TITLE 13 INSURANCE
CHAPTER 1 INSURANCE GENERAL PROVISIONS
PART 3 PRIVACY OF NONPUBLIC PERSONAL INFORMATION
13.1.3.1 ISSUING AGENCY: New Mexico Public Regulation Commission
Insurance Division.
[13.1.3.1 NMAC - N, 2/25/2002]
13.1.3.2 SCOPE: This rule applies
to:
A. Nonpublic personal
financial information about individuals who obtain or are claimants or
beneficiaries of products or services primarily for personal, family or
household purposes from licensees. This
rule does not apply to information about companies or about individuals who
obtain products or services for business, commercial or agricultural purposes;
and
B. All nonpublic personal
health information.
[13.1.3.2
NMAC - N, 2/25/2002]
13.1.3.3 STATUTORY AUTHORITY: Section 59A-2-9 (1997) NMSA
1978 and Section 59A-2-9.3 (2001) NMSA 1978.
[13.1.3.3
NMAC - N, 2/25/2002]
13.1.3.4 DURATION: Permanent.
[13.1.3.4
NMAC - N, 2/25/2002]
13.1.3.5 EFFECTIVE DATE: February
25, 2002 unless a later date is cited in the history note at the end of a
section.
[13.1.3.4
NMAC - N, 2/25/2002]
13.1.3.6 OBJECTIVE: This rule governs the treatment of nonpublic personal
health information and nonpublic personal financial information about
individuals by all licensees of the NMPRC insurance division and is intended to
afford individuals greater privacy protections than those provided in the
Gramm-Leach-Bliley Financial Modernization Act (GLBA), Pub. L. 106-102, 113
Stat. 1338, 1415-17 (1999) (codified at 15 U.S.C.A. Section 6716). This rule:
A. Requires a licensee to provide notice to individuals about its privacy
policies and practices;
B. Describes the conditions under
which a licensee may disclose nonpublic personal health information and
nonpublic personal financial information about individuals to affiliates or
nonaffiliated third parties without authorization from the affected individual;
and
C. Provides methods for individuals to authorize
a licensee to disclose nonpublic personal information to affiliates or
nonaffiliated third parties.
D. The
examples in this rule and the sample clauses in 13.1.3.28 NMAC are not
exclusive. Compliance with an example or
use of a sample clause, to the extent applicable, constitutes compliance with
this rule.
[13.1.3.6
NMAC - N, 2/25/2002]
13.1.3.7 DEFINITIONS: As used in
this rule, unless the context requires otherwise:
A. “Affiliate” means a company that controls, is controlled by or is
under common control with another company.
B. “Clear and conspicuous” means that a
notice is reasonably understandable and designed to call attention to the
nature and significance of the information in the notice. Examples:
(1) Reasonably understandable. A licensee makes its notice reasonably
understandable if it:
(a) presents
the information in the notice in clear, concise sentences, paragraphs and
sections;
(b) uses
short explanatory sentences or bullet lists whenever possible;
(c) uses
definite, concrete, everyday words and active voice whenever possible;
(d) avoids multiple
negatives;
(e) avoids
legal and highly technical business terminology whenever possible; and
(f) avoids
explanations that are imprecise and readily subject to different
interpretations.
(2) Designed
to call attention. A licensee
designs its notice to call attention to the nature and significance of the
information in it if the licensee:
(a) uses
a plain-language heading to call attention to the notice;
(b) uses
a typeface and type size that are easy to read;
(c) provides
wide margins and ample line spacing;
(d) uses
boldface or italics for key words; and
(e) in
a form that combines the licensee’s notice with other information, uses
distinctive type size, style, and graphic devices, such as shading or sidebars.
(3) Notices
on web sites. If a licensee provides
a notice on a web page, the licensee designs its notice to call attention to
the nature and significance of the information in it if the licensee uses text
or visual cues to encourage scrolling down the page if necessary to view the
entire notice and ensure that other elements on the web site (such as text,
graphics, hyperlinks or sound) do not distract attention from the notice, and
the licensee either:
(a) places
the notice on a screen that consumers frequently access, such as a page on
which transactions are conducted; or
(b) places
a link on a screen that consumers frequently access, such as a page on which
transactions are conducted, that connects directly to the notice and is labeled
appropriately to convey the importance, nature and relevance of the notice.
C. “Collect” means to obtain information
that the licensee organizes or can retrieve by the name of an individual or by
identifying number, symbol or other identifying particular assigned to the
individual, irrespective of the source of the underlying information.
D. “Superintendent” means the New Mexico superintendent
of insurance.
E. “Company” means a corporation, limited
liability company, business trust, general or limited partnership, association,
sole proprietorship or similar organization.
F. “Consumer” means an individual who
seeks to obtain, obtains or has obtained an insurance product or service from a
licensee that is to be used primarily for personal, family or household purposes,
and about whom the licensee has nonpublic personal information, or that
individual’s legal representative.
Examples:
(1) An
individual who provides nonpublic personal information to a licensee in
connection with obtaining or seeking to obtain financial, investment or
economic advisory services relating to an insurance product or service is a
consumer regardless of whether the licensee establishes an ongoing advisory
relationship.
(2) An
applicant for insurance prior to the inception of insurance coverage is a
licensee’s consumer.
(3) An
individual who is a consumer of another financial institution is not a
licensee’s consumer solely because the licensee is acting as agent for, or
provides processing or other services to, that financial institution.
(4) An
individual is a licensee’s consumer if:
(a) the
individual is a beneficiary of a life insurance policy underwritten by the
licensee; the individual is a claimant under an insurance policy issued by the
licensee; the individual is an insured or an annuitant under an insurance
policy or an annuity, respectively, issued by the licensee; or the individual
is a mortgagor of a mortgage covered under a mortgage insurance policy; and
(b) the
licensee discloses nonpublic personal financial information about the
individual to a nonaffiliated third party other than as permitted under
13.1.3.17 NMAC, 13.1.3.18 NMAC, and 13.1.3.19 NMAC.
(5) Provided
that the licensee provides any initial, annual and revised notices required
under 13.1.3.8 NMAC, 13.1.3.9 NMAC and 13.1.3.12 NMAC to the plan sponsor,
group or blanket insurance policyholder, group annuity contractholder, or
workers’ compensation policyholder, and further provided that the licensee does
not disclose nonpublic personal information about such an individual other than
as permitted under 13.1.3.17 NMAC, 13.1.3.18 NMAC and 13.1.3.19 NMAC, an
individual is not the consumer of the licensee solely because he or she is:
(a) a
participant or a beneficiary of an employee benefit plan that the licensee
administers or sponsors or for which the licensee acts as a trustee, insurer or
fiduciary;
(b) covered
under a group or blanket insurance policy or group annuity contract issued by
the licensee; or
(c) a
claimant under a workers’ compensation policy.
(6) The
individuals described in Subparagraphs (a) through (c) of Paragraph (5) of Subsection
F of 13.1.3.7 NMAC are consumers of a licensee if the licensee does not meet
all the conditions of Paragraph (5) of Subsection F of 13.1.3.7 NMAC. In no
event shall the individuals, solely by
virtue of the status described in Subparagraphs (a) through (c) of Paragraph
(5) of Subsection F of 13.1.3.7 NMAC, be deemed to be customers for purposes of
this rule.
(7) An
individual is not a licensee’s consumer solely because he or she is a
beneficiary of a trust for which the licensee is a trustee.
(8) An
individual is not a licensee’s consumer solely because he or she has designated
the licensee as trustee for a trust.
G. “Consumer reporting agency” has the
same meaning as in Section 603(f) of the federal Fair Credit Reporting Act (15
U.S.C. 1681a(f)).
H. “Control” means:
(1) Ownership,
control or power to vote twenty-five percent (25%) or more of the outstanding
shares of any class of voting security of the company, directly or indirectly,
or acting through one or more other persons;
(2) control
in any manner over the election of a majority of the directors, trustees or
general partners (or individuals exercising similar functions) of the company;
or
(3) the
power to exercise, directly or indirectly, a controlling influence over the
management or policies of the company, as the superintendent determines.
I. “Customer” means a consumer who has a
customer relationship with a licensee.
J. “Customer relationship” means a
continuing relationship between a consumer and a licensee under which the
licensee provides one or more insurance products or services to the consumer that
are to be used primarily for personal, family or household purposes. Examples:
(1) A
consumer has a continuing relationship with a licensee if:
(a) the
consumer is a current policyholder of an insurance product issued by or through
the licensee; or
(b) the
consumer obtains financial, investment or economic advisory services relating
to an insurance product or service from the licensee for a fee.
(2) A
consumer does not have a continuing relationship with a licensee if:
(a) the
consumer applies for insurance but does not purchase the insurance;
(b) the
licensee sells the consumer travel insurance in an isolated transaction;
(c) the
individual is no longer a current policyholder of an insurance product or no
longer obtains insurance services with or through the licensee;
(d) the
consumer is a beneficiary or claimant under a policy and has submitted a claim
under a policy choosing a settlement option involving an ongoing relationship
with the licensee;
(e) the
consumer is a beneficiary or a claimant under a policy and has submitted a
claim under that policy choosing a lump sum settlement option;
(f) the
customer’s policy is lapsed, expired, or otherwise inactive or dormant under
the licensee’s business practices, and the licensee has not communicated with
the customer about the relationship for a period of twelve (12) consecutive
months, other than annual privacy notices, material required by law or rule,
communication at the direction of a state or federal authority, or promotional
materials;
(g) the
individual is an insured or an annuitant under an insurance policy or annuity,
respectively, but is not the policyholder or owner of the insurance policy or
annuity; or
(h) for the purposes of this rule, the individual’s last
known address according to the licensee’s records is deemed invalid. An address
of record is deemed invalid if mail sent to that address by the licensee has
been returned by the postal authorities as undeliverable and if subsequent
attempts by the licensee to obtain a current valid address for the individual
have been unsuccessful.
K. “Financial institution” means any
institution the business of which is engaging in activities that are financial
in nature or incidental to such financial activities as described in Section
4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:
(1) Any
person or entity with respect to any financial activity that is subject to the
jurisdiction of the Commodity Futures Trading Commission under the Commodity
Exchange Act (7 U.S.C. 1 et seq.);
(2) the
federal agricultural mortgage corporation or any entity charged and operating
under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or
(3) Institutions
chartered by congress specifically to engage in securitizations, secondary
market sales (including sales of servicing rights) or similar transactions
related to a transaction of a consumer, as long as the institutions do not sell
or transfer nonpublic personal information to a nonaffiliated third party.
L. “Financial
product or service” means a product or service that a financial holding company could offer
by engaging in an activity that is financial in nature or incidental to such a
financial activity under Section 4(k) of the Bank Holding Company Act of 1956
(12 U.S.C. 1843(k)). Financial service
includes a financial institution’s evaluation or brokerage of information that
the financial institution collects in connection with a request or an
application from a consumer for a financial product or service.
M. “Health care” means:
(1) Preventive, diagnostic, therapeutic,
rehabilitative, maintenance or palliative care, services, procedures, tests or
counseling that:
(a) relates to the
physical, mental or behavioral condition of an individual; or
(b) affects the
structure or function of the human body or any part of the human body,
including the banking of blood, sperm, organs or any other tissue; or
(2) prescribing, dispensing or furnishing
to an individual drugs or biologicals, or medical devices or health care
equipment and supplies.
N. “Health care provider” means a physician or other health care practitioner
licensed, accredited or certified to perform specified health services
consistent with state law, or a health care facility.
O. “Health information” means any information or data except age or gender,
whether oral or recorded in any form or medium, created by or derived from a
health care provider or the consumer that relates to:
(1) the past, present or future physical,
mental or behavioral health or condition of an individual;
(2) the provision of health care to an
individual; or
(3) payment for the provision of health
care to an individual.
P. “Insurance
product or service” means any
product or service that is offered by a licensee pursuant to the insurance laws
of this state. Insurance service
includes a licensee's evaluation, brokerage or distribution of information that
the licensee collects in connection with a request or an application from a
consumer for an insurance product or service.
Q. “Licensee” means all licensed insurers, agents, brokers,
solicitors, producers and other persons licensed or required to be licensed, or
authorized or required to be authorized, or registered or required to be
registered pursuant to the New Mexico Insurance Code other than pursuant to
Chapter 206 of the Laws of 2001 (Senate Bill 556, as amended).
(1) A licensee is not subject to the notice and authorization requirements for nonpublic personal financial information set
forth in 13.1.3.8 NMAC through 13.1.3.21 NMAC if the licensee is an employee, agent or other representative of another
licensee (“the principal”) and:
(a) the
principal otherwise complies with, and provides the notices required by, the
provisions of this rule; and
(b) the
licensee does not disclose any nonpublic personal information to any person
other than the principal or its affiliates in a manner permitted by this rule.
(2) Subject
to the provisions of this paragraph, “licensee” shall also include an
unauthorized insurer that accepts business placed through a licensed surplus
lines broker in this state, but only in regard to the surplus lines placements
placed pursuant to NMSA 59A-14-1 et seq. A surplus lines broker or
surplus lines insurer shall be deemed to be in compliance with the notice and
authorization requirements for nonpublic personal financial information set
forth in 13.1.3.8 NMAC through 13.1.3.19 NMAC provided:
(a) the
broker or insurer does not disclose nonpublic personal information of a
consumer or a customer to nonaffiliated third parties for any purpose,
including joint servicing or marketing under 13.1.3.17 NMAC, except as
permitted by 13.1.3.18 NMAC or 13.1.3.19 NMAC; and
(b) the
broker or insurer delivers a notice to the consumer at the time a customer
relationship is established on which the following is printed in 16-point type:
PRIVACY NOTICE
“Neither
the U.S. brokers that handled this insurance nor the insurers that have
underwritten this insurance will disclose nonpublic personal information
concerning the buyer to nonaffiliates of the brokers or insurers except as
permitted by law.”
R. “Nonaffiliated third party” means any person except a licensee’s affiliate; or a person employed jointly by a
licensee and any company that is not the licensee’s affiliate (but nonaffiliated
third party includes the other company that jointly employs the person). Nonaffiliated third party includes any
company that is an affiliate solely by virtue of the direct or indirect
ownership or control of the company by the licensee or its affiliate in
conducting merchant banking or investment banking activities of the type
described in Section 4(k)(4)(H) or insurance company investment activities of
the type described in Section 4(k)(4)(I) of the federal Bank Holding Company
Act (12 U.S.C. 1843(k)(4)(H) and (I)).
S. “Nonpublic personal information” means
nonpublic personal financial information and nonpublic personal health
information.
T. “Nonpublic
personal financial information” means personally identifiable financial information; and
any list, description or other grouping of consumers (and publicly available
information pertaining to them) that is derived using any personally
identifiable financial information that is not publicly available.
(1) Nonpublic
personal financial information does not include:
(a) health
information;
(b) publicly
available information, except as included on a list described above in this
section; or
(c) any
list, description or other grouping of consumers (and publicly available
information pertaining to them) that is derived without using any personally
identifiable financial information that is not publicly available.
(2) Examples of lists.
(a) Nonpublic
personal financial information includes any list of individuals’ names and
street addresses that is derived in whole or in part using personally
identifiable financial information that is not publicly available, such as
account numbers.
(b) Nonpublic
personal financial information does not include any list of individuals’ names
and addresses that contains only publicly available information, is not derived
in whole or in part using personally identifiable financial information that is
not publicly available, and is not disclosed in a manner that indicates that
any of the individuals on the list is a consumer of a financial institution.
U. “Nonpublic personal health information”
means health information:
(1) that identifies an individual who is
the subject of the information; or
(2) with respect to which there is a
reasonable basis to believe that the information could be used to identify an
individual.
V. “Personally
identifiable financial information” means any information a consumer provides to a
licensee to obtain an insurance product or service from the licensee; about a
consumer resulting from a transaction involving an insurance product or service
between a licensee and a consumer; or the licensee otherwise obtains about a
consumer in connection with providing an insurance product or service to that
consumer. Examples:
(1) Information included. Personally identifiable financial information includes:
(a) information
a consumer provides to a licensee on an application to obtain an insurance
product or service;
(b) account
balance information and payment history;
(c) the
fact that an individual is or has been one of the licensee’s customers or has
obtained an insurance product or service from the licensee;
(d) any
information about the licensee’s consumer if it is disclosed in a manner that
indicates that the individual is or has been the licensee’s consumer;
(e) any
information that a consumer provides to a licensee or that the licensee or its
agent otherwise obtains in connection with collecting on a loan or servicing a
loan;
(f) any
information the licensee collects through an Internet cookie (an
information-collecting device from a web server); and
(g) information
from a consumer report.
(2) Information not included. Personally
identifiable financial information does not include:
(a) health
information;
(b) a
list of names and addresses of customers of an entity that is not a financial
institution; and
(c) Information
that does not identify a consumer, such as aggregate information or blind data
that does not contain personal identifiers such as account numbers, names or
addresses.
W. “Publicly
available information” means any information that a licensee has a reasonable
basis to believe is lawfully made available to the general public from federal,
state or local government records; widely distributed media; or disclosures to
the general public that are required to be made by federal, state or local law.
(1) Reasonable basis. A licensee has a
reasonable basis to believe that information is lawfully made available to the
general public if the licensee has taken steps to determine:
(a) that
the information is of the type that is available to the general public; and
(b) whether
an individual can direct that the information not be made available to the
general public and, if so, that the licensee’s consumer has not done so.
(2) Examples.
(a) Government records. Publicly available
information in government records includes information in government real
estate records and security interest filings.
(b) Widely distributed media. Publicly
available information from widely distributed media includes information from a
telephone book, a television or radio program, a newspaper or a web site that
is available to the general public on an unrestricted basis. A web site is not
restricted merely because an Internet service provider or a site operator
requires a fee or a password, so long as access is available to the general
public.
(c) Reasonable basis. A licensee has a reasonable basis to believe
that mortgage information is lawfully made available to the general public if
the licensee has determined that the information is of the type included on the
public record in the jurisdiction where the mortgage would be recorded. A licensee has a reasonable basis to believe
that an individual’s telephone number is lawfully made available to the general
public if the licensee has located the telephone number in the telephone book
or the consumer has informed you that the telephone number is not unlisted.
[13.1.3.7
NMAC - N, 2/25/2002]
13.1.3.8 INITIAL PRIVACY NOTICE TO CONSUMERS REQUIRED FOR NONPUBLIC PERSONAL
FINANCIAL INFORMATION:
A. Initial notice requirement. A licensee shall provide a clear and
conspicuous notice that accurately reflects its privacy policies and practices
to:
(1) Customer. An individual who becomes the licensee’s
customer, not later than when the licensee establishes a customer relationship,
except as provided in Subsection E of 13.1.3.8 NMAC; and
(2) Consumer. A consumer, when the licensee requests
authorization to disclose any nonpublic personal financial information about
the consumer to any nonaffiliated third party other than disclosures listed in
13.1.3.18 NMAC and 13.1.3.19 NMAC for which no authorization is required.
B. When
initial notice to a consumer is not required.
A licensee is not required to provide an initial notice to a consumer
under Paragraph (2) of Subsection A of 13.1.3.8 NMAC if:
(1) the
licensee does not request authorization to disclose any nonpublic personal
information about the consumer to any nonaffiliated third party, other than
disclosures listed in 13.1.3.18 NMAC and 13.1.3.19 NMAC for which no
authorization is required, and the licensee does not have a customer relationship
with the consumer; or
(2) a
notice has been provided by an affiliated licensee, as long as the notice
clearly identifies all licensees to whom the notice applies and is accurate
with respect to the licensee and the other institutions.
C. When the licensee establishes a customer
relationship.
(1) General rule. A licensee establishes a customer
relationship at the time the licensee and the consumer enter into a continuing
relationship.
(2) Examples of establishing customer
relationship. A licensee establishes
a customer relationship when the consumer:
(a) becomes
a policyholder of a licensee that is an insurer when the insurer delivers an
insurance policy or contract to the consumer, or in the case of a licensee that
is an insurance producer or insurance broker, obtains insurance through that
licensee; or
(b) agrees
to obtain financial, economic or investment advisory services relating to
insurance products or services for a fee from the licensee.
D. Existing
customers. When an existing customer obtains
a new insurance product or service from a licensee that is to be used primarily
for personal, family or household purposes, the licensee satisfies the initial
notice requirements of subsection A of 13.1.3.8 NMAC as follows:
(1) The
licensee may provide a revised policy notice, under 13.1.3.12 NMAC, that covers
the customer’s new insurance product or service; or
(2) if
the initial, revised or annual notice that the licensee most recently provided
to that customer was accurate with respect to the new insurance product or
service, the licensee does not need to provide a new privacy notice under
subsection A of 13.1.3.8 NMAC.
E. Exceptions
to allow subsequent delivery of notice.
(1) A
licensee may provide the initial notice required by Paragraph (1) of Subsection
A of 13.1.3.8 NMAC within a reasonable time after the licensee establishes a
customer relationship if:
(a) establishing
the customer relationship is not at the customer’s election; or
(b) providing
notice not later than when the licensee establishes a customer relationship
would substantially delay the customer’s transaction and the customer agrees to
receive the notice at a later time.
(2) Examples of exceptions.
(a) Not at customer’s election. Establishing a customer relationship is not
at the customer’s election if a licensee acquires or is assigned a customer’s
policy from another financial institution or residual market mechanism and the
customer does not have a choice about the licensee’s acquisition or assignment.
(b) Substantial delay of customer’s transaction. Providing notice not later than when a
licensee establishes a customer relationship would substantially delay the
customer’s transaction when the licensee and the individual agree over the
telephone to enter into a customer relationship involving prompt delivery of
the insurance product or service.
(c) No substantial delay of customer’s
transaction. Providing notice not
later than when a licensee establishes a customer relationship would not
substantially delay the customer’s transaction when the relationship is
initiated in person at the licensee’s office or through other means by which
the customer may view the notice, such as on a web site.
F. Delivery.
When a licensee is required to deliver an initial privacy notice by this
section, the licensee shall deliver it according to 13.1.3.13 NMAC.
[13.1.3.8
NMAC - N, 2/25/2002]
13.1.3.9 ANNUAL PRIVACY NOTICE TO CUSTOMERS REQUIRED FOR
NONPUBLIC PERSONAL FINANCIAL INFORMATION:
A. General
rule. A licensee shall provide a clear and
conspicuous notice to customers that accurately reflects its privacy policies
and practices not less than annually during the continuation of the customer
relationship. Annually means at least
once in any period of 12 consecutive months during which that relationship
exists. A licensee may define the 12 consecutive-month
period, but the licensee shall apply it to the customer on a consistent
basis. Example: A licensee provides a notice annually if it
defines the 12 consecutive-month period as a calendar year and provides the
annual notice to the customer once in each calendar year following the calendar
year in which the licensee provided the initial notice. For example, if a customer opens an account
on any day of year one, the licensee shall provide an annual notice to that
customer by December 31 of year two.
B. Exception to the general rule. A licensee that provides nonpublic personal
information in accordance with Sections 13.1.3.17 NMAC, 13.1.3.18 NMAC, and
13.1.3.19 NMAC and has not changed its policies and practices with regard to
disclosing nonpublic personal information from the policies and practices that
were disclosed in the most recent notice sent to consumers in accordance with
13.1.3.8 NMAC shall not be required to provide a subsequent annual notice under
this section until such time as the licensee fails to comply with any criteria
described in this subsection. Notice of
a change in a licensee’s privacy policy shall be sent 90 days after the effective
date of the change.
C. Termination of customer relationship.
A licensee is not required to provide a privacy notice to a former
customer. A former customer is an
individual with whom a licensee no longer has a continuing relationship. Examples:
(1) A
licensee no longer has a continuing relationship with an individual if the
individual no longer is a current policyholder of an insurance product or no
longer obtains insurance services with or through the licensee.
(2) A licensee no longer has a continuing
relationship with an individual if the individual’s policy is lapsed, expired
or otherwise inactive or dormant under the licensee’s business practices, and
the licensee has not communicated with the customer about the relationship for
a period of 12 consecutive months, other than to provide privacy notices,
material required by law or rule, or promotional materials.
(3) For the purposes of this rule, a
licensee no longer has a continuing relationship with an individual if the
individual’s last known address according to the licensee’s records is deemed
invalid. An address of record is deemed
invalid if mail sent to that address by the licensee has been returned by the
postal authorities as undeliverable and if subsequent attempts by the licensee
to obtain a current valid address for the individual have been unsuccessful.
(4) A licensee no longer has a continuing
relationship with a customer in the case of providing real estate settlement
services, at the time the customer completes execution of all documents related
to the real estate closing, payment for those services has been received, or
the licensee has completed all of its responsibilities with respect to the
settlement, including filing documents on the public record, whichever is later.
D. Delivery. When a licensee is required by this section
to deliver a privacy notice, the licensee shall deliver it according to
13.1.3.13 NMAC.
[13.1.3.9
NMAC - N, 2/25/2002; A, 3/1/2022]
13.1.3.10 INFORMATION TO BE INCLUDED IN
PRIVACY NOTICES REQUIRED FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION:
A. General
rule. The initial, annual and revised privacy
notices that a licensee provides under 13.1.3.8 NMAC, 13.1.3.9 NMAC and
13.1.3.12 NMAC shall include each of the following items of information, in
addition to any other information the licensee wishes to provide, that applies
to the licensee and to the consumers to whom the licensee sends its privacy
notice:
(1) the
categories of nonpublic personal financial information that the licensee collects;
(2) the categories of
nonpublic personal financial information that the licensee will disclose if
authorization is obtained from the consumer whose nonpublic personal financial
information is sought to be disclosed;
(3) the categories of
affiliates and nonaffiliated third parties to whom the licensee discloses
nonpublic personal financial information, other than those parties to whom the
licensee discloses information under 13.1.3.18 NMAC and 13.1.3.19 NMAC;
(4) the
categories of nonpublic personal financial information about the licensee’s
former customers that the licensee discloses and the categories of affiliates
and nonaffiliated third parties to whom the licensee discloses nonpublic
personal financial information about the licensee's former customer, other than
those parties to whom the licensee discloses information under 13.1.3.18 NMAC
and 13.1.3.19 NMAC;
(5) if
a licensee discloses nonpublic personal financial information to a
nonaffiliated third party under
13.1.3.17 NMAC (and no other exception in 13.1.3.18 NMAC and 13.1.3.19
NMAC applies to that disclosure), a separate description of the categories of
information the licensee discloses and the categories of third parties with
whom the licensee has contracted;
(6) an
explanation of the consumer’s right under Subsection A of 13.1.3.14 NMAC to
authorize or not to authorize the disclosure of nonpublic financial personal
information to nonaffiliated third parties;
(7) any
disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the
federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is,
notices regarding the ability to opt out of disclosures of information among
affiliates);
(8) the
licensee’s policies and practices with respect to protecting the
confidentiality and security of nonpublic personal financial information; and
(9) any
disclosure that the licensee makes under Subsection B of 13.1.3.10 NMAC.
B. Description
of parties subject to exceptions. If a licensee
discloses nonpublic personal financial information as authorized under
13.1.3.18 NMAC and 13.1.3.19 NMAC, the licensee is not required to list those
exceptions in the initial or annual privacy notices required by 13.1.3.8 NMAC
and 13.1.3.9 NMAC. When describing the categories of parties to whom disclosure
is made, the licensee is required to state only that it makes disclosures to
other affiliated or nonaffiliated third parties, as applicable, as permitted by
law.
C. Examples.
(1) Categories of nonpublic personal financial information
that the licensee collects. A
licensee satisfies the requirement to categorize the nonpublic personal
financial information it collects if the licensee categorizes it according to
the source of the information, as applicable:
(a) information
from the consumer;
(b) information
about the consumer’s transactions with the licensee or its affiliates;
(c) information
about the consumer’s transactions with nonaffiliated third parties; and
(d) information
from a consumer reporting agency.
(2) Categories of nonpublic personal financial
information a licensee discloses.
(a) A licensee
satisfies the requirement to categorize nonpublic personal financial
information it discloses if the licensee categorizes the information according
to source, as described in Paragraph (1) of Subsection C of 13.1.3.10 NMAC, as
applicable, and provides a few examples to illustrate the types of information
in each category. These might
include: information from the consumer,
including application information, such as assets and income and identifying
information, such as name, address and social security number; transaction
information, such as information about balances, payment history and parties to
the transaction; and information from consumer reports, such as a consumer’s
creditworthiness and credit history.
(b) A
licensee does not adequately categorize the information that it discloses if
the licensee uses only general terms, such as transaction information about the
consumer.
(3) Categories
of affiliates and nonaffiliated third parties.
(a) A
licensee satisfies the requirement to categorize the affiliates and
nonaffiliated third parties if the licensee identifies the types of businesses
in which they engage.
(b) Types
of businesses may be described by general terms only if the licensee uses a few
illustrative examples of significant lines of business. For example, a licensee
may use the term financial products or services if it includes appropriate
examples of significant lines of businesses, such as life insurer, automobile
insurer, consumer banking or securities brokerage.
(c) A
licensee also may categorize the affiliates and nonaffiliated third parties
using more detailed categories.
(4) Disclosures under exception for service
providers and joint marketers. If a
licensee discloses nonpublic personal financial information under the exception
in 13.1.3.17 NMAC to a nonaffiliated third party to market products or services
that it offers alone or jointly with another financial institution, the
licensee satisfies the disclosure requirement of Paragraph (5) of Subsection A
of 13.1.3.10 NMAC if it:
(a) lists
the categories of nonpublic personal financial information it will disclose if
authorization is obtained from the consumer whose nonpublic personal
information is sought to be disclosed, using the same categories and examples
the licensee used to meet the requirements of Paragraph (2) of Subsection A of
13.1.3.10 NMAC, as applicable; and
(b) states
whether the third party is a service provider that performs marketing services
on the licensee’s behalf or on behalf of the licensee and another financial
institution; or a financial institution with whom the licensee has a joint
marketing agreement.
(5) Simplified
notices. If a licensee does not disclose, and
does not wish to reserve the right to disclose, nonpublic personal financial
information about customers or former customers to affiliates or nonaffiliated
third parties except as authorized under 13.1.3.18 NMAC and 13.1.3.19 NMAC, the
licensee may simply state the fact, in addition to the information it shall
provide under Paragraphs (1), (8) and (9) of Subsection A of 13.1.3.10 NMAC and
Subsection B of 13.1.3.10 NMAC.
(6) Confidentiality and security. A licensee describes its policies and
practices with respect to protecting the confidentiality and security of
nonpublic personal financial information if it does both of the following:
(a) describes
in general terms who is authorized to have access to the information; and
(b) states
whether the licensee has security practices and procedures in place to ensure
the confidentiality of the information in accordance with the licensee’s
policy. The licensee is not required to
describe technical information about the safeguards it uses.
D. Short-form initial notice with notice
regarding request for authorization for non-customers.
(1) A
licensee may satisfy the initial notice requirements in Paragraph (2) of Subsection
A of 13.1.3.8 NMAC and Subsection C of
13.1.3.11 NMAC for a consumer who is not a customer by providing a short-form
initial notice at the same time as the licensee delivers a notice regarding
request for authorization as required in 13.1.3.11 NMAC.
(2) A
short-form initial notice shall:
(a) be
clear and conspicuous;
(b) state
that the licensee’s privacy notice is available upon request; and
(c) explain
a reasonable means by which the consumer may obtain that notice.
(3) The
licensee shall deliver its short-form initial notice according to 13.1.3.13 NMAC.
The licensee is not required to deliver its privacy notice with its short-form
initial notice. The licensee instead may simply provide the consumer a
reasonable means to obtain its privacy notice. If a consumer who receives the
licensee’s short-form notice requests the licensee’s privacy notice, the
licensee shall deliver its privacy notice according to 13.1.3.13 NMAC.
(4) Examples of obtaining privacy notice. The licensee provides a reasonable means by
which a consumer may obtain a copy of its privacy notice if the licensee:
(a) provides
a toll-free telephone number that the consumer may call to request the notice;
or
(b) for
a consumer who conducts business in person at the licensee’s office, maintains
copies of the notice on hand that the licensee provides to the consumer
immediately upon request.
E. Future disclosures. The licensee’s notice may include:
(1) categories
of nonpublic personal financial information that the licensee reserves the
right to disclose in the future, but does not currently disclose; and
(2) categories
of affiliates or nonaffiliated third parties to whom the licensee reserves the
right in the future to disclose, but to whom the licensee does not currently
disclose, nonpublic personal financial information.
F. Sample
clauses. Sample clauses illustrating some of the
notice content required by this section are included in 13.1.3.28 NMAC.
[13.1.3.10 NMAC - N, 2/25/2002]
13.1.3.11 NOTICE TO CONSUMERS REGARDING REQUEST FOR AUTHORIZATION:
A. Form
of notice. If a licensee is required to
provide notice under Subsection A of 13.1.3.14 NMAC, it shall provide a clear
and conspicuous notice to each of its consumers that accurately explains the
right to authorize disclosures under that section. The notice shall state:
(1) that
the licensee may only disclose nonpublic personal information about its
consumer if the licensee first obtains authorization from the consumer; and
(2) that
the consumer has the right to authorize or not to authorize the disclosure.
B. Examples.
A licensee provides adequate notice that the consumer has the right to
authorize or not to authorize the disclosure of nonpublic personal information
if the licensee:
(1) Identifies
all of the categories of nonpublic personal information the licensee will disclose if authorization
is obtained from the consumer whose nonpublic personal information is sought to
be disclosed and all of the categories of affiliated and nonaffiliated third
parties to whom the licensee will disclose the information, as described in Paragraphs
(2) and (3) of Subsection A of 13.1.3.10 NMAC, and states that the consumer has
the right to authorize or not to authorize the disclosure of that information;
and
(2) Identifies
the insurance products or services that the consumer obtains from the licensee,
either singly or jointly, to which the authorization would apply.
C. Notice required when request for
authorization delivered subsequent to initial notice. If a licensee provides the notice to
consumers regarding request for authorization later than required for the
initial notice in accordance with 13.1.3.8 NMAC, the licensee shall also
include a copy of the initial notice with the request for authorization in
writing or, if the consumer agrees, electronically.
D. Joint
relationships.
(1) If two or more consumers jointly obtain an insurance
product or service from a licensee, the licensee shall provide notices and an
authorization form to each joint consumer.
(2) An
authorization signed by all joint consumers must be obtained by the licensee
before it may disclose any nonpublic personal information, except as otherwise
authorized in this rule or in accordance with an exception in 13.1.3.17 NMAC,
13.1.3.18 NMAC or 13.1.3.19 NMAC.
E. Delivery.
When a licensee is required to deliver a notice by this section, the
licensee shall deliver it according to 13.1.3.13 NMAC.
[13.1.3.11 NMAC - N, 2/25/2002]
13.1.3.12 REVISED PRIVACY NOTICES FOR NONPUBLIC PERSONAL FINANCIAL INFORMATION:
A. General rule. Except as otherwise authorized in this rule,
a licensee shall not, directly or through an affiliate, disclose any nonpublic
personal financial information about a consumer other than as described in the
initial notice that the licensee provided to that consumer under 13.1.3.8 NMAC
or in the authorization obtained from the consumer, unless:
(1) The
licensee has provided to the consumer a clear and conspicuous revised notice
that accurately describes its policies and practices;
(2) The
licensee has provided to the consumer a new notice to consumers regarding
request for authorization and a new authorization; and
(3) The
licensee has obtained authorization from the consumer whose nonpublic personal
financial information is sought to be disclosed.
B. Examples. Except as otherwise permitted by 13.1.3.17
NMAC, 13.1.3.18 NMAC and 13.1.3.19 NMAC, a licensee shall provide a revised
notice if it requests authorization to disclose:
(1) a
new category of nonpublic personal information;
(2) nonpublic
personal information to a new category of nonaffiliated third party; or
(3) nonpublic
personal information about a former customer to a nonaffiliated third party, if
that former customer has not previously authorized the disclosure.
C. Delivery. When a licensee is required to deliver a
revised privacy notice by this section, the licensee shall deliver it according
to 13.1.3.13 NMAC.
[13.1.3.12 NMAC - N, 2/25/2002]
13.1.3.13 DELIVERY:
A. How to provide notices. A licensee shall provide any notices that
this rule requires so that each consumer can reasonably be expected to receive
actual notice in writing or, if the consumer agrees, electronically.
(1) Examples of reasonable expectation of
actual notice. A licensee may
reasonably expect that a consumer will receive actual notice if the licensee:
(a) hand-delivers
a printed copy of the notice to the consumer;
(b) mails
a printed copy of the notice to the last known address of the consumer
separately, or in a policy, billing or other written communication;
(c) for
a consumer who conducts transactions electronically, posts the notice on the
electronic site and requires the consumer to acknowledge receipt of the notice
as a necessary step to obtaining a particular insurance product or service; or
(d) for
an isolated transaction with a consumer, such as the licensee providing an
insurance quote or selling the consumer travel insurance, posts the notice and
requires the consumer to acknowledge receipt of the notice as a necessary step
to obtaining the particular insurance product or service.
(2) Examples of unreasonable expectation of
actual notice. A licensee may not,
however, reasonably expect that a consumer will receive actual notice of its
privacy policies and practices if it:
(a) only
posts a sign in its office or generally publishes advertisements of its privacy
policies and practices; or
(b) sends
the notice via electronic mail to a consumer who does not obtain an insurance
product or service from the licensee electronically.
B. Annual notices only. A licensee may reasonably expect that a
customer will receive actual notice of the licensee’s annual privacy notice if:
(1) the
customer uses the licensee’s web site to access insurance products and services
electronically and agrees to receive notices at the web site and the licensee
posts its current privacy notice continuously in a clear and conspicuous manner
on the web site; or
(2) the
customer has requested that the licensee refrain from sending any information
regarding the customer relationship, and the licensee’s current privacy notice
remains available to the customer upon request.
C. Oral description of notice insufficient. A licensee may not provide any notice
required by this rule solely by orally explaining the notice, either in person
or over the telephone.
D. Retention or accessibility of notices for
customers.
(1) For
customers only, a licensee shall provide the initial notice required by Paragraph
(1) of Subsection A of 13.1.3.8 NMAC, the annual notice required by Subsection
A of 13.1.3.9 NMAC, and the revised notice required by 13.1.3.12 NMAC so that the customer can retain them or
obtain them later in writing or, if the customer agrees, electronically.
(2) Examples of retention or accessibility. A licensee provides a privacy notice to the
customer so that the customer can retain it or obtain it later if the licensee:
(a) hand-delivers
a printed copy of the notice to the customer;
(b) mails
a printed copy of the notice to the last known address of the customer; or
(c) makes
its current privacy notice available on a web site (or a link to another web
site) for the customer who obtains an insurance product or service
electronically and agrees to receive the notice at the web site.
E. Joint notice with other financial
institutions. A licensee may provide
a joint notice from the licensee and one or more of its affiliates or other
financial institutions, as identified in the notice, as long as the notice is
accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on
behalf of another financial institution.
F. Joint relationships. If two or more consumers jointly obtain an
insurance product or service from a licensee, the licensee may satisfy the
initial, annual and revised notice requirements of Subsection A of 13.1.3.8
NMAC, Subsection A of 13.1.3.9 NMAC and Subsection
A of 13.1.3.12 NMAC, respectively, by
providing one notice to those consumers jointly.
[13.1.3.13 NMAC - N, 2/25/2002]
13.1.3.14 LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION:
A. Conditions
for disclosure. Except as otherwise authorized in
this rule, a licensee may not, directly or through any affiliate, disclose any
nonpublic personal health information to any party, including affiliates, and
may not, directly or through an affiliate, disclose any nonpublic personal
financial information about a consumer to a nonaffiliated third party unless:
(1) the
licensee has provided to the consumer any initial notice as required under
13.1.3.8 NMAC regarding nonpublic personal financial information;
(2) the
licensee has provided to the consumer a notice as required in 13.1.3.11 NMAC;
and
(3) an
authorization is obtained from the consumer whose nonpublic personal
information is sought to be disclosed.
B. Application
to all consumers and all nonpublic personal information.
(1) A
licensee shall comply with this section, regardless of whether the licensee and
the consumer have established a customer relationship.
(2) Unless a licensee complies with this
section, the licensee may not, directly or through any affiliate, disclose any
nonpublic personal information about a consumer that the licensee has
collected, regardless of whether the licensee collected it before or after
receiving authorization from the consumer.
C. Partial authorization. A licensee may allow a consumer to select
certain nonpublic personal information or certain affiliates or nonaffiliated
third parties with respect to which the consumer wishes to authorize disclosure
of specified nonpublic personal information.
[13.1.3.14 NMAC - N, 2/25/2002]
13.1.3.15 LIMITS ON REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION:
A. Nonpublic
personal financial information the licensee receives under an exception.
If a licensee receives nonpublic personal financial information from a
nonaffiliated financial or other institution under an exception in 13.1.3.18
NMAC or 13.1.3.19 NMAC, the licensee’s disclosure and use of that information
is limited as follows:
(1) the
licensee may disclose the information to the affiliates of the financial or
other institution from which the licensee received the information;
(2) the
licensee may disclose the information to its affiliates, but the licensee’s
affiliates may, in turn, disclose and use the information only to the extent
that the licensee may disclose and use the information; and
(3) the
licensee may disclose and use the information pursuant to an exception in
13.1.3.18 NMAC or 13.1.3.19 NMAC, in the ordinary course of business to carry
out the activity covered by the exception under which the licensee received the
information.
(4) Example. If a licensee receives information from a
nonaffiliated financial or other institution for claims settlement purposes,
the licensee may disclose the information for fraud prevention, or in response
to a properly authorized subpoena. The
licensee may not disclose that information to a third party for marketing
purposes or use that information for its own marketing purposes.
B. Nonpublic
personal financial information a licensee receives outside of an exception.
If a licensee receives nonpublic personal financial information from a
nonaffiliated financial institution other than under an exception in 13.1.3.18
NMAC or 13.1.3.19 NMAC, the licensee may disclose the information only:
(1) To
the affiliates of the financial or other institution from which the licensee
received the information;
(2) To
its affiliates, but its affiliates may, in turn, disclose the information only
to the extent that the licensee may disclose the information; and
(3) To
any other person, if the disclosure would be lawful if made directly to that
person by the financial institution from which the licensee received the
information.
(4) Example. If a licensee obtains a customer list from a
nonaffiliated financial or other institution outside of the exceptions in
13.1.3.18 NMAC or 13.1.3.19 NMAC:
(a) the
licensee may use that list for its own purposes; and
(b) the
licensee may disclose that list to another nonaffiliated third party only if
the financial or other institution from which the licensee purchased the list
could have lawfully disclosed the list to that third party. That is, the licensee may disclose the list
in accordance with the privacy policy of the financial or other institution
from which the licensee received the list, consistent with the authorization of
each consumer whose nonpublic personal financial information the licensee
intends to disclose, and the licensee may disclose the list in accordance with
an exception in 13.1.3.18 NMAC or 13.1.3.19 NMAC, such as to the licensee’s
attorneys or accountants.
C. Nonpublic
personal financial information a
licensee discloses under an exception.
If a licensee discloses nonpublic personal financial information to a
nonaffiliated third party under an exception in 13.1.3.18 NMAC or 13.1.3.19
NMAC, the third party may disclose and use that information only as follows:
(1) the
third party may disclose the information to the licensee’s affiliates;
(2) the
third party may disclose the information to its affiliates, but its affiliates
may, in turn, disclose and use the information only to the extent that the
third party may disclose and use the information; and
(3) the
third party may disclose and use the information pursuant to an exception in
13.1.3.18 NMAC or 13.1.3.19 NMAC in the ordinary course of business to carry
out the activity covered by the exception under which it received the
information.
D. Nonpublic
personal financial information a
licensee discloses pursuant to consumer authorization outside of an exception. If a licensee discloses nonpublic personal
information to a nonaffiliated third party pursuant to 13.1.3.14 NMAC, the
third party may disclose the information only:
(1) to
the licensee’s affiliates;
(2) to
the third party's affiliates, but the third party's affiliates, in turn, may
disclose the information only to the extent the third party can disclose the
information; and
(3) to
any other person, if the disclosure would be lawful if the licensee made it
directly to that person.
E. Nonpublic
personal health information.
(1) If a licensee receives nonpublic personal health
information from an affiliate or a nonaffiliated third party under an exception
in 13.1.3.18 NMAC or 13.1.3.19 NMAC, the licensee may disclose and use the
information pursuant to an exception in 13.1.3.18 NMAC or 13.1.3.19 NMAC in the
ordinary course of business to carry out the activity covered by the exception
under which the licensee received the information.
(2) If
a licensee receives nonpublic personal health information other than under an
exception in 13.1.3.18 NMAC or 13.1.3.19 NMAC, the licensee may disclose the
information only to any other person, if the disclosure would be lawful if made
directly to that person by the individual from whom the licensee received the
information.
(3) If a licensee discloses nonpublic
personal health information to an affiliate or to a nonaffiliated third party
under an exception in 13.1.3.18 NMAC or 13.1.3.19 NMAC, the affiliate or third
party may only disclose and use that information pursuant to an exception in
13.1.3.18 NMAC or 13.1.3.19 NMAC in the ordinary course of business to carry
out the activity covered by the exception under which it received the
information.
(4) If a licensee discloses nonpublic
personal health information to an affiliate or a nonaffiliated third party
pursuant to 13.1.3.14 NMAC, the affiliate or third party may disclose the
information only to any other person if the disclosure would be lawful if the
licensee made it directly to that person.
[13.1.3.15 NMAC - N, 2/25/2002]
13.1.3.16 LIMITS ON SHARING ACCOUNT NUMBER INFORMATION FOR MARKETING PURPOSES:
A. General
prohibition on disclosure of account numbers. A licensee shall not, directly or through an affiliate, disclose,
other than to a consumer reporting agency, a policy number or similar form of
access number or access code for a consumer’s policy or transaction account to
any nonaffiliated third party for use in telemarketing, direct mail marketing
or other marketing through electronic mail to the consumer.
B. Exceptions. Subsection A of 13.1.3.16 NMAC does not apply
if a licensee discloses a policy number or similar form of access number or
access code:
(1) to
the licensee’s service provider solely in order to perform marketing for the
licensee’s own products or services, as long as the service provider is not
authorized to directly initiate charges to the account;
(2) to
a licensee who is a producer solely in order to perform marketing for the
licensee’s own products or services; or
(3) to
a participant in an affinity or similar program where the participants in the
program are identified to the customer when the customer enters into the
program.
C. Examples.
(1) Policy number. A policy number, or similar form of access
number or access code, does not include a number or code in an encrypted form,
as long as the licensee does not provide the recipient with a means to decode
the number or code.
(2) Policy or transaction account. For the purposes of this section, a policy or
transaction account is an account other than a deposit account or a credit card
account. A policy or transaction account
does not include an account to which third parties cannot initiate charges.
[13.1.3.16 NMAC - N, 2/25/2002]
13.1.3.17 EXCEPTION TO AUTHORIZATION REQUIREMENT FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION FOR SERVICE PROVIDERS AND JOINT MARKETING:
A. General rule.
(1) The
notice and authorization requirements in 13.1.3.11 NMAC and 13.1.3.14 NMAC do
not apply when a licensee provides nonpublic personal financial information to
a nonaffiliated third party to perform services for the licensee or functions
on the licensee’s behalf, if the licensee:
(a) provides
the initial notice in accordance with 13.1.3.8 NMAC; and
(b) enters
into a contractual agreement with the third party that prohibits the third
party from disclosing or using the information other than to carry out the
purposes for which the licensee disclosed the information, including use under
an exception in 13.1.3.18 NMAC or 13.1.3.19 NMAC in the ordinary course of
business to carry out those purposes.
(2) Example. If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee’s contractual agreement with that institution meets the requirements of Subparagraph (b) of Paragraph (1) of Subsection A of 13.1.3.17 NMAC if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in 13.1.3.18 NMAC or 13.1.3.19 NMAC in the ordinary course of business to carry out that joint marketing.
B. Joint marketing. The services a nonaffiliated third party
performs for a licensee under Subsection A of 13.1.3.17 NMAC may include
disclosures of nonpublic personal financial information for the purpose of
marketing of the licensee’s own products or services or marketing of financial
products or services offered pursuant to joint agreements between the licensee
and one or more financial institutions.
A licensee shall not disclose nonpublic personal health information for
joint marketing pursuant to 13.1.3.17 NMAC unless the licensee has first
obtained authorization from the consumer whose nonpublic personal health
information is sought to be disclosed for joint marketing.
C. Definition of “joint agreement.” For purposes of this section, “joint
agreement” means a written contract pursuant to which a licensee and one or
more financial institutions jointly offer, endorse or sponsor a financial
product or service.
[13.1.3.17 NMAC - N, 2/25/2002]
13.1.3.18 EXCEPTIONS TO NOTICE AND AUTHORIZATION REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION FOR PROCESSING AND SERVICING TRANSACTIONS:
A. Exceptions for processing transactions at
consumer’s request. The requirements
for initial notice in Paragraph (2) of Subsection A of 13.1.3.8 NMAC, for
notice and authorization in 13.1.3.11 NMAC and 13.1.3.14 NMAC, and service
providers and joint marketing in 13.1.3.17 NMAC do not apply if the licensee
discloses nonpublic personal information only to the extent necessary to
effect, administer or enforce a transaction that a consumer requests or
authorizes, or in connection with:
(1) servicing
or processing an insurance product or service that a consumer requests or
authorizes;
(2) maintaining
or servicing the consumer’s account with a licensee, or with another entity as
part of a private label credit card program or other extension of credit on
behalf of such entity;
(3) a
proposed or actual securitization, secondary market sale (including sales of
servicing rights) or similar transaction related to a transaction of the
consumer; or
(4) reinsurance
or stop loss or excess loss insurance.
B. “Necessary
to effect, administer or enforce a transaction” means that the disclosure is:
(1) required,
or is one of the lawful or appropriate methods, to enforce the licensee’s
rights or the rights of other persons engaged in carrying out the financial
transaction or providing the product or service; or
(2) required,
or is a usual, appropriate or acceptable method:
(a) to
carry out the transaction or the product or service business of which the
transaction is a part, and record, service or maintain the consumer’s account
in the ordinary course of providing the insurance product or service;
(b) to
administer, adjust, manage, or service benefits or claims relating to the
transaction or the product or service business of which it is a part;
(c) to
provide a confirmation, statement or other record of the transaction, or
information on the status or value of the insurance product or service to the
consumer or the consumer’s agent or broker;
(d) to
accrue or recognize incentives or bonuses associated with the transaction that
are provided by a licensee or any other party;
(e) to
underwrite insurance at the consumer’s request;
(f) to
perform the following insurance functions: policy placement or issuance,
account administration, detecting, reporting, investigating or preventing
actual or potential fraud, material misrepresentation or criminal activity,
processing premium payments, processing insurance claims, administering
insurance benefits (including utilization review activities), loss control,
risk management, case management, disease management, quality assurance,
quality improvement, performance evaluation, provider credentialing
verification, peer review activities, participating in research projects, grievance procedures; internal administration of
compliance, managerial, and information systems; policyholder service
functions; auditing; reporting; database security; administration of consumer
disputes and inquiries; external accreditation standards; the replacement of a
group benefit plan or workers compensation policy or program; activities in
connection with a sale, merger, transfer or exchange of all or part of a
business or operating unit; any activity that permits disclosure without
authorization pursuant to the federal Health Insurance Portability and
Accountability Act privacy rules promulgated by the U.S. department of health
and human services; disclosure that is required, or is one of the lawful or
appropriate methods, to enforce the licensee’s rights or the rights of other
persons engaged in carrying out a transaction or providing a product or service
that a consumer requests or authorizes; and any activity otherwise permitted by
law, required pursuant to governmental reporting authority, or to comply with
legal process; or
(g) in
connection with the authorization, settlement, billing, processing, clearing,
transferring, reconciling or collection of amounts charged, debited or
otherwise paid using a debit, credit or other payment card, check or account
number, or by other payment means; the transfer of receivables, accounts or
interests therein; or the audit of debit, credit or other payment information.
[13.1.3.18
NMAC - N, 2/25/2002]
13.1.3.19 OTHER EXCEPTIONS TO NOTICE AND
AUTHORIZATION REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION:
A. Exceptions to authorization requirement. The requirements for initial notice to
consumers in Paragraph (2) of Subsection A of 13.1.3.8 NMAC, for notice and
authorization in 13.1.3.11 NMAC and 13.1.3.14 NMAC, and service providers and
joint marketing in 13.1.3.17 NMAC do not apply when a licensee discloses
nonpublic personal information:
(1) with the consent or at the direction
of the consumer, provided that the consumer has not revoked the consent or
direction;
(2) to
protect the confidentiality or security of a licensee’s records pertaining to
the consumer, service, product or transaction; to protect against or prevent
actual or potential fraud or unauthorized transactions; for required
institutional risk control or for resolving consumer disputes or inquiries; to
persons holding a legal or beneficial interest relating to the consumer; or to
persons acting in a fiduciary or representative capacity on behalf of the
consumer;
(3) to
provide information to insurance rate advisory organizations, guaranty funds or
agencies, agencies that are rating a licensee, persons that are assessing the
licensee’s compliance with industry standards, and the licensee’s attorneys,
accountants and auditors;
(4) to
the extent specifically permitted or required under other provisions of law and
in accordance with the federal Right to Financial Privacy Act of 1978 (12
U.S.C. 3401 et seq.), to law enforcement agencies (including the federal reserve
board, office of the comptroller of the currency, federal deposit insurance corporation,
office of thrift supervision, national credit union administration, the securities
and exchange commission, the secretary of the treasury, with respect to 31
U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state
insurance authority, and the federal trade commission), self-regulatory
organizations or for an investigation on a matter related to public safety;
(5) to
a consumer reporting agency in accordance with the federal Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.); or from a consumer report
reported by a consumer reporting agency;
(6) in
connection with a proposed or actual sale, merger, transfer or exchange of all
or a portion of a business or operating unit if the disclosure of nonpublic
personal financial information concerns solely consumers of the business or
unit;
(7) to
comply with federal, state or local laws, rules and other applicable legal
requirements; to comply with a properly authorized civil, criminal or regulatory
investigation, or subpoena or summons by federal, state or local authorities;
or to respond to judicial process or government regulatory authorities having
jurisdiction over a licensee for examination, compliance or other purposes as
authorized by law; or
(8) for
purposes related to the replacement of a group benefit plan, a group health
plan, a group welfare plan or a workers’ compensation policy.
B. Revocation of authorization. A consumer
may revoke an authorization at any time by informing the licensee in writing of
the revocation.
[13.1.3.19
NMAC - N, 2/25/2002]
13.1.3.20 AUTHORIZATIONS:
A. A
valid authorization to disclose nonpublic personal information pursuant to
13.1.3.14 NMAC shall be in written or electronic form separate from that used
for any other purpose and shall contain all of the following:
(1) the identity of the consumer or
customer who is the subject of the nonpublic personal information;
(2) a specific description of the types
of nonpublic personal information to be disclosed;
(3) specific descriptions of the parties
to whom the licensee discloses nonpublic personal information, the purpose of
the disclosure and how the information will be used;
(4) the signature of the consumer or
customer who is the subject of the nonpublic personal information or the
individual who is legally empowered to grant authority and the date signed; and
(5) notice of the length of time for
which the authorization is valid and that the consumer or customer may revoke
the authorization at any time and the procedure for making a revocation.
B. An
authorization for the purposes of this rule shall specify a length of time for
which the authorization shall remain valid, which in no event shall be for more
than twenty-four (24) months.
C. A consumer
or customer who is the subject of nonpublic personal information may revoke an
authorization provided pursuant to this rule at any time, subject to the rights
of an individual who acted in reliance on the authorization prior to notice of
the revocation.
D. A
licensee shall retain the authorization or a copy thereof in the record of the
individual who is the subject of nonpublic personal information.
[13.1.3.20 NMAC - N,
2/25/2002]
13.1.3.21 AUTHORIZATION REQUEST DELIVERY: A notice to consumers regarding request for
authorization and an authorization form shall be delivered to a consumer
pursuant to 13.1.3.13 NMAC. A notice to
consumers regarding request for authorization and an authorization form are not
required to be delivered to a consumer or included in any other notices unless
the licensee intends to disclose nonpublic personal information pursuant to
13.1.3.14 NMAC.
[13.1.3.21 NMAC - N,
2/25/2002]
13.1.3.22 RELATIONSHIP TO FEDERAL RULES: Irrespective of whether a licensee is subject
to the federal Health Insurance Portability and Accountability Act privacy rule
as promulgated by the U.S. department of health and human services (the
“federal rule”), if a licensee complies with all requirements of the federal
rule except for its effective date provision, the licensee shall not be subject
to the provisions of this rule with respect to nonpublic personal health
information.
[13.1.3.22 NMAC - N,
2/25/2002]
13.1.3.23 RELATIONSHIP TO STATE LAWS: Nothing in this rule shall preempt or
supersede existing state law related to medical records, health or insurance
information privacy.
[13.1.3.23 NMAC - N,
2/25/2002]
13.1.3.24 PROTECTION OF FAIR CREDIT REPORTING ACT: Nothing in this rule shall be construed to
modify, limit or supersede the operation of the federal Fair Credit Reporting
Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of
the provisions of this rule regarding whether information is transaction or
experience information under Section 603 of that Act.
[13.1.3.24
NMAC - N, 2/25/2002]
13.1.3.25 NONDISCRIMINATION: A licensee shall not unfairly discriminate against any
consumer because that consumer has not granted authorization for the disclosure
of his or her nonpublic personal information pursuant to the provisions of this
rule.
[13.1.3.25
NMAC - N, 2/25/2002]
13.1.3.26 SEVERABILITY: If any section or portion of a section of this rule or
its applicability to any person or circumstance is held invalid by a court, the
remainder of the rule or the applicability of the provision to other persons or
circumstances shall not be affected.
[13.1.3.26
NMAC - N, 2/25/2002]
13.1.3.27 TWO-YEAR GRANDFATHERING OF SERVICE AGREEMENTS:
Until December 31, 2002, a
contract that a licensee has entered into with a nonaffiliated third party to
perform services for the licensee or functions on the licensee’s behalf
satisfies the provisions of Subparagraph (b) of Paragraph (1) of Subsection A of
13.1.3.17 NMAC, even if the contract does not include a requirement that the
third party maintain the confidentiality of nonpublic personal information, as
long as the licensee entered into the agreement on or before December 31, 2000.
[13.1.3.27 NMAC - N,
2/25/2002]
13.1.3.28 SAMPLE CLAUSES: Licensees,
including a group of financial holding company affiliates that use a common
privacy notice, may use the following sample clauses, if the clause is accurate
for each institution that uses the notice. (Note that disclosure of certain
information, such as assets, income and information from a consumer reporting
agency, may give rise to obligations under the federal Fair Credit Reporting
Act, such as a requirement to permit a consumer to opt out of disclosures to
affiliates or designation as a consumer reporting agency if disclosures are
made to nonaffiliated third parties.)
A. Categories
of information a licensee collects (all institutions):
A licensee may use this clause, as
applicable, to meet the requirement of Paragraph (1) of Subsection A of
13.1.3.10 NMAC to describe the categories of nonpublic personal information the
licensee collects. Sample Clause:
We collect nonpublic personal information about you from the following sources:
Information we receive from you on applications or other forms;
Information about your transactions with us, our affiliates or others; and
Information we receive from a consumer reporting agency.
B. Categories
of information a licensee discloses with consumer authorization (institutions
that disclose outside of the exceptions):
A licensee may use one of these clauses, as applicable, to meet the
requirement of Paragraph (2) of Subsection A of 13.1.3.10 NMAC to describe the
categories of nonpublic personal information the licensee discloses with
consumer authorization. The licensee may
use these clauses if it discloses nonpublic personal information other than as
permitted by the exceptions in 13.1.3.17 NMAC, 13.1.3.18 NMAC and 13.1.3.19
NMAC.
(1) Alternative 1: If authorized by you, we may disclose the following kinds
of nonpublic personal information about you:
Information we receive from you on applications or other forms, such as
[provide illustrative examples, such as “your name, address, social security
number, assets, income, and beneficiaries”];
Information about your transactions with us, our affiliates or others, such as
[provide illustrative examples, such as “your policy coverage, premiums, and
payment history”]; and
Information we receive from a consumer reporting agency, such as [provide
illustrative examples, such as “your creditworthiness and credit history”].
(2) Alternative 2: If authorized by you, we may disclose all of the
information that we collect, as described [describe location in the notice,
such as “above” or “below”].
C. Categories
of information a licensee discloses and parties to whom the licensee discloses
(institutions that do not disclose outside of the exceptions):
A licensee may use this clause, as
applicable, to meet the requirements of Paragraphs (2), (3), and (4) of Subsection
A of 13.1.3.10 NMAC to describe the categories of nonpublic personal
information about customers and former customers that the licensee discloses
with consumer authorization and the categories of affiliates and nonaffiliated
third parties to whom the licensee discloses with consumer authorization. A licensee may use this clause if the
licensee does not disclose nonpublic personal information to any party, other
than as permitted by the exceptions in 13.1.3.18 NMAC and 13.1.3.19 NMAC. Sample Clause:
We do not disclose any
nonpublic personal information about our customers or former customers to
anyone, except as permitted by law.
D. Categories
of parties to whom a licensee discloses with consumer authorization
(institutions that disclose outside of the exceptions):
A licensee may use this clause, as
applicable, to meet the requirement of Paragraph (3) of Subsection A of
13.1.3.10 NMAC to describe the categories of affiliates and nonaffiliated third
parties to whom the licensee discloses nonpublic personal information with
consumer authorization. This clause may
be used if the licensee discloses nonpublic personal information with consumer
authorization other than as permitted by the exceptions in 13.1.3.17 NMAC,
13.1.3.18 NMAC and 13.1.3.19 NMAC, as well as when permitted by the exceptions
in 13.1.3.18 NMAC and 13.1.3.19 NMAC. Sample Clause:
If authorized by you, we may disclose nonpublic personal information about you
to the following types of third parties:
Financial service providers, such as [provide illustrative examples, such as
“life insurers, automobile insurers, mortgage bankers, securities
broker-dealers, and insurance agents”];
Non-financial companies, such as [provide illustrative examples, such as
“retailers, direct marketers, airlines, and publishers”]; and
Others, such as [provide illustrative examples, such as “non-profit
organizations”].
We may also disclose nonpublic personal information about you to nonaffiliated
third parties as permitted by law.
E. Service
provider/joint marketing exception: A licensee may use one of these clauses, as
applicable, to meet the requirements of Paragraph (5) of Subsection A of
13.1.3.10 NMAC related to the exception for service providers and joint marketers
in 13.1.3.17 NMAC. If a licensee
discloses nonpublic personal information under this exception, the licensee
shall describe the categories of nonpublic personal information the licensee
discloses and the categories of third parties with which the licensee has
contracted.
(1) Alternative 1: We may disclose the following nonpublic personal financial
information to companies that perform marketing services on our behalf or to
other financial institutions with which we have joint marketing agreements:
Information we receive from you on applications or other forms, such as
[provide illustrative examples, such as “your name, address, social security
number, assets, income, and beneficiaries”];
Information about your transactions with us, our affiliates or others, such as
[provide illustrative examples, such as “your policy coverage, premium, and
payment history”]; and
Information we receive from a consumer reporting agency, such as [provide
illustrative examples, such as “your creditworthiness and credit history”].
(2) Alternative 2: We may disclose all of the nonpublic personal
financial information we collect, as described [describe location in the
notice, such as “above” or “below”] to companies that perform marketing
services on our behalf or to other financial institutions with whom we have
joint marketing agreements.
F. Explanation
of authorization right (institutions that disclose outside of the exceptions):
A licensee may use this clause, as
applicable, to meet the requirement of Paragraph (6) of Subsection A of
13.1.3.10 NMAC to provide an explanation of the consumer’s right to authorize
or not to authorize the disclosure of nonpublic personal information to
nonaffiliated third parties, including the method(s) by which the consumer may
exercise that right. The licensee may
use this clause if the licensee requests authorization to disclose nonpublic
personal information other than as permitted by the exceptions in 13.1.3.17
NMAC, 13.1.3.18 NMAC and 13.1.3.19 NMAC.
Sample Clause:
We may only disclose
nonpublic personal information if you sign and return the enclosed
authorization. If you prefer that we not
disclose nonpublic personal information about you, you should not return the
enclosed authorization form.
G. Confidentiality
and security (all institutions): A licensee may
use this clause, as applicable, to meet the requirement of Paragraph (8) of Subsection
A of 13.1.3.10 NMAC to describe its policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information. Sample Clause:
We restrict access to
nonpublic personal information about you to [provide an appropriate
description, such as “those employees who need to know that information to
provide products or services to you”].
We maintain physical, electronic, and procedural safeguards that comply
with federal rules to guard your nonpublic personal information.
[13.1.3.28 NMAC - N,
2/25/2002]
HISTORY OF 13.1.3
NMAC: [RESERVED]