CHAPTER Ins 3000 PRIVACY OF CONSUMER FINANCIAL AND HEALTH INFORMATION
Statutory Authority: RSA 400-A:15, I; RSA 406-C:16
PART Ins 3001 NONPUBLIC PERSONAL HEALTH AND FINANCIAL INFORMATION
Ins 3001.01 Purpose.
(a) This rule
governs the treatment of nonpublic personal health information and nonpublic
personal financial information about individuals by all licensees of the state
insurance department. This rule:
(1) Requires a licensee to provide notice to
individuals about its privacy policies and practices;
(2) Describes the conditions
under which a licensee may disclose nonpublic personal health information and
nonpublic personal financial information about individuals to affiliates and
nonaffiliated third parties; and
(3) Provides methods for individuals to prevent a
licensee from disclosing that information.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3001.02 Scope.
(a) This rule
applies to:
(1) Nonpublic personal financial information
about individuals who obtain or are claimants or beneficiaries of products or
services primarily for personal, family, or household purposes from
licensees. This rule does not apply to
information about companies or about individuals who obtain products or
services for business, commercial, or agricultural purposes; and
(2) All nonpublic personal health information.
(b) Compliance. A licensee domiciled in this state that is in
compliance with this rule in a state that has not enacted laws or regulations
that meet the requirements of Title V of the Gramm-Leach-Bliley Act (PL
102-106) may nonetheless be deemed to be in compliance with Title V of the
Gramm-Leach-Bliley Act in the other state.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3001.03 Rule of Construction. The examples in
this rule and the sample clauses in Appendix A and the Federal Model Privacy
Form in Appendix B of this rule are not exclusive. Compliance with an example or use of a sample
clause or the Federal Privacy Model Form, to the extent applicable, constitutes
compliance with this rule. Licensees may
rely on use of the Federal Privacy Form in Appendix B, consistent with the
attached instructions, as a safe harbor of compliance with the privacy notice
content requirements of this regulation.
Use of the Federal Model Privacy Form is not required. Licensees may continue to use other types of
privacy notices, including notices that contain the examples in this regulation
and/or the sample clauses in Appendix A, provided that such notices accurately
describe the Licensee’s privacy practices and otherwise meet the notice content
requirements of this regulation.
However, while Licensees may continue to use privacy notices that
contain the examples in this regulation and/or the sample clauses in Appendix
A, Licensees may not rely on use of privacy notices with the sample clauses in
Appendix A as a safe harbor of compliance with the notice content requirements
of this regulation after July 1, 2019.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3001.04 Definitions. As used in this rule, unless the context
requires otherwise:
(a) “Affiliate”
means any company that controls, is controlled by, or is under common control
with another company.
(b) (1) “Clear and conspicuous” means that a notice
is reasonably understandable and designed to call attention to the nature and
significance of the information in the notice; and
(2) Examples:
a. Reasonably understandable. A licensee makes
its notice reasonably understandable if it:
1. Presents the information in the notice in
clear, concise sentences, paragraphs, and sections;
2. Uses short explanatory sentences or bullet lists
whenever possible;
3. Uses definite, concrete, everyday words and
active voice whenever possible;
4. Avoids multiple negatives;
5. Avoids legal and highly technical business
terminology whenever possible; and
6. Avoids explanations that are imprecise
and readily subject to different interpretations;
b. Designed to call attention. A licensee
designs its notice to call attention to the nature and significance of the
information in it if the licensee:
1. Uses a plain-language heading to call attention
to the notice;
2. Uses a typeface and type size that are easy
to read;
3. Provides wide margins and ample line spacing;
4. Uses boldface or italics for key words; and
5. In a form that combines the licensee’s notice
with other information, uses distinctive type size, style, and graphic devices,
such as shading or sidebars; and
c. Notices on web sites. If a licensee provides a notice on a web
page, the licensee designs its notice to call attention to the nature and
significance of the information in it if the licensee uses text or visual cues
to encourage scrolling down the page if necessary to view the entire notice and
ensure that other elements on the web site (such as text, graphics, hyperlinks,
or sound) do not distract attention from the notice, and the licensee either:
1. Places the notice on a screen that consumers
frequently access, such as a page on which transactions are conducted; or
2. Places a link on a screen that consumers
frequently access, such as a page on which transactions are conducted, that
connects directly to the notice and is labeled appropriately to convey the
importance, nature, and relevance of the notice.
(c) “Collect” means
to obtain information that the licensee organizes or can retrieve by the name
of an individual or by identifying number, symbol, or other identifying
particular assigned to the individual, irrespective of the source of the
underlying information.
(d) “Commissioner”
means the insurance commissioner of the state.
(e) “Company” means corporation,
limited liability company, business trust, general or limited partnership,
association, sole proprietorship, or similar organization.
(f) (1) “Consumer” means an individual who seeks to
obtain, obtains or has obtained an insurance product or service from a licensee
that is to be used primarily for personal, family, or household purposes, and
about whom the licensee has nonpublic personal information, or that
individual’s legal representative; and
(2) Examples:
a. An individual who provides nonpublic personal
information to a licensee in connection with obtaining or seeking to obtain
financial, investment or economic advisory services relating to an insurance
product or service is a consumer regardless of whether the licensee establishes
an ongoing advisory relationship;
b. An applicant for insurance prior to the
inception of insurance coverage is a licensee’s consumer;
c. An individual who is a consumer of another
financial institution is not a licensee’s consumer solely because the licensee
is acting as agent for, or provides processing or other services to, that
financial institution;
d. An individual is a licensee’s consumer if:
1. The individual is a beneficiary of a life
insurance policy underwritten by the licensee;
2. The individual is a claimant under an
insurance policy issued by the licensee;
3. The individual is an insured or an annuitant
under an insurance policy or an annuity, respectively, issued by the licensee;
or
4. The individual is a mortgagor of a mortgage
covered under a mortgage insurance policy; and
5. The licensee discloses
nonpublic personal financial information about the individual to a
nonaffiliated third party other than as permitted under Ins 3004.01, Ins
3004.02 and Ins 3004.03;
e. Provided that the licensee provides the
initial, annual and revised notices under Ins 3002.01, Ins 3002.02, and Ins
3002.05 to the plan sponsor, group or blanket insurance policyholder or group
annuity contractholder, or workers’ compensation
policyholder, and further provided that the licensee does not disclose to a
nonaffiliated third party nonpublic personal financial information about an
individual described in 1., 2., and 3. below, other than as permitted under Ins
3004.01, Ins 3004.02, and Ins 3004.03, such an individual is not the consumer
of the licensee solely because he or she is:
1. A participant or a beneficiary of an employee
benefit plan that the licensee administers or sponsors or for which the
licensee acts as a trustee, insurer or fiduciary;
2. Covered under a group or blanket insurance
policy or group annuity contract issued by the licensee; or
3. A claimant covered by a workers’ compensation
plan;
f. 1. The
individuals described in subparagraphs e.1. through 3. above are consumers of a
licensee if the licensee does not meet all the conditions of subparagraph e.
above;
2. In no event shall the individuals, solely by
virtue of the status described in subparagraphs e.1. through 3.
above, be deemed to be customers for purposes of this rule;
g. An individual is not a licensee’s consumer
solely because he or she is a beneficiary of a trust for which the licensee is
a trustee; and
h. An individual is not a licensee’s consumer
solely because he or she has designated the licensee as trustee for a trust.
(g) “Consumer
reporting agency” has the same meaning as in Section 603(f) of the federal Fair
Credit Reporting Act (15 U.S.C. 1681a(f)).
(h) “Control” means:
(1) Ownership, control, or power to vote 25
percent or more of the outstanding shares of any class of voting security of
the company, directly or indirectly, or acting through one or more other
persons;
(2) Control in any manner over the election of a
majority of the directors, trustees, or general partners (or individuals
exercising similar functions) of the company; or
(3) The power to exercise, directly or
indirectly, a controlling influence over the management of policies of the
company, as the commissioner determines.
(i) “Customer” means a consumer who has a
customer relationship with a licensee.
(j) (1) “Customer relationship” means a continuing
relationship between a consumer and a licensee under which the licensee
provides one or more insurance products or services to the consumer that are to
be used primarily for personal, family, or household purposes; and
(2) Examples:
a. A consumer has a continuing relationship with
a licensee if:
1. The consumer is a current policyholder of an
insurance product issued by or through the licensee; or
2. The consumer obtains financial, investment,
or economic advisory services relating to an insurance product or service from
the licensee for a fee; and
b. A consumer does not have a continuing
relationship with a licensee if:
1. The consumer applies for insurance but does
not purchase the insurance;
2. The licensee sells the consumer airline
travel insurance in an isolated transaction;
3. The individual is no longer a current
policyholder of an insurance product or no longer obtains insurance services
with or through the licensee;
4. The consumer is a beneficiary or claimant
under a policy and has submitted a claim under a policy choosing a settlement
option involving an ongoing relationship with the licensee;
5. The consumer is a beneficiary or a claimant
under a policy and has submitted a claim under that policy choosing a lump sum
settlement option;
6. The customer’s policy is lapsed, expired, or
otherwise inactive or dormant under the licensee’s business practices, and the
licensee has not communicated with the customer about the relationship for a
period of 12 consecutive months, other than annual privacy notices, material
required by law or regulation, communication at the direction of a state or
federal authority, or promotional materials;
7. The individual is an insured or an annuitant
under an insurance policy or annuity, respectively, but is not the policyholder
or owner of the insurance policy or annuity; or
8. For the purposes of this rule, the
individual’s last known address according to the licensee’s records is deemed
invalid. An address of record is deemed
invalid if mail sent to that address by the licensee has been returned by the
postal authorities as undeliverable and if subsequent attempts by the licensee
to obtain a current valid address for the individual have been unsuccessful.
(k) (1) “Financial institution” means any institution
the business of which is engaging in activities that are financial in nature or
incidental to such financial activities as described in Section 4(k) of the
Bank Holding Company Act of 1956 (12 U.S.C. 1843 (k)).
(2) Financial institution does not include:
a. Any person or entity with respect to any
financial activity that is subject to the jurisdiction of the Commodity Futures
Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
b. The Federal Agricultural Mortgage Corporation
or any entity charged and operating under the Farm Credit Act of 1971 (12
U.S.C. 2001 et seq.); or
c. Institutions chartered by Congress
specifically to engage in securitizations, secondary market sales (including
sales of servicing rights) or similar transactions related to a transaction of
a consumer, as long as the institutions do not sell or transfer nonpublic
personal information to a nonaffiliated third party.
(l) (1) “Financial product or service” means any
product or service that a financial holding company could offer by engaging in
an activity that is financial in nature or incidental to such a financial
activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843
(k)); and
(2) Financial service includes a financial
institution’s evaluation or brokerage of information that the financial
institution collects in connection with a request or an application from a
consumer for a financial product or service.
(m) “Health care”
means:
(1) Preventive, diagnostic, therapeutic,
rehabilitative, maintenance, or palliative care, services, procedures, tests,
or counseling that:
a. Relates to the physical, mental, or
behavioral condition of an individual; or
b. Affects the structure or
function of the human body or any part of the human body, including the banking
of blood, sperm, organs, or any other tissues; or
(2) Prescribing, dispensing, or furnishing to an
individual drugs or biologicals, or medical devices or health care equipment
and supplies.
(n) “Health care
provider” means a physician or other health care practitioner licensed,
accredited or certified to perform specified health services consistent with
state law or a health care facility.
(o) “Health
information” means any information or data except age or gender, whether oral
or recorded in any form or medium, created by or derived from a health care
provider or the consumer that relates to:
(1) The past, present or future physical, mental
or behavioral health or condition of an individual;
(2) The provision of health care to an
individual; or
(3) Payment for the provisions of health care to
an individual.
(p) (1) “Insurance product or service” means any
product or service that is offered by a licensee pursuant to the insurance laws
of this state; and
(2) “Insurance services”
includes a licensee’s evaluation, brokerage, or distribution of information
that the licensee collects in connection with a request or an application from
a consumer for an insurance product or service.
(q) (1) “Licensee” means all licensed insurers,
producers and other persons licensed or required to be licensed or authorized
or required to be authorized, or registered or required to be registered
pursuant to the provisions of Title XXXVII;
(2) A licensee is not subject to the notice and
opt out requirements for nonpublic personal financial information set forth in
Ins 3001, Ins 3002, Ins 3003 and Ins 3004 of this rule if the licensee is an employee,
agent or other representative of another licensee (“the principal”) and:
a. The principal otherwise
complies with, and provides the notices required by, the provisions of this
rule; and
b. The licensee does not disclose any nonpublic
personal information to any person other than the principal or its affiliates
in a manner permitted by this rule; and
(3) a. Subject to b. below, “licensee” shall also include an unauthorized
insurer that accepts business placed through a licensed excess lines broker in
this state, but only in regard to the excess lines placements placed pursuant
to RSA 405:24 through RSA 405:31 and RSA 405-A; and
b. An excess lines broker or excess lines
insurer shall be deemed to be in compliance with the notice and opt out requirements
for nonpublic personal financial information set forth in Ins 3001, Ins 3002,
Ins 3003, and Ins 3004 of this regulation provided:
1. The broker or insurer does not disclose
nonpublic personal information of a consumer or a customer to nonaffiliated
third parties for any purpose, including joint servicing or marketing under Ins
3004.01 of this rule, except as permitted by Ins 3004.02 and Ins 3004.03 of
this rule; and
2. The broker or insurer delivers a notice to
the consumer at the time a customer relationship is established on which the
following is printed in 16-point type:
PRIVACY NOTICE
“NEITHER THE U.S. BROKERS
THAT HANDLED THIS INSURANCE
NOR THE INSURERS THAT HAVE
UNDERWRITTEN THIS INSURANCE
WILL DISCLOSE NONPUBLIC
PERSONAL INFORMATION CONCERNING
THE BUYER TO NONAFFILIATES
OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW.”
(r) (1) “Nonaffiliated third party” means any person
except:
a. A licensee’s affiliate; or
b. A person employed jointly by a licensee and
any company that is not the licensee’s affiliate (but nonaffiliated third party
includes the other company that jointly employs the person); and
(2) Nonaffiliated third party includes any
company that is an affiliate solely by virtue of the direct or indirect
ownership or control of the company by the licensee or its affiliate in
conducting merchant banking or investment banking activities of the type
described in section 4(k)(4)(H) or insurance company investment activities of
the type described in section 4(k)(4)(I) of the federal Bank Holding Company
Act (12 U.S.C. 1843(k)(4)(H) and (I)).
(s) “Nonpublic
personal information” means nonpublic personal financial information and
nonpublic personal health information.
(t) (1) “Nonpublic personal financial information”
means:
a. Personally identifiable financial
information; and
b. Any list, description, or other grouping of
consumers (and publicly available information pertaining to them) that is
derived using any personally identifiable financial information that is not
publicly available; and
(2) Nonpublic personal financial information does
not include:
a. Health information;
b. Publicly available information, except as
included on a list described in paragraph (t) (1)b. above; or
c. Any list, description, or other grouping of
consumers (and publicly available information pertaining to them) that is
derived without using any personally identifiable financial information that is
not publicly available; and
(3) Examples of lists:
a. Nonpublic personal financial information
includes any list of individuals’ name and street addresses that is derived in
whole or in part using personally identifiable financial information that is
not publicly available, such as account numbers; and
b. Nonpublic personal financial information does
not include any list of individuals’ names and addresses that contains only
publicly available information, is not derived in whole or in part using
personally identifiable financial information that is not publicly available, and
is not disclosed in a manner that indicates that any of the individuals on the
list is a consumer of a financial institution.
(u) “Nonpublic
personal health information” means health information:
(1) That identifies an individual who is the
subject of the information; or
(2) With respect to which there is a reasonable
basis to believe that the information could be used to identify an individual.
(v) (1) “Personally identifiable financial
information” means any information:
a. A consumer provides to a licensee to obtain
an insurance product or service from the licensee;
b. About a consumer resulting from a transaction
involving an insurance product or service between a licensee and a consumer; or
c. The licensee otherwise
obtains about a consumer in connection with providing an insurance product or
service to that consumer; and
(2) Examples:
a. Information included. Personally identifiable
financial information includes:
1. Information a consumer
provides to a licensee on an application to obtain an insurance product or
service;
2. Account balance information and payment
history;
3. The fact that an
individual is or has been one of the licensee’s customers or has obtained an
insurance product or service from the licensee;
4. Any information about the licensee’s consumer
if it is disclosed in a manner that indicates that the individual is or has
been the licensee’s consumer;
5. Any information that a consumer provides to a
licensee or that the licensee or its agent otherwise obtains in connection with
collecting on a loan or servicing a loan;
6. Any information the licensee collects through
an Internet “cookie” (an information collecting device from a web server); and
7. Information from a consumer report; and
b. Information not included. Personally identifiable financial information
does not include:
1. Health information;
2. A list of names and
addresses of customers of an entity that is not a financial institution; and
3. Information that does not identify a
consumer, such as aggregate information or blind data that does not contain
personal identifiers such as account numbers, names, or addresses.
(w) (1) “Publicly available information” means any
information that a licensee has a reasonable basis to believe is lawfully made
available to the general public from:
a. Federal, state or local government records;
b. Widely distributed media; or
c. Disclosures to the general public that are
required to be made by federal, state or local law;
(2) Reasonable basis. A licensee has a reasonable
basis to believe that information is lawfully made available to the general
public if the licensee has taken steps to determine:
a. That the information is of the type that is
available to the general public; and
b. Whether an individual can direct that the
information not be made available to the general public and, if so, that the
licensee’s consumer has not done so; and
(3) Examples:
a. Government records. Publicly available information in government
records includes information in government real estate records and security
interest filings;
b. Widely distributed media. Publicly available
information from widely distributed media includes information from a telephone
book, a television or radio program, a newspaper, or a web site that is
available to the general public on an unrestricted basis. A web site is not restricted merely because
an Internet service provider or a site operator requires a fee or a password,
so long as access is available to the general public;
c. Reasonable basis:
1. A licensee has a reasonable basis to believe
that mortgage information is lawfully made available to the general public if
the licensee has determined that the information is of the type included on the
public record in the jurisdiction where the mortgage would be recorded; and
2. A licensee has a reasonable basis to believe
that an individual’s telephone number is lawfully made available to the general
public if the licensee has located the telephone number in the telephone book
or the consumer has informed you that the telephone number is not unlisted.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
PART Ins 3002 PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION
Ins 3002.01 Initial Privacy Notice to Consumers Required.
(a) Initial notice
requirement. A licensee shall provide a clear and conspicuous notice that
accurately reflects its privacy policies and practices to:
(1) Customer.
An individual who becomes the licensee’s customer, not later than when
the licensee establishes a customer relationship, except as provided in (e)
below; and
(2) Consumer. A consumer,
before the licensee discloses any nonpublic personal financial information
about the consumer to any nonaffiliated third party, if the licensee makes a
disclosure other than as authorized by Ins 3004.02 and Ins 3004.03.
(b) When initial
notice to a consumer is not required. A
licensee is not required to provide an initial notice to a consumer under (a)(2)
above if:
(1) The licensee does not
disclose any nonpublic personal financial information about the consumer to any
nonaffiliated third party, other than as authorized by Ins 3004.02 and Ins
3004.03, and the licensee does not have a customer relationship with the
consumer; or
(2) A notice has been provided by an affiliated
licensee, as long as the notice clearly identifies all licensees to whom the
notice applies and is accurate with respect to the licensee and the other
institutions.
(c) When the
licensee establishes a customer relationship:
(1) General rule.
A licensee establishes a customer relationship at the time the licensee
and the consumer enter into a continuing relationship;
(2) Examples of establishing customer relationship.
A licensee establishes a customer relationship when the consumer:
a. Becomes a policyholder of a licensee that is
an insurer when the insurer delivers an insurance policy or contract to the
consumer, or in the case of a licensee that is an insurance producer or
insurance broker, obtains insurance through that licensee; or
b. Agrees to obtain financial, economic or
investment advisory services relating to insurance products or services for a
fee from the licensee.
(d) Existing
customers. When an existing customer
obtains a new insurance product or service from a licensee that is to be used
primarily for personal, family or household purposes, the licensee satisfies
the initial notice requirements of (a) above as follows:
(1) The licensee may provide
a revised policy notice, under Ins 3002.05, that covers the customer’s new
insurance product or service; or
(2) If the initial, revised,
or annual notice that the licensee most recently provided to that customer was
accurate with respect to the new insurance product or service, the licensee
does not need to provide a new privacy notice under (a) above.
(e) Exceptions to
allow subsequent delivery of notice:
(1) A licensee may provide the initial notice
required by (a) above within a reasonable time after the licensee establishes a
customer relationship if:
a. Establishing the customer relationship is not
at the customer’s election; or
b. Providing notice not
later than when the licensee establishes a customer relationship would
substantially delay the customer’s transaction and the customer agrees to
receive the notice at a later time; and
(2) Examples of exceptions:
a. Not at customer’s election. Establishing a customer relationship is not
at the customer’s election if a licensee acquires or is assigned a customer’s
policy from another financial institution or residual market mechanism and the
customer does not have a choice about the licensee’s acquisition or assignment;
b. Substantial delay of
customer’s transaction. Providing notice
not later than when a licensee establishes a customer relationship would
substantially delay the customer’s transaction when the licensee and the
individual agree over the telephone to enter into a customer relationship
involving prompt delivery of the insurance product or service; and
c. No substantial delay of customer’s
transaction. Providing notice not later
than when a licensee establishes a customer relationship would not
substantially delay the customer’s transaction when the relationship is
initiated in person at the licensee’s office or through other means by which
the customer may view the notice, such as on a web site.
(f) Delivery. When a licensee is required to deliver an
initial privacy notice by this section, the licensee shall deliver it according
to Ins 3002.06. If the licensee uses a
short-form initial notice for non-customers according to Ins 3002.03(d), the
licensee may deliver its privacy notice according to Ins 3002.03(d)(3).
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3002.02 Annual Privacy Notice to Customers Required.
(a) (1) General rule.
A licensee shall provide a clear and conspicuous notice to customers
that accurately reflects its privacy policies and practices not less than
annually during the continuation of the customer relationship. Annually means
at least once in any period of 12 consecutive months during which that
relationship exists. A licensee may
define the 12-consecutive-month period, but the licensee shall apply it to the
customer on a consistent basis; and
(2) Example:
A licensee provides a notice annually if it defines the
12-consecutive-month period as a calendar year and provides the annual notice
to the customer once in each calendar year following the calendar year in which
the licensee provided the initial notice.
For example, if a customer opens an account on any day of year 1, the
licensee shall provide an annual notice to that customer by December 31 of year
2.
(b) Exception to
general rule. A licensee that provides
nonpublic personal information to nonaffiliated third parties only in
accordance with Ins 3004.01, Ins 3004.02, or Ins 3004.03 and has not changed
its policies and practices with regard to disclosing nonpublic personal
information from the policies and practices that were disclosed in the most
recent disclosure sent to consumers in accordance with this section or Ins
3002.01 shall not be required to provide an annual disclosure under this
section until such time as the licensee fails to comply with any criteria
described in this paragraph.
(c) (1) Termination of customer relationship. A licensee is not required to provide an
annual notice to a former customer. A
former customer is an individual with whom a licensee no longer has a continuing
relationship; and
(2) Examples:
a. A licensee no longer has a continuing
relationship with an individual if the individual no longer is a current
policyholder of an insurance product or no longer obtains insurance services
with or through the licensee;
b. A licensee no longer has a continuing
relationship with an individual if the individual’s policy is lapsed, expired,
paid up or otherwise inactive or dormant under the licensee’s business
practices, and the licensee has not communicated with the customer about the
relationship for a period of 12 consecutive months, other than annual privacy
notices, material required by law or regulation, or promotional materials;
c. For the purposes of this rule, a licensee no
longer has a continuing relationship with an individual if the individual’s
last known address according to the licensee’s records is deemed invalid. An
address of record is deemed invalid if mail sent to that address by the
licensee has been returned by the postal authorities as undeliverable and if
subsequent attempts by the licensee to obtain a current valid address for the
individual have been unsuccessful; and
d. A licensee no longer has a continuing
relationship with a customer, in the case of providing real estate settlement
services, at the time the customer completes execution of all documents related
to the real estate closing, payment for those services has been received, or
the licensee has completed all of its responsibilities with respect to the
settlement, including filing documents on the public record, whichever is
later.
(d) Delivery. When a licensee is required by this section
to deliver an annual privacy notice, the licensee shall deliver it according to
Ins 3002.06.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3002.03 Information to be Included in Privacy Notices.
(a) General
rule. The initial, annual and revised
privacy notices that a licensee provides under Ins 3002.01, Ins 3002.02, and
Ins 3002.05 shall include each of the following items of information, in
addition to any other information the licensee wishes to provide, that applies
to the licensee and to the consumers to whom the licensee sends its privacy
notice:
(1) The categories of nonpublic personal
financial information that the licensee collects;
(2) The categories of nonpublic personal
financial information that the licensee discloses;
(3) The categories of affiliates and
nonaffiliated third parties to whom the licensee discloses nonpublic personal
financial information, other than those parties to whom the licensee discloses
information under Ins 3004.02 and Ins 3004.03;
(4) The categories of
nonpublic personal financial information about the licensee’s former customers
that the licensee discloses and the categories of affiliates and nonaffiliated
third parties to whom the licensee discloses nonpublic personal financial
information about the licensee’s former customers, other than those parties to
whom the licensee discloses information under Ins 3004.02 and Ins 3004.03;
(5) If a licensee discloses nonpublic personal
financial information to a nonaffiliated third party under Ins 3004.01 (and no
other exception in Ins 3004.02 and Ins 3004.03 applies to that disclosure), a
separate description of the categories of information the licensee discloses
and the categories of third parties with whom the licensee has contracted;
(6) An explanation of the consumer’s rights under
Ins 3003.01(a) to opt out of the disclosure of nonpublic personal financial
information to nonaffiliated third parties, including the method(s) by which
the consumer may exercise that right at that time;
(7) Any disclosures that the licensee makes under
Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C.
1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of
disclosures of information among affiliates);
(8) The licensee’s policies and practices with
respect to protecting the confidentiality and security of nonpublic personal
information; and
(9) Any disclosure that the licensee makes under
(b) below.
(b) Description of
parties subject to exceptions. If a
licensee discloses nonpublic personal financial information as authorized under
Ins 3004.02 and Ins 3004.03, the licensee is not required to list those
exceptions in the initial or annual privacy notices required by Ins 3002.01 and
Ins 3002.02. When describing the
categories of parties to whom disclosure is made, the licensee is required to
state only that it makes disclosures to other affiliated or nonaffiliated third
parties, as applicable, as permitted by law.
(c) Examples:
(1) Categories of nonpublic personal financial
information that the licensee collects.
A licensee satisfies the requirement to categorize nonpublic personal
financial information it collects if the licensee categorizes it according to
the source of the information, as applicable:
a. Information from the consumer;
b. Information about the consumer’s transactions
with the licensee or its affiliates;
c. Information about the consumer’s transactions
with nonaffiliated third parties; and
d. Information from a consumer reporting agency;
(2) Categories of nonpublic personal financial
information a licensee discloses.
a. A licensee satisfies the
requirement to categorize nonpublic personal financial information it discloses
if the licensee categorizes the information according to source, as described
in (c)(1) above, as applicable, and provides a few examples to illustrate the
types of information in each category.
These might include:
1. Information from the consumer, including
application information, such as assets and income and identifying information,
such as name, address, and social security number;
2. Transaction information, such as information
about balances, payment history, and parties to the transaction; and
3. Information from consumer reports, such as a
consumer’s creditworthiness and credit history;
b. A licensee does not adequately categorize the
information that it discloses if the licensee uses only general terms, such as
transaction information about the consumer; and
c. If a licensee reserves
the right to disclose all of the nonpublic personal financial information about
consumers that it collects, the licensee may simply state that fact without
describing the categories or examples of nonpublic personal information that
the licensee discloses;
(3) Categories of affiliates and nonaffiliated
third parties to whom the licensee discloses.
a. A licensee satisfies the requirement to
categorize the affiliates and nonaffiliated third parties to which the licensee
discloses nonpublic personal financial information about consumers if the
licensee identifies the types of businesses in which they engage;
b. Types of businesses may be described by
general terms only if the licensee uses a few illustrative examples of
significant lines of business. For
example, a licensee may use the term financial products or services if it includes
appropriate examples of significant lines of businesses, such as life insurer,
automobile insurer, consumer banking or securities brokerage; and
c. A licensee also may categorize the affiliates
and nonaffiliated third parties to which it discloses nonpublic personal
financial information about consumers using more detailed categories;
(4) Disclosures under exception for service
providers and joint marketers. If a
licensee discloses nonpublic personal financial information under the exception
in Ins 3004.01 to a nonaffiliated third party to market products or services
that it offers alone or jointly with another financial institution, the
licensee satisfies the disclosure requirement of (a)(5) above if it:
a. Lists the categories of nonpublic personal
financial information it discloses, using the same categories and examples the
licensee used to meet the requirements of (a)(2) above, as applicable; and
b. States whether the third party is:
1. A service provider that performs marketing
services on the licensee’s behalf or on behalf of the licensee and another
financial institution; or
2. A financial institution with whom the
licensee has a joint marketing agreement;
(5) Simplified notices. If a licensee does not disclose, and does not
wish to reserve the right to disclose, nonpublic personal financial information
about customers or former customers to affiliates or nonaffiliated third
parties except as authorized under Ins 3004.02 and Ins 3004.03, the licensee
may simply state that fact, in addition to the information it shall provide
under (a)(1), (a)(8), (a)(9) and (b) above; and
(6) Confidentiality and security. A licensee
describes its policies and practices with respect to protecting the
confidentiality and security of nonpublic personal financial information if it
does both of the following:
a. Describes in general terms who is authorized
to have access to the information; and
b. States whether the licensee has security
practices and procedures in place to ensure the confidentiality of the
information in accordance with the licensee’s policy. The licensee is not required to describe
technical information about the safeguards it uses.
(d) Short-form
initial notice with opt out notice for non-customers:
(1) A licensee may satisfy the initial notice
requirements in Ins 3002.01(a)(2) and Ins 3002.04(d) for a consumer who is not
a customer by providing a short-form initial notice at the same time as the
licensee delivers an opt out notice as required in Ins 3002.04;
(2) A short-form initial notice shall:
a. Be clear and conspicuous;
b. State that the licensee’s privacy notice is
available upon request; and
c. Explain a reasonable means by which the
consumer may obtain that notice;
(3) The licensee shall deliver its short-form
initial notice according to Ins 3002.06.
The licensee is not required to deliver its privacy notice with its
short-form initial notice. The licensee
instead may simply provide the consumer a reasonable means to obtain its
privacy notice. If a consumer who
receives the licensee’s short-form notice requests the licensee’s privacy
notice, the licensee shall deliver its privacy notice according to Ins 3002.06; and
(4) Examples of obtaining privacy notice. The licensee provides a reasonable means by
which a consumer may obtain a copy of its privacy notice if the licensee:
a. Provides a toll-free telephone number that
the consumer may call to request the notice; or
b. For a consumer who conducts business in
person at the licensee’s office, maintains copies of the notice on hand that
the licensee provides to the consumer immediately upon request.
(e) Future
disclosures. The licensee’s notice may
include:
(1) Categories of nonpublic personal financial
information that the licensee reserves the right to disclose in the future, but
does not currently disclose; and
(2) Categories of affiliates or nonaffiliated
third parties to whom the licensee reserves the right in the future to
disclose, but to whom the licensee does not currently disclose, nonpublic
personal financial information.
(f) Sample clauses
and Federal Model Privacy Form. Sample
clauses illustrating some of the notice content required by this section and
the Federal Model Privacy Form are included in Appendix A and Appendix B,
respectively, of this rule.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3002.04 Form of Opt Out Notice to Consumers and Opt Out Methods.
(a) (1) Form of opt out notice. If a licensee is
required to provide an opt out notice under Ins 3003.01(a), it shall provide a
clear and conspicuous notice to each of its consumers that accurately explains
the right to opt out under that section. The notice shall state:
a. That the licensee discloses or reserves the
right to disclose nonpublic personal financial information about its consumer
to a nonaffiliated third party;
b. That the consumer has the right to opt out of
that disclosure; and
c. A reasonable means by which the consumer may
exercise the opt out right; and
(2) Examples:
a. Adequate opt out notice. A licensee provides
adequate notice that the consumer can opt out of the disclosure of nonpublic
personal financial information to a nonaffiliated third party if the licensee:
1. Identifies all of the categories of nonpublic
personal financial information that it discloses or reserves the right to
disclose, and all of the categories of nonaffiliated third parties to which the
licensee discloses the information, as described in Ins 3002.03(a)(2) and (3)
above, and states that the consumer can opt out of the disclosure of that
information; and
2. Identifies the insurance products or services
that the consumer obtains from the licensee, either singly or jointly, to which
the opt out direction would apply;
b. Reasonable opt out means. A licensee provides a reasonable means to
exercise an opt out right if it:
1. Designates check-off boxes in a prominent
position on the relevant forms with the opt out notice;
2. Includes a reply form together with the opt
out notice;
3. Provides an electronic means to opt out, such
as a form that can be sent via electronic mail or a process at the licensee’s
web site, if the consumer agrees to the electronic delivery of information; or
4. Provides a toll-free telephone number that
consumers may call to opt out;
c. Unreasonable opt out means. A licensee does
not provide a reasonable means of opting out if:
1. The only means of opting out is for the
consumer to write his or her own letter to exercise that opt out right; or
2. The only means of opting out as described in
any notice subsequent to the initial notice is to use a check-off box that the
licensee provided with the initial notice but did not include with the
subsequent notice; and
d. Specific opt out means. A licensee may require each consumer to opt
out through a specific means, as long as that means is reasonable for that
consumer.
(b) Same form as
initial notice permitted. A licensee may provide the opt out notice together
with or on the same written or electronic form as the initial notice the
licensee provides in accordance with Ins 3002.01.
(c) Initial notice
required when opt out notice delivered subsequent to initial notice. If a licensee provides the opt out notice
later than required for the initial notice in accordance with Ins 3002.01, the
licensee shall also include a copy of the initial notice with the opt out
notice in writing or, if the consumer agrees, electronically.
(d) Joint
relationships:
(1) If 2 or more consumers jointly obtain an
insurance product or service from a licensee, the licensee may provide a single
opt out notice. The licensee’s opt out
notice shall explain how the licensee will treat an opt out direction by a
joint consumer (as explained in paragraph (5) below);
(2) Any of the joint consumers may exercise the
right to opt out. The licensee may
either:
a. Treat an opt out direction by a joint
consumer as applying to all of the associated joint consumers; or
b. Permit each joint consumer to opt out
separately;
(3) If a licensee permits each joint consumer to
opt out separately, the licensee shall permit one of the joint consumers to opt
out on behalf of all of the joint consumers;
(4) A licensee may not require all joint
consumers to opt out before it implements any opt out direction;
(5) Example.
If John and Mary are both named policyholders on a homeowner’s insurance
policy issued by a licensee and the licensee sends policy statements to John’s
address, the licensee may do any of the following, but it shall explain in its
opt out notice which opt out policy the licensee will follow:
a. Send a single opt out notice to John’s
address, but the licensee shall accept an opt out direction from either John or
Mary;
b. Treat an opt out direction by either John or
Mary as applying to the entire policy.
If the licensee does so and John opts out, the licensee may not require
Mary to opt out as well before implementing John’s opt out direction; and
c. Permit John and Mary to make different opt
out directions. If the licensee does so:
1. It shall permit John and Mary to opt out for
each other;
2. If both opt out, the licensee shall permit
both of them to notify it in a single response (such as on a form or through a
telephone call); and
3. If John opts out and Mary does not, the licensee
may only disclose nonpublic personal financial information about Mary, but not
about John and not about John and Mary jointly.
(e) Time to comply
with opt out. A licensee shall comply
with a consumer’s opt out direction as soon as reasonably practicable after the
licensee receives it.
(f) Continuing right
to opt out. A consumer may exercise the right to opt out at any time.
(g) Duration of
consumer’s opt out direction:
(1) A consumer’s direction to opt out under this
section is effective until the consumer revokes it in writing or, if the
consumer agrees, electronically; and
(2) When a customer relationship terminates, the
customer’s opt out direction continues to apply to the nonpublic personal
financial information that the licensee collected during or related to that
relationship. If the individual
subsequently establishes a new customer relationship with the licensee, the opt
out direction that applied to the former relationship does not apply to the new
relationship.
(h) Delivery. When a licensee is required to deliver an opt
out notice by this section, the licensee shall deliver it according to Ins
3002.06.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3002.05 Revised Privacy Notices.
(a) General rule.
Except as otherwise authorized in this rule, a licensee shall not, directly or
through an affiliate, disclose any nonpublic personal financial information
about a consumer to a nonaffiliated third party other than as described in the
initial notice that the licensee provided to that consumer under Ins 3002.01,
unless:
(1) The licensee has provided to the consumer a
clear and conspicuous revised notice that accurately describes its policies and
practices;
(2) The licensee has provided to the consumer a
new opt out notice;
(3) The licensee has given the consumer a
reasonable opportunity, before the licensee discloses the information to the
nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) Examples:
(1) Except as otherwise permitted by Ins 3004.01,
Ins 3004.02, and Ins 3004.03, a licensee shall provide a revised notice before
it:
a. Discloses a new category of nonpublic
personal financial information to any nonaffiliated third party;
b. Discloses nonpublic personal financial
information to a new category of nonaffiliated third party; or
c. Discloses nonpublic
personal financial information about a former customer to a nonaffiliated third
party, if that former customer has not had the opportunity to exercise an opt
out right regarding that disclosure; and
(2) A revised notice is not required if the
licensee discloses nonpublic personal financial information to a new
nonaffiliated third party that the licensee adequately described in its prior
notice.
(c) Delivery. When a licensee is required to deliver a
revised privacy notice by this section, the licensee shall deliver it according
to Ins 3002.06.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3002.06 Privacy Notices to Group Policyholders.
Unless a licensee is providing privacy notices directly to covered
individuals described in Ins 3001.04 (f)(2)e.1., 2., or 3., a licensee shall
provide initial, annual and revised notices to the plan sponsor, group or
blanket insurance policyholder or group annuity contractholder,
or workers’ compensation policyholder, in the manner described in Ins 3001.05
through Ins 3002.05, describing the licensee’s privacy practices with respect
to nonpublic personal information about individuals covered under the policies,
contracts or plans.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3002.07 Delivery.
(a) How to provide
notices. A licensee shall provide any notices that this rule requires so that
each consumer can reasonably be expected to receive actual notice in writing
or, if the consumer agrees, electronically.
(b) (1) Examples of reasonable expectation of actual
notice. A licensee may reasonably expect
that a consumer will receive actual notice if the licensee:
a. Hand-delivers a printed copy of the notice to
the consumer;
b. Mails a printed copy of the notice to the
last known address of the consumer separately or in a policy, billing, or other
written communication;
c. For a consumer who conducts transactions
electronically, posts the notice on the electronic site and requires the
consumer to acknowledge receipt of the notice as a necessary step to obtaining
a particular insurance product or service; and
d. For an isolated transaction with a consumer,
such as the licensee providing an insurance quote or selling the consumer
travel insurance, posts the notice and requires the consumer to acknowledge
receipt of the notice as a necessary step to obtaining the particular insurance
product or service; and
(2) Examples of unreasonable expectation of
actual notice. A licensee may not, however, reasonably expect that a consumer
will receive actual notice of its privacy policies and practices if it:
a. Only posts a sign in its office or generally
publishes advertisements of its privacy policies and practices; or
b. Sends the notice via electronic mail to a
consumer who does not obtain an insurance product or service from the licensee
electronically.
(c) Annual notices
only. A licensee may reasonably expect
that a customer will receive actual notice of the licensee’s annual privacy
notice if:
(1) The customer uses the
licensee’s web site to access insurance products and services electronically
and agrees to receive notices at the web site and the licensee posts its
current privacy notice continuously in a clear and conspicuous manner on the
web site; or
(2) The customer has requested that the licensee
refrain from sending any information regarding the customer relationship and
the licensee’s current privacy notice remains available to the customer upon
request.
(d) Oral description
of notice insufficient. A licensee may not provide any notice required by this
rule solely by orally explaining the notice, either in person or over the
telephone.
(e) Retention or
accessibility of notices for customers:
(1) For customers only, a licensee shall provide
the initial notice required by Ins 3002.01(a)(1), the annual notice required by
Ins 3002.02(a), and the revised notice required by Ins 3002.05 so that the
customer can retain them or obtain them later in writing or, if the customer
agrees, electronically; and
(2) Examples of retention or accessibility: A licensee
provides a privacy notice to the customer so that the customer can retain it or
obtain it later if the licensee:
a. Hand-delivers a printed copy of the notice to
the customer;
b. Mails a printed copy of the notice to the
last known address of the customer; or
c. Makes its current privacy notice available on
a web site (or a link to another web site) for the customer who obtains an
insurance product or service electronically and agrees to receive the notice at
the web site.
(f) Joint notice with
other financial institutions. A licensee
may provide a joint notice from the licensee and one or more of its affiliates
or other financial institutions, as identified in the notice, as long as the
notice is accurate with respect to the licensee and the other
institutions. A licensee also may
provide a notice on behalf of another financial institution.
(g) Joint
relationships. If 2 or more consumers
jointly obtain an insurance product or service from a licensee, the licensee
may satisfy the initial, annual, and revised notice requirements of Ins
3002.01(a), Ins 3002.02(a), and Ins 3002.05(a), respectively, by providing one
notice to those consumers jointly.
Source. #9922, eff 5-6-11 (from Ins 3002.06); ss by #12749, eff 5-6-19
Ins 3003.01 Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
(a) (1) Conditions for disclosure. Except as
otherwise authorized in this rule, a licensee may not, directly or through any
affiliate, disclose any nonpublic personal financial information about a
consumer to a nonaffiliated third party unless:
a. The licensee has provided to the consumer an
initial notice as required under Ins 3002.01;
b. The licensee has provided to the consumer an
opt out notice as required in Ins 3002.04;
c. The licensee has given the consumer a
reasonable opportunity, before it discloses the information to the
nonaffiliated third party, to opt out of the disclosure; and
d. The consumer does not opt out;
(2) Opt out definition:
Opt out means a direction by the consumer that the
licensee not disclose nonpublic personal financial information about that
consumer to a nonaffiliated third party, other than as permitted by Ins
3004.01, Ins 3004.02, and Ins 3004.03; and
(3) Examples of reasonable opportunity to opt
out: A licensee provides a consumer with a reasonable opportunity to opt out
if:
a. By mail. The licensee mails the notices
required in (a)(1) above to the consumer and allows the consumer to opt out by
mailing a form, calling a toll-free telephone number, or any other reasonable
means within 30 days from the date the licensee mailed the notices;
b. By electronic means. A customer opens an
on-line account with a licensee and agrees to receive the notices required in
(a)(1) above electronically, and the licensee allows the customer to opt out by
any reasonable means within 30 days after the date that the customer
acknowledges receipt of the notices in conjunction with opening the account; and
c. Isolated transaction with consumer. For an
isolated transaction such as providing the consumer with an insurance quote, a
licensee provides the consumer with a reasonable opportunity to opt out if the
licensee provides the notices required in (a)(1) above at the time of the
transaction and requests that the consumer decide, as a necessary part of the
transaction, whether to opt out before completing the transaction.
(b) Application of
opt out to all consumers and all nonpublic personal financial information:
(1) A licensee shall comply with this section,
regardless of whether the licensee and the consumer have established a customer
relationship; and
(2) Unless a licensee complies with this section,
the licensee may not, directly or through any affiliate, disclose any nonpublic
personal financial information about a consumer that the licensee has
collected, regardless of whether the licensee collected it before or after
receiving the direction to opt out from the consumer.
(c) Partial opt
out. A licensee may allow a consumer to
select certain nonpublic personal financial information or certain
nonaffiliated third parties with respect to which the consumer wishes to opt
out.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3003.02 Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information.
(a) (1) Information the licensee receives under an
exception. If a licensee receives
nonpublic personal financial information from a nonaffiliated financial
institution under an exception in Ins 3004.02 or Ins 3004.03 of this rule, the
licensee’s disclosure and use of that information is limited as follows:
a. The licensee may disclose the information to
the affiliates of the financial institution from which the licensee received
the information;
b. The licensee may disclose the information to
its affiliates, but the licensee’s affiliates may, in turn, disclose and use
the information only to the extent that the licensee may disclose and use the
information; and
c. The licensee may disclose
and use the information pursuant to an exception in Ins 3004.02 or Ins 3004.03
of this rule in the ordinary course of business to carry out the activity
covered by the exception under which the licensee received the information; and
(2) Example: If a licensee receives information
from a nonaffiliated financial institution for claims settlement purposes, the
licensee may disclose the information for fraud prevention or in response to a
properly authorized subpoena. The
licensee may not disclose that information to a third party for marketing
purposes or use that information for its own marketing purposes.
(b) (1) Information a licensee receives outside of an
exception. If a licensee receives
nonpublic personal financial information from a nonaffiliated financial
institution other than under an exception in Ins 3004.02 or Ins 3004.03 of this
rule, the licensee may disclose the information only:
a. To the affiliates of the
financial institution from which the licensee received the information;
b. To its affiliates, but its affiliates may, in
turn, disclose the information only to the extent that the licensee may
disclose the information; and
c. To any other person, if the disclosure would
be lawful if made directly to that person by the financial institution from
which the licensee received the information; and
(2) Example:
If a licensee obtains a customer list from a nonaffiliated financial
institution outside of the exceptions in Ins 3004.02 or Ins 3004.03:
a. The licensee may use that list for its own
purposes; and
b. The licensee may disclose
that list to another nonaffiliated third party only if the financial
institution from which the licensee purchased the list could have lawfully
disclosed the list to that third party.
That is, the licensee may disclose the list in accordance with the
privacy policy of the financial institution from which the licensee received
the list, as limited by the opt out direction of each consumer whose nonpublic
personal financial information the licensee intends to disclose, and the
licensee may disclose the list in accordance with an exception in Ins 3004.02
or Ins 3004.03, such as to the licensee’s attorneys or accountants.
(c) Information a
licensee discloses under an exception. If
a licensee discloses nonpublic personal information to a nonaffiliated third
party under an exception in Ins 3004.02 or Ins 3004.03 of this rule, the third
party may disclose and use that information only as follows:
(1) The third party may disclose the information
to the licensee’s affiliates;
(2) The third party may disclose the information
to its affiliates, but its affiliates may, in turn, disclose and use the
information only to the extent that the third party may disclose and use the
information; and
(3) The third party may disclose and use the
information pursuant to an exception in Ins 3004.02 or Ins 3004.03 in the
ordinary course of business to carry out the activity covered by the exception
under which it received the information.
(d) Information a
licensee discloses outside of an exception.
If a licensee discloses nonpublic personal financial information to a
nonaffiliated third party other than under an exception in Ins 3004.02 or Ins
3004.03 of this rule, the third party may disclose the information only:
(1) To the licensee’s affiliates;
(2) To the third party’s
affiliates, but the third party’s affiliates, in turn, may disclose the
information only to the extent the third party can disclose the information;
and
(3) To any other person, if the disclosure would
be lawful if the licensee made it directly to that person.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3003.03 Limits on Sharing Account Number Information for Marketing Purposes.
(a) General
prohibition on disclosure of account numbers.
A licensee shall not, directly or through an affiliate, disclose, other
than to a consumer reporting agency, a policy number or similar form of access
number or access code for a consumer’s policy or transaction account to any
nonaffiliated third party for use in telemarketing, direct mail marketing, or
other marketing through electronic mail to the consumer.
(b) Exceptions. Subsection (a) above does not apply if a
licensee discloses a policy number or similar form of access number or access
code:
(1) To the licensee’s service provider solely in
order to perform marketing for the licensee’s own products or services, as long
as the service provider is not authorized to directly initiate charges to the
account;
(2) To a licensee who is a producer solely in
order to perform marketing for the licensee’s own products or services; or
(3) To a participant in an affinity or similar
program where the participants in the program are identified to the customer
when the customer enters into the program.
(c) Examples:
(1) Policy number. A policy number, or similar
form of access number or access code, does not include a number or code in an
encrypted form, as long as the licensee does not provide the recipient with a
means to decode the number or code; and
(2) Policy or transaction account. For the purposes of this section, a policy or
transaction account is an account other than a deposit account or a credit card
account. A policy or transaction account
does not include an account to which third parties cannot initiate charges.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
PART Ins 3004 EXCEPTIONS TO LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION
Ins 3004.01 Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing.
(a) General rule:
(1) The opt out requirements in Ins 3002.04 and
Ins 3003.01 do not apply when a licensee provides nonpublic personal financial
information to a nonaffiliated third party to perform services for the licensee
or functions on the licensee’s behalf, if the licensee:
a. Provides the initial notice in accordance
with Ins 3002.01; and
b. Enters into a contractual agreement with the
third party that prohibits the third party from disclosing or using the
information other than to carry out the purposes for which the licensee
disclosed the information, including use under an exception in Ins 3004.02 or
Ins 3004.03, in the ordinary course of business to carry out those purposes; and
(2) Example.
If a licensee discloses nonpublic personal financial information under
this section to a financial institution with which the licensee performs joint
marketing, the licensee’s contractual agreement with that institution meets the
requirements of (a)(1) b. above, if it prohibits the institution from
disclosing or using the nonpublic personal financial information except as
necessary to carry out the joint marketing or under an exception in Ins 3004.02
or Ins 3004.03 in the ordinary course of business to carry out that joint
marketing.
(b) Service may
include joint marketing. The services a
nonaffiliated third party performs for a licensee under subsection (a) above
may include marketing of the licensee’s own products or services or marketing
of financial products or services offered pursuant to joint agreements between
the licensee and one or more financial institutions.
(c) Definition of
“joint agreement”. For purposes of this
section, “joint agreement” means a written contract pursuant to which a
licensee and one or more financial institutions jointly offer, endorse or
sponsor a financial product or service.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3004.02 Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions.
(a) Exceptions for
processing transactions at consumer’s request.
The requirements for initial notice in Ins 3002.01(a)(2), the opt out in
Ins 3002.04 and Ins 3003.01 and service providers and joint marketing in Ins
3004.01 do not apply if the licensee discloses nonpublic personal financial
information as necessary to effect, administer or enforce a transaction that a
consumer requests or authorizes, or in connection with:
(1) Servicing or processing
an insurance product or service that a consumer requests or authorizes;
(2) Maintaining or servicing the consumer’s
account with a licensee, or with another entity as part of a private label
credit card program or other extension of credit on behalf of such entity;
(3) A proposed or actual securitization,
secondary market sale (including sales of servicing rights) or similar
transaction related to a transaction of the consumer; or
(4) Reinsurance or stop loss or excess loss
insurance.
(b) “Necessary to
effect, administer or enforce a transaction” means that the disclosure is:
(1) Required, or is one of the lawful or
appropriate methods, to enforce the licensee’s rights or the rights of other
persons engaged in carrying out the financial transaction or providing the
product or service; or
(2) Required, or is a usual, appropriate, or
acceptable method:
a. To carry out the transaction or the product
or service business of which the transaction is a part, and record, service, or
maintain the consumer’s account in the ordinary course of providing the
insurance product or service;
b. To administer or service benefits or claims
relating to the transaction or the product or service business of which it is a
part;
c. To provide a confirmation, statement or other
record of the transaction, or information on the status or value of the
insurance product or service to the consumer or the consumer’s agent or broker;
d. To accrue or recognize incentives or bonuses
associated with the transaction that are provided by a licensee or any other
party;
e. To underwrite insurance at the consumer’s
request or for any of the following purposes as they relate to a consumer’s
insurance: account administration, reporting, investigating, or preventing
fraud or material misrepresentation, processing premium payments, processing
insurance claims, administering insurance benefits (including utilization
review activities), participating in research projects, or as otherwise
required or specifically permitted by federal or state law; or
f. In connection with:
1. The authorization, settlement,
billing, processing, clearing, transferring, reconciling, or collection
of amounts charged, debited or otherwise paid using a debit, credit, or other
payment card, check or account number, or by other payment means;
2. The transfer of receivables, accounts or
interests therein; or
3. The audit of debit, credit, or other payment
information.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3004.03 Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information.
(a) Exceptions to
opt out requirements. The requirements
for initial notice to consumers in Ins 3002.01(a)(2), the opt out in Ins
3002.04 and Ins 3003.01, and service providers and joint marketing in Ins
3004.01 do not apply when a licensee discloses nonpublic personal financial
information:
(1) With the consent or at the direction of the
consumer, provided that the consumer has not revoked the consent or direction;
(2) a. To protect the confidentiality or security of
a licensee’s records pertaining to the consumer, service, product, or
transaction;
b. To protect against or prevent actual or
potential fraud or unauthorized transactions;
c. For required institutional risk control or
for resolving consumer disputes or inquiries;
d. To persons holding a legal or beneficial
interest relating to the consumer; or
e. To persons acting in a fiduciary or
representative capacity on behalf of the consumer;
(3) To provide information to insurance rate
advisory organizations, guaranty funds or agencies, agencies that are rating a
licensee, persons that are assessing the licensee’s compliance with industry
standards, and the licensee’s attorneys, accountants, and auditors;
(4) To the extent
specifically permitted or required under other provisions of law and in
accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C.
3401 et seq.), to law enforcement agencies [including the Federal Reserve
Board, Office of the Comptroller of the Currency, Federal Deposit Insurance
Corporation, Office of Thrift Supervision, National Credit Union
Administration, the Securities and Exchange Commission, the Secretary of the
Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and
Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21
(Financial Recordkeeping), a state insurance authority, and the Federal Trade
Commission], self-regulatory organizations, or for an investigation on a matter
related to public safety;
(5) a. To a consumer reporting agency in accordance with the federal Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.); or
b. From a consumer report reported by a consumer
reporting agency;
(6) In connection with a proposed or actual sale,
merger, transfer or exchange of all or a portion of a business or operating
unit if the disclosure of nonpublic personal financial information concerns
solely consumers of the business or unit;
(7) a. To comply with federal, state or local laws, rules and other applicable legal
requirements;
b. To comply with a properly
authorized civil, criminal or regulatory investigation, or subpoena or summons
by federal, state or local authorities; or
c. To respond to judicial process or government
regulatory authorities having jurisdiction over a licensee for examination,
compliance, or other purposes as authorized by law; or
(8) For purposes related to the replacement of a
group benefit plan, a group health plan, a group welfare plan or a workers’
compensation plan.
(b) Examples of
revocation of consent. A consumer may
revoke consent by subsequently exercising the right to opt out of future
disclosures of nonpublic personal information as permitted under Ins
3002.04(g).
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
PART Ins 3005 RULES FOR HEALTH INFORMATION
Ins 3005.01 When Authorization Required for Disclosure of Nonpublic Personal Health Information.
(a) A licensee shall
not disclose nonpublic personal health information about a consumer or customer
unless an authorization is obtained from the consumer or customer whose
nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict, or require an
authorization for the disclosure of nonpublic personal health information by a
licensee for the performance of the following insurance functions by or on
behalf of the licensee: claims administration; claims adjustment and
management; detection, investigation, or reporting of actual or potential
fraud, misrepresentation, or criminal activity; underwriting; policy placement
or issuance; loss control; ratemaking and guaranty fund functions; reinsurance
and excess loss insurance; risk management; case management; disease
management; quality assurance; quality improvement; performance evaluation;
provider credentialing verification; utilization review; peer review
activities; actuarial, scientific, medical, or public policy research;
grievance procedures; internal administration of compliance, managerial, and
information systems; policyholder service functions; auditing; reporting;
database security; administration of consumer disputes and inquiries; external
accreditation standards; the replacement of a group benefit plan or workers’
compensation policy or program; activities in connection with a sale, merger,
transfer, or exchange of all or part of a business or operating unit; any
activity that permits disclosure without authorization pursuant to the federal
Health Insurance Portability and Accountability Act privacy rules promulgated
by the U.S. Department of Health and Human Services; disclosure that is
required, or is one of the lawful or appropriate methods, to enforce the
licensee’s rights or the rights of other persons engaged in carrying out a
transaction or providing a product or service that a consumer requests or
authorizes; and any activity otherwise permitted by law, required pursuant to
governmental reporting authority, or to comply with legal process. Additional insurance functions may be added
with the approval of the commissioner to the extent they are necessary for
appropriate performance of insurance functions and are fair and reasonable to
the interest of consumers.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3005.02 Authorizations.
(a) A valid
authorization to disclose nonpublic personal health information pursuant to
this section shall be in written or electronic form and shall contain all of
the following:
(1) The identity of the consumer or customer who
is the subject of the nonpublic personal health information;
(2) A general description of the types of
nonpublic personal health information to be disclosed;
(3) General descriptions of the parties to whom
the licensee discloses nonpublic personal health information, the purpose of
the disclosure and how the information will be used;
(4) The signature of the consumer or customer who
is the subject of the nonpublic personal health information or the individual
who is legally empowered to grant authority and the date signed; and
(5) Notice of the length of time for which the
authorization is valid and that the consumer or customer may revoke the
authorization at any time and the procedure for making a revocation.
(b) An authorization
for the purposes of this section shall specify a length of time for which the
authorization shall remain valid, which in no event shall be for more than 24
months.
(c) A consumer or customer
who is the subject of nonpublic personal health information may revoke an
authorization provided pursuant to this section at any time, subject to the
rights of an individual who acted in reliance on the authorization prior to
notice of the revocation.
(d) A licensee shall
retain the authorization or a copy thereof in the record of the individual who
is the subject of nonpublic personal health information.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3005.03 Authorization Request Delivery. A request for
authorization and an authorization form may be delivered to a consumer or a
customer as part of an opt-out notice pursuant to Ins 3002.06, provided that
the request and the authorization form are clear and conspicuous. An authorization form is not required
to be delivered to the consumer or customer or included in any other notices
unless the licensee intends to disclose protected health information pursuant
to Ins 3005.01.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3005.04 Relationship to Federal Rules. Irrespective of
whether a licensee is subject to the federal Health Insurance Portability and
Accountability Act privacy rule as promulgated by the U.S. Department of Health
and Human Services (the “federal rule”), if a licensee complies with all
requirements of the federal rule except for its effective date provision, the
licensee shall not be subject to the provisions of this section.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3005.05 Relationship to State Laws. Nothing in this
subpart shall preempt or supersede existing state law related to medical
records, health or insurance information privacy.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
PART Ins 3006 ADDITIONAL PROVISIONS
Ins 3006.01 Protection of Fair Credit Reporting Act.
Nothing in this rule shall be construed to modify, limit, or supersede
the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.), and no inference shall be drawn on the basis of the provisions of this
rule regarding whether information is transaction or experience information
under Section 603 of that Act.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3006.02 Nondiscrimination.
(a) A licensee shall
not unfairly discriminate against any consumer or customer because that
consumer or customer has opted out from the disclosure of his or her nonpublic
personal financial information pursuant to the provisions of this rule.
(b) A licensee shall
not unfairly discriminate against a consumer or customer because that consumer
or customer has not granted authorization for the disclosure of his or her
nonpublic personal health information pursuant to the provisions of this rule.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
Ins 3006.03 Violation. A violation of this rule shall be subject to
the penalty provisions of RSA 400-A:15, III and RSA 417:13.
Source. #7500, eff 7-1-01, EXPIRED: 7-1-09
New. #12749, eff 5-6-19
New. #9922, eff 5-6-11; ss by #12749, eff 5-6-19
PART Ins 3007 WAIVER OF RULES
Ins 3007.01 Waiver of Rules.
(a) The
commissioner, upon the commissioner’s own initiative or upon request by an
insurer, shall waive any requirement of this chapter if such waiver does not
contradict the objective or intent of the rule and:
(1) Applying the rule provision would cause
confusion or would be misleading to consumers;
(2) The rule provision is in whole or in part
inapplicable to the given circumstances;
(3) There are specific circumstances unique to
the situation such that strict compliance with the rule would be onerous
without promoting the objective or intent of the rule
provision; or
(4) Any other similar extenuating circumstances
exist such that application of an alternative standard or procedure better
promotes the objective or intent of the rule provision.
(b) No requirement
prescribed by statute shall be waived unless expressly authorized by law.
(c) Any person or
entity seeking a waiver shall make a request in writing.
(d) A request for a
waiver shall specify the basis for the waiver and proposed alternative, if any.
Source. #12749, eff 5-6-19
APPENDIX A - SAMPLE CLAUSES
Licensees, including a group
of financial holding company affiliates that use a common privacy notice, may use
the following sample clauses, if the clause is accurate for each institution
that uses the notice. (Note that disclosure of certain information, such as
assets, income, and information from a consumer reporting agency, may give rise
to obligations under the federal Fair Credit Reporting Act, such as a
requirement to permit a consumer to opt out of disclosures to affiliates or
designation as a consumer reporting agency if disclosures are made to
nonaffiliated third parties.)
A-1-Categories of information a licensee collects (all institutions)
A licensee may use this
clause, as applicable, to meet the requirement of Ins 3002.03 to describe the
categories of nonpublic personal information the licensee collects.
Sample Clause A-1:
We collect nonpublic personal
information about you from the following sources:
· Information we receive from you on applications or other forms;
· Information about your transactions with us, our affiliates or others; and
· Information we receive from a consumer reporting agency.
A-2-Categories of information a licensee discloses (institutions that
disclose outside of the exceptions)
A licensee may use one of
these clauses, as applicable, to meet the requirement of Ins 3002.03 to
describe the categories of nonpublic personal information the licensee
discloses. The licensee may use these
clauses if it discloses nonpublic personal information other than as permitted
by the exceptions in Ins 3004.01, Ins 3004.02 and Ins 3004.03.
Sample Clause A-2,
Alternative 1:
We may disclose the
following kinds of nonpublic personal information about you:
· Information we receive from you on applications or other forms, such as
[provide illustrative examples, such as “your name, address, social security
number, assets, income, and beneficiaries”];
· Information about your transactions with us, our affiliates or others,
such as [provide illustrative examples, such as “your policy coverage,
premiums, and payment history”]; and
· Information we receive from a consumer reporting agency, such as [provide
illustrative examples, such as “your creditworthiness and credit history”].
Sample Clause A-2,
Alternative 2:
We may disclose all of the
information that we collect, as described [describe location in the notice,
such as “above” or “below”].
A-3-Categories of information a licensee discloses and parties to whom
the licensee discloses (institutions that do not disclose outside of the
exceptions)
A licensee may use this
clause, as applicable, to meet the requirements of Ins 3002.03 to describe the
categories of nonpublic personal information about customers and former
customers that the licensee discloses and the categories of affiliates and
nonaffiliated third parties to whom the licensee discloses. A licensee may use this clause if the
licensee does not disclose nonpublic personal information to any party, other
than as permitted by the exceptions in Ins 3004.02 and Ins 3004.03.
Sample Clause A-3:
We do not disclose any
nonpublic personal information about our customers or former customers to
anyone, except as permitted by law.
A-4-Categories of parties to whom a licensee discloses (institutions
that disclose outside of the exceptions)
A licensee may use this
clause, as applicable, to meet the requirement of Ins 3002.03 to describe the
categories of affiliates and nonaffiliated third parties to whom the licensee
discloses nonpublic personal information.
This clause may be used if the licensee discloses nonpublic personal
information other than as permitted by the exceptions in Ins 3004.01, Ins 3004.02
and Ins 3004.03, as well as when permitted by the exceptions in Ins 3004.02 and
Ins 3004.03.
Sample Clause A-4:
We may disclose nonpublic
personal information about you to the following types of third parties:
· Financial service providers, such as [provide illustrative examples,
such as “life insurers, automobile insurers, mortgage bankers, securities
broker-dealers, and insurance agents”];
· Non-financial companies, such as [provide illustrative examples, such
as “retailers, direct marketers, airlines, and publishers”]; and
· Others, such as [provide illustrative examples, such as “nonprofit
organizations”].
We may also disclose
nonpublic personal information about you to nonaffiliated third parties as
permitted by law.
A-5-Service provider/joint marketing exception
A licensee may use one of
these clauses, as applicable, to meet the requirements of Ins 3002.03 related
to the exception for service providers and joint marketers in Ins 3004.01. If a licensee discloses nonpublic personal
information under this exception, the licensee shall describe the categories of
nonpublic personal information the licensee discloses and the categories of
third parties with whom the licensee has contracted.
Sample Clause A-5,
Alternative 1:
We may disclose the following
information to companies that perform marketing services on our behalf or to
other financial institutions with whom we have joint marketing agreements:
· Information we receive from you on applications or other forms, such as
[provide illustrative examples, such as “your name, address, social security
number, assets, income and beneficiaries”];
· Information about your transactions with us, our affiliates or others,
such as [provide illustrative examples, such as “your policy coverage, premium,
and payment history”]; and
· Information we receive from a consumer reporting agency, such as
[provide illustrative examples, such as “your creditworthiness and credit
history”].
Sample Clause A-5,
Alternative 2:
We may disclose all of the
information we collect, as described [describe location in the notice, such as
“above” or “below”] to companies that perform marketing services on our behalf
or to other financial institutions with whom we have joint marketing
agreements.
A-6-Explanation of opt out right (institutions that disclose outside of
the exceptions)
A licensee may use this
clause, as applicable, to meet the requirement of Ins 3002.03 to provide an
explanation of the consumer’s right to opt out of the disclosure of nonpublic
personal information to nonaffiliated third parties, including the method(s) by
which the consumer may exercise that right.
The licensee may use this clause if the licensee discloses nonpublic
personal information other than permitted by the exceptions in Ins 3004.01, Ins
3004.02 and Ins 3004.03.
Sample Clause A-6:
If you prefer that we do not
disclose nonpublic personal information about you to nonaffiliated third
parties, you may opt out of those disclosures, that is, you may direct us not
to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to
nonaffiliated third parties, you may [describe a reasonable means of opting
out, such as “call the following toll-free number: (insert number)”].
A-7-Confidentiality and security (all institutions)
A licensee may use this
clause, as applicable, to meet the requirement of Ins 3002.03 to describe its
policies and practices with respect to protecting the confidentiality and
security of nonpublic personal information.
Sample Clause A-7:
We restrict access to
nonpublic personal information about you to [provide an appropriate
description, such as “those employees who need to know that information to
provide products or services to you”].
We maintain physical, electronic, and procedural safeguards that comply
with federal regulations to guard your nonpublic personal information.
APPENDIX B – FEDERAL MODEL PRIVACY FORM
Licensees, including a group
of financial holding company affiliates that use a common privacy notice, may
use the Federal Model Privacy Form, if the Form is accurate for each
institution that uses the Form. (Note
that disclosure of certain information, such as assets, income, and information
from a consumer reporting agency, may give rise to obligations under the federal
Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of
disclosures to affiliates or designation as a consumer reporting agency if
disclosures are made to nonaffiliated third parties.)
A. General Instructions
1. How the Model Privacy Form is used.
(a) The Model Form
may be used, at the option of a “licensee”, including a group of licensees or
other financial institutions that use a common privacy notice, to meet the
content requirements of the privacy notice and opt-out notice set forth in Ins
3002.03 and Ins 3002.04.
(b) The Model Form
is a standardized form, including page layout, content, format, style,
pagination, and shading. Licensees seeking to obtain the safe harbor through
use of the Model Form may modify it only as described in these Instructions.
(c) Note that
disclosure of certain information, such as assets, income, and information from
a consumer reporting agency, may give rise to obligations under the federal
Fair Credit Reporting Act (FCRA), codified at 15 U.S.C. §§ 1681-1681x, such as
a requirement to permit a consumer to opt out of disclosures to affiliates, or
designation as a consumer reporting agency if disclosures are made to
nonaffiliated third parties.
(d) The word
“customer” may be replaced by the word “member,” whenever it appears in the
Model Form, as appropriate.
2. The Contents of the Model Privacy Form
The Model Form consists of
two pages, which may be printed on both sides of a single sheet of paper or may
appear on two separate pages. Where a licensee provides a long list of
licensees or financial institutions at the end of the Model Form in accordance
with Instruction B3(a)(i), or provides additional
information in accordance with Instruction B3(c) and such list or additional
information exceeds the space available on Page Two of the Model Form, such
list or additional information may extend to a third page.
(a) Page One. The
first page consists of the following components:
(1) Date last revised (upper right-hand corner)
(2) Title
(3) Key frame (Why? What? How?)
(4) Disclosure table (“Reasons we can share your
personal information”)
(5) “To limit our sharing” box, as needed, for
the licensee’s opt-out information
(6) “Questions” box, for customer service contact
information
(7) Mail-in opt-out form, as needed
(b) Page Two. The
second page consists of the following components:
(1) Heading (Page 2)
(2) Frequently Asked Questions (“Who we are” and
“What we do”)
(3) Definitions
(4) “Other important information” box, as needed
3. The format of the Model Privacy Form.
The format of the Model Form
may be modified only as described below.
(a) Easily readable
type font. Licensees that use the Model
Form must use an easily readable type font. While a number of factors together
produce easily readable font, licensees are required to use a minimum of 10-
point font (unless otherwise expressly permitted in these Instructions) and
sufficient spacing between lines.
(b) Logo. A licensee
may include a corporate logo on any page of the notice, so long as it does not
interfere with the readability of the Model Form or the space constraints of
each page.
(c) Page size and
orientation. Each page of the Model Form must be printed in portrait
orientation, the size of which must be sufficient to meet the layout and
minimum font size requirements, with sufficient white space on the top, bottom,
and sides of the content.
(d) Color. The Model
Form must be printed on white or light color paper (such as cream) with black
or other contrasting ink color. Spot color may be used to achieve visual
interest, so long as the color contrast is distinctive and the color does not
detract from the readability of the Model Form. Logos may also be printed in
color.
(e) Languages. The
Model Form may be translated into languages other than English.
B. Information Required in the Model Privacy Form
The information in the Model
Form may be modified only as described below:
1. Name of licensee or group of affiliated
licensees or institutions providing the notice
Insert the name of the
licensee providing the notice, or a common identity of the affiliated licensees
or financial institutions jointly providing the notice on the form, wherever [name of licensee] appears.
2. Page One
(a) Last revised
date. The licensee must insert in the
upper right-hand corner the date on which the notice was last revised. The
information shall appear in minimum 8-point font as “rev. [month/year]” using
either the name or number of the month, such as “rev. July 2016” or “rev.
7/16.”
(b) General
instructions for the “What?” box
(i) The bulleted list identifies the types of
personal information that the licensee collects and shares. All licensees must use the term “Social
Security Number” in the first bullet.
(ii) A licensee must use five (5) of the following
terms, to complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit history;
credit scores; assets; investment experience; credit-based insurance scores;
insurance claim history; medical information; overdraft history; purchase
history; account transactions; risk tolerance; medical-related debts; credit
card or other debt; mortgage rates and payments; retirement assets; checking
account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure
table. The left column lists reasons for sharing or using personal information.
Each reason correlates to a specific legal provision described in Paragraph
2(d) of this Instruction. In the middle
column, each licensee must provide a “Yes” or “No” response that accurately
reflects its information-sharing policies and practices with respect to the
reason listed on the left. In the right
column, each licensee must provide in each box one of the following three (3)
responses, as applicable, that reflects whether a consumer can limit such
sharing:
“Yes,” if it is required to
or voluntarily provides an opt-out; “No,” if it does not provide an opt-out; or
“We don’t share,” if it
answers “No” in the middle column.
Only the sixth row (“For our
affiliates to market to you”) may be omitted at the option of the
licensee. See Paragraph 2(d)(6) of this
instruction.
(d) Specific disclosures and corresponding legal provisions
(i) For our everyday business purposes. This reason incorporates sharing information under Ins 3004.02 and Ins 3004.03 and with service providers pursuant to Ins 3004.01 other than the disclosures described in Paragraphs (2)(d)(ii) or (2)(d)(iii) of this instruction.
(ii) For our marketing purposes. This reason incorporates sharing information with service providers by a licensee for its own marketing pursuant to Ins 3004.01. A licensee that shares for this reason may choose to provide an opt-out.
(iii) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between 2 or more licensees or financial institutions and with any service provider used in conjunction with such agreement pursuant to Ins 3004.01. A licensee that shares for this reason may choose to provide an opt-out.
(iv) For our affiliates’ everyday business purposes – information about transactions and experiences. This reason incorporates sharing information specified in Sections 603(d)(2)(A)(i) and (ii) of the FCRA. A licensee that shares information for this reason may choose to provide an opt-out.
(v) For our affiliates’ everyday business purposes – information about creditworthiness. This reason incorporates sharing information pursuant to Section 603(d)(2)(A)(iii) of the FCRA. A licensee that shares information for this reason must provide an opt-out.
(vi) For our affiliates to market to you. This reason incorporates sharing information specified in Section 624 of the FCRA. This reason may be omitted from the disclosure table when: the licensee does not have affiliates (or does not disclose personal information to its affiliates); the licensee’s affiliates do not use personal information in a manner that requires an opt-out; or the licensee provides the affiliate marketing notice separately. Licensees that include this reason must provide an opt-out of indefinite duration. A licensee that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the Model Form under this part, must comply with Section 624 of the FCRA and Ins 3000, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. A licensee not required to provide an opt-out under this subparagraph may elect to include this reason in the Model Form.
(vii) For nonaffiliates to market to you. This reason incorporates sharing described in Ins 3002.04 and Ins 3003.01(a). A licensee that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing. A licensee must include this section of the Model Form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Licensees must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a web site; or use of a mail-in opt-out form. Licensees may include the word “toll-free” before telephone, as appropriate. A licensee that allows consumers to opt out online must provide either a specific web address that takes consumers directly to the opt-out page or a general web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the licensee through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part entitled “Please note,” licensees may insert a number that is 30 days or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in Paragraph 2(g)(v) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate where [phone number] or [web site] appear. Licensees may elect to provide either a phone number, such as a toll-free number, or a web address, or both. Licensees may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Licensees must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column of the disclosure table. Licensees that require consumers to provide only name and address may omit the section identified as “[account #].” Licensees that require additional or different information, such as a random opt-out number or a truncated account number to implement an opt-out election, should modify the “[account #]” reference accordingly. This includes licensees that require customers with multiple accounts to identify each account to which the opt-out should apply. A licensee must enter its opt-out mailing address in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the Model Form.
(i) Joint accountholder. Only licensees that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with Paragraph 3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement:
If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below.
□ Apply my choice(s) only to me.
The word “choice” may be written in either the singular or plural, as appropriate. Licensees that provide insurance products or services, provide this option, and elect to use the Model Form may substitute the word “policy” for “account” in this statement. Licensees that do not provide this option may eliminate this left column from the mail-in form.
(ii) FCRA Section 603(d)(2)(A)(iii) opt-out. If the licensee shares personal information pursuant to Section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement:
□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.
(iii) FCRA Section 624 opt-out. If the licensee uses Section 624 of the FCRA, in accord with paragraph 2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement:
□ Do not allow your affiliates to use my personal information to market to me.
(iv) Nonaffiliate opt-out. If the licensee shares personal information pursuant to Ins 3003.01(a), it must include in the mail-in opt-out form the following statement:
□ Do not share my personal information with nonaffiliates to market their products and services to me.
(v) Additional opt-outs. Licensees that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the Model Form. A licensee that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements:
□ Do not share my personal information to market to me.
or
□ Do not use my personal information to market to me.
A licensee that chooses to offer an opt-out for joint marketing must include the following statement:
□ Do not share my personal information with other financial institutions to jointly market to me.
(h) Barcodes. A licensee may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point type at the bottom of page one, as needed for information internal to the licensee, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain Questions on the Model Form may be customized as follows:
(i) “Who is providing this notice?” This question may be omitted where only one licensee provides the Model Form and that licensee is clearly identified in the title on Page One. Two or more licensees or financial institutions that jointly provide the Model Form must use this question to identify themselves as required by Ins 3002.07(f). Where the list of licensees or financial institutions exceeds four (4) lines, the licensee must describe in the response to this question the general types of licensees or financial institutions jointly providing the notice and must separately identify those licensees or financial institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the licensee’s form, directly following the “Definitions.” The list may appear in a multi-column format.
(ii) “How does [name of licensee] protect my personal information?” The licensee may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the licensee’s use of cookies or other measures it uses to safeguard personal information. Licensees are limited to a maximum of 30 additional words.
(iii) “How does [name of licensee] collect my personal information?” Licensees must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.
Licensees that collect personal information from their affiliates and/or credit bureaus must include the following statement after the bulleted list: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Licensees that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only licensees that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(iv) “Why can’t I limit all sharing?” Licensees that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other licensees must omit this sentence.
(v) “What happens when I limit sharing for an account I hold jointly with someone else?” Only licensees that provide opt-out options must use this question. Other licensees must omit this question. Licensees must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account – unless you tell us otherwise.” Licensees may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions. The licensee must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(i) Affiliates. As required by Ins 3002.03(a)(3), where [affiliate information] appears, the licensee must:
a. If it has no affiliates, state: “[name of licensee] has no affiliates”;
b. If it has affiliates but does not share personal information with them, state: “[name of licensee] does not share with our affiliates”; or
c. If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of licensee] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”
(ii) Nonaffiliates. As required by Ins 3002.03(c)(3), where [nonaffiliate information] appears, the licensee must:
a. If it does not share with nonaffiliated third parties, state: “[name of licensee] does not share with nonaffiliates so they can market to you”; or
b. If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(iii) Joint Marketing. As required by Ins 3004.01, where [joint marketing] appears, the licensee must:
a. If it does not engage in joint marketing, state: “[name of licensee] doesn’t jointly market”; or
b. If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited, and an additional page may be used if necessary. Only the following types of information can appear in this box:
(i) State and/or international privacy law information; and/or
(ii) A form by which the consumer may acknowledge receipt of the notice.
APPENDIX I
Rule | Specific State Statute the Rule Implements
Ins 3001.01 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3001.02 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3001.03 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3001.04 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.01 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.02 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.03 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.04 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.05 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.06 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3002.07 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3003.01 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3003.02 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3003.03 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3004.01 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3004.02 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3004.03 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3005.01 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3005.02 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3005.03 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3005.04 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3005.05 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3006.01 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3006.02 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16
Ins 3006.03 | RSA 400-A:15, I; RSA 406-C:9; RSA 406-C:16; RSA 417:13
Ins 3007.01 | RSA 400-A:15, I; RSA 406-C:16; RSA 541-A:22, IV
Appendix A | RSA 400-A:15, I
Appendix B | RSA 400-A:15, I