Enforcing the Privacy of Non-Public Personal Financial Information


FAQ Main Page

General Issues

Q. Who is required to comply with the Regulation?
A. With some limited exceptions, all companies, producers and other persons, and entities licensed under Alabama insurance law must comply with Alabama Insurance Regulation 122, Alabama Administrative Code, Chapter 482-1-122 (the "Regulation"). All licensees, including health insurers and HMOs, are considered "financial institutions" under Title V of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6827)("GLBA").

Q. My company provides title insurance. Are we required to comply with the new privacy Regulation?
A. Yes. All entities licensed under the insurance law are required to comply with the Regulation.

Q. I'm a surplus line broker. Does the privacy Regulation apply to me?
A. Yes, the Regulation applies to surplus line brokers; however, you are not required to comply with the financial information notice and opt out provisions if you do not disclose any nonpublic personal information for any purpose including joint marketing and servicing (except when the information is disclosed pursuant to the specific business and legal exceptions provided); and you deliver a notice to your consumers and customers stating that fact.

Q. Are insurance producers subject to the Regulation?
A. Yes, see the "Producer Issues" section for detailed information regarding the Regulation's applicability to producers.

Q. Are third party agents (TPAs) and managing general agents (MGAs) subject to the Regulation?
A. All entities that are licensed under the applicable state insurance law are required to comply with the Regulation, which would include licensed MGAs. Since Alabama does not license TPA's, the notice requirements do not apply to a TPA; however, the law and Regulation indirectly applies to a TPA since it would be applicable to the insurer.

Q. Are workers' compensation plans covered by the Regulation?
A. No, workers' compensation plans are not subject to the Insurance Commissioner's regulation, although they are presumably subject to the Federal law.

NOTE: Even under the NAIC model regulation, a workers' compensation plan is only required to provide privacy and opt out notices to a person who receives benefits from the plan (a "beneficiary") if the plan wishes to disclose the beneficiary's nonpublic personal financial information to a third party outside the extensive exceptions provided in the Regulation. In such a situation (under the NAIC model regulation), the beneficiary is the plan's "consumer." Workers' compensation plans are also required (under the NAIC model regulation) to provide annual privacy notices to all plan participants (employers).

Q. How does the new Regulation impact the disclosure of information about beneficiaries?
A.

  • For the treatment of workers' compensation beneficiaries, see the question above.
  • A beneficiary of a life insurance policy is considered a consumer under the Regulation if the insurer discloses nonpublic personal financial information about the beneficiary to a nonaffiliated third party other than as provided in the exceptions described in the Regulation. As a consumer, such a beneficiary is entitled to a privacy notice and the opportunity to opt out of the disclosure of nonpublic personal financial information.
  • A beneficiary of an employee benefit plan is considered a consumer if the insurer discloses nonpublic personal financial information about the beneficiary to a nonaffiliated third party other than as provided in the exceptions described in the Regulation. As a consumer, such a beneficiary is entitled to a privacy notice and the opportunity to opt out of the disclosure of nonpublic personal financial information. Insurers are also required to provide annual notices to plan sponsors, regardless of whether they disclose beneficiary information to nonaffiliated third parties.
  • Health Information: The Alabama Regulation does not apply to health information. Under the NAIC model regulation, insurers are required to get the consent of beneficiaries prior to disclosing nonpublic personal health information to any other party (except when information is shared pursuant to one or more of the exceptions set out in the regulation).

Q. How does the new Regulation impact the disclosure of information about claimants?
A. A claimant under any insurance policy is considered a consumer under the Regulation if the insurer discloses nonpublic personal financial information about the claimant to a nonaffiliated third party outside the exceptions provided in the Regulation. As a consumer, such a claimant is entitled to a privacy notice and the opportunity to opt out of the disclosure of nonpublic personal financial information.

Q. What if my company has nonpublic personal information about a claimant and does not share it?
A. If you do not share nonpublic personal information about a claimant, or if you share such information pursuant to the exceptions in the Regulation, you have no obligation to the claimant.

Q. What if my company has nonpublic personal information about a beneficiary and does not share it?
A. If you do not share nonpublic personal information about a beneficiary, or if you share such information pursuant to the exceptions in the Regulation, you have no obligation to the beneficiary.

Q. My company provides on-going settlement options for beneficiaries and claimants. If a beneficiary or claimant takes advantage of such an option, is that person a consumer or a customer?
A. Beneficiaries and claimants that submit a claim under a policy choosing a settlement option involving an on-going relationship with an insurer are considered consumers, not customers. Thus, the company will be required to provide the individuals with privacy notices and an opportunity to opt out if the company wishes to disclose the individual's nonpublic personal information to third parties. There are no on-going privacy policy notice requirements.

Q. Do I have to comply by July 1, 2001? If so, does this mean we have to have notified all of our clients by this time?
A. The Regulation was effective July 1, 2001, but compliance is not required until December 31, 2001.

Q. Can we send the privacy notice with renewals or other mailings we are sending out to consumers or customers, or do they need to be sent out immediately?
A. The GLBA became effective November 13, 2000. Alabama extended the compliance date to July 1, 2001, and then to December 31, 2001. In general, notices should have been sent out with renewals or other mailings to comply with these dates; however, as long as there appears to be intent to timely comply, and information has not been shared except when pursuant to one or more of the exceptions set out in the Regulation, no enforcement action would be initiated.

Q. My company is required to comply with the health information privacy regulations issued by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act (HIPAA). We are concerned about dual regulation and complying with both the HHS regulation and the NAIC model regulation. What should we do?
A. Alabama did not adopt the portion of the NAIC model regulation relating to health information. Additionally, the Alabama Regulation does not apply to entities that will become subject to the HHS regulations under HIPAA if the licensee:

  • does not obtain information about the income or assets of the consumer or customer,
  • does not disclose to a nonaffiliated third party nonpublic financial information other than as permitted under the Regulation, and
  • the licensee's activities regarding the policies or benefits is subject to the HHS regulations when they become effective.

Q. My company is not required to comply with the HHS regulation, but we prefer the HHS regulation to the Alabama Regulation. Do we have any options?
A. No. The exception mentioned above is only applicable if you are subject to the HHS regulation.

Q. To whom do we have to give annual privacy policy notices?
A. Insurers are required to provide their customers with annual privacy notices. "Customers" are individuals with whom you have on-going relationships. Policyholders are customers, for example. In contrast, applicants are consumers and are only entitled to privacy notices if you wish to share their protected financial information with third parties. Similarly, beneficiaries and claimants are only entitled to receive privacy notices if you wish to disclose their protected information to third parties.

Q. What happens if a company does not get privacy notices to all of our customers by July 1, 2001?
A. The Regulation became effective July 1, 2001, but does not require compliance until December 31, 2001. If you have not sent privacy notices to all your customers by December 31, 2001, you will be in violation of the Regulation.

Q. What happens if I forget to give a privacy notice to a consumer?
A. You are not required to give a privacy notice to a consumer unless you wish to disclose nonpublic personal financial information regarding that consumer to a nonaffiliated third party. So, if you do not give the consumer a notice and do not disclose his or her information to a third party, there is no problem. If, however, you do not give the consumer a notice and you do disclose his or her information to a third party, you would be in violation of the Regulation and subject to applicable enforcement actions.

Q. Can we send privacy notices, opt out notices and opt in notices together in the same mailing? Can they be sent with other customer mailings?
A. Privacy, opt out and opt in notices can be sent together or separately, and they can be sent with other customer mailings. In addition, affiliated companies may send notices together, or they can send combined notices. No matter how they are sent, however, all notices must identify the companies and policies to which they apply. They must be accurate, and they must be clear and conspicuous so that the customer can read and understand them.

Q. My company hires insurance producers to service transactions and perform services on our behalf. Can we disclose nonpublic personal information to such producers?
A. Yes. A company can share nonpublic personal information with service providers for a variety of purposes regardless of whether a consumer permits disclosure of his or her information.

Q. My company consists of many affiliated insurers. Some of our employees are actually employed by several of the affiliated companies at the same time. Suppose an employee works for Companies A, B, C and D, and holds protected information about a customer of company A. The customer has not consented to the disclosure of protected information. Is that employee in violation of the Regulation?
A. No, the employee is not in violation of the Regulation simply by virtue of his or her employment status and knowledge of information. However, the employee (and thus the insurer) would be in violation if the employee uses the protected information of Company A's customer on behalf of Company B, C or D outside one of the exceptions to the general rule. In that way, the employee would be "disclosing" the information to the other company.

Q. Is my company permitted to disclose information to an affiliated insurer without authorization from the consumer, when the affiliated insurer will use that information only for performance, on its own behalf of the services or functions specified in the Regulation?
A. Yes. If your company discloses the information pursuant to one of the exceptions in the Regulation, the affiliated company to which the information is disclosed may use the information for the purposes authorized pursuant to the exceptions.

Q. Does my company have any obligations once we have disclosed information to a third party?
A. No, but the third party’s use and disclosure of that information is limited.

Q. What are our obligations if we receive nonpublic personal information from another entity?
A. If your company receives nonpublic personal financial information from a nonaffiliated financial institution, your use and disclosure of that information is limited as follows:

  • You may disclose the information to the original financial institution’s affiliates.
  • You may disclose the information to your affiliates, but they, in turn, may only disclose the information to the extent you may disclose the information.
  • If you received the information pursuant to one of the exceptions in the Regulation, you may use and disclose the information pursuant to an exception in the ordinary course of business to carry out the activity covered by the exception under which you received the information.
  • If you received the information outside an exception, you may disclose the information to any other person if the original financial institution could lawfully disclose the information to that person.

Q. My company receives information from banks and securities firms that are subject to separate privacy regulations. What rules do we follow with respect to this information?
A. When you receive information from another financial institution, such as a bank or securities firm, that information may be subject to the regulations that govern that institution. The Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Trade Commission are just three of the several federal government agencies that have promulgated privacy regulations for financial institutions under GLBA. All of the federal regulations contain provisions restricting the reuse and re-disclosure of protected information by parties that receive information from financial institutions. These provisions are identical in all material respects to the reuse and re-disclosure provisions in the Regulation. Generally, they permit you to disclose protected information received from another financial institution only to the extent the original financial institution could disclose the information. (See Question 24 for further details.) Note that receipt of such information could also give rise to obligations under the Regulation if the information involves one of your consumers or customers.

Q. If my company is unable to process a claim because an individual has "opted out" of disclosure, could we be in violation of the Regulation's discrimination provision?
A. These two issues are not related. The fact that an individual has "opted out" of disclosure will have no impact on your company’s ability to handle claims or do any other business activity related to servicing or processing a particular product or service. The extensive business exceptions to the rule ensure that companies can continue these standard business operations without interruption. Because your company will be able to process claims, the discrimination issue will never arise.

Q. Can my company charge lower rates to policyholders that permit their information to be shared?
A. No, premium rates cannot be based on an individual’s choice to prohibit or allow the sharing of his or her information. However, this does not prevent a company from offering discounts for other reasons.

Q. There is no non-discrimination clause in the federal privacy regulations. Why does the Alabama Regulation include such a provision?
A. By its nature, insurance treats people differently depending on their circumstances. For example, life insurance premium rates may differ depending on age, health, and gender. Homeowner's insurance rates may differ depending on the value and location of the home. An individual’s choice to protect his or her personal information, however, is not a legitimate factor in determining an appropriate underwriting rate. People should not feel pressured to "sell" their private information in order to get cheaper insurance. Note that the non-discrimination provision of the Regulation prohibits "unfair discrimination." Although insurers cannot discriminate against consumers and customers for prohibiting the disclosure of their personal information by raising rates or dropping coverage, insurers don’t have to offer them the special offers that are available to consumers and customers who permit their personal information to be disclosed.

Producer Issues

Q. Does the Regulation apply to producers?
A. Yes, the Regulation does apply to producers. However, a producer does not have to comply with the notice and opt out requirements of the Regulation if:

  • The producer is an employee, producer or other representative of another licensee (a "principal" or "company") that complies with, and provides the notices required by, the Regulation; and
  • The producer does not disclose protected information to any person other than the principal or its affiliates.

    To clarify, if a producer wishes to disclose a consumer’s protected information to an entity other than the insurance company or insurance companies that the producer is representing, the producer must give the consumer a copy of the producer’s privacy notice and an opportunity to prohibit the disclosure of that information to non-affiliated third parties ("opt out").

Q. I am a paid representative of one insurance company and I only represent that company and its line of insurance and financial services products. What are my responsibilities under this new privacy Regulation?
A. You are subject to the Regulation, but you are not required to comply with the notice and opt out requirements of the Regulation if:

  • The company for which you act as a producer complies with the Regulation; and
  • You do not disclose protected information to any person other than that company or its affiliates.

Q. I am an independent producer and therefore represent a variety of insurance companies. What are my responsibilities under the privacy Regulation?
A. Just like other producers, you are subject to the Regulation, but you are not required to comply with the notice and opt out requirements of the Regulation if:

  • The company (or companies) for which you are acting as a producer with respect to a particular consumer complies with the Regulation; and
  • You do not disclose protected information to any person other than that company (or companies) or the affiliates of that company (or companies).

Q. I am a licensed insurance producer and I sell variable annuities. Am I required to comply with the privacy Regulation?
A. Yes, you are subject to the Regulation; however, just like other producers, you are not required to comply with the notice and opt out requirements of the Regulation if:

  • The company (or companies) for which you are acting as a producer with respect to a particular consumer complies with the Regulation; and
  • You do not disclose protected information to any person other than that company (or companies) or the affiliates of that company (or companies).

Q. I am an independent producer and need to share consumer information with many insurers in order to get the best prices for my clients. Is this permissible under the privacy Regulation?
A. Yes, a producer may share protected information with multiple companies in an effort to compare prices. In such situations, the individual will be a consumer of each of the companies and will be entitled to privacy and opt out notices from any of the companies that wish to share the individual’s protected financial information with non-affiliated third parties. Note that these individuals may become your consumers – or customers – if you disclose their protected information (for other than normal business purposes outlined in the exceptions in the rule). (See Question 29.)

Q. Do I have to go back to every one of my existing clients and tell them about this new Regulation?
A. Not necessarily. You are required to provide privacy and opt out notices and opt out opportunities to a client if the client is your "customer." A client is considered your customer if he or she obtains financial, investment or economic advisory services relating to an insurance product or service from you for a fee, or if the individual obtains insurance through you. If you are acting as producer for another licensee (a "principal" or "company"), however, you are not required to provide privacy notices to your customer if:

  • The principal or company complies with the Regulation with respect to that customer; and
  • You do not disclose protected information about that customer to any person other than the principal or company or its affiliates.

If you are required to send privacy and opt out notices to existing clients, they must be sent by December 31, 2001, which is the compliance date set forth in the Regulation.

Q. Every company is different. Of the companies I represent, how am I supposed to know which ones sent out notices?
A. Like all aspects of the producer-principal relationship, effective compliance with privacy regulations will require on-going communication and coordination between the parties. See the next question for additional clarification.

Q. What if one of my clients didn’t receive a notice from a company? Who is responsible?
A. Specific compliance issues will be decided on a case-by-case basis; however, if a producer is acting in good faith and legitimately relies on a company to comply with the Regulation, the producer would have a good argument that he or she should not be held responsible.

Q. Our agency receives phone-in requests for information on the insurance products offered by the companies we represent. Do we have to tell these callers the privacy policy of each of the companies when they call in?
A. Not necessarily. If these individuals are simply requesting information and not purchasing a product, they are likely to be considered consumers – either your consumers or consumers of the companies for which you are acting as producer. If you collect protected personal information about these individuals and you are going to share that information with non-affiliated third parties, you will be required to provide them privacy and opt out notices prior to disclosure of any protected personal information. On the other hand, if you are not going to disclose any non-public personal information to non-affiliated third parties, you have no obligations to provide privacy and opt out notices to the individual. Finally, if you are going to disclose information only pursuant to a joint marketing or servicing agreement, a privacy notice is all that is required; the consumer is not entitled to opt out. If an individual actually purchases a product from you over the telephone, that individual is considered a customer. Normally, customers are entitled to privacy and opt out notices at the time the customer relationship is established. With a telephone transaction, however, delivery of notices can be delayed with the customer's consent. The same obligations would apply to the companies for which you are acting as agent.

Q. I am an independent producer and I perform servicing and processing functions for several insurers. Does the Regulation permit the exchange of information necessary for me to continue to perform these functions?
A. Yes. An insurer can share nonpublic personal information with producers acting as service providers for a variety of purposes regardless of whether a consumer permits disclosure of his or her information.

For more information, please call the Alabama Department of Insurance, Legal Division, at 334-241-4116, or visit us on the web at www.aldoi.gov.