Bulletin: NJ000087

Bulletins by State or Territory
Bulletins by Country

Bulletin: NJ000087

Bulletin Document
V 1
Date: June 02, 2004
To: All Issuing Offices in New Jersey
RE: Standards for Safeguarding Customer Information - N.J.A.C. 11:1-44.1 et seq.

Dear Associates:

The New Jersey Department of Banking and Insurance has promulgated new regulations concerning the Standards for Safeguarding Customer Information, which appear at N.J.A.C. 11:1-44.1 et seq. The new requirements become effective on October 19, 2004. The regulations establish standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information in accordance with the provisions of the Gramm-Leach-Bliley Act, and apply to all licensed insurers and producers.

A licensee must implement a comprehensive written information security program which includes administrative, technical and physical safeguards for the protection of Customer Information (defined below). The program can be appropriate to the size and complexity of the licensee. The program must be designed to ensure the security and confidentiality of Customer Information, as well as protecting against any anticipated threats or hazards to the information and protecting against unauthorized access to the Customer Information that could result in substantial harm or inconvenience to the customer. The licensee must maintain and make available appropriate records to enable DOBI to determine compliance with the requirements. The regulations apply to both electronic and physical data.

Some examples of methods of implementation are set forth in the Code, including:

  1. Assessment of internal and external threats which could result in unauthorized disclosures.

  2. Methods to manage and control the risk, including staff training, regular testing of key controls and design of the system to control the risks.

  3. Exercise of appropriate due diligence in selecting service providers and taking steps to insure that such service providers satisfy these obligations.

  4. Adjustment to the program when required and review on an appropriate basis.

Failure to comply with the requirements is a violation of the statutes governing trade practices and will result in the imposition of penalties as set forth in the Licensed Producer's Act or the imposition of files beginning at $1,000.

The following definitions apply to the regulations:

"Consumer" is defined as an individual who seeks or obtains an insurance product to be used primarily for personal, family or household purposes and about whom the licensee has personal information (or that individual's legal representative).

"Customer" means an individual with whom the licensee has a "Customer Relationship".

"Customer Information" means "Non-Public Personal Information" and "Privileged Information". "Non-Public Personal Information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health or any other personal characteristics. "Non-Public Personal information" includes an individual's name and address and medical-record information but does not include "Privileged Information". "Privileged Information" is defined as any individually identifiable information that relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual, and is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual.

A "Customer Relationship" is a continuing relationship between a Consumer and a licensee where the licensee provides one or more insurance products or services used primarily for personal, family or household purposes. A continuing relationship is defined as one with a current policy holder or one where the Consumer obtains financial, investment or economic advisory services relating to an insurance product for a fee. There is no continuing relationship if the Consumer applies for insurance but does not purchase the insurance, or where the Consumer is no longer a current policyholder, or where the Consumer has opted to settle a claim involving an on-going relationship with the licensee or has accepted a lump sum settlement option.

Please call the State Office if you have any questions.

THIS BULLETIN IS FURNISHED TO INFORM YOU OF CURRENT DEVELOPMENTS. AS A REMINDER, YOU ARE CHARGED WITH KNOWLEDGE OF THE CONTENT ON VIRTUAL UNDERWRITER  AS IT EXISTS FROM TIME TO TIME AS IT APPLIES TO YOU, AS WELL AS ANY OTHER INSTRUCTIONS. OUR UNDERWRITING AGREEMENTS DO NOT AUTHORIZE OUR ISSUING AGENTS TO ENGAGE IN SETTLEMENTS OR CLOSINGS ON BEHALF OF STEWART TITLE GUARANTY COMPANY. THIS BULLETIN IS NOT INTENDED TO DIRECT YOUR ESCROW OR SETTLEMENT PRACTICES OR TO CHANGE PROVISIONS OF APPLICABLE UNDERWRITING AGREEMENTS. CONFIDENTIAL, PROPRIETARY, OR NONPUBLIC PERSONAL INFORMATION SHOULD NEVER BE SHARED OR DISSEMINATED EXCEPT AS ALLOWED BY LAW. IF APPLICABLE STATE LAW OR REGULATION IMPOSES ADDITIONAL REQUIREMENTS, YOU SHOULD CONTINUE TO COMPLY WITH THOSE REQUIREMENTS.

NEW JERSEY ADMINISTRATIVE CODE
TITLE 11. DEPARTMENT OF BANKING AND INSURANCE DIVISION OF INSURANCE
CHAPTER 1. ADMINISTRATION

SUBCHAPTER 44. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Current through April 19, 2004; 36 N.J. Reg. No. 8

11:1-44.1 Purpose and scope

(a) This subchapter establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to Sections 501, 505(b) and 507 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801, 6805(b) and 6807.
(b) This subchapter shall apply to all licensees as defined herein.
(c) This subchapter shall not be deemed to limit or affect the duty of a licensee to maintain the confidentiality of information required to be kept confidential pursuant to law, including, but not limited to, N.J.S.A. 17:23A-1 et seq.

11:1-44.2 Definitions

The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise:
"Consumer" means an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative.
"Customer" means a consumer who has a customer relationship with a licensee.
"Customer information" means nonpublic personal information as defined in this section about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee.
"Customer information systems" means the electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.
"Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.
1. A consumer has a continuing relationship with a licensee if:
i. The consumer is a current policyholder of an insurance product issued by or through the licensee; or
ii. The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
2. A consumer does not have a continuing relationship with a licensee if:
i. The consumer applies for insurance but does not purchase the insurance;
ii. The licensee sells the consumer airline travel insurance in an isolated transaction;
iii. The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
iv. The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;
v. The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
vi. The customer's policy lapsed, expired or otherwise became inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12 consecutive months, except through annual privacy notices, material distributions or mass mailings required by law or regulation, communication at the direction of a State or Federal authority, or promotional materials;
vii. The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or

viii. The individual's last known address of record is deemed invalid for the purposes of this subchapter. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
"Licensee" means all licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to Titles 17 and 17B of the New Jersey Statutes, health maintenance organizations holding a certificate of authority pursuant to N.J.S.A. 26:2J-1 et seq., and any other person or entity subject to the statute governing information practices at N.J.S.A. 17:23A-1 et seq. "Licensee" shall not include: a purchasing group; or an unauthorized insurer in regard to the surplus lines business conducted pursuant to N.J.S.A. 17:22-6.40 et seq.
"Nonpublic personal information" means "personal information" and "privileged information" as defined in N.J.S.A. 17:23A-2t and w, respectively.
"Service provider" means a person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.

11:1-44.3 Information security program

(a) Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
(b) A licensee shall maintain and make available appropriate records to enable the Department to determine compliance with the requirements of this subchapter.

11:1-44.4 Objectives of information security program

(a) A licensee's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of customer information; and
3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

11:1-44.5 Examples of methods of development and implementation

The actions and procedures described in N.J.A.C.11:1-44.6 through 44.9 are examples of methods of implementation of the requirements of N.J.A.C. 11:1-44.3 and 44.4. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement N.J.A.C. 11:1-44.3 and 44.4.

11:1-44.6 Assessment of risk

The licensee identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems; assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.

11:1-44.7 Management and control of risk

The licensee designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities; trains staff, as appropriate, to implement the licensee's information security program; and regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

11:1-44.8 Service provider agreements

The licensee exercises appropriate due diligence in selecting its service providers; and requires its service providers to implement appropriate measures designed to meet the objectives of this subchapter, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

11:1-44.9 Adjustment of the program

The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.

11:1-44.10 Violations

Failure to comply with the provisions of this subchapter shall be deemed to constitute a violation of the statutes governing trade practices at N.J.S.A. 17:29B-1 et seq. and 17B:30-1 et seq., as applicable, and shall result in the imposition of penalties as provided in those statutes, N.J.S.A. 17:22A-26 et seq., 17:23A-1 et seq., 17:33-2, and any other provision of law.

11:1-44.11 Effective date

A licensee shall establish and implement an information security program, including appropriate policies and systems pursuant to this subchapter, by October 19, 2004.


References