RULES AND REGULATIONS
[ 31 PA. CODE CH. 146a ]
Privacy of Consumer Financial Information
[49 Pa.B. 4109]
[Saturday, August 10, 2019]
The Insurance Department (Department) amends Chapter 146a (relating to privacy of consumer financial information) to read as set forth in Annex A. This final-form rulemaking is made under the Department's general rulemaking authority as set forth in sections 206, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P.S. §§ 66, 186, 411 and 412) and the Department's rulemaking authority under the Unfair Insurance Practices Act (40 P.S. §§ 1171.1—1171.15). See PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977) (further explaining the Insurance Commissioner's authority to promulgate regulations under the Unfair Insurance Practices Act).
The purpose of this final-form rulemaking is to update the Commonwealth's requirements for the treatment of nonpublic financial information in accordance with the changes made to the National Association of Insurance Commissioners (NAIC) Model Regulation # 672, entitled "Privacy of Consumer Financial and Health Information Regulation." The revisions to the NAIC model were precipitated by an amendment to section 503 of the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.A. § 6803) entitled "Eliminate Privacy Notice Confusion," passed by Congress on December 4, 2015. See section 75001 of the Fixing America's Surface Transportation Act, Pub.L. No. 114-94. This final-form rulemaking incorporates exceptions to the privacy notice requirement and provides that if a licensee uses a sample privacy form as set forth in 16 CFR Part 313 (relating to privacy of consumer financial information), the licensee would be deemed compliant with the state's model regulation.
Comments and Responses
Notice of proposed rulemaking was published at 48 Pa.B. 4258 (July 21, 2018), with a 30-day public comment period. Insurance Agents and Brokers (IA&B), Pennsylvania Association of Mutual Insurance Companies (PAMIC), Capital Blue Cross, and the Insurance Federation of Pennsylvania (IFP) submitted comments during the comment period. All comments were taken into consideration.
IA&B and PAMIC submitted comments on August 15 and 16, 2018, respectively, and expressed support for the Department's proposed rulemaking.
Capital Blue Cross expressed support for the Department's proposal to eliminate the requirement for annual GLBA notices. Capital Blue Cross did, however, express concerns regarding the proposal to sunset the safe harbor for the use of sample clauses. Capital Blue Cross was concerned that sunsetting the safe harbor would force Capital Blue Cross to use the federal privacy form. The Department spoke with Capital Blue Cross representatives to clarify that notwithstanding the sunset of the safe harbor, a licensee may continue to incorporate the sample clauses into its disclosure notices and be determined by the Department to be in compliance with the requirements of the regulation based upon a review of the text of the notice itself.
IFP expressed support for the proposed rulemaking; however, IFP offered one editorial change. Specifically, IFP recommended a change to § 146a.13(f) (relating to information to be included in privacy notices) by adding "or National Association of Insurance Commissioners Regulation # 672, Appendix B." The Department adopted the proposed language.
The Independent Regulatory Review Commission (IRRC) submitted two comments: (1) requesting that the Department address Capital Blue Cross's concern with regard to the sunsetting of the safe harbor; and (2) requesting the Department address the IFP's request with regard to adding language to § 146a.13(f). Both comments have been addressed as previously explained.
This final-form rulemaking applies to all entities that fall within the definition of a "licensee" in § 146a.2 (relating to definitions) including:
• Licensed insurers as defined in section 201-A of The Insurance Department Act of 1921 (40 P.S. § 65.1-A) and entities doing the business of insurance under The Insurance Company Law of 1921 (40 P.S. §§ 341—991.2610).
• Fraternal benefit societies licensed under sections 2401—2466 of The Insurance Company Law of 1921 (40 P.S. §§ 991.2401—991.2466).
• Producers licensed under sections 601-A—699.1-A of The Insurance Department Act of 1921 (40 P.S. §§ 310.1—310.99a).
• Reinsurance intermediaries licensed under sections 701—710 of The Insurance Department Act of 1921 (40 P.S. §§ 321.1—321.10); insurance administrators licensed under the Insurance Administrator Licensure Act (40 P.S. §§ 324.1—324.13); and other miscellaneous persons or entities licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under The Insurance Department Act of 1921 (40 P.S. §§ 1—326.7).
• Health maintenance organizations holding a certificate of authority under section 201 of the Health Care Facilities Act (35 P.S. § 448.201).
• Nonadmitted insurers that accept business placed through a surplus lines licensee (as defined in section 1602 of The Insurance Company Law of 1921 (40 P.S. § 991.1602)) in this Commonwealth with regard to surplus lines placements placed under sections 1601—1626 of The Insurance Company Law (40 P.S. §§ 991.1601—991.1626).
There will not be any fiscal impact to the Department as a result of this final-form rulemaking.
This final-form rulemaking will not impose costs and will not have a fiscal impact upon the general public.
This final-form rulemaking will not impose additional costs on political subdivisions.
While the Department cannot quantify the exact savings to the private sector, the Department believes that the private sector will see savings due to a reduction in postage and printing costs associated with the annual disclosure.
This final-form rulemaking will not impose additional paperwork on the Department, because no filing is required to be made by licensees. This final-form rulemaking will reduce paperwork for the private sector because it will reduce the need to provide duplicative disclosures.
Effectiveness and Sunset Date
This final-form rulemaking will become effective upon final-form publication in the Pennsylvania Bulletin. The Department continues to monitor the effectiveness of regulations on a triennial basis. Therefore, a sunset date has not been assigned.
Questions or comments regarding this final-form rulemaking may be addressed in writing to Bridget Burke, Regulatory Coordinator, Insurance Department, 1341 Strawberry Square, Harrisburg, PA 17120, fax (717) 772-1969, firstname.lastname@example.org.
Under section 5(a) of the Regulatory Review Act (71 P.S. § 745.5(a)), on July 11, 2018, the Department submitted a copy of the notice of proposed rulemaking, published at 48 Pa.B. 4258, to IRRC and the Chairpersons for the Senate Banking and Insurance Committee and the House Insurance Committee for review and comment.
Under section 5(c) of the Regulatory Review Act, IRRC and the House and Senate Committees were provided copies of comments received as well as other documents when requested. In preparing this final-form rulemaking, the Department has considered all comments from IRRC and the public.
Under section 5.1(j.2) of the Regulatory Review Act (71 P.S. § 745.5a(j.2)), on June 19, 2019, this final-form rulemaking was deemed approved by the House and Senate Committees. Under section 5.1(e) of the Regulatory Review Act, IRRC met on June 20, 2019, and approved this final-form rulemaking.
The Commissioner finds that:
(1) Public notice of proposed rulemaking was given under sections 201 and 202 of the act of July 31, 1968 (P.L. 769, No. 240) and the regulations thereunder, 1 Pa. Code §§ 7.1 and 7.2.
(2) A public comment period was provided as required by law and all comments were considered.
(3) This final-form rulemaking does not enlarge the purpose of the proposed rulemaking published at 48 Pa.B. 4258.
(4) This final-form rulemaking adopted by this order is necessary and appropriate for the administration and enforcement of the authorizing statutes.
The Commissioner, acting under the authorizing statutes, orders that:
(a) The regulations of the Department, 31 Pa. Code Chapter 146a, are amended by adding § 146a.3 and amending §§ 146a.1, 146a.2, 146a.12 and 146a.13 to read as set forth in Annex A, with ellipses referring to the existing text of the regulations.
(b) The Department shall submit this final-form rulemaking to IRRC and the House and Senate Committees as required by law.
(c) The Department shall submit this final-form rulemaking to the Office of General Counsel and Office of Attorney General for approval as to legality and form as required by law.
(d) The Department shall certify this final-form rulemaking, as approved for legality and form, and deposit it with the Legislative Reference Bureau, as required by law.
(e) This final-form rulemaking shall take effect immediately upon publication in the Pennsylvania Bulletin.
JESSICA K. ALTMAN,
(Editor's Note: See 49 Pa.B. 3546 (July 6, 2019) for IRRC's approval order.)
Fiscal Note: Fiscal Note 11-257 remains valid for the final adoption of the subject regulation.
TITLE 31. INSURANCE
PART VIII. MISCELLANEOUS PROVISIONS
CHAPTER 146a. PRIVACY OF CONSUMER FINANCIAL INFORMATION
Subchapter A. GENERAL PROVISIONS
§ 146a.1. Purpose.
* * * * *
(c) Compliance. A licensee domiciled in this Commonwealth that is in compliance with this chapter in a state that has not enacted laws or regulations that meet the requirements of Title V of the act of November 12, 1999 (Pub.L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) (15 U.S.C.A. §§ 6801—6827) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.
§ 146a.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context requires otherwise:
* * * * *
Department—The Insurance Department of the Commonwealth.
Federal model privacy form—The model form in 16 CFR Part 313, Appendix A (relating to model privacy form), or a successor provision, which is determined by Federal regulation to be compliant with the requirements of the Gramm-Leach-Bliley Act (15 U.S.C.A. §§ 6801—6827).
Financial institution—An institution the business of which is engaging in activities that are financial in nature or incidental to the financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)). The term does not include the following:
* * * * *
§ 146a.3. Examples and safe harbor.
(a) Compliance. If a licensee uses an example, sample clause or Federal model privacy form, the licensee shall be considered compliant with a corresponding requirement of this chapter to the extent applicable. Licensees may rely on the Federal model privacy form used in accordance with its attached instructions as a safe harbor for compliance with the requirements of this section related to privacy notice content.
(b) Nonexclusive means of compliance. The examples in this chapter, the sample clauses in Appendix A (relating to sample clauses) and the Federal model privacy form are not the exclusive means of compliance with the requirements of this chapter. Licensees may continue to use other types of privacy notices, including notices that contain examples or the sample clauses in Appendix A, or both, provided that the notices accurately describe the licensee's privacy practices and otherwise meet the privacy notice content requirements of this chapter.
(c) Sunset of safe harbor for sample clauses in Appendix A. While licensees may continue to use privacy notices that contain examples and the sample clauses in Appendix A, licensees may not rely on the use of privacy notices containing the sample clauses in Appendix A as a safe harbor for compliance with the privacy notice content requirements of this chapter after July 1, 2019.
Subchapter B. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION
§ 146a.12. Annual privacy notice to customers required.
(1) General rule. A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.
(2) Example. A licensee provides a notice annually if it defines the 12-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year 1, the licensee shall provide an annual notice to that customer by December 31 of year 2.
(b) Exemption to general rule.
(1) A licensee is not required to provide an annual privacy notice under this section if all of the following apply:
(i) The licensee has not changed its policies or practices regarding disclosure of nonpublic personal financial information from those in the most recent notice sent to consumers.
(ii) The disclosure of nonpublic personal financial information is made to only nonaffiliated third parties and meets any of the following requirements:
(A) Is made in accordance with § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing).
(B) Falls within the exceptions in § 146a.32 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions).
(C) Falls within the exceptions in § 146a.33 (relating to other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(2) A licensee that no longer meets the criteria in paragraph (1) shall provide an annual privacy notice under this section.
* * * * *
(d) Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to § 146a.16 (relating to delivery).
§ 146a.13. Information to be included in privacy notices.
* * * * *
(f) Sample clauses and Federal model privacy form. Sample clauses illustrating some of the notice content required by this section are included in Appendix A (relating to sample clauses) and may be found in the Federal model privacy form in 16 CFR Part 313, Appendix A (relating to model privacy form) or National Association of Insurance Commissioners Regulation # 672, Appendix B.
[Pa.B. Doc. No. 19-1206. Filed for public inspection August 9, 2019, 9:00 a.m.]