sentences, paragraphs, and sections.
(ii) Uses short explanatory sentences or bullet lists
whenever possible.
(iii) Uses definite, concrete, everyday words and active
voice whenever possible.
(iv) Avoids multiple negatives.
(v) Avoids legal and highly technical business
terminology whenever possible.
(vi) Avoids explanations that are imprecise and readily
subject to different interpretations.
(B) A licensee designs the licensee's notice to call attention
to the nature and significance of the information in the
notice if the licensee does the following:
(i) Uses a plain-language heading to call attention to the
notice.
(ii) Uses a typeface and type size that are easy to read.
(iii) Provides wide margins and ample line spacing.
(iv) Uses boldface or italics for key words.
(v) In a form that combines the licensee's notice with
other information, uses distinctive type size, style, and
graphic devices, such as shading or sidebars.
(C) If a licensee provides a notice on a Web page, the
licensee designs the licensee's notice to call attention to the
nature and significance of the information in the notice if
the licensee uses text or visual cues to encourage scrolling
down the page if necessary to view the entire notice and
ensure that other elements on the Web site, such as text,
graphics, hyperlinks, or sound, do not distract attention
from the notice, and the licensee does either of the
following:
(i) Places the notice on a screen that consumers
frequently access, such as a page on which transactions
are conducted.
(ii) Places a link on a screen that consumers frequently
access, such as a page on which transactions are
conducted, that connects directly to the notice and is
labeled appropriately to convey the importance, nature,
and relevance of the notice.
(3) "Collect" means to obtain information that a licensee
organizes or can retrieve by the name of an individual or by
identifying number, symbol, or other identifying particular
assigned to the individual, regardless of the source of the
underlying information.
(4) "Commissioner" means the commissioner of the Indiana
department of insurance.
(5) "Company" means a corporation, limited liability
company, business trust, general or limited partnership,
association, sole proprietorship, or similar organization.
(6) "Consumer" means an individual who seeks to obtain,
obtains, or has obtained an insurance product or service from
a licensee that is to be used primarily for personal, family, or
household purposes, and about whom the licensee has
nonpublic personal information, or the individual's legal
representative, including the following:
(A) An individual provides nonpublic personal information
to a licensee in connection with obtaining or seeking to
obtain financial, investment or economic advisory services
relating to an insurance product or service is a consumer
regardless of whether the licensee establishes an ongoing
advisory relationship.
(B) An applicant for insurance prior to the inception of
insurance coverage is a licensee's consumer.
(C) An individual who is a consumer of another financial
institution is not a licensee's consumer solely because the
licensee is acting as an agent for, or provides processing or
other services to, that financial institution.
(D) An individual is a licensee's consumer if the individual
is:
(i) a beneficiary of a life insurance policy underwritten
by the licensee;
(ii) a claimant under an insurance policy issued by the
licensee;
(iii) an insured or an annuitant under an insurance
policy or an annuity, respectively, issued by the licensee;
or
(iv) a mortgagor of a mortgage covered under a
mortgage insurance policy;
and the licensee discloses nonpublic personal financial
information about the individual to a nonaffiliated third
party other than as permitted under sections 12, 13, and 14
of this chapter.
(E) If the licensee provides the initial, annual, and revised
notices under sections 3, 4, and 7 of this chapter to the plan
sponsor, group, or blanket insurance policyholder or group
annuity contractholder, and if the licensee does not disclose
to a nonaffiliated third party nonpublic personal financial
information about the individual other than as permitted
under sections 12, 13, and 14 of this chapter, an individual
is not the consumer of the licensee solely because the
individual is:
(i) a participant or a beneficiary of an employee benefit
plan that the licensee administers or sponsors or for
which the licensee acts as a trustee, insurer, or fiduciary;
(ii) covered under a group or blanket insurance policy or
group annuity contract issued by the licensee; or
(iii) a beneficiary in a workers' compensation plan.
(F) The individuals described in clause (E)(i) through
(E)(iii) are consumers of a licensee if the licensee does not
meet all the conditions of this subdivision. In no event shall
the individuals, solely by virtue of the status described in
clause (E)(i) through (E)(iii), be considered to be
customers.
(G) An individual is not a licensee's consumer solely
because the individual is a beneficiary of a trust for which
the licensee is a trustee.
(H) An individual is not a licensee's consumer solely
because the individual has designated the licensee as
trustee for a trust.
(7) "Consumer reporting agency" has the meaning set forth
in section 603(f) of the federal Fair Credit Reporting Act (15
U.S.C. 1681a(f)).
(8) "Control" means any of the following:
(A) Ownership, control, or power to vote twenty-five
percent (25%) or more of the outstanding shares of any
class of voting security of a company, directly or indirectly,
or acting through one (1) or more other persons.
(B) Control in any manner over the election of a majority
of the directors, trustees, general partners, or individuals
exercising similar functions, of a company.
(C) The power to exercise, directly or indirectly, a
controlling influence over the management or policies of a
company, as determined by the commissioner.
(9) "Customer" means a consumer who has a customer
relationship with a licensee.
(10) "Customer relationship" means a continuing relationship
between a consumer and a licensee under which the licensee
provides one (1) or more insurance products or services to the
consumer that are to be used primarily for personal, family,
or household purposes, including the following:
(A) A consumer has a continuing relationship with a
licensee if the consumer:
(i) is a current policyholder of an insurance product
issued by or through the licensee; or
(ii) obtains financial, investment, or economic advisory
services relating to an insurance product or service from
the licensee for a fee.
(B) A consumer does not have a continuing relationship
with a licensee in any of the following circumstances:
(i) The consumer applies for insurance but does not
purchase the insurance.
(ii) The licensee sells the consumer airline travel
insurance in an isolated transaction.
(iii) The individual is no longer a current policyholder of
an insurance product or no longer obtains insurance
services with or through the licensee.
(iv) The consumer is a beneficiary or claimant under a
policy and has submitted a claim under a policy choosing
a settlement option involving an ongoing relationship
with the licensee.
(v) The consumer is a beneficiary or a claimant under a
policy and has submitted a claim under that policy
choosing a lump sum settlement option.
(vi) The customer's policy is lapsed, expired, or
otherwise inactive or dormant under the licensee's
business practices, and the licensee has not
communicated with the customer about the relationship
for a period of twelve (12) consecutive months, other
than annual privacy notices, material required by law or
rule, communication at the direction of a state or federal
authority, or promotional materials.
(vii) The individual is an insured or an annuitant under
an insurance policy or annuity, respectively, but is not
the policyholder or owner of the insurance policy or
annuity.
(viii) For the purposes of this chapter, the individual's
last known address, according to the licensee's records,
is considered invalid. An address of record is considered
invalid if mail sent to that address by the licensee has
been returned by the postal authorities as undeliverable
and if subsequent attempts by the licensee to obtain a
current valid address for the individual have been
unsuccessful.
(11) "Financial institution" means an institution the business
of which is engaging in activities that are financial in nature
or incidental to financial activities as described in section 4(k)
of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).
The term does not include the following:
(A) A person or entity with respect to any financial activity
that is subject to the jurisdiction of the Commodity
Futures Trading Commission under the Commodity
Exchange Act, 7 U.S.C. 1 et seq.
(B) The Federal Agricultural Mortgage Corporation or
any entity charged and operating under the Farm Credit
Act of 1971, 12 U.S.C. 2001 et seq.
(C) Institutions chartered by Congress specifically to
engage in securitizations, secondary market sales
(including sales of servicing rights), or similar transactions
related to a transaction of a consumer, as long as the
institutions do not sell or transfer nonpublic personal
information to a nonaffiliated third party.
(12) "Financial product or service" means a product or
service that a financial holding company could offer by
engaging in an activity that is financial in nature or incidental
to such a financial activity under section 4(k) of the Bank
Holding Company Act of 1956, 12 U.S.C. 1843(k). "Financial
service" includes a financial institution's evaluation or
brokerage of information that the financial institution collects
in connection with a request or an application from a
consumer for a financial product or service.
(13) "Health information" means any information or data,
except age or gender, whether oral or recorded in any form or
medium, created by or derived from a health care provider or
a consumer that relates to any of the following:
(A) The past, present, or future physical, mental, or
behavioral health or condition of an individual.
(B) The provision of health care to an individual.
(C) Payment for the provision of health care to an
individual.
(14) "Insurance product or service" means any product or
service that is offered by a licensee under the insurance laws
of Indiana. "Insurance service" includes a licensee's
evaluation, brokerage, or distribution of information that the
licensee collects in connection with a request or an application
from a consumer for an insurance product or service.
(15) "Licensee" means licensed insurers, health maintenance
organizations, agents, producers, and other persons licensed
or required to be licensed, or authorized or required to be
authorized, or registered or required to be registered under
IC 27. The following requirements apply:
(A) A licensee is not subject to the notice and opt out
requirements for nonpublic personal financial information
set forth in section 1 of this chapter, this section, and
sections 3 through 15 of this chapter if the licensee is an
employee, agent, or other representative of another
licensee and:
(i) the other licensee otherwise complies with, and
provides the notices required under this chapter; and
(ii) the licensee does not disclose any nonpublic personal
information to any person other than the principal or
affiliates of the principal in a manner permitted under
this chapter.
(B) A licensee includes an unauthorized insurer that
accepts business placed through a licensed surplus lines
broker in Indiana, but only with regard to the surplus lines
placements placed under IC 27-1-15.5-5. A surplus lines
broker or surplus lines insurer is considered to be in
compliance with the notice and opt out requirements for
nonpublic personal financial information set forth in
section 1 of this chapter, this section, and sections 3
through 15 of this chapter if the surplus lines agent or
insurer:
(i) does not disclose nonpublic personal information of a
consumer or a customer to a nonaffiliated third party for
any purpose, including joint servicing or marketing
under section 12 of this chapter, except as permitted
under section 13 or 14 of this chapter; and
(ii) delivers a notice to the consumer at the time a
customer relationship is established on which the
following is printed in 16 point type:
government records, widely distributed media, or disclosures
to the general public that are required to be made by federal,
state, or local law. The following requirements apply:
(A) A licensee has a reasonable basis to believe that
information is lawfully made available to the general
public if the licensee has taken steps to determine that the
information is of the type that is available to the general
public and whether an individual can direct that the
information not be made available to the general public,
and, if so, that the licensee's consumer has not done so.
(B) Publicly available information in government records
includes information in government real estate records and
security interest filings.
(C) Publicly available information from widely distributed
media includes information from a:
(i) telephone book;
(ii) television;
(iii) radio program,
(iv) newspaper; or
(v) Web site;
that is available to the general public on an unrestricted
basis. A Web site is not restricted merely because an
Internet service provider or a site operator requires a fee
or a password, so long as access is available to the general
public.
(D) A licensee has a reasonable basis to believe that
mortgage information is lawfully made available to the
general public if the licensee has determined that the
information is of the type included on the public record in
the jurisdiction where the mortgage would be recorded.
(E) A licensee has a reasonable basis to believe that an
individual's telephone number is lawfully made available
to the general public if the licensee has located the
telephone number in the telephone book or the consumer
has informed you that the telephone number is not
unlisted.
Sec. 3. (a) A licensee shall provide a clear and conspicuous
notice that accurately reflects the privacy policies and practices of
the licensee to the following:
(1) An individual who becomes the licensee's customer, not
later than when the licensee establishes a customer
relationship, except as provided in subsection (e).
(2) A consumer, before the licensee discloses any nonpublic
personal financial information about the consumer to any
nonaffiliated third party, if the licensee makes a disclosure
other than as authorized under sections 13 and 14 of this
chapter.
residual market mechanism and the customer does not
have a choice about the licensee's acquisition or
assignment.
(B) Providing notice not later than when a licensee
establishes a customer relationship would substantially
delay the customer's transaction when the licensee and the
individual agree over the telephone to enter into a
customer relationship involving prompt delivery of the
insurance product or service.
(C) Providing notice not later than when a licensee
establishes a customer relationship would not substantially
delay the customer's transaction when the relationship is
initiated in person at the licensee's office or through other
means by which the customer may view the notice, such as
on a Web site.
(f) When a licensee is required to deliver an initial privacy
notice under this section, the licensee shall deliver the notice as
specified in section 8 of this chapter. If the licensee uses a short
form initial notice for non-customers as specified in section 5 of
this chapter, the licensee may deliver the privacy notice as specified
in section 5(f) of this chapter.
Sec. 4. (a) A licensee shall provide a clear and conspicuous
notice to customers that accurately reflects the licensee's privacy
policies and practices not less than annually during the
continuation of the customer relationship.
(1) As used in this section, "annually" means at least one (1)
time in any period of twelve (12) consecutive months during
which the relationship exists. A licensee may define the twelve
(12) consecutive month period, but the licensee shall apply the
period to the customer on a consistent basis.
(2) A licensee provides a notice annually if the licensee defines
the twelve (12) consecutive month period as a calendar year
and provides the annual notice to the customer once in each
calendar year following the calendar year in which the
licensee provided the initial notice.
(b) A licensee is not required to provide an annual notice to a
former customer. As used in this section, "former customer"
means an individual with whom a licensee no longer has a
continuing relationship and includes the following:
(1) The individual is not a current policyholder of an
insurance product or no longer obtains insurance services
with or through the licensee.
(2) The individual's policy is lapsed, expired, or otherwise
inactive or dormant under the licensee's business practices,
and the licensee has not communicated with the customer
about the relationship for a period of twelve (12) consecutive
months, other than to provide annual privacy notices,
material required by law or rule, or promotional materials.
(3) An individual if the individual's last known address
according to the licensee's records is considered invalid. An
address of record is considered invalid if mail sent to that
address by the licensee has been returned by the postal
authorities as undeliverable and if subsequent attempts by the
licensee to obtain a current valid address for the individual
have been unsuccessful.
(4) In the case of providing real estate settlement services, at
the time the customer completes execution of all documents
related to the real estate closing, payment for the services has
been received, or the licensee has completed all of the
licensee's responsibilities with respect to the settlement,
including filing documents on the public record, whichever is
later.
(c) When a licensee is required under this section to deliver an
annual privacy notice, the licensee shall deliver the notice as
specified under section 8 of this chapter.
Sec. 5. (a) The initial, annual, and revised privacy notices that
a licensee provides under sections 3, 4, and
7 of this chapter must
include each of the following items of information, in addition to
any other information that the licensee provides, that applies to the
licensee and to the consumers to whom the licensee sends the
licensee's privacy notice:
(1) The categories of nonpublic personal financial information
that the licensee collects.
(2) The categories of nonpublic personal financial information
that the licensee discloses.
(3) The categories of affiliates and nonaffiliated third parties
to whom the licensee discloses nonpublic personal financial
information, other than those parties to whom the licensee
discloses information under sections 13 and 14 of this chapter.
(4) The categories of nonpublic personal financial information
about the licensee's former customers that the licensee
discloses and the categories of affiliates and nonaffiliated
third parties to whom the licensee discloses nonpublic
personal financial information about the licensee's former
customers, other than the parties to whom the licensee
discloses information under sections 13 and 14 of this chapter.
(5) If a licensee discloses nonpublic personal financial
information to a nonaffiliated third party under section 12 of
this chapter (and no other exception in sections 13 and 14 of
this chapter applies to the disclosure), a separate description
of the categories of information that the licensee discloses and
the categories of third parties with whom the licensee has
contracted.
(6) An explanation of the consumer's right under section 9(a)
of this chapter to opt out of the disclosure of nonpublic
personal financial information to nonaffiliated third parties,
including the methods by which the consumer may exercise
the right at that time.
(7) Any disclosures that the licensee makes under section
603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act, 15
U.S.C. 1681a(d)(2)(A)(iii), regarding the ability to opt out of
disclosures of information among affiliates.
(8) The licensee's policies and practices with respect to
protecting the confidentiality and security of nonpublic
personal information.
(9) Any disclosure that the licensee makes under subsection
(b).
(b) If a licensee discloses nonpublic personal financial
information as authorized under sections 13 and 14 of this chapter,
the licensee is not required to list the exceptions in the initial or
annual privacy notices required by sections 3 and 4 of this chapter.
When describing the categories of parties to whom disclosure is
made, the licensee shall state only that the licensee makes
disclosures to other affiliated or nonaffiliated third parties, as
applicable, as permitted by law.
(c) The following are examples of compliance with this section:
(1) A licensee satisfies the requirement to categorize the
nonpublic personal financial information that the licensee
collects if the licensee categorizes the information according
to the source of the information, as applicable information:
(A) from the consumer;
(B) about the consumer's transactions with the licensee or
its affiliates;
(C) about the consumer's transactions with nonaffiliated
third parties; and
(D) from a consumer reporting agency.
(2) A licensee satisfies the requirement to categorize
nonpublic personal financial information the licensee discloses
if the licensee categorizes the information according to source,
as described in subdivision (1), as applicable, and provides
examples to illustrate the types of information in each
category. The examples include the following:
(A) Information from the consumer, including application
information, such as assets and income and identifying
information, such as name, address, and Social Security
number.
(B) Transaction information, such as information about
balances, payment history, and parties to the transaction.
(C) Information from consumer reports, such as a
consumer's creditworthiness and credit history.
(3) A licensee does not adequately categorize the information
that the licensee discloses if the licensee uses only general
terms, such as transaction information about the consumer.
If a licensee reserves the right to disclose all of the nonpublic
personal financial information about consumers that the
licensee collects, the licensee may simply state that fact
without describing the categories or examples of nonpublic
personal information that the licensee discloses.
(4) A licensee satisfies the requirement to categorize the
affiliates and nonaffiliated third parties to which the licensee
discloses nonpublic personal financial information about
consumers if the licensee identifies the types of businesses in
which they engage.
(A) Types of businesses may be described by general terms
only if the licensee uses a few illustrative examples of
significant lines of business.
(B) A licensee also may categorize the affiliates and
nonaffiliated third parties to which the licensee discloses
nonpublic personal financial information about consumers
using more detailed categories.
(5) If a licensee discloses nonpublic personal financial
information under the exception in section 12 of this chapter
to a nonaffiliated third party to market products or services
that the licensee offers alone or jointly with another financial
institution, the licensee satisfies the disclosure requirement of
subsection (a)(5) if the licensee:
(A) lists the categories of nonpublic personal financial
information that the licensee discloses, using the same
categories and examples the licensee used to meet the
requirements of subsection (a)(2), as applicable; and
(B) states whether the third party is a:
(i) service provider that performs marketing services on
the licensee's behalf or on behalf of the licensee and
another financial institution; or
(ii) financial institution with whom the licensee has a
joint marketing agreement.
(6) If a licensee does not disclose, and does not reserve the
right to disclose, nonpublic personal financial information
about customers or former customers to affiliates or
nonaffiliated third parties, except as authorized under
sections 13 and 14 of this chapter, the licensee may state that
fact, in addition to the information that the licensee shall
provide under subsections (a)(1), (a)(8), (a)(9), and (b).
(7) A licensee describes the licensee's policies and practices
with respect to protecting the confidentiality and security of
nonpublic personal financial information if the licensee does
both of the following:
(A) Describes in general terms who is authorized to have
access to the information.
(B) States whether the licensee has security practices and
procedures in place to ensure the confidentiality of the
information in accordance with the licensee's policy. The
licensee is not required to describe technical information
about the safeguards that the licensee uses.
(d) A licensee may satisfy the initial notice requirements of
sections 3(a)(2) and 6(d) of this chapter
for a consumer who is not
a customer by providing a short form initial notice at the same
time that the licensee delivers an opt out notice as required under
section 6 of this chapter. A short form notice must:
(1) be clear and conspicuous;
(2) state that the licensee's privacy notice is available upon
request; and
(3) explain a reasonable means by which the consumer may
obtain the notice.
(e) A licensee shall deliver the licensee's short form initial notice
as specified under section 8 of this chapter. The licensee is not
required to deliver the licensee's privacy notice with the licensee's
short form initial notice. The licensee may provide the consumer
a reasonable means to obtain the licensee's privacy notice. If a
consumer who receives the licensee's short form notice requests the
licensee's privacy notice, the licensee shall deliver the licensee's
privacy notice as specified under section 8 of this chapter.
(f) A licensee provides a reasonable means by which a consumer
may obtain a copy of the licensee's privacy notice if the licensee
does either of the following:
(1) Provides a toll free telephone number that the consumer
may call to request the notice.
(2) For a consumer who conducts business in person at the
licensee's office, maintains copies of the notice on hand that
the licensee provides to the consumer immediately upon
request.
(g) A licensee's notice may include the following:
(1) Categories of nonpublic personal financial information
that the licensee reserves the right to disclose in the future,
but does not currently disclose.
(2) Categories of affiliates or nonaffiliated third parties to
whom the licensee reserves the right in the future to disclose,
but to whom the license does not currently disclose, nonpublic
financial information.
Sec. 6. (a) If a licensee is required to provide an opt out notice
under section 9(a) of this chapter, the licensee shall provide a clear
and conspicuous notice to each of the licensee's consumers that
accurately explains the right to opt out under section 9(a) of this
chapter. The notice shall state all of the following:
(1) The licensee discloses or reserves the right to disclose
nonpublic personal financial information about its consumer
to a nonaffiliated third party.
(2) The consumer has the right to opt out of that disclosure.
(3) A reasonable means by which the consumer may exercise
the opt out right.
(b) The following are examples of compliance with subsection
(a):
(1) A licensee provides adequate notice that a consumer can
opt out of the disclosure of nonpublic personal financial
information to a nonaffiliated third party if the licensee does
all of the following:
(A) Identifies all of the categories of nonpublic personal
financial information that the licensee discloses or reserves
the right to disclose, and all of the categories of
nonaffiliated third parties to which the licensee discloses
the information, as described in section 5(a)(2) and 5(a)(3)
of this chapter.
(B) States that the consumer can opt out of the disclosure
of the information.
(C) Identifies the insurance products or services that the
consumer obtains from the licensee, either singly or jointly,
to which the opt out direction would apply.
(2) A licensee provides a reasonable means to exercise an opt
out right if the licensee does any of the following:
(A) Designates check-off boxes in a prominent position on
the relevant forms with the opt out notice.
(B) Includes a reply form together with the opt out notice.
(C) Provides an electronic means to opt out, such as a form
that can be sent via electronic mail or a process at the
licensee's Web site, if the consumer agrees to the electronic
delivery of information.
(D) Provides a toll free telephone number that consumers
may call to opt out.
(3) A licensee does not provide a reasonable means of opting
out if the only means of opting out:
(A) is for the consumer to write the consumer's own letter
to exercise that opt out right; or
(B) as described in any notice subsequent to the initial
notice, is to use a check-off box that the licensee provided
with the initial notice, but did not include with the
subsequent notice.
(4) A licensee may require each consumer to opt out through
a specific means as long as the means is reasonable for the
consumer.
(c) A licensee may provide an opt out notice together with or on
the same written or electronic form as the initial notice that the
licensee provides in under section 3 of this chapter.
nonaffiliated third party unless the:
(1) licensee has provided to the consumer an initial notice as
required under section 3 of this chapter;
(2) licensee has provided to the consumer an opt out notice as
required under section 6 of this chapter;
(3) licensee has given the consumer a reasonable opportunity,
before the licensee discloses the information to the
nonaffiliated third party, to opt out of the disclosure; and
(4) consumer does not opt out.
(b) Opt out means a direction by the consumer that the licensee
not disclose nonpublic personal financial information about the
consumer to a nonaffiliated third party, other than as permitted
under sections 12 through 14 of this chapter.
(c) A licensee provides a consumer with a reasonable
opportunity to opt out if the licensee does any of the following:
(1) Mails the notices required under subsection (a) to the
consumer and allows the consumer to opt out by mailing a
form, calling a toll free telephone number or any other
reasonable means within thirty (30) days from the date the
licensee mailed the notices.
(2) If a customer opens an on-line account with the licensee
and agrees to receive the notices required under subsection (a)
electronically, allows the customer to opt out by any
reasonable means within thirty (30) days after the date that
the customer acknowledges receipt of the notices in
conjunction with opening the account.
(3) For an isolated transaction, such as providing the
consumer with an insurance quote, provides the consumer
with a reasonable opportunity to opt out if the licensee
provides the notices required under subsection (a) at the time
of the transaction and requests that the consumer decide, as
a necessary part of the transaction, whether to opt out before
completing the transaction.
(d) A licensee shall comply with this section, regardless of
whether the licensee and the consumer have established a customer
relationship. Unless a licensee complies with this section, the
licensee may not, directly or through any affiliate, disclose any
nonpublic personal financial information about a consumer that
the licensee has collected, regardless of whether the licensee
collected the information before or after receiving the direction to
opt out from the consumer.
(e) A licensee may allow a consumer to select certain nonpublic
personal financial information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out.
Sec. 10. (a) If a licensee receives nonpublic personal financial
information from a nonaffiliated financial institution under an
exception under section 13 or 14 of this chapter, the licensee's
disclosure and use of the information is limited as follows:
(1) The licensee may disclose the information to the affiliates
of the financial institution from which the licensee received
the information.
(2) The licensee may disclose the information to the licensee's
affiliates, but the licensee's affiliates may, in turn, disclose and
use the information only to the extent that the licensee may
disclose and use the information.
(3) The licensee may disclose and use the information under
an exception in section 13 or 14 of this chapter, in the
ordinary course of business to carry out the activity covered
by the exception under which the licensee received the
information.
(b) If a licensee receives nonpublic personal financial
information from a nonaffiliated financial institution other than
under an exception under section 13 or 14 of this chapter, the
licensee may disclose the information only to:
(1) the affiliates of the financial institution from which the
licensee received the information;
(2) the licensee's affiliates, but the licensee's affiliates may, in
turn, disclose the information only to the extent that the
licensee may disclose the information; and
(3) any other person, if the disclosure would be lawful if made
directly to that person by the financial institution from which
the licensee received the information.
(c) If a licensee discloses nonpublic personal financial
information to a nonaffiliated third party under an exception
under section 13 or 14 of this chapter, the third party may disclose
and use the information only as follows:
(1) The third party may disclose the information to the
licensee's affiliates.
(2) The third party may disclose the information to the third
party's affiliates, but the third party's affiliates may, in turn,
disclose and use the information only to the extent that the
third party may disclose and use the information.
(3) The third party may disclose and use the information
under an exception under section 13 or 14 of this chapter in
the ordinary course of business to carry out the activity
covered by the exception under which the third party received
the information.
(d) If a licensee discloses nonpublic personal financial
information to a nonaffiliated third party other than under an
exception under section 13 or 14 of this chapter, the third party
may disclose the information only to:
(1) the licensee's affiliates;
(2) the third party's affiliates, but the third party's affiliates,
in turn, may disclose the information only to the extent the
third party can disclose the information; and
(3) any other person, if the disclosure would be lawful if the
licensee made the disclosure directly to the person.
Sec. 11. (a) A licensee shall not, directly or through an affiliate,
disclose, other than to a consumer reporting agency, a policy
number or similar form of access number or access code for a
consumer's policy or transaction account to any nonaffiliated third
party for use in telemarketing, direct mail marketing, or other
marketing through electronic mail to the consumer.
(b) Subsection (a) does not apply if a licensee discloses a policy
number or similar form of access number or access code to any of
the following:
(1) The licensee's service provider solely in order to perform
marketing for the licensee's own products or services, as long
as the service provider is not authorized to directly initiate
charges to the account.
(2) A licensee who is a producer solely in order to perform
marketing for the licensee's own products or services.
(3) A participant in an affinity or similar program where the
participants in the program are identified to the customer
when the customer enters into the program.
(c) A policy number, or similar form of access number or access
code, does not include a number or code in an encrypted form, as
long as the licensee does not provide the recipient with a means to
decode the number or code.
(d) For purposes of this section, a policy or transaction account
is an account other than a deposit account or a credit card account.
A policy or transaction account does not include an account to
which third parties cannot initiate charges.
Sec. 12. (a) The opt out requirements under sections 6 and 9 of
this chapter do not apply when a licensee provides nonpublic
personal financial information to a nonaffiliated third party to
perform services for the licensee or functions on the licensee's
behalf, if the licensee:
(1) provides the initial notice as provided under section 3 of
this chapter; and
(2) enters into a contractual agreement with the third party
that prohibits the third party from disclosing or using the
information other than to carry out the purposes for which
the licensee disclosed the information, including use under an
exception under section 13 or 14 of this chapter in the
ordinary course of business to carry out those purposes.
(b) The services a nonaffiliated third party performs for a
licensee under subsection (a) may include marketing of the
licensee's own products or services or marketing of financial
products or services offered under joint agreements between the
licensee and one (1) or more financial institutions.
other provisions of law and in accordance with the federal
Right to Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law
enforcement agencies, including the Federal Reserve Board,
Office of the Comptroller of the Currency, Federal Deposit
Insurance Corporation, Office of Thrift Supervision, National
Credit Union Administration, the Securities and Exchange
Commission, the Secretary of the Treasury, with respect to 31
U.S.C. Chapter 53, Subchapter II (Records and Reports on
Monetary Instruments and Transactions) and 12 U.S.C.
Chapter 21 (Financial Recordkeeping), a state insurance
authority, and the Federal Trade Commission, self-regulatory
organization or for an investigation on a matter related to
public safety.
(5) To a consumer reporting agency in accordance with the
federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or
from a consumer report reported by a consumer reporting
agency.
(6) In connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or
operating unit if the disclosure of nonpublic personal financial
information concerns solely consumers of the business or unit.
(7) To comply with or respond to any of the following:
(A) Federal, state, or local laws, rules, and other applicable
legal requirements.
(B) Properly authorized civil, criminal, or regulatory
investigation, or subpoena, or summons by federal, state,
or local authorities.
(C) Judicial process or governmental regulatory
authorities having jurisdiction over a licensee for
examination, compliance, or other purposes as authorized
by law.
(8) For purposes related to the replacement of a group benefit
plan, a group health plan, a group welfare plan, or a workers'
compensation plan.
(b) A consumer may revoke consent by subsequently exercising
the right to opt out of future disclosures of nonpublic personal
information as permitted under
section 6(g) of this chapter.
Sec. 15. This chapter shall not be construed to modify, limit, or
supersede the operation of the federal Fair Credit Reporting Act,
15 U.S.C. 1681 et seq., and no inference shall be drawn on the basis
of the provisions of this chapter regarding whether information is
transaction or experience information under Section 603 of the
Fair Credit Reporting Act.
Sec. 16. A licensee shall not unfairly discriminate against any
consumer or customer because that consumer or customer has
opted out from the disclosure of the consumer's or customer's
nonpublic personal financial information.