New York State Seal
STATE OF NEW YORK
INSURANCE DEPARTMENT
25 BEAVER STREET
NEW YORK, NEW YORK 10004

The Office of General Counsel issued the following informal opinion on June 29, 2001, representing the position of the New York State Insurance Department.

Re: Regulation 169 (Privacy)

Questions Presented:

1. What is an insurance agency’s obligations concerning privacy notices under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169)?

2. Is there a template letter that an agency may use to notify consumers and customers under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169)?

Conclusions:

1. An insurance agency’s obligations will vary, depending upon the particular circumstances.

2. Appendix A to N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169) contains sample clauses to be used in notifying consumers and customers about their privacy rights.

Facts:

No additional facts relating to this inquiry were given.

Analysis:

N.Y. Comp. Codes R. & Reg. tit. 11, § 420.0- 420.24 (2001) (Regulation 169) governs the treatment of nonpublic personal information concerning individuals (defined as consumers or customers) in New York by all licensees of the Insurance Department.

With respect to "nonpublic personal financial information," the regulation applies to individuals who obtain, seek to obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. It does not apply to companies or individuals who obtain products or services for business, commercial or agricultural purposes. N.Y. Comp. Codes R. & Reg. tit. 11, § 420.1(b) (2001).

Independent insurance agencies come within the definition of "licensee" in N.Y. Comp. Codes R. & Reg. tit. 11, § 420.3(p)(1) (2001). However, N.Y. Comp. Codes R. & Reg. tit. 11, § 420.3(p)(2) (2001) provides as follows:

(i) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in sections 420.4 through 420.9 of this Part if the licensee is an employee, agent, sublicensee, or other representative of another licensee ("the principal") and:

The principal otherwise complies with, and provides the notices required by, the provisions of this Part; and

The licensee does not disclose any nonpublic personal information of a consumer or customer to any person other than the principal from or through which such consumer or customer seeks to obtain or has obtained a product or service, or its affiliates in a manner permitted by this Part.

(ii) Examples of employee, agent or other representative of a principal:

An insurance broker, public adjuster or other licensee who is employed by another insurance broker, public adjuster or other licensee;

An independent adjuster adjusting a claim or benefit on behalf of an insurer;

An insurance agent of an insurer;

An insurance broker that has binding authority for an insurer; or

A sublicensee of a licensee, whether or not the sublicensee is licensed in any other capacity.

Thus, provided that an insurance agency meets the above conditions, it would not have to send out its own privacy notices. However, if an insurance agency does not meet the above conditions, it would have to send out its own privacy notices as follows:

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.4(a) (2001) governs the initial notice requirement and states that, a "licensee shall provide a clear and conspicuous notice that accurately reflects the licensee’s privacy policies and practices" to the licensee’s customers and consumers.

N.Y. Comp. Codes R. & Reg. tit. 11, § 420.4(b) (2001) contains certain exceptions to the initial privacy notice requirements, including an exception for a licensee that does not disclose any nonpublic personal financial information about a consumer, with whom the licensee does not have a customer relationship, to any nonaffiliated third party, other than as authorized by sections 420.14 and 420.15 of the regulation.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(e) (2001) defines "consumer" to mean, "an individual who, in this State, seeks to obtain, obtains or has obtained an insurance product or service, directly or through a legal representative, from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information."

If an insurance agency discloses nonpublic personal financial information about consumers to obtain quotes, then N.Y. Comp. Codes R. & Regs. tit. 11, § 420.14(a) (2001) is relevant because it lists exceptions for the initial privacy notice and includes an exception for "the solicitation of insurance quotes on behalf of a consumer by an insurance agent or broker."

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.5(1) (2001) governs the annual privacy notice to customers and states that:

A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee must apply it to the customer on a consistent basis.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(h) (2001) defines "customer" to mean, "a consumer who has a customer relationship with a licensee." N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(i)(1) (2001) states that a "customer relationship" is "a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family, or household purposes." Section 420.3(i)(2) provides examples of when there is a continuing relationship and when there is not.

With respect to how the provisions requiring authorization for disclosure of nonpublic personal health information would apply, see N.Y. Comp. Codes R. & Regs. tit. 11, § § 420.17-420.21 (2001), which requires a licensee to obtain an authorization from a consumer or customer before disclosing such individual’s nonpublic personal health information, unless an exception applies. Section 420.1(b) states that this regulation applies to all nonpublic personal health information.

Appendix A to N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169) contains sample clauses to be used in notifying consumers and customers about their privacy rights.

For further information, you may contact Senior Attorney Meredith S. Kaufer at the New York City Office.