4(k)(4)(I) of the bank holding company act of 1956, chapter 240, 70 Stat. 135, 12 U.S.C. 1843.

(n) "Nonpublic personal financial information" means personally identifiable financial information and any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available. Nonpublic personal financial information does not include any of the following:

(i) Health and medical information otherwise protected by state or federal law.

(ii) Publicly available information.

(iii) Any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived without using any personally identifiable financial information that is not publicly available.

(o) "Opt out" means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by sections 535, 537, and 539.

(p) "Personally identifiable financial information" means any of the following:

(i) Information a consumer provides to a licensee to obtain an insurance product or service from the licensee.

(ii) Information about a consumer resulting from any transaction involving an insurance product or service between a licensee and a consumer.

(iii) Information the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.

(q) "Producer" means a person required to be licensed under this act to sell, solicit, or negotiate insurance.

(r) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records by wide distribution by the media or by disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if both of the following apply:

(i) The licensee has taken steps to determine that the information is of the type that is available to the general public.

(ii) If an individual can direct that the information not be made available to the general public, that the licensee's consumer has not directed that the information not be made available to the general public.

(s) "Revised notice" means the privacy notice required in section 525.

Sec. 505. (1) A licensee is not required to provide the notice and opt out requirements for nonpublic personal financial information under this chapter if the licensee is an employee, agent, or other representative of a principal and all of the following are met:

(a) The principal is another licensee.

(b) The principal otherwise complies with and provides the notices required by this chapter.

(c) The licensee does not disclose any nonpublic personal information to any person other than the principal or its affiliates as provided in this chapter.

(2) A surplus lines broker or surplus lines insurer is considered to be in compliance with the notice and opt out requirements for nonpublic personal financial information under this chapter if all of the following are met:

(a) The broker or insurer does not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under section 535, except as permitted by section 537 or 539.

(b) The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:

PRIVACY NOTICE

"Neither the U.S. brokers that handled this insurance nor the insurers that have underwritten this insurance will disclose nonpublic personal information concerning the buyer to nonaffiliates of the brokers or insurers except as permitted by law.".

Sec. 507. (1) Beginning July 1, 2001, a licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all of the following:

(a) An individual who on or after July 1, 2001 becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in section 511.

(b) An individual who was the licensee's customer before July 1, 2001, either at the next regularly scheduled contact with that customer but not later than July 1, 2002, so long as the licensee does not disclose any nonpublic personal financial information about the customer to any nonaffiliated third party other than as authorized by sections 537 and 539 or annually in accordance with section 513 if the licensee provided a notice before July 1, 2001 and that notice was consistent with the requirements of this chapter.

(c) A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes such a disclosure other than as authorized by sections 537 and 539.

(2) A licensee is not required to provide an initial notice to a consumer under subsection (1) if the licensee meets any of the following:

(a) The licensee does not disclose any nonpublic personal financial information about that consumer to any nonaffiliated third party, other than as authorized by sections 537 and 539, and the licensee does not have a customer relationship with the consumer.

(b) A notice has been provided to that consumer by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.

Sec. 509. (1) A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship. A continuing relationship includes, but is not limited to, all of the following:

(a) For an insurer, when the consumer receives the delivery of an insurance policy or contract.

(b) For a producer, when the consumer obtains insurance through that licensee.

(c) When the consumer agrees to obtain financial, economic, or investment advisory services relating to insurance products or services for a fee from the licensee.

(2) An individual does not have a continuing relationship with a licensee as follows:

(a) If the individual's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices and the licensee has not communicated with the individual about the policy for a period of 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials.

(b) If the individual is an insured or an annuitant under an insurance policy or annuity, but is not the policyholder or owner of the insurance policy or annuity.

(c) If the individual's last known address according to the licensee's records is invalid. An address of record is considered invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current, valid address for the individual have been unsuccessful.

(3) Except as otherwise provided in this subsection, when an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, the licensee shall provide a revised privacy notice that meets the requirements of section 525 and that covers the customer's new insurance product or service. If the initial, revised, or annual notice that the licensee most recently provided to that customer under this chapter is accurate with respect to the new insurance product or service, the licensee does not need to provide a new privacy notice under this subsection.

Sec. 511. (1) A licensee may provide the initial notice within a reasonable time after the licensee establishes a customer relationship if establishing the customer relationship is not at the customer's election or providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.

(2) When a licensee is required to deliver an initial notice under this section, the licensee shall deliver it according to section 527. If the licensee uses a short-form initial notice for noncustomers according to section 517, the licensee may deliver its privacy notice according to section 517(3).

Sec. 513. (1) A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. As used in this section, "annually" means at least once in any period of 12 consecutive months during which that customer relationship exists. A licensee may define the 12-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.

(2) A licensee is not required to provide an annual notice under subsection (1) to a former customer.

Sec. 515. (1) The initial, annual, and revised notices shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that apply to the licensee and to the consumers to whom the licensee sends its privacy notice:

(a) The categories of nonpublic personal financial information that the licensee collects.

(b) The categories of nonpublic personal financial information that the licensee discloses.

(c) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under sections 537 and 539.

(d) The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under sections 537 and 539.

(e) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 535 and no other exception in section 537 or 539 applies to that disclosure, a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted.

(f) An explanation of the consumer's right under section 529 to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method by which the consumer may exercise that right at that time.

(g) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the fair credit reporting act, title VI of the consumer credit protection act, Public Law 90-321, 15 U.S.C. 1681a.

(h) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.

(i) Any disclosure that the licensee makes under subsection (2).

(2) If a licensee discloses nonpublic personal financial information as authorized under sections 537 and 539, the licensee is not required to list those exceptions in the initial or annual notices. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.

(3) Instead of providing the information required under subsection (1) and if a licensee does not disclose and does not want to reserve the right to disclose nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under sections 537 and 539, the licensee may state that fact as part of a simplified notice so long as the licensee provides the information required under subsections (1)(a), (h), and (i) and (2).

(4) The licensee's initial notice may include categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future but does not currently disclose, and categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose but to whom the licensee does not currently disclose, nonpublic personal financial information.

Sec. 517. (1) A licensee may satisfy the initial notice requirements in sections 507 and 519(3) for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in section 519.

(2) A short-form initial notice under subsection (1) shall be clear and conspicuous, state that the licensee's privacy notice is available upon request, and explain a reasonable means by which the consumer may obtain that notice.

(3) The licensee shall deliver its short-form initial notice according to section 527. The licensee is not required to deliver its privacy notice with its short-form initial notice and may provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to section 527.

Sec. 519. (1) If a licensee is required to provide an opt out notice under section 529, it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice shall state all of the following:

(a) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party.

(b) That the consumer has the right to opt out of that disclosure.

(c) A reasonable means by which the consumer may exercise the opt out right.

(2) A licensee may provide the required opt out notice together with or on the same written or electronic form as the initial notice.

(3) If a licensee provides the opt out notice later than required for the initial notice, the licensee shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.

Sec. 521. (1) If 2 or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer and may either treat an opt out direction by a joint consumer as applying to all of the associated joint consumers or permit each joint consumer to opt out separately.

(2) If a licensee permits under subsection (1) each joint consumer to opt out separately, the licensee shall permit 1 of the joint consumers to opt out on behalf of all of the joint consumers. A licensee may not require all joint consumers to opt out before it implements any opt out direction.

Sec. 523. (1) A licensee shall comply with a consumer's opt out direction as soon as reasonably practicable after the licensee receives it.

(2) A consumer may exercise the right to opt out at any time. A consumer's direction to opt out under this subsection is effective until the consumer revokes it in writing or, if the consumer agrees, revokes it electronically.

(3) If a customer relationship terminates, the customer's opt out direction shall continue to apply to the nonpublic personal financial information that the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.

Sec. 525. Except as otherwise authorized in this chapter, a licensee shall not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice unless all of the following have been met:

(a) The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices.

(b) The licensee has provided to the consumer a new opt out notice.

(c) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure, and the consumer does not opt out.

Sec. 527. (1) A licensee shall provide any notice required under this chapter so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. A licensee may reasonably expect that a consumer will receive actual notice if the licensee does any of the following:

(a) Hand delivers a printed copy of the notice to the consumer.

(b) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing, or other written communication.

(c) For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.

(d) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.

(2) The following do not provide a reasonable expectation that a consumer will receive actual notice of a licensee's privacy policies and practices under subsection (1):

(a) The licensee only posts a sign in its office or generally publishes advertisements of its privacy policies and practices.

(b) The licensee sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.

(3) A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual notice in either of the following cases:

(a) The customer uses the licensee's website to access insurance products and services electronically and agrees to receive notices at the website and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the website.

(b) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.

(4) A licensee shall not provide any notice required by this chapter solely by orally explaining the notice, either in person or over the telephone.

(5) For customers only, a licensee shall provide the initial, annual, and revised notices so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically. A licensee provides an initial, annual, or revised notice to the customer so that the customer can retain it or obtain it later if the licensee does any of the following:

(a) Hand delivers a printed copy of the notice to the customer.

(b) Mails a printed copy of the notice to the last known address of the customer.

(c) Makes the current initial, annual, or revised notice available on a website or a link to another website for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the website.

(6) A licensee may provide a joint notice from the licensee and 1 or more of its affiliates or other financial institutions, as identified in the notice, if the notice is accurate with respect to the licensee and the other institutions. A licensee may also provide a notice on behalf of another financial institution, as identified in the notice, if the notice is accurate with respect to the licensee and the other institution.

(7) If 2 or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements by providing 1 notice to those consumers jointly.

Sec. 529. (1) Except as otherwise provided in this chapter, a licensee shall not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following are met:

(a) The licensee has provided to the consumer an initial notice.

(b) The licensee has provided to the consumer an opt out notice as required in section 519.

(c) The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure and the consumer does not opt out.

(2) A licensee provides a consumer with a reasonable opportunity to opt out under subsection (1) in any of the following ways:

(a) If the licensee mails the notices required in subsection (1) to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the licensee mailed the notices.

(b) A customer opens an on-line account with a licensee and agrees to receive the notices required in subsection (1) electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.

(c) For an isolated transaction such as providing the consumer with an insurance quote, if the licensee provides the notices required in subsection (1) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(3) This section applies to a licensee whether or not the licensee and the consumer have established a customer relationship.

(4) Unless a licensee complies with this section, the licensee shall not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.

(5) A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

Sec. 531. (1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in section 537 or 539, the licensee's disclosure and use of that information is limited as follows:

(a) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.

(b) The licensee may disclose the information to its affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information.

(c) The licensee may disclose and use the information pursuant to an exception in section 537 or 539 in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

(2) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in section 537 or 539, the licensee may disclose the information only as follows:

(a) To the affiliates of the financial institution from which the licensee received the information.

(b) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information.

(c) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.

(3) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in section 537 or 539, the third party may disclose and use that information only as follows:

(a) To the licensee's affiliates.

(b) To its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information.

(c) Pursuant to an exception in section 537 or 539 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

(4) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in section 537 or 539, the third party may disclose the information only as follows:

(a) To the licensee's affiliates.

(b) To the third party's affiliates, but the third party's affiliates may, in turn, disclose the information only to the extent the third party can disclose the information.

(c) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.

Sec. 533. (1) A licensee shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy or account number or other access number or access code for a consumer's policy, credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

(2) Subsection (1) does not apply if a licensee discloses a policy or account number or other access number or access code as follows:

(a) To the licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account.

(b) To a licensee who is a producer solely in order to perform marketing for the licensee's own products or services.

(c) To a participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

(3) Subsection (1) does not apply if the policy or account number, or other access number or access code, is in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.

(4) As used in this section, "transaction account" means an account other than a deposit account or a credit card account. A transaction account does not include an account to which third parties cannot initiate charges.

Sec. 535. (1) The opt out requirements in sections 519 and 529 do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee does both of the following:

(a) Provides the initial notice.

(b) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in section 537 or 539 in the ordinary course of business to carry out those purposes.

(2) The services a nonaffiliated third party performs for a licensee under subsection (1) may include marketing of the licensee's own products or services or marketing of insurance products or services offered pursuant to joint agreements between the licensee and 1 or more financial institutions.

(3) As used in this section, "joint agreement" means a written contract pursuant to which a licensee and 1 or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

Sec. 537. (1) Sections 507(1)(c), 519, 529, and 535 do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following:

(a) Servicing, adjusting, or processing an insurance product or service that a consumer requests or authorizes.

(b) Maintaining or servicing the consumer's account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity.

(c) A proposed or actual securitization, secondary market sale including sales of servicing rights, or similar transaction related to a transaction of the consumer.

(d) Reinsurance or stop loss or excess loss insurance.

(e) Servicing or processing an insurance product or service on behalf of the Michigan automobile insurance placement facility, the Michigan worker's compensation placement facility, or the assigned claims facility created under section 3171.

(2) As used in subsection (1), "necessary to effect, administer, or enforce a transaction" means that the disclosure is either of the following:

(a) Required or is 1 of the lawful or appropriate methods to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service.

(b) Required or is a usual, appropriate, or acceptable method for any of the following:

(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the insurance product or service.

(ii) To administer, adjust, or service benefits or claims relating to the transaction or the product or service business of which it is a part.

(iii) To provide a confirmation, explanation, statement, or other record of the transaction, or information on the status or value of the insurance product or service to the consumer, the consumer's agent or broker, or a policyholder or the policyholder's agent or broker with respect to a claim asserted by, or paid to, a consumer under the policy.

(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party.

(v) To underwrite insurance at the consumer's request or for any of the following purposes as they relate to a consumer's insurance or to an insurance policy under which the consumer is a claimant: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing, adjusting, settling, or paying insurance claims, administering insurance benefits including utilization review activities, participating in research projects, or as otherwise required or specifically permitted by federal or state law.

(vi) In connection with any of the following:

(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means.

(B) The transfer or collection of debts, receivables, accounts, or interests in receivables or accounts.

(C) The audit of debit, credit, or other payment information.

Sec. 539. Sections 507(1)(c), 519, 529, and 535 do not apply when a licensee discloses nonpublic personal financial information as follows:

(a) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.

(b) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product, or transaction.

(c) To protect against or prevent actual or potential fraud or unauthorized transactions.

(d) For required institutional risk control or for resolving consumer disputes or inquiries.

(e) To persons holding a legal or beneficial interest relating to the consumer.

(f) To persons acting in a fiduciary or representative capacity on behalf of the consumer.

(g) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, or the licensee's attorneys, accountants, and auditors.

(h) To the extent specifically permitted or required under other provisions of law and in accordance with the right to privacy act of 1978, title XI of the financial institutions regulatory and interest rate control act of 1978, Public Law 95-630, 12 U.S.C. 3401 to 3420 and 3422, to law enforcement agencies including the federal reserve board, office of the comptroller of the currency, federal deposit insurance corporation, office of thrift supervision, national credit union administration, the securities and exchange commission, the secretary of the treasury, with respect to subchapter II of chapter 53 of subtitle IV of title 31 of the United States code, 31 U.S.C. 5311 and 5330, and sections 121 to 129 of chapter 2 of title I of Public Law 91-508, 12 U.S.C. 1951 to 1959, the federal trade commission, a state insurance authority, self-regulatory organizations, or for an investigation on a matter related to public safety.

(i) To a consumer reporting agency in accordance with the fair credit reporting act, title VI of the consumer credit protection act, Public Law 90-321, 15 U.S.C. 1681 to 1681u.

(j) From a consumer report reported by a consumer reporting agency.

(k) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit of the licensee if the disclosure of nonpublic personal financial information concerns solely consumers of that business or unit.

(l) To comply with federal, state, or local laws, rules, and other applicable legal requirements.

(m) To comply with a properly authorized civil, criminal, or regulatory investigation, subpoena, or summons by a federal, state, or local authority.

(n) To respond to judicial process or a government regulatory authority having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law.

(o) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or worker's compensation plan to the extent necessary to effectuate the replacement.

Sec. 540. The Michigan life and health guaranty association, the property and casualty guaranty association, the Michigan automobile insurance placement facility, the Michigan worker's compensation placement facility, and the assigned claims facility created under section 3171 shall not disclose or use nonpublic personal financial information except as provided in section 537(1)(a) to (e) or section 539(a) to (o).

Sec. 541. Nothing in this chapter shall be construed to modify, limit, or supersede the operation of the fair credit reporting act, title VI of the consumer credit protection act, Public Law 90-321, 15 U.S.C. 1681 to 1681u, and no inference shall be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under section 603 of the fair credit reporting act, title VI of the consumer credit protection act, Public Law 90-321, 15 U.S.C. 1681a.

Sec. 543. A licensee shall not unfairly discriminate against any consumer because that consumer has opted out or intends to opt out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this chapter.

Sec. 545. Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf satisfies the provisions of section 535(1)(b), even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal financial information, as long as the licensee entered into the agreement on or before July 1, 2000.

Sec. 547. (1) The commissioner shall adopt guidelines for administrative, technical, and physical safeguards that protect the security, confidentiality, and integrity of customer information, pursuant to sections 501, 505(b), and 507 of the Gramm-Leach-Bliley act, Public Law 106-102, 113 Stat. 1338, 15 U.S.C. 6801, 6805, and 6807.

(2) Each licensee shall adopt policies and procedures for administrative, technical, and physical safeguards for the protection of customer records and information. The policies and procedures shall be based on the guidelines adopted under subsection (1) and shall be reasonably designed to do all of the following:

(a) Ensure the security and confidentiality of customer records and information.

(b) Protect against any anticipated threats or hazards to the security or integrity of customer records and information.

(c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Sec. 2013. A violation of chapter 5 or a rule promulgated under chapter 5 is an unfair method of competition and an unfair or deceptive act or practice in the business of insurance.

This act is ordered to take immediate effect.

Secretary of the Senate.

Clerk of the House of Representatives.

Approved

Governor.