We were recently asked about the extent to which your insurance company can share your personal information.

This question begins with the privacy protections under federal law found in the 1999 Gramm-Leach-Bliley Act (the Act).1 Title V of this Act relates to consumer privacy, and contains rules about how financial institutions may share “non-public personal information” (“NPI”) that they obtain from and about you. NPI is a broad category of information that can include, for example, your address, Social Security Number, account numbers, and any personally identifiable information you entered on an application.

NPI does not include public information. If your lender has recorded a mortgage on your property, this information may be found in your local county records and does not enjoy any privacy protections under the Act.2

The Act does not generally prohibit the dissemination of NPI, but instead requires each financial institution to provide you with a notice of its privacy policy. This privacy notice should describe how and when your NPI may be shared. Most people barely glance at this notice, but you should read it carefully. This is because the institution is also required to provide some means of “opting out” of any NPI sharing it may have planned. This “opt-out” is important, because, in the world of financial institution law, if you do not “opt out,” you are deemed to have given your permission to the institution to share your NPI.3

Although insurance is regulated at the state level, Title V of the Act requires state governments to adopt privacy codes for insurance companies.4 Most states have adopted some variant of the model regulations published by the National Association of Insurance Commissioners, and these codes are typically available to the public online. Texas, for example, codified its privacy codes under the Act in 2001, which can be found on the Secretary of State’s website.5

As you can see just by skimming the Texas regulations, privacy regulations are lengthy and chock-full of exceptions, cross-references, and other potentially confusing language. For example, a common exception is that a financial institution (including an insurance company) need not obtain your approval to share your NPI with an affiliated company. In addition, the financial institution may disclose your NPI to the extent it deems it necessary to provide or sell services to you. An insurance company may provide information about you and your policy to a claims adjuster without obtaining your permission.

Federal and state privacy law is complex and it varies from state to state, so I have just provided a very introductory description here. If you have specific questions, review the codes themselves, consult your state insurance department, or contact an attorney. And you should read your own policy’s privacy notice, of course.

1 Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999.
2 15 U.S.C. § 6809.
3 15 U.S.C. § 6802.
4 15 U.S.C. § 6701.
5 http://texreg.sos.state.tx.us/public/readtac$ext.ViewTAC?tac_view=5&ti=28&pt=1&ch=22&sch=A&rl=Y