Wyo. Code R. 044-0002-54
General Agency, Board or Commission Rules
Chapter 54: Privacy of Consumer Financial and Health Information
Effective Date: 04/25/2023 to Current
Rule Type: Current Rules & Regulations
Reference Number: 044.0002.54.04252023
Section 1. Authority. This regulation is promulgated pursuant to Wyoming Statutes §§ 26-2-110, 26-2-133, and 26-13-101 et seq.
(a) This regulation applies to:
(i) Nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family, or household purposes. This regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes; and
(ii) All nonpublic personal health information.
(b) A licensee domiciled in Wyoming who is in compliance with this regulation in a state that has not enacted laws or regulations meeting the requirements of Title V of the Gramm-Leach-Bliley Act (PL 102-106) may nonetheless be deemed as in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.
(a) 'Affiliate' means a company that controls, is controlled by, or is under common control with another company.
(b) 'Clear and conspicuous' means a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained therein.
(i) A licensee makes its notice reasonably understandable if it:
(A) Presents the information in the notice in clear, concise sentences, paragraphs, and sections;
(B) Uses short explanatory sentences or bullet lists;
(C) Uses definite, concrete, everyday words, and active voice;
(D) Avoids multiple negatives;
(E) Avoids legal and highly technical business terminology; and
(F) Avoids explanations that are imprecise and readily subject to different interpretations.
(ii) A licensee shall design its notice to call attention to the nature and significance of the information by using:
(A) Plain language headings to call attention to the notice;
(B) Typeface, type size, style, and graphic devices that are distinctive and easy to read;
(C) Wide margins and ample line spacing; and
(D) Boldface or italics for key words.
(iii) Notices on web sites shall call attention to the nature and significance of the information by using text or visual cues to encourage scrolling down the page to view the entire notice and to ensure other elements on the web site (such as text, graphics, hyperlinks, or sound) do not distract from the notice. The licensee shall either:
(A) Place the notice on a screen consumers frequently access, such as a page on which transactions are conducted; or
(B) Place a link on a screen consumers frequently access that connects directly to the notice and is labeled appropriately.
(c) “Collect” means to obtain information that the licensee can organize or retrieve by name of an individual, identifying number, symbol, or other identifying particular assigned to an individual, regardless of the underlying source of the information.
(d) “Company” means a corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship, or similar organization.
(e) “Consumer” means an individual or that individual’s legal representative who is seeking or who has obtained an insurance product or service from a licensee to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information and includes:
(i) An individual who provides nonpublic personal information to a licensee in connection with seeking or obtaining financial, investment, or economic advisory services relating to an insurance product or service regardless of whether the licensee establishes an ongoing advisory relationship.
(ii) An applicant for insurance prior to the inception of insurance coverage.
(iii) A consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
(iv) An individual is a licensee's consumer if the individual is:
(A) A beneficiary of a life insurance policy underwritten by the licensee;
(B) A claimant under an insurance policy issued by the licensee;
(C) An insured or an annuitant under an insurance policy or an annuity issued by the licensee; or
(D) A mortgagor of a mortgage covered under a mortgage insurance policy.
(v) Provided the licensee provides the initial, annual, and revised notices to the plan sponsor, group, or blanket insurance policyholder, group annuity contract holder, or workers' compensation policyholder, and the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about an individual other than as permitted under this regulation, an individual is not the consumer of the licensee solely because he or she is:
(A) A participant or a beneficiary of an employee benefit plan the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary;
(B) Covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or
(C) A claimant covered by a workers' compensation plan.
(vi) The individuals described in the above subparagraphs (v)(A) through (C) are consumers of a licensee if the licensee does not meet all the conditions of paragraph (v).
(vii) In no event shall the individuals, solely by virtue of the status described in subparagraphs (v)(A) through (C) be deemed customers for purposes of this regulation.
(viii) An individual is not a licensee's consumer solely because he or she is a beneficiary or named trustee for a trust.
(f) 'Consumer reporting agency' has the same meaning as in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(g) 'Control' means:
(i) Ownership, control, or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
(ii) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or
(iii) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as determined by the Commissioner.
(h) 'Customer' means a consumer who has a customer relationship with a licensee.
(i) 'Customer information' means nonpublic personal information, whether in paper, electronic, or other form, maintained by or on behalf of the licensee.
(j) 'Customer information systems' means the electronic or physical methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
(k) 'Customer relationship' means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer to be used primarily for personal, family, or household purposes.
(i) A consumer has a continuing relationship with a licensee if the consumer:
(A) Is a current policyholder of an insurance product issued by or through the licensee; or
(B) Obtains financial, investment, or economic advisory services relating to an insurance product or service from the licensee for a fee.
(ii) A consumer does not have a continuing relationship with a licensee if the consumer:
(A) Applies for insurance but does not purchase the insurance;
(B) Purchases airline travel insurance from the licensee in an isolated transaction;
(C) Is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
(D) Is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;
(E) Is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
(F) Had a policy that lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than providing annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;
(G) Is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or
(H) Has a last known address according to the licensee's records that is invalid.
(I) 'Financial institution' means any institution whose business is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(ii) The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or
(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a consumer transaction as long as the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(m) 'Financial product or service' means a product or service a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
(i) Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(n) “Health care” means preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, procedures, tests, or counseling that:
(i) Relates to the physical, mental, or behavioral condition of an individual;
(ii) Affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; or
(iii) Prescribing, dispensing, or furnishing to an individual drugs or biologicals, or medical devices, or health care equipment, and supplies.
(o) “Health care provider” means a physician or other health care practitioner licensed, accredited, or certified to perform specified health services consistent with state law, or a health care facility.
(p) “Health information” means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer relating to:
(i) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) Payment for the provision of health care to an individual.
(q) “Insurance product or service” means any product or service offered by a licensee pursuant to the Wyoming Insurance Code.
(i) Insurance service includes a licensee’s evaluation, brokerage, or distribution of information the licensee collects in connection with a request or an application from a consumer for an insurance product or service.
(r) “Licensee” means all licensed insurers, producers, and other persons licensed or required to be licensed pursuant to the Wyoming Insurance Code, except that “licensee” shall not include: a purchasing group; or an unauthorized insurer regarding surplus line business conducted pursuant to W.S. § 26-11-101 et seq.
(i) A licensee is not subject to the notice and opt-out requirements for nonpublic personal financial information set forth in Articles I, II, III, IV, and VII if the licensee is an employee, agent, or other representative of another licensee (the principal) and:
(A) The principal otherwise complies with and provides the notices required by this regulation; and
(B) The licensee does not disclose any nonpublic personal information to any person other than the principal or its affiliates in a manner permitted by this regulation.
(ii) Subject to subsection (iii) of this subsection, “licensee” shall also include an unauthorized insurer that accepts business placed through a licensed surplus lines broker in Wyoming, but only regarding the surplus lines placements placed pursuant to the Wyoming Insurance Code.
(iii) A surplus lines broker or insurer shall be deemed in compliance with the notice and opt-out requirements for nonpublic personal financial information set forth in Articles I, II, III, IV, and VII provided:
(A) The broker or insurer does not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under section 14 of this regulation, except as permitted by section 15 or 16 of this regulation; and
(B) The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:
“Neither the U.S. brokers that handled this insurance nor the insurers underwriting this insurance will disclose nonpublic personal information concerning the buyer to non-affiliates of the brokers or insurers except as permitted by law.”
(s) “Nonaffiliated third party” means any person except a licensee’s affiliate or a person employed jointly by a licensee and any company that is not the licensee’s affiliate (but nonaffiliated third party includes the other company that jointly employs the person).
(i) Nonaffiliated third party includes any company affiliated solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) or insurance company investment activities of the type described in Section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)) or as otherwise defined by Wyoming Statute.
(t) “Nonpublic personal information” includes nonpublic personal financial information and nonpublic personal health information.
(u) “Nonpublic personal financial information” means personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.
(i) Nonpublic personal financial information includes any list of individuals' names and street addresses derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
(ii) Nonpublic personal financial information does not include:
(A) Health information;
(B) Publicly available information, except as included on a list described in subsection (3)(t) above; or
(C) Any list, description or other grouping of consumers (and publicly available information pertaining to them) derived without using any personally identifiable financial information that is not publicly available.
(D) Any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner indicating that any of the individuals on the list is a consumer of a financial institution.
(v) 'Nonpublic personal health information' means health information:
(i) That identifies an individual who is the subject of the information; or
(ii) With respect to which there is a reasonable basis to believe the information could be used to identify an individual.
(w) 'Personally identifiable financial information' means any information:
(i) A consumer provides to a licensee to obtain an insurance product or service from the licensee;
(ii) About a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or
(iii) The licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
(iv) Personally identifiable financial information includes:
(A) Information a consumer provides to a licensee on an application to obtain an insurance product or service;
(B) Account balance information and payment history;
(C) The fact an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee;
(D) Any information about the licensee's consumer if disclosed in a manner indicating that the individual is or has been the licensee's consumer;
(E) Any information a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
(F) Any information the licensee collects through an Internet cookie (an information-collecting device from a web server); and
(G) Information from a consumer report.
(v) Personally identifiable financial information does not include:
(A) Health information;
(B) A list of names and addresses of customers of an entity that is not a financial institution; and
(C) Information that does not identify a consumer, such as aggregate information or blind data not containing personal identifiers such as account numbers, names or addresses.
(x) 'Publicly available information' means any information a licensee has a reasonable basis to believe is lawfully made available to the general public from:
(i) Federal, state, or local government records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public required by federal, state, or local law.
(iv) A licensee has a reasonable basis to believe information is lawfully made available to the general public if the licensee has taken steps to determine:
(A) That the information is of the type available to the general public; and
(B) Whether an individual can direct that the information not be made available to the general public and, if so, that the licensee’s consumer has not done so.
“Publicly available information” includes:
(A) Information in government records including real estate records and security interest filings.
(B) Information from widely distributed media such as a telephone book, a television or radio program, a newspaper, or a web-site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, if available to the general public.
(C) Information a licensee has a reasonable basis to believe is lawfully made available.
(I) Mortgage information is lawfully made available to the general public if the licensee has determined the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
(II) An individual’s telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed licensee that the telephone number is not unlisted.
(a) A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:
(i) An individual who becomes the licensee’s customer, not later than when the licensee establishes a customer relationship, except as provided in subsection 4(e) of this section; and
(ii) A consumer, before the licensee discloses any nonpublic personal financial information to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by sections 15 and 16.
(b) A licensee is not required to provide an initial notice to a consumer under subsection 4(a)(ii) of this section if:
(i) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 15 and 16, and the licensee does not have a customer relationship with the consumer; or
(ii) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
(c) A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship or when:
(i) The insurer delivers an insurance policy or contract to the consumer that was obtained through the licensee; or
(ii) The consumer agrees to obtain financial, economic, or investment advisory services relating to insurance products or services for a fee from the licensee.
(d) When an existing customer obtains a new insurance product or service to be used primarily for personal, family, or household purposes, the licensee satisfies the initial notice requirements of subsection 4(a) if the licensee:
(i) Provides a revised policy notice, under section 8 covering the customer’s new insurance product or service; or
(ii) Recently provided initial, revised, or annual notice to the customer that was accurate with respect to the new insurance product or service.
(e) Exceptions to allow subsequent delivery of notice.
(i) A licensee may provide the initial notice required by subsection 4(a) within a reasonable time after the licensee establishes a customer relationship if:
(A) Establishing the customer relationship is not at the customer’s election; or
(B) Providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.
(ii) Exceptions include:
(A) If a licensee acquires or is assigned a customer’s policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee’s acquisition or assignment.
(B) Providing notice would substantially delay the customer’s transaction when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
(C) Providing notice would not substantially delay the customer's transaction when the relationship is initiated in person at the licensee's office or through other means by which the customer may view the notice, such as on a web site.
(f) When a licensee is required to deliver an initial privacy notice, the licensee shall deliver it according to section 10. If the licensee uses a short-form initial notice for non-customers according to section 6(c), the licensee may deliver its privacy notice according to section 6(c)(iii).
(a) Except as indicated below, a licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. A licensee may define the twelve-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis. A licensee provides an annual notice if it provides notice in each calendar year following the year in which the licensee provided the initial notice.
(b) A licensee is not required to provide an annual notice if:
(i) The licensee only provides nonpublic personal information about its customers to nonaffiliated third parties pursuant to sections 14, 15, and 16; and
(ii) The licensee has not changed its privacy policies and practices relating to the disclosure of nonpublic personal information from those policies and practices that were set forth in the most recent notice sent to customers pursuant to this section or section 4.
(c) A licensee is not required to provide annual notice to a former customer.
(d) A licensee no longer has a continuing relationship with an individual if:
(i) The individual no longer holds a current policy or no longer uses insurance services with or through the licensee.
(ii) The individual's policy is lapsed, expired, or otherwise inactive and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than to provide material required by law.
(iii) The individual's last known address is deemed invalid or undeliverable and subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
(iv) In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
(e) When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to section 10.
(a) The initial, annual, and revised privacy notices that a licensee provides under sections 4, 5, and 8 shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(i) The categories of nonpublic personal financial information the licensee collects;
(ii) The categories of nonpublic personal financial information the licensee discloses;
(iii) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under sections 15 and 16;
(iv) The categories of nonpublic personal financial information about the licensee’s former customers the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under sections 15 and 16;
(v) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 15 (and no other exception in sections 15 and 16 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
(vi) An explanation of the consumer’s right under section 11(a) to opt-out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
(vii) Any disclosures the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt-out of disclosures of information among affiliates);
(viii) The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and (ix) Any disclosure the licensee makes under subsection (b) of this section.
(b) If a licensee discloses nonpublic personal financial information as authorized under sections 15 and 16, the licensee is not required to list those exceptions in the initial or annual privacy notices required by sections 4 and 5. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(c) A licensee may satisfy the initial notice requirements in sections 4(a)(ii) and 7 for a consumer who is not a customer by providing a short-form initial notice at the same time the licensee delivers an opt-out notice as required in section 7.
(i) A short-form initial notice shall:
(A) Be clear and conspicuous;
(B) State that the licensee’s privacy notice is available upon request; and
(C) Explain a reasonable means by which the consumer may obtain that notice.
(ii) The licensee shall deliver its short-form initial notice according to section 9. The licensee is not required to deliver its privacy notice with its short-form initial notice, but may provide to the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee’s short-form notice requests the licensee’s privacy notice, the licensee shall deliver its privacy notice according to section 10.
(iii) The licensee provides a reasonable means for a consumer to obtain a copy of its privacy notice if the licensee:
(A) Provides a toll-free telephone number the consumer may call to request the notice; or
(B) Maintains copies of the notice on hand that the licensee provides to consumers immediately upon request.
(d) The licensee’s notice for future disclosures may include:
(i) Categories of nonpublic personal financial information the licensee reserves the right to disclose in the future, but does not currently disclose; and
(ii) Categories of affiliated or nonaffiliated third parties to whom the licensee reserves the future right to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
(e) Sample clauses illustrating some of the notice content required by this section are included in the Sample Clauses Illustration, located on the Department of Insurance website at: DOI.wyo.gov.
(a) If a licensee is required to provide an opt-out notice under section 11(a), it shall provide a clear and conspicuous notice to each of its consumers accurately explaining the right to opt-out under that section and stating:
(i) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
(ii) That the consumer has the right to opt-out of that disclosure; and
(iii) A reasonable means by which the consumer may exercise the opt-out right.
(b) A licensee provides adequate opt-out notice to a nonaffiliated third party if the licensee:
(i) Identifies all categories of nonpublic personal financial information it discloses or reserves the right to disclose, and all categories of nonaffiliated third parties to which the licensee discloses the information, as described in paragraphs 6(a)(ii) and (iii), and states that the consumer can opt-out of the disclosure of that information; and
(ii) Identifies the insurance products or services the consumer obtains from the licensee, either singly or jointly, to which the opt-out direction would apply.
(iii) A licensee provides a reasonable means to exercise an opt-out right if it:
(A) Designates check-off boxes in a prominent position on the relevant forms with the opt-out notice;
(B) Includes a reply form together with the opt-out notice;
(C) Provides an electronic means to opt-out, such as a form that can be sent via electronic mail, or a process at the licensee’s website, if the consumer agrees to the electronic delivery of information; or
(D) Provides a toll-free telephone number consumers may call to opt-out.
consumer revokes it in writing or, if the consumer agrees, electronically.
(ii) When a customer relationship terminates, the customer’s opt-out direction continues to apply to the nonpublic personal financial information the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt-out direction that applied to the former relationship does not apply to the new relationship.
(j) When a licensee is required to deliver an opt-out notice, the licensee shall deliver it according to section 10.
(a) Except as otherwise authorized in this regulation, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under section 4, unless:
(i) The licensee has provided to the consumer a clear and conspicuous revised notice accurately describing its policies and practices;
(ii) The licensee has provided to the consumer a new opt-out notice;
(iii) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt-out of the disclosure; and
(iv) The consumer does not opt-out.
(b) Except as otherwise permitted by sections 14, 15, and 16, a licensee shall provide a revised notice before it:
(i) Discloses a new category of nonpublic personal financial information to any nonaffiliated third party;
(ii) Discloses nonpublic personal financial information to a new category of nonaffiliated third party; or
(iii) Discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure.
(c) A revised notice is not required if the licensee discloses nonpublic personal financial information to a new nonaffiliated third party the licensee adequately described in its prior notice.
(d) When a licensee is required to deliver a revised privacy notice by this section, the licensee shall deliver it according to section 10.
Section 9. Privacy Notices to Group Policyholders. Unless a licensee is providing privacy notices directly to covered individuals described in section 3(e)(v)(A), (B), or (C), a licensee shall provide initial, annual, and revised notices to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, or workers' compensation policyholder, in the manner described in sections 4, 5, and 8 of this regulation, describing the licensee's privacy practices with respect to nonpublic personal information about individuals covered under the policies, contracts, or plans.
(a) A licensee shall provide any notices this regulation requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) A licensee may reasonably expect a consumer will receive actual notice if the licensee:
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing, or other written communication;
(iii) Posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service; or
(iv) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
(c) A licensee may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it:
(i) Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or
(ii) Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.
(d) A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if:
(i) The customer uses the licensee's website to access insurance products and services electronically and agrees to receive notices at the website and the licensee posts its current privacy notice continuously in a clear and conspicuous manner; or
(ii) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
(e) A licensee may not provide any notice required by this regulation solely by orally explaining the notice, either in person or over the telephone.
(f) For customers only, a licensee shall provide the initial notice required by section 4(a), the annual notice required by section 5(a), and the revised notice required by section 8 so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(g) A licensee may provide a privacy notice to the customer so the customer can retain it or obtain it later if the licensee:
(i) Hand-delivers a printed copy of the notice to the customer;
(ii) Mails a printed copy of the notice to the last known address of the customer; or
(iii) Makes its current privacy notice available on a website (or a link to another website) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the website.
(h) A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice. A licensee also may provide accurate notice on behalf of another financial institution.
(i) If two (2) or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of sections 4(a), 5(a) and 8(a), respectively, by providing one notice to those consumers jointly.
(a) A licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(i) The licensee has provided to the consumer an initial notice as required under section 4;
(ii) The licensee has provided to the consumer an opt-out notice as required in section 7;
(iii) The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt-out of the disclosure; and
(iv) The consumer does not opt-out.
(b) Opt-out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by sections 14, 15, and 16.
(c) A licensee provides a consumer with a reasonable opportunity to opt-out if:
(i) The licensee mails the required notices to the consumer and allows the consumer to opt-out by mailing a form, calling a toll-free telephone number, or any other reasonable means within thirty (30) days from the date the licensee mailed the notices.
(ii) A customer opens an on-line account with a licensee and agrees to receive the required notices electronically, and the licensee allows the customer to opt-out by any reasonable means within thirty (30) days after the date the customer acknowledges receipt of the notices in conjunction with opening the account.
(iii) For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt-out if the licensee provides the required notices at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt-out before completing the transaction.
(iv) A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.
(v) Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt-out from the consumer.
(d) A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties to which the consumer wishes to opt-out.
(a) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in this regulation, the licensee's disclosure and use of that information is limited as follows. The licensee may disclose:
(i) Information to affiliates of the financial institution from which the licensee received the information;
(ii) Information to its affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information; and
(iii) Information pursuant to an exception in this regulation, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(b) If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
(c) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in this regulation, the licensee may disclose the information only:
(i) To affiliates of the financial institution from which the licensee received the information;
(ii) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information; and
(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(d) If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in this regulation:
(i) The licensee may use that list for its own purposes; and
(ii) The licensee may disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt-out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in this regulation, such as to the licensee's attorneys or accountants.
(iii) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception, the third party may disclose and use that information only as follows. The third party may disclose the information:
(A) To the licensee's affiliates;
(B) To its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(C) In the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(iv) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in this regulation, the third party may disclose the information only:
(A) To the licensee's affiliates;
(B) To the third party's affiliates, but the third party's affiliates may disclose the information only to the extent the third party can disclose the information; and
(C) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.
(a) A licensee shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(b) Section 13(a) does not apply if a licensee discloses a policy number or similar form of access number or access code:
(i) To the licensee's service provider solely to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account;
(ii) To a licensee who is a producer solely to perform marketing for the licensee's own products or services; or
(iii) To a participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
(c) Policy number or transaction account.
(i) A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.
(ii) For purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
(a) The opt-out requirements in sections 7 and 11 do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee:
(i) Provides the initial notice in accordance with section 4; and
(ii) Enters into a contractual agreement with the third party prohibiting the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in the ordinary course of business to carry out those purposes.
(b) If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee's contractual agreement with that institution meets the requirements of section 14(a)(ii) if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in the ordinary course of business to carry out that joint marketing.
(c) The services a nonaffiliated third party performs for a licensee under section 14(a) may include marketing the licensee's own products or services or marketing financial products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
(d) 'Joint agreement' means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.
(a) The requirements for initial notice in section 4(a), the opt-out in sections 7 and 11, and service providers and joint marketing in section 14 do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction a consumer requests or authorizes, or in connection with:
(i) Servicing or processing an insurance product or service a consumer requests or authorizes;
(ii) Maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;
(iii) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer; or
(iv) Reinsurance, stop loss, or excess loss insurance.
“Necessary to effect, administer, or enforce a transaction” means the disclosure is:
(i) Required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(ii) Required, or is a usual, appropriate, or acceptable method:
(A) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer’s account in the ordinary course of providing the insurance product or service;
(B) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(C) To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer’s agent or broker;
(D) To accrue or recognize incentives or bonuses provided by a licensee or any other party associated with the transaction;
(E) To underwrite insurance at the consumer’s request or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by federal or state law; or
(iii) In connection with:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check or account number, or by other payment means;
(B) The transfer of receivables, accounts, or interests therein; or
(C) The audit of debit, credit, or other payment information.
(a) The requirements for initial notice to consumers in section 4(a), the opt-out in sections 7 and 11, and service providers and joint marketing in section 14 do not apply when a licensee discloses nonpublic personal financial information:
(i) With the consent or at the direction of the consumer, provided the consumer has not revoked the consent or direction:
(A) To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
(B) To protect against or prevent actual or potential fraud or unauthorized transactions;
(C) For required institutional risk control or for resolving consumer disputes or inquiries;
(D) To persons holding a legal or beneficial interest relating to the consumer; or
(E) To persons acting in a fiduciary or representative capacity on behalf of the consumer.
(ii) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies rating a licensee, persons assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants, and auditors;
(iii) To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
(iv) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(v) From a consumer report reported by a consumer reporting agency;
(vi) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
(A) To comply with federal, state, or local laws, rules, and other applicable legal requirements;
(B) To comply with a properly authorized civil, criminal, or regulatory investigation, subpoena, or summons by federal, state, or local authorities; or
(C) To respond to judicial process or government regulatory authorities with jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law; or
(vii) For purposes related to replacing a group benefit plan, group health plan, group welfare plan, or workers' compensation plan.
(b) A consumer may revoke consent by subsequently exercising the right to opt-out of future disclosures of nonpublic personal information as permitted under section 7.
(a) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee for performance of insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual and potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority or to comply with legal process. Health information may be shared by affiliates for the specific purpose of processing claims.-Additional insurance functions may be added with approval of the Commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.
(a) A valid authorization to disclose nonpublic personal health information pursuant to this Article V shall be in written or electronic form and shall contain all of the following:
(i) The identity of the consumer or customer who is the subject of the nonpublic personal health information; and
(ii) A general description of the types of nonpublic personal health information to be disclosed.
(b) Requirements.
(i) The signature of the consumer or customer who is the subject of the nonpublic personal health information, or the individual legally empowered to grant authority, and the date signed and
(ii) Notice of the length of time the authorization is valid, that the consumer or customer may revoke the authorization at any time, and the procedure for making a revocation.
(c) An authorization for purposes of Article V shall specify a length of time the authorization shall remain valid, which in no event shall be for more than twenty-four (24) months.
(d) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to Article V at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.
(e) A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information.
Section 20. Authorization Request Delivery. A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-out notice pursuant to section 10, provided the request and authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or customer or included in any other notices unless the licensee intends to disclose protected health information pursuant to section 17.
Section 20. Information Security Program. Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for protecting customer information. The information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
(a) A licensee’s information security program shall be designed to:
(i) Ensure the security and confidentiality of customer information;
(ii) Protect against any anticipated threats or hazards to the security or integrity of the information; and
(iii) Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
(a) In assessing the risk, the licensee:
(i) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(ii) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
(iii) Assesses the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.
(b) In managing and controlling the risk, the licensee:
(i) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee’s activities;
(ii) Trains staff, as appropriate, to implement the licensee’s information security program; and
(iii) Regularly tests or otherwise regularly monitors the key controls, systems, and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee’s risk assessment.
(c) In overseeing the service provider arrangements, the licensee:
(i) Exercises appropriate due diligence in selecting its service providers; and
(ii) Requires its service providers to implement appropriate measures designed to meet the objectives of this regulation, and, where indicated by the licensee’s risk assessment, takes appropriate steps to confirm its service providers have satisfied these obligations.
(d) In adjusting the program, the licensee:
(i) Monitors, evaluates, and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
Section 24. Protection of Fair Credit Reporting Act. Nothing in this regulation shall be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(a) A licensee shall not unfairly discriminate against any consumer or customer who has opted-out from the disclosure of his nonpublic personal financial information pursuant to this regulation.
(b) A licensee shall not unfairly discriminate against a consumer or customer who has not granted authorization for the disclosure of his nonpublic personal health information pursuant to this regulation.
Section 26. Effective Date. This regulation shall be effective upon filing with the Secretary of State.