RULES AND REGULATIONS
[31 PA. CODE CH. 146c]
Standards for Safeguarding Customer Information
[34 Pa.B. 4146]
The Insurance Department (Department) amends Chapter 146c (relating to standards for safeguarding customer information) to read as set forth in Annex A.
The final-form rulemaking is adopted under the general authority of sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P. S. §§ 66, 186, 411 and 412) and under the guidance of section 648 of The Insurance Department Act of 1921 (40 P. S. § 288). Likewise, this final-form rulemaking is made under the Department's rulemaking authority under the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.15) (the authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977)), because the Insurance Commissioner (Commissioner) has determined that the improper disclosure or marketing, or both, of nonpublic personal financial and health information by members of the insurance industry constitutes an unfair method of competition and an unfair or deceptive act or practice.
Comments and Response
Notice of proposed rulemaking was published at 33 Pa.B. 4917 (October 4, 2003) with a 30-day comment period. During the 30-day comment period, comments were received from the American Council of Life Insurers, the American Insurance Association (AIA), the Alliance of American Insurers (AAI) and the Insurance Federation of Pennsylvania, Inc. (IFP). During its regulatory review, the Independent Regulatory Review Commission (IRRC) submitted comments to the Department. The following is a response to the comments that raised concerns with regard to this final-form rulemaking.
The AIA and the AAI noted the Department's definition of ''customer'' used in the proposed rulemaking goes well beyond the parameters of the National Association of Insurance Commissioners Model Privacy of Consumer Financial and Health Information Regulation (NAIC Model) and effectively applies the data security standards to all types of nonpublic personal information, including information on applicants and claimants with whom the insurers have no continuing business relationship. Similarly, the IFP noted that including ''consumers,'' as defined in Chapter 146a (relating to privacy of consumer financial information), would require insurers to apply the required information security system to individuals that do not have an ongoing relationship with the insurer, including rejected applicants and third party claimants. In addition, IRRC, during its review, questioned why the Department expanded the definitions in this regulation beyond those found in the NAIC Model.
The Department's intent was not to expand the definition of ''customer'' beyond the definition found in the NAIC Model. Therefore, upon review of the comments, the Department agrees that the definition of ''customer'' in this final-form rulemaking should read as follows: ''Either a 'customer' as defined in § 146a.2 (relating to definitions) or a 'consumer' as defined in § 146b.2 (relating to definitions).''
The IFP, as noted in its comments on an initial exposure draft of this final-form rulemaking, again noted its concern that the Department's health privacy regulation provision regarding insurer responsibility for third party service provider misconduct is not clear. The IFP proposed that the Department amend the regulation to provide that a licensee would be responsible for third party privacy breaches only if it knowingly played a role in the disclosure or failed to report a disclosure of which it became aware. Although the Department has attempted to address the IFP's concerns by including provisions that utilize a ''knew or reasonably should have known'' standard for the imposition of penalties and insurers will only be liable for patterns or practices of misconduct by service providers, the IFP seeks further amendment and a bright line standard. The AAI opposes any inclusion of a standard regarding third party service providers.
The Department believes that Chapter 146b (relating to privacy of consumer health information) and Chapter 146c, especially when read in conjunction with each other, are sufficiently clear with regard to the liability of insurers for violations by third party service providers. In addition, the Department believes that the bright line rule sought by the IFP will be administratively unworkable in that it lacks flexibility, and will not afford sufficient protections for insurance consumers. In addition, the Department does not believe that it is appropriate to attempt to revise or amend its health privacy regulation through this final-form rulemaking.
The final-form rulemaking will affect all licensed insurers doing the business of insurance in this Commonwealth.
There is no anticipated fiscal impact as a result of the final-form rulemaking. Insurers already need to comply with the Gramm-Leach-Bliley Act (15 U.S.C.A. §§ 6801--6827) and Chapters 146a and 146b. Therefore, most, if not all, of the information security methods required by this final-form rulemaking should be in place.
There is no anticipated additional paperwork expected as a result of this final-form rulemaking.
The final-form rulemaking will become effective March 1, 2005. The Department continues to monitor the effectiveness of regulations on a triennial basis. Therefore, no sunset date has been assigned.
Questions regarding this final-form rulemaking should be directed to Peter J. Salvatore, Regulatory Coordinator, Office of Special Projects, 1326 Strawberry Square, Harrisburg, PA 17120, (717) 787-4429, fax (717) 705-3873, email@example.com.
Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on May 21, 2004, the Department submitted a copy of the notice of proposed rulemaking, published at 33 Pa.B. 4917, to IRRC and the Chairpersons of the House Insurance Committee and the Senate Banking and Insurance Committee for review and comment.
Under section 5(c) of the Regulatory Review Act, IRRC and the Committees were provided with copies of the comments received during the public comment period, as well as other documents when requested. In preparing the final-form rulemaking, the Department has considered all comments from IRRC, the House and Senate Committees and the public.
Under section 5.1(j.2) of the Regulatory Review Act (71 P. S. § 745.5a(j.2)), on June 23, 2004, the final-form rulemaking was deemed approved by the House and Senate Committees. In accordance with section 5a(d) of the Regulatory Review Act (71 P. S. § 745.5a(d)), IRRC met on June 24, 2004, and approved the final-form rulemaking in accordance with section 5a(e) of the Regulatory Review Act.
The Commissioner finds that:
(1) Public notice of intention to adopt this rulemaking as amended by this order has been given under sections 201 and 202 of the act of July 31, 1968 (P. L. 769, No. 240) (45 P. S. §§ 1201 and 1202) and the regulations thereunder, 1 Pa. Code §§ 7.1 and 7.2.
(2) The adoption of this rulemaking in the manner provided in this order is necessary and appropriate for the administration and enforcement of the authorizing statutes.
The Commissioner, acting under the authorizing statutes, orders that:
(a) The regulations of the Department, 31 Pa. Code Chapter 146c, are amended by adding §§ 146c.1 and 146c.3--146c.10 to read as set forth at 33 Pa.B. 4917 and by adding §§ 146c.2 and 146c.11 to read as set forth in Annex A.
(b) The Commissioner shall submit this order, 33 Pa.B. 4917 and Annex A to the Office of General Counsel and Office of Attorney General for approval as to form and legality as required by law.
(c) The Commissioner shall certify this order, 33 Pa.B. 4917 and Annex A and deposit them with the Legislative Reference Bureau as required by law.
(d) This order shall take effect March 1, 2005.
M. DIANE KOKEN,
(Editor's Note: For the text of the order of the Independent Regulatory Review Commission, relating to this document, see 34 Pa.B. 3652 (June 26, 2004).)
Fiscal Note: Fiscal Note 11-215 remains valid for the final adoption of the subject regulations.
TITLE 31. INSURANCE
PART VIII. MISCELLANEOUS PROVISIONS
CHAPTER 146c. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
§ 146c.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:
Act--The Insurance Department Act of 1921 (40 P. S. §§ 1--321).
Customer--Either a ''customer'' as defined in § 146a.2 (relating to definitions) or a ''consumer'' as defined in § 146b.2 (relating to definitions).
Customer information--Either ''nonpublic personal financial information'' as defined in § 146a.2 or ''nonpublic personal health information'' as defined in § 146b.2 about a customer, whether in paper, electronic or other form that is maintained by or on behalf of the licensee.
Customer information systems--The electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.
Department--The Insurance Department of the Commonwealth.
Licensee--As defined in either § 146a.2 or § 146b.2, except that the term shall not include a purchasing group or a nonadmitted insurer in regard to the surplus lines business conducted pursuant to sections 1601--1625 of The Insurance Company Law of 1921 (40 P. S. §§ 991.1601--991.1625).
Service provider--A person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.
§ 146c.11. Effective date.
Each licensee shall establish and implement an information security program, including appropriate policies and systems under this chapter by March 1, 2005.
[Pa.B. Doc. No. 04-1439. Filed for public inspection August 6, 2004, 9:00 a.m.]