HBA-NRS C.S.S.B. 712 77(R)

BILL ANALYSIS

Office of House Bill Analysis
C.S.S.B. 712
By: Sibley
Insurance
5/14/2001
Committee Report (Substituted)

BACKGROUND AND PURPOSE

Congress enacted the Gramm-Leach-Bliley Act (GLBA) in part to require state insurance authorities to adopt requirements on privacy and disclosure of nonpublic personal financial information applicable to the insurance industry. The National Association of Insurance Commissioners (NAIC) developed a privacy model in an effort to aid states in adopting consistent privacy requirements for insurers. C.S.S.B. 712 requires insurers and other entities regulated by the Texas Department of Insurance to comply with requirements of GLBA and requires the commissioner of insurance to adopt rules consistent with GLBA based on the NAIC privacy model.

RULEMAKING AUTHORITY

It is the opinion of the Office of House Bill Analysis that rulemaking authority is expressly delegated to the commissioner of insurance in SECTION 1 (Article 28A.51, Insurance Code) and SECTION 2 of this bill.

ANALYSIS

C.S.S.B. 712 amends the Insurance Code to require a covered entity to comply with federal provisions relating to obligations with respect to the disclosure of personal information and the disclosure of a privacy policy in the same manner as a financial institution. The bill requires an entity that is a nonaffiliated third party in relation to a covered entity to comply with federal limits on the reuse of information obtained from a financial institution. The disclosure of such information does not apply to a covered entity to the extent that the entity is acting solely as an insurance agent or other authorized representative for another covered entity.

The bill provides that provisions relating to privacy do not affect the authority of the Texas Department of Insurance (TDI) or another state agency to adopt stricter rules governing the treatment of health information by a covered entity, if another law gives TDI or an agency that authority, including any laws or rules of this state related to the privacy of individually identifiable health information under the federal Health Insurance Portability and Accountability Act of 1996.

The bill requires the commissioner of insurance (commissioner) to adopt rules to implement the provisions and any other rules necessary to carry out federal provisions relating to the disclosure of nonpublic personal information to make this state eligible to override federal regulations not later than 30 days after the effective date of this bill. The bill also requires the commissioner to ensure that state privacy requirements are consistent with and not more strict than federal regulations. The bill authorizes the commissioner to adopt these initial rules on an emergency basis.

The bill requires TDI to implement standards for insurers and other entities as they apply to federal institutions and requires TDI to enforce provisions relating to the disclosure of nonpublic personal information. The bill authorizes the attorney general to institute an action for injunctive or declaratory relief to restrain a violation of the enforcement of the disclosure of nonpublic personal information. The bill authorizes the attorney general to institute an action for civil penalties against a covered entity or a nonaffiliated third party for a violation of the enforcement of the disclosure of nonpublic personal information. The bill prohibits a civil penalty from exceeding $3,000 for each violation, except that if a court finds that the violations have occurred with such frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $250,000.

EFFECTIVE DATE

On passage, or if the Act does not receive the necessary vote, the Act takes effect September 1, 2001.

COMPARISON OF ORIGINAL TO SUBSTITUTE

C.S.S.B. 712 modifies the original bill to include other authorized representatives under the exemption from provisions relating to the disclosure of information obtained from a financial institution. The substitute requires the commissioner of insurance to ensure, rather than attempt to ensure, that state privacy requirements are consistent with and not more strict than federal regulations relating to the disclosure of nonpublic personal information.