Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA


PA Bulletin, Doc. No. 18-1114

PROPOSED RULEMAKING

INSURANCE DEPARTMENT

[ 31 PA. CODE CH. 146a ]

Privacy of Consumer Financial Information

[48 Pa.B. 4258]
[Saturday, July 21, 2018]

 The Insurance Department (Department) proposes to amend Chapter 146a (relating to privacy of consumer financial information) to read as set forth in Annex A. This rulemaking is proposed under the Department's general rulemaking authority as set forth in sections 206, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P.S. §§ 66, 186, 411 and 412) and the Department's rulemaking authority under the Unfair Insurance Practices Act (40 P.S. §§ 1171.1—1171.15). See PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977) (further explaining the Insurance Commissioner's authority to promulgate regulations under the Unfair Insurance Practices Act).

Purpose

 Chapter 146a governs the treatment of nonpublic personal financial information by various licensees of the Department. Among other requirements, Chapter 146a requires a licensee to provide notice to individuals about its privacy policies and practices; describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliated and nonaffiliated parties; and provides methods for individuals to prevent a licensee from disclosing that information. Chapter 146a, adopted in 2001, is based upon National Association of Insurance Commissioners (NAIC) Model Regulation No. 672, ''Privacy of Consumer Financial and Health Information Regulation.'' NAIC Model Regulation No. 672 was originally designed to satisfy the minimum standards for financial information privacy in the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.A. §§ 6801—6827). The NAIC Model Regulation was largely based upon privacy regulations promulgated by Federal banking regulatory agencies and sets forth similar standards for notice and opt out requirements.

 On December 4, 2015, President Obama signed the Fixing America's Surface Transportation Act (FAST Act) (Pub.L. No. 114-94) into law. Section 75001 of the FAST Act contains an amendment entitled ''Eliminate Privacy Notice Confusion,'' which amended section 503 of the GLBA (15 U.S.C.A. § 6803) to provide for exceptions to the requirement that financial institutions provide annual privacy notices to customers. In response to the changes to the GLBA, the NAIC amended NAIC Model Regulation No. 672. The amendments incorporate the exceptions to the privacy notice requirement and provide that if a licensee uses a sample privacy form in 16 CFR Part 313 (relating to privacy of consumer financial information), the licensee would be deemed compliant with the state's model regulation.

 The purpose of this proposed rulemaking is to update the Commonwealth's requirements for the treatment of nonpublic financial information in accordance with the changes made to the GLBA and the corresponding provisions of NAIC Model Regulation No. 672.

 A copy of the copyrighted NAIC Model Regulation was provided to the House Insurance Committee, the Senate Banking and Insurance Committee, the Independent Regulatory Review Commission (IRRC), the Governor's Office of Policy and Planning, the Governor's Office of General Counsel and the Office of Attorney General to assist in the analysis of this proposed rulemaking. Copies of the NAIC Model Regulation are available to the general public by contacting the NAIC.

Explanation of Regulatory Requirements

 Section 146a.1(d) (relating to purpose) is proposed to be deleted to accommodate changes made to the NAIC Model Regulation that would provide for a safe harbor for compliance for licensees who use the Federal model privacy form.

 Section 146a.2 (relating to definitions) is proposed to be amended to add a definition of ''Federal model privacy form'' to promote readability throughout Chapter 146a.

 Section 146a.3 (relating to examples and safe harbor) is proposed to be added in accordance with changes to the NAIC Model Regulation. Subsection (a) would provide that a licensee would be considered compliant with Chapter 146a if the licensee uses an example, a sample clause or the Federal model privacy form. Subsection (a) also provides that licensees may rely on the Federal model privacy form used consistently with its attached instructions as a safe harbor for compliance with the requirements of Chapter 146a regarding privacy notice content. Subsection (b) clarifies that the use of the examples in Chapter 146a, the sample clauses in Appendix A (relating to sample clauses), or the Federal model privacy form would not be the exclusive means of compliance with the requirements of the regulation. Additionally, subsection (c) provides that licensees may not rely on use of privacy notices containing the sample clauses in Appendix A as a safe harbor for compliance with the privacy notice content requirements of Chapter 146a after July 1, 2019.

 Proposed § 146a.12(b) (relating to annual privacy notice to customers required) would provide for an exemption from the annual privacy notice provisions if a licensee has not changed its policies and practices regarding nonpublic personal information for certain types of disclosures. Current subsections (b) and (c) are proposed to be renumbered as subsections (c) and (d), respectively.

 Section 146a.13(f) (relating to information to be included in privacy notices) is proposed to be amended to add language referencing the Federal model privacy form.

External Comments

 The Department circulated an exposure draft substantially similar to this proposed rulemaking to several industry participants including the Insurance Federation of Pennsylvania, the Pennsylvania Association of Mutual Insurance Companies, Insurance Agents and Brokers, and the American Insurance Association. The Department received six responses, four of which contained editorial comments with suggested edits that were carefully considered before initiating the regulatory process.

Affected Parties

 This proposed rulemaking applies to all entities that fall within the definition of a ''licensee'' in § 146a.2 including:

 • Licensed insurers as defined in section 201-A of The Insurance Department Act of 1921 (40 P.S. § 65.1-A) and entities doing the business of insurance under The Insurance Company Law of 1921 (40 P.S. §§ 341—991.2610).

 • Fraternal benefit societies licensed under sections 2401—2466 of The Insurance Company Law of 1921 (40 P.S. §§ 991.2401—991.2466).

 • Producers licensed under sections 601-A—699.1-A of The Insurance Department Act of 1921 (40 P.S. §§ 310.1—310.99a).

 • Reinsurance intermediaries licensed under sections 701—710 of The Insurance Department Act of 1921 (40 P.S. §§ 321.1—321.10); insurance administrators licensed under the Insurance Administrator Licensure Act (40 P.S. §§ 324.1—324.13); and other miscellaneous persons or entities licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under The Insurance Department Act of 1921 (40 P.S. §§ 1—326.7).

 • Health maintenance organizations holding a certificate of authority under section 201 of the Health Care Facilities Act (35 P.S. § 448.201).

 • Nonadmitted insurers that accept business placed through a surplus lines licensee (as defined in section 1602 of The Insurance Company Law of 1921 (40 P.S. § 991.1602)) in this Commonwealth with regard to surplus lines placements placed under sections 1601—1626 of The Insurance Company Law (40 P.S. §§ 991.1601—991.1626).

Fiscal Impact

State government

 There will not be fiscal impact to the Department as a result of this proposed rulemaking.

General public

 This proposed rulemaking will not have fiscal impact upon the general public.

Political subdivisions

 This proposed rulemaking will not have fiscal impact upon political subdivisions.

Private sector

 While the Department cannot quantify the exact savings to the private sector, the Department believes that the private sector will see savings due to a reduction in postage and printing costs associated with the annual disclosure.

Paperwork

 The proposed rulemaking would not impose additional paperwork on the Department because no filing is required to be made by licensees. The proposed rulemaking would reduce paperwork for the private sector because it would reduce the need to provide duplicative disclosures.

Effectiveness and Sunset Dates

 This proposed rulemaking will become effective immediately upon final-form publication in the Pennsylvania Bulletin. The Department continues to monitor the effectiveness of regulations on a triennial basis. Therefore, a sunset date has not been assigned.

Contact Person

 Questions or comments regarding this proposed rulemaking may be addressed in writing to Bridget Burke, Regulatory Coordinator, Insurance Department, 1341 Strawberry Square, Harrisburg, PA 17120, fax (717) 772-1969, briburke@pa.gov within 30 days following the publication of this proposed rulemaking in the Pennsylvania Bulletin.

Regulatory Review

 Under section 5(a) of the Regulatory Review Act (71 P.S. § 745.5(a)), on July 11, 2018, the Department submitted a copy of this proposed rulemaking and a copy of a Regulatory Analysis Form to IRRC and to the Chairpersons of the House Insurance Committee and the Senate Banking and Insurance Committee. A copy of this material is available to the public upon request.

 Under section 5(g) of the Regulatory Review Act, IRRC may convey comments, recommendations or objections to the proposed rulemaking within 30 days of the close of the public comment period. The comments, recommendations or objections must specify the regulatory review criteria in section 5.2 of the Regulatory Review Act (71 P.S. § 745.5b) which have not been met. The Regulatory Review Act specifies detailed procedures for review prior to final publication of the rulemaking by the Department, the General Assembly and the Governor.

JESSICA K. ALTMAN, 
Insurance Commissioner

Fiscal Note: 11-257. No fiscal impact; (8) recommends adoption.

Annex A

TITLE 31. INSURANCE

PART VIII. MISCELLANEOUS PROVISIONS

CHAPTER 146a. PRIVACY OF CONSUMER FINANCIAL INFORMATION

Subchapter A. GENERAL PROVISIONS

§ 146a.1. Purpose.

*  *  *  *  *

 (c) Compliance. A licensee domiciled in this Commonwealth that is in compliance with this chapter in a state that has not enacted laws or regulations that meet the requirements of Title V of the act of November 12, 1999 (Pub.L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) (15 U.S.C.A. §§ 6801—6827) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.

[(d) Examples. The examples provided in this chapter are for illustrative purposes only and do not otherwise limit or restrict the scope of this chapter.]

§ 146a.2. Definitions.

 The following words and terms, when used in this chapter, have the following meanings, unless the context requires otherwise:

*  *  *  *  *

Department—The Insurance Department of the Commonwealth.

Federal model privacy form—The model form in 16 CFR Part 313, Appendix A (relating to model privacy form), or a successor provision, which is determined by Federal regulation to be compliant with the requirements of the Gramm-Leach-Bliley Act (15 U.S.C.A. §§ 6801—6827).

Financial institution—An institution the business of which is engaging in activities that are financial in nature or incidental to the financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)). The term does not include the following:

*  *  *  *  *

 (Editor's Note: The following section is proposed to be added and printed in regular type to enhance readability.)

§ 146a.3. Examples and safe harbor.

 (a) Compliance. If a licensee uses an example, sample clause or Federal model privacy form, the licensee shall be considered compliant with a corresponding requirement of this chapter to the extent applicable. Licensees may rely on the Federal model privacy form used in accordance with its attached instructions as a safe harbor for compliance with the requirements of this section related to privacy notice content.

 (b) Nonexclusive means of compliance. The examples in this chapter, the sample clauses in Appendix A (relating to sample clauses) and the Federal model privacy form are not the exclusive means of compliance with the requirements of this chapter. Licensees may continue to use other types of privacy notices, including notices that contain examples or the sample clauses in Appendix A, or both, provided that the notices accurately describe the licensee's privacy practices and otherwise meet the privacy notice content requirements of this chapter.

 (c) Sunset of safe harbor for sample clauses in Appendix A. While licensees may continue to use privacy notices that contain examples and the sample clauses in Appendix A, licensees may not rely on the use of privacy notices containing the sample clauses in Appendix A as a safe harbor for compliance with the privacy notice content requirements of this chapter after July 1, 2019.

Subchapter B. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION

§ 146a.12. Annual privacy notice to customers required.

 (a) Notice.

 (1) General rule. A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.

 (2) Example. A licensee provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year 1, the licensee shall provide an annual notice to that customer by December 31 of year 2.

(b) Exemption to general rule.

(1) A licensee is not required to provide an annual privacy notice under this section if all of the following apply:

(i) The licensee has not changed its policies or practices regarding disclosure of nonpublic personal financial information from those in the most recent notice sent to consumers.

(ii) The disclosure of nonpublic personal financial information is made to only nonaffiliated third parties and meets any of the following requirements:

(A) Is made in accordance with § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing).

(B) Falls within the exceptions in § 146a.32 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions).

(C) Falls within the exceptions in § 146a.33 (relating to other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).

(2) A licensee that no longer meets the criteria in paragraph (1) shall provide an annual privacy notice under this section.

[(b)] (c) Termination.

*  *  *  *  *

[(c)] (d) Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to § 146a.16 (relating to delivery).

§ 146a.13. Information to be included in privacy notices.

*  *  *  *  *

 (f) Sample clauses and Federal model privacy form. Sample clauses illustrating some of the notice content required by this section are included in Appendix A (relating to sample clauses) and may be found in the Federal model privacy form in 16 CFR Part 313, Appendix A (relating to model privacy form).

[Pa.B. Doc. No. 18-1114. Filed for public inspection July 20, 2018, 9:00 a.m.]


