Privacy Notices

Background and Basics of the Gramm-Leach-Bliley Act

The insurance, banking and securities industries were dramatically changed with the U.S. Congress's passage of the Gramm-Leach-Bliley Act (GLBA) in November 1999. The new law repealed prohibitions against the merger of banks and securities firms and overturned the 1956 Bank Holding Company Act that required the separation of banking and insurance. This act was the subject of much debate and many compromises.

While recognizing the benefits to be realized by the integration of these services, Congress was also concerned with the sharing of nonpublic financial information. Consequently, late in the summer of 1999, privacy provisions were added to the bill. These privacy requirements are found in Title V of the GLBA. Title V of the GLBA creates two new privacy-related requirements that states are required to implement and apply to insurance agencies: The notice requirement and the opt-out requirement.

The Texas Legislature enacted legislation in 2001 to implement GLBA in Texas, and the Texas Department of Insurance enacted rules for this purpose, now part of the Texas Administrative Code, Title 28, Part 1, Chapter 22, Subchapter A.

Under TDI rules, agencies that disclose nonpublic personal financial information to third parties, other than insurance companies for the purpose of placing insurance, are required to comply with the federal notice and opt-out requirements.

For agencies that don’t share private information with third parties, other than insurance companies for the purpose of placing insurance, TDI rules require them to develop a privacy policy.

Requirements for Agencies

An agent that discloses protected financial information only to the insurance company on whose behalf the information was collected does not have to comply with the notice and opt out requirements so long as the company itself complies with the notice requirements.

However, all agencies are required by TDI rules to develop and maintain a Privacy Policy in their procedures. See the IIAT Privacy Policy for Independent Insurance Agencies below.

If the agent shares the information with anyone other than an insurance company, the agent must provide separate notices and opt out opportunities as required by the rules.

The notice must be provided when a new customer buys the first policy and annually thereafter, and must be provided annually to existing customers. The notice must:

  • describe the categories of information your agency collects;
  • describe the categories of information disclosed to third parties (affiliates and nonaffiliates);
  • describe the parties to whom nonpublic personal information is disclosed;
  • include a right to opt-out if information is shared with nonaffiliated third parties; and
  • describe how the agency protects the confidentiality and security of this information.

In addition, if an agent, for a fee, provides any other services to an individual such as financial, investment or economic advisory services relating to an insurance product, that individual becomes the agent's customer and must be provided with all required notices about the agent's privacy policy and, if the agent plans to share information with any third party, the opportunity to opt out.

The Opt-Out Provision

Agencies that share their customer information with another unrelated business face a separate requirement. These agencies must, before any of this nonpublic information is disclosed, notify the individual of the information sharing and advise the individual of their right to prevent the disclosure (known as the right to opt-out of the information sharing). The company with which the agency shares this information cannot reuse or re-disclose this information unless the consumer agrees to the re-disclosure.

Under the opt-out provision, the right to opt-out is qualified to the extent that it does not prohibit financial institutions from sharing the information for the purposes of completing the transaction for which the information was provided (i.e. when quoting or servicing an insurance policy), or a related transaction. There are two major exceptions:

  • Financial institutions are not required to let customers opt-out of information sharing between the financial institution and a third party that is done under a joint marketing agreement.
  • The financial institution is permitted to disclose customer information to unaffiliated third parties to market the institution's own products and services.

IIAT Sample Privacy Policy for Independent Agencies

NOTE: All agencies are required by TDI rules to develop and maintain a Privacy Policy in their procedures. However, the rules do not specifically require agencies to do anything with this policy.

This information is for educational purposes only. This is not a model policy to be adopted by any agency. The sample privacy policy is to be used only as a guide in developing a privacy policy for an agency. The sample privacy policy should be adapted to the individual practices of an agency.

The sample privacy policy is for an agency that does not disclose nonpublic information to unaffiliated third parties except as a part of a customer’s requested transaction. Agents are exempt from a requirement that an initial “opt out” notice be provided to the customer and the requirement to send an annual privacy notice which describes their privacy policy.

Any agency that shares nonpublic information with unaffiliated third parties outside of the normal business relationship with its customers should obtain legal advice to comply with the laws and rules.

Privacy Policy (sample)

This agency and staff are committed to maintaining the confidentiality of nonpublic, personal information. We do not disclose any nonpublic, personal information about our customers to anyone, except as permitted by law. We do not sell any information about our customers to mailing list companies or mass marketing organizations.

We collect nonpublic financial information about you from the following sources:

• Information we receive from you on applications or other forms;

• Information about your transactions with us, our affiliates or others;

• Information we receive from a consumer reporting agency.

We restrict access to nonpublic personal information to [provide an appropriate description, such as “those employees who need to know that information to provide products or services to you”].

We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal financial information.

The Texas Identity Theft Enforcement and Protection Act became law Sept. 1, 2005, codified as Chapter 48 of the Texas Business and Commerce Code. While insurance agents are exempt from most of the requirements because they are subject to the federal Gramm-Leach-Bliley Act and Texas Insurance Code provisions regarding privacy, they are not exempt from a provision in the law that requires notification to anyone whose sensitive personal information “was, or is reasonably believed to have been, acquired by an unauthorized person.”