TITLE 28. INSURANCE

PART 1. TEXAS DEPARTMENT OF INSURANCE

CHAPTER 22. PRIVACY

SUBCHAPTER A. INSURANCE CONSUMER FINANCIAL INFORMATION PRIVACY

28 TAC §22.9

The Texas Department of Insurance adopts amendments to 28 TAC §22.9, concerning annual privacy notices. TDI adopts the amendments with nonsubstantive grammar and style changes to the proposed text published in the December 2, 2016, issue of the Texas Register (41 TexReg 9444).

REASONED JUSTIFICATION. Insurance Code Chapter 601 requires individuals and entities that receive an authorization from TDI to comply with 15 U.S.C. §6803, concerning disclosures of privacy policies. Chapter 601 directs the commissioner to adopt rules to implement the chapter, and in doing so, attempt to keep state privacy requirements consistent with federal law. In 2001, TDI adopted rules in 28 TAC Chapter 22 substantially similar to the NAIC Model Privacy of Consumer Financial and Health Information Regulation. The rules were updated in 2014.

In December of 2015, the president signed the Fixing America's Surface Transportation (FAST) Act, which included an amendment to the privacy notice requirements in 15 U.S.C. §6803. FAST Act Title LXXV, "Eliminate Privacy Notice Confusion," added an exception to the general requirement that privacy notices must be sent to consumers annually even when a financial institution has not changed its privacy policies and procedures since privacy notices were last sent, and the financial institution discloses nonpublic personal information only in accordance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) and related regulations.

Amendments to §22.9 are necessary to reduce privacy notice confusion by eliminating the requirement for covered entities to send out redundant privacy notices and aligning the rule with recent changes to federal requirements regarding disclosures of privacy policies found in 15 U.S.C. §6803 (part of GLBA), as provided in Insurance Code Chapter 601. The amendment to §22.9(a) references the new exception to the annual privacy notice requirement in subsection (d). New §22.9(d) provides that a covered entity excepted from providing an annual privacy notice under 15 U.S.C. §6803(f), or that would be excepted if it were a financial institution, is not required to provide an annual privacy notice under the section. The definition of "covered entity" in Insurance Code Chapter 601 and 28 TAC Chapter 22 is more broad than GLBA's definition of "financial institution." The phrase "or that would be excepted if it were a financial institution" is intended to make clear that a covered entity that is not a financial institution subject to GLBA can make use of the new exception if it otherwise meets the criteria. New §22.9(d) also provides that the covered entity must provide the notice in accordance with §22.9(a) when both criteria for the exception under 15 U.S.C. §6803(f) are not met. When a covered entity has not sent out a privacy notice within the previous period of 12 consecutive months because of the exception in §22.9(d), and the exception ceases to apply to the covered entity, the covered entity must promptly provide a privacy notice to customers under §22.9(a). The covered entity may also be subject to the requirements of §22.12, relating to revised privacy notices, depending on the nature of the change that made the exception cease to apply.

TDI made nonsubstantive grammatical changes to the text as proposed in §22.9(b).

SUMMARY OF COMMENTS AND AGENCY RESPONSE. TDI received three written comments in support of the proposed amendments. The commenters were: American Insurance Association, National Association of Mutual Insurance Companies, and Property Casualty Insurers Association of America.

Comments on §22.9: Three commenters expressed support for §22.9 as proposed with no changes.

Agency response: TDI appreciates the supportive comments.

STATUTORY AUTHORITY. The commissioner adopts the amendments under Insurance Code §§601.002, 601.051, and 36.001.

Section 601.002 requires individuals and entities that receive an authorization from TDI to comply with 15 U.S.C. §6803, concerning privacy policy disclosures to consumers.

Section 601.051 directs the commissioner to adopt rules to implement the chapter, and in doing so, attempt to keep state privacy requirements consistent with federal law.

Section 36.001 provides that the commissioner may adopt any rules necessary and appropriate to implement the powers and duties of TDI under the Insurance Code and other laws of this state.

§22.9. Annual Privacy Notice.

(a) A covered entity must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship, except as provided in subsection (d) of this section. "Annually" means at least once in any period of 12 consecutive months during which that relationship exists. A covered entity may define the 12-consecutive-month period, but the covered entity must apply it to the customer on a consistent basis. A covered entity provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the covered entity provided the initial notice. For example, if a customer opens an account on any day of year 1, the covered entity must provide an annual notice to that customer by December 31 of year 2.

(b) A covered entity is not required to provide an annual notice to a former customer. A former customer is an individual with whom a covered entity no longer has a continuing relationship. A covered entity no longer has a continuing relationship with an individual:

(1) if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the covered entity;

(2) if the individual's policy is lapsed, expired, or otherwise not in force, and the covered entity has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;

(3) for the purposes of this subchapter, if:

(A) the covered entity sends mail to the individual's last known address, according to the covered entity's records, and the postal authorities return that mail as undeliverable, and

(B) subsequent attempts by the covered entity to obtain a current valid address for the individual are unsuccessful; or

(4) in the case of providing real estate settlement services, at the later of the following events:

(A) the customer completes execution of all documents related to the real estate closing;

(B) payment for those services has been received; or

(C) the covered entity has completed all of its responsibilities with respect to the settlement, including filing documents in the public record.

(c) A covered entity must deliver any annual privacy notices required by this section according to §22.13 of this title (relating to Delivery).

(d) A covered entity that is excepted from annual privacy notice requirements under 15 U.S.C. §6803(f), or one that would be excepted if it were a financial institution, is not required to provide an annual privacy notice under this section. At any time the covered entity fails to meet both criteria for the exception under §6803(f), the covered entity is subject to the annual notice requirement in this section.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on April 20, 2017.

TRD-201701640

Norma Garcia

General Counsel

Texas Department of Insurance

Effective date: May 10, 2017

Proposal publication date: December 2, 2016

For further information, please call: (512) 676-6584