Privacy of Consumer Financial and Health Information: What To Know

By Anas Baig | Reviewed By Maria Khan
Published February 6, 2024

1. Introduction

The Privacy of Consumer Financial and Health Information, also known as Model 672, is a model regulation developed by the National Association of Insurance Commissioners (NAIC) for insurance regulators operating in the United States.

This model regulation establishes various standards and procedures to govern how individuals and organizations collect, process, disclose, and protect consumers' nonpublic personal financial and health information.

Most of these standards relate to providing consumers with appropriate notice about privacy policies and practices, giving them the appropriate opportunity to opt out of any data disclosure, and limiting when and how organizations can disclose consumers’ nonpublic personal financial and health information.

Since these are model regulations, individual states may adopt them with various degrees of modifications to fit their specific legal and regulatory requirements.

Read on to learn more about the Privacy of Consumer Financial and Health Information and the obligations it places upon organizations.

2. Who Needs to Comply with Model 672

Model 672 applies to all licensed insurers, producers, and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered (Licensees) pursuant to the insurance law of a state that has adopted the model regulation.

The provisions of the model regulation are applicable only in relation to:

  • Nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family, or household purposes from licensees; and
  • All nonpublic personal health information.

However, the regulation does not apply to information about individuals or companies that obtain products or services for business, commercial, or agricultural purposes.

3. Definitions of Key Terms

Affiliate

A company that controls, is controlled by or is under common control with another company.

Consumer

An individual who obtains, seeks to obtain, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information, or that individual’s legal representative.

Customer

A consumer who has a customer relationship with a licensee. A customer relationship is a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.

Nonaffiliated Third Party

Any person except:

  • A licensee’s affiliate; or
  • A person employed jointly by both a licensee and a company that is not the licensee’s affiliate (but a nonaffiliated third party includes the other company that jointly employs the person).

Nonaffiliated third parties may include any company that is an affiliate solely by virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities.

4. Privacy Notice Requirements

Initial Privacy Notice to Consumers

A licensee shall provide a clear and conspicuous notice that accurately describes its privacy practices and policies to both its customers and consumers.

A licensee is not required to provide an initial notice to a consumer if:

  • The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than that authorized under the law, and the licensee does not have a customer relationship with the consumer; or
  • An affiliated licensee has provided a notice that clearly identifies all the additional licensees to whom the notice applies and is accurate with respect to the licensee and other institutions.

If an existing customer obtains a new insurance product or service from a licensee for personal, family, or household purposes, then:

  1. The licensee may provide a revised privacy notice that covers the customer’s new product or service; or
  2. If the initial, revised, or annual notice that the licensee most recently provided to that customer covers all the information that may be provided to the customer about the new product or service, a new privacy notice is unnecessary.

Exceptions

A licensee may provide an initial privacy notice within a reasonable period after a customer relationship has been established if:

  1. Establishing the customer relationship is not at the customer’s election; or
  2. Providing the notice no later than when the customer relationship is established would substantially delay the customer’s transaction, and the customer has agreed to receive the notice at a later date.

Annual Privacy Notice to Customers

A licensee shall give their customers an annual clear and conspicuous privacy notice accurately reflecting their most recent privacy practices and policies throughout the ongoing customer relationship.

Exception

A licensee that provides nonpublic personal information to nonaffiliated third parties only as permitted by this regulation, and that has not changed its practices or policies regarding the disclosure of nonpublic personal information since the most recent notice it sent to customers, is not required to send an annual notice until it no longer meets both of these criteria.

A licensee is not required to provide an annual notice to a former customer. A former customer is a person with whom a licensee no longer maintains an ongoing association.

Information to Include in Privacy Notice

The initial, annual, and revised policy notices that a licensee sends to its customers must include the following information in addition to any other information the licensee wishes to provide:

  1. All categories of nonpublic personal financial information the licensee collects;
  2. All categories of nonpublic personal financial information the licensee discloses;
  3. All categories of affiliates and nonaffiliated third parties to whom the licensee discloses the nonpublic personal financial information, excluding those parties with whom the licensee discloses information under the provisions of this law;
  4. All categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses, excluding permitted disclosures under this law;
  5. If a licensee discloses personal financial information to a nonaffiliated third party under the exception to opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing, a separate description of the types of information disclosed by the licensee and the categories of third parties with whom the licensee has entered into agreements;
  6. An explanation of the consumer’s right to opt out of the disclosure of their nonpublic personal financial information to nonaffiliated third parties, including the procedures through which the consumer can exercise this right at that particular moment;
  7. Any disclosures the licensee makes under the federal Fair Credit Reporting Act;
  8. The licensee’s policies and practices in place to protect the confidentiality and security of all nonpublic personal financial information it collects.

The licensee must ensure the privacy notice is reasonably easy to obtain for a consumer. The licensee should:

  • Provide a toll-free telephone number that the consumer may call to request the notice; or
  • For a person who conducts business in person at the licensee’s office, maintain copies of the notice on hand to be provided to the consumer immediately upon request.

Short-Form Initial Notice with Opt-Out Notice for Non-Customers

A licensee may meet the initial notice obligations for a consumer who is not a customer by delivering a short-form initial notice concurrently with the opt-out notice. A short-form initial notice shall:

  • Be clear and conspicuous;
  • State that the licensee’s privacy notice is available upon request;
  • Explain all the ways a consumer may obtain the notice.

Form of Opt-Out Notice to Consumers & Opt-Out Methods

If a licensee is required to provide an opt-out notice, it must provide a clear and conspicuous notice to each consumer. The notice must clearly explain the right to opt out and state the following:

  1. The licensee currently discloses and maintains the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;
  2. The consumer can exercise their right to opt out of the aforementioned disclosure;
  3. All the reasonable means by which the consumer can exercise their right to opt-out.

Reasonable means to opt out include the following:

  • Designated check-off boxes in prominent positions on all relevant forms with the opt-out notice;
  • A reply form together with the opt-out notice;
  • An electronic means to opt-out, such as a form that can be sent via electronic mail or a process at the licensee’s website;
  • A toll-free telephone number that consumers may call to opt-out.

Joint Relationships

If two or more consumers have jointly obtained an insurance product or service from a licensee, the licensee may provide a single opt-out notice. The opt-out notice must address and explain how the licensee will treat an opt-out direction by such a consumer. Any of the joint consumers may exercise the right to opt-out. In such instances, the licensee may either:

  1. Treat an opt-out direction by a joint consumer as applying to all of the associated joint consumers; or
  2. Permit each joint consumer the chance to opt-out separately.

If a licensee permits each joint consumer to opt out separately, the licensee must permit one of the joint consumers to opt-out on behalf of all of the joint consumers. Before implementing any opt-out direction, the licensee may not require all joint consumers to opt-out.

Time to Comply with Opt-Out

The licensee shall promptly adhere to a consumer's opt-out request upon receiving it, and the consumer retains the right to opt-out at any given time.

Duration of the Opt-Out Decision

A consumer’s opt-out direction will remain effective until the consumer revokes it in writing or via electronic means. Once the customer relationship is terminated, the opt-out direction will continue to apply to the nonpublic personal financial information that the licensee collected during or related to that relationship.

If the individual establishes a new customer relationship with the same licensee, the former relationship’s opt-out direction will not apply to the new relationship.

Revised Privacy Notices

Unless specifically authorized under provisions of this regulation, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer, unless:

  1. The licensee has provided the consumer with a clear and conspicuous revised notice that describes this particular policy and practice;
  2. The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure;
  3. The licensee has provided the consumer with a new opt-out notice;
  4. The consumer does not opt-out.

However, a revised notice is not required if the licensee discloses nonpublic personal financial information to a new nonaffiliated third party adequately described in its previous notice.

Privacy Notices to Group Policyholders

Unless the licensee plans on providing privacy notices to all covered individuals, a licensee shall provide initial, annual, and revised notices to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder, or workers’ compensation policyholder as prescribed within the regulation.

Such a notice must describe the licensee’s privacy practices with respect to nonpublic personal information about individuals covered under the policies, contracts, or plans.

Privacy Notice Delivery

A licensee must provide any necessary notices per the requirements of this regulation to each customer who is reasonably expected to receive an annual notice, either in writing or electronically.

A customer can be reasonably expected to receive an annual notice if:

  1. They use the licensee’s website to access insurance products and services electronically and agree to receive notices at the website, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on their website;
  2. They have requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee’s current privacy notice remains available to the customer upon request.

A licensee is prohibited from fulfilling any notice requirements specified by this regulation exclusively through oral explanation, whether in person or over the telephone.

Joint Notices

A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions as long as the notice is accurate with respect to the licensee and the other institutions. A licensee is also allowed to issue a notice on behalf of another financial institution.

When two or more consumers jointly acquire an insurance product or service from a licensee, the licensee can fulfill the initial, annual, and revised notice requirements by issuing a single notice to those consumers jointly.

5. Limits on Disclosure of Financial Information

Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties

Unless authorized by the law, a licensee must not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:

  1. The licensee has provided an initial notice to the consumer;
  2. The licensee has provided an opt-out notice to the consumer;
  3. The licensee has given the consumer a reasonable opportunity to opt out of the disclosure before disclosing the information to the nonaffiliated third party;
  4. The consumer does not opt-out.

Reasonable Opportunity to Opt-Out

A licensee provides a reasonable opportunity to opt out in the following cases:

By Mail

The licensee mails notices to the consumer and provides the consumer with the option to opt-out within 30 days from the date of mailing. This can be done by mailing a form, calling a toll-free telephone number, or utilizing any other reasonable means.

By Electronic Means

A customer who opens an online account with a licensee and opts to receive notices electronically is permitted to opt-out using any reasonable means within 30 days after acknowledging the receipt of notices during the account opening process.

Isolated Transaction with Consumer

In the case of an isolated transaction, such as furnishing a consumer with an insurance quote, a licensee provides the consumer with a fair chance to opt out by presenting the notices during the transaction. The consumer is then asked, as an integral part of the transaction, to decide whether to opt out before concluding the transaction.

Application of Opt-Out

A consumer’s opt-out request will apply to all consumers and nonpublic personal financial information. As a result, the licensee must:

  1. Comply with the aforementioned requirements regardless of whether the licensee and the consumer have established a customer relationship;
  2. Not disclose any nonpublic personal financial information about a consumer, either directly or through any affiliate, that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt-out from the consumer.

A licensee has the option to permit a consumer to choose specific nonpublic personal financial information or particular nonaffiliated third parties from which the consumer wishes to opt-out.

Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

If a licensee has received nonpublic personal financial information from a nonaffiliated financial institution under the law, the licensee’s disclosure and use of that information are limited to the following:

  1. The licensee may disclose the information to the affiliates of the financial institution from whom the licensee has received the information;
  2. The licensee may disclose the information to its affiliates, but these affiliates can disclose and use the information only to the extent that the licensee may disclose and use the information;
  3. The licensee may disclose and use the information under an exception but must limit the use of such information strictly to the provisions provided by the exception.

If a licensee obtains information from a nonaffiliated financial institution for the purpose of claims settlement, the licensee is allowed to disclose the information for fraud prevention or in response to a duly authorized subpoena. However, the licensee is prohibited from disclosing this information to a third party for marketing purposes or using it for its own marketing purposes.

Information a Licensee Receives Outside of an Exception

For nonpublic personal financial information a licensee receives outside of an exception under the law from a nonaffiliated financial institution, the licensee may only disclose the following information to:

  1. The affiliates of the financial institution from which the licensee received the information;
  2. Its own affiliates, but these affiliates may only disclose the information to the extent permissible for the licensees themselves;
  3. Any other person, but only if the disclosure would be lawful had it been made directly to that person by the financial institution from which the licensee received the information.

Information a Licensee Discloses under an Exception

If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception under the law, the third party can only use and disclose such information as follows:

  1. Information can be disclosed to the licensee’s affiliates;
  2. The third-party may disclose such information to its own affiliates, but these affiliates can disclose and use the information only to the extent that the third party may disclose and use the information;
  3. The third party may disclose and use the information under an exception of this regulation but must limit the use of such information strictly to the provisions provided by the exception.

Information a Licensee Discloses outside of an Exception

Lastly, if a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception under the law, the third party may only disclose the information:

  • To the licensee’s affiliates;
  • To its affiliates, but these affiliates can disclose and use the information only to the extent that the third party may disclose and use the information;
  • To any other person, but only if the disclosure would be lawful had it been made directly to that person by the licensee.

Exceptions

The aforementioned opt-out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf if the licensee:

  1. Has provided the initial notice per the requirements of this regulation;
  2. Has entered a contractual agreement with the third party that prohibits the third party from disclosing or using the information in any context other than to carry out the purposes for which the licensee originally disclosed the information.

Limits on Sharing Account Number Information for Marketing Purposes

Other than to a consumer reporting agency, a licensee cannot disclose a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing via electronic mail to the consumer.

However, the aforementioned rule does not apply if a licensee discloses a policy number or similar form of access number or access code to:

  1. The licensee’s service provider solely in order to perform marketing for the licensee’s own products or services as long as the service provider does not have the authorization to initiate charges directly to the account;
  2. A licensee who is a producer solely in order to perform marketing for the licensee’s own products or services;
  3. A participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

6. Provisions for Health Information

Authorization Required for Disclosure of Nonpublic Personal Health Information

A licensee must not disclose any nonpublic personal health information about a customer or consumer unless that customer or consumer provides specific authorization for the disclosure.

However, the law does not restrict, prohibit, or require authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the insurance functions outlined in the law by or on behalf of the licensee. These insurance functions include, but are not limited to, claims administration, adjustment and management, and the detection, investigation, or reporting of actual or potential fraud.

Authorization

A valid authorization under the law to disclose nonpublic personal health information must be in written or electronic form and should contain all of the following information:

  1. Identity of the consumer or customer who is the subject of the nonpublic personal health information;
  2. A general description of the categories of nonpublic personal health information to be disclosed;
  3. General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure, and how the information will be used;
  4. The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the dated signature; and
  5. Notice of the length of time for which the authorization is valid and that the consumer or customer may have the authority to revoke the authorization at any time, and the procedure to revoke such authorization.

The authorization must specify the length of time for which the authorization will remain valid.

However, this period cannot be longer than twenty-four (24) months. The customer or consumer subject to the nonpublic personal health information can revoke this authorization at any time.

The licensee must retain a copy of the authorization in the record of the individual who is the subject of the nonpublic personal health information. Additionally, the consumer or customer may request an authorization form, and an authorization form may be delivered to them as part of the opt-out notice. An authorization form does not need to be provided to the consumer or customer or included in any other notice unless the licensee intends to disclose protected health information under this regulation.

7. How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

This Data Command Center comes equipped with several individual modules that can help organizations effectively manage their compliance efforts. One such module is the privacy notice management solution, which offers organizations a dynamic built-in integration with the rest of their privacy stack to automate updates to privacy policy & notice by tracking changes in cookie consent, universal consent, data processing, and data subject rights activities.

Request a demo and learn more about how Securiti can help you comply with the Privacy of Consumer Financial and Health Information regulation today.
