Honorable Calvin K.Y. Say

Speaker, House of Representatives

Twenty-First State Legislature

Regular Session of 2001

State of Hawaii

Sir:

Your Committees on Consumer Protection and Commerce and Judiciary and Hawaiian Affairs, to which was referred S.B. No. 1550, S.D. 2, entitled:

beg leave to report as follows:

The purpose of this bill is to enact a new insurance article governing the disclosure of nonpublic personal financial information held by persons or entities licensed, registered, or subject to certificate of authority requirements under chapters 431, 432, and 432D, Hawaii Revised Statutes (HRS).

Testimony in support of this bill was received from the Insurance Division of the Department of Commerce and Consumer Affairs, American Council of Life Insurers, American Family Life Assurance Company of Columbus, Association of Insurance and Financial Advisors, and State Farm Insurance Companies.

Hawaii Insurers Council testified in support of the intent of the bill. Comments on the bill were submitted by Alohacare.

Testimony in opposition to the bill was received from Office of Information Practices, Common Cause Hawaii, Hawaii Medical Service Association, University Health Alliance, Royal State National Insurance Company, and Mutual Benefit Association of Hawaii.

This bill applies to insurers, insurance producers, and other persons and entities that are subject to licensing, registration, or certificate of authority requirements under chapters 431, 432, or 432D, HRS. This measure restricts "licensee" disclosures of information about a consumer that the licensee obtains as a result of insurance transactions, and transactions where licensees provide a service to the consumer. Information obtained in this manner is considered personally identifiable financial information about the consumer.

Under the bill, "personally identifiable financial information" is subject to regulation under the bill when it is information that is not publicly available. "Publicly available information" is defined as information reasonably believed to be available to the public from government records, legally required disclosures, and the widely distributed media. The category of regulated, "nonpublic personally identifiable financial information" also includes any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived from nonpublic personally identifiable financial information.

Prior to disclosing this regulated information to nonaffiliated third parties, the bill requires licensees that hold or maintain the regulated information to provide consumers with a notice of the licensee's privacy policies and practices. Among the exceptions to this prohibition against disclosure are disclosure consented to by the consumer, authorized by law, and to resolve consumer disputes.

The privacy notice must be provided when the licensee establishes a customer relationship with the consumer, and must include information about the types of information collected by the licensee, the type of information disclosed to nonaffiliated third parties, and a list of the categories of nonaffiliated third parties that will receive the information. The notice must also explain the consumer's right to opt out of the disclosure of regulated information to nonaffiliated third parties.

The bill also prohibits licensees from disclosing to a nonaffiliated third party, other than to a consumer reporting agency, the policy number or other access code for a consumer's policy or transaction account for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

Your Committees find that enactment of this measure, which is based on the National Association of Insurance Commissioners Model Regulations, will preserve the State's ability to avoid federal preemption of state financial information privacy laws under the Gramm-Leach-Bliley Act.

Your Committees note that Kaiser Permanente and other health insurers voiced the concern that this bill, as received, would subject them to dual regulation under state law and the federal Health Insurance Portability and Accountability Act. Your Committees find that the regulation of health care information privacy was not contemplated by Gramm-Leach-Bliley.

Your Committees have amended this bill to ensure that only licensees who hold or maintain nonpublic personal financial information are required to comply with this law. Other technical, nonsubstantive amendments were made for style and clarity.

As affirmed by the records of votes of the members of your Committees on Consumer Protection and Commerce and Judiciary and Hawaiian Affairs that are attached to this report, your Committees are in accord with the intent and purpose of S.B. No. 1550, S.D. 2, as amended herein, and recommend that it pass Second Reading in the form attached hereto as S.B. No. 1550, S.D. 2, H.D. 1, and be placed on the calendar for Third Reading.