The Office of General Counsel issued the following opinion on June 17, 2003 representing the position of the New York State Insurance Department.

Re: Request by the United States Department of Justice for Nonpublic Personal Information.

Question Presented

1. Is N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0-420.25 (2002) (Reg. 169) applicable to the inquirer’s client’s disclosure to the United States Department of Justice of correspondence contained in his personal file?

2. Is N.Y. Comp. Codes R. & Regs. tit. 11, §§ 421.0-421.10 (2002) (Reg. 173) applicable to the inquirer’s client’s disclosure to the United States Department of Justice of correspondence contained in his personal file?

Conclusion

1. The information contained in the inquirer’s client’s personal files is not "nonpublic personal information" pertaining to "customers" or "consumers", as those terms are defined in Regulation 169. Accordingly, Regulation 169 is not applicable to the facts presented.

2. N.Y. Comp. Codes R. & Regs. tit. 11, §§ 421.0-421.10 (2002) (Reg. 173) addresses the physical security of customer records and information and, as such, is not relevant to the inquirer’s inquiry.

Facts

The inquirer’s client, a licensed excess line broker, received a request from the U.S. Department of Justice for copies of correspondence between the inquirer’s client and a sub-producing broker. The inquirer believes that this request arose from a letter that the inquirer wrote to the Arkansas Department of Insurance advising that premiums on a policy covering pregnancy crisis centers in various states had not been paid to the inquirer’s client by the sub-producing broker. The inquirer asks whether the inquirer’s client’s personal file can be disclosed without a court order or subpoena.

Analysis

N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0-420.25 (2002) (Reg. 169), addresses privacy of consumers’ and customers’ nonpublic personal financial and health Information. The purpose and scope of the regulation are set forth in Section 420.1 as follow:

(a) Purpose. This Part governs the treatment of nonpublic personal information about individuals (defined in this Part as consumers or customers) in this State by all licensees of the Insurance Department. This Part:

(1) requires a licensee to provide notice to individuals about its privacy policies and practices;

(2) describes the conditions under which a licensee may disclose nonpublic personal health information and nonpublic personal financial information about individuals to nonaffiliated third parties;

(3) provides methods for individuals to prevent a licensee from disclosing that information; and

(4) provides a method for individuals to prevent a licensee from disclosing nonpublic personal health information by not affirmatively consenting to such disclosure, subject to the exceptions in section 420.17(b) of this Part.

(b) Scope. This Part applies to:

(1) nonpublic personal financial information about individuals who obtain, seek to obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. This Part does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes; and

(2) all nonpublic personal health information.

The term "Nonpublic personal information" is defined in Section 420.3(r) of Regulation 169 as:

(r) Nonpublic personal information means nonpublic personal financial information and nonpublic personal health information.

The term "Nonpublic personal financial information is defined in Section 420.3(s) of Regulation 169 as:

(s) (1) Nonpublic personal financial information means:

(i) personally identifiable financial information; and

(ii) any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information other than publicly available information.

(2) Nonpublic personal financial information does not include:

(i) health information;

(ii) publicly available information, except as included on a list described in subparagraph (1)(ii) of this subdivision; or

(iii)any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information other than publicly available information.

(3) Examples of lists.

(i) Nonpublic personal financial information includes any list of individuals" names and street addresses that is derived in whole or in part using personally identifiable financial information other than publicly available information, such as account numbers.

(ii)Nonpublic personal financial information does not include any list of individuals" names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information other than publicly available information, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

Nonpublic personal health information is defined in Section 420.3(t) of Regulation 169 as:

(t) Nonpublic personal health information means health information:

(1) that identifies an individual who is the subject of the information; or

(2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

The term "consumer" is defined in Section 420.3(e)(1) of Regulation 169 as:

(e)(1) Consumer means an individual who, in this State, seeks to obtain, obtains or has obtained an insurance product or service, directly or through a legal representative, from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information.

The term "customer" is defined in Section 420.3(h) as a "consumer who has a customer relationship with a licensee." The term "customer relationship" is defined in Section 420.3(i)(1) as:

(1) Customer relationship means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family, or household purposes.

As was discussed during a telephone conversation, the information contained in the inquirer’s client’s personal files, rather than being about the inquirer’s client’s customer, relates to transactions between him and the sub-producing broker. As such, it is not "nonpublic personal information" pertaining to "customers" or "consumers", as those terms are defined in Regulation 169. Accordingly, Regulation 169 would not be applicable to the inquirer’s client’s disclosure of the correspondence in his personal files to the Department of Justice.

The inquirer also inquired whether N.Y. Comp. Codes R. & Regs. tit. 11, §§ 421.0-421.10 (2002) (Reg. 173) would be applicable to the inquirer’s facts. This regulation addresses the physical security of customer records and information and, as such, is not relevant to the inquirer’s inquiry.

For further information one may contact Supervising Attorney Joan Siegel at the New York City Office.