INDEPENDENT REGULATORY REVIEW COMMISSION
Notice of Comments Issued
[31 Pa.B. 3257]
Sections 5(d) and (g) of the Regulatory Review Act (71 P. S. § 745.5(d) and (g)) provide that the designated standing committees may issue comments within 20 days of the close of the public comment period, and the Independent Regulatory Review Commission (Commission) may issue comments within 10 days of the close of the committees' comment period. The Commission's Comments are based upon the criteria contained in section 5.1(h) and (i) of the Regulatory Review Act (71 P. S. § 745.5a(h) and (i)).
The Commission issued comments on the following proposed regulation. The agency must consider these comments in preparing the final-form regulation. The final-form regulation must be submitted by the date indicated.
Reg. No.: 11-206
Agency/Title: Insurance Department, Privacy of Consumer Financial Information, 31 Pa.B. 1748 (March 30, 2001)
Issued: 05/31/01
Final-form Submission Deadline: 04/30/03
Regulation No. 11-206
Privacy of Consumer Financial Information
May 31, 2001
We submit for consideration the following objections and recommendations regarding this regulation. Each objection or recommendation includes a reference to the criteria in the Regulatory Review Act (71 P. S. § 745.5a(h) and (i)) which have not been met. The Insurance Department (Department) must respond to these Comments when it submits the final-form regulation. If the final-form regulation is not delivered by April 30, 2003, the regulation will be deemed withdrawn.
1. Applicability of proposed regulation to the sharing of information between affiliates.--Consistency with the Statute; Reasonableness; Clarity.
The Department's stated goal in the Preamble is to implement the National Association of Insurance Commissioners (NAIC) model regulation ''as closely as possible.'' The proposed regulation requires an opt out notice to be sent to consumers before affiliates share nonpublic personal financial information. This requirement conflicts with the NAIC model regulation which permits the sharing of information among affiliates without providing consumers an opportunity to opt out.
In the Preamble to the proposed regulation, the Department explains it departed from the NAIC model on this issue due to ''the statutory framework established by Act 40 (of 1997).'' However, the privacy provisions of Act 40 (40 P. S. § 288) apply exclusively to financial institutions. It is unclear how Act 40 can be controlling for licensees which are not financial institutions. Furthermore, Act 40 limits the definition of ''customer information'' to ''. . . information concerning the terms and conditions of insurance coverage, insurance expirations, insurance claims or insurance history of an individual.'' The final-form regulation should be consistent with the NAIC model relating to sharing of information among affiliates.
2. Requirement for a second opt out notice.--Consistency with the Statute; Reasonableness.
Section 146a.21(c)(3) requires a second opt out notice if the consumer or customer does not respond to the initial notice within 30 days. The Department cites the privacy provisions of Act 40 as the basis for this requirement. For the reasons discussed in Issue #1, Act 40 does not appear to be controlling. Therefore, the second opt out notice should be deleted.
3. Section 146a.1. Purpose.--Need; Clarity.
This subsection states the regulation ''governs the treatment of nonpublic personal financial information about individuals. . . .'' (Emphasis added.) Similarly, subsection (b) relating to the scope of the regulation states, ''This chapter applies to nonpublic personal financial information. . . .'' (Emphasis added.) However, the term ''nonpublic personal financial information'' is not defined in § 146a.2 (relating to definitions). Instead, the terms ''nonpublic personal information'' and ''personally identifiable financial information'' are defined. Given the stated purpose and scope of the regulation, the term ''nonpublic personal financial information'' should be defined in § 146a.2 and used consistently throughout the regulation.
Under this subsection, the scope of Chapter 146a extends to individuals who are claimants or beneficiaries under a policy. Commentators have questioned the inclusion of claimants and beneficiaries, since these individuals do not directly obtain any products from insurers. We request the Department explain the basis for including claimants and beneficiaries within the scope of this regulation.
This subsection clarifies that the examples contained in the regulation are illustrative and do not restrict the scope of Chapter 146a. The language in this subsection, however, varies from section 3 of the NAIC model. Given the Department's stated goal of implementing the NAIC model ''as closely as possible,'' why is the proposed language different from the NAIC model language?
4. Section 146a.2. Definitions.--Reasonableness; Need; Clarity.
In this definition, the terms ''nonpublic personal information'' and ''nonpublic personal financial information'' are both used. The concern discussed in Issue #3 regarding § 146a.1(a), also applies to this definition.
Subsections (iv)(A) and (B) include beneficiaries and claimants as examples of consumers. However, a ''consumer'' is defined, in part, as ''an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee. . . .'' Claimants and beneficiaries do not ''obtain'' the insurance product or service. Consistent with our comment on § 146a.1(b) (Issue #3), why are beneficiaries and claimants included as consumers?
Subsection (iv) differs from the NAIC model rule in two ways. First, it is structured differently. Subsection (iv) contains five paragraphs, whereas the parallel provision of the NAIC model rule has two paragraphs. Second, subsection (iv) omits the conjunction ''or'' which appears after NAIC model rule § 4(F)(2)(d)(i)(III), and omits the conjunction ''and'' that requires both conditions to be met in §§ 4(F)(2)(d)(i) and (ii). As a result of this inconsistency, subsection (iv) of the Department's regulation is unclear. Subsection (iv) of the Department's regulation should be amended to be consistent with the NAIC model rule.
Subsection (v) of this definition references ''workers' compensation plan participant.'' We have three concerns.
First, why is workers' compensation included? The definition of ''consumer'' is limited to services and products that are used ''primarily for personal, family or household purposes.'' Since workers' compensation coverage does not appear to fit these criteria, its inclusion in the regulation should be explained or deleted.
Second, if workers' compensation is retained in the final-form regulation, the term ''plan participant'' should be defined.
Third, the word ''or'' should be inserted after the end of the sentence in subparagraph (v)(B) for consistency with the NAIC model.
The NAIC model contains a definition of this term. However, the proposed regulation does not. This definition should be added to the final-form regulation.
The term ''producer'' used in subsection (i) is unclear. It should be defined in the final-form regulation.
Personally identifiable financial information
The definition of this term in the NAIC model specifically excludes health information. Why isn't this exclusion contained in the definition in the proposed regulation?
5. Section 146a.11. Initial privacy notice to consumers required.--Clarity.
Subsection (e)(ii) permits the initial notice to be provided at a later time, after the licensee establishes a customer relationship, if the customer agrees. The final-form regulation should clarify what constitutes customer agreement.
6. Section 146a.13. Information to be included in privacy notices.--Clarity.
The term ''nonpublic personal financial information'' is used throughout subsection (a). However, paragraph (a)(8) omits the word ''financial'' and uses the term ''nonpublic personal information.'' This should be corrected consistent with Issue #3.
Subsection (c)(2)(i) states a requirement is satisfied if a licensee ''provides a few examples.'' Similar language is used in subsection (c)(3)(ii) that requires ''a few illustrative examples.'' These requirements are vague. The regulation should specify the minimum number of examples required.
7. Section 146a.14. Form of opt out notice to consumers and opt out methods.--Clarity.
Paragraph (a)(1) requires a notice to be ''clear and conspicuous'' and provide a ''reasonable opt out means.'' Subparagraphs (a)(2)(ii) and (iii) provide examples of reasonable and unreasonable opt out means that clearly relate to paragraph (a)(1). However, subparagraphs (a)(2)(i) and (iv) provide examples that describe ''adequate opt out notice'' and ''specific opt out means.'' The regulation is unclear regarding what requirement the examples in subparagraphs (a)(2)(i) and (iv) are describing.
Subparagraph (a)(2)(iv) is an example based upon its placement under paragraph (a)(2) relating to examples. However, subparagraph (a)(2)(iv) states ''a licensee may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.'' This is phrased as a requirement for ''specific opt out means,'' not an example. Subparagraph (a)(2)(iv) should be moved out of paragraph (a)(2) and clarified.
8. Section 146a.31. Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.--Need; Clarity.
Section 146a.31(a)(i) requires initial notice under § 146a.11. However, similar requirements in §§ 146a.32 and 146a.33 do not require initial notice under § 146a.11. Why is initial notice under § 146a.11 required in § 146a.31?
Commentators stated the exceptions from the opting out requirement should include claims processing and fraud investigation as third party exceptions in this section and § 146a.33(a)(7). Why didn't the Department include them?
9. Format of lists throughout the regulation.--Clarity.
One goal the Department stressed in the Preamble to this proposed regulation is the need for consistent regulations among the states. To accomplish this goal, most of the regulation follows the NAIC model rule word for word.
However, the regulation uses a different format for lists than the format used in the NAIC model rule. The regulation omits the conjunctions ''and'' and ''or'' following the next to last item in lists. Commentators expressed concern that the regulation does not provide sufficient direction as to whether these lists are inclusive due to the omission of these conjunctions.
For added clarity, the Department should revise the format used for lists in §§ 146a.2, 146a.11, 146a.13, 146a.14, 146a.15, 146a.16, 146a.21, 146a.23, 146a.31, 146a.32 and 146a.33 to match the NAIC model rule. In addition, the Department should review the NAIC model rule to make sure the conjunctions used reflect the Department's intent.
JOHN R. MCGINLEY, Jr.,
[Pa.B. Doc. No. 01-1062. Filed for public inspection June 15, 2001, 9:00 a.m.]