FIRST REGULAR SESSION
SENATE BILL NO. 306
91ST GENERAL ASSEMBLY
INTRODUCED BY SENATOR JACOB.
Read 1st time January 16, 2001, and 1,000 copies ordered printed.
TERRY L. SPIELER, Secretary.
1045S.01I
AN ACT
To amend chapter 375, RSMo, by adding thereto twenty new sections relating to the financial information privacy protection model act, with penalty provisions and an effective date.
Section A. Chapter 375, RSMo, is amended by adding thereto twenty new sections, to be known as sections 375.1650, 375.1653, 375.1656, 375.1659, 375.1662, 375.1665, 375.1668, 375.1671, 375.1674, 375.1677, 375.1680, 375.1683, 375.1686, 375.1689, 375.1692, 375.1695, 375.1698, 375.1701, 375.1704 and 375.1710, to read as follows:
375.1650. Sections 375.1650 to 375.1710 shall be known and may be cited as the "Financial Information Privacy Protection Model Act".
375.1653. As used in sections 375.1650 to 375.1710, unless the context requires otherwise, the following terms shall mean:
(1) "Affiliate", any company that controls, is controlled by, or is under common control with another company;
(2) "Agent", any authorized agent of an insurer, or representative of the agent, who acts as an agent in the solicitation of, negotiation for, or procurement or making of, any insurance or annuity contract, other than the attorney in fact or a traveling salaried representative of a mutual, reciprocal, or stock insurer;
(3) "Clear and conspicuous", that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice;
(4) "Collect", to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information;
(5) "Company", any corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization;
(6) "Consumer", an individual who seeks to obtain, obtains, or has obtained an insurance product or service in this state from a licensee that is to be used primarily for personal, family, household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative, including, but not limited to:
(a) An individual who provides nonpublic personal information to a licensee in connection with seeking to obtain or obtaining financial, insurance, investment or economic advisory services regardless of whether the licensee establishes an ongoing relationship;
(b) An applicant for insurance prior to the inception of insurance coverage;
(c) An individual who provides nonpublic personal information to a licensee in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes, regardless of whether the loan is extended;
(d) An individual is not a licensee's consumer, including but not limited to, because:
a. He or she is a beneficiary of a trust for which the licensee is a trustee;
b. He or she is a third party liability claimant;
c. He or she has designated the licensee as trustee for a trust;
d. He or she is a consumer of another financial institution to which the licensee acts as agent for, or provides processing or other services; and
(e) An individual is not a licensee's consumer because:
a. He or she is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary; or
b. He or she is covered under a group or blanket insurance policy or group annuity contract issued by the licensee:
(i) Provided that the licensee provides the initial, annual and revised notices pursuant sections 375.1656, 375.1659 and 375.1662 to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, workers' compensation plan participant;
(ii) And further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted pursuant to section 375.1692.
(7) "Consumer reporting agency", has the same meaning as in section 603(f) of the Federal Fair Credit Reporting Act (15 U.S.C. 1681a(f));
(8) "Control":
(a) Ownership, control or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
(b) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or
(c) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the director determines;
(9) "Customer", a consumer who has a customer relationship with a licensee. In no event, however, shall a beneficiary or a claimant under a policy of insurance, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for the purposes of sections 375.1650 to 375.1710;
(10) "Customer relationship", a continuing relationship between a consumer and a licensee under which the licensee provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes, including, but not limited to, if the consumer:
(a) Is a current policyholder of an insurance product or other product from or through a licensee;
(b) Holds an investment product through a licensee;
(c) Obtains financial, insurance, investment or economic advisory services from a licensee for a fee;
(11) "Financial product or service", any product or service that is offered by a licensee pursuant to chapters 375 to 385, RSMo, including, but not limited to a licensee's evaluation or brokerage of information that the licensee collects in connection with a request or an application from a consumer for a financial product or service;
(12) "Financial institution", the same as that term is defined in Section 509(3) of Gramm-Lead-Bliley Act, and is as follows:
(a) In general: the term "financial institution" means any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956;
(b) Persons subject to CFTC regulation: notwithstanding paragraph (a) of this subdivision, the term "financial institution" does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act;
(c) Farm credit institutions: notwithstanding paragraph (a) of this subdivision, the term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971;
(d) Other secondary market institutions: notwithstanding paragraph (a) of this subdivision, the term "financial institution" does not include institutions chartered by Congress specifically to engage in transactions described in Section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party;
(13) "Health information", any information or data, except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer or customer that relates to:
(a) The past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumer's family;
(b) The provision of health care to a consumer; or
(c) Payment for the provision of health care to a consumer;
(14) "Licensee", a person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to this chapter, a health maintenance organization holding, or required to hold, a certificate of authority pursuant to chapter 354, RSMo, or other covered entities. A licensee that is a producer or independent insurance agent is subject to all the requirements of sections 375.1650 to 375.1710, except when the producer or agent is acting as agent for a licensee. In that case, the producer acting as agent for a licensee is exempt only from the notice requirements, rather than all requirements, of sections 375.1650 to 375.1710, and only if such producer does not disclose consumer information other than as permitted by sections 375.1686, 375.1689 and 375.1692;
(a) Subject to paragraph (b) of this subdivision, "covered entities" shall include unauthorized insurers who place business through licensed excess line brokers in Missouri, but only in regard to the excess line placements placed;
(b) Licensed excess line brokers placing business underwritten by covered entities and those covered entities shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information pursuant to sections 375.1650 to 375.1710 provided:
a. Such licensed excess line brokers and covered entities do not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing pursuant to section 375.1686, except as permitted by section 375.1689 or 375.1692; and
b. At the time the customer relationship is established, a single notice is delivered to the consumer on behalf of all such licensed excess line brokers and covered entities involved in the provision of a financial product or service to a consumer or customer on which the following is printed in 16-point type:
PRIVACY NOTICE
"NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR THE INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF SUCH BROKER(S) OR SUCH INSURER(S) EXCEPT AS PERMITTED BY LAW."
(15) "Nonaffiliated third party", any person, including, but not limited to any company that is an affiliate solely by virtue of the licensee's or its affiliate's direct or indirect ownership or control of the company conducting:
(a) Merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) of the Federal Bank Holding Company Act; or
(b) Insurance company investment activities of the type described in Section 4(k)(4)(I) of the Federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I), except:
a. The licensee's affiliate; or
b. A person employed jointly by a licensee and any company that is not the licensee's affiliate. Nonaffiliated third party includes the other company that jointly employs the person.
(16) "Nonpublic personal information", nonpublic personal financial information and nonpublic personal health information;
(17) "Nonpublic personal financial information":
(a) Personally identifiable financial information; and
(b) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available; and
(c) Any list of individual's names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as policy or contract numbers;
(d) Nonpublic personal financial information does not include:
a. Health information;
b. Publicly available information, except as included on a list as described in subparagraph d. of this subdivision; or
c. Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available;
d. Any list of individual's names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution;
(18) "Nonpublic personal health information" means health information:
(a) That identifies an individual who is the subject of the information; or
(b) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual;
(19) "Opt out", a direction by the consumer that a licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted pursuant to sections 375.1650 to 375.1710.
(20) "Personally identifiable financial information", financial information:
(a) A consumer provides to a licensee to obtain a financial product or service from the licensee;
(b) About a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer; or
(c) A licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer;
(21) "Personally identifiable health information", health information:
(a) A consumer provides to a licensee to obtain a financial product or service from the licensee;
(b) About a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer; or
(c) The licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer; and
(d) That identifies a consumer who is the subject of the information; or
(e) With respect to which there is a reasonable basis to believe that the information could be used to identify a consumer;
Personally identifiable health information does not include personally identifiable, non-medical information such as name, address, social security number, age, gender, etc. if legally obtained by the licensee from a source other than the consumer's medical record, even if such information is also part of the consumer's medical record;
(22) "Publicly available information", any information that the licensee has a reasonable basis to believe is lawfully made available to the general public from:
(a) Federal, state or local government records;
(b) Widely distributed media; or
(c) Disclosures to the general public that are required to be made by federal, state or local law;
(23) "Reasonable basis", the licensee has a reasonable basis to believe that information is lawfully made available to the general public because the licensee has taken steps to determine:
(a) That the information is of the type that is available to the general public; and
(b) Whether an individual can direct that the information not be made available to the general public and, if so, that a licensee's consumer has not done so.
375.1656. 1. A licensee must provide a clear and conspicuous notice that accurately reflects the licensee's privacy policies and practices to:
(1) An individual who becomes a licensee's customer, not later than the time that the licensee establishes a customer relationship; and
(2) A consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by sections 375.1650 to 375.1710.
2. A licensee is not required to provide an initial notice to a consumer pursuant to subsection 1 of this section if:
(1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 375.1650 to 375.1710;
(2) The licensee does not have a customer relationship with the consumer; or
(3) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and the other institutions.
3. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship, other than solely as a beneficiary or claimant.
4. A licensee establishes a customer relationship under circumstances including, but not limited to the following:
(1) When the consumer becomes a policyholder. This occurs when an insurance policy or contract is delivered to the consumer;
(2) When the consumer agrees to obtain financial, insurance, economic, or investment advisory services from the licensee for a fee.
5. When an existing customer obtains a new financial product or service from a licensee that is to be used primarily for personal, family, or household purposes, a licensee satisfies the initial notice requirements of subsection 1 of this section as follows:
(1) A licensee may provide a revised policy notice, pursuant to section 375.1668, that covers the customer's new financial product or service; or
(2) If the initial, revised, or annual notice that a licensee most recently provided to that customer was accurate with respect to the new financial product or service, a licensee does not need to provide a new privacy notice under subsection 1 of this section.
6. A licensee may provide the initial notice required by subsection 1 of this section within a reasonable time after the licensee establishes a customer relationship if:
(1) Establishing the customer relationship is not at the customer's election, including but not limited to if the licensee acquires or is assigned the insurance policy or related records from another financial institution or residual market mechanism and the customer does not have a choice about such acquisition or assignment; or
(2) Providing notice not later than when the licensee establishes the customer relationship would substantially delay the customer's transaction, including but not limited to when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service, and the customer agrees to receive the notice at a later time.
7. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the requirements of subsection 1 of this section by providing one initial notice to those consumers jointly.
8. When a licensee is required to deliver an initial privacy notice by this section, a licensee must deliver it according to section 375.1671. If a licensee uses a short-form initial notice for non-customers according to section 375.1662, the licensee may deliver its privacy notice according to section 375.1662.
375.1659. 1. A licensee must provide a clear and conspicuous notice to a customer that accurately reflects the licensee's privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve consecutive months during which that relationship exists. A licensee may define the twelve-consecutive-month period, but the licensee must apply it to the customer on a consistent basis.
2. A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship. A licensee no longer has a continuing relationship with an individual:
(1) If the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
(2) If the individual's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve consecutive months, other than to provide annual privacy notices, materials required by law or regulation, or promotional materials;
(3) If the individual's last known address according to the licensee's records is deemed to be invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or
(4) In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
3. When the licensee is required to deliver an annual privacy notice by this section, the licensee must deliver it according to section 375.1671.
4. Such annual notice may be provided by an affiliated licensee, as long as the notice clearly identifies all licensees to which the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and other institutions.
375.1662. 1. The initial, annual, and revised privacy notices that a licensee provides pursuant to sections 375.1650 to 375.1710 must include each of the following items of information that applies to the licensee or to the consumers to whom the licensee sends its privacy notice, in addition to any other information the licensee wishes to provide:
(1) The categories of nonpublic personal financial information that the licensee collects;
(2) The categories of nonpublic personal financial information that the licensee discloses;
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information pursuant to sections 375.1689 and 375.1692;
(4) The categories of nonpublic personal financial information about the licensee's former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about its former customers, other than those parties to whom it discloses information pursuant to sections 375.1689 and 375.1692;
(5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party pursuant to section 375.1686 (and no other exception applies to that disclosure), a separate statement of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
(6) An explanation of the right pursuant to section 375.1677 to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties and pursuant to section 375.1695 to authorize the disclosure of personally identifiable health information for marketing purposes, including the methods by which the consumer may exercise those rights at that time;
(7) Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii))(that is, notices regarding the ability to opt out of disclosures of information among affiliates);
(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(9) A statement to the effect that the licensee makes disclosures under subsection 2 of this section, if such disclosures are made.
2. If a licensee discloses nonpublic personal financial information about a consumer to third parties only as authorized pursuant to section 375.1689 and 375.1692, the licensee is not required to list those exceptions in the initial or annual privacy notices required by sections 375.1650 to 375.1710. When describing the categories with respect to those parties, a licensee is only required to state that it makes disclosures to other nonaffiliated third parties as permitted by law.
3. The licensee may satisfy the initial notice requirements of sections 375.1650 to 375.1710 for a consumer who is not a customer by providing a short form initial notice at the same time as the licensee delivers an opt out notice as required in section 375.1671 and if appropriate, an authorization as required in section 375.1695.
4. A short form initial notice must:
(1) Be clear and conspicuous;
(2) State that a licensee's privacy notice is available upon request; and
(3) Explain a reasonable means by which the consumer may obtain that notice, including but not limited to providing a toll-free telephone number the consumer may call to request the notice or, for a consumer who conducts business in person in the licensee's office, providing notice to the consumer immediately upon request.
5. The licensee must deliver its short form notice according to section 375.1671. A licensee is not required to deliver its privacy notice with its short-form initial notice. A licensee may instead simply provide the consumer with a reasonable means to obtain the licensee's privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee must deliver its privacy notice according to section 375.1671.
6. A licensee's notice may include:
(1) Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal financial information.
375.1665. 1. If a licensee is required to provide an opt out notice pursuant to section 375.1677 the licensee must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice must state:
(1) That the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
(2) That the consumer has the right to opt out of that disclosure; and
(3) A reasonable means by which the consumer may exercise the opt out right, provided that the licensee may require the consumer opt out through a specific means, as long as the means is reasonable for that consumer.
2. A licensee provides a reasonable means to exercise an opt out right if it:
(1) Designates check off boxes in a prominent position on the relevant forms with the opt out notice;
(2) Includes a reply form together with the opt out notice;
(3) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's web site, if the consumer agrees to the electronic delivery of information;
(4) Provides a toll-free telephone number that consumers may call to opt out; or
(5) Provides the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with section 375.1656.
3. If a licensee provides the opt out notice later than required for the initial notice in accordance with section 375.1656, the licensee must also include a copy of the initial notice in writing or, if the consumer agrees, electronically.
4. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice must explain how the licensee will treat an opt out direction by a joint consumer.
5. Any of the joint consumers may exercise the right to opt out. The licensee may either:
(1) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(2) Permit each joint consumer to opt out separately.
6. If the licensee permits each joint consumer to opt out separately, the licensee must permit one of the joint consumers to opt out on behalf of all of the joint consumers.
7. A licensee may not require all joint consumers to opt out before the licensee implements any opt out direction.
8. A licensee must comply with a consumer's opt out direction as soon as reasonably practicable after the licensee receives it.
9. A consumer may exercise the right to opt out at any time.
10. A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
11. When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal financial information the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.
12. When a licensee is required to deliver an opt out notice by this section, the licensee must deliver it according to section 375.1671.
375.1668. 1. Except as otherwise authorized in sections 375.1650 to 375.1710, a licensee shall not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer pursuant to section 375.1656, unless:
(1) The licensee has provided to the consumer a revised notice that accurately describes the licensee's policies and practices;
(2) The licensee has provided to the consumer a new opt out notice and, if appropriate, an authorization as required in section 375.1686;
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of or, if appropriate, authorize the disclosure; and
(4) The consumer does not opt out or, if appropriate, the consumer authorizes the disclosure.
2. When the licensee is required to deliver a revised privacy notice by this section, the licensee must deliver it according to section 375.1671.
375.1671. 1. A licensee must provide any privacy notices and opt out notices, including short-form initial notices, that sections 375.1650 to 375.1710 requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
2. The licensee may reasonably expect that a consumer will receive actual notice if the licensee:
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication; and
(3) Electronically, clearly and conspicuously posts the notice on the electronic site for the consumer who regularly accesses the licensee's web site to conduct transactions; or
(4) For an isolated transaction with the consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
3. A licensee may not reasonably expect that a consumer will receive actual notice of the licensee's privacy policies and practices if the licensee:
(1) Only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices; or
(2) Sends the notice via electronic mail to a consumer who does not agree to receive the notice electronically.
4. A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if:
(1) The customer agrees to receive notices at the web site, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or
(2) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
5. A licensee may not provide any notice required by sections 375.1650 to 375.1710 solely by orally explaining the notice, either in person or over the telephone.
6. For customers only, a licensee must provide the initial notice, the annual notice, and the revised notice required by sections 375.1650 to 375.1710, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically, including, but not limited to hand-delivering a printed copy of the notice to the customer; mailing a printed copy of the notice to the last known address of the customer upon the request of the customer; or making the licensee's current privacy notice available on a web site (or a link to another web site) for the customer who agrees to receive the notice at the web site.
7. A licensee may provide a joint notice from the licensee and one or more of the licensee's affiliates, other licensees or other financial institutions, or on behalf of another financial institution, as long as the notice is accurate with respect to the licensee and the other institutions.
8. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the initial and revised notice requirements by providing one notice to those consumers jointly.
375.1674. 1. No licensee shall unfairly discriminate against any customer or consumer on the basis of the customer's or consumer's exercise of his or her right to opt out of the sharing of his or her nonpublic personal information in the manner provided in sections 375.1650 to 375.1710. Nothing in this section shall prohibit licensees from engaging in their usual, appropriate, or acceptable method for insurance underwriting.
2. Nothing in sections 375.1650 to 375.1710 requires a licensee to provide a benefit or commence or continue payment of a claim in the absence of personally identifiable health information or nonpublic personal financial information to support or deny the claim.
375.1677. 1. Except as otherwise authorized in sections 375.1650 to 375.1710, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(1) The licensee has provided to the consumer an initial notice as required pursuant to section 375.1656;
(2) The licensee has provided to the consumer an opt out notice as required in section 375.1665;
(3) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure. Methods of complying with this provision include, but are not limited to:
(a) The licensee mails the notices required in this section to the consumer and allows the consumer to opt out by mailing a form, calling a toll free telephone number, or any other reasonable means within thirty days from the date the licensee mailed the notices;
(b) A customer opens an on-line account with the licensee and agrees to receive the notices required in this section electronically, and the licensee makes the notices available to the customer on its web site and the licensee allows the customer to opt out by any reasonable means within thirty days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account; or
(c) For an isolated transaction, such as providing the consumer with an insurance quote, a licensee provides a reasonable opportunity to opt out if the licensee provides the consumer the notices required in this section at the time of the transaction and requests that the consumer decide, as a necessary act of the transaction, whether to opt out before completing the transaction; and
(4) The consumer does not opt out.
2. A licensee must comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.
3. Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that it has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.
375.1680. 1. If the licensee receives nonpublic personal information from a nonaffiliated financial institution under an exception of sections 375.1650 to 375.1710 or pursuant to an authorization pursuant to section 375.1695, the licensee's disclosure and use of that information is limited as follows:
(1) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information;
(2) The licensee may disclose the information to its affiliates and agents, but the affiliates and agents may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information; and
(3) The licensee may disclose and use the information pursuant to an exception in section 375.1689 or 375.1692, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
2. If a licensee receives nonpublic personal information from a nonaffiliated financial institution other than under an exception in sections 375.1650 to 375.1710 or pursuant to an authorization pursuant to section 375.1695, the licensee may disclose the information only:
(1) To the affiliates of the financial institution from which the licensee received the information;
(2) To the licensee's affiliates and agents, but the licensee's affiliates and agents may, in turn, disclose the information only to the extent that the licensee can disclose the information; and
(3) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
3. If the licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in section 375.1689 or 375.1692, the third party may disclose and use that information only as follows:
(1) The third party may disclose the information to the licensee's affiliates;
(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) The third party may disclose and use the information pursuant to an exception in section 375.1689 or 375.1692, in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
4. If a licensee discloses nonpublic personal information to a nonaffiliated third party other than under an exception in section 375.1689 or 375.1692 or pursuant to an authorization pursuant to section 375.1695, the third party may disclose the information only:
(1) To the licensee's affiliates;
(2) To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.
375.1683. 1. A licensee must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy or contract number or similar form of access number or access code for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
2. Subsection 1 of this section does not apply if the licensee discloses a policy or contract number or similar form of access number or access code:
(1) To the licensee's agent or service provider solely in order to perform marketing for the licensee's products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or
(2) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program; or
(3) To a licensee who is a producer solely in order to perform marketing for the licensee's own products or services.
375.1686. 1. The opt out requirements of sections 375.1650 to 375.1710 do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for, or functions on behalf of the licensee, if the licensee:
(1) Provides the initial notice in accordance with sections 375.1650 to 375.1710; and
(2) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in section 375.1689 or 375.1692, in the ordinary course of business to carry out those purposes.
2. A licensee may use and disclose personally identifiable financial information to a person acting on behalf of or at the direction of the licensee to perform the licensee's insurance functions including, but not limited to, claims administration, claims adjustment and management, fraud investigation, underwriting, loss control, rate making functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, grievance procedures, internal administration of compliance, managerial, and information systems, policyholder service functions, account administration, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, and as otherwise required or specifically permitted by federal or state law.
3. The services performed for a licensee by a nonaffiliated third party pursuant to subsection 1 of this section may include marketing of the licensee's own products or services or marketing of financial products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
4. For purposes of this section, "joint agreement" means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.
375.1689. 1. The requirements for initial notice to consumers in section 375.1656, providing the opt out opportunity to consumers and customers, and the application of sections 375.1650 to 375.1710 to service providers and joint marketing do not apply if a licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with:
(1) Servicing or processing a financial product or service requested or authorized by the consumer, including such products or services under consideration by a consumer;
(2) Maintaining or servicing the consumer's account with the licensee or with another entity;
(3) Transactions involving a person acting as agent of the licensee, provided such agent agrees not to disclose said nonpublic personal financial information to additional third parties; or
(4) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.
2. The requirements of sections 375.1650 to 375.1710 do not apply if a licensee discloses nonpublic personal financial information and/or personally identifiable health information for any purpose related to effecting, administering or replacing a group benefit plan, a group health plan, or a group welfare plan.
3. Necessary to effect, administer, or enforce a transaction means, in this section, that the disclosure is:
(1) Required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) Required, or is a usual, appropriate, or acceptable method:
(a) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;
(b) To administer, adjudicate or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(c) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker;
(d) To accrue or recognize incentives or bonuses associated with the transaction that are provided by the licensee or any other party;
(e) To underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes, as they relate to a consumer's insurance account administration, reporting, investigating, preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or state law;
(f) In connection with:
a. The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or policy or contract number, or by other payment means;
b. The transfer of receivables, accounts, or interests therein; or
c. The audit of debit, credit, or other payment information.
375.1692. 1. The requirements for initial notice to consumers in section 375.1656, the opportunity to opt out, and the provisions applicable to service providers and joint marketing in sections 375.1650 to 375.1710 do not apply when a licensee discloses nonpublic personal financial information:
(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
(2) (a) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product or transaction;
(b) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;
(c) For required institutional risk control or for resolving consumer disputes or inquiries;
(d) To persons holding a legal or beneficial interest relating to the consumer; or
(e) To persons acting in a fiduciary or representative capacity on behalf of the consumer;
(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants, and auditors;
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, with respect to any person domiciled in that insurance authority's state that is engaged in providing insurance, and the Federal Trade Commission, self-regulatory organizations, or for an investigation on a matter related to public safety;
(5) (a) To a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and the fair credit laws of this state; or
(b) From a consumer report reported by a consumer reporting agency;
(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of such business or unit; or
(7) (a) To comply with Federal, state, or local laws, rules and other applicable legal requirements;
(b) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state or local authorities; or
(c) To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law;
(8) Necessary to provide ongoing health care treatment;
(9) In connection with quality assessment evaluations or investigations;
(10) To reveal a consumer's presence in a facility owned by the licensee and the consumer's general health condition;
(11) To a reinsure, stop loss or excess loss carrier for the purpose of underwriting, claims adjudication and conducting claim file audits;
(12) Needed for one of the following purposes:
(a) To identify a deceased individual;
(b) To determine the cause and manner of death by a chief medical examiner or the medical examiner's designee; or
(c) To provide necessary protected health information about a deceased individual who is a donor of an anatomical gift;
(13) To a state department of insurance that is performing an examination, investigation, or audit of the licensee; or
(14) Pursuant to a court order issued after the court's determination that the public interest in disclosure outweighs the consumer's privacy interest and that the personally identifiable health information is not reasonably available by other means.
2. Nothing in sections 375.1650 to 375.1710 shall be construed as applicable to information disclosures by licensees in connection with the purchase of insurance coverage by the licensee or the arrangement of insurance coverage by the licensee for its employees.
375.1695. 1. A licensee shall obtain an authorization to disclose, prior to making such disclosure, any personally identifiable health information if the purpose of the disclosure is for the marketing of services or goods for personal, family or household purposes.
2. The notice required by this section may be included in the notice required by section 375.1656, provided that the notice shall comply with the following requirements:
(1) The purpose of the disclosure of personally identifiable health information shall be stated in clear and simple terms and shall appear as a separate paragraph;
(2) The request for authorization shall specify that the authorization shall remain valid for no more than twenty-four months and may be revoked at any time;
(3) The request for authorization shall specify that the terms and conditions of all insurance policies will not be affected in any way by a refusal to give authorization, as provided in section 375.1674.
3. The requirements of sections 375.1650 to 375.1710 do not apply and, thus, the authorization described by this section is not required, if a licensee discloses nonpublic personal information and/or personally identifiable health information for any purpose related to effecting, administering or replacing a group benefit plan, a group health plan, or a group welfare plan.
4. Nothing in this section shall prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of insurance functions by or on behalf of the licensee, including but not limited to: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement of issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the Federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process.
375.1698. 1. Nothing in sections 375.1650 to 375.1710 shall be construed to modify, limit, or supersede the operation of the Federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of sections 375.1650 to 375.1710 regarding whether information is transaction or experience information pursuant to section 375.1704.
2. Nothing in sections 375.1650 to 375.1710 shall preempt or supercede existing state law related to medical records, health or insurance information privacy.
375.1701. Nothing in sections 375.1650 to 375.1710 shall be construed to limit, modify or supercede and does not modify, limit or supersede the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of Sections 262 and 264 of the Federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
375.1704. 1. No licensee shall knowingly or willfully violate the provisions of sections 375.1650 to 375.1710.
2. The director of the department of insurance is authorized to investigate any alleged violations of sections 375.1650 to 375.1710 and to impose fines and other sanctions. A violation of sections 375.1650 to 375.1710 shall be considered an unfair trade practice pursuant to section 375.934.
375.1710. 1. In order to provide sufficient time for insurers and other licensees to establish policies and systems to comply with the requirements of sections 375.1650 to 375.1710, time for compliance with sections 375.1650 to 375.1710 is extended until July 3, 2003.
2. By July 1, 2003, the licensee shall have provided an initial notice, as required by section 375.1656, to consumers who are the licensee's customers on July 1, 2003.
3. Until July 1, 2003, a contract that the licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on its behalf does not need to satisfy the provisions of section 375.1686 which provide that the third party maintain the confidentiality of nonpublic personal information, as long as the licensee entered into the agreement on or before July 1, 2003.
Section B. The enactment of sections 375.1650, 375.1653, 375.1656, 375.1659, 375.1662, 375.1665, 375.1668, 375.1671, 375.1674, 375.1677, 375.1680, 375.1683, 375.1686, 375.1689, 375.1692, 375.1695, 375.1698, 375.1701, 375.1704, 375.1707 and 375.1710 shall be effective on January 1, 2003.