Questions and Answers for House Bill No. 2157
1. Which terms do I need to know to understand this new law?
Personal information and financial information.
"Personal information" is defined in the law
to mean individually identifiable information gathered in
connection with an insurance transaction, such as your name,
address, and social security number. Personal information
also includes medical information, but it does not include
privileged claim information or any information that is
publicly available.
"Financial information" is defined as personal
information except it does not include medical record information
or payment records for health care to an individual.
Some examples of personal and financial information would
be MVRs, credit reports, and Equifax reports.
2. Do the privacy protection laws apply to commercial
policies?
No, just personal lines policies. The existing privacy
laws in Chapter 6 have always applied to personal lines,
and we have not changed this.
3. Does the agent have to give any of the notices required
under § 38.2-604 and § 38.2-604.1 to an applicant?
It depends on the information the agent is collecting and/or
disclosing. If the agent collects personal information from
a source other than public records or the applicant, such
as an MVR or a credit report, then the notice that has always
been required under § 38.2-604 must be given. If financial
information is disclosed to anyone other than the insurer
or its affiliates except as permitted by the exceptions
in § 38.2-613, then the notice required by § 38.2-604.1
must be given.
If the agent is not disclosing information to anyone other
than the insurer or its affiliates, then the agent does
not have to give an information practices notice as long
as the insurer gives it. In this case, the insurer must
give this notice on the application if information is being
collected from an outside source at the time of application.
If, however, information is not being collected from an
outside source at the time of application, the insurer has
to give the notice at the time the information is collected
unless the notice was on the application.
Finally, if no information is collected from an outside
source, the insurer must give the notice when the policy
is issued.
4. Are the information practices notices under §
38.2-604 and § 38.2-604.1 required to be given to a policyholder
even if the notice has already been given to the applicant?
If so, when?
If the insurer or agent has given the notice required by
§ 38.2-604 at the time of application, the insurer
would not have to provide another notice for 24 months.
However, the notice required by § 38.2-604.1 pertaining
to financial information must be given no later than the
issuance of the policy even if the notice has already been
given to the applicant. It must also be given annually.
5. If the insurer is not planning on disclosing any information
to affiliates or nonaffiliated third parties except as permitted
by § 38.2-613, does a financial information practices
notice have to be given at all?
The only notice that has to be given in this case is one
which (i) states that the insurer does not plan to disclose
information to affiliates or nonaffiliated third parties;
(ii) tells what information is being collected and how that
information is going to be kept secure and confidential;
and (iii) explains that the insurer makes other disclosures
as permitted by law. This provision is found in § 38.2-604.1.
The insurer must still give the notice required by §
38.2-604 every 24 months unless the insurer has combined
the notices required to be given under both § 38.2-604
and § 38.2-604.1 in which case, the one combined notice
must be given annually.
6. What if the agent only gives a quote to someone over
the phone - does the agent have to give that person an
information practices notice?
No. An information practices notice does not have to be
given in this case since that person has not yet become
an applicant.
7. Does an insured have a choice of opting out before
financial information is shared with affiliates?
No, financial information may be shared with affiliates
without providing the insured with an opportunity to opt
out. This is consistent with GLBA and the NAIC model. However,
if financial information is shared with nonaffiliated third
parties and this sharing is not one of the exceptions allowed
in § 38.2-613, then an insured must be given an opportunity
to opt out of this type of disclosure.
8. The law says that an insured does not have to be given
an opportunity to opt out when financial information is shared
with a nonaffiliated third party pursuant to a joint marketing
agreement or when financial information is disclosed for the
purpose of marketing the insurer's own products. What is a
joint marketing agreement?
A joint marketing agreement is defined in the law as a
formal written contract between an insurer and another financial
institution which allows the insurer to endorse or sponsor
a financial product.
9. How much time does the applicant or policyholder have
to direct that he does not want his financial information
disclosed to a nonaffiliated third party?
He has 30 days to opt out of this disclosure.
10. How long does the opt out remain in effect?
It remains in effect until revoked by the individual.
11. Does an explanation of the right to opt out have to
be given when the information practices notice is given?
Yes, the explanation of the right to opt out must be given
when the financial information practices notice is given.
12. May an insurer take any adverse action against an
insured if the insured chooses to opt out (in other words,
if the insured refuses to allow the insurer to disclose his
financial information to a nonaffiliated third party)?
No, it is a violation of Chapter 6 if the insurer unfairly
discriminates against an insured for opting out. This would
include non-renewing the policy or charging higher rates
for the policy just because the insured chooses to opt out.
13. Do group certificate holders have to be given the
financial information practices notice and the opt out notice?
No, as long as the group insurance contract holder is given
the notice and no financial information is disclosed about
the certificate holder to nonaffiliated third parties (other
than as permitted under § 38.2-613). If information
is disclosed on individual certificate holders, the notice
and opt out must be given.
14. Does an insurer have to give the opt out notice required
by § 38.2-612.1 if the insurer discloses financial information
to a nonaffiliated third party about one of its third party
claimants or one of its life beneficiaries?
Yes, if the insurer wishes to disclose financial information
about one of its third party claimants or one of its life
beneficiaries outside of the exceptions in § 38.2-613,
it must give that person an opportunity to opt out.
15. We have mentioned that insurers may share information
without an opt out and without written authorization in certain
situations permitted by law. What are some of these exceptions
mentioned in § 38.2-613?
Insurers may share medical record, financial or privileged
claim information with insurance support organizations,
such as Equifax and ChoicePoint, to process claims, underwrite,
investigate fraud, or to comply with a legal order.
16. May medical record information be shared with affiliates?
Not without the written authorization of the insured, except
as permitted under the exceptions in § 38.2-613.
17. What are the responsibilities of the parties involved
if financial information is given to a nonaffiliated third
party?
In addition to providing the notice required by §
38.2-604.1, there has to be a contract whereby the person
receiving the information agrees to keep the information
confidential and not to use it except as agreed upon in
the contract (such as for marketing).
18. What are an insurer's responsibilities if it receives
financial information from one of its affiliates?
It may only disclose that information to the extent permitted
to be disclosed by the affiliate.
19. When may the insurer send an abbreviated or short
form information practices notice as opposed to sending the
long form?
If the insurer wants to use a short form or abbreviated
notice to explain the insurer's information practices applicable
to financial information, it may only be given to applicants,
not to policyholders. If an abbreviated notice is being
given to explain the company's insurance information practices
applicable to any other personal information such as medical
record information, it may be given to policyholders as
well as to applicants. Some companies may find it easier
to comply with the law by giving the abbreviated notice
only to applicants and not to policyholders.
20. May agents give a short form or abbreviated notice
to the applicant?
Yes.
21. What does the short form or abbreviated notice need
to say?
Since there are now two information practices notice provisions,
a company may give an abbreviated notice under § 38.2-604
and a short form notice under § 38.2-604.1.
Or, if the company wants to combine the requirements into
one abbreviated form, this one notice may only go to the
applicant and will have to tell the applicant that the long
form is available upon request and explain the means by
which the applicant may obtain the long form. It will also
have to be given with the opt out notice required by §
38.2-612.1. It will have to inform the applicant that personal
information may be collected and that such information may
be disclosed in certain circumstances to nonaffiliated third
parties without authorization, and that the right of access
and correction exists with respect to all personal information
collected.
22. If an insurer elects to combine the long form notices
required by § 38.2-604 and § 38.2-604.1, may one
notice be sent to policyholders?
Yes, however, to do this, the insurer will have to make
sure that the one combined notice meets all of the requirements
contained in § 38.2-604 and
§ 38.2-604.1. This also means that the one combined
notice will have to be mailed every year.
23. Are the privacy protection laws applicable to surplus
lines?
Yes, surplus lines brokers have always had to comply with
the provisions of Chapter 6 of Title 38.2. Our regulatory
authority extends to surplus lines brokers rather than surplus
lines carriers.
24. How is the Virginia law different from the NAIC model
and GLBA?
Conceptually, the changes to Virginia law have been made
to be as consistent as possible with both the latest NAIC
model regulation and GLBA. The format is different from
GLBA and the latest NAIC model in that we kept the same
format as the old NAIC model law. And, we did not use the
terms "consumer" and "customer" which
are used in the NAIC model and GLBA. Instead, we kept the
current terms "applicant" and "policyholder."
25. With regard to the provisions in § 38.2-513.1,
may a bank pay or receive a referral fee?
Yes, as long as the compensation is not based on the purchase
of insurance by the customer, is a one-time nominal fee
of a fixed dollar amount for each referral, and the referral
does not include a discussion of specific insurance policy
terms and conditions.
26. Is this a new provision in the law?
Yes, and it is consistent with the Bureau's long-standing
position concerning referral fees.
27. May the disclosures required in § 38.2-513.1
be given electronically?
Yes, if the customer agrees.
28. May the Bureau investigate a bank selling insurance?
Yes, a bank selling insurance would be a licensed agent,
and the Bureau has authority to investigate the affairs
of any person to whom § 38.2-513.1 applies.