Current through Register Vol. 46, No. 39, September 25, 2024
As used in this Part, unless the context requires
otherwise:
(a)
Affiliate means any company that controls, is controlled by,
or is under common control with another company.
(b)
(1)
Clear and conspicuous means that a notice is reasonably
understandable and designed to call attention to the nature and significance of
the information in the notice.
(2)
Examples.
(i) Reasonably understandable. A
licensee makes its notice reasonably understandable if it:
(a) presents the information contained in the
notice in clear, concise sentences, paragraphs and sections;
(b) uses short explanatory sentences or
bullet lists whenever possible;
(c)
uses definite, concrete, everyday words and active voice whenever
possible;
(d) avoids multiple
negatives;
(e) avoids legal and
highly technical business terminology whenever possible; and
(f) avoids explanations that are imprecise
and readily subject to different interpretations.
(ii) Designed to call attention. A licensee
designs its notice to call attention to the nature and significance of the
information in it if the licensee:
(a) uses a
plain-language heading to call attention to the notice;
(b) uses a typeface and type size that are
easy to read;
(c) provides wide
margins and ample line spacing;
(d)
uses boldface or italics for key words; and
(e) in a form that combines the licensee's
notice with other information, uses distinctive type size, style, and graphic
devices, such as shading or sidebars.
(iii) Notices on web sites. If a licensee
provides a notice on a web page, the licensee designs its notice to call
attention to the nature and significance of the information in it if the
licensee uses text or visual cues to encourage scrolling down the page if
necessary to view the entire notice and ensure that other elements on the web
site (such as text, graphics, hyperlinks, or sound) do not distract attention
from the notice, and the licensee either:
(a)
places the notice on a web page that consumers frequently access, such as a
homepage or a page on which transactions are conducted; or
(b) places a link on a web page that
consumers frequently access, such as a homepage or a page on which transactions
are conducted, that connects directly to the notice and is labeled
appropriately to convey the importance, nature, and relevance of the
notice.
(c)
Collect means to obtain
information that the licensee organizes or can retrieve by the name of an
individual or by identifying number, symbol or other identifying particular
assigned to the individual, irrespective of the source of the underlying
information.
(d)
Company means a corporation, limited liability company,
business trust, general or limited partnership, association, sole
proprietorship or similar organization.
(e)
(1)
Consumer means an individual who, in this State, seeks to
obtain, obtains or has obtained an insurance product or service, directly or
through a legal representative, from a licensee that is to be used primarily
for personal, family, or household purposes, and about whom the licensee has
nonpublic personal information.
(2)
Examples.
(i) An individual who provides
nonpublic personal information to a licensee in connection with seeking to
obtain or obtaining financial, investment or economic advisory services in this
State relating to an insurance product or service is a consumer regardless of
whether the licensee establishes an ongoing advisory relationship.
(ii) An applicant for insurance prior to the
inception of insurance coverage is a licensee's consumer.
(iii) An individual who is a consumer of
another financial institution is not a licensee's consumer solely because the
licensee is acting as agent for, or provides processing or other services to,
that financial institution.
(iv) An
individual is a licensee's consumer if:
(a)
(1) the individual is a beneficiary of a life
insurance policy underwritten by the licensee;
(2) the individual is a claimant under an
insurance policy issued by the licensee;
(3) the individual is an insured or an
annuitant under an insurance policy or annuity, respectively, issued by the
licensee; or
(4) the individual is
a mortgagor of a mortgage covered under a mortgage insurance policy issued by
the licensee; and
(b) the
licensee discloses nonpublic personal financial information about the
individual to a nonaffiliated third party other than as permitted under section
420.13, 420.14 or
420.15 of this
Part.
(v) Provided that
the licensee provides the initial, annual and revised notices under sections
420.4, 420.5 and
420.8 of this Part to the plan
sponsor, workers' compensation plan participant, group or blanket insurance
policyholder or group annuity contract holder, and further provided that the
licensee does not disclose to a nonaffiliated third party nonpublic personal
financial information about such an individual other than as permitted under
section 420.13, 420.14 or
420.15 of this Part, an individual
is not the licensee's consumer solely because he or she is:
(a) a participant or a beneficiary of an
employee benefit plan that the licensee administers or sponsors or for which
the licensee acts as a trustee, insurer or fiduciary;
(b) covered under a group or blanket
insurance or group annuity contract issued by the licensee; or
(c) a beneficiary in a workers' compensation
plan.
(vi)
(a) The individuals described in clauses
(v)(a), (b) and (c) of this
paragraph are consumers of a licensee if the licensee does not meet all the
conditions of subparagraph (v) of this paragraph.
(b) In no event shall the individuals, solely
by virtue of the status described in clause (v)(a),
(b) or (c) of this paragraph, be deemed to be
customers for purposes of this Part.
(vii) An individual is not a licensee's
consumer solely because he or she is a beneficiary of a trust for which the
licensee is a trustee.
(viii) An
individual is not a licensee's consumer solely because he or she has designated
the licensee as trustee for a trust.
(f)
Consumer reporting
agency has the same meaning as in section 603(f) of the Federal Fair
Credit Reporting Act (15 U.S.C.
1681a [f]) and section 380-a(e) of the New
York Fair Credit Reporting Act (General Business Law, article 25).
(g)
Control means:
(1) ownership, control or power to vote 25
percent or more of the outstanding shares of any class of voting security of
the company, directly or indirectly, or acting through one or more other
persons;
(2) control in any manner
over the election of a majority of the directors, trustees or general partners
(or individuals exercising similar functions) of the company; or
(3) the power to exercise, directly or
indirectly, a controlling influence over the management or policies of the
company, as the superintendent determines.
(h)
Customer means a
consumer who has a customer relationship with a licensee.
(i)
(1)
Customer relationship means a continuing relationship between
a consumer and a licensee under which the licensee provides one or more
insurance products or services in this State to the consumer that are to be
used primarily for personal, family, or household purposes.
(2) Examples.
(i) Continuing relationship. A consumer has a
continuing relationship with a licensee if:
(a) the consumer is a current policyholder of
an insurance product issued by or through the licensee; or
(b) the consumer obtains financial,
investment or economic advisory services relating to an insurance product or
service from the licensee for a fee.
(ii) No continuing relationship. A consumer
does not have a continuing relationship with a licensee if:
(a) the consumer applies for insurance but
does not purchase the insurance;
(b) the licensee sells the consumer airline
travel insurance in an isolated transaction;
(c) the individual is no longer a current
policyholder of an insurance product or no longer obtains insurance services
with or through the licensee;
(d)
the consumer is a beneficiary or claimant under a policy;
(e) the customer's policy is lapsed, expired,
or otherwise inactive or dormant under the licensee's business practices, and
the licensee has not communicated with the customer about the relationship for
a period of 12 consecutive months, other than annual privacy notices, material
required by law or regulation, communication at the direction of a State or
Federal authority, or promotional materials; or
(f) the individual is an insured or an
annuitant under an insurance policy or annuity, respectively, but is not the
policyholder or owner of the insurance policy or annuity.
(j)
(1)
Financial institution
means any institution the business of which is engaging in activities that are
financial in nature or incidental to such financial activities as described in
section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.
1843 [k]).
(2) Financial institution does not include:
(i) any person or entity with respect to any
financial activity that is subject to the jurisdiction of the Commodity Futures
Trading Commission under the Commodity Exchange Act (7 U.S.C.
1
et seq.);
(ii) the Federal Agricultural Mortgage
Corporation or any entity charged and operating under the Farm Credit Act of
1971 (12 U.S.C.
2001
et seq.); or
(iii) institutions chartered by Congress
specifically to engage in securitizations, secondary market sales (including
sales of servicing rights) or similar transactions related to a transaction of
a consumer, as long as the institutions do not sell or transfer nonpublic
personal information to a nonaffiliated third party.
(k)
(1)
Financial product or
service means any product or service that a financial holding company
could offer by engaging in an activity that is financial in nature or
incidental to such a financial activity under section 4(k) of the Bank Holding
Company Act of 1956 (12 U.S.C.
1843 [k]).
(2)
Financial service
includes a financial institution's evaluation or brokerage of information that
the financial institution collects in connection with a request or an
application from a consumer for a financial product or service.
(l)
Health care
means:
(1) preventive, diagnostic,
therapeutic, rehabilitative, maintenance, or palliative care, services,
procedures, tests or counseling that:
(i)
relates to the physical, mental or behavioral condition of an individual;
or
(ii) affects the structure or
function of the human body or any part of the human body, including the banking
of blood, sperm, organs, or any other tissue; or
(2) prescribing, dispensing, or furnishing to
an individual drugs or biologicals, or medical devices or health care equipment
and supplies.
(m)
Health care provider means a physician or other health care
practitioner licensed, accredited or certified to perform specified health
services consistent with State law, or a health care facility.
(n)
Health information means
any information or data except age or gender, whether oral or recorded in any
form or medium, created by or derived from a health care provider or the
consumer that relates to:
(1) the past,
present or future physical, mental or behavioral health or condition of any
individual or a member of the individual's family;
(2) the provision of health care to any
individual; or
(3) payment for the
provision of health care to any individual.
(o)
(1)
Insurance product or service means any product or service that
is offered by a licensee pursuant to the insurance laws of this
State.
(2)
Insurance
service includes a licensee's evaluation, brokerage or distribution of
information that the licensee collects in connection with a request or an
application from a consumer for an insurance product or service.
(p)
(1)
Licensee means a person
licensed, or required to be licensed, or authorized, or required to be
authorized, or registered, or required to be registered pursuant to the
Insurance Law of this State; a health maintenance organization holding, or
required to hold, a certificate of authority pursuant to article 44 of the
Public Health Law; or an unauthorized insurer in regard to the excess line
business conducted pursuant to section
2118 of the
Insurance Law and Part 27 of this Title (Regulation 41); but shall not include
a registered service contract provider, charitable annuity society, or a
licensed viatical settlement company or viatical settlement broker.
(2)
(i) A
licensee is not subject to the notice and opt out requirements for nonpublic
personal financial information set forth in sections 420.4 through
420.9 of this Part if the licensee
is an employee, agent, sublicensee, or other representative of another licensee
(the principal) and:
(a) the principal
otherwise complies with, and provides the notices required by, the provisions
of this Part; and
(b) the licensee
does not disclose any nonpublic personal information of a consumer or customer
to any person other than the principal from or through which such consumer or
customer seeks to obtain or has obtained a product or service, or its
affiliates in a manner permitted by this Part.
(ii) Examples of employee, agent or other
representative of a principal:
(a) an
insurance broker, public adjuster or other licensee who is employed by another
insurance broker, public adjuster or other licensee;
(b) an independent adjuster adjusting a claim
or benefit on behalf of an insurer;
(c) an insurance agent of an
insurer;
(d) an insurance broker
that has binding authority for an insurer; or
(e) a sublicensee of a licensee, whether or
not the sublicensee is licensed in any other capacity.
(3) An excess line broker or
unauthorized insurer shall be deemed to be in compliance with the notice and
opt out requirements for nonpublic personal financial information set forth in
sections 420.4 through
420.9 of this Part provided:
(i) the broker or insurer does not disclose
nonpublic personal information of a consumer or a customer to nonaffiliated
third parties for any purpose, including joint servicing or marketing under
section 420.13 of this Part, except as
permitted by sections 420.14 and
420.15 of this Part; and
(ii) the broker or insurer delivers a notice
to the consumer at the time a customer relationship is established on which the
following clear and conspicuous notice is set forth:
PRIVACY NOTICE
"NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR
THE INSURER(S) THAT HAS (HAVE) UNDERWRITTEN THIS INSURANCE WILL DISCLOSE
NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE
BROKER(S) OR THE INSURER(S) EXCEPT AS PERMITTED BY LAW."
(q)
(1)
Nonaffiliated third
party means any person except:
(i) a
licensee's affiliate; or
(ii) a
person employed jointly by a licensee and any company that is not the
licensee's affiliate (but nonaffiliated third party includes
the other company that jointly employs the person).
(2)
Nonaffiliated third
party includes any company that is an affiliate solely by virtue of
the licensee's or its affiliate's direct or indirect ownership or control of
the company in conducting:
(i) merchant
banking or investment banking activities of the type described in section
4(k)(4)(H) of the Federal Bank Holding Company Act of 1956 (12 U.S.C.
1843 [k][4][H]); or
(ii) insurance company investment activities
of the type described in section 4(k)(4)(I) of the Federal Bank Holding Company
Act of 1956 (12 U.S.C.
1843
[k][4][I]).
(r)
Nonpublic personal information means nonpublic personal
financial information and nonpublic personal health information.
(s)
(1)
Nonpublic personal financial information means:
(i) personally identifiable financial
information; and
(ii) any list,
description or other grouping of consumers (and publicly available information
pertaining to them) that is derived using any personally identifiable financial
information other than publicly available information.
(2) Nonpublic personal financial information
does not include:
(i) health
information;
(ii) publicly
available information, except as included on a list described in subparagraph
(1)(ii) of this subdivision; or
(iii) any list, description or other grouping
of consumers (and publicly available information pertaining to them) that is
derived without using any personally identifiable financial information other
than publicly available information.
(3) Examples of lists.
(i)
Nonpublic personal financial
information includes any list of individuals' names and street
addresses that is derived in whole or in part using personally identifiable
financial information other than publicly available information, such as
account numbers.
(ii) Nonpublic
personal financial information does not include any list of individuals' names
and addresses that contains only publicly available information, is not derived
in whole or in part using personally identifiable financial information other
than publicly available information, and is not disclosed in a manner that
indicates that any of the individuals on the list is a consumer of a financial
institution.
(t)
Nonpublic personal health
information means health information:
(1) that identifies an individual who is the
subject of the information; or
(2)
with respect to which there is a reasonable basis to believe that the
information could be used to identify an individual.
(u)
(1)
Personally identifiable financial information means any
information:
(i) a consumer provides to a
licensee to obtain an insurance product or service from the licensee;
(ii) about a consumer resulting from a
transaction involving an insurance product or service between a licensee and a
consumer; or
(iii) a licensee
otherwise obtains about a consumer in connection with providing an insurance
product or service to that consumer.
(2) Examples.
(i) Information included.
Personally
identifiable financial information includes:
(a) information a consumer provides to a
licensee on an application to obtain an insurance product or service;
(b) account balance information and payment
history;
(c) the fact that an
individual is or has been one of the licensee's customers or has obtained an
insurance product or service from the licensee;
(d) any information about a licensee's
consumer if it is disclosed in a manner that indicates that the individual is
or has been the licensee's consumer;
(e) any information that a consumer provides
to the licensee or that the licensee or its agent otherwise obtains in
connection with collecting on a policy loan or servicing a policy
loan;
(f) any information the
licensee collects through an Internet "cookie" (an information collecting
device from a web server) to the extent that such information constitutes
personally identifiable information; and
(g) information from a consumer
report.
(ii) Information
not included. Personally identifiable financial information does not include:
(a) health information;
(b) a list of names and addresses of
customers of an entity that is not a financial institution; and
(c) information that does not identify a
consumer, such as aggregate information or blind data that does not contain
personal identifiers such as account numbers, names or addresses.
(v)
(1)
Publicly available
information means any information that a licensee has a reasonable
basis to believe is lawfully made available to the general public from:
(i) Federal, State or local government
records;
(ii) widely distributed
media; or
(iii) disclosures to the
general public that are required to be made by Federal, State or local
law.
(2) Reasonable
basis. A licensee has a reasonable basis to believe that information is
lawfully made available to the general public if the licensee has taken steps
to determine:
(i) that the information is of
the type that is available to the general public; and
(ii) whether an individual can direct that
the information not be made available to the general public and, if so, that
the licensee's consumer has not done so.
(3) Examples.
(i) Government records. Publicly available
information in government records includes information in Department of Motor
Vehicles records that are made available to the public (even if such access
requires the payment of a fee), government real estate records and security
interest filings.
(ii) Widely
distributed media. Publicly available information from widely distributed media
includes information from a telephone book, a television or radio program, a
newspaper or a web site that is available to the general public on an
unrestricted basis. A web site is not restricted merely because an Internet
service provider or a site operator requires a fee or a password, so long as
access is available to the general public.
(iii) Reasonable basis.
(a) A licensee has a reasonable basis to
believe that motor vehicle or mortgage information is lawfully made available
to the general public if the licensee has determined that the information is of
the type made available to the public as part of the public record.
(b) The licensee has a reasonable basis to
believe that an individual's telephone number is lawfully made available to the
general public if the licensee has located the telephone number in the
telephone book or the consumer has informed the licensee that the telephone
number is not unlisted.