INSURANCE: PRIVACY REQUIREMENTS - S.B. 431: ENROLLED SUMMARY
Senate Bill 431 (as enrolled) - PUBLIC ACT 24 of 2001
Sponsor: Senator Bill Bullard, Jr.
Senate Committee: Financial Services
House Committee: Insurance and Financial Services
Date Completed: 3-8-02
CONTENT
The bill added Chapter 5 (Privacy of Financial Information) to the Insurance Code to provide for the treatment of nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of insurance products. The bill does the following:
-- Prohibits a licensee from disclosing nonpublic personal financial information about a consumer to a nonaffiliated third party unless the customer is notified of the licensee's privacy policies and has an opportunity to opt out of the disclosure.
-- Requires a licensed insurer or producer, beginning on July 1, 2001, to notify customers of its privacy policies and practices concerning the disclosure of nonpublic personal financial information.
-- Requires a licensee to notify customers of its privacy practices and policies at least annually, and to provide a revised policy notice when a customer obtains a new insurance product or service.
-- Requires a licensee to notify a consumer of his or her right to opt out of the licensee's disclosure of nonpublic personal financial information.
-- Provides that a licensee must give a required notice so that a customer can be reasonably expected to receive actual notice in writing or, if the customer agrees, electronically.
-- Provides for a limited disclosure of nonpublic personal financial information that a licensee receives from a nonaffiliated financial institution.
-- Prohibits a licensee from unfairly disclosing certain insurance policy and account information for use in telemarketing, direct mail marketing, or marketing through electronic mail.
-- Makes exceptions to the bill's consumer notification provisions if a licensee discloses nonpublic personal financial information to administer a transaction that a consumer has requested or with a consumer's consent.
-- Prohibits a licensee from unfairly discriminating against a consumer for opting out of the disclosure of his or her nonpublic personal financial information.
-- Requires the Commissioner of the Office of Financial and Insurance Services to adopt guidelines for safeguards that will protect the security, confidentiality, and integrity of customer information.
Application
Chapter 5 applies to the treatment of nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family, or household purposes from licensees whether through an individual or group plan. Chapter 5 does not apply to information about companies or individuals who obtain products or services for business, commercial, or agricultural purposes.
The bill specifies that it does not modify, limit, or supersede the Code's provisions on insurance agency licenses and the sale of insurance by a lender (a person who makes, arranges, or purchases and services a loan); or statute or rules governing the confidentiality or privacy of individually identifiable health and medical information, including specified confidentiality provisions in the Revised Judicature Act, the Public Health Code, the Nonprofit Health Care Corporation Reform Act, the Michigan Penal Code, the Freedom of Information Act, and the Third Party Administrator Act.
The bill defines "licensee" as a licensed insurer or producer (a person required to be licensed under the Code to sell, solicit, or negotiate insurance), and other persons licensed or required to be licensed, authorized or required to be authorized, registered or required to be registered, or holding or required to hold a certificate of authority under the Code. "Licensee" includes a nonprofit health care corporation operating under the Nonprofit Health Care Corporation Reform Act, which regulates Blue Cross and Blue Shield of Michigan (BCBSM). "Licensee" also includes an unauthorized insurer who placed business through a licensed surplus line agent or broker in the State, but only for the surplus line placements under Chapter 19 of the Code. "Licensee" does not include BCBSM regarding member personal data and information otherwise protected under the Nonprofit Health Care Corporation Reform Act; the Michigan Life and Health Guaranty Association and the Property and Casualty Guaranty Association; or the Michigan Automobile Insurance Placement Facility, the Michigan Worker's Compensation Placement Facility, or the Assigned Claims Facility created under the Code, except that servicing carriers for these facilities are licensees.
The bill defines "nonpublic personal financial information" as personally identifiable financial information and any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available. The term does not include any of the following: health and medical information otherwise protected by State or Federal law, publicly available information, or any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived without using any personally identifiable financial information that is not publicly available. "Personally identifiable financial information" means any of the following: information a consumer provides to a licensee to obtain an insurance product or service from the licensee; information about a consumer resulting from any transaction involving an insurance product or service between a licensee and a consumer; or information that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
The bill defines "publicly available information" as any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from Federal, State, or local government records by wide distribution by the media or by disclosures to the general public that are required to be made by Federal, State, or local law. A licensee has a reasonable basis to believe that the information is lawfully made available to the general public if both of the following apply: the licensee has taken steps to determine that the information is of the type that is available to the general public; and, if a person can direct that the information not be made available to the general public, that the licensee's consumer has not done so.
Licensee Exceptions
The bill specifies that a licensee is not required to provide the notice and opt out requirements for nonpublic personal financial information if the licensee is an employee, agent, or other representative of a principal and all of the following are met: the principal is another licensee; the principal otherwise complies with and provides the notices required under the bill; and, the licensee does not disclose any nonpublic personal information to any person other than the principal or its affiliates as provided in the bill. ("Opt out" means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted in the bill.)
A surplus lines broker or surplus lines insurer will be considered in compliance with the notice and opt out requirements for nonpublic personal financial information if all of the following are met:
-- The broker or insurer does not disclose a consumer's or customer's nonpublic personal information to nonaffiliated third parties for any purpose, including joint servicing or marketing, except as permitted under the bill.
-- At the time a customer relationship is established, the broker or insurer gives the consumer a notice on which the privacy notice, as specified in the bill, is printed.
The bill defines "consumer" as an individual, or the individual's legal representative, who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes. "Consumer" includes all of the following:
-- An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment, or economic advisory services relating to an insurance product or service. An individual is a consumer under this provision regardless of whether the licensee establishes an ongoing advisory relationship.
-- An applicant for insurance prior to the inception of insurance coverage.
-- An individual about whom a licensee discloses nonpublic personal information to a nonaffiliated third party other than as permitted under the bill, if the individual is any of the following: a beneficiary of a life insurance policy underwritten by the licensee; a claimant under an insurance policy issued by the licensee; an insured under an insurance policy or an annuitant under an annuity issued by the licensee; or, a mortgagor of a mortgage covered under a mortgage insurance policy.
So long as the licensee provides the initial, annual, and revised notices under Chapter 5 to the plan sponsor, group or blanket insurance policyholders, and group annuity contract holder and does not disclose to a nonaffiliated third party nonpublic personal financial information other than as permitted under the bill, "consumer" does not include an individual solely because he or she is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary; or is covered under a group or blanket insurance policy or group annuity contract issued by the licensee. "Consumer" also does not include an individual solely because he or she is a beneficiary of a trust for which the licensee is a trustee; or has designated the licensee as trustee for a trust.
The bill defines "customer" as a consumer who has a customer relationship with a licensee. "Customer" does not include an individual solely because he or she meets one of the following: is a participant or beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary; is covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or is a beneficiary or claimant under a policy of insurance. "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.
Privacy Notice
Beginning on July 1, 2001, a licensee must provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all of the following:
-- An individual who on or after July 1, 2001, becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in the bill.
-- An individual who was the licensee's customer before July 1, 2001, at the next regularly scheduled contact with that customer but not later than July 1, 2002, so long as the licensee does not disclose any nonpublic personal financial information about the customer to any nonaffiliated third party other than as authorized by the bill, or annually in accordance with the bill if the licensee provided a notice before July 1, 2001, and that notice was consistent with the requirements of Chapter 5.
-- A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes the disclosure other than as authorized under the bill.
A licensee is not required to provide an initial notice to a consumer if the licensee meets any of the following:
-- The licensee does not disclose any nonpublic personal financial information about that consumer to any nonaffiliated third party, other than as authorized under the bill, and does not have a customer relationship with the consumer.
-- An affiliated licensee has given the consumer a notice that clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
Customer Relationship
The bill specifies that a licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship, which includes all of the following: for an insurer, when the consumer receives the delivery of an insurance policy or contract; for a producer, when the consumer obtains insurance through that licensee; and, when the consumer agrees to obtain financial, economic, or investment advisory services relating to insurance products or services for a fee from the licensee.
The bill specifies that an individual does not have a continuing relationship with a licensee under the following circumstances:
-- The individual's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices and the licensee has not communicated with the individual about the policy for 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, communication at the direction of a State or Federal authority, or promotional materials.
-- The individual is an insured or an annuitant under an insurance policy or annuity, but is not the policyholder or owner of the policy or annuity.
-- The individual's last known address according to the licensee's records is invalid.
When an existing customer obtains from a licensee a new insurance product or service that is to be used primarily for personal, family, or household purposes, the licensee must provide a revised privacy notice that meets the bill's requirements and that covers the customer's new insurance product or service. If the initial, revised, or annual notice that the licensee most recently provided to that customer is accurate with respect to the new insurance product or service, however, the licensee need not provide a new privacy notice.
A licensee may provide the initial notice within a reasonable time after the licensee establishes a customer relationship if establishing that relationship is not at the customer's election or providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
When a licensee is required to deliver an initial notice under these provisions, the licensee must deliver it according to the bill's requirements for notifying a consumer. If the licensee uses a short-form initial notice for noncustomers according to the bill, the licensee may deliver its privacy notice according to the bill's requirements for a short-form initial notice.
A licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices at least annually during the continuation of the customer relationship. A licensee is not required to provide an annual notice to a former customer.
The initial, annual, and revised notices must include each of the following items of information, in addition to any other information the licensee wishes to provide, that apply to the licensee and to the consumers to whom the licensee sends its privacy notice: the categories of nonpublic personal financial information that the licensee collects; the categories of nonpublic personal financial information that the licensee discloses; and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information as permitted under the bill.
The notices also must include the categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information as permitted under the bill. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party as permitted by the bill and no other exception in the bill applies to that disclosure, the notice must include a separate description of the categories of information the licensee discloses and the categories of the third parties with whom the licensee has contracted.
In addition, the notices must include: an explanation of the consumer's right under the bill to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method by which the consumer may exercise that right at that time; any disclosures that the licensee makes under the Federal Fair Credit Reporting Act, Title VI of the Consumer Credit Protection Act; the licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and any disclosure that the licensee makes under the following provision.
If a licensee discloses nonpublic financial information, as authorized under the bill, the licensee is not required to list those exceptions in the initial or annual notices. When describing the categories of parties to whom disclosure is made, the licensee must state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
Instead of providing the information required under these provisions, and if a licensee does not disclose and does not want to reserve the right to disclose nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under the bill, the licensee may state that fact as part of a simplified notice so long as the licensee provides the following information: categories of nonpublic personal financial information that the licensee collects; the licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; any disclosure that the licensee makes under the bill; and a statement that the licensee makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
The licensee's initial notice may include categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future but does not currently disclose; and categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose but does not currently disclose nonpublic personal financial information.
Short-Form Initial Notice
A licensee may satisfy the bill's initial notice requirements for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice. A short-form initial notice must be clear and conspicuous, state that the licensee's privacy notice is available upon request, and explain a reasonable means by which the consumer may obtain that notice. The licensee must deliver this notice according to the bill's requirements (described below), but is not required to deliver its privacy notice with its short-form initial notice and may provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the privacy notice, the licensee must deliver it according to the bill.
Opt Out Notice
If a licensee is required to provide an opt out notice under the bill, it must provide to each of its consumers a clear and conspicuous notice that accurately explains the right to opt out. The notice must state all of the following: that the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated party; that the consumer has the right to opt out of that disclosure; and a reasonable means by which the consumer may exercise the opt out right.
A licensee may provide the required opt out notice together with or on the same written or electronic form as the initial notice. If a licensee provides the opt out notice later than required for the initial notice, the licensee also must include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
If at least two consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. This notice must explain how the licensee will treat an opt out direction by a joint consumer, and may either treat an opt out direction by a joint consumer as applying to all of the associated joint consumers or permit each joint consumer to opt out separately. If each joint consumer may opt out separately, the licensee must permit one of the joint consumers to opt out on behalf of all of the joint consumers. A licensee may not require all joint consumers to opt out before it implements any opt out direction.
A licensee must comply with a consumer's opt out direction as soon as reasonably practicable after the licensee receives it. A consumer may exercise the right to opt out at any time. A consumer's direction to opt out will be in effect until he or she revokes it in writing or, if the consumer agrees, revokes it electronically. If a customer relationship terminates, the customer's opt out direction will continue to apply to the nonpublic personal financial information that the licensee collected during or related to the relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship will not apply to the new relationship.
Prohibited Disclosure
Except as otherwise authorized, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice unless all of the following have been met: The licensee has given the consumer a clear and conspicuous revised notice that accurately describes its policies and practices; the licensee has given the consumer a new opt out notice; and the licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure, and the consumer does not opt out.
Delivery of Notice
A licensee must provide any notice required under the bill so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. A licensee may reasonably expect that a consumer will receive actual notice if the licensee does any of the following: hand delivers a printed copy of the notice to the consumer; mails a printed copy to the last known address of the consumer separately, or in a policy, billing, or other written communication; for a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receiving the notice as a necessary step to obtaining a particular insurance product or service; or, for an isolated transaction with a consumer, such as providing an insurance quote or selling travel insurance, posts the notice and requires the consumer to acknowledge receiving it as a necessary step to obtaining the particular insurance product or service.
The bill specifies that the following do not provide a reasonable expectation that a consumer will receive actual notice of a licensee's policies and practices: The licensee only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or, the licensee sends the notice via electronic mail to a consumer who does not electronically obtain an insurance product or service from the licensee.
A licensee may reasonably expect that a customer will receive actual notice in either of the following cases: The customer uses the licensee's website to gain access to insurance products and services electronically and agrees to receive notices at the website and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the website; or, the customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
A licensee may not provide any notice required by the bill solely by orally explaining the notice, either in person or over the phone. For customers only, a licensee must provide the initial, annual, and revised notices so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically. The bill specifies that a licensee provides an initial, annual, or revised notice to the customer so that he or she can retain it or obtain it later if the licensee does any of the following: hand delivers a printed copy of the notice to the customer; mails a printed copy to the customer's last known address; or makes the notice available on a website or a link to another website for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the website.
A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, if the notice is accurate with respect to the licensee and other institutions. A licensee also may provide a notice on behalf of another financial institution, as identified in the notice, if it is accurate with respect to the licensee and the other institution. If at least two consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements by providing one notice to those consumers jointly.
Disclosure
Except as otherwise provided in the bill, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has given to the consumer an initial notice and an opt out notice, and has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure and the consumer does not opt out.
The bill specifies that a licensee provides a consumer with a reasonable opportunity to opt out in any of the following ways:
-- If the licensee mails the required notices to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the licensee mails the notices.
-- A customer opens an on-line account with a licensee and agrees to receive the required notices electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receiving the notices in conjunction with opening the account.
-- For an isolated transaction such as providing the consumer with an insurance quote, if the licensee provides the required notices at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
The bill specifies that these provisions apply to a licensee whether or not the licensee and the consumer have established a customer relationship. Unless a licensee complies with these provisions, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer. A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
Limited Disclosure
If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception permitted in the bill (described below), the licensee's disclosure and use of that information are limited as follows: The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information; and the licensee may disclose the information to its affiliates, but they, in turn, may disclose and use the information only to the extent that the licensee may disclose and use it. The licensee also may disclose and use the information pursuant to an exception in the bill, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception, the licensee may disclose the information only as follows: to the affiliates of the financial institution from which the licensee received the information; to its affiliates, who in turn, may disclose the information only to the extent that the licensee may disclose the information; or to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in the bill, the third party may disclose and use that information only as follows: to the licensee's affiliates; to its affiliates, who may disclose and use the information only to the extent that the third party may disclose and use it; and, pursuant to an exception in the bill, in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in the bill, the third party may disclose the information only as follows: to the licensee's affiliates; to the third party's affiliates, who may disclose the information only to the extent that the third party may disclose it; and to any other person, if the disclosure would be lawful if the licensee made it directly to that person.
Prohibit Disclosure for Marketing
A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy or account number or other access number or access code for a consumer's policy, credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. These provisions do not apply if the policy or account number, or other access number or access code, is in an encrypted form, as long as the licensee does not give the recipient a means to decode the number or code.
Further, the prohibition does not apply if a licensee discloses a policy or account number or other access number or access code as follows: to the licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized directly to initiate charges to the account; to a licensee who is a producer solely in order to perform marketing for the licensee's own products or services; or, to a participant in an affinity or similar program whose participants are identified to the customer when he or she enters into the program.
Exceptions
The bill's opt out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee provides the initial notice and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception provided in the bill in the ordinary course of business to carry out those purposes.
The services a nonaffiliated third party performs for a licensee under this provision may include marketing of the licensee's own products or services or marketing of insurance products or services offered pursuant to joint agreements between the licensee and one or more financial institutions.
The bill's privacy notice and opt out notice requirements do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following: servicing or processing an insurance product or service that a consumer requests or authorizes; maintaining or servicing the consumer's account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity; a proposed or actual securitization, secondary market sale including sales of servicing rights, or similar transaction related to a consumer's transaction; reinsurance or stop loss or excess loss insurance; or, servicing or processing an insurance product or service on behalf of the Michigan Automobile Insurance Placement Facility, the Michigan Worker's Compensation Placement Facility, or the Assigned Claims Facility.
In addition, the bill's provisions on consumer notification and opt out do not apply when a licensee discloses nonpublic personal financial information as follows: with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction; to protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product, or transaction; to protect against or prevent actual or potential fraud or unauthorized transactions; for required institutional risk control or for resolving consumer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; to persons acting in a fiduciary or representative capacity on behalf of the consumer; or, to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, or the licensee's attorneys, accountants, and auditors.
Disclosure also is permitted to the extent specifically permitted or required under other provisions of law and in accordance with the Federal Right to Privacy Act; to law enforcement agencies including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to certain provisions of the U.S. Code, the Federal Trade Commission, a state insurance authority, self-regulatory organizations, or for an investigation on a matter related to public safety.
In addition, the notice and opt out requirements do not apply when a licensee discloses nonpublic personal financial information to a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act; from a consumer report reported by a consumer reporting agency; in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit of the licensee if the disclosure concerns solely consumers of that business or unit; to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation, subpoena, or summons by a Federal, State, or local authority; to respond to judicial process or a government regulatory authority having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law; or, for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or workers' compensation plan to the extent necessary to effectuate the replacement.
The Michigan Life and Health Guaranty Association, the Property and Casualty Guaranty Association, the Michigan Automobile Insurance Placement Facility, the Michigan Worker's Compensation Placement Facility, and the Assigned Claims Facility may not disclose or use nonpublic personal financial information, except pursuant to the bill's provisions permitting disclosure to administer or enforce a transaction requested or authorized by a consumer and authorizing a licensee to disclose this information under specified conditions.
Other Provisions
Credit Reporting. The bill specifies that nothing in Chapter 5 may be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, Title VI of the Consumer Credit Protection Act, and no inference may be drawn on the basis of the provisions of the bill regarding whether information is transaction or experience information under the Fair Credit Reporting Act.
Prohibited Discrimination. A licensee may not unfairly discriminate against any consumer because the consumer has opted out or intends to opt out from the disclosure of his or her nonpublic personal financial information pursuant to the bill.
Third Party Contract. Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf will satisfy the criteria for an opt out exception, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal financial information, as long as the licensee entered into the agreement on or before July 1, 2000.
Guidelines for Safeguards. The Commissioner is required to adopt guidelines for administrative, technical, and physical safeguards that protect the security, confidentiality, and integrity of customer information pursuant to the Gramm-Leach-Bliley Act. Each licensee must adopt policies and procedures for administrative, technical, and physical safeguards for the protection of customer records and information. The policies and procedures must be based on the Commissioner's guidelines, and reasonably designed to do all of the following: ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Violation. The bill specifies that a violation of Chapter 5 or a rule promulgated under it is an unfair method of competition and an unfair or deceptive act or practice in the business of insurance.
MCL 500.115 et al.
BACKGROUND
In 1999, Congress passed and the President signed the Gramm-Leach-Bliley Financial Services Modernization Act. Title V of the Act requires financial institutions, including insurers, to protect the security and confidentiality of their customers' nonpublic personal financial information. The Act, however, leaves authority for overseeing privacy regulations involving the insurance industry to the states.
Legislative Analyst: Suzanne Lowe
FISCAL IMPACT
According to the Office of Financial and Insurance Services, the bill increases the regulatory responsibilities of the Office by imposing additional requirements on the 1,500 insurance companies already regulated, which might increase costs. Additionally, the bill requires the promulgation of new guidelines, which involves implementation costs. There is no information available as to the amount of these costs.
Fiscal Analyst: Maria Tyszkiewicz
S0102\s431es
This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.