Statutes, codes, and regulations
Delaware Administrative Code
Title 18 - InsuranceConsumer Rights
Privacy of Consumer Financial and Health Information
Section 904-1.0 - General Provisions

18 Del. Admin. Code § 904-1.0

Download
PDF
Current through Register Vol. 28, No. 5, November 1, 2024
Section 904-1.0 - General Provisions
1.1 Authority.

This regulation is promulgated pursuant to the authority granted by 18 Del.C. §§ 311 and 535.

1.2 Purpose.

The purpose of this regulation is to govern the treatment of nonpublic personal financial information about individuals by all licensees of the Delaware Department of Insurance. This regulation:

1.2.1 Requires a licensee to provide notice to individuals about its privacy policies and practices;
1.2.2 Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and
1.2.3 Provides methods for individuals to prevent a licensee from disclosing that information.
1.3 Applicability
1.3.1 This regulation applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees.
1.3.2 A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in Sections 1.0 through 11.0 of this regulation if the licensee is an employee, agent or other representative of another licensee ("the principal") and:
1.3.2.1 The principal otherwise complies with, and provides the notices required by, the provisions of this regulation; and
1.3.2.2 The licensee does not disclose any nonpublic personal information to any person other than the principal or its affiliates in a manner permitted by this regulation.
1.3.3 Examples of employee, agent or other representative of a principal include:
1.3.3.1 An insurance broker, public adjuster or other licensee who is employed by another insurance broker, public adjuster or other licensee;
1.3.3.2 An independent adjuster adjusting a claim or benefit on behalf of an insurer;
1.3.3.3 An insurance agent of an insurer;
1.3.3.4 An insurance producer that has binding authority for an insurer; or
1.3.3.5 A sublicensee of a licensee, whether or not the sublicensee is licensed in any other capacity.
1.3.4 This regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
1.3.5 An excess lines broker or excess lines insurer shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in Sections 1.0 through 11.0 of this regulation, provided that the broker or insurer:
1.3.5.1 Does not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under Section 9.0 of this regulation, except as permitted by Sections 10.0 or 11.0 of this regulation; and
1.3.5.2 Delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16-point type:

PRIVACY NOTICE

NEITHER THE U.S. BROKERS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NON-AFFILIATES OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW.

1.4 Compliance. A licensee domiciled in this state that is in compliance with this regulation in a state that has not enacted laws or regulations that meet the requirements of Title V of the Gramm-Leach-Bliley Act (PL 102-106) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in such other state.
1.5 Rules of Construction
1.5.1 The examples in this regulation, the sample clauses in Appendix A of this regulation and the Federal Privacy Form in Appendix B of this regulation are not exclusive. Compliance with an example, use of a sample clause, or use of the Federal Privacy Model Form, to the extent applicable, constitutes compliance with this regulation.
1.5.2 A licensee may rely on use of the Federal Model Privacy Form in Appendix B of this regulation consistent with the attached instructions, as a safe harbor of compliance with the privacy notice content requirement in this regulation.
1.5.3 Use of the Federal Model Privacy Form is not required. Licensees may continue to use other types of privacy notices, including notices that contain the examples in Appendix A of this regulation, provided that such notices accurately describe the licensee's privacy practices and otherwise meet the notice content requirements of this regulation. However, while a licensee may continue to use privacy notices that contain the examples in this regulation and/or the sample clauses in Appendix A, a licensee may not rely on use of privacy notices with the sample clauses in Appendix A as a safe harbor of compliance with the notice content requirements of this regulation after July 1, 2019.
1.6 Definitions.

As used in this regulation, unless the context requires otherwise:

"Affiliate" means any company that controls, is controlled by or is under common control with another company.

"Clear and Conspicuous" means that a notice is reasonably understandable as provided in subsection 1.7 of this regulation and is designed to call attention to the nature and significance of the information in the notice as provided in subsection 1.8 of this regulation.

"Collect" means to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

"Commissioner" means the Insurance Commissioner of Delaware.

"Company" means a corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.

"Consumer" means an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative as set forth in the examples listed in subsection 1.9 of this regulation.

"Consumer reporting agency" has the same meaning as in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681 a(f)).

"Control" means any action that meets the criteria set forth in subsection 1.10 of this regulation.

"Customer" means a consumer who has a customer relationship with a licensee.

"Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes. Examples of "customer relationship" are set forth in subsection 1.11 of this regulation.

"Financial institution" means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial institution does not include:

* Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1et seq.);

* The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001et seq.); or

* Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

"Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.

"Insurance product or service" means any product or service that is offered by a licensee pursuant to the insurance laws of this state. Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for a insurance product or service.

"Licensee" means all licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to the Insurance Law of this state,. A licensee does not include a domestic insurer transacting insurance in foreign countries only, under the laws and regulations of a foreign country only, and not transacting insurance in any state as defined in 18 Del.C. § 103 of the Delaware Code. Subject to subsection 1.3.2, "licensee" shall also include an unauthorized insurer that accepts business placed through a licensed excess lines broker in this state, but only in regard to the excess lines placements placed pursuant to the Delaware Insurance Code.

"Nonaffiliated Third Party" means any person except a licensee's affiliate or a person employed jointly by a licensee and any company that is not the licensee's affiliate (but nonaffiliated third party includes the other company that jointly employs the person). Nonaffiliated third party includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) or insurance company investment activities of the type described in Section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).

"Nonpublic Personal Information" means nonpublic personal financial information and nonpublic personal health information.

"Nonpublic Personal Financial Information" means personally identifiable financial information; and any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. Examples of lists of nonpublic personal financial information are set forth in subsection 1.12 of this regulation. Nonpublic personal financial information does not include:

* Health information;

* Publicly available information, except as included on a list that meets the definition of "nonpublic personal financial information; or

* Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

"Nonpublic Personal Health Information" means health information that identifies an individual who is the subject of the information; or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

"Personally Identifiable Financial Information" means any information a consumer provides to a licensee to obtain an insurance product or service from the licensee; about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer. Examples of "personally identifiable financial information" are set forth in subsection 1.13 of this regulation.

"Publicly Available Information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine that 1) the information is of the type that is available to the general public; and 2) whether an individual can direct that the information not be made available to the general public and, if so, that the licensee's consumer has not done so. Examples of "publicly available information" are set forth in subsection 1.14 of this regulation.

1.7 A licensee makes its notice "reasonably understandable" for purposes of the defined phrase "clear and conspicuous" if it:
1.7.1 Presents the information in the notice in clear, concise sentences, paragraphs, and sections;
1.7.2 Uses short explanatory sentences or bullet lists whenever possible;
1.7.3 Uses definite, concrete, everyday words and active voice whenever possible;
1.7.4 Avoids multiple negatives;
1.7.5 Avoids legal and highly technical business terminology whenever possible; and
1.7.6 Avoids explanations that are imprecise and readily subject to different interpretations.
1.8 A licensee designs its notice to "call attention to the nature and significance of the information in it" for purposes of the defined phrase "clear and conspicuous" if the licensee:
1.8.1 Uses a plain-language heading to call attention to the notice;
1.8.2 Uses a typeface and type size that is easy to read;
1.8.3 Provides wide margins and ample line spacing;
1.8.4 Uses boldface or italics for key words;
1.8.5 Uses a form that combines the licensee's notice with other information, uses distinctive type size, style, and graphic devices, such as shading or sidebars; and
1.8.6 If applicable, when notice is provided on a web page, designs its notice to call attention to the nature and significance of the information in it if the licensee uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the licensee either:
1.8.6.1 Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
1.8.6.2 Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
1.9 Examples of the defined term "consumer" include:
1.9.1 An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.
1.9.2 An applicant for insurance prior to the inception of insurance coverage is a licensee's consumer.
1.9.3 An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
1.9.4 An individual is a licensee's consumer if:
1.9.4.1 The individual is a beneficiary of a life insurance policy underwritten by the licensee;
1.9.4.2 The individual is a claimant under an insurance policy issued by the licensee;
1.9.4.3 The individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee; or
1.9.4.4 The individual is a mortgagor of a mortgage covered under a mortgage insurance policy and the licensee discloses nonpublic personal financial information about the individual to a nonaffiliated third party other than as permitted under Sections 9.0, 10.0 and 11.0 of this regulation.
1.9.5 Provided that the licensee provides the initial, annual and revised notices under subsections 2.1 and 2.2 and Section 4.0 of this regulation to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, workers' compensation plan participant, and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under Sections 9.0, 10.0 and 11.0 of this regulation, an individual is not the consumer of the licensee solely because he or she is:
1.9.5.1 A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary;
1.9.5.2 Covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or
1.9.5.3 A beneficiary in a workers' compensation plan.
1.9.6 The individuals described in subsections 1.9.5.1 through 1.9.5.3 are consumers of a licensee if the licensee does not meet all the conditions of subsection 1.9.5 of this regulation.
1.9.7 In no event shall the individuals, solely by virtue of the status described in subsections 1.9.5.1 through 1.9.5.3, be deemed to be customers for purposes of this regulation.
1.9.8 An individual is not a licensee's consumer solely because he or she is a beneficiary of a trust for which the licensee is a trustee.
1.9.9 An individual is not a licensee's consumer solely because he or she has designated the licensee as trustee for a trust.
1.10 Examples of the defined term "control" include:
1.10.1 Ownership, control or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
1.10.2 Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or
1.10.3 The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner determines.
1.11 Examples of the defined term "customer relationship" include:
1.11.1 A consumer has a continuing relationship with a licensee if:
1.11.1.1 The consumer is a current policyholder of an insurance product issued by or through the licensee; or
1.11.1.2 The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
1.11.2 A consumer does not have a continuing relationship with a licensee if:
1.11.2.1 The consumer applies for insurance but does not purchase the insurance;
1.11.2.2 The licensee sells the consumer airline travel insurance in an isolated transaction;
1.11.2.3 The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
1.11.2.4 The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;
1.11.2.5 The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
1.11.2.6 The customer's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;
1.11.2.7 The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity;
1.11.2.8 For the purposes of this regulation, the individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or
1.11.2.9 In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.
1.12 Examples of lists of "nonpublic personal financial information" as defined in this regulation include any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers; but does not include any list of individuals' names and addresses that:
1.12.1 Contains only publicly available information;
1.12.2 Is not derived in whole or in part using personally identifiable financial information that is not publicly available; and
1.12.3 Is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
1.13 Examples of the defined term "personally identifiable financial information" include:
1.13.1 Information a consumer provides to a licensee on an application to obtain an insurance product or service;
1.13.2 Account balance information and payment history;
1.13.3 The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee;
1.13.4 Any information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer;
1.13.5 Any information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
1.13.6 Any information the licensee collects through an Internet cookie (an information-collecting device from a web server); and
1.13.7 Information from a consumer report; except that personally identifiable financial information does not include:
1.13.7.1 A list of names and addresses of customers of an entity that is not a financial institution; and
1.13.7.2 Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.
1.14 Examples of the defined term "publicly available information" include:
1.14.1 Government records - Publicly available information in government records includes information in government real estate records and security interest filings.
1.14.2 Widely distributed media - Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
1.14.3 Mortgage information - A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
1.14.4 Telephone number - A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed the public that the telephone number is not unlisted.

18 Del. Admin. Code § 904-1.0

22 DE Reg. 1017 (6/1/2019) (final)