Report Title:
Insurance; Privacy of Consumer Financial Information
Description:
Establishes requirements governing the treatment of consumer nonpublic personal financial information by insurers subject to regulation under chapters 431, 432, and 432D, HRS. Deems insurers in process of complying with HIPAA rules to be in compliance with Act for period ending July 1, 2002. (CD1)
THE SENATE
TWENTY-FIRST LEGISLATURE, 2001
STATE OF HAWAII
S.B. NO. 1550, S.D. 2, H.D. 1, C.D. 1
A BILL FOR AN ACT
relating to insurance.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The Hawaii Revised Statutes is amended by adding a new article to chapter 431 to be appropriately designated and to read as follows:
"ARTICLE
PRIVACY OF CONSUMER FINANCIAL INFORMATION
PART I. GENERAL PROVISIONS
§431: -101 Purpose; scope; applicability. (a) This article governs the treatment of nonpublic personal financial information about individuals by all insurance licensees. This article:
(1) Requires licensees to provide notice to individuals about its privacy policies and practices;
(2) Establishes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and
(3) Provides methods for individuals to prevent a licensee from disclosing that information.
(b) This article shall apply to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of a licensee's products or services primarily for personal, family, or household purposes. This article shall not apply to information about companies or about individuals that obtain products or services for business, commercial, or agricultural purposes.
(c) Notice provisions under part II of this article shall not apply to licensees in liquidation or receivership.
§431: -102 Definitions. As used in this article:
"Affiliate" means any company that controls, is controlled by, or is under common control with another company.
"Clear and conspicuous" means reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
"Collect" means to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, without regard to the source of the underlying information.
"Commissioner" means the insurance commissioner of the State.
"Company" means a corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship, mutual benefit society, health maintenance organization, nonprofit corporation, or similar organization.
"Consumer" means an individual, or that individual’s legal representative, who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information.
"Consumer reporting agency" has the same meaning as in section 603(f) of the federal Fair Credit Reporting Act, title 15 United States Code section 1681a(f), as amended.
"Control" means:
(1) Ownership, control, or power to vote twenty-five per cent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or general partners or individuals exercising similar functions of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner determines.
"Customer" means a consumer who has a customer relationship with a licensee.
"Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.
"Financial institution" means any institution in the business of engaging in activities that are financial in nature or incidental to financial activities as described in the Bank Holding Company Act of 1956, title 12 United States Code section 1843(k), as amended. "Financial institution" shall not include:
(1) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act, title 7 United States Code section 1, et seq., as amended;
(2) The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971, title 12 United States Code section 2001, et seq., as amended; or
(3) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions relating to a transaction of a consumer, if the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
"Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under the Bank Holding Company Act of 1956, title 12 United States Code section 1843(k). "Financial product or service" includes a financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
"Health information" means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:
(1) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(2) The provision of health care to an individual; or
(3) Payment for the provision of health care to an individual.
"Insurance product or service" means any product or service that is offered by a licensee pursuant to the insurance laws of this State. "Insurance product or service" includes a licensee’s evaluation, brokerage, or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.
"Licensee" means every licensed insurer, producer, and any other person licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered, under chapter 431 or 432, or holding a certificate of authority under chapter 432D. A licensee shall not be subject to part II of this article if the licensee is an employee, agent, or other representative of another licensee acting as the principal if:
(1) The principal otherwise complies with, and provides the notices required by this article; and
(2) The licensee does not disclose any nonpublic personal financial information to any person other than to the principal or its affiliates in a manner permitted by this article.
"Licensee" includes an unauthorized insurer that accepts business placed through a licensed surplus lines broker in this State, but only in regard to the surplus lines placements under article 8, chapter 431. A surplus lines broker or surplus lines insurer shall be deemed to be in compliance with part II of this article if:
(1) The broker or insurer does not disclose nonpublic personal financial information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under section 431: -401, except as permitted by sections 431: -402 and 431: -403; and
(2) The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in sixteen point type:
"PRIVACY NOTICE: NEITHER THE U.S. BROKERS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL FINANCIAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW."
"Nonaffiliated third party" means any person except:
(1) A licensee’s affiliate; or
(2) A person employed jointly by a licensee and any company that is not the licensee’s affiliate; provided that for purposes of this paragraph, a nonaffiliated third party includes the other company that jointly employs the person.
"Nonaffiliated third party" includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) of the federal Bank Holding Company Act, title 12 United States Code section 1843(k)(4)(H), as amended, or insurance company investment activities of the type described in the federal Bank Holding Company Act, title 12 United States Code section 1843(k)(4)(H) and (I).
"Nonpublic personal financial information" means:
(1) Personally identifiable financial information; and
(2) Any list, description, or other grouping of consumers and publicly available information pertaining to them, that is derived using any personally identifiable financial information that is not publicly available.
"Nonpublic personal financial information" shall not include health information, publicly available information except as included on a list described under paragraph (2) of this definition, or any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived without using any personally identifiable financial information that is not publicly available.
"Opt out" means a direction by a consumer that a licensee not disclose nonpublic financial information about that consumer to a nonaffiliated third party, other than as permitted by part IV of this article.
"Personally identifiable financial information" means any information:
(1) Provided by a consumer to a licensee to obtain an insurance product or service from the licensee;
(2) About a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or
(3) The licensee otherwise obtains about a consumer in connection with providing a service to that consumer.
"Personally identifiable financial information" shall not include:
(1) Health information;
(2) A list of names and addresses of customers of an entity that is not a financial institution; or
(3) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
"Producer" means a person required to be licensed under the laws of this State to sell, solicit, or negotiate insurance.
"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
(1) Federal, state, or local government records;
(2) Widely distributed media; or
(3) Disclosures to the general public that are required to be made by federal, state, or local law.
For purpose of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
(1) That the information is of the type that is available to the general public; and
(2) That the licensee's consumer has not made the information available to the general public, for information that is of a nature that an individual can direct not be made available to the general public.
PART II. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION
§431: -201 Initial privacy notice to consumers required. (a) A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to a consumer:
(1) Not later than when the licensee establishes a customer relationship, except as provided in subsection (d); and
(2) Before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by sections 431: -402 and 431: -403.
(b) A licensee shall not be required to provide an initial notice to a consumer under subsection (a)(2) if:
(1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 431: -402 and 431: -403, and the licensee does not have a customer relationship with the consumer; provided that for purpose of this paragraph, a licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship; and
(2) A notice has been provided by an affiliated licensee, if the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
(c) When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, the licensee shall be deemed to satisfy the initial notice requirements of subsection (a) if:
(1) The licensee provides a revised policy notice, under section 431: -205, that covers the customer’s new insurance product or service; or
(2) The initial, revised, or annual notice that the licensee most recently provided to that customer was accurate with respect to the new insurance product or service, in which case the licensee does not need to provide a new privacy notice under subsection (a).
(d) A licensee may provide the initial notice under subsection (a)(1) within a reasonable time after the licensee establishes a customer relationship if:
(1) Establishing the customer relationship is not at the customer’s election; or
(2) Providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.
(e) When a licensee is required to deliver an initial privacy notice by this section, the licensee shall deliver it according to section 431: -206. If the licensee uses a short-form initial notice for noncustomers according to section 431: -203(c), the licensee may deliver its privacy notice according to section 431: -206.
§431: -202 Annual privacy notice to customers required. (a) A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve consecutive months during which that relationship exists. A licensee may define the twelve consecutive month period, but the licensee shall apply it to the customer on a consistent basis.
(b) A licensee shall not be required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.
(c) If a licensee is required under this section to deliver an annual privacy notice, the licensee shall deliver it according to section 431: -206.
§431: -203 Information to be included in privacy notices. (a) The initial, annual, and revised privacy notices that a licensee provides under sections 431: -201, 431: -202, and 431: -205 shall include the following information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(1) The categories of nonpublic personal financial information that the licensee collects;
(2) The categories of nonpublic personal financial information that the licensee discloses;
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under sections 431: -402 and 431: -403;
(4) The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses, and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under sections 431: -402 and 431: -403;
(5) A separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted, if a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 431: -401 and no other exception in sections 431: -402 and 431: -403 applies to that disclosure;
(6) An explanation of the consumer’s right under section 431: -301(a) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
(7) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act, title 15 United States Code section 1681a(d)(2)(A)(iii), as amended;
(8) The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(9) Any disclosure that the licensee makes under subsection (b).
(b) If a licensee discloses nonpublic personal financial information under sections 431: -402 and 431: -403, the licensee is not required to list those exceptions in the initial or annual privacy notices required by sections 431: -201 and 431: -202. When describing the categories of parties to whom disclosure is made, the licensee shall state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(c) A licensee may satisfy the initial notice requirements in sections 431: -201(a) and 431: -204(c) for a consumer who is not a customer by providing a short form initial notice at the same time the licensee delivers an opt out notice under section 431: -204. A short form initial notice shall:
(1) Be clear and conspicuous;
(2) State that the licensee’s privacy notice is available upon request; and
(3) Explain a reasonable means by which the consumer may obtain that notice.
The licensee shall deliver a short form initial notice in accordance with section 431: -206. The licensee shall not be required to deliver its privacy notice with its short form initial notice; provided that the licensee provides the consumer a reasonable means to obtain a privacy notice. If a consumer receives the licensee’s short form notice and requests a privacy notice, the licensee shall deliver a privacy notice under section 431: -206.
(d) The privacy notice may include:
(1) Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
§431: -204 Form of opt out notice to consumers and opt out methods. (a) A licensee shall provide an opt out notice to each of the licensee's consumers that is clear and conspicuous and accurately explains the right to opt out. The notice shall state:
(1) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
(2) That the consumer has the right to opt out of that disclosure; and
(3) A reasonable means by which the consumer may exercise the opt out right.
(b) A licensee may provide the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with section 431: -201.
(c) If a licensee provides the opt out notice later than required for the initial notice in accordance with section 431: -201, the licensee shall also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(d) If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee’s opt out notice shall explain that any of the joint consumers may exercise the right to opt out; provided that the licensee may:
(1) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(2) Permit each joint consumer to opt out separately; provided that if a licensee permits each joint consumer to opt out separately, the licensee shall permit one of the joint consumers to opt out on behalf of all of the joint consumers.
A licensee may not require all joint consumers to opt out before it implements any opt out direction.
(e) A licensee shall comply with a consumer’s opt out direction as soon as reasonably practicable after the licensee receives it.
(f) A consumer may exercise the right to opt out at any time.
(g) A consumer’s direction to opt out under this section shall be effective until the consumer revokes it in writing or, if the consumer agrees, electronically. When a customer relationship terminates, the customer’s opt out direction shall continue to apply to the nonpublic personal financial information that the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship shall not apply to the new relationship.
(h) If a licensee is required to deliver an opt out notice by this section, the licensee shall deliver it in accordance with section 431: -206.
§431: -205 Revised privacy notices. (a) Except as otherwise provided in this article, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under section 431: -201, unless:
(1) The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) The licensee has provided to the consumer a new opt out notice;
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) If a licensee is required to deliver a revised privacy notice under subsection (a), the licensee shall deliver it in accordance with section 431: -206.
§431: -206 Delivery. (a) A licensee shall provide any notices required under this article so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) A licensee may reasonably expect that a customer will receive actual notice of the licensee’s annual privacy notice if:
(1) The customer uses the licensee’s web site to access insurance products and services electronically and agrees to receive notices at the web site and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or
(2) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee’s current privacy notice remains available to the customer upon request.
(c) A licensee shall not provide any notice required under this article solely by oral explanation of the notice, either in person or over the telephone.
(d) For customers only, a licensee shall provide the initial notice required by section 431: -201(a), the annual notice required by section 431: -202(a), and the revised notice required by section 431: -205, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(e) A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, if the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.
(f) If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of sections 431: -201(a), 431: -202(a), and 431: -205(a), by providing one notice to those consumers jointly.
PART III. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION
§431: -301 Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. (a) Except as otherwise authorized under this article, a licensee may not disclose, directly or through any affiliate, any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(1) The licensee has provided to the consumer an initial notice as required under section 431: -201;
(2) The licensee has provided to the consumer an opt out notice as required under section 431: -204;
(3) The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) A licensee shall comply with this section, whether or not the licensee and the consumer have established a customer relationship. If a licensee fails to comply with this section, the licensee may not disclose, directly or through any affiliate, any nonpublic personal financial information about a consumer that the licensee has collected, whether or not the licensee collected it before or after receiving the direction to opt out from the consumer.
(c) A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
§431: -302 Limits on redisclosure and reuse of nonpublic personal financial information. (a) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in sections 431: -402 and 431: -403, the licensee’s disclosure and use of that information shall be as follows:
(1) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information;
(2) The licensee may disclose the information to its affiliates who may disclose and use the information only to the extent that the licensee may disclose and use the information; and
(3) The licensee may disclose and use the information pursuant to an exception under sections 431: -402 and 431: -403, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(b) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in sections 431: -201 and 431: -202, the licensee may disclose the information only:
(1) To the affiliates of the financial institution from which the licensee received the information;
(2) To its affiliates who may disclose the information only to the extent that the licensee may disclose the information; and
(3) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(c) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in sections 431: -201 and 431: -202, the third party may disclose and use that information, as follows:
(1) Disclose to the licensee’s affiliates;
(2) Disclose to its affiliates who may disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) Disclose and use the information pursuant to an exception under sections 431: -201 and 431: -202 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(d) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception under sections 431: -201 and 431: -202, the third party may disclose the information only:
(1) To the licensee’s affiliates;
(2) To the third party’s affiliates who may disclose the information only to the extent the third party can disclose the information; and
(3) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.
§431: -303 Limits on sharing account number information for marketing purposes. (a) A licensee shall not disclose, directly or through an affiliate other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(b) Subsection (a) does not apply if a licensee discloses a policy number or similar form of access number or access code:
(1) To the licensee’s service provider solely in order to perform marketing for the licensee’s own products or services, if the service provider is not authorized to directly initiate charges to the account;
(2) To a licensee who is a producer solely in order to perform marketing for the licensee’s own products or services; or
(3) To a participant in an affinity or similar program if the participants in the program are identified to the customer when the customer enters into the program.
PART IV. EXCEPTIONS TO LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION
§431: -401 Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and for joint marketing. (a) The opt out requirements in sections 431: -204 and 431: -301 shall not apply if a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee:
(1) Provides the initial notice in accordance with section 431: -201; and
(2) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in sections 431: -402 and 431: -403 in the ordinary course of business to carry out those purposes.
(b) The services a nonaffiliated third party performs for a licensee under subsection (a) include marketing of the licensee’s own products or services or marketing of financial products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
(c) For purposes of this section, "joint agreement" means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.
§431: -402 Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions. (a) The requirements for initial notice under section 431: -201, for the opt out in sections 431: -204 and 431: -301, and for service providers and joint marketing in sections 431: -401 shall not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
(1) Servicing or processing an insurance product or service that a consumer requests or authorizes;
(2) Maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of the entity;
(3) A proposed or actual securitization, secondary market sale including sales of servicing rights, or similar transaction related to a transaction of the consumer; or
(4) Reinsurance, stop loss, or excess loss insurance.
(b) As used in this section, "necessary to effect, administer, or enforce a transaction" means that the disclosure is:
(1) Required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) Required, or is a usual, appropriate, or acceptable method:
(A) To carry out the transaction or the product or service business of which the transaction is a part, and to record, service, or maintain the consumer’s account in the ordinary course of providing the insurance product or service;
(B) To administer, service the benefits, or process the claims relating to the transaction or the product or service business of which it is a part;
(C) To provide a confirmation, statement, or other record of the transaction or to provide information on the status or value of the insurance product, or to service to the consumer or the consumer’s agent or broker;
(D) To accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party;
(E) To underwrite insurance at the consumer’s request or for purposes, as they relate to the consumer's insurance, of account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits including utilization review activities, participating in research projects, or as otherwise required or specifically permitted by federal or state law; or
(F) In connection with:
(i) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;
(ii) The transfer of receivables, accounts, or interests therein; or
(iii) The audit of debit, credit, or other payment information.
§431: -403 Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information. (a) The requirements for initial notice in section 431: -201, the opt out in sections 431: -204, and 431: -301, and service providers and joint marketing in section 431: -401 shall not apply if a licensee discloses nonpublic personal financial information:
(1) With the consent or at the direction of the consumer, who has not revoked the consent or direction;
(2) To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
(3) To protect against or prevent actual or potential fraud or unauthorized transactions;
(4) For required institutional risk control;
(5) For resolving consumer disputes or inquiries;
(6) To persons holding a legal or beneficial interest relating to the consumer or to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(7) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, or the licensee’s attorneys, accountants, and auditors;
(8) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, title 12 United States Code section 3401 et seq., as amended, to law enforcement agencies including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, and the Secretary of the Treasury, with respect to title 31 United States Code chapter 53, subchapter II (Records and Reports on Monetary Instruments and Transactions), as amended, and title 12 United States Code chapter 21 (Financial Recordkeeping), as amended, a state insurance authority, and the Federal Trade Commission, self-regulatory organizations, or for an investigation on a matter related to public safety;
(9) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act, title 15 United States Code section 1681, et seq., as amended, or from a consumer report reported by a consumer reporting agency;
(10) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
(11) To comply with federal, state, or local laws, rules, and other applicable legal requirements;
(12) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities;
(13) To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law; or
(14) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers’ compensation plan.
(b) A consumer may revoke a consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under section 431: -204.
PART V. ADDITIONAL PROVISIONS
§431: -501 Protection of Fair Credit Reporting Act. Nothing in this article shall be construed to modify, limit, or supersede the federal Fair Credit Reporting Act, title 15 United States Code section 1681, et seq., as amended, and no inference shall be drawn on the basis of the provisions of this article regarding whether information is transaction or experience information under title 15 United States Code section 602, et seq., as amended.
§431: -502 Nondiscrimination. A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of nonpublic personal financial information under this article.
§431: -503 Violation. A violation of this article shall be deemed an unfair method of competition or unfair or deceptive trade act or practice in the business of insurance in violation of section 431:13-102.
§431: -504 Rules. The commissioner may adopt rules pursuant to chapter 91 to further the purposes of this article."
SECTION 2. A licensee in the process of conforming to the rules of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, shall be deemed in compliance with this Act for the period ending on July 1, 2002.
SECTION 3. If any section or portion of a section of this Act or its applicability to any person or circumstance is held invalid by a court, the remainder of the Act or the applicability of the provision to other persons or circumstances shall not be affected.
SECTION 4. Upon approval of this Act, to provide sufficient time for licensees to establish policies and systems to comply with this Act, the commissioner may extend the time for compliance with this Act to July 1, 2002; provided that by July 1, 2001, a licensee shall provide an initial notice, as required by section 431: -201 of section 1 of this Act, to consumers who are the licensee’s customers on July 1, 2001. Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf shall be deemed to satisfy section 431: -401(a)(2) of section 1 of this Act, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, if the licensee entered into the agreement on or before July 1, 2000.
SECTION 5. This Act shall take effect upon its approval.