Website Main Menu

MONTANA PRODUCER INSURANCE PRIVACY GUIDELINES

  • The statute requiring that the signature of the insured or applicant be obtained before any personal information is collected about that person has been entirely and retroactively repealed.

  • The Montana law puts the primary burden of providing a notice of privacy rights to insureds and applicants on the insurance institution. The notice provisions in the Privacy Act were amended in order to comply with the federal Gramm Leach Bliley Act [GLBA]. Producers are responsible for providing notice only if they are going to collect or disclose information in ways that the company's notice does not describe or if the company fails to provide the producer with a notice to give the consumer at the time of application. Privacy notices must describe the categories of personal information that may be collected from third parties, the categories of information disclosed pursuant to disclosure exceptions and the categories of third parties that may receive those disclosures of personal information.

  • Insureds must receive a new notice every twelve months. There are some exceptions to this rule. The insurance institution should provide those notices. However, the producer may decide to send his or her own notices.

  • Applicants must receive a complete privacy notice at the time that application is made. Consumers who are applying for insurance over the telephone may receive an abbreviated, verbal notice. Existing policyholders and certificate holders must receive notice when their coverage renews after July 1, or if the coverage does not renew annually, at least every 12 months, (the date of the annual notice may be determined by the insurance institution).

  • Unlike GLBA, Montana's Privacy Act does not contain provisions for "opting-out." Under federal privacy law, if consumers do not take affirmative steps to exercise their right to "opt-out" their nonpublic personal information may be freely disclosed, with few exceptions. In GLBA terms, Montana's privacy law is "opt-in" only for both nonpublic personal financial information and nonpublic personal health information. Disclosures of personal information require written, signed authorization by the individual concerned, unless they fall within the parameters of the 19 disclosure exceptions listed in the statute.

  • The disclosure exceptions allow personal information to be disclosed without authorization when necessary to perform an insurance function, provide an insurance service or process an insurance transaction. The disclosure exceptions are specifically described in Section 33-19-306, MCA, 2001.

  • Disclosure of personal information for marketing purposes is not allowed, except as described in new section 8, Senate Bill 465. AN INSURANCE PRODUCER WHO DESCRIBES TO THE PRODUCER'S CLIENTS, PRODUCTS OR SERVICES AVAILABLE THROUGH THE PRODUCER, IS NOT ENGAGED IN MARKETING. Disclosure of personal information to other licensees [i.e. insurance institutions or insurance producers] or to affiliates for marketing purposes is allowed, but ONLY for the purposes of marketing insurance products and services or financial products and services.

  • This Act only applies to personal lines of insurance. It does not apply to commercial lines.

 

2001 Amendments to Montana's Insurance Information and Privacy Protection Act
[Title 33, Chapter 19, Montana Code Annotated]:
HIGHLIGHTS

During the 2001 legislative session, the Montana Department of Insurance successfully passed legislation amending Montana's existing Insurance Information and Privacy Protection Act, which was enacted in 1981 and is based on the old NAIC model Act. Most of the amendments are effective July 1, 2001. They incorporate changes required by the federal Gramm Leach Bliley Act [GLBA] and also correct problems created by 1999 amendments to the Act.

Section 33-19-202, Notice of Insurance Information Practices, was amended extensively. Notice must now be delivered every 12 months, as required by GLBA, instead of every 24 months. The primary responsibility for delivery of the notice is placed on the insurance institution. Generally speaking, after July 1, 2001, the notice must go to all policyholders and certificate holders when the policy or certificate is issued; for existing insureds, when the policy or certificate renews; and for policies or certificates that do not renew, at least annually, and the date of the annual notice may be defined by the insurance institution. Applicants must receive a complete privacy notice at the time of application, unless they are applying by telephone, and then they may receive an abbreviated, verbal notice pursuant to 33-19-202(7). Telephone applicants would receive a complete written notice at the time the policy is issued. Third- party claimants may also receive an abbreviated notice, as outlined in 33-19-202(4)(b). There are exceptions to the notice delivery requirements, which are described in 33-19-202(1) and (2). For instance, the notice requirement is postponed when an insurance institution does not have any personally identifiable information regarding a certificate holder.

Privacy notices must describe the categories of personal information that may be collected from third parties, the categories of information disclosed pursuant to 33-19-306 exceptions allowing disclosure without authorization, and the categories of third parties that may receive those disclosures of personal information. The types of information that must be contained in the privacy notice are outlined in detail in 33-19-202(3)(a) through (h).

Section 33-19-204 [requiring authorization signatures for the collection of personal information] has been repealed in its entirety, retroactively. An authorization from the insured no longer is required before a licensee may collect personal information about an individual. However, categories of personal information collected about individuals must be described in the privacy notice.

Disclosures of personal information require authorization signatures unless they fall within the parameters of the 19 disclosure exceptions listed in 33-19-306. Sections 33-19-306(3), (4) and (7) were amended to allow disclosures to be made more freely when related to the detection or prevention of criminal activity or fraud. Disclosures between licensees when performing routine insurance functions in connection with an insurance transaction do not require authorization [306(4)]. Disclosures to an insurance support organization in order to allow it to perform support services for the licensee are allowed without authorization, and the support organization may redisclose that information to its subscriber licensees (examples: CLUE and MIB) [306(13)]. Disclosure may be made to a group policyholder for the purpose of reporting claims experience or conducting an audit, but that information must be edited to prevent the identification of the insured individual [306(14)]. Other disclosure exceptions are briefly described as follows: (1) to medical care providers to verify insurance coverage or determine the necessity of medical services [306(5)]; (2) to insurance regulatory authorities [306(6)and (7)]; (3) for the purpose of conducting actuarial or research studies, under certain circumstances and if the information is de-identified [306(10)]; (4) to a party to a proposed sale, transfer, merger, or consolidation of the business of the licensee or insurance support organization (limited disclosure only) [306(11)]; (5) to an affiliate, in connection with an audit of the licensee, to enable the licensee to perform an insurance function, or as allowed by this Act's marketing disclosure provisions (limited disclosure only) [306(12)]; (6) to a professional peer review organization for the purpose of reviewing the service or conduct of a medical care institution or medical professional [306(15)]; (7) to a certificate holder or to a policyholder for the purpose of providing information regarding the status of an insurance transaction, EXCEPT no disclosures to a group policyholder without a separate, written authorization from the individual [306(17)]; (8) to a person contractually engaged to provide services to enable a licensee to perform an insurance function (limited disclosure only) [306(18)]; (9) if no other exception applies, to a person other than a licensee to enable that person to perform an insurance function on behalf of the license (limited disclosure) [306(19)]; (10) as required by the Montana Rules of Civil Procedure [306(21)].

Disclosure of personal information for marketing purposes is not allowed except as described in new section 8 of Senate Bill 465 [306(20)]. Disclosure of personal information to other licensees or to affiliates for marketing purposes is allowed, but ONLY when marketing insurance products or services OR financial products and services. The licensee or affiliate receiving the disclosures must agree in writing that they will not further disclose the information and will use the information only for marketing insurance products or services or financial products and services. Medical record information may not be disclosed without authorization for the purpose of marketing financial products and services. Disclosures pursuant to a joint marketing agreement are not allowed unless they otherwise fit within the exception. An insurance producer who describes to the producer's clients products or services available through the producer is not engaged in marketing. A licensee may make limited and restricted disclosures to enable a person contractually engaged to provide services for the licensee to market insurance or financial products and services. However, the licensee is responsible for maintaining procedures to ensure that the recipients of these disclosures are following the provisions of this Act. All other disclosures require the individual's separate, written, dated and signed authorization.

The civil penalties section of the Act was amended to allow fines as described in 33-1-317 for violations of this Act. This raises the maximum penalty from $500 to $25,000, ($5000 for producers). Other sections of the Act remain unchanged by these amendments, including provisions providing for the individual's right to access recorded personal information [33-19-301], correct, amend, or delete recorded personal information [33-19-302]; obtain a statement providing reasons for adverse underwriting decisions [33-19-303]; and pursue individual remedies for violations of this Act [33-19-407]. In addition, licensees are subject to certain underwriting restrictions regarding how they may use previous adverse underwriting decisions experienced by an individual [33-19-304 and 305].

Montana's Insurance Information and Privacy Protection Act provides all of the privacy protections contained in the GLBA, plus many additional protections. There are other differences between the two laws, especially in terminology. Montana's Act does not include distinctions that rely on the terms "customer" and "consumer" "opt-in" and "opt-out," and "nonpublic personal financial information" and "nonpublic personal health information". All personal information, as defined in 33-19-104(20) and all individuals, as defined in 33-19-104(8) are fully protected by the Act. "Opt-out" is not allowed or discussed. All disclosures of personal information require "opt-in" unless they are expressly allowed in the law. In the amendments, the term licensee (as used in the NAIC model privacy regulations) was adopted.