21-016 Code Vt. R. 21-010-016-X

Current through August, 2024

Section 21 010 016 - PRIVACY OF CONSUMER FINANCIAL AND HEALTH INFORMATION

REGULATION IH-2001-01 (Revised)

ARTICLE I. GENERAL PROVISIONS

Section 1. Authority.

This regulation is promulgated pursuant to the authority granted by 8 V.S.A. §§ 10, 15, 3381, 3541-3543, 3688, 3858, 4062, 4108, 4113, 4201, 4362, 4373, 4464, 4480, 4481, 4515a, 4587, 4690, Chapter 129, 4812, 4836, 4902, 4990, 5104, 5111, 6 015, 8005, 8014, and 8084, and 1972, Act No. 72 (Adj. Sess.), § 1.

Section 2. Purpose; Scope; Compliance.

A. Purpose. This regulation governs the treatment of nonpublic personal financial information and nonpublic personal health information about individuals by all licensees under part 3 of Title 8 V.S.A. This regulation:

(1) Requires a licensee to provide notice to individuals about its privacy policies and practices;

(2) Describes the conditions under which a licensee may disclose nonpublic personal financial information and nonpublic personal health information about individuals to nonaffiliated third parties; and

(3) Requires licensees to obtain consumer consent prior to disclosing that information, subject to the exceptions in sections 14, 15, 16, and 17 of this regulation and subject to the federal Fair Credit Reporting Act and Vermont Fair Credit Reporting Act.

B. Scope.

(1) This regulation applies to:

(a) Nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services from licensees primarily for personal, family, or household purposes; and

(b) All nonpublic personal health information.

(2) This regulation does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes.

C. Compliance.

(1) A licensee subject to this regulation, regardless of its jurisdiction of domicile, shall comply with the provisions of this regulation for transactions with Vermont consumers.

(2) For a consumer who is not a Vermont resident, a licensee domiciled in this State shall be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in this State with respect to that consumer if the licensee is in compliance with a law or regulation enacted in the state of the consumer's domicile that meets the requirements of Title V of the Gramm-Leach-Bliley Act (PL 106-102).

Section 3. Rule of Construction.

The examples in this regulation and the sample clauses in Appendix A are guidance concerning this regulation's application in ordinary circumstances but are not exclusive. The facts and circumstances of each individual situation will determine whether compliance with an example or use of a sample clause constitutes compliance with this regulation.

Section 4. Definitions.

As used in this regulation, unless the context requires otherwise:

A. "Affiliate" has the same meaning as in 8 V.S.A. § 3681(1).

B. "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(1) Examples.

(a) Reasonably understandable. A licensee makes its notice reasonably understandable if it:

i. Presents the information in the notice in clear, concise sentences, paragraphs, and sections;

ii. Uses short explanatory sentences or bullet lists whenever possible;

iii. Uses definite, concrete, everyday words and active voice whenever possible;

iv. Avoids multiple negatives;

v. Avoids legal and highly technical business terminology whenever possible;

vi. Avoids explanations that are imprecise and readily subject to different interpretations; and

vii. Avoids contradictory, confusing, and misleading language.

(b) Designed to call attention. A licensee designs its notice to call attention to the nature and significance of the information in it if the licensee:

i. Uses a plain-language heading to call attention to the notice;

ii. Uses a typeface and type size that are easy to read;

iii. Provides wide margins and ample line spacing;

iv. Uses boldface or italics for key words; and

v. In a form that combines the licensee's notice with other information, uses distinctive type size, style, and graphic devices, such as shading or sidebars.

(c) Notices on websites. If a licensee provides a notice on a web page, the licensee designs its notice to call attention to the nature and significance of the information in it if the licensee:

i. Uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the website (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice; and

ii. Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted or that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.

C. "Collect" means to obtain information that the financial institution organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

D. "Commissioner" means the commissioner of the Department of Financial Regulation.

E. "Company" means any corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.

F.

(1) "Consumer" means an individual who seeks to obtain, obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

(2) Examples.

(a) An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to obtain financial, investment, or economic advisory services relating to an insurance product or service is a consumer regardless of whether the licensee establishes an ongoing advisory relationship.

(b) An applicant for insurance prior to the inception of insurance coverage is a licensee's consumer.

(c) An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.

(d) An individual is a licensee's consumer if the licensee discloses nonpublic personal financial information about the individual to a nonaffiliated third party and one of the following exist:

i. The individual is a beneficiary of a life insurance policy underwritten by the licensee;

ii. The individual is a claimant under an insurance policy issued by the licensee;

iii. The individual is an insured or an annuitant under an insurance policy or an annuity, respectively, issued by the licensee; or

iv. The individual is a mortgagor of a mortgage covered under a mortgage insurance policy.

(e) Provided that the licensee provides the initial, annual, and revised notices under sections 5, 6, and 9 to the plan sponsor, group or blanket insurance policyholder, group annuity contract holder, or workers' compensation plan participant, and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under sections 14, 15, and 16, an individual is not a consumer of the licensee solely because he or she is:

i. A participant in or beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary;

ii. Covered under a group or blanket insurance policy or group annuity contract issued by the licensee; or

iii. A claimant covered by a workers' compensation plan.

(f) The individuals described in subdivisions (e)(i) through (iii) of this subsection F are consumers of a licensee if the licensee does not meet all the conditions of subdivision (e).

(g) In no event shall the individuals, solely by virtue of the status described in subdivisions (e)(i) through (iii) of this subsection F, be deemed to be customers for purposes of this regulation.

(h) An individual is not a licensee's consumer solely because he or she is a beneficiary of a trust for which the licensee is a trustee.

(i) An individual is not a licensee's consumer solely because he or she has designated the licensee as trustee for a trust.

G. "Consumer reporting agency" has the same meaning as in section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a(f)) and shall include any "credit reporting agency" within the meaning of 9 V.S.A. § 2480a(4).

H. "Control" has the same meaning as in 8 V.S.A. § 3681(3).

I. "Customer" means a consumer who has a customer relationship with a licensee.

J. "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(1) Examples.

(a) A consumer has a continuing relationship with a licensee if:

i. The consumer is a current policyholder of an insurance product issued by or through the licensee; or

ii. The consumer obtains financial, investment, or economic advisory services relating to an insurance product or service from the licensee for a fee.

(b) A consumer does not have a continuing relationship with a licensee if:

i. The consumer applies for but does not purchase insurance from the licensee;

ii. The licensee sells the consumer travel insurance in an isolated transaction;

iii. The consumer is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;

iv. The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;

v. The consumer is a beneficiary or claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;

vi. The consumer's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the consumer about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials;

vii. The consumer is an insured or annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or

viii. The consumer's last known address according to the licensee's records is invalid. For purposes of this regulation, an address of record is invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the consumer have been unsuccessful.

K. "Financial institution" means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).

(1) Financial institution does not include:

(a) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. § 1 et seq.);

(b) The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C. § 2001 et seq.); or

(c) Any institution chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as the institution does not sell or transfer nonpublic personal information to a nonaffiliated third party.

L. "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).

(1) Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.

M. "Health care" means:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that:

(a) Relates to the physical, mental or behavioral condition of an individual; or

(b) Affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; or

(c) Prescribing, dispensing, or furnishing to an individual drugs or biologicals, medical devices, or health care equipment and supplies.

N. "Health care provider" means a physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with state law, or a health care facility.

O. "Health information" means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:

(1) The past, present or future physical, mental or behavioral health or condition of an individual;

(2) The provision of health care to an individual; or

(3) Payment for the provision of health care to an individual.

P. "Insurance product or service" means any product or service that is offered by a licensee pursuant to Part 3 of Title 8 V.S.A.

(1) Insurance service includes a licensee's evaluation, brokerage, or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.

Q. "Licensee" means any licensed insurer, producer, or other person licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered pursuant to Part 3 of Title 8 V.S.A., except for a person registered under 8 V.S.A. § 4248.

(1) "Licensee" also means an unauthorized insurer that accepts business placed through a licensed surplus lines broker in this State, but only in regard to the surplus lines insurance placed pursuant to Chapter 138 of Title 8 V.S.A.

(2) A licensee is not subject to the notice and opt-in requirements for nonpublic personal financial information set forth in Articles 1, II, III and IV if the licensee is an employee, agent, or other representative of another licensee ("the principal") and:

(a) The principal otherwise complies with and provides the notices required by this regulation; and

(b) The licensee does not disclose any nonpublic personal financial information to any person other than the principal or its affiliates except in a manner permitted by this regulation.

(3) A surplus lines broker or surplus lines insurer shall be deemed to be in compliance with the notice and opt- in requirements for nonpublic personal financial information set forth in Articles I, II, III and IV provided that:

(a) The broker or insurer does not disclose nonpublic personal information of a consumer or customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under section 14, except as permitted by section 15 or 16; and

(b) The broker or insurer delivers a notice to the consumer at the time a customer relationship is established on which the following is printed in 16 -point type:

PRIVACY NOTICE

"Neither the U.S. brokers that handled this insurance nor the insurers that have underwritten this insurance will disclose nonpublic personal information concerning the buyer to nonaffiliates of the brokers or insurers except as permitted by law."

R. "Nonaffiliated third party" means any person except a licensee's affiliate or a person employed jointly by a licensee and any company that is not the licensee's affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

(1) "Nonaffiliated third party" includes any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) of the federal Bank Holding Company Act and 8 V.S.A. § 12603 or insurance company investment activities of the type described in section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. § 1843(k)(4)(H) and (I)).

S. "Nonpublic personal health information" means health information:

T. "Nonpublic personal financial information" means personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

(1) "Nonpublic personal financial information" does not include:

(a) Health information;

(b) Publicly available information, except as included on a list described in subdivision (1)(c) of this subsection 1T; or

(c) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

(2) Examples.

(a) Nonpublic personal financial information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.

(b) Nonpublic personal financial information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

U. "Nonpublic personal health information" means health information that identifies an individual who is the subject of the information or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

V. "Opt in" or "Opt-in" means the written or, if the consumer agrees, electronic authorization of the consumer allowing a licensee to disclose nonpublic personal financial information to a nonaffiliated third party, other than as permitted under sections 14, 15, or 16.

W. "Personally identifiable financial information" means any information that a consumer provides to a licensee to obtain an insurance product or service from the licensee, that is about a consumer a n d results from a transaction involving an insurance product or service between a licensee and a consumer, or that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.

(1) Examples.

(a) Information included. Personally identifiable financial information includes:

i. Information a consumer provides to a licensee on an application to obtain an insurance product or service;

ii. Account balance information and payment history;

iii. The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee;

iv. Any information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer;

v. Any information that a consumer provides to a licensee or that the licensee or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;

vi. Any information the licensee collects through an Internet cookie (an information-collecting device from a web server); and

vii. Any information from a consumer report.

(b) Information not included. Personally identifiable financial information does not include:

i. Health information;

ii. A list of names and addresses of customers of an entity that is not a financial institution; or

iii. Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

X. "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state, or local law.

(1) Reasonable basis. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:

(a) That the information is of the type that is available to the general public; and

(b) Whether an individual can direct that the information not be made available to the general public and, if so, that the licensee's consumer has not done so.

(2) Examples.

(a) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.

(b) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, television or radio program, newspaper, or website that is available to the general public on an unrestricted basis. A website is not restricted merely because an Internet service provider or site operator requires a fee or password, so long as access is available to the general public.

(c) Reasonable basis.

i. A licensee has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the licensee has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.

ii. A licensee has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the licensee has located the telephone number in the telephone book or the consumer has informed the licensee that the telephone number is not unlisted.

ARTICLE II. PRIVACY AND OPT IN NOTICES FOR NONPUBLIC PERSONAL INFORMATION

Section 5. Initial Privacy Notice to Consumers Required.

A. Initial notice requirement. A financial institution shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices with respect to nonpublic personal information to:

(1) Customer. An individual who becomes the financial institution's customer, not later than when the financial institution establishes a customer relationship, except as provided in subsection E of this section; and

(2) Consumer. A consumer, before the financial institution discloses any nonpublic personal information about the consumer to any nonaffiliated third party, if the financial institution makes a disclosure other than as authorized by Sections 15, 16 and 17.

B. When initial notice to a consumer is not required. A financial institution is not required to provide an initial notice to a consumer under subsection A(2) of this section if:

(1) the financial institution does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by Sections 15, 16 and 17, and the financial institution does not have a customer relationship with the consumer; or

(2) a notice has been provided by an affiliate, as long as the notice clearly identifies all affiliates to whom the notice applies and is accurate with respect to the financial institution and the other affiliates.

C. When the financial institution establishes a customer relationship.

(1) General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship.

(2) Examples of establishing customer relationship. A licensee establishes a customer relationship when the consumer:

(a) Becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an insurance producer or insurance broker, obtains insurance through that licensee; or

(b) Agrees to obtain financial, economic, or investment advisory services relating to insurance products or services for a fee from the licensee.

D. Existing customers. When an existing customer obtains a new insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, the licensee satisfies the initial notice requirements of subsection A of this section 5 as follows:

(1) The licensee provides a revised policy notice under section 9 that covers the customer's new insurance product or service; or

(2) If the initial, revised, or annual notice that the licensee most recently provided to the customer was accurate with respect to the new insurance product or service, the licensee does not need to provide a new privacy notice under subsection A of this section 5.

E. Exceptions to allow subsequent delivery of notice.

(1) A licensee may provide the initial notice required by subdivision A(1) of this section 5 within a reasonable time after the licensee establishes a customer relationship if:

(a) Establishing the customer relationship is not at the customer's election; or

(b) Providing notice not later than when the financial institution establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.

(2) Examples.

(a) Not at customer's election. Establishing a customer relationship is not at the customer's election if the licensee acquires or is assigned the customer's policy from another financial institution or residual market mechanism and the customer does not have a choice about the licensee's acquisition or assignment.

(b) Substantial delay of customer's transaction. Providing notice not later than when a licensee establishes a customer relationship would substantially delay the customer's transaction when the licensee and the individual agree over the phone to enter into a customer relationship involving prompt delivery of the insurance product or service.

(c) No substantial delay of customer's transaction. Providing notice not later than when the licensee establishes a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at the licensee's office or through other means by which the customer may view the notice, such as on a website.

F. Delivery. When a financial institution is required to deliver an initial privacy notice by this section, the financial institution shall deliver it according to Section 10. If the financial institution uses a short-form initial notice for non-customers according to Section 7D, the financial institution may deliver its privacy notice according to Section 7D(3).

Section 6. Annual Privacy Notice to Customers Required.

A. General rule. Except as provided in subsection D of this section 6, a licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices with respect to nonpublic personal information not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12 consecutive-month period, but the licensee shall apply it to the customer on a consistent basis.

(1) Example. A licensee provides a notice annually if it defines the 12 consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the licensee provided the initial notice. For example, if a customer opens an account on any day of year one, the licensee shall provide an annual notice to that customer by December 31 of year two.

B. Termination of customer relationship. A licensee is not required to provide an annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.

(1) Examples. A licensee no longer has a continuing relationship with an individual in any of the following circumstances:

(a) The individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee.

(b) The individual's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the individual about the relationship for a period of twelve (12) consecutive months, other than to provide annual privacy notices, material required by law or regulation, or promotional materials.

(c) The individual's last known address according to the licensee's records is deemed invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.

(d) In the case of providing real estate settlement services, at the time the individual completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.

C. Delivery. When a licensee is required by this section to deliver an annual privacy notice, the licensee shall deliver it according to section 10.

D. Exception to general rule.

(1) When exception available. A licensee is not required to deliver an annual privacy notice to a customer if the licensee:

(a) Provides nonpublic personal information to nonaffiliated third parties only in accordance with sections 14, 15, and 16;

(b) Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent privacy notice (whether initial, annual, or revised) provided pursuant to this regulation;

(c) Posts its current privacy notice continuously and in a clear and conspicuous manner on a page of its website on which the only content is the privacy notice and instructions for a consumer to revoke a prior opt-in direction with respect to the licensee's sharing of the consumer's nonpublic personal information, if applicable, and which is accessible without requiring a consumer to provide any information such as a login name or password or agree to any conditions to access the page; and

(d) Maintains availability of its current privacy notice to customers upon request.

(2) Delivery of annual privacy notice after licensee no longer meets the requirements for the exception. If a licensee has been excepted from delivering an annual privacy notice pursuant to subsection D(1) of this section 6 and changes its policies and practices in such a way that it no longer meets the requirements for the exception, the licensee must deliver a new privacy notice to customers at least 6 0 days prior to the effective date of the change in its policies or practices. The new privacy notice will be treated as an initial privacy notice for purposes of this regulation and the licensee's obligation to provide an annual privacy notice thereafter shall be determined in accordance with the requirements and exceptions of this section.

Section 7. Information to be Included in Privacy Notices.

A. General rule. The initial, annual, and revised privacy notices that a licensee provides under sections 5, 6, and 9 shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:

(1) The categories of nonpublic personal information that the licensee collects;

(2) The categories of nonpublic personal information that the licensee discloses;

(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information, other than those parties to whom the licensee discloses information under sections 14, 15 and 16;

(4) The categories of nonpublic personal information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information about the licensee's former customers, other than those parties to whom the licensee discloses information under sections 14, 15 and 16;

(5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under section 14 (and no other exception in section 15 or 16 applies to that disclosure), a separate description of the categories of information that the licensee discloses as modified by section 14 and the categories of nonaffiliated third parties with whom the licensee has contracted;

(6) An explanation of the consumer's right to opt in under subsection 11A prior to the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at any time;

(7) Any disclosures that the licensee makes under section 603(d)(2)(A) (iii) of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a(d)(2)(A)(iii)) and the federal implementing regulations, as modified by 15 U.S.C. § 1681t(b)(2) and the Vermont Fair Credit Reporting Act, 9 V.S.A. § 2480e (those that, under Vermont law, require that consumers consent prior to disclosures of information among affiliates);

(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and

(9) Any disclosure that the licensee makes under subsection B of this section 7.

B. Description of parties subject to exceptions. If a financial institution discloses nonpublic personal information as authorized under Sections 15, 16 and 17, the financial institution is not required to list those exceptions in the initial or annual privacy notices required by Sections 5 and 6. When describing the categories of parties to whom disclosure is made, the financial institution is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.

C. Examples.

(1) Categories of nonpublic personal information that the financial institution collects. A financial institution satisfies the requirement to categorize the nonpublic personal information it collects if the financial institution categorizes it according to the source of the information, as applicable:

(a) Information from the consumer;

(b) Information about the consumer's transactions with the financial institution or its affiliates;

(c) Information about the consumer's transactions with nonaffiliated third parties; and

(d) Information from a consumer reporting agency.

(2) Categories of nonpublic personal financial information a financial institution discloses.

(a) A financial institution satisfies the requirement to categorize nonpublic personal information it discloses if the financial institution categorizes the information according to source, as described in subdivision (1) of this subsection C, as applicable, and provides a few examples to illustrate the types of information in each category. These might include:

(i) Information from the consumer, including application information, such as assets and income and identifying information, such as name, address and social security number;

(ii) Transaction information, such as information about balances, payment history and parties to the transaction; and

(iii) Information from consumer reports, such as a consumer's creditworthiness and credit history.

(b) A financial institution does not adequately categorize the information that it discloses if the financial institution uses only general terms, such as transaction information about the consumer.

(c) If a financial institution reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the financial institution may simply state that fact without describing the categories or examples of nonpublic personal financial information that the financial institution discloses.

(3) Categories of affiliates and nonaffiliated third parties to whom the financial institution discloses.

(a) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.

(b) Types of businesses may be described by general terms only if the licensee uses a few illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of businesses, such as life insurer, automobile insurer, consumer banking, or securities brokerage.

(c) A licensee also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.

(4) Disclosures under exception for service providers and joint marketers. If a financial institution discloses nonpublic personal financial information under the exception in Section 14 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the financial institution satisfies the disclosure requirement of Subsection A(5) of this section if it:

(a) Subject to the limitations in Section 14, lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the financial institution used to meet the requirements of Subsection A(2) of this section, as applicable; and

(b) States whether the third party is:

(i) A service provider that performs marketing services on the financial institution's behalf or on behalf of the financial institution and another financial institution; or

(ii) A financial institution with whom the financial institution has a joint marketing agreement.

(5) Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under sections 14, 15, and 16, the licensee may simply state that fact, in addition to the information it must provide under subsections A(1), A(8), A(9), and B of this section 7.

(6) Confidentiality and security. A financial institution describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it does both of the following:

(a) Describes in general terms who is authorized to have access to the information; and

(b) States whether the financial institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the financial institution's policy. The financial institution is not required to describe technical information about the safeguards it uses.

D. Short-form initial notice with opt in notice for non-customers.

(1) A financial institution may satisfy the initial notice requirements in Sections 5A(2) and 8C for a consumer who is not a customer by providing a short-form initial notice at the same time as the financial institution delivers an opt in notice under Section 8.

(2) A short-form initial notice shall:

(a) Be clear and conspicuous;

(b) State that the licensee's privacy notice is available upon request; and

(c) Explain a reasonable means by which the consumer may obtain that notice.

(3) The licensee shall deliver its short-form initial notice according to section 10. The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to section 10.

(4) Examples of obtaining privacy notice. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee:

(a) Provides a toll-free telephone number that the consumer may call to request the notice; or

(b) For a consumer who conducts business in person at the financial institution's office, maintains copies of the notice on hand that the financial institution provides to the consumer immediately upon request.

E. Future disclosures. The financial institution's notice may include:

(1) Categories of nonpublic personal financial information that the financial institution reserves the right to disclose in the future, but does not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom the financial institution does not currently disclose, nonpublic personal financial information.

F. Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix A.

G. Federal Model Privacy Form.

(1) Vermont statutes and regulations relating to consumer privacy contain privacy notice content requirements with significant differences from federal content requirements. Among other differences, Vermont is an "opt-in" state.

(2) Federal Regulation P (Privacy of Consumer Financial Information), 12 C.F.R. Part 1016, contains a model privacy form at Appendix to Part 1016 - Model Privacy Form ("Federal Model Privacy Form").

(3) A licensee that uses the Federal Model Privacy Form in accordance with the instructions for use of the Federal Model Privacy Form as set forth in the Appendix to Part 1016, as supplemented by the requirements of this subsection, is in compliance with the content notice requirements of this regulation. Use of the Federal Model Privacy Form is not required. Licensees may use other types of privacy notices so long as the notices comply with this regulation.

(4) Vermont laws and regulations require licensees to obtain an "opt-in" consent from a consumer prior to sharing nonpublic personal information with an affiliate or nonaffiliated third party, except as otherwise specifically permitted by this regulation. A licensee may use the Federal Model Privacy Form to comply with this regulation in one of the following ways:

Option 1. A licensee may provide a generalized notice to its Vermont consumers that answers "no" to each of the questions about whether it shares information:

(i) "For our affiliates' everyday business purposes - information about your creditworthiness;" and

(ii) "for nonaffiliates to market to you;" OR

Option 2. A licensee may provide a generalized notice to consumers across a number of states, including Vermont, and answer "yes" to the questions in Option 1 above, provided it includes a discussion on the application of Vermont law in the "Other Important Information" box on page 2 of the Federal Model Privacy Form and complies with the requirements in subdivision (5) of this subsection 7G.

(5) A financial institution that chooses to use the Federal Model Privacy Form as provided in Option 2 above shall provide the following information:

(a) The "Other Important Information" box on the Federal Model Privacy Form contains statements that convey the following information:

Other Important Information

For Vermont Members/Customers.

We will not disclose information about your creditworthiness to our affiliates and will not disclose your personal information, financial information, credit report, or health information to nonaffiliated third parties to market to you, other than as permitted by Vermont law, unless you authorize us to make those disclosures.

Additional information concerning our privacy policies can be found at [website link] or call [telephone number].

AND

(b) The additional information provided on the financial institution's website contains the information required by this regulation; to the extent such information is not already included in the financial institution's privacy notice.

Section 8. Form of Opt in Notice to Consumers and Opt in Methods.

A. Form of opt- in notice. A licensee required to provide an opt-in notice under subsection 11A may not disclose any nonpublic personal financial information pertaining to a consumer to a nonaffiliated third party unless the licensee:

(1) Has provided to the consumer a clear and conspicuous notice, in writing or electronic form, of the categories of nonpublic personal financial information that may be disclosed and the categories of nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information;

(2) Has identified the financial products or services that the consumer obtains from the licensee, either singly or jointly, to which the opt-in direction would apply;

(3) Has identified the methods by which the consumer may subsequently revoke the opt-in direction;

(4) Has clearly and conspicuously requested in writing or electronic form that the consumer affirmatively authorizes such disclosure; and

(5) Has obtained from the consumer such affirmative consent and such consent has not been withdrawn.

B. Unreasonable revocation of opt-in direction. The licensee does not provide a reasonable means of revoking an opt- in direction if the only means is for the consumer to write his or her own letter or use a check-off box that was provided with the initial notice but is not included with subsequent notices.

C. Duration and withdrawal of consent. A consumer's direction to opt in under this subsection is effective until the consumer revokes it in writing or, if the consumer agrees, electronically; provided, however, that any withdrawal or revocation of consent is subject to the rights of a licensee that acted reasonably in reliance on the consent prior to knowledge of its withdrawal or revocation. When a customer relationship terminates, the customer's opt-in direction continues to apply to the nonpublic personal financial information collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt-in direction that applied to the former relationship does not apply to the new relationship.

D. A licensee may not disclose any aggregate list of consumers containing or derived from nonpublic personal financial information to a nonaffiliated third party unless the licensee has satisfied, for each consumer on the list, the requirements of subdivisions (1) through (5) of subsection 8A.

E. This section shall not restrict a licensee from disclosing nonpublic personal financial information as authorized in sections 14, 15, and 16.

F. A licensee shall retain the opt-in direction in the record of the individual who is the subject of nonpublic personal financial information.

G. Joint relationships. If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may only disclose nonpublic personal financial information of a consumer to a nonaffiliated third party after obtaining an affirmative consent notice from that consumer. Joint information may only be disclosed after obtaining the affirmative consent notice from all joint consumers of the product or service.

H. Same form as initial notice permitted. A licensee may provide the opt- in notice required by this section together with or on the same written or electronic form as the

initial notice the licensee provide in accordance with Section 5.

I. Initial notice required when opt- in notice under this section delivered subsequent to initial notice. If a licensee provides the opt-in notice later than required for the initial notice in accordance with Section 5, the licensee shall also include a copy of the initial notice with the opt- in notice in writing or, if the consumer agrees, electronically.

J. Delivery. When a licensee is required to deliver an opt- in notice by this section, the licensee shall deliver it according to section 10.

Section 9. Revised Privacy Notices.

A. General rule. Except as otherwise authorized in this regulation, a financial institution shall not, directly or through an affiliate, disclose any nonpublic personal information about a consumer to any nonaffiliated third party other than as described in the initial notice that the financial institution provided to that consumer under Section 5, unless:

(1) The financial institution has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;

(2) The financial institution has provided to the consumer a new opt in notice; and

(3) The consumer has provided affirmative consent to the disclosure described in the notice.

B. Examples.

(1) Except as otherwise permitted by Sections 14, 15 and 16, a financial institution shall provide a revised notice before it:

(a) Discloses a new category of nonpublic personal financial information to any nonaffiliated third party;

(b) Discloses nonpublic personal financial information to a new category of nonaffiliated third party; or

(c) Discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not given affirmative consent regarding that disclosure.

(2) A revised notice is not required if the financial institution discloses nonpublic personal financial information to a new nonaffiliated third party that the financial institution adequately described in its prior notice.

C. Delivery. When a financial institution is required to deliver a revised privacy notice by this section, the financial institution shall deliver it according to Section 10.

D. Nothing in this regulation shall relieve any financial institution of any requirement under the federal or Vermont Fair Credit Reporting Acts or regulations promulgated thereunder with respect to notice and consumer consent for disclosures to affiliates.

Section 10. Delivery.

A. How to provide notices. A licensee shall provide any notices that this regulation requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees to electronic receipt, transmit them electronically.

B. Examples of reasonable expectation of actual notice. A licensee may reasonably expect that a consumer will receive actual notice if the licensee:

(1) Hand-delivers a printed copy of the notice to the consumer;

(2) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing, or other written communication;

(3) For a consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service; or

(4) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular insurance product or service.

C. Examples of unreasonable expectation of actual notice. A licensee may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it:

(1) Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or

(2) Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the licensee electronically.

D. Annual notices only. A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if:

(1) The customer uses the licensee's website to access insurance products and services electronically and agrees to receive notices at the website and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the website; or

(2) The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.

E. Oral description of notice insufficient. A licensee may not provide any notice required by this regulation solely by orally explaining the notice, either in person or over the phone.

F. Retention or accessibility of notices for customers.

(1) For customers only, a licensee shall provide the initial notice required by subsection 5A, the annual notice required by subsection 6A, and the revised notice required by section 9 so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.

(2) Examples of retention or accessibility. A licensee provides a privacy notice to the customer so that the customer can retain it or obtain it later if the licensee:

(a) Hand-delivers a printed copy of the notice to the customer;

(b) Mails a printed copy of the notice to the last known address of the customer; or

(c) Makes its current privacy notice available on a website (or a link to another website) for the customer who obtains an insurance product or service electronically and agrees to receive the notice at the website.

G. Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide a notice on behalf of another financial institution.

H. Joint relationships. If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of sub sections 5A, 6A, and 9A, respectively, by providing one notice to those consumers jointly.

ARTICLE III. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION

Section 11. Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.

A. Conditions for disclosure. Except as otherwise authorized in this regulation, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:

(1) The licensee has provided to the consumer an initial notice as required under section 5;

(2) The licensee has provided to the consumer an opt- in notice under section 8; and

(3) The consumer has authorized the disclosure in writing or electronically.

B. Application of opt- in to all consumers and all nonpublic personal financial information.

(1) A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.

(2) Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after providing the opt-in notice.

C. Partial opt-in. A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt in.

Section 12. Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information.

A. Information the licensee receives under an exception.

(1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in section 15 or 16, the licensee's disclosure and use of that information is limited as follows:

(a) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information;

(b) The licensee may disclose the information to its affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information; and

(c) The licensee may disclose and use the information pursuant to an exception in section 15 or 16 in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

(2) Example. If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention or in response to a properly authorized subpoena. The licensee may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.

B. Information a licensee receives outside of an exception.

(1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than pursuant to an exception in section 15 or 16, the licensee may disclose the information only:

(a) To the affiliates of the financial institution from which the licensee received the information;

(b) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information; and

(c) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.

(2) Example. If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in section 15 and 16:

(a) The licensee may use that list for its own purposes; and

(b) The licensee may disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the absence or limitation of the opt-in direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in section 15 or 16, such as to the licensee's attorneys or accountants.

C. Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception ins Section 15 or 16, the third party may disclose and use that information only as follows:

(1) The third party may disclose the information to the licensee's affiliates;

(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

(3) The third party may disclose and use the information pursuant to an exception in section 15 or 16 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

D. Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in section 15 or 16, the third party may disclose the information only:

(1) To the licensee's affiliates;

(2) To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and

(3) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.

E. Nothing in this regulation shall authorize any licensee to make any disclosure to an affiliate not otherwise in compliance with the requirements of the federal Fair Credit Reporting Act or regulations promulgated thereunder or the Vermont Fair Credit Reporting Acts, including, but not limited to, notice and consumer consent.

Section 13. Limits on Sharing Account Number Information for Marketing Purposes.

A. General prohibition on disclosure of policy or account numbers. A licensee shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer's policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. A licensee shall not provide a policy number or similar form of access number or access code to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

B. Exceptions. Subsection A of this section 13 does not apply if a licensee discloses a policy number or similar form of access number or access code:

(1) To the licensee's service provider solely in order to perform marketing for the licensee's own products or services, as long as the service provider is not authorized to directly initiate charges to the account;

(2) To a licensee who is a producer solely to perform marketing for the licensee's own products or services; or

(3) To a participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

C. Examples.

(1) Policy number. A policy number or similar form of access number or access code includes a number or code in an encrypted form.

(2) Policy or transaction account. For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. An account is not a transaction account if a third party cannot initiate charges to it.

ARTICLE IV. EXCEPTIONS TO LIMITS ON DISCLOSURES OF NONPUBLIC PERSONAL INFORMATION

Section 14. Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing.

A. General rule.

(1) The opt in requirements in Sections 8 and 11 do not apply when a financial institution provides nonpublic personal information to a nonaffiliated third party to perform services for the financial institution or functions on the financial institution's behalf, if the financial institution:

(a) Provides the initial notice in accordance with subsection 5A;

(b) Enters into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the financial institution disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes; and,

(c) For joint agreements for marketing, provides only the consumer's name, contact information, and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a(d)(2)(A)(i)) and the Vermont Fair Credit Reporting Act (9 V.S.A. § 2480a(2)(A)).

(2) Examples.

(a) If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee's contractual agreement with that institution meets the requirements of subdivision (1)(b) of subsection A of this section if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in Section 15 or 16 in the ordinary course of business to carry out that joint marketing.

(b) A licensee that complies with the provisions of subdivisions A(1)(a) and (b) of this section 14 may provide nonpublic personal financial information to a service provider that is a nonaffiliated third party agent of that licensee (e.g. an insurance agent who is an independent contractor as to the licensee) to enable the agent to offer, renew, or service products on behalf of the licensee.

Such disclosure shall not be subject to the limitations of subdivision A(1)(c) of this section 14.

B. Service may include joint marketing. The services a nonaffiliated third party performs for a financial institution under subsection A of this section may include marketing of the financial institution's own products or services or marketing of financial products or services offered pursuant to joint agreements between the financial institution and one or more financial institutions.

C. Definition of "joint agreement." "Joint agreement" means a written contract pursuant to which a financial institution and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.

Section 15. Exceptions to Notice and Opt In Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions.

A. Exceptions for processing transactions at consumer's request. The requirements for initial notice in Section 5A(2), the opt in requirements in Sections 8 and 11, and service providers and joint marketing in Section 14 do not apply if the financial institution discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with:

(1) Servicing or processing an insurance product or service that a consumer requests or authorizes;

(2) Maintaining or servicing the consumer's account with a licensee or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;

(3) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

(4) Reinsurance or stop loss or excess loss insurance; or

(5) Administering a workers compensation claim.

B. Definition of "necessary to effect, administer, or enforce a transaction." For purposes of this section, "necessary to effect, administer, or enforce a transaction" means that the disclosure is:

(1) Required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out the transaction or providing the product or service; or

(2) Required, or is a usual, appropriate, or acceptable method:

(a) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the insurance product or service;

(b) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(c) To provide a confirmation, statement, or other record of the transaction or information on the status or value of the insurance product or service to the consumer or the consumer's agent or broker;

(d) To accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party;

(e) To underwrite insurance at the consumer's request or for any of the following purposes as they relate to a consumer's insurance: account administration; reporting, investigating, or preventing fraud or material misrepresentation; processing premium payments; processing insurance claims; administering insurance benefits (including utilization review activities); participating in research projects; or as otherwise required or specifically permitted by federal or state law; or

(f) In connection with:

i. The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means;

ii. The transfer of receivables, accounts, or interests therein; or

iii. The audit of debit, credit, or other payment information.

Section 16. Other Exceptions to Notice and Opt In Requirements for Disclosure of Nonpublic Personal Financial Information.

A. Exceptions to opt-in requirements. The requirements for initial notice to consumers in subdivision 5A(2), opt-in in sections 8 and 11, and service providers and joint marketing in section 14 do not apply when a licensee discloses nonpublic personal financial information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

(2) In one of the following circumstances:

(a) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product, or transaction;

(b) To protect against or prevent actual or potential fraud or unauthorized transactions;

(c) For required institutional risk control or for resolving consumer disputes or inquiries;

(d) To persons holding a legal or beneficial interest relating to the consumer; or

(e) To persons acting in a fiduciary or representative capacity on behalf of the consumer;

(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, or the licensee's attorneys, accountants, and auditors;

(4) To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. § 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, Securities and Exchange Commission, Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), and Federal Trade Commission), to state or federal civil or administrative authorities (including, but not limited to, a state insurance authority, a state banking authority, and a state securities authority), self-regulatory organizations, or for an investigation on a matter related to public safety;

(5) In one of the following circumstances:

(a) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); or

(b) From a consumer report reported by a consumer reporting agency;

(6) In connection with a proposed or actual affiliation, reorganization, sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;

(7) In one of the following circumstances:

(a) To comply with federal, state, or local laws, rules, and other applicable legal requirements;

(b) To comply with a properly authorized civil, criminal, or regulatory investigation, or a subpoena or summons by federal, state, or local authorities; or

(c) To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law;

(8) For purposes related to the replacement of a group benefit plan, group health plan, group welfare plan, or workers' compensation plan; or

(9) In the administration of an order or proceeding under chapter 145 of Title 8 V.S.A.

B. Revocation of consent. A consumer may revoke any authorization given to a licensee at any time, subject to the rights of any person that acted in reliance on the authorization prior to notice of the revocation.

ARTICLE V. RULES FOR HEALTH INFORMATION

Section 17. When Authorization Required for Disclosure of Nonpublic Personal Health Information.

A. General rule. A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

B. Exceptions.

(1) Nothing in this section shall prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee:

(a) claims administration;

(b) claims adjustment and management;

(c) underwriting;

(d) policy placement or issuance;

(e) loss control;

(f) ratemaking and guaranty fund functions;

(g) reinsurance and excess loss insurance;

(h) risk management;

(i) case management;

(j) disease management;

(k) quality assurance;

(l) quality improvement;

(m) performance evaluation;

(n) provider credentialing verification;

(o) utilization review;

(p) peer review activities;

(q) actuarial, scientific, medical or public policy research;

(r) grievance procedures;

(s) internal administration of compliance, managerial and information systems;

(t) policyholder service functions;

(u) auditing;

(v) reporting;

(w) database security;

(x) administration of consumer disputes and inquiries;

(y) external accreditation standards;

(z) the replacement of a group benefit plan or workers compensation policy or program;

(aa) activities in connection with a proposed or actual affiliation, reorganization, sale, merger, transfer, or exchange of all or part of a business or operating unit if the disclosure concerns solely consumers of the business or unit;

(bb) disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; or

(cc) any activity otherwise authorized by law.

(2) Nothing in this regulation shall prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee for the following:

(a) detection, investigation, or reporting of actual or potential fraud, misrepresentation, or criminal activity;

(b) detection, investigation, or reporting of actual or potential violations of law or examinations by a civil or administrative agency;

(c) any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services, except as provided in section 20; or

(d) any activity required pursuant to governmental reporting authority or to comply with legal process.

C. Additional insurance functions may be added with the approval of the Commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

Section 18. Authorizations.

A. A valid authorization to disclose nonpublic personal health information pursuant to this Article V shall be in written or electronic form and shall contain all of the following:

(1) The identity of the consumer or customer who is the subject of the nonpublic personal health information;

(2) A general description of the types of nonpublic personal health information to be disclosed;

(3) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure, and how the information will be used;

(4) The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed;

(5) The length of time for which the authorization is valid, which in no event shall be more than 24 months; and

(6) Notice that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.

B. A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this section at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.

C. A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information.

Section 19. Authorization Request Delivery.

A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt in notice pursuant to Section 10, provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or customer unless the financial institution intends to disclose protected health information pursuant to Section 17A.

Section 20. Relationship to Federal Rules.

Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 16 0 and 16 4, (the "federal rule"), if a licensee complies with all requirements of the federal rule and its effective date provision, the licensee shall be deemed to be in compliance with the provisions of this Article; provided, however, that a licensee shall be prohibited from making disclosures under the provisions of 45 C.F.R § 164.514(e)(2) without the consumer's prior written consent.

Section 21. Relationship to State Laws.

Nothing in this regulation shall preempt or supersede existing state law related to medical records, health or insurance information privacy.

ARTICLE VI. ADDITIONAL PROVISIONS

Section 22. Protection and Application of Fair Credit Reporting Acts.

A. No inference shall be drawn on the basis of the provisions of this regulation regarding whether information is transaction or experience information under Section 603 of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a).

B. Nothing in this regulation shall be construed to modify, limit, or supersede the operation of the Vermont Fair Credit Reporting Act (9 V.S.A. §§ 2480a-2480g). No inference shall be drawn on the basis of the provisions of this regulation regarding whether information is transaction or experience information under 9 V.S.A. § 2480a(2). These rules shall not be construed to extend the application of the Vermont Fair Credit Reporting Act to persons who are not residents of Vermont.

Section 23. Nondiscrimination.

A. A licensee shall not unfairly discriminate against a consumer or customer because that consumer or customer has not opted in to the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this regulation.

B. A licensee shall not unfairly discriminate against a consumer or customer because that consumer or customer has not opted in to the disclosure of his or her nonpublic personal health information pursuant to the provisions of this regulation.

Section 24. Violations.

In addition to any other sanctions available to the Commissioner under Vermont law for violations of this regulation, any violation of this regulation shall be deemed to be an unfair method of competition or an unfair or deceptive act or practice in the conduct of the business of insurance in this State for the purposes of chapter 129 of Title 8 V.S.A.

Section 25. Severability.

If any provision of this regulation or its applicability to any person or circumstance is held invalid by a court, the remainder of the regulation or the applicability of the provision to other persons or circumstances shall not be affected.

Section 26. Effective Date.

This revised regulation is effective as of June 20, 2023. Appendix A. Sample Clauses.

Licensees, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act and Vermont Fair Credit Reporting Act, such as a requirement to permit a consumer to opt in to disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

A-1-Categories of information a financial institution collects (all institutions)

A licensee may use this clause, as applicable, to meet the requirement of subdivision 7A(1) to describe the categories of nonpublic personal information the licensee collects.

Sample Clause A-1:

We collect nonpublic personal information about you from the following sources:

-- Information we receive from you on applications or other forms;

-- Information about your transactions with us, our affiliates or others; and

-- Information we receive from a consumer reporting agency.

A-2-Categories of information a financial institution discloses (institutions that disclose outside of the exceptions)

A licensee may use one of these clauses, as applicable, to meet the requirement of subdivision 7A(2) to describe the categories of nonpublic personal financial information the licensee discloses. The licensee may use these clauses if it discloses nonpublic personal financial information other than as permitted by the exceptions in sections 14, 15, and 16.

Sample Clause A-2, Alternative 1:

We may disclose the following kinds of nonpublic personal financial information about you:

-- Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets and income"];

-- Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your account balance, payment history, parties to transactions and credit card usage"]; and

-- Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].

Sample Clause A-2, Alternative 2:

We may disclose all of the information that we collect, as described [describe location in the notice, such as "above" or "below"].

A-3-Categories of information a financial institution discloses and parties to whom the financial institution discloses (institutions that do not disclose outside of the exceptions)

A licensee may use this clause, as applicable, to meet the requirements of subdivisions 7A(2), (3), and (4) to describe the categories of nonpublic personal information about customers and former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses. A licensee may use this clause if the licensee does not disclose nonpublic personal financial information to any party, other than as permitted by the exceptions in sections 15 and 16.

Sample Clause A-3:

We do not disclose any nonpublic personal financial information about our customers or former customers to anyone, except as permitted by law.

A-4-Categories of parties to whom a licensee discloses (institutions that disclose outside of the exceptions)

A licensee may use this clause, as applicable, to meet the requirement of subdivision 7A(3) to describe the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information. This clause may be used if the licensee discloses nonpublic personal financial information other than as permitted by the exceptions in sections 14, 15, and 16, as well as when permitted by the exceptions in sections 15 and 16.

Sample Clause A-4:

We may disclose nonpublic personal information about you to the following types of third parties:

-- Financial service providers, such as [provide illustrative examples, such as "mortgage bankers, securities broker-dealers, and insurance agents"];

-- Non-financial companies, such as [provide illustrative examples, such as "retailers, direct marketers, airlines, and publishers"]; and

-- Others, such as [provide illustrative examples, such as "non-profit organizations"].

We may also disclose nonpublic personal information about you to third parties as permitted by law.

A-5-Service provider/joint marketing exception

A licensee may use one of these clauses, as applicable, to meet the requirements of subdivision 7A(5) related to the exception for service providers and joint marketing in Section 1 4. If a licensee discloses nonpublic personal financial information under this exception, the licensee shall describe the categories of nonpublic personal financial information the licensee discloses and the categories of third parties with which the licensee has contracted.

Sample Clause A-5, Alternative 1:

We may disclose the following information to companies that perform marketing services on our behalf:

-- Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, and income"];

-- Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your account balance, payment history, parties to transactions, and credit card usage"]; and

-- Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].

Sample Clause A-5, Alternative 2:

We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"] to companies that perform marketing services on our behalf.

Sample Clause A-5, Alternative 3:

We may disclose the following information to other financial institutions with which we have joint marketing agreements:

-- The following information we receive from you: "your name and contact information";

-- Information about your transactions with us or our affiliates, such as [provide illustrative examples of own transaction and experience information, such as "your account balance, payment history, parties to transactions, and credit card usage"].

A-6-Explanation of opt in (institutions that disclose to nonaffiliates outside of the exceptions)

A licensee may use this clause, as applicable, to meet the requirement of subdivision 7A(6) to provide an explanation of the consumer's right to authorize the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the method(s) by which the consumer may exercise those rights. The licensee may use this clause if the licensee discloses nonpublic personal financial information to nonaffiliated third parties other than as permitted by the exceptions in sections 14, 15, and 16.

Sample Clause A-6:

We will not disclose nonpublic personal financial information about you to nonaffiliated third parties (other than as permitted by law) unless you authorize us to make that disclosure. Your authorization must be in writing or, if you agree, in electronic form. If you wish to authorize us to disclose your nonpublic personal financial information to nonaffiliated third parties, you may [describe the means to opt in, such as "complete and sign the enclosed, postage prepaid card and mail it to us."]

A-7-Confidentiality and security (all institutions)

A licensee may use this clause, as applicable, to meet the requirement of subdivision 7A(8) to describe its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

Sample Clause A-7:

We restrict access to nonpublic personal information about you to [provide an appropriate description, such as "those employees who need to know that information to provide products or services to you"]. We maintain physical, electronic, and procedural safeguards that comply with state and federal regulations to guard your nonpublic personal information.

21-016 Code Vt. R. 21-010-016-X

EFFECTIVE DATE:
November 17, 2001 Secretary of State Rule Log #01-60
AMENDED:
December 28, 2015 Secretary of State Rule Log #15-054; March 15, 2018 Secretary of State Rule Log #18-010; 6/20/2023 Secretary of State Rule Log #23-015

STATUTORY AUTHORITY:

8 V.S.A. §§ 10, 15, 2214, 2766, 2914, 10201 et seq., 30203