The Office of General Counsel issued the following informal opinion on March 18, 2003, representing the position of the New York State Insurance Department.

Re: Customer Records and N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0-420.25 (2001) (Reg. 169).

Question Presented:

May a licensee donate former policyholders’ records that are several decades old, which the licensee considers to be of historical value, to a cultural institution without complying with N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0-420.25 (2001) (Regulation 169)?

Conclusion:

No. There is no exception in Regulation 169 for the disclosure of nonpublic personal information that is of a certain age.

Facts:

An insurance agency that has been in operation for several decades has in its possession customer records, such as insurance policies, pertaining to former policyholders. These records are quite old - some going back to the early part of the 20th century. Because the agency considers these records to be of historical value, it would like to donate them to a local museum but is concerned that it would be constrained from doing so by Regulation 169.

Analysis:

Section 420.3(r) of Regulation 169 defines "Nonpublic personal information" as meaning nonpublic personal financial information and nonpublic personal health information.

Section 420.3(s)(1) of Regulation 169 defines "Nonpublic personal financial information" as:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information other than publicly available information.

Section 420.3(u)(1) of Regulation 169 defines "Personally identifiable financial information" as meaning any information:

(i) A consumer provides to a licensee to obtain an insurance product or service from the licensee;

(ii) About a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or

(iii) A licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.

Section 420.3(u)(2) provides examples of information included in the definition of "Personally identifiable financial information":

(a) Information a consumer provides to a licensee on an application to obtain an insurance product or service;

(b) Account balance information and payment history;

(c) The fact that an individual is or has been one of the licensee's customers or has obtained an insurance product or service from the licensee;

(d) Any information about a licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been the licensee's consumer;

(e) Any information that a consumer provides to the licensee or that the licensee or its agent otherwise obtains in connection with collecting on a policy loan or servicing a policy loan;

(f) Any information the licensee collects through an Internet "cookie" (an information collecting device from a web server) to the extent that such information constitutes personally identifiable information; and

(g) Information from a consumer report.

Section 420.3(t) of Regulation 169 defines "Nonpublic personal health information" as meaning health information:

(1) That identifies an individual who is the subject of the information; or

(2) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

The former policyholders would be consumers under Section 420.3(e)(1), which defines a "consumer" as:

(A)n individual who, in this State, seeks to obtain, obtains or has obtained an insurance product or service, directly or through a legal representative, from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information.

In accordance with the above provisions, these former policyholders’ records would come within the definition of "nonpublic personal information" and these former policyholders would come within the definition of "consumers". Disclosure of these records would be subject to the restrictions contained in Regulation 169. Accordingly, the licensee would have to comply with the initial privacy notice and opt-out requirement for financial information pertaining to consumers, as well as the opt-in notice requirement for health information.

Section 420.4(a)(2) provides:

Initial notice requirement.

A licensee shall provide a clear and conspicuous notice that accurately reflects the licensee’s privacy policies and practices to

(2) consumer - a consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by sections 420.14 and 420.15 of this Part.

Section 420.10(a)(1) provides:

Condition for disclosure. Except as otherwise authorized in this Part, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:

(i) the licensee has provided to the consumer an initial notice as required under section 420.4 of this Part;

(ii) the licensee has provided to the consumer an opt out notice as required in section 420.7 of this Part;

(iii) the licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) the consumer does not opt out.

Section 420.10(b)(2) provides:

Application of opt out to all consumers and all nonpublic personal financial information.

(2) Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.

Accordingly, because the museum is a nonaffiliated third party and such a disclosure is not among those authorized by Section 420.14 or 420.15, the licensee could not donate the records containing nonpublic personal financial information to the museum without complying with the initial notice requirement in Section 420.4(a)(2) and providing the opt-out notice required by Section 420.7.

Section 420.17(a) provides:

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

Although Section 420.17(b) contains exceptions to this authorization requirement, none of those exceptions is applicable here. Accordingly, any record containing nonpublic personal health information could not be donated to the museum unless an opt-in authorization was received from the former policyholder.

In conclusion, Regulation 169 is applicable to a licensee who wants to donate former policyholders’ records that contain nonpublic personal information. Accordingly, the licensee may not donate these records to a museum without the requisite notice and appropriate opt-in or opt-out. The only other alternative would be to redact certain information from the records so that they will not come within the definition of nonpublic personal information. This letter is limited to an analysis of Regulation 169. There may be other non-insurance statutes that address a person’s right to privacy.

For further information you may contact Supervising Attorney Joan Siegel at the New York City Office.