NEW JERSEY ADMINISTRATIVE CODE
TITLE 11. DEPARTMENT OF BANKING AND INSURANCE DIVISION OF INSURANCE
CHAPTER 1. ADMINISTRATION
SUBCHAPTER 44. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Current through April 19, 2004; 36 N.J. Reg. No. 8
11:1-44.1 Purpose and scope
(a) This subchapter establishes standards for developing and implementing administrative,
technical and physical safeguards to protect the security, confidentiality and
integrity of customer information, pursuant to Sections 501, 505(b) and 507
of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801, 6805(b) and 6807.
(b) This subchapter shall apply to all licensees as defined herein.
(c) This subchapter shall not be deemed to limit or affect the duty of a licensee
to maintain the confidentiality of information required to be kept confidential
pursuant to law, including, but not limited to, N.J.S.A. 17:23A-1 et seq.
11:1-44.2 Definitions
The following words and terms, when used in this subchapter, shall have the
following meanings, unless the context clearly indicates otherwise:
"Consumer" means an individual who seeks to obtain, obtains or has
obtained an insurance product or service from a licensee that is to be used
primarily for personal, family or household purposes, and about whom the licensee
has nonpublic personal information, or that individual's legal representative.
"Customer" means a consumer who has a customer relationship with a
licensee.
"Customer information" means nonpublic personal information as defined
in this section about a customer, whether in paper, electronic or other form,
that is maintained by or on behalf of the licensee.
"Customer information systems" means the electronic or physical methods
used to access, collect, store, use, transmit, protect or dispose of customer
information.
"Customer relationship" means a continuing relationship between a
consumer and a licensee under which the licensee provides one or more insurance
products or services to the consumer that are to be used primarily for personal,
family or household purposes.
1. A consumer has a continuing relationship with a licensee if:
i. The consumer is a current policyholder of an insurance product issued by
or through the licensee; or
ii. The consumer obtains financial, investment or economic advisory services
relating to an insurance product or service from the licensee for a fee.
2. A consumer does not have a continuing relationship with a licensee if:
i. The consumer applies for insurance but does not purchase the insurance;
ii. The licensee sells the consumer airline travel insurance in an isolated
transaction;
iii. The individual is no longer a current policyholder of an insurance product
or no longer obtains insurance services with or through the licensee;
iv. The consumer is a beneficiary or claimant under a policy and has submitted
a claim under a policy choosing a settlement option involving an ongoing relationship
with the licensee;
v. The consumer is a beneficiary or a claimant under a policy and has submitted
a claim under that policy choosing a lump sum settlement option;
vi. The customer's policy lapsed, expired or otherwise became inactive or dormant
under the licensee's business practices, and the licensee has not communicated
with the customer about the relationship for a period of 12 consecutive months,
except through annual privacy notices, material distributions or mass mailings
required by law or regulation, communication at the direction of a State or
Federal authority, or promotional materials;
vii. The individual is an insured or an annuitant under an insurance policy
or annuity, respectively, but is not the policyholder or owner of the insurance
policy or annuity; or
viii. The individual's last known address of record is deemed invalid for the
purposes of this subchapter. An address of record is deemed invalid if mail
sent to that address by the licensee has been returned by the postal authorities
as undeliverable and if subsequent attempts by the licensee to obtain a current
valid address for the individual have been unsuccessful.
"Licensee" means all licensed insurers, producers and other persons
licensed or required to be licensed, or authorized or required to be authorized,
or registered or required to be registered pursuant to Titles 17 and 17B of
the New Jersey Statutes, health maintenance organizations holding a certificate
of authority pursuant to N.J.S.A. 26:2J-1 et seq., and any other person or entity
subject to the statute governing information practices at N.J.S.A. 17:23A-1
et seq. "Licensee" shall not include: a purchasing group; or an unauthorized
insurer in regard to the surplus lines business conducted pursuant to N.J.S.A.
17:22-6.40 et seq.
"Nonpublic personal information" means "personal information"
and "privileged information" as defined in N.J.S.A. 17:23A-2t and
w, respectively.
"Service provider" means a person that maintains, processes or otherwise
is permitted access to customer information through its provision of services
directly to the licensee.
11:1-44.3 Information security program
(a) Each licensee shall implement a comprehensive written information security
program that includes administrative, technical and physical safeguards for
the protection of customer information. The administrative, technical and physical
safeguards included in the information security program shall be appropriate
to the size and complexity of the licensee and the nature and scope of its activities.
(b) A licensee shall maintain and make available appropriate records to enable
the Department to determine compliance with the requirements of this subchapter.
11:1-44.4 Objectives of information security program
(a) A licensee's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity
of customer information; and
3. Protect against unauthorized access to or use of customer information that
could result in substantial harm or inconvenience to any customer.
11:1-44.5 Examples of methods of development and implementation
The actions and procedures described in N.J.A.C. 11:1-44.6 through 44.9 are
examples of methods of implementation of the requirements of N.J.A.C. 11:1-44.3
and 44.4. These examples are non-exclusive illustrations of actions and procedures
that licensees may follow to implement N.J.A.C. 11:1-44.3 and 44.4.
11:1-44.6 Assessment of risk
The licensee identifies reasonably foreseeable internal or external threats
that could result in unauthorized disclosure, misuse, alteration or destruction
of customer information or customer information systems; assesses the likelihood
and potential damage of these threats, taking into consideration the sensitivity
of customer information; and assesses the sufficiency of policies, procedures,
customer information systems and other safeguards in place to control risks.
11:1-44.7 Management and control of risk
The licensee designs its information security program to control the identified
risks, commensurate with the sensitivity of the information, as well as the
complexity and scope of the licensee's activities; trains staff, as appropriate,
to implement the licensee's information security program; and regularly tests
or otherwise regularly monitors the key controls, systems and procedures of
the information security program. The frequency and nature of these tests or
other monitoring practices are determined by the licensee's risk assessment.
11:1-44.8 Service provider agreements
The licensee exercises appropriate due diligence in selecting its service providers;
and requires its service providers to implement appropriate measures designed
to meet the objectives of this subchapter, and, where indicated by the licensee's
risk assessment, takes appropriate steps to confirm that its service providers
have satisfied these obligations.
11:1-44.9 Adjustment of the program
The licensee monitors, evaluates and adjusts, as appropriate, the information
security program in light of any relevant changes in technology, the sensitivity
of its customer information, internal or external threats to information, and
the licensee's own changing business arrangements, such as mergers and acquisitions,
alliances and joint ventures, outsourcing arrangements and changes to customer
information systems.
11:1-44.10 Violations
Failure to comply with the provisions of this subchapter shall be deemed to
constitute a violation of the statutes governing trade practices at N.J.S.A.
17:29B-1 et seq. and 17B:30-1 et seq., as applicable, and shall result in the
imposition of penalties as provided in those statutes, N.J.S.A. 17:22A-26 et
seq., 17:23A-1 et seq., 17:33-2, and any other provision of law.
11:1-44.11 Effective date
A licensee shall establish and implement an information security program, including
appropriate policies and systems pursuant to this subchapter, by October 19,
2004.