Bulletin: NJ000087

v 1
Date: June 02, 2004
To: All Issuing Offices in New Jersey
RE: Standards for Safeguarding Customer Information - N.J.A.C. 11:1-44.1 et seq.

Dear Associates:

The New Jersey Department of Banking and Insurance has promulgated new regulations concerning the Standards for Safeguarding Customer Information, which appear at N.J.A.C. 11:1-44.1 et seq. The new requirements become effective on October 19, 2004. The regulations establish...

THIS BULLETIN IS FURNISHED TO INFORM YOU OF CURRENT DEVELOPMENTS. AS A REMINDER, YOU ARE CHARGED WITH KNOWLEDGE OF THE CONTENT ON VIRTUAL UNDERWRITER AS IT EXISTS FROM TIME TO TIME AS IT APPLIES TO YOU, AS WELL AS ANY OTHER INSTRUCTIONS. OUR UNDERWRITING AGREEMENTS DO NOT AUTHORIZE OUR ISSUING AGENTS TO ENGAGE IN SETTLEMENTS OR CLOSINGS ON BEHALF OF STEWART TITLE GUARANTY COMPANY. THIS BULLETIN IS NOT INTENDED TO DIRECT YOUR ESCROW OR SETTLEMENT PRACTICES OR TO CHANGE PROVISIONS OF APPLICABLE UNDERWRITING AGREEMENTS. CONFIDENTIAL, PROPRIETARY, OR NONPUBLIC PERSONAL INFORMATION SHOULD NEVER BE SHARED OR DISSEMINATED EXCEPT AS ALLOWED BY LAW. IF APPLICABLE STATE LAW OR REGULATION IMPOSES ADDITIONAL REQUIREMENTS, YOU SHOULD CONTINUE TO COMPLY WITH THOSE REQUIREMENTS.

NEW JERSEY ADMINISTRATIVE CODE
TITLE 11. DEPARTMENT OF BANKING AND INSURANCE DIVISION OF INSURANCE
CHAPTER 1. ADMINISTRATION

SUBCHAPTER 44. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Current through April 19, 2004; 36 N.J. Reg. No. 8

11:1-44.1 Purpose and scope

(a) This subchapter establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to Sections 501, 505(b) and 507 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801, 6805(b) and 6807.
(b) This subchapter shall apply to all licensees as defined herein.
(c) This subchapter shall not be deemed to limit or affect the duty of a licensee to maintain the confidentiality of information required to be kept confidential pursuant to law, including, but not limited to, N.J.S.A. 17:23A-1 et seq.

11:1-44.2 Definitions

The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise:
"Consumer" means an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information, or that individual's legal representative.
"Customer" means a consumer who has a customer relationship with a licensee.
"Customer information" means nonpublic personal information as defined in this section about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee.
"Customer information systems" means the electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.
"Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.
1. A consumer has a continuing relationship with a licensee if:
i. The consumer is a current policyholder of an insurance product issued by or through the licensee; or
ii. The consumer obtains financial, investment or economic advisory services relating to an insurance product or service from the licensee for a fee.
2. A consumer does not have a continuing relationship with a licensee if:
i. The consumer applies for insurance but does not purchase the insurance;
ii. The licensee sells the consumer airline travel insurance in an isolated transaction;
iii. The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
iv. The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a settlement option involving an ongoing relationship with the licensee;
v. The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
vi. The customer's policy lapsed, expired or otherwise became inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12 consecutive months, except through annual privacy notices, material distributions or mass mailings required by law or regulation, communication at the direction of a State or Federal authority, or promotional materials;
vii. The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or
viii. The individual's last known address of record is deemed invalid for the purposes of this subchapter. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful.
"Licensee" means all licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to Titles 17 and 17B of the New Jersey Statutes, health maintenance organizations holding a certificate of authority pursuant to N.J.S.A. 26:2J-1 et seq., and any other person or entity subject to the statute governing information practices at N.J.S.A. 17:23A-1 et seq. "Licensee" shall not include: a purchasing group; or an unauthorized insurer in regard to the surplus lines business conducted pursuant to N.J.S.A. 17:22-6.40 et seq.
"Nonpublic personal information" means "personal information" and "privileged information" as defined in N.J.S.A. 17:23A-2t and w, respectively.
"Service provider" means a person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.

11:1-44.3 Information security program

(a) Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
(b) A licensee shall maintain and make available appropriate records to enable the Department to determine compliance with the requirements of this subchapter.

11:1-44.4 Objectives of information security program

(a) A licensee's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of customer information; and
3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

11:1-44.5 Examples of methods of development and implementation

The actions and procedures described in N.J.A.C. 11:1-44.6 through 44.9 are examples of methods of implementation of the requirements of N.J.A.C. 11:1-44.3 and 44.4. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement N.J.A.C. 11:1-44.3 and 44.4.

11:1-44.6 Assessment of risk

The licensee identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems; assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.

11:1-44.7 Management and control of risk

The licensee designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities; trains staff, as appropriate, to implement the licensee's information security program; and regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

11:1-44.8 Service provider agreements

The licensee exercises appropriate due diligence in selecting its service providers; and requires its service providers to implement appropriate measures designed to meet the objectives of this subchapter, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

11:1-44.9 Adjustment of the program

The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.

11:1-44.10 Violations

Failure to comply with the provisions of this subchapter shall be deemed to constitute a violation of the statutes governing trade practices at N.J.S.A. 17:29B-1 et seq. and 17B:30-1 et seq., as applicable, and shall result in the imposition of penalties as provided in those statutes, N.J.S.A. 17:22A-26 et seq., 17:23A-1 et seq., 17:33-2, and any other provision of law.

11:1-44.11 Effective date

A licensee shall establish and implement an information security program, including appropriate policies and systems pursuant to this subchapter, by October 19, 2004.