Article 39.

Consumer and Customer Information Privacy.

Part 1. Insurance Information and Privacy Protection.

§ 58-39-1.  Short titles.

This Article may be cited as the Consumer and Customer Information Privacy Act. Part 1 of this Article may be cited as the Insurance Information and Privacy Protection Act. Part 3 of this Article may be cited as the Customer Information Safeguards Act.  (1981, c. 846, s. 1; 2003-262, s. 3.)

 

§ 58-39-5.  Purpose.

The purpose of this Article is to establish standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents, or insurance-support organizations; to maintain a balance between the need for information by those conducting the business of insurance and the public's need for fairness in insurance information practices, including the need to minimize intrusiveness; to establish a regulatory mechanism to enable natural persons to ascertain what information is being or has been collected about them in connection with insurance transactions and to have access to such information for the purpose of verifying or disputing its accuracy; to limit the disclosure of information collected in connection with insurance transactions; and to enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-10.  Scope.

(a) The obligations imposed by this Article shall apply to those insurance institutions, agents, or insurance-support organizations that:

(1) In the case of life, health, or disability insurance:

a. Collect, receive, or maintain information in connection with insurance transactions that pertains to natural persons who are residents of this State; or

b. Engage in insurance transactions with applicants, individuals, or policyholders who are residents of this State; and

(2) In the case of property or casualty insurance:

a. Collect, receive, or maintain information in connection with insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this State;

b. Engage in insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this State; or

c. Engage in transactions involving mortgage guaranty insurance where the mortgage guaranty policies, contracts, or certificates of insurance are delivered, issued for delivery, or renewed in this State.

(b) The rights granted by this Article shall extend to:

(1) In the case of life, health, or disability insurance, the following persons who are residents of this State:

a. Natural persons who are the subject of information collected, received, or maintained in connection with insurance transactions; and

b. Applicants, individuals, or policyholders who engage in or seek to engage in insurance transactions;

(2) In the case of property or casualty insurance, the following persons:

a. Natural persons who are the subject of information collected, received, or maintained in connection with insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this State; and

b. Applicants, individuals, or policyholders who engage in or seek to engage in (i) insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this State; or (ii) mortgage guaranty insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in this State.

(c) For purposes of this section, a person shall be considered a resident of this State if the person's last known mailing address, as shown in the records of the insurance institution, agent, or insurance-support organization, is located in this State.

(d) Notwithstanding subsections (a) and (b) of this section, this Article shall not apply to information collected from the public records of a governmental authority and maintained by an insurance institution or its representatives for the purpose of insuring the title to real property located in this State.

(e) This Article applies to credit insurance that is subject to Article 57 of this Chapter. (1981, c. 846, s. 1; 2001-351, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-15.  Definitions.

As used in this Article:

(1) "Adverse underwriting decision" means:

a. Any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:

1. A declination of insurance coverage;

2. A termination of insurance coverage;

3. Failure of an agent to apply for insurance coverage with a specific insurance institution that an agent represents and that is requested by an applicant;

4. In the case of a property or casualty insurance coverage:

I. Placement by an insurance institution or agent of a risk with a residual market mechanism, an unauthorized insurer, or an insurance institution that specializes in substandard risks; or

II. The charging of a higher rate on the basis of information that differs from that which the applicant or policyholder furnished; or

5. In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.

b. Notwithstanding subdivision (1)a. of this section, the following actions shall not be considered adverse underwriting decisions, but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:

1. The termination of an individual policy form on a class or statewide basis;

2. A declination of insurance coverage solely because such coverage is not available on a class or statewide basis; or

3. The rescission of a policy.

(2) "Affiliate" or "affiliated" means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person.

(3) "Agent" has the meaning as set forth in G.S. 58-33-10, and includes limited representatives, limited line credit insurance producers, limited lines producers, insurance producers, and surplus lines licensees.

(4) "Applicant" means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

(5) "Consumer report" means any written, oral, or other communication of information bearing on a natural person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.

(6) "Consumer reporting agency" means any person who:

a. Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee;

b. Obtains information primarily from sources other than insurance institutions; and

c. Furnishes consumer reports to other persons.

(7) "Control," including the terms "controlled by" or "under common control with," means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.

(8) "Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.

(9) "Individual" means any natural person who:

a. In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder;

b. In the case of life, health, or disability insurance, is a past, present, or proposed principal insured or certificate holder;

c. Is a past, present or proposed policy owner;

d. Is a past or present applicant;

e. Is a past or present claimant;

f. Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this Article; or

g. Is the subject of personal information collected or maintained by an insurance institution, agent, or insurance-support organization in connection with mortgage guaranty insurance.

(10) "Institutional source" means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than:

a. An agent;

b. The individual who is the subject of the information; or

c. A natural person acting in a personal capacity rather than in a business or professional capacity.

(11) "Insurance institution" means any corporation, association, partnership, reciprocal exchange, inter-insurer, Lloyd's insurer, fraternal benefit society, or other person engaged in the business of insurance, including health maintenance organizations and medical, surgical, hospital, dental, and optometric service plans, governed by Articles 65 through 67 of this Chapter. "Insurance institution" shall not include agents or insurance-support organizations.

(12) "Insurance-support organization" means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including: (i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction; or (ii) the collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity; provided, however, the following persons shall not be considered "insurance-support organizations" for purposes of this Article: agents, governmental institutions, insurance institutions, medical-care institutions, and medical professionals.

(13) "Insurance transaction" means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails:

a. The determination of an individual's eligibility for an insurance coverage, benefit, or payment; or

b. The servicing of an insurance application, policy, contract, or certificate.

(14) "Investigative consumer report" means a consumer report or portion thereof in which information about a natural person's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning such items of information.

(15) "Life insurance" includes annuities.

(16) "Medical-care institution" means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home-health agencies, medical clinics, rehabilitation agencies, public health agencies, or health-maintenance organizations.

(17) "Medical professional" means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, chiropractor, optometrist, physical or occupational therapist, licensed clinical social worker, clinical dietitian, clinical psychologist, pharmacist, or speech therapist.

(18) "Medical-record information" means personal information that:

a. Relates to an individual's physical or mental condition, medical history, or medical treatment; and

b. Is obtained from a medical professional or medical-care institution, from the individual, or from the individual's spouse, parent, or legal guardian.

(19) "Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. "Personal information" includes an individual's name and address and medical-record information, but does not include privileged information.

(20) "Policyholder" means any person who:

a. In the case of individual property or casualty insurance, is a present named insured;

b. In the case of individual life or accident and health insurance, is a present policy owner; or

c. In the case of group insurance that is individually underwritten, is a present group certificate holder.

(21) "Pretext interview" means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

a. Pretends to be someone he is not;

b. Pretends to represent a person he is not in fact representing;

c. Misrepresents the true purpose of the interview; or

d. Refuses to identify himself upon request.

(22) "Privileged information" means any individually identifiable information that (i) relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual, and (ii) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual: Provided, however, information otherwise meeting the requirements of this subsection shall nevertheless be considered personal information under this Article if it is disclosed in violation of G.S. 58-39-75.

(23) "Residual market mechanism" means any reinsurance facility, joint underwriting association, assigned risk plan, or other similar plan established under the laws of this State.

(24) "Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

(25) "Unauthorized insurer" means an insurance institution that has not been granted a license by the Commissioner to transact the business of insurance in this State. (1981, c. 846, s. 1; 1987, c. 629, s. 13; 1993, c. 464, s. 1; 2001-203, s. 30; 2001-351, ss. 2, 3; 2001-487, s. 40(f); 2003-262, s. 2(1).)

 

§ 58-39-20.  Pretext interviews.

No insurance institution, agent, or insurance-support organization shall use or authorize the use of pretext interviews to obtain information in connection with an insurance transaction: Provided, however, a pretext interview may be undertaken to obtain information from a person or institution that does not have a generally or statutorily recognized privileged relationship with the person about whom the information relates for the purpose of investigating a claim where, based upon specific information available for review by the Commissioner, there is a reasonable basis for suspecting criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with the claim. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-25.  Notice of insurance information practices.

(a) An insurance institution or agent shall provide a notice of information practices to all applicants or policyholders in connection with insurance transactions as provided in this section:

(1) In the case of an application for insurance a notice shall be provided no later than:

a. At the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant or from public records; or

b. At the time the collection of personal information is initiated when personal information is collected from a source other than the applicant or public records;

(2) In the case of a policy renewal, a notice shall be provided no later than the policy renewal date, except that no notice shall be required in connection with a policy renewal if:

a. Personal information is collected only from the policyholder or from public records; or

b. A notice meeting the requirements of this section has been given within the previous 24 months; or

(3) In the case of a policy reinstatement or change in insurance benefits, a notice shall be provided no later than the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that no notice shall be required if personal information is collected only from the policyholder or from public records.

(b) The notice required by subsection (a) of this section shall be in writing and shall state:

(1) Whether personal information may be collected from persons other than the individual or individuals proposed for coverage;

(2) The types of personal information that may be collected and the types of sources and investigative techniques that may be used to collect such information;

(3) The types of disclosures identified in subsections (2), (3), (4), (5), (6), (9), (11), (12), and (14) of G.S. 58-39-75 and the circumstances under which such disclosures may be made without prior authorization: Provided, however, only those circumstances need be described that occur with such frequency as to indicate a general business practice;

(4) A description of the rights established under G.S. 58-39-45 and 58-39-50 and the manner in which such rights may be exercised; and

(5) That information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons.

(c) In lieu of the notice prescribed in subsection (b) of this section, the insurance institution or agent may provide an abbreviated notice informing the applicant or policyholder that:

(1) Personal information may be collected from persons other than the individual or individuals proposed for coverage;

(2) Such information, as well as other personal or privileged information subsequently collected by the insurance institution or agent, in certain circumstances, may be disclosed to third parties without authorization;

(3) A right of access and correction exists with respect to all personal information collected; and

(4) The notice prescribed in subsection (b) of this section will be furnished to the applicant or policyholder upon request.

(d) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-26.  Federal privacy disclosure notice requirements.

(a) Disclosure Required. - In addition to the notice requirements of G.S. 58-39-25, an insurance institution or agent shall provide, to all applicants and policyholders no later than (i) before the initial disclosure of personal information under G.S. 58-39-75(11) or (ii) the time of the delivery of the insurance policy or certificate, a clear and conspicuous notice, in written or electronic form, of the insurance institution or agent's policies and practices with respect to:

(1) Disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502 of Public Law 106-102, including the categories of information that may be disclosed.

(2) Disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution.

(3) Protecting the nonpublic personal information of consumers.

These disclosures shall be made in accordance with the regulations prescribed under section 504 of Public Law 106-102.

(b) Information to Be Included. - The disclosure required by subsection (a) of this section shall include:

(1) The policies and practices of the insurance institution or agent with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the insurance institution or agent, consistent with section 502 of Public Law 106-102, and including:

a. The categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided under section 502(e) of Public Law 106-102.

b. The policies and practices of the insurance institution or agent with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the insurance institution or agent.

(2) The categories of nonpublic personal information that are collected by the insurance institution or agent.

(3) The policies that the insurance institution or agent maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501 of Public Law 106-102.

(4) The disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act.

(c) In the case of a policyholder, the notice required by this section shall be provided not less than annually during the continuation of the policy. As used in this subsection, "annually" means at least once in any period of 12 consecutive months during which the policy is in effect.

(d) Exception to Annual Notice Requirement. - An insurance institution or agent is not required to provide the privacy notice annually as required under subsection (c) of this section if all of the following apply:

(1) The insurance institution or agent provides nonpublic personal information only in accordance with the provisions of sections 502(b)(2) or 502(e) of Public Law 106-102 or regulations prescribed under section 504(b) of Public Law 106-102.

(2) The insurance institution or agent has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section.

If, at any time, subdivision (1) or (2) of this subsection no longer applies to an insurance institution or agent, then the insurance institution or agent shall be required to provide the annual privacy notice required under subsection (c) of this section. (2001-351, s. 4; 2003-262, s. 2(1); 2019-179, s. 5.)

 

§ 58-39-27.  Privacy notice and disclosure requirement exceptions.

(a) Under G.S. 58-39-25 and G.S. 58-39-26, an insurance institution or agent may provide a joint notice from the insurance institution or agent and one or more of its affiliates or other financial institutions, as defined in the notice, as long as the notice is accurate with respect to the insurance institution or agent and the other institutions.

(b) An insurance institution or agent may satisfy the notice requirements of G.S. 58-39-25 and G.S. 58-39-26 by providing a single notice if two or more applicants or policyholders jointly obtain or apply for an insurance product.

(c) An insurance institution or agent may satisfy the notice requirements of G.S. 58-39-25 and G.S. 58-39-26 through the use of separate or combined notices.

(d) An insurance institution or agent is not required to provide the notices required by G.S. 58-39-25 and G.S. 58-39-26 to:

(1) Any applicant or policyholder whose last known address, according to the insurance institution's or agent's records is deemed invalid. The applicant's or policyholder's last known address shall be deemed invalid if mail sent to that address has been returned by the postal authorities as undeliverable and if subsequent reasonable attempts to obtain a current valid address for the applicant or policyholder have been unsuccessful; or

(2) Any policyholder whose policy is lapsed, expired, or otherwise inactive or dormant under the insurance institution's business practices, and the insurance institution has not communicated with the policyholder about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, or promotional materials.

(e) If an agent does not share information with any person other than the agent's principal or an affiliate of the principal, and if the principal provides all notices required by G.S. 58-39-25 and G.S. 58-39-26, the agent is not required to provide the notices required by G.S. 58-39-25 and G.S. 58-39-26. G.S. 58-39-75 applies to the sharing of information with an affiliate under this subsection.

(f) When an agent discloses a policyholder's personal information, other than medical information, to an insurance institution solely for the purposes of renewal, transfer, replacement, reinstatement, or modification of an existing policy, the agent is not required to provide the notices required by G.S. 58-39-25 and G.S. 58-39-26.

(g) For the purposes of G.S. 58-39-26 only, the terms "applicant" or "policyholder" include respectively a person who applies for, or a certificate holder who obtains, insurance coverage under a group or blanket insurance contract, employee benefit plan, or group annuity contract, regardless of whether the coverage is individually underwritten. An insurance institution or agent that does not disclose personal information about an applicant or policyholder under a group or blanket insurance contract, employee benefit plan, or group annuity contract, except as permitted under G.S. 58-39-75(1) through (10) and G.S. 58-39-75(12) through (21), may satisfy any notice requirement that otherwise exists under G.S. 58-39-26 with respect to that applicant or policyholder by providing a notice of information practices to the holder of the group or blanket insurance or annuity contract or the employee benefit plan sponsor. If an insurance institution or agent discloses personal information about an applicant or policyholder as permitted by G.S. 58-39-75(11), it shall provide the notice required by G.S. 58-39-26 to the applicant or policyholder not less than 30 days before the information is disclosed, and it may satisfy any other notice requirement that otherwise exists under this section with respect to that applicant or policyholder by providing a notice of information practices to the holder of the group or blanket insurance or annuity contract or employee benefit plan sponsor. (2001-351, s. 5; 2003-262, s. 2(1).)

 

§ 58-39-28.  Exception for title and mortgage guaranty insurance.

(a) A title insurance company shall give notice of its insurance information practices under G.S. 58-39-25 and G.S. 58-39-26 only at the time the final policy of title insurance is issued and is not subject to any annual notice requirement thereafter.

(b) In the case of mortgage guaranty insurance, the notice required by G.S. 58-39-25 and G.S. 58-39-26 shall be provided at the time a master policy is issued and thereafter only if there is a material change in the insurer's policies and practices regarding the use or disclosure of personal information. (2001-351, s. 6; 2003-262, s. 2(1).)

 

§ 58-39-30.  Marketing and research surveys.

An insurance institution or agent shall clearly specify those questions designed to obtain information solely for marketing or research purposes from an individual in connection with an insurance transaction. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-35.  Content of disclosure authorization forms.

Notwithstanding any other provision of law of this State, no insurance institution, agent, or insurance-support organization shall utilize as its disclosure authorization form in connection with insurance transactions involving insurance policies or contracts issued after July 1, 1982, a form or statement that authorizes the disclosure of personal or privileged information about an individual to the insurance institution, agent, or insurance-support organization unless the form or statement:

(1) Complies with the provisions of Article 38 of this Chapter;

(2) Is dated;

(3) Specifies the types of persons authorized to disclose information about the individual;

(4) Specifies the nature of the information authorized to be disclosed;

(5) Names the insurance institution or agent and identifies by generic reference representatives of the insurance institution to whom the individual is authorizing information to be disclosed;

(6) Specifies the purposes for which the information is collected;

(7) Specifies the length of time such authorization shall remain valid, which shall be no longer than:

a. In the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement, or a request for change in policy benefits:

1. Thirty months from the date the authorization is signed if the application or request involves life, health, or disability insurance; or

2. One year from the date the authorization is signed if the application or request involves property or casualty insurance;

b. In the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:

1. The term of coverage of the policy if the claim is for a health insurance benefit; or

2. The duration of the claim if the claim is not for a health insurance benefit; and

(8) Advises the individual or a person authorized to act on behalf of the individual that the individual or the individual's authorized representative is entitled to receive a copy of the authorization form. (1981, c. 846, s. 1; c. 1127, s. 56; 2003-262, s. 2(1).)

 

§ 58-39-40.  Investigative consumer reports.

(a) No insurance institution, agent, or insurance-support organization may prepare or request an investigative consumer report about an individual in connection with an insurance transaction involving an application for insurance, a policy renewal, a policy reinstatement, or a change in insurance benefits unless the insurance institution or agent informs the individual:

(1) That he may request to be interviewed in connection with the preparation of the investigative consumer report; and

(2) That upon a request pursuant to G.S. 58-39-45 he is entitled to receive a copy of the investigative consumer report.

(b) If an investigative consumer report is to be prepared by an insurance institution or agent, the insurance institution or agent shall institute reasonable procedures to conduct a personal interview requested by an individual.

(c) If an investigative consumer report is to be prepared by an insurance-support organization, the insurance institution or agent desiring such report shall inform the insurance-support organization whether a personal interview has been requested by the individual. The insurance-support organization shall institute reasonable procedures to conduct such interviews, if requested. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-45.  Access to recorded personal information.

(a) If any individual, after proper identification, submits a written request to an insurance institution, agent, or insurance-support organization for access to recorded personal information about the individual that is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, agent, or insurance-support organization, the insurance institution, agent, or insurance-support organization shall within 30 business days from the date such request is received:

(1) Inform the individual of the nature and substance of such recorded personal information in writing, by telephone, or by other oral communication, whichever the insurance institution, agent, or insurance-support organization prefers;

(2) Permit the individual to see and copy, in person, such recorded personal information pertaining to him or to obtain a copy of such recorded personal information by mail, whichever the individual prefers, unless such recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing;

(3) Disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent, or insurance-support organization has disclosed such personal information within two years prior to such request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom such information is normally disclosed; and

(4) Provide the individual with a summary of the procedures by which he may request correction, amendment, or deletion of recorded personal information.

(b) Any personal information provided pursuant to subsection (a) of this section shall identify the source of the information if such source is an institutional source.

(c) Medical-record information supplied by a medical-care institution or medical professional and requested under subsection (a) of this section together with the identity of the medical professional or medical-care institution that provided such information, shall be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the insurance institution, agent, or insurance-support organization prefers. If it elects to disclose the information to a medical professional designated by the individual, the insurance institution, agent, or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional.

(d) Except for personal information provided under G.S. 58-39-55, an insurance institution, agent, or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.

(e) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subsection (a) of this section, an insurance institution, agent, or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.

(f) The rights granted to individuals in this section shall extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent, or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subsection shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.

(g) For purposes of this section, the term, "insurance-support organization" does not include the term, "consumer reporting agency." (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-50.  Correction, amendment, or deletion of recorded personal information.

(a) Within 30 business days from the date of receipt of a written request from an individual to correct, amend, or delete any recorded personal information about the individual within its possession, an insurance institution, agent, or insurance-support organization shall either:

(1) Correct, amend, or delete the portion of the recorded personal information in dispute; or

(2) Notify the individual of:

a. Its refusal to make such correction, amendment, or deletion;

b. The reasons for the refusal; and

c. The individual's right to file a statement as provided in subsection (c) of this section.

(b) If the insurance institution, agent, or insurance-support organization corrects, amends, or deletes recorded personal information in accordance with subdivision (a)(1) of this section, the insurance institution, agent, or insurance-support organization shall so notify the individual in writing and furnish the correction, amendment, or fact of deletion to:

(1) Any person specifically designated by the individual who, within the preceding two years, may have received such recorded personal information;

(2) Any insurance-support organization whose primary source of personal information is insurance institutions if the insurance-support organization has systematically received such recorded personal information from the insurance institution within the preceding seven years. The correction, amendment, or fact of deletion need not be furnished if the insurance-support organization no longer maintains recorded personal information about the individual; and

(3) Any insurance-support organization that furnished the personal information that has been corrected, amended, or deleted.

(c) Whenever an individual disagrees with an insurance institution's, agent's, or insurance-support organization's refusal to correct, amend, or delete recorded personal information, the individual shall be permitted to file with the insurance institution, agent, or insurance-support organization:

(1) A concise statement setting forth what the individual thinks is the correct, relevant, or fair information; and

(2) A concise statement of the reasons why the individual disagrees with the insurance institution's, agent's, or insurance-support organization's refusal to correct, amend, or delete recorded personal information.

(d) In the event an individual files either statement as described in subsection (c) of this section, the insurance institution, agent, or support organization shall:

(1) File the statement with the disputed personal information and provide a means by which anyone reviewing the disputed personal information will be made aware of the individual's statement and have access to it; and

(2) In any subsequent disclosure by the insurance institution, agent, or support organization of the recorded personal information that is the subject of disagreement, clearly identify the matter or matters in dispute and provide the individual's statement along with the recorded personal information being disclosed; and

(3) Furnish the statement to the persons and in the manner specified in subsection (b) of this section.

(e) The rights granted to individuals in this section shall extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent, or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subsection shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.

(f) For purposes of this section, the term, "insurance-support organization" does not include the term, "consumer reporting agency." (1981, c. 846, s. 1; 1991, c. 720, s. 74; 2003-262, s. 2(1).)

 

§ 58-39-55.  Reasons for adverse underwriting decisions.

(a) In the event of an adverse underwriting decision, the insurance institution or agent responsible for the decision shall give a written notice in a form approved by the Commissioner that:

(1) Either provides the applicant, policyholder, or individual proposed for coverage with the specific reason or reasons for the adverse underwriting decision in writing or advises such person that upon written request he may receive the specific reason or reasons in writing; and

(2) Provides the applicant, policyholder, or individual proposed for coverage with a summary of the rights established under subsection (b) of this section and G.S. 58-39-45 and 58-39-50.

(b) Upon receipt of a written request within 90 business days from the date of the mailing of notice or other communication of an adverse underwriting decision to an applicant, policyholder or individual proposed for coverage, the insurance institution or agent shall furnish to such person within 21 business days from the date of receipt of such written request:

(1) The specific reason or reasons for the adverse underwriting decision, in writing, if such information was not initially furnished in writing pursuant to subdivision (a)(1) of this section;

(2) The specific items of personal and privileged information that support those reasons: Provided, however:

a. The insurance institution or agent shall not be required to furnish specific items of privileged information if it has a reasonable suspicion, based upon specific information available for review by the Commissioner, that the applicant, policyholder, or individual proposed for coverage has engaged in criminal activity, fraud, material misrepresentation, or material nondisclosure, and

b. Specific items of medical-record information supplied by a medical-care institution or medical professional shall be disclosed either directly to the individual about whom the information relates or to the medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the insurance institution or agent prefers; and

(3) The names and addresses of the institutional sources that supplied the specific items of information given pursuant to subdivision (b)(2) of this section: Provided, however, the identity of any medical professional or medical-care institution shall be disclosed either directly to the individual or to the designated medical professional, whichever the insurance institution or agent prefers.

(c) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

(d) When an adverse underwriting decision results solely from an oral request or inquiry, the explanation of reasons and summary of rights required by this section may be given orally. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-60.  Information concerning previous adverse underwriting decisions.

No insurance institution, agent, or insurance-support organization may seek information in connection with an insurance transaction concerning: (i) any previous adverse underwriting decision experienced by an individual; or (ii) any previous insurance coverage obtained by an individual through a residual market mechanism, unless such inquiry also requests the reasons for any previous adverse underwriting decision or the reasons why insurance coverage was previously obtained through a residual market mechanism. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-65.  Previous adverse underwriting decisions.

No insurance institution or agent may base an adverse underwriting decision in whole or in part:

(1) On the fact of a previous adverse underwriting decision or on the fact that an individual previously obtained insurance coverage through a residual market mechanism: Provided, however, an insurance institution or agent may base an adverse underwriting decision on further information obtained from an insurance institution or agent responsible for a previous adverse underwriting decision;

(2) On personal information received from an insurance-support organization whose primary source of information is insurance institutions: Provided, however, an insurance institution or agent may base an adverse underwriting decision on further personal information obtained as the result of information received from such insurance-support organization. (1981, c. 846, s. 1; 2003-262, s. 2(1).)

 

§ 58-39-70: Recodified as G.S. 58-39-125 by Session Laws 2003-262, s. 2(3), effective June 26, 2003.

 

§ 58-39-75.  Disclosure limitations and conditions.

An insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is:

(1) With the written authorization of the individual, provided:

a. If such authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirements of G.S. 58-39-35; or

b. If such authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization meets the requirements of G.S. 58-39-35 and is:

1. Dated;

2. Signed by the individual; and

3. Obtained one year or less before the date a disclosure is sought pursuant to this paragraph; or

(2) To a person other than an insurance institution, agent, or insurance-support organization, provided such disclosure is reasonably necessary:

a. To enable that person to perform a business, professional, or insurance function for the disclosing insurance institution, agent, or insurance-support organization, including, but not limited to, performing marketing functions and other functions regarding the provision of information concerning the disclosing institution's own products, services, and programs, and that person agrees not to disclose the information further without the individual's written authorization unless the further disclosure:

1. Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

2. Is reasonably necessary for that person to perform its function for the disclosing insurance institution, agent, or insurance-support organization; or

b. To enable that person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of:

1. Determining an individual's eligibility for an insurance benefit or payment; or

2. Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction; or

(3) To an insurance institution, agent, insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary:

a. To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or

b. For either the disclosing or receiving insurance institution, agent, or insurance-support organization to perform its function in connection with an insurance transaction involving the individual; or

(4) To a medical-care institution or medical professional for the purpose of (i) verifying insurance coverage or benefits, (ii) informing an individual of a medical problem of which the individual may not be aware, or (iii) conducting an operations or services audit, provided only such information is disclosed as is reasonably necessary to accomplish the foregoing purposes; or

(4a) To a person making an inquiry under G.S. 58-58-97 when providing funeral service to a deceased insured; or

(5) To an insurance regulatory authority; or

(6) To a law-enforcement or other government authority:

a. To protect the interests of the insurance institution, agent, or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or

b. If the insurance institution, agent, or insurance-support organization reasonably believes that illegal activities have been conducted by the individual; or

(7) Otherwise permitted or required by law; or

(8) In response to a facially valid administrative or judicial order, including a search warrant or subpoena; or

(9) Made for the purpose of conducting actuarial or research studies, provided:

a. No individual may be identified in any actuarial or research report;

b. Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed; and

c. The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

(10) To a party or a representative of a party to a proposed or consummated sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, agent, or insurance-support organization, provided:

a. Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation, and

b. The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization; or

(11) To a person whose only use of such information will be in connection with the marketing of a product or service, provided:

a. No medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from such information is disclosed;

b. The individual has been given an opportunity to indicate that he does not want personal information disclosed for marketing purposes and has given no indication that such individual does not want the information disclosed; and

c. The person receiving such information agrees not to use it except in connection with the marketing of a product or service; or

(12) To an affiliate whose only use of the information will be in connection with an audit of the insurance institution or agent or the marketing of an insurance product or service, provided the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons; and further provided that no medical record information may be disclosed to the affiliate for the marketing of an insurance product or service; or

(13) By a consumer reporting agency, provided the disclosure is to a person other than an insurance institution or agent; or

(14) To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit; or

(15) To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional; or

(16) To a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable; or

(17) To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; or

(18) To a lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance only if:

a. No medical record information is disclosed unless the disclosure would otherwise be permitted by this section; and

b. The information disclosed is limited to that which is reasonably necessary to permit such person to protect its interest in such policy; or

(19) To authorized personnel of the Division of Motor Vehicles upon requests pursuant to G.S. 20-309(c) or G.S. 20-309(f).

(20) To the Department of Health and Human Services and the information disclosed is immunization information described in G.S. 130A-153.

(21) To a person whose only use of an applicant's or policyholder's personal information, but not including medical record information, will be in connection with the marketing of a financial product or service intended to be provided by participants in a marketing program where the program participants and the types of information to be shared are identified to the applicant or policyholder when the applicant or policyholder is first offered the financial product or service. As used in this subdivision:

a. "Financial institution" means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).

b. "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).

c. "Marketing program" includes only those programs established by written agreement by the insurance institution and one or more financial institutions under which they jointly offer, endorse, or sponsor a financial product or service. (1981, c. 846, s. 1; 1985, c. 666, s. 68; 1993, c. 134, s. 2; 1997-443, s. 11A.20A; 2001-351, ss. 7, 8, 10, 11, 12; 2003-262, s. 2(1); 2009-566, s. 24.)

 

§ 58-39-76.  Limits on sharing account number information for marketing purposes.

(a) General Prohibition on Disclosure of Account Numbers. - An insurance institution, insurance agent, or insurance-support organization shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

(b) Definitions. - As used in this section:

(1) "Account number" means an account number, or similar form of access number or access code, but does not include a number or code in an encrypted form, as long as the insurance institution, insurance agent, or insurance-support organization does not provide the recipient with a means to decode the number or code.

(2) "Transaction account" means an account other than a deposit account or credit card account. A transaction account does not include an account to which third parties cannot initiate charges.

(c) Exceptions. - Subsection (a) of this section does not apply if an insurance institution, insurance agent, or insurance-support organization discloses an account number or similar form of access number or access code:

(1) To the insurance institution's, insurance agent's, or insurance-support organization's agent or service provider solely in order to perform marketing for the insurance institution's, insurance agent's, or insurance-support organization's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or

(2) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program. (2001-351, s. 9; 2003-262, s. 2(1).)

 

Part 2. Enforcement, Sanctions, Remedies, and Rights.

§ 58-39-80.  Hearings and procedures.

(a) Whenever the Commissioner has reason to believe that an insurance institution, agent, or insurance-support organization has been or is engaged in conduct in this State that violates this Article, or whenever the Commissioner has reason to believe that an insurance-support organization has been or is engaged in conduct outside this State that has an effect on a person residing in this State and that violates this Article, the Commissioner may issue and serve upon such insurance institution, agent, or insurance-support organization a statement of charges and notice of hearing to be held at a time and place fixed in the notice. The date for such hearing shall be not less than 10 days after the date of service.

(b) At the time and place fixed for such hearing the insurance institution, agent, or insurance-support organization charged shall have an opportunity to answer the charges against it and present evidence on its behalf. Upon good cause shown, the Commissioner shall permit any adversely affected person to intervene, appear, and be heard at such hearing by counsel or in person. (1981, c. 846, s. 1; 2003-262, s. 2(2).)

 

§ 58-39-85.  Service of process; insurance-support organizations.

For the purpose of this Article, an insurance-support organization transacting business outside this State that has an effect on a person residing in this State shall be deemed to have appointed the Commissioner to accept service of process on its behalf. The provisions of G.S. 58-16-30 and 58-16-45 shall apply to service of process under this section, except that such service shall be mailed to the insurance-support organization at its last known principal place of business. (1981, c. 846, s. 1; 1985, c. 666, s. 9; 2003-262, s. 2(2).)

 

§ 58-39-90.  Cease and desist orders.

If, after a hearing pursuant to G.S. 58-39-80, the Commissioner determines that the insurance institution, agent, or insurance-support organization charged has engaged in conduct or practices in violation of this Article, he may issue an order requiring such insurance institution, agent, or insurance-support organization to cease and desist from the conduct or practices constituting a violation of this Article. (1981, c. 846, s. 1; 2003-262, s. 2(2).)

 

§ 58-39-95.  Penalties.

(a) In any case where a hearing pursuant to G.S. 58-39-80 results in the findings of a violation of this Article, the Commissioner, in addition to the issuance of a cease and desist order as prescribed in G.S. 58-39-90, may levy a civil penalty under G.S. 58-2-70.

(b) Any person who violates a cease and desist order of the Commissioner under G.S. 58-39-90, after notice and hearing and upon order of the court, may be subject to one or more of the following penalties, at the discretion of the court:

(1) A monetary fine of not more than ten thousand dollars ($10,000) for each violation; or

(2) A monetary fine of not more than fifty thousand dollars ($50,000) if the court finds that violations have occurred with such frequency as to constitute a general business practice; or

(3) Suspension or revocation of an insurance institution's or agent's license.

(c) The clear proceeds of any civil penalties levied pursuant to this section shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with G.S. 115C-457.2. (1981, c. 846, s. 1; 1991, c. 720, s. 73; 1998-215, s. 89(b); 2003-262, s. 2(2).)

 

§ 58-39-100.  Appeal of right.

From any final order of the Commissioner issued pursuant to the provisions of this Article there shall be an appeal as provided in G.S. 58-2-75. (1981, c. 846, s. 1; 2003-262, s. 2(2).)

 

§ 58-39-105.  Individual remedies.

(a) If any insurance institution, agent, or insurance-support organization fails to comply with G.S. 58-39-45, 58-39-50, or 58-39-55 with respect to the rights granted under those sections, any person whose rights are violated may apply to the superior court in the county in which such person resides for appropriate equitable relief.

(b) An insurance institution, agent, or insurance-support organization that discloses information in violation of G.S. 58-39-75 shall be liable for damages sustained by the individual to whom the information relates. No individual, however, shall be entitled to a monetary award that exceeds the actual damages sustained by the individual as a result of a violation of G.S. 58-39-75.

(c) In any action brought pursuant to this section, the court may award the cost of the action and reasonable attorney's fees to the prevailing party.

(d) An action under this section must be brought within two years from the date the alleged violation is or should have been discovered.

(e) Except as specifically provided in this section, there shall be no remedy or recovery available to individuals for any occurrence that constitutes a violation of any provision of this Article. (1981, c. 846, s. 1; 2003-262, s. 2(2).)

 

§ 58-39-110.  Immunity.

No cause of action in the nature of defamation, invasion of privacy, or negligence shall arise against any person for disclosing personal or privileged information in accordance with this Article, nor shall such a cause of action arise against any person for furnishing personal or privileged information to an insurance institution, agent, or insurance-support organization: Provided, however, this section shall provide no immunity for disclosing or furnishing false information with malice or willful intent to injure any person. (1981, c. 846, s. 1; 2003-262, s. 2(2).)

 

§ 58-39-115.  Obtaining information under false pretenses.

Any person who knowingly and willfully obtains information about an individual from an insurance institution, agent, or insurance-support organization under false pretenses shall, upon conviction, be guilty of a Class 1 misdemeanor. (1981, c. 846, s. 1; 1985, c. 666, s. 33; 1993, c. 539, s. 465; 1994, Ex. Sess., c. 24, s. 14(c); 2003-262, s. 2(2).)

 

§ 58-39-120.  Rights.

The rights granted under G.S. 58-39-45, 58-39-50, and 58-39-75 shall take effect on July 1, 1982, regardless of the date of the collection or receipt of the information that is the subject of such sections. (1981, c. 846, s. 1; c. 1127, s. 56; 2003-262, s. 2(2).)

 

§ 58-39-125.  Powers of the Commissioner.

(a) The Commissioner shall have the power to examine and investigate into the affairs of every insurance institution or agent doing business in this State to determine whether the insurance institution or agent has been or is engaged in any conduct in violation of this Article.

(b) The Commissioner shall have the power to examine and investigate the affairs of every insurance-support organization that acts on behalf of an insurance institution or agent and that either (i) transacts business in this State, or (ii) transacts business outside this State and has an effect on a person residing in this State in order to determine whether such insurance-support organization has been or is engaged in any conduct in violation of this Article. (1981, c. 846, s. 1; 2003-262, ss. 2(1), 2(3).)

 

Part 3. Customer Information Safeguards.

§ 58-39-130.  Purpose.

The purpose of this Part is to establish standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, as required by sections 501, 505(b), and 507 of the federal Gramm-Leach-Bliley Act (Public Law 106-102), codified as 15 U.S.C. §§ 6801, 6805(b), and 6807. The purpose of this Part is also to provide privacy and security protection consistent with federal regulations governing the privacy and security of medical records when this Part is consistent with those federal regulations. In those instances in which this Part and the federal regulations are inconsistent and this Part provides privacy and security protection beyond that offered by the federal regulations, the purpose of this Part is to provide that additional privacy and security protection. (2003-262, s. 4.)

 

§ 58-39-135.  Scope.

The safeguards established under this Part apply to all customer information as defined in G.S. 58-39-140. (2003-262, s. 4.)

 

§ 58-39-140.  Definitions.

As used in this Part, in addition to the definitions in G.S. 58-39-15:

(1) "Customer" means an applicant with or policyholder of a licensee.

(2) "Customer information" means nonpublic personal information about a customer, whether in paper, electronic, or other form that is maintained by or on behalf of the licensee.

(3) "Customer information systems" means the electronic or physical methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

(4) "Licensee" means any producer, as defined in G.S. 58-33-10(7), insurer, MEWA, HMO, or service corporation governed by this Chapter. "Licensee" does not mean:

a. An insurance-support organization.

b. A licensee who is a natural person operating within the scope of the licensee's employment by or affiliation with an insurer or producer.

c. A surplus lines insurer or licensee under Article 21 of this Chapter.

(5) "Service provider" means a person that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the licensee and includes an insurance support organization. (2003-262, s. 4.)

 

§ 58-39-145.  Information security program.

Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities. (2003-262, s. 4.)

 

§ 58-39-150.  Objectives of information security program.

A licensee's information security program shall be designed to:

(1) Ensure the security and confidentiality of customer information;

(2) Protect against any anticipated threats or hazards to the security or integrity of the information; and

(3) Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer. (2003-262, s. 4.)

 

§ 58-39-155.  Rules.

The Commissioner may adopt rules that the Commissioner deems necessary to carry out the purposes of this Part, including rules that govern licensee oversight of service providers with which it contracts or has a relationship. (2003-262, s. 4.)

 

§ 58-39-160.  Violation.

A violation of G.S. 58-39-145 or G.S. 58-39-150 subjects the violator to Part 2 of this Article. (2003-262, s. 4.)

 

§ 58-39-165.  Effective date.

Each licensee shall establish an information security program, including appropriate policies and systems under this Part by April 1, 2005. (2003-262, s. 4.)