SB 386-4_ Filed 04/10/2001, 18:35


Text Box


    PREVAILED      Roll Call No. _______
    FAILED        Ayes _______
    WITHDRAWN        Noes _______
    RULED OUT OF ORDER


[

HOUSE MOTION ____

]

MR. SPEAKER:

    I move that Engrossed Senate Bill 386 be amended to read as follows:

SOURCE: Page 40, line 33; (01)MO038605.40. -->     Page 40, between lines 33 and 34, begin a new paragraph and insert:
SOURCE: IC 27-2-20; (01)MO038605.12. -->     "SECTION 12. IC 27-2-20 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE UPON PASSAGE]:
     Chapter 20. Privacy of Consumer Information
    Sec. 1. (a) This chapter applies to nonpublic personal financial information regarding individuals who:
        (1) obtain; or
        (2) are claimants or beneficiaries of;
products or services primarily for personal, family, or household purposes from licensees of the department of insurance.
    (b) This chapter does not apply to information regarding companies or regarding individuals who obtain products or services for business, commercial, or agricultural purposes.
    Sec. 2. The following definitions apply throughout this chapter:
        (1) "Affiliate" means a company that controls, is controlled by, or is under common control with, another company.
        (2) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice. The following are examples:
            (A) A licensee makes the licensee's notice reasonably understandable if the licensee does the following:
                (i) Presents the information in the notice in clear, concise sentences, paragraphs, and sections.
                (ii) Uses short explanatory sentences or bullet lists whenever possible.
                (iii) Uses definite, concrete, everyday words and active voice whenever possible.
                (iv) Avoids multiple negatives.
                (v) Avoids legal and highly technical business terminology whenever possible.
                (vi) Avoids explanations that are imprecise and readily subject to different interpretations.
            (B) A licensee designs the licensee's notice to call attention to the nature and significance of the information in the notice if the licensee does the following:
                (i) Uses a plain-language heading to call attention to the notice.
                (ii) Uses a typeface and type size that are easy to read.
                (iii) Provides wide margins and ample line spacing.
                (iv) Uses boldface or italics for key words.
                (v) In a form that combines the licensee's notice with other information, uses distinctive type size, style, and graphic devices, such as shading or sidebars.
            (C) If a licensee provides a notice on a Web page, the licensee designs the licensee's notice to call attention to the nature and significance of the information in the notice if the licensee uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the Web site, such as text, graphics, hyperlinks, or sound, do not distract attention from the notice, and the licensee does either of the following:
                (i) Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted.
                (ii) Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.
        (3) "Collect" means to obtain information that a licensee organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, regardless of the source of the underlying information.
        (4) "Commissioner" means the commissioner of the Indiana department of insurance.
        (5) "Company" means a corporation, limited liability company, business trust, general or limited partnership,

association, sole proprietorship, or similar organization.
        (6) "Consumer" means an individual who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information, or the individual's legal representative, including the following:
            (A) An individual provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.
            (B) An applicant for insurance prior to the inception of insurance coverage is a licensee's consumer.
            (C) An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as an agent for, or provides processing or other services to, that financial institution.
            (D) An individual is a licensee's consumer if the individual is:
                (i) a beneficiary of a life insurance policy underwritten by the licensee;
                (ii) a claimant under an insurance policy issued by the licensee;
                (iii) an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee; or
                (iv) a mortgagor of a mortgage covered under a mortgage insurance policy;
            and the licensee discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under sections 12, 13, and 14 of this chapter.
            (E) If the licensee provides the initial, annual, and revised notices under sections 3, 4, and 7 of this chapter to the plan sponsor, group, or blanket insurance policyholder or group annuity contractholder, and if the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about the individual other than as permitted under sections 12, 13, and 14 of this chapter, an individual is not the consumer of the licensee solely because the individual is:


                (i) a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary;
                (ii) covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or
                (iii) a beneficiary in a workers' compensation plan.
            (F) The individuals described in clause (E)(i) through (E)(iii) are consumers of a licensee if the licensee does not meet all the conditions of this subdivision. In no event shall the individuals, solely by virtue of the status described in clause (E)(i) through (E)(iii), be considered to be customers.
            (G) An individual is not a licensee's consumer solely because the individual is a beneficiary of a trust for which the licensee is a trustee.
            (H) An individual is not a licensee's consumer solely because the individual has designated the licensee as trustee for a trust.
        (7) "Consumer reporting agency" has the meaning set forth in section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
        (8) "Control" means any of the following:
            (A) Ownership, control, or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one (1) or more other persons.
            (B) Control in any manner over the election of a majority of the directors, trustees, general partners, or individuals exercising similar functions, of a company.
            (C) The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as determined by the commissioner.
        (9) "Customer" means a consumer who has a customer relationship with a licensee.
        (10) "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one (1) or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes, including the following:
            (A) A consumer has a continuing relationship with a licensee if the consumer:
                (i) is a current policyholder of an insurance product issued by or through the licensee; or
                (ii) obtains financial, investment, or economic advisory services relating to an insurance product or service from the licensee for a fee.
            (B) A consumer does not have a continuing relationship with a licensee in any of the following circumstances:
                (i) The consumer applies for insurance but does not purchase the insurance.
                (ii) The licensee sells the consumer airline travel insurance in an isolated transaction.
                (iii) The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
                (iv) The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee.
                (v) The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option.
                (vi) The customer's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than annual privacy notices, material required by law or rule, communication at the direction of a state or federal authority, or promotional materials.
                (vii) The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity.
                (viii) For the purposes of this chapter, the individual's last known address, according to the licensee's records, is considered invalid. An address of record is considered invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
        (11) "Financial institution" means an institution the business of which is engaging in activities that are financial in nature or incidental to financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). The term does not include the following:
            (A) A person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act, 7 U.S.C. 1 et seq.
            (B) The Federal Agricultural Mortgage Corporation or

any entity charged and operating under the Farm Credit Act of 1971, 12 U.S.C. 2001 et seq.
            (C) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
        (12) "Financial product or service" means a product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). "Financial service" includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
        (13) "Health information" means any information or data, except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or a consumer that relates to any of the following:
            (A) The past, present, or future physical, mental, or behavioral health or condition of an individual.
            (B) The provision of health care to an individual.
            (C) Payment for the provision of health care to an individual.
        (14) "Insurance product or service" means any product or service that is offered by a licensee under the insurance laws of Indiana. "Insurance service" includes a licensee's evaluation, brokerage, or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.
        (15) "Licensee" means licensed insurers, health maintenance organizations, agents, producers, and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under IC 27. The following requirements apply:
            (A) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in section 1 of this chapter, this section, and sections 3 through 15 of this chapter if the licensee is an employee, agent, or other representative of another licensee and:
                (i) the other licensee otherwise complies with, and provides the notices required under this chapter; and
                (ii) the licensee does not disclose any nonpublic personal

information to any person other than the principal or affiliates of the principal in a manner permitted under this chapter.
            (B) A licensee includes an unauthorized insurer that accepts business placed through a licensed surplus lines broker in Indiana, but only with regard to the surplus lines placements placed under IC 27-1-15.5-5. A surplus lines broker or surplus lines insurer is considered to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in section 1 of this chapter, this section, and sections 3 through 15 of this chapter if the surplus lines agent or insurer:
                (i) does not disclose nonpublic personal information of a consumer or a customer to a nonaffiliated third party for any purpose, including joint servicing or marketing under section 12 of this chapter, except as permitted under section 13 or 14 of this chapter; and
                (ii) delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16 point type:

PRIVACY NOTICE

        NEITHER THE U.S. SURPLUS LINES AGENTS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW.
        (16) "Nonaffiliated third party" means a person other than a licensee's affiliate or a person employed jointly by a licensee and any company that is not the licensee's affiliate. The term includes either of the following:
            (A) The other company that jointly employs the person.
            (B) A company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or the licensee's affiliate in conducting merchant banking or investment banking activities or insurance company investment activities of the type described in the federal Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(H) and 12 U.S.C. 1843(k)(4)(I).
        (17) "Nonpublic personal financial information" means personally identifiable financial information and a list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using a personally identifiable financial information that is

not publicly available, including a list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers. The term does not include any of the following:
            (A) Health information.
            (B) Publicly available information, except as included on a list described in subdivision (23).
            (C) A list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
            (D) A list of the names and addresses of individuals that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
        (18) "Nonpublic personal information" means nonpublic personal financial information.
        (19) "Personally identifiable financial information" means information provided by a consumer to a licensee to obtain an insurance product or service from the licensee, information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer, or information a licensee otherwise obtains about a consumer in connection with providing an insurance product or service to the consumer, including the following:
            (A) Information a consumer provides to a licensee on an application to obtain an insurance product or service.
            (B) Account balance information and payment history.
            (C) The fact that an individual is or has been a customer of the licensee or has obtained an insurance product or service from the licensee.
            (D) Information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been a consumer of the licensee.
            (E) Information that a consumer provides to a licensee or that the licensee or an agent of the licensee otherwise obtains in connection with collecting on a loan or servicing a loan.
            (F) Information the licensee collects through an Internet cookie (an information-collecting device from a Web server).
            (G) Information from a consumer report.


        The term does not include health information, a list of names and addresses of customers of an entity that is not a financial institution, or information that does not identify a consumer, including aggregate information or blind data that does not contain personal identifiers, such as account numbers, names or addresses.
        (20) "Publicly available information" means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state, or local law. The following requirements apply:
            (A) A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine that the information is of the type that is available to the general public and whether an individual can direct that the information not be made available to the general public, and, if so, that the licensee's consumer has not done so.
            (B) Publicly available information in government records includes information in government real estate records and security interest filings.
            (C) Publicly available information from widely distributed media includes information from a:
                (i) telephone book;
                (ii) television;
                (iii) radio program,
                (iv) newspaper; or
                (v) Web site;
            that is available to the general public on an unrestricted basis. A Web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
            (D) A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
            (E) A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.
    Sec. 3. (a) A licensee shall provide a clear and conspicuous

notice that accurately reflects the privacy policies and practices of the licensee to the following:
        (1) An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in subsection (e).
        (2) A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized under sections 13 and 14 of this chapter.
    (b) A licensee is not required to provide an initial notice to a consumer under subsection (a) in either of the following instances:
        (1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized under sections 13 and 14 of this chapter, and the licensee does not have a customer relationship with the consumer.
        (2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.
    (c) A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship. The following are examples of establishing customer relationship:
        (1) The consumer becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an insurance producer or insurance agent, obtains insurance through that licensee.
        (2) The consumer agrees to obtain financial, economic, or investment advisory services relating to insurance products or services from the licensee for a fee.
    (d) When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, the licensee satisfies the initial notice requirements of subsection (a) if:
        (1) the licensee provides a revised policy notice, under section 7 of this chapter, that covers the customer's new insurance product or service; or
        (2) the initial, revised, or annual notice that the licensee most recently provided to the customer was accurate with respect to the new insurance product or service.
    (e) The following are exceptions that allow subsequent delivery of the required notice:
        (1) A licensee may provide the initial notice required under subsection (a)(1) within a reasonable time after the licensee

establishes a customer relationship if:
            (A) establishing the customer relationship is not at the customer's election; or
            (B) providing notice not later than when the licensee establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
        (2) The following are examples of exceptions:
            (A) Establishing a customer relationship is not at the customer's election if a licensee acquires or is assigned a customer's policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee's acquisition or assignment.
            (B) Providing notice not later than when a licensee establishes a customer relationship would substantially delay the customer's transaction when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the insurance product or service.
            (C) Providing notice not later than when a licensee establishes a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at the licensee's office or through other means by which the customer may view the notice, such as on a Web site.
    (f) When a licensee is required to deliver an initial privacy notice under this section, the licensee shall deliver the notice as specified in section 8 of this chapter. If the licensee uses a short form initial notice for non-customers as specified in section 5 of this chapter, the licensee may deliver the privacy notice as specified in section 5(f) of this chapter.
    Sec. 4. (a) A licensee shall provide a clear and conspicuous notice to customers that accurately reflects the licensee's privacy policies and practices not less than annually during the continuation of the customer relationship.
        (1) As used in this section, "annually" means at least one (1) time in any period of twelve (12) consecutive months during which the relationship exists. A licensee may define the twelve (12) consecutive month period, but the licensee shall apply the period to the customer on a consistent basis.
        (2) A licensee provides a notice annually if the licensee defines the twelve (12) consecutive month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice.


    (b) A licensee is not required to provide an annual notice to a former customer. As used in this section, "former customer" means an individual with whom a licensee no longer has a continuing relationship and includes the following:
        (1) The individual is not a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.
        (2) The individual's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than to provide annual privacy notices, material required by law or rule, or promotional materials.
        (3) An individual if the individual's last known address according to the licensee's records is considered invalid. An address of record is considered invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
        (4) In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for the services has been received, or the licensee has completed all of the licensee's responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
    (c) When a licensee is required under this section to deliver an annual privacy notice, the licensee shall deliver the notice as specified under section 8 of this chapter.
    Sec. 5. (a) The initial, annual, and revised privacy notices that a licensee provides under sections 3, 4, and 7 of this chapter must include each of the following items of information, in addition to any other information that the licensee provides, that applies to the licensee and to the consumers to whom the licensee sends the licensee's privacy notice:
        (1) The categories of nonpublic personal financial information that the licensee collects.
        (2) The categories of nonpublic personal financial information that the licensee discloses.
        (3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under sections 13 and 14 of this chapter.
        (4) The categories of nonpublic personal financial information about the licensee's former customers that the licensee

discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than the parties to whom the licensee discloses information under sections 13 and 14 of this chapter.
        (5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 12 of this chapter (and no other exception in sections 13 and 14 of this chapter applies to the disclosure), a separate description of the categories of information that the licensee discloses and the categories of third parties with whom the licensee has contracted.
        (6) An explanation of the consumer's right under section 9(a) of this chapter to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise the right at that time.
        (7) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act, 15 U.S.C. 1681a(d)(2)(A)(iii), regarding the ability to opt out of disclosures of information among affiliates.
        (8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
        (9) Any disclosure that the licensee makes under subsection (b).
    (b) If a licensee discloses nonpublic personal financial information as authorized under sections 13 and 14 of this chapter, the licensee is not required to list the exceptions in the initial or annual privacy notices required by sections 3 and 4 of this chapter. When describing the categories of parties to whom disclosure is made, the licensee shall state only that the licensee makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
    (c) The following are examples of compliance with this section:
        (1) A licensee satisfies the requirement to categorize the nonpublic personal financial information that the licensee collects if the licensee categorizes the information according to the source of the information, as applicable information:
            (A) from the consumer;
            (B) about the consumer's transactions with the licensee or its affiliates;
            (C) about the consumer's transactions with nonaffiliated third parties; and
            (D) from a consumer reporting agency.
        (2) A licensee satisfies the requirement to categorize

nonpublic personal financial information the licensee discloses if the licensee categorizes the information according to source, as described in subdivision (1), as applicable, and provides examples to illustrate the types of information in each category. The examples include the following:
            (A) Information from the consumer, including application information, such as assets and income and identifying information, such as name, address, and Social Security number.
            (B) Transaction information, such as information about balances, payment history, and parties to the transaction.
            (C) Information from consumer reports, such as a consumer's creditworthiness and credit history.
        (3) A licensee does not adequately categorize the information that the licensee discloses if the licensee uses only general terms, such as transaction information about the consumer. If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that the licensee collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal information that the licensee discloses.
        (4) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
            (A) Types of businesses may be described by general terms only if the licensee uses a few illustrative examples of significant lines of business.
            (B) A licensee also may categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers using more detailed categories.
        (5) If a licensee discloses nonpublic personal financial information under the exception in section 12 of this chapter to a nonaffiliated third party to market products or services that the licensee offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of subsection (a)(5) if the licensee:
            (A) lists the categories of nonpublic personal financial information that the licensee discloses, using the same categories and examples the licensee used to meet the requirements of subsection (a)(2), as applicable; and
            (B) states whether the third party is a:
                (i) service provider that performs marketing services on the licensee's behalf or on behalf of the licensee and

another financial institution; or
                (ii) financial institution with whom the licensee has a joint marketing agreement.
        (6) If a licensee does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties, except as authorized under sections 13 and 14 of this chapter, the licensee may state that fact, in addition to the information that the licensee shall provide under subsections (a)(1), (a)(8), (a)(9), and (b).
        (7) A licensee describes the licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if the licensee does both of the following:
            (A) Describes in general terms who is authorized to have access to the information.
            (B) States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee's policy. The licensee is not required to describe technical information about the safeguards that the licensee uses.
    (d) A licensee may satisfy the initial notice requirements of sections 3(a)(2) and 6(d) of this chapter for a consumer who is not a customer by providing a short form initial notice at the same time that the licensee delivers an opt out notice as required under section 6 of this chapter. A short form notice must:
        (1) be clear and conspicuous;
        (2) state that the licensee's privacy notice is available upon request; and
        (3) explain a reasonable means by which the consumer may obtain the notice.
    (e) A licensee shall deliver the licensee's short form initial notice as specified under section 8 of this chapter. The licensee is not required to deliver the licensee's privacy notice with the licensee's short form initial notice. The licensee may provide the consumer a reasonable means to obtain the licensee's privacy notice. If a consumer who receives the licensee's short form notice requests the licensee's privacy notice, the licensee shall deliver the licensee's privacy notice as specified under section 8 of this chapter.
    (f) A licensee provides a reasonable means by which a consumer may obtain a copy of the licensee's privacy notice if the licensee does either of the following:
        (1) Provides a toll free telephone number that the consumer may call to request the notice.
        (2) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that

the licensee provides to the consumer immediately upon request.
    (g) A licensee's notice may include the following:
        (1) Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose.
        (2) Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the license does not currently disclose, nonpublic financial information.
    Sec. 6. (a) If a licensee is required to provide an opt out notice under section 9(a) of this chapter, the licensee shall provide a clear and conspicuous notice to each of the licensee's consumers that accurately explains the right to opt out under section 9(a) of this chapter. The notice shall state all of the following:
        (1) The licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party.
        (2) The consumer has the right to opt out of that disclosure.
        (3) A reasonable means by which the consumer may exercise the opt out right.
    (b) The following are examples of compliance with subsection (a):
        (1) A licensee provides adequate notice that a consumer can opt out of the disclosure of nonpublic personal financial information to a nonaffiliated third party if the licensee does all of the following:
            (A) Identifies all of the categories of nonpublic personal financial information that the licensee discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the licensee discloses the information, as described in section 5(a)(2) and 5(a)(3) of this chapter.
            (B) States that the consumer can opt out of the disclosure of the information.
            (C) Identifies the insurance products or services that the consumer obtains from the licensee, either singly or jointly, to which the opt out direction would apply.
        (2) A licensee provides a reasonable means to exercise an opt out right if the licensee does any of the following:
            (A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice.
            (B) Includes a reply form together with the opt out notice.
            (C) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's Web site, if the consumer agrees to the electronic

delivery of information.
            (D) Provides a toll free telephone number that consumers may call to opt out.
        (3) A licensee does not provide a reasonable means of opting out if the only means of opting out:
            (A) is for the consumer to write the consumer's own letter to exercise that opt out right; or
            (B) as described in any notice subsequent to the initial notice, is to use a check-off box that the licensee provided with the initial notice, but did not include with the subsequent notice.
        (4) A licensee may require each consumer to opt out through a specific means as long as the means is reasonable for the consumer.
    (c) A licensee may provide an opt out notice together with or on the same written or electronic form as the initial notice that the licensee provides in under section 3 of this chapter.
    (d) If a licensee provides an opt out notice later than required for the initial notice under section 3 of this chapter, the licensee shall include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
    (e) The following apply to joint relationships:
        (1) If two (2) or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer.
        (2) Any of the joint consumers may exercise the right to opt out. The licensee may either:
            (A) treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
            (B) permit each joint consumer to opt out separately.
        (3) If a licensee permits each joint consumer to opt out separately, the licensee shall permit one (1) of the joint consumers to opt out on behalf of all of the joint consumers.
        (4) A licensee may not require all joint consumers to opt out before the licensee implements any opt out direction.
    (f) A licensee shall comply with a consumer's opt out direction as soon as reasonably practicable after the direction is received by the licensee.
    (g) A consumer may exercise the right to opt out at any time.
    (h) A consumer's direction to opt out under this section is effective until the consumer revokes the direction in writing or, if the consumer agrees, electronically. When a consumer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal financial information that the licensee

collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.
    (i) When a licensee is required to deliver an opt out notice under this section, the licensee shall deliver the notice as specified under section 8 of this chapter.
    Sec. 7. (a) Except as otherwise authorized in this chapter, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to the consumer under section 3 of this chapter unless the:
        (1) licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes the licensee's policies and practices;
        (2) licensee has provided to the consumer a new opt out notice;
        (3) licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
        (4) consumer does not opt out.
    (b) Except as otherwise permitted under sections 12 through 14 of this chapter, a licensee shall provide a revised notice before the licensee does any of the following:
        (1) Discloses a new category of nonpublic personal financial information to any nonaffiliated third party.
        (2) Discloses nonpublic personal financial information to a new category of nonaffiliated third party.
        (3) Discloses nonpublic personal financial information regarding a former customer to a nonaffiliated third party, if the former customer has not had the opportunity to exercise an opt out right regarding the disclosure.
    (c) A revised notice is not required if the licensee discloses nonpublic personal financial information to a new nonaffiliated third party that the licensee adequately described in the licensee's prior notice.
    (d) When a licensee is required to deliver a revised privacy notice under this section, the licensee shall deliver the notice as specified under section 8 of this chapter.
    Sec. 8. (a) A licensee shall provide notices required under this chapter so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
    (b) A licensee may reasonably expect that a consumer will receive actual notice if the licensee does any of the following:


        (1) Hand delivers a printed copy of the notice to the consumer.
        (2) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing, or other written communication.
        (3) For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.
        (4) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.
    (c) A licensee may not reasonably expect that a consumer will receive actual notice of the licensee's privacy policies and practices if the licensee does either of the following:
        (1) Only posts a sign in the licensee's office or generally publishes advertisements of the licensee's privacy policies and practices.
        (2) Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.
    (d) A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if the customer:
        (1) uses the licensee's Web site to access insurance products and services electronically and agrees to receive notices at the Web site and the licensee posts the licensee's current privacy notice continuously in a clear and conspicuous manner on the Web site; or
        (2) has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
    (e) A licensee may not provide any notice required under this chapter solely by orally explaining the notice, either in person or over the telephone.
    (f) For customers only, a licensee shall provide the initial notice required under section 3(a)(1) of this chapter, the annual notice required under section 4(a) of this chapter, and the revised notice required under section 7 of this chapter so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically. A licensee provides a privacy notice to the customer so that the customer can retain the notice or obtain the notice later if the licensee does any of the following:
        (1) Hand delivers a printed copy of the notice to the customer.
        (2) Mails a printed copy of the notice to the last known address of the customer.
        (3) Makes the licensee's current privacy notice available on a Web site (or a link to another Web site) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the Web site.
    (g) A licensee may provide a joint notice from the licensee and one (1) or more of the licensee's affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.
    (h) If two (2) or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of sections 3(a), 4(a), and 7(a) of this chapter, by providing one (1) notice to the consumers jointly.
    Sec. 9. (a) Except as otherwise authorized in this chapter, a licensee may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the:
        (1) licensee has provided to the consumer an initial notice as required under section 3 of this chapter;
        (2) licensee has provided to the consumer an opt out notice as required under section 6 of this chapter;
        (3) licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
        (4) consumer does not opt out.
    (b) Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about the consumer to a nonaffiliated third party, other than as permitted under sections 12 through 14 of this chapter.
    (c) A licensee provides a consumer with a reasonable opportunity to opt out if the licensee does any of the following:
        (1) Mails the notices required under subsection (a) to the consumer and allows the consumer to opt out by mailing a form, calling a toll free telephone number or any other reasonable means within thirty (30) days from the date the licensee mailed the notices.
        (2) If a customer opens an on-line account with the licensee and agrees to receive the notices required under subsection (a) electronically, allows the customer to opt out by any reasonable means within thirty (30) days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
        (3) For an isolated transaction, such as providing the consumer with an insurance quote, provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required under subsection (a) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
    (d) A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship. Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected the information before or after receiving the direction to opt out from the consumer.
    (e) A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.
    Sec. 10. (a) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception under section 13 or 14 of this chapter, the licensee's disclosure and use of the information is limited as follows:
        (1) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.
        (2) The licensee may disclose the information to the licensee's affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information.
        (3) The licensee may disclose and use the information under an exception in section 13 or 14 of this chapter, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
    (b) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception under section 13 or 14 of this chapter, the licensee may disclose the information only to:
        (1) the affiliates of the financial institution from which the licensee received the information;
        (2) the licensee's affiliates, but the licensee's affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information; and
        (3) any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
    (c) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception under section 13 or 14 of this chapter, the third party may disclose and use the information only as follows:
        (1) The third party may disclose the information to the licensee's affiliates.
        (2) The third party may disclose the information to the third party's affiliates, but the third party's affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information.
        (3) The third party may disclose and use the information under an exception under section 13 or 14 of this chapter in the ordinary course of business to carry out the activity covered by the exception under which the third party received the information.
    (d) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception under section 13 or 14 of this chapter, the third party may disclose the information only to:
        (1) the licensee's affiliates;
        (2) the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
        (3) any other person, if the disclosure would be lawful if the licensee made the disclosure directly to the person.
    Sec. 11. (a) A licensee shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
    (b) Subsection (a) does not apply if a licensee discloses a policy number or similar form of access number or access code to any of the following:
        (1) The licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account.
        (2) A licensee who is a producer solely in order to perform marketing for the licensee's own products or services.
        (3) A participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
    (c) A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to

decode the number or code.
    (d) For purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.
    Sec. 12. (a) The opt out requirements under sections 6 and 9 of this chapter do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, if the licensee:
        (1) provides the initial notice as provided under section 3 of this chapter; and
        (2) enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception under section 13 or 14 of this chapter in the ordinary course of business to carry out those purposes.
    (b) The services a nonaffiliated third party performs for a licensee under subsection (a) may include marketing of the licensee's own products or services or marketing of financial products or services offered under joint agreements between the licensee and one (1) or more financial institutions.
    (c) For purposes of this section, "joint agreement" means a written contract under which a licensee and one (1) or more financial institutions jointly offer, endorse, or sponsor a financial product or service.
    Sec. 13. (a) The requirements for initial notice under section 3(a)(2) of this chapter, the opt out under sections 6 and 9 of this chapter, and service providers and joint marketing under section 12 of this chapter do not apply if a licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following:
        (1) Servicing or processing an insurance product or service that the consumer requests or authorizes.
        (2) Maintaining or servicing the consumer's account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity.
        (3) A proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transaction related to a transaction of the consumer.
        (4) Reinsurance or stop loss or excess loss insurance.
    (b) As used in this section, "necessary to effect, administer, or enforce a transaction" means that the disclosure is required, or is:


        (1) one (1) of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
        (2) a usual, appropriate, or acceptable method to:
            (A) carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the insurance product or service;
            (B) administer or service benefits or claims relating to the transaction or the product or service business of which the transaction is a part;
            (C) provide a confirmation, statement, or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer's agent or broker;
            (D) accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party; and
            (E) underwrite insurance at the consumer's request or for any of the following purposes as they relate to a consumer's insurance:
                (i) Account administration.
                (ii) Reporting.
                (iii) Investigating or preventing fraud or material misrepresentation.
                (iv) Processing premium payments.
                (v) Processing insurance claims.
                (vi) Administering insurance benefits, including utilization review activities.
                (vii) Participating in research projects.
                (viii) As otherwise required or specifically permitted by federal or state law.
                (ix) In connection with the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means.
                (x) In connection with the transfer of receivables, accounts, or interests in the receivables or accounts.
                (xi) In connection with the audit of debit, credit, or other payment information.
    Sec. 14. (a) The requirements for initial notice to consumers under section 3(a)(2) of this chapter, the opt out under sections 6 and 9 of this chapter, and service providers and joint marketing

under section 12 of this chapter do not apply when a licensee discloses nonpublic personal financial information as follows:
        (1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
        (2) In any of the following situations:
            (A) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product, or transaction.
            (B) To protect against or prevent actual or potential fraud or unauthorized transactions.
            (C) For required institutional risk control or for resolving consumer disputes or inquiries.
            (D) To persons holding a legal or beneficial interest relating to the consumer.
            (E) To persons acting in a fiduciary or representative capacity on behalf of the consumer.
        (3) To provide information to:
            (A) insurance rate advisory organizations;
            (B) guaranty funds or agencies;
            (C) agencies that are rating a licensee;
            (D) persons who are assessing the licensee's compliance with industry standards; and
            (E) the licensee's attorneys, accountants, and auditors.
        (4) To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies, including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission, self-regulatory organization or for an investigation on a matter related to public safety.
        (5) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.
        (6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.


        (7) To comply with or respond to any of the following:
            (A) Federal, state, or local laws, rules, and other applicable legal requirements.
            (B) Properly authorized civil, criminal, or regulatory investigation, or subpoena, or summons by federal, state, or local authorities.
            (C) Judicial process or governmental regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law.
        (8) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers' compensation plan.
    (b) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under section 6(g) of this chapter.
    Sec. 15. This chapter shall not be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., and no inference shall be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under Section 603 of the Fair Credit Reporting Act.
    Sec. 16. A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of the consumer's or customer's nonpublic personal financial information.
    Sec. 17. A violation of this chapter is an unfair method of competition and an unfair and deceptive act and practice in the business of insurance subject to IC 27-4-1.
".
SOURCE: Page 77, line 9; (01)MO038605.77. -->     Page 77, between lines 9 and 10, begin a new paragraph and insert:
SOURCE: ; (01)MO038605.47. -->     SECTION 47. [EFFECTIVE UPON PASSAGE]: (a) A licensee shall, not later than July 1, 2001, provide an initial notice, as required under IC 27-2-20-3, as added by this act, of this chapter, to consumers who are the licensee's customers on July 1, 2001.
    (b) Until July 1, 2002, a contract entered into before July 1, 2000, by a licensee with a nonaffiliated third party to perform services for the licensee or functions on behalf of the licensee is considered to be in compliance with the requirements of IC 27-2-20-12(a), as added by this act, regardless of whether the contract includes a requirement that the third party maintain the confidentiality of nonpublic personal information.
    (c) This SECTION expires July 1, 2005.
".
    Renumber all SECTIONS consecutively.
    (Reference is to ESB 386 as printed April 9, 2001.)



________________________________________

Representative Crooks


MO038605/DI 97     2001