The Office of General Counsel issued the following opinion on February 15, 2002, representing the position of the New York State Insurance Department.

Re: Regulation 169 and Privacy of Consumer Financial Information/Opt out requirements.

Question Presented:

With regard to disclosure of nonpublic personal financial information, in what circumstances must a private passenger automobile insurer provide an "opt out" notice to an insured?

Conclusion:

An adequate opt out notice must be provided to the insured customer prior to the disclosure of nonpublic personal financial information about the insured customer to a nonaffiliated third party, other than in accordance with N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.13, 420.14 and 420.15 (2001).

Facts:

The inquirer has a policy of private passenger automobile insurance with an insurance company. On May 4, 2001, the insurer sent the inquirer a privacy notice. No opt out notice was included in the mailing. The inquirer wrote to the Insurance Department seeking clarification regarding whether or not the insurer was, under the circumstances, required to send an opt out notice. The inquirer also pursued the same issue directly with the insurer. By letter dated June 4, 2001, the insurer replied to the inquiry. In essence, the insurer’s letter states that the company only discloses a customer’s personal information in those instances where such disclosure is permitted under the law, without requiring the insurer to provide an opt out notice. The letter recognizes that there are circumstances where disclosure of such information might require the insurer to provide an opt out notice to customers. However, the letter concludes by stating that the insurer does not make disclosure in such circumstances and, thus, is not required to provide such notice.

Analysis:

Insurance Department Regulation No. 169 (N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0-420.24 (2001)) is entitled "Privacy of Consumer Financial and Health Information." The Part establishes, among other things, that insurers, as licensees of the Department, must maintain a privacy policy that is clearly communicated to consumers and customers, and that no nonpublic personal financial information may be disclosed to nonaffiliated third parties unless (1) a customer has been given a chance to "opt out" of having his or her information disclosed and has not opted out or (2) the disclosure is made subject to the conditions specified in the regulation under which a licensee may disclose such information to nonaffiliated third parties.

The regulation defines various terms that are of relevance to this inquiry. A "consumer" is defined as "... an individual who, in this State, seeks to obtain, obtains or has obtained an insurance product or service, directly or through a legal representative, from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information." N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (e)(1) (2001).

A "customer" is defined as a "...consumer who has a customer relationship with a licensee." N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (h) (2001).

A "customer relationship" is defined as "...a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family, or household purposes." N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (i)(1) (2001).

Based on the facts related in the inquirer’s correspondence with the Department, the inquirer would fall within the definition of a customer of the insurer.

The regulation defines an "Affiliate" to mean "...any company that controls, is controlled by or is under common control with another company." N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (a) (2001). A "Nonaffiliated third party" is defined as follows:

...any person except:

(i) A licensee's affiliate; or

(ii) A person employed jointly by a licensee and any company that is not the licensee's affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (q)(1) (2001).

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (s) (2001), regarding nonpublic personal financial information, reads in part as follows:

(s)(1) "Nonpublic personal financial information" means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information other than publicly available information.

(2) Nonpublic personal financial information does not include:

(i) Health information;

(ii) Publicly available information, except as included on a list described in subparagraph (ii) of paragraph (1) of this subdivision; or

(iii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information other than publicly available information.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.10 (2001), regarding "Limits on disclosure of nonpublic financial information to nonaffiliated third parties" reads, in relevant part, as follows:

(a)(1) Conditions for disclosure. Except as otherwise authorized in this Part, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:

(i) The licensee has provided to the consumer an initial notice as required under section 420.4 of this Part;

(ii) The licensee has provided to the consumer an opt out notice as required in section 420.7 of this Part;

(iii) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by sections 420.13, 420.14 or 420.15 of this Part.[1]

The regulation provides that with respect to nonpublic personal financial information, unless the disclosure comes within one of the exceptions applicable to nonpublic personal financial information contained in §§ 420.13, 420.14 and 420.15 of the regulation, a licensee may not directly or through an affiliate disclose any nonpublic personal financial information about a customer to a nonaffiliated third party unless the licensee has provided the customer an opt out notice, and, after a reasonable amount of time, the customer has not opted out.

No opt out notice would be required if the licensee has not released nonpublic personal financial information to a nonaffiliated party other than as permitted by §§ 420.13, 420.14 and 420.15 of the regulation.

The insurer’s June 4th letter to the inquirer stated that the company only discloses customers’ personal information in those instances where such disclosure is permitted under the law, without requiring the insurer to provide an opt out notice. The letter concludes that the insurer did not make disclosure in circumstances that would have required it to provide the inquirer with an opt out notice. This is in conformance with the Regulation.

This letter has focused specifically on the inquirer’s question as related to nonpublic personal financial information. The regulation also establishes requirements relating to the disclosure of nonpublic personal health information.

For further information, you may contact Associate Attorney Sam Wachtel at the New York City office.


[1] The use of the term consumer in § 420.10 includes customers.