Current through Register Vol. 63, No. 12, December 1, 2024
(1) This rule implements the requirement of the annual notice under OAR
836-080-0645, describes the contents of the annual notice and provides
examples of categories of nonpublic personal financial information required in
the annual notice.
(2) The following are examples of categories
of nonpublic personal financial information collected by a licensee. A licensee
satisfies the requirement of categorizing the nonpublic personal financial
information it collects if the licensee categorizes it according to the source
of the information, as applicable:
(a) Information from the consumer;
(b) Information about the consumer's transactions with the licensee or its
affiliates;
(c) Information about the consumer's transactions with nonaffiliated third
parties; and
(d) Information from an insurance support organization.
(3) The following are examples of categories of nonpublic personal financial
information disclosed by a licensee:
(a) A licensee satisfies the requirement of categorizing nonpublic personal
financial information it discloses if the licensee categorizes the information
according to source, as described in section (2) of this rule, as applicable,
and provides a few examples to illustrate the types of information in each
category. These may include:
(A) Information from the consumer, including application information such as
assets and income and identifying information such as name, address and social
security number;
(B) Transaction information, such as information about balances, payment
history and parties to the transaction; and
(C) Information from consumer reporting agencies, such as a consumer's
creditworthiness and credit history.
(b) A licensee does not adequately categorize
the information that it discloses if the licensee uses only general terms, such
as transaction information about the consumer.
(c) If a licensee may disclose all of the
nonpublic personal financial information about consumers that it collects, the
licensee may simply state that fact without describing the categories or
examples of nonpublic personal financial information that the licensee
discloses.
(4) The following are examples for describing categories of affiliated and
nonaffiliated third parties to which a licensee discloses information:
(a) A licensee satisfies the requirement of
categorizing the affiliates and nonaffiliated third parties to which the
licensee discloses nonpublic personal financial information about consumers if
the licensee identifies the types of business in which they engage.
(b) Types of businesses may be described by
general terms only if the licensee uses a few illustrative examples of
significant lines of business. For example, a licensee may use the term
financial products or services if it includes appropriate examples of
significant lines of businesses, such as life insurer, automobile insurer,
consumer banking or securities brokerage.
(c) A licensee may also categorize the
affiliates and nonaffiliated third parties to which it discloses nonpublic
personal financial information about consumers using more detailed
categories.
(5) An annual notice shall include an explanation of the consumer's right
under OAR 836-080-0675 to opt out of the disclosure of nonpublic personal
financial information to nonaffiliated third parties, including the method by
which the consumer may exercise the right at that time. An annual notice that
contains such an explanation satisfies the requirement of 836-080-0615. If a
licensee discloses nonpublic personal financial information under the
exception in 836-080-0675 to a nonaffiliated third party to market products or
services that it offers alone or jointly with another financial institution,
the licensee satisfies the applicable disclosure requirement of this rule if
the licensee:
(a) Lists the categories of nonpublic personal financial information it
discloses, using the same categories and examples the licensee used to meet
the requirements of section (1) of this rule.
(b) States whether the third party is:
(A) A service provider that performs
marketing services on the licensee's behalf or on behalf of the licensee and
another financial institution; or
(B) A financial institution with whom the
licensee has a joint marketing agreement.
(6) If a licensee does not disclose nonpublic personal financial information
about customers or former customers to affiliates or nonaffiliated third
parties except as authorized under OAR 836-080-0670(1), the licensee may state
that fact, in addition to the information it is required to provide under
836-080-0615(4).
(7) A licensee describes its policies and
practices relating to protection of the confidentiality and security of
nonpublic personal financial information if it does both of the following:
(a) Describes in general terms who is
authorized to have access to the information; and
(b) States whether the licensee has security
practices and procedures in place to ensure the confidentiality of the
information in accordance with the licensee's policy. The licensee is not
required to describe technical information about the safeguards it
uses.
(8) A licensee's notice may include any of the following:
(a) Categories of nonpublic personal financial information that the licensee
reserves the right to disclose in the future but does not currently disclose;
and
(b) Categories of affiliates or
nonaffiliated third parties to whom the licensee reserves the right in the
future to disclose, but to whom the licensee does not currently disclose,
nonpublic personal financial information.
Stat. Auth.: ORS 731.244 & 746.608
Stats. Implemented: ORS 746.600 & 746.607