MONTANA CONSUMER INSURANCE PRIVACY GUIDELINES

  • In 2001, the Montana legislature passed privacy legislation proposed by State Auditor John Morrison. It amends old privacy statutes and creates strong new protections for personal information.
  • The amendments require that insurance consumers receive a full and complete notice of their privacy rights every 12 months, usually at the time the policy renews, or when a new policy is applied for or issued. There are some exceptions to that rule. The notice must describe the categories of personal information that may be collected about you from third parties (like consumer reporting agencies), the categories of information that are disclosed about you without your specific authorization pursuant to statutory exceptions and the categories of third parties that may receive those disclosures.
  • You might receive two notices from your insurer: one that complies with the federal law and one that complies specifically with Montana law. The insurance privacy laws in Montana are generally more protective of consumers and will prevail over federal law for residents of this state. The federal law notices usually will offer you the opportunity to "opt-out" (not allow) certain disclosures of your personal information. Unless you want that information to be shared, you should always exercise your "opt-out" right promptly. You will be receiving similar privacy notices from other types of financial institutions besides insurance companies [i.e. banks and credit card companies.] Montana's insurance privacy laws apply only to entities licensed by the insurance department, such as insurance companies, insurance producers (agents) and third party administrators.
  • Unlike some of the federally mandated privacy notices that you may have received, Montana's Privacy Act requires companies to get your permission before sharing your information. Under federal privacy law, if consumers do not take an affirmative action to exercise their right to "opt-out," their personal information may be freely disclosed, with few exceptions. Montana's law does not contain provisions for "opting-out" because disclosures of personal information in this state require written, signed authorization by the individual concerned, unless those disclosures fall within the parameters of the statutory exceptions. However, to be safe, Montanans wishing to limit disclosure of their personal information should still "opt-out" when they receive federally required notices.
  • Some disclosures of your personal information are allowed when necessary to perform an insurance function, provide an insurance service or process an insurance transaction. These "disclosure exceptions" were drafted to permit the business of insurance to function efficiently and to allow consumers to receive insurance services promptly. Some disclosures of personal information for marketing purposes between insurance licensees and their affiliates are allowed, but only to facilitate the marketing of insurance products and services or financial products and services. In general, disclosures for marketing purposes are more restricted under Montana law than they are under federal law or the laws of most other states. In Montana, your permission is required before marketing disclosures may be made, except those specifically allowed by law.
  • Individuals have additional rights under Montana's Privacy Act, including the right to access recorded personal information; correct, amend or delete recorded personal information; obtain a statement providing reasons for adverse underwriting decisions; and pursue individual remedies for violations of this Act.
  • Companies may not cancel or non-renew your coverage or raise your premium because you refuse to authorize additional disclosures not allowed by the law.
  • Penalties for violations of this act were raised from $500 maximum per violation to $25,000 maximum per violation.

MONTANA PRODUCER INSURANCE PRIVACY GUIDELINES

  • The statute requiring that the signature of the insured or applicant be obtained before any personal information is collected about that person has been entirely and retroactively repealed.

  • The Montana law puts the primary burden of providing a notice of privacy rights to insureds and applicants on the insurance institution. The notice provisions in the Privacy Act were amended in order to comply with the federal Gramm Leach Bliley Act [GLBA]. Producers are responsible for providing notice only if they are going to collect or disclose information in ways that the company's notice does not describe or if the company fails to provide the producer with a notice to give the consumer at the time of application. Privacy notices must describe the categories of personal information that may be collected from third parties, the categories of information disclosed pursuant to disclosure exceptions and the categories of third parties that may receive those disclosures of personal information.

  • Insureds must receive a new notice every twelve months. There are some exceptions to this rule. The insurance institution should provide those notices. However, the producer may decide to send his or her own notices.

  • Applicants must receive a complete privacy notice at the time that application is made. Consumers who are applying for insurance over the telephone may receive an abbreviated, verbal notice. Existing policyholders and certificate holders must receive notice when their coverage renews after July 1, or if the coverage does not renew annually, at least every 12 months (the date of the annual notice may be determined by the insurance institution).

  • Unlike GLBA, Montana's Privacy Act does not contain provisions for "opting-out." Under federal privacy law, if consumers do not take affirmative steps to exercise their right to "opt-out" their nonpublic personal information may be freely disclosed, with few exceptions. In GLBA terms, Montana's privacy law is "opt-in" only for both nonpublic personal financial information and nonpublic personal health information. Disclosures of personal information require written, signed authorization by the individual concerned, unless they fall within the parameters of the 19 disclosure exceptions listed in the statute.

  • The disclosure exceptions allow personal information to be disclosed without authorization when necessary to perform an insurance function, provide an insurance service or process an insurance transaction. The disclosure exceptions are specifically described in Section 33-19-306, MCA, 2001.

  • Disclosure of personal information for marketing purposes is not allowed, except as described in new section 8, Senate Bill 465. AN INSURANCE PRODUCER WHO DESCRIBES TO THE PRODUCER'S CLIENTS, PRODUCTS OR SERVICES AVAILABLE THROUGH THE PRODUCER, IS NOT ENGAGED IN MARKETING. Disclosure of personal information to other licensees [i.e. insurance institutions or insurance producers] or to affiliates for marketing purposes is allowed, but ONLY for the purposes of marketing insurance products and services or financial products and services.

  • This Act only applies to personal lines of insurance. It does not apply to commercial lines.

2001 Amendments to Montana's Insurance Information and Privacy Protection Act
[Title 33, Chapter 19, Montana Code Annotated]:
HIGHLIGHTS

During the 2001 legislative session, the Montana Department of Insurance successfully passed legislation amending Montana's existing Insurance Information and Privacy Protection Act, which was enacted in 1981 and is based on the old NAIC model Act. Most of the amendments are effective July 1, 2001. They incorporate changes required by the federal Gramm Leach Bliley Act [GLBA] and also correct problems created by 1999 amendments to the Act.

Section 33-19-202, Notice of Insurance Information Practices, was amended extensively. Notice must now be delivered every 12 months, as required by GLBA, instead of every 24 months. The primary responsibility for delivery of the notice is placed on the insurance institution. Generally speaking, after July 1, 2001, the notice must go to all policyholders and certificate holders when the policy or certificate is issued; for existing insureds, when the policy or certificate renews; and for policies or certificates that do not renew, at least annually, and the date of the annual notice may be defined by the insurance institution. Applicants must receive a complete privacy notice at the time of application, unless they are applying by telephone, and then they may receive an abbreviated, verbal notice pursuant to 33-19-202(7). Telephone applicants would receive a complete written notice at the time the policy is issued. Third-party claimants may also receive an abbreviated notice, as outlined in 33-19-202(4)(b). There are exceptions to the notice delivery requirements, which are described in 33-19-202(1) and (2). For instance, the notice requirement is postponed when an insurance institution does not have any personally identifiable information regarding a certificate holder.

Privacy notices must describe the categories of personal information that may be collected from third parties, the categories of information disclosed pursuant to 33-19-306 exceptions allowing disclosure without authorization, and the categories of third parties that may receive those disclosures of personal information. The types of information that must be contained in the privacy notice are outlined in detail in 33-19-202(3)(a) through (h).

Section 33-19-204 [requiring authorization signatures for the collection of personal information] has been repealed in its entirety, retroactively. An authorization from the insured no longer is required before a licensee may collect personal information about an individual. However, categories of personal information collected about individuals must be described in the privacy notice.

Disclosures of personal information require authorization signatures unless they fall within the parameters of the 19 disclosure exceptions listed in 33-19-306. Sections 33-19-306(3), (4) and (7) were amended to allow disclosures to be made more freely when related to the detection or prevention of criminal activity or fraud. Disclosures between licensees when performing routine insurance functions in connection with an insurance transaction do not require authorization [306(4)]. Disclosures to an insurance support organization in order to allow it to perform support services for the licensee are allowed without authorization, and the support organization may redisclose that information to its subscriber licensees (examples: CLUE and MIB) [306(13)]. Disclosure may be made to a group policyholder for the purpose of reporting claims experience or conducting an audit, but that information must be edited to prevent the identification of the insured individual [306(14)]. Other disclosure exceptions are briefly described as follows: (1) to medical care providers to verify insurance coverage or determine the necessity of medical services [306(5)]; (2) to insurance regulatory authorities [306(6) and (7)]; (3) for the purpose of conducting actuarial or research studies, under certain circumstances and if the information is de-identified [306(10)]; (4) to a party to a proposed sale, transfer, merger, or consolidation of the business of the licensee or insurance support organization (limited disclosure only) [306(11)]; (5) to an affiliate, in connection with an audit of the licensee, to enable the licensee to perform an insurance function, or as allowed by this Act's marketing disclosure provisions (limited disclosure only) [306(12)]; (6) to a professional peer review organization for the purpose of reviewing the service or conduct of a medical care institution or medical professional [306(15)]; (7) to a certificate holder or to a policyholder for the purpose of providing information regarding the status of an insurance transaction, EXCEPT no disclosures to a group policyholder without a separate, written authorization from the individual [306(17)]; (8) to a person contractually engaged to provide services to enable a licensee to perform an insurance function (limited disclosure only) [306(18)]; (9) if no other exception applies, to a person other than a licensee to enable that person to perform an insurance function on behalf of the licensee (limited disclosure) [306(19)]; (10) as required by the Montana Rules of Civil Procedure [306(21)].

Disclosure of personal information for marketing purposes is not allowed except as described in new section 8 of Senate Bill 465 [306(20)]. Disclosure of personal information to other licensees or to affiliates for marketing purposes is allowed, but ONLY when marketing insurance products or services OR financial products and services. The licensee or affiliate receiving the disclosures must agree in writing that they will not further disclose the information and will use the information only for marketing insurance products or services or financial products and services. Medical record information may not be disclosed without authorization for the purpose of marketing financial products and services. Disclosures pursuant to a joint marketing agreement are not allowed unless they otherwise fit within the exception. An insurance producer who describes to the producer's clients products or services available through the producer is not engaged in marketing. A licensee may make limited and restricted disclosures to enable a person contractually engaged to provide services for the licensee to market insurance or financial products and services. However, the licensee is responsible for maintaining procedures to ensure that the recipients of these disclosures are following the provisions of this Act. All other disclosures require the individual's separate, written, dated and signed authorization.

The civil penalties section of the Act was amended to allow fines as described in 33-1-317 for violations of this Act. This raises the maximum penalty from $500 to $25,000 ($5000 for producers). Other sections of the Act remain unchanged by these amendments, including provisions providing for the individual's right to access recorded personal information [33-19-301]; correct, amend, or delete recorded personal information [33-19-302]; obtain a statement providing reasons for adverse underwriting decisions [33-19-303]; and pursue individual remedies for violations of this Act [33-19-407]. In addition, licensees are subject to certain underwriting restrictions regarding how they may use previous adverse underwriting decisions experienced by an individual [33-19-304 and 305].

Montana's Insurance Information and Privacy Protection Act provides all of the privacy protections contained in the GLBA, plus many additional protections. There are other differences between the two laws, especially in terminology. Montana's Act does not include distinctions that rely on the terms "customer" and "consumer," "opt-in" and "opt-out," and "nonpublic personal financial information" and "nonpublic personal health information." All personal information, as defined in 33-19-104(20), and all individuals, as defined in 33-19-104(8), are fully protected by the Act. "Opt-out" is not allowed or discussed. All disclosures of personal information require "opt-in" unless they are expressly allowed in the law. In the amendments, the term licensee (as used in the NAIC model privacy regulations) was adopted.

 

Please contact the State Auditor’s Office if you have additional questions:

1-800-332-6148
(406) 444-2040
(406) 444-3497 (fax)

State Auditor's Office
840 Helena Avenue
Helena, MT  59601