
Texas Administrative Code

TITLE 28 INSURANCE
PART 1 TEXAS DEPARTMENT OF INSURANCE
CHAPTER 22 PRIVACY
SUBCHAPTER A INSURANCE CONSUMER FINANCIAL INFORMATION PRIVACY
RULE §22.10 Information to be Included in Privacy Notices

(a) Simplified nondisclosure notice requirements. A covered entity that does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to nonaffiliated third parties except as authorized under §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), may comply with this subchapter by providing a simplified notice that expresses:

  (1) the nondisclosure policy stated in this subsection, and

  (2) the information required by subsections (b)(1), (b)(8), (b)(9), and (c) of this section.

(b) Disclosure notice requirements. The initial, annual, and revised privacy notices a covered entity provides under §22.8 of this title (relating to Initial Privacy Notice), §22.9 of this title (relating to Annual Privacy Notice), and §22.12 of this title (relating to Revised Privacy Notices) must include the following items of information, in addition to any other information the covered entity wishes to provide, that applies to the covered entity and to the consumers to whom the covered entity sends its privacy notice.

  (1) The categories of nonpublic personal financial information the covered entity collects. A covered entity satisfies the requirement to categorize the nonpublic personal financial information it collects when the covered entity categorizes it according to the source of the information, as applicable, including:

    (A) information from the consumer;

    (B) information about the consumer's transactions with the covered entity or its affiliates;

    (C) information about the consumer's transactions with nonaffiliated third parties; and

    (D) information from a consumer reporting agency.

  (2) The categories of nonpublic personal financial information the covered entity discloses.

    (A) A covered entity satisfies the requirement to categorize nonpublic personal financial information it discloses when the covered entity categorizes the information according to source, as described in paragraph (1) of this subsection, as applicable, and provides examples to illustrate the types of information in each category, such as:

      (i) information from the consumer, including application information (such as assets and income) and identifying information (such as name, address, and social security number);

      (ii) transaction information (such as information about balances, payment history, and parties to the transaction); and

      (iii) information from consumer reports (such as a consumer's creditworthiness and credit history).

    (B) A covered entity does not adequately categorize the information it discloses when the covered entity uses only general terms (such as transaction information about the consumer).

    (C) A covered entity that reserves the right to disclose all the nonpublic personal financial information about consumers it collects may state that fact without describing the categories or examples of nonpublic personal financial information the covered entity discloses.

  (3) The categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information, other than those parties to whom the covered entity discloses information under §22.18 and §22.19 of this title.

  (4) The categories of nonpublic personal financial information about the covered entity's former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information about the covered entity's former customers, other than those parties to whom the covered entity discloses information under §22.18 and §22.19 of this title.

  (5) A separate description of the categories of information the covered entity discloses and the categories of third parties with whom the covered entity has contracted, if the covered entity discloses nonpublic personal financial information to a nonaffiliated third party under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) and no other exception in §22.18 and §22.19 of this title applies to that disclosure.

  (6) An explanation of the consumer's right under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.

  (7) Any disclosures the covered entity makes under §603(d)(2)(A)(iii) of the federal FCRA (15 U.S.C. §1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).

  (8) The covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information. A covered entity provides an adequate description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:

    (A) describes in general terms who is authorized to have access to the information; and

    (B) states whether the covered entity has security practices and procedures in place to ensure the confidentiality of the information under the covered entity's policy. The covered entity is not required to describe technical information about the safeguards it uses.

  (9) Any disclosure the covered entity makes under subsection (c) of this section.

(c) Description of nonaffiliated third parties subject to exceptions. A covered entity that discloses nonpublic personal financial information to third parties as authorized under §22.18 and §22.19 of this title is not required to list those exceptions in the initial or annual privacy notices required by §22.8 and §22.9 of this title. When describing the categories of parties to whom the covered entity makes disclosures, it is sufficient for the covered entity to state that it makes disclosures to other nonaffiliated companies:

  (1) for the covered entity's everyday business purposes, such as (include all that apply) to process account transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus; or

  (2) as permitted by law.

(d) Appropriate methods of categorizing affiliates and nonaffiliated third parties.

  (1) A covered entity satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the covered entity discloses nonpublic personal financial information about consumers if the covered entity identifies the types of businesses in which they engage.

  (2) Types of businesses may be described by general terms only if the covered entity uses illustrative examples of significant lines of business. For example, a covered entity may use the term "financial products or services" if the notice includes appropriate examples of significant lines of businesses or services, such as life insurer, automobile insurer, consumer banking, or securities brokerage.

  (3) A covered entity also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.

(e) Disclosures under exception for service providers and joint marketers. A covered entity that discloses nonpublic personal financial information under the exception in §22.17 of this title to a nonaffiliated third party to market products or services it offers alone or jointly with another financial institution satisfies the disclosure requirement of subsection (b)(5) of this section if it:

  (1) lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the covered entity used to meet the requirements of subsection (a)(2) of this section, as applicable; and

  (2) states whether the third party is:

    (A) a service provider that performs marketing services on the covered entity's behalf or on behalf of the covered entity and another financial institution; or

Cont'd...
