Code of Virginia
Title 38.2. Insurance
Chapter 6. Insurance Information and Privacy Protection
11/5/2024

Chapter 6. Insurance Information and Privacy Protection.

Article 1. Collection, Use, and Dissemination of Information.

§ 38.2-600. Purposes.

The purposes of this article are to:

1. Establish standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organizations;

2. Maintain a balance between the need for information by those conducting the business of insurance and the public's need for fairness in insurance information practices, including the need to minimize intrusiveness;

3. Establish a regulatory mechanism to enable natural persons to ascertain what information is being or has been collected about them in connection with insurance transactions and to have access to such information for the purpose of verifying or disputing its accuracy;

4. Limit the disclosure of information collected in connection with insurance transactions; and

5. Enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision.

1981, c. 389, § 38.1-57.3; 1986, c. 562; 2020, c. 264.

§ 38.2-601. Application of article.

A. The obligations imposed by this article shall apply to those insurance institutions, agents or insurance-support organizations that:

1. In the case of life or accident and sickness insurance:

a. Collect, receive or maintain information in connection with insurance transactions that pertains to natural persons who are residents of the Commonwealth; or

b. Engage in insurance transactions with applicants, individuals, or policyholders who are residents of the Commonwealth; and

2. In the case of property or casualty insurance:

a. Collect, receive or maintain information in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth; or

b. Engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth.

B. The rights granted by this article shall extend to:

1. In the case of life or accident and sickness insurance, the following persons who are residents of the Commonwealth:

a. Natural persons who are the subject of information collected, received or maintained in connection with insurance transactions; and

b. Applicants, individuals or policyholders who engage in or seek to engage in insurance transactions; and

2. In the case of property or casualty insurance, the following persons:

a. Natural persons who are the subject of information collected, received or maintained in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth; and

b. Applicants, individuals, or policyholders who engage in or seek to engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the Commonwealth.

C. For purposes of this section, a person shall be considered a resident of the Commonwealth if the person's last known mailing address, as shown in the records of the insurance institution, agent or insurance-support organization, is located in the Commonwealth.

D. Notwithstanding subsections A and B, this article shall not apply to information collected from the public records of a governmental authority and maintained by an insurance institution or its representatives for the purpose of insuring the title to real property located in the Commonwealth.

E. The provisions of this article shall apply only to insurance purchased primarily for personal, family or household purposes.

1981, c. 389, § 38.1-57.4; 1986, c. 562; 2001, c. 371; 2020, c. 264.

§ 38.2-602. Definitions.

As used in this article:

"Adverse underwriting decision" means:

1. Any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:

a. A declination of insurance coverage;

b. A termination of insurance coverage;

c. Failure of an agent to apply for insurance coverage with a specific insurance institution that an agent represents and that is requested by an applicant;

d. In the case of a property or casualty insurance coverage:

(1) Placement by an insurance institution or agent of a risk with a residual market mechanism or an unlicensed insurer; or

(2) The charging of a higher rate on the basis of information that differs from that which the applicant or policyholder furnished; or

e. In the case of a life or accident and sickness insurance coverage, an offer to insure at higher than standard rates, or with limitations, exceptions or benefits other than those applied for.

2. Notwithstanding subdivision 1 of this definition, the following actions shall not be considered adverse underwriting decisions, but the insurance institution or agent responsible for their occurrence shall provide the applicant or policyholder with the specific reason or reasons for their occurrence:

a. The termination of an individual policy form on a class or statewide basis;

b. A declination of insurance coverage solely because such coverage is not available on a class or statewide basis;

c. The rescission of a policy.

"Affiliate" or "affiliated" means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person.

"Agent" shall have the meaning as set forth in § 38.2-1800 and shall include surplus lines brokers.

"Applicant" means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

"Clear and conspicuous notice" means a notice that is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

"Consumer report" means any written, oral, or other communication of information bearing on a natural person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living that is used or expected to be used in connection with an insurance transaction.

"Consumer reporting agency" means any person who:

1. Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee;

2. Obtains information primarily from sources other than insurance institutions; and

3. Furnishes consumer reports to other persons.

"Control," including the terms "controlled by" or "under common control with," means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.

"Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.

"Financial information" means personal information other than medical record information or records of payment for the provision of health care to an individual.

"Financial institution" means any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843 (k)).

"Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843 (k)).

"Individual" means any natural person who:

1. In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder;

2. In the case of life or accident and sickness insurance, is a past, present, or proposed principal insured or certificate holder;

3. Is a past, present or proposed policyowner;

4. Is a past or present applicant;

5. Is a past or present claimant;

6. Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this article;

7. For the purposes of §§ 38.2-612.1 and 38.2-613, is a beneficiary of a life insurance policy;

8. For the purposes of §§ 38.2-612.1 and 38.2-613, is a mortgagor of a mortgage covered under a mortgage guaranty insurance policy; or

9. For the purposes of §§ 38.2-612.1 and 38.2-613, is an owner of property used as security for an indebtedness for which single interest insurance is required by a lender.

Notwithstanding any provision of this definition to the contrary, for purposes of § 38.2-612.1, "individual" shall not include any natural person who is covered under an employee benefit plan, group or blanket insurance contract, or group annuity contract when the insurance institution or agent that provides such plan or contract: (i) furnishes the notice required under § 38.2-604.1 to the employee benefit plan sponsor, group or blanket insurance contract holder, or group annuity contract holder; and (ii) does not disclose the financial information of the person to a nonaffiliated third party other than as permitted under § 38.2-613.

"Institutional source" means any person or governmental entity that provides information about an individual to an agent, insurance institution or insurance-support organization, other than:

1. An agent;

2. The individual who is the subject of the information; or

3. A natural person acting in a personal capacity rather than in a business or professional capacity.

"Insurance institution" means any corporation, association, partnership, reciprocal exchange, inter-insurer, Lloyd's type of organization, fraternal benefit society, or other person engaged in the business of insurance, including health maintenance organizations, and health, legal, dental, and optometric service plans. "Insurance institution" shall not include agents or insurance-support organizations.

"Insurance-support organization" means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including (i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction or (ii) the collection of personal information from insurance institutions, agents or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. However, the following persons shall not be considered "insurance-support organizations" for purposes of this article: agents, governmental institutions, insurance institutions, medical-care institutions and medical professionals.

"Insurance transaction" means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails:

1. The determination of an individual's eligibility for an insurance coverage, benefit or payment; or

2. The servicing of an insurance application, policy, contract, or certificate.

"Investigative consumer report" means a consumer report or a portion thereof in which information about a natural person's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning such items of information.

"Joint marketing agreement" means a formal written contract pursuant to which an insurance institution jointly offers, endorses, or sponsors a financial product or service with another financial institution.

"Life insurance" includes annuities.

"Medical-care institution" means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home-health agencies, medical clinics, rehabilitation agencies, and public-health agencies or health-maintenance organizations.

"Medical professional" means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, chiropractor, optometrist, physical or occupational therapist, social worker, clinical dietitian, clinical psychologist, licensed professional counselor, licensed marriage and family therapist, pharmacist, or speech therapist.

"Medical-record information" means personal information that:

1. Relates to an individual's physical or mental condition, medical history, or medical treatment; and

2. Is obtained from a medical professional or medical-care institution, from the individual, or from the individual's spouse, parent, or legal guardian.

"Nonaffiliated third party" means any person who is not an affiliate of an insurance institution but does not mean (i) an agent who is selling or servicing a product on behalf of the insurance institution or (ii) a person who is employed jointly by the insurance institution and the company that is not an affiliate.

"Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. "Personal information" includes an individual's name and address and medical-record information, but does not include (i) privileged information or (ii) any information that is publicly available.

"Policyholder" means any person who:

1. In the case of individual property or casualty insurance, is a present named insured;

2. In the case of individual life or accident and sickness insurance, is a present policyowner; or

3. In the case of group insurance that is individually underwritten, is a present group certificate holder.

"Policyholder information" means personal information about a policyholder, whether in paper, electronic, or other form, that is maintained by or on behalf of an insurance institution, agent, or insurance-support organization.

"Pretext interview" means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

1. Pretends to be someone he or she is not;

2. Pretends to represent a person he or she is not in fact representing;

3. Misrepresents the true purpose of the interview; or

4. Refuses to identify himself or herself upon request.

"Privileged information" means any individually identifiable information that (i) relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual, and (ii) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual.

"Residual market mechanism" means an association, organization, or other entity defined, described, or provided for in the Virginia Automobile Insurance Plan as set forth in § 38.2-2015, or in the Virginia Property Insurance Association as set forth in Chapter 27 (§ 38.2-2700 et seq.) of this title.

"Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy other than by the policyholder's request, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

"Unlicensed insurer" means an insurance institution that has not been granted a license by the Commission to transact the business of insurance in Virginia.

1981, c. 389, § 38.1-57.5; 1986, c. 562; 2001, c. 371; 2003, c. 729; 2006, c. 638; 2020, c. 264.

§ 38.2-603. Pretext interviews.

No insurance institution, agent, or insurance-support organization shall use or authorize the use of pretext interviews to obtain information in connection with an insurance transaction. However, a pretext interview may be undertaken to obtain information from a person or institution that does not have a generally or statutorily recognized privileged relationship with the person about whom the information relates for the purpose of investigating a claim where, based upon specific information available for review by the Commission, there is a reasonable basis for suspecting criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with the claim.

1981, c. 389, § 38.1-57.6; 1986, c. 562.

§ 38.2-604. Notice of information collection and disclosure practices.

A. An insurance institution or agent shall provide a notice of insurance information practices to all applicants or policyholders in connection with insurance transactions as provided in this section:

1. In the case of an application for insurance a notice shall be provided no later than:

a. At the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant or from public records;

b. At the time the collection of personal information is initiated when personal information is collected from a source other than the applicant or public records; or

c. Notwithstanding the provisions of subdivision 1 b of subsection A, when an application for insurance is made by telephone and personal information is collected from a source other than the applicant or public records, the notice of insurance information practices may be given orally at the time of application, provided that, if a policy is issued, such notice is given in writing or, if the applicant agrees, in electronic format, no later than at the time of the delivery of the insurance policy or certificate.

2. In the case of a policy renewal, a notice shall be provided no later than the policy renewal date, except that no notice shall be required in connection with a policy renewal if:

a. Personal information is collected only from the policyholder or from public records; or

b. A notice meeting the requirements of this section has been given within the previous 24 months; or

3. In the case of a policy reinstatement or change in insurance benefits, a notice shall be provided no later than the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that no notice shall be required if personal information is collected only from the policyholder or from public records.

B. The notice required by subsection A of this section shall be in writing or, if the applicant or policyholder agrees, in electronic format, and shall state:

1. Whether personal information may be collected from persons other than an individual proposed for coverage;

2. The types of personal information that may be collected and the types of sources and investigative techniques that may be used to collect such information;

3. The types of disclosures made under subdivisions 1, 2, 3, 4, 5, 8, 10, and 12 of subsection B and subdivision 2 of subsection C of § 38.2-613 and the circumstances under which such disclosures may be made without prior authorization, however only those circumstances need be described that occur with such frequency as to indicate a general business practice;

4. A description of the rights established under §§ 38.2-608 and 38.2-609 and the manner in which those rights may be exercised; and

5. That information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons.

C. Instead of the notice prescribed in subsection B of this section, the insurance institution or agent may provide an abbreviated notice in writing or, if the applicant or policyholder agrees, in electronic format, informing the applicant or policyholder that:

1. Personal information may be collected from persons other than an individual proposed for coverage;

2. The information, as well as other personal or privileged information subsequently collected by the insurance institution or agent, in certain circumstances, may be disclosed to third parties without authorization;

3. A right of access and correction exists with respect to all personal information collected; and

4. The notice prescribed in subsection B of this section will be furnished to the applicant or policyholder upon request.

D. The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

E. An insurance agent shall not be subject to the requirements of this section in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any personal information to any person other than the insurance institution or its affiliates, or as permitted by § 38.2-613.

F. [Repealed.]

G. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.

1981, c. 389, § 38.1-57.7; 1986, c. 562; 2001, c. 371; 2002, c. 76; 2003, c. 266.

§ 38.2-604.1. Notice of financial information collection and disclosure practices.

A. An insurance institution or agent shall provide clear and conspicuous notice of financial information collection and disclosure practices in connection with insurance transactions as required by subsection B of this section:

1. To an applicant before any financial information is disclosed about that applicant to any nonaffiliated third party, if the disclosure is made other than as permitted under § 38.2-613. For purposes of this subdivision, a notice provided to an employer benefit plan sponsor, group or blanket insurance contract holder, or group annuity contract holder shall satisfy the notice requirements of this subdivision for applicants of such plan, policy, or annuity, provided the insurance institution or agent does not disclose the financial information of those applicants to a nonaffiliated third party, other than as permitted under § 38.2-613;

2. To a policyholder no later than delivery or issuance of the policy or any other evidence of coverage, or at the later of these events. For purposes of this subdivision, a notice provided to an employee benefit plan sponsor, group or blanket insurance contract holder, or group annuity contract holder shall satisfy the notice requirements of this subdivision for persons covered under such plans, policies, or annuities, provided the insurance institution or agent does not disclose the financial information of those persons to a nonaffiliated third party, other than as permitted under § 38.2-613; and

3. To a policyholder, other than a policyholder of a title insurance policy, not less than once in each calendar year. A notice provided to the sponsor of an employee benefit plan or the owner of a group or blanket insurance policy or group annuity contract shall satisfy the notice requirements of this subdivision for persons covered under such plan, policy or contract. For purposes of this subdivision only, "policyholder" does not include a person who owns a policy that is lapsed, expired or otherwise inactive or dormant under the insurance institution's business practices, and with whom the insurance institution has not communicated about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials. An insurance institution or agent that provides nonpublic personal information to nonaffiliated third parties only in accordance with § 38.2-613 and has not changed its policies and practices with regard to disclosing nonpublic financial information from the policies and practices that were disclosed in the most recent notice sent to the policyholder in accordance with this section shall not be required to provide an annual notice under this section until such time as the licensee does not comply with any criteria described in this subdivision.

B. Any notice required by subsection A of this section shall be in writing or, if the applicant or policyholder agrees, in electronic format, and shall state:

1. The types of financial information that may be collected;

2. The types of financial information that may be disclosed;

3. The categories of persons to whom financial information may be disclosed; however, when disclosures are made pursuant to subsection B of § 38.2-613, the notice is only required to state that disclosures may be made without prior authorization as permitted by law;

4. If financial information is disclosed pursuant to subdivision C 1 of § 38.2-613, the types of financial information that may be disclosed and the categories of nonaffiliated third parties to whom financial information may be disclosed by contractual agreement;

5. An explanation of the right to direct that financial information not be disclosed to nonaffiliated third parties as provided in § 38.2-612.1, provided that this explanation shall not be required to be given when information is disclosed pursuant to the provisions of § 38.2-613;

6. A description of the policies and practices for protecting the confidentiality and security of financial information;

7. The disclosure required, if any, under Section 603 (d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) pertaining to the notices regarding the ability to opt out of disclosure of information among affiliates; and

8. A description of the types of financial information about former policyholders that may be disclosed and a description of the types of affiliates and nonaffiliated third parties to whom financial information about former policyholders may be disclosed; however, when disclosures are made pursuant to subsection B of § 38.2-613, the notice is only required to state that disclosures may be made without prior authorization as permitted by law.

C. An insurance institution or agent that does not disclose, and does not wish to reserve the right to disclose, financial information about policyholders or former policyholders to affiliates or nonaffiliated third parties except as authorized in subsection B of § 38.2-613 may satisfy the requirements of this section by providing a notice, as set forth in subdivisions A 2 and A 3 of this section, that:

1. States the foregoing information regarding such insurance institution or agent;

2. Includes the information described in subdivisions B 1 and B 6 of this section; and

3. States that the insurance institution or agent makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.

D. An insurance institution or agent may satisfy the notice requirements of subdivision A 1 of this section by providing a short form notice at the same time that the insurance institution or agent delivers an opt out notice as required by § 38.2-612.1. Such a short form notice shall: (i) be clear and conspicuous; (ii) state that the notice prescribed in subsection B of this section is available upon request; (iii) explain a reasonable means by which the applicant may obtain that notice; and (iv) be in writing or, if the applicant agrees, in electronic format. The insurance institution or agent is not required to deliver the notice prescribed in subsection B of this section with its short form notice, provided the insurance institution or agent provides the applicant with a reasonable means to obtain such notice.

E. The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. An insurance institution may provide a joint notice from the insurance institution and one or more of its affiliates or other financial institutions, as identified in the notice, if the notice is accurate with respect to the insurance institution and the other institutions.

F. An insurance institution or agent, prior to disclosing financial information to a nonaffiliated third party other than as described in the notice prescribed in subsection B of this section, shall send a revised notice that accurately describes its information collection and disclosure practices. Such notice shall comply with the provisions of subsection B of this section.

G. An insurance institution or agent may satisfy the notice requirements of § 38.2-604 and this section through the use of separate notices or a combined notice.

H. An insurance agent shall not be subject to the requirements of this section in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any financial information to any person other than the insurance institution or its affiliates, or as permitted by § 38.2-613.

I. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.

2001, c. 371; 2002, c. 76; 2003, c. 266; 2017, c. 648.

§ 38.2-605. Marketing and research surveys.

An insurance institution or agent shall clearly specify those questions designed to obtain information solely for marketing or research purposes from an individual in connection with an insurance transaction.

1981, c. 389, § 38.1-57.8; 1986, c. 562.

§ 38.2-606. Content of disclosure authorization forms.

Notwithstanding any other provision of law of this Commonwealth, no insurance institution, agent, or insurance-support organization shall utilize as its disclosure authorization form in connection with insurance transactions involving insurance policies or contracts issued after January 1, 1982, a form or statement that authorizes the disclosure of personal or privileged information about an individual to the insurance institution, agent, or insurance-support organization unless the form or statement:

1. Is written in plain language;

2. Is dated;

3. Specifies the types of persons authorized to disclose information about the individual;

4. Specifies the nature of the information authorized to be disclosed;

5. Names the insurance institution or agent and identifies by generic reference representatives of the insurance institution to whom the individual is authorizing information to be disclosed;

6. Specifies the purposes for which the information is collected;

7. Specifies the length of time such authorization shall remain valid, which shall be no longer than:

a. In the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement, or a request for change in policy benefits:

(1) Thirty months from the date the authorization is signed if the application or request involves life, accident and sickness, or disability insurance; or

(2) Two years from the date the authorization is signed if the application or request involves property or casualty insurance;

b. In the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:

(1) The term of coverage of the policy if the claim is for an accident and sickness insurance benefit; or

(2) The duration of the claim if the claim is not for an accident and sickness insurance benefit; and

8. Advises the individual or a person authorized to act on behalf of the individual that the individual or the individual's authorized representative is entitled to receive a copy of the authorization form.

1981, c. 389, § 38.1-57.9; 1986, c. 562; 2001, c. 371.

§ 38.2-607. Investigative consumer reports.

A. No insurance institution, agent, or insurance-support organization may prepare or request an investigative consumer report about an individual in connection with an insurance transaction involving an application for insurance, a policy renewal, a policy reinstatement or a change in insurance benefits unless the insurance institution or agent informs the individual:

1. That he may request to be interviewed in connection with the preparation of the investigative consumer report; and

2. That upon a request pursuant to § 38.2-608, he is entitled to receive a copy of the investigative consumer report.

B. If an investigative consumer report is to be prepared by an insurance institution or agent, the insurance institution or agent shall institute reasonable procedures to conduct a personal interview requested by an individual.

C. If an investigative consumer report is to be prepared by an insurance-support organization, the insurance institution or agent desiring the report shall inform the insurance-support organization whether a personal interview has been requested by the individual. The insurance-support organization shall institute reasonable procedures to conduct such interviews, if requested.

1981, c. 389, § 38.1-57.10; 1986, c. 562.

§ 38.2-608. Access to recorded personal information.

A. If any individual, after proper identification, submits a written request to an insurance institution, agent, or insurance-support organization for access to recorded personal information about the individual that is reasonably described by the individual and reasonably able to be located and retrieved by the insurance institution, agent, or insurance-support organization, the insurance institution, agent, or insurance-support organization shall within 30 business days from the date the request is received:

1. Inform the individual of the nature and substance of the recorded personal information in writing, by telephone, or by other oral communication, whichever the insurance institution, agent, or insurance-support organization prefers;

2. Permit the individual to see and copy, in person, the recorded personal information pertaining to him or to obtain a copy of the recorded personal information by mail, whichever the individual prefers, unless the recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing;

3. Disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent, or insurance-support organization has disclosed the personal information within two years prior to such request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom such information is normally disclosed; and

4. Provide the individual with a summary of the procedures by which he may request correction, amendment, or deletion of recorded personal information.

B. Any personal information provided pursuant to subsection A of this section shall identify the source of the information if it is an institutional source.

C. Medical-record information supplied by a medical-care institution or medical professional and requested under subsection A of this section, together with the identity of the medical professional or medical care institution that provided the information, shall be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the individual prefers. If the individual elects to have the information disclosed to a medical professional designated by him, the insurance institution, agent or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional.

However, disclosure directly to the individual may be denied if a treating physician, clinical psychologist, clinical social worker, or licensed professional counselor has determined, in the exercise of professional judgment, that the disclosure requested would be reasonably likely to endanger the life or physical safety of the individual or another person or that the information requested makes reference to a person other than a health care provider and disclosure of such information would be reasonably likely to cause substantial harm to the referenced person.

If disclosure to the individual is denied, upon the individual's request, the insurance institution, agent or insurance support organization shall either (i) designate a physician, clinical psychologist, clinical social worker, or licensed professional counselor acceptable to the insurance institution, agent or insurance support organization, who was not directly involved in the denial, and whose licensure, training, and experience relative to the individual's condition are at least equivalent to that of the physician, clinical psychologist, clinical social worker, or licensed professional counselor who made the original determination, who shall, at the expense of the insurance institution, agent or insurance support organization, make a judgment as to whether to make the information available to the individual; or (ii) if the individual so requests, make the information available, at the individual's expense to a physician, clinical psychologist, clinical social worker, or licensed professional counselor selected by the individual, whose licensure, training and experience relative to the individual's condition are at least equivalent to that of the physician, clinical psychologist, clinical social worker, or licensed professional counselor who made the original determination, who shall make a judgment as to whether to make the information available to the individual. The insurance institution, agent, or insurance support organization shall comply with the judgment of the reviewing physician, clinical psychologist, clinical social worker, or licensed professional counselor made in accordance with the foregoing procedures.

D. Except for personal information provided under § 38.2-610, an insurance institution, agent, or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.

E. The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subsection A of this section, an insurance institution, agent, or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.

F. The rights granted to individuals in this section shall extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subsection shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.

G. For purposes of this section, the term "insurance-support organization" does not include "consumer reporting agency."

1981, c. 389, § 38.1-57.11; 1986, c. 562; 2004, cc. 65, 1014; 2020, c. 945; 2022, c. 509.

§ 38.2-609. Correction, amendment, or deletion of recorded personal information.

A. Within thirty business days from the date of receipt of a written request from an individual to correct, amend, or delete any recorded personal information about the individual within its possession, an insurance institution, agent, or insurance-support organization shall either:

1. Correct, amend, or delete the portion of the recorded personal information in dispute; or

2. Notify the individual of:

a. Its refusal to make the correction, amendment, or deletion;

b. The reasons for the refusal; and

c. The individual's right to file a statement as provided in subsection C of this section.

B. If the insurance institution, agent, or insurance-support organization corrects, amends, or deletes recorded personal information in accordance with subdivision 1 of subsection A of this section, the insurance institution, agent, or insurance-support organization shall so notify the individual in writing and furnish the correction, amendment, or fact of deletion to:

1. Any person specifically designated by the individual who, within the preceding two years, may have received the recorded personal information;

2. Any insurance-support organization whose primary source of personal information is insurance institutions if the insurance-support organization has systematically received the recorded personal information from the insurance institution within the preceding seven years. The correction, amendment, or fact of deletion need not be furnished if the insurance-support organization no longer maintains recorded personal information about the individual; and

3. Any insurance-support organization that furnished the personal information that has been corrected, amended, or deleted.

C. Whenever an individual disagrees with an insurance institution's, agent's, or insurance-support organization's refusal to correct, amend, or delete recorded personal information, the individual shall be permitted to file with the insurance institution, agent, or insurance-support organization:

1. A concise statement setting forth what the individual thinks is the correct, relevant, or fair information; and

2. A concise statement of the reasons why the individual disagrees with the insurance institution's, agent's, or insurance-support organization's refusal to correct, amend, or delete recorded personal information.

D. In the event an individual files either statement as described in subsection C of this section, the insurance institution, agent, or support organization shall:

1. File the statement with the disputed personal information and provide a means by which anyone reviewing the disputed personal information will be made aware of the individual's statement and have access to it; and

2. In any subsequent disclosure by the insurance institution, agent, or support organization of the recorded personal information that is the subject of disagreement, clearly identify the matter or matters in dispute and provide the individual's statement along with the recorded personal information being disclosed; and

3. Furnish the statement to the persons and in the manner specified in subsection B of this section.

E. The rights granted to individuals in this section shall extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent, or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subsection shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.

F. For purposes of this section, the term "insurance-support organization" does not include "consumer reporting agency."

1981, c. 389, § 38.1-57.12; 1986, c. 562.

§ 38.2-610. Notice of adverse underwriting decision; furnishing reasons for decisions and sources of information.

A. In the event of an adverse underwriting decision, including those that involve policies referred to in subdivision 1 of subsection E of § 38.2-2114 and in subdivision 3 of subsection F of § 38.2-2212, the insurance institution or agent responsible for the decision shall give a written notice in a form approved by the Commission that:

1. Either provides the applicant, policyholder, or individual proposed for coverage with the specific reason or reasons for the adverse underwriting decision in writing or advises such person that upon written request he may receive the specific reason or reasons in writing; and

2. Provides the applicant, policyholder, or individual proposed for coverage with a summary of the rights established under subsection B of this section and §§ 38.2-608 and 38.2-609.

B. Upon receipt of a written request within ninety business days from the date of the mailing of notice or other communication of an adverse underwriting decision to an applicant, policyholder or individual proposed for coverage, the insurance institution or agent shall furnish to such person within twenty-one business days from the date of receipt of the written request:

1. The specific reason or reasons for the adverse underwriting decision, in writing, if that information was not initially furnished in writing pursuant to subdivision 1 of subsection A of this section;

2. The specific items of personal and privileged information that support those reasons, however:

a. The insurance institution or agent shall not be required to furnish specific items of privileged information if it has a reasonable suspicion, based upon specific information available for review by the Commission, that the applicant, policyholder, or individual proposed for coverage has engaged in criminal activity, fraud, material misrepresentation, or material nondisclosure; and

b. Specific items of medical-record information supplied by a medical-care institution or medical professional shall be disclosed either directly to the individual about whom the information relates or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the insurance institution or agent prefers; and

3. The names and addresses of the institutional sources that supplied the specific items of information given pursuant to subdivision 2 of subsection B of this section. However, the identity of any medical professional or medical-care institution shall be disclosed either directly to the individual or to the designated medical professional, whichever the insurance institution or agent prefers.

C. The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. However, the insurance institution or agent making an adverse underwriting decision shall remain responsible for compliance with the obligations imposed by this section.

D. When an adverse underwriting decision results solely from an oral request or inquiry, the explanation of reasons and summary of rights required by subsection A of this section may be given orally.

1981, c. 389, § 38.1-57.13; 1986, c. 562.

§ 38.2-611. Information concerning previous adverse underwriting decisions.

No insurance institution, agent, or insurance-support organization may seek information in connection with an insurance transaction concerning: (i) any previous adverse underwriting decision experienced by an individual, or (ii) any previous insurance coverage obtained by an individual through a residual market mechanism, unless the inquiry also requests the reasons for any previous adverse underwriting decision or the reasons why insurance coverage was previously obtained through a residual market mechanism.

1981, c. 389, § 38.1-57.14; 1986, c. 562.

§ 38.2-612. Bases for adverse underwriting decisions.

A. No insurance institution or agent may base an adverse underwriting decision in whole or in part:

1. On the fact of a previous adverse underwriting decision or on the fact that an individual previously obtained insurance coverage through a residual market mechanism. However, an insurance institution or agent may base an adverse underwriting decision on further information obtained from an insurance institution or agent responsible for a previous adverse underwriting decision;

2. On personal information received from an insurance-support organization whose primary source of information is insurance institutions. However, an insurance institution or agent may base an adverse underwriting decision on further personal information obtained as the result of information received from an insurance-support organization; or

3. On the fact that an individual previously obtained insurance coverage from a particular insurance institution or agent.

B. No insurance institution or agent may base an adverse underwriting decision solely on the loss history of a previous owner of the property to be insured.

1981, c. 389, § 38.1-57.15; 1986, c. 562; 1990, c. 524; 2003, c. 415.

§ 38.2-612.1. Special requirements for providing financial information to nonaffiliated third parties.

A. Except as otherwise provided in § 38.2-613, no insurance institution, agent, or insurance-support organization may, directly or through an affiliate, disclose to a nonaffiliated third party financial information about an individual collected or received in connection with an insurance transaction, unless:

1. The individual has been given a clear and conspicuous notice in writing, or in electronic form if the individual agrees, stating that such financial information may be disclosed to such nonaffiliated third party;

2. The individual is given an opportunity, before such financial information is initially disclosed, to direct that such information not be disclosed, and in no case shall the individual be given less than 30 days from the date of notice to direct that such information not be disclosed;

3. The individual is given a reasonable means by which to exercise the right to direct that such information not be disclosed as well as an explanation that such right may be exercised at any time and that such right remains effective until revoked by the individual; and

4. The nonaffiliated third party agrees not to disclose such financial information to any other person unless such disclosure would otherwise be permitted by this article if made by the insurance institution, agent, or insurance-support organization.

B. 1. No insurance institution, agent, or insurance-support organization may disclose to a nonaffiliated third party, directly or through an affiliate, other than to a consumer reporting agency, a policy number or similar form of access number or transaction account of a policyholder or applicant for use in telemarketing, direct mail marketing or other marketing through electronic mail to an applicant or policyholder, other than to:

a. An agent or other person solely for the purpose of marketing the insurance institution's own products or services as long as the agent or other person is not authorized to directly initiate charges to the account; or

b. A participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the policyholder or applicant at the time the policyholder or applicant enters the program.

2. A policy or transaction account shall not include an account to which third parties cannot initiate charges.

C. No insurance institution or agent shall unfairly discriminate against an individual because (i) the individual has directed that his personal information not be disclosed pursuant to subsection A or (ii) the individual has refused to grant authorization of the disclosure of his privileged information or medical record information by an insurance institution, agent or insurance support organization pursuant to subsection A of § 38.2-613.

D. The requirements of subsection A may be satisfied by providing a single notice if two or more applicants or policyholders jointly obtain or apply for an insurance product. Such notice shall allow one applicant or policyholder to direct that financial information not be disclosed to nonaffiliated third parties on behalf of all of the joint applicants or policyholders, provided that each applicant or policyholder may separately direct that his financial information not be disclosed to nonaffiliated third parties.

E. An insurance agent shall not be subject to the requirements of subsection A in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any financial information to any person other than the insurance institution or its affiliates, or as permitted by § 38.2-613.

F. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.

2001, c. 371; 2003, c. 266; 2020, c. 264.

§ 38.2-612.2. Protection of the Fair Credit Reporting Act.

Nothing in this article shall be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this article regarding whether information is transaction or experience information under Section 603 of that Act.

2001, c. 371; 2020, c. 264.

§ 38.2-613. Disclosure limitations and conditions.

A. An insurance institution, agent, or insurance-support organization shall not disclose any medical-record information or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is with the written authorization of the individual, provided:

1. If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirements of § 38.2-606; or

2. If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is:

a. Dated,

b. Signed by the individual, and

c. Obtained two years or less prior to the date a disclosure is sought pursuant to this subdivision.

B. Notwithstanding the provisions of subsection A, an insurance institution, agent, or insurance-support organization may disclose personal or privileged information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:

1. To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary:

a. To enable that person to perform a business, professional or insurance function for the disclosing insurance institution, agent, or insurance-support organization and that person agrees not to disclose the information further without the individual's written authorization unless the further disclosure:

(1) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

(2) Is reasonably necessary for that person to perform its function for the disclosing insurance institution, agent, or insurance-support organization; or

b. To enable that person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of:

(1) Determining an individual's eligibility for an insurance benefit or payment; or

(2) Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction; or

2. To an insurance institution, agent, or insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary:

a. To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or

b. For either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual; or

3. To a medical-care institution or medical professional for the purpose of (i) verifying insurance coverage or benefits, (ii) informing an individual of a medical problem of which the individual may not be aware or (iii) conducting an operations or services audit, provided only that information is disclosed as is reasonably necessary to accomplish the foregoing purposes; or

4. To an insurance regulatory authority; or

5. To a law-enforcement or other government authority:

a. To protect the interests of the insurance institution, agent or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or

b. If the insurance institution, agent, or insurance-support organization reasonably believes that illegal activities have been conducted by the individual; or

c. Upon written request of any law-enforcement agency, for all insured or claimant information in the possession of an insurance institution, agent, or insurance-support organization which relates to an ongoing criminal investigation. Such insurance institution, agent, or insurance-support organization shall release such information, including, but not limited to, policy information, premium payment records, record of prior claims by the insured or by another claimant, and information collected in connection with an insurance company's investigation of an application or claim. Any information released to a law-enforcement agency pursuant to such request shall be treated as confidential criminal investigation information and not be disclosed further except as provided by law. Notwithstanding any provision in this article, no insurance institution, agent, or insurance-support organization shall notify any insured or claimant that information has been requested or supplied pursuant to this section prior to notification from the requesting law-enforcement agency that its criminal investigation is completed. Within ninety days following the completion of any such criminal investigation, the law-enforcement agency making such a request for information shall notify any insurance institution, agent, or insurance-support organization from whom information was requested that the criminal investigation has been completed; or

6. Otherwise permitted or required by law; or

7. In response to a facially valid administrative or judicial order, including a search warrant or subpoena; or

8. Made for the purpose of conducting actuarial or research studies, provided:

a. No individual may be identified in any actuarial or research report, and

b. Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed, and

c. The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

9. To a party or a representative of a party to a proposed or consummated sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, agent, or insurance-support organization, provided:

a. Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation, and

b. The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

10. To a nonaffiliated third party whose only use of such information will be in connection with the marketing of a nonfinancial product or service, provided:

a. No medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from the information is disclosed,

b. The individual has been given an opportunity, in accordance with the provisions of subsection A of § 38.2-612.1, to indicate that he does not want financial information disclosed for marketing purposes and has given no indication that he does not want the information disclosed, and

c. The nonaffiliated third party receiving such information agrees not to use it except in connection with the marketing of the product or service; or

11. (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) or (ii) from a consumer report reported by a consumer reporting agency; or

12. To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit; or

13. To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional; or

14. To a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable; or

15. To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; or

16. To a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, or to persons acting in a fiduciary or representative capacity on behalf of the individual, provided that:

a. No medical record information is disclosed unless the disclosure would be permitted by this section; and

b. The information disclosed is limited to that which is reasonably necessary to permit such person to protect his interest in the policy; or

17. Necessary to effect, administer, or enforce a transaction requested or authorized by the individual, or in connection with servicing or processing an insurance product or service requested or authorized by the individual, or necessary for reinsurance purposes, or for stop loss or excess loss agreements provided for in subsection B of § 38.2-109; or

18. Pursuant to any federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services.

C. An insurance institution, agent, or insurance-support organization may disclose information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:

1. To a nonaffiliated third party whose only use of such information will be to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution's product or service or the marketing of products or services offered pursuant to a joint marketing agreement, provided:

a. No medical-record information or privileged information is disclosed without the individual's written authorization unless such disclosure is otherwise permitted by subsection B,

b. With respect to financial information, the individual has been given the notice required by subsection B of § 38.2-604.1, and

c. The person receiving such financial information agrees, by contract, (i) not to use it except to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution's product or service or the marketing of products or services offered pursuant to a joint marketing agreement, or as permitted under subsection B and (ii) to maintain the confidentiality of such information and not disclose it to any other nonaffiliated third party unless such disclosure would otherwise be permitted by this section if made by the insurance institution, agent, or insurance-support organization;

2. To an affiliate, provided:

a. No medical-record information or privileged information is disclosed without the individual's written authorization unless such disclosure is otherwise permitted by subsection B, and

b. The affiliate receiving the information does not disclose the information except as would otherwise be permitted by this section if such disclosure were made by the insurance institution, agent, or insurance-support organization.

D. 1. No person proposing to issue, re-issue, or renew any policy, contract, or plan of accident and sickness insurance defined in § 38.2-109, but excluding disability income insurance, issued by any (i) insurer providing hospital, medical and surgical or major medical coverage on an expense incurred basis, (ii) corporation providing a health services plan, or (iii) health maintenance organization providing a health care plan for health care services shall disclose any genetic information about an individual or a member of such individual's family collected or received in connection with any insurance transaction unless the disclosure is made with the written authorization of the individual.

2. For the purpose of this subsection, "genetic information" means information about genes, gene products, or inherited characteristics that may derive from an individual or a family member.

3. Agents and insurance support organizations shall be subject to the provisions of this subsection to the extent of their participation in the issue, re-issue, or renewal of any policy, contract, or plan of accident and sickness insurance defined in § 38.2-109, but excluding disability income insurance.

E. Any notices, disclosures, or authorizations required by this section may be provided electronically if the individual agrees.

F. Any privileged information about an individual that is disclosed in violation of this section shall be available to that individual in accordance with the provisions of §§ 38.2-608 and 38.2-609.

G. Except in the case of disclosures made pursuant to subdivision B 10, the requirements of subsection A of § 38.2-612.1 shall not apply when information is disclosed pursuant to this section.

1981, c. 389, § 38.1-57.16; 1986, c. 562; 1987, c. 325; 1996, c. 704; 2001, c. 371; 2020, c. 264.

§ 38.2-613.01. Commission to promulgate regulations on disclosure of certain medical test results to insurance applicants.

Pursuant to the authority granted by §§ 38.2-223 and 38.2-3100.1, the Commission shall promulgate such regulations as may be necessary or appropriate to ensure that applicants for life or accident and sickness insurance coverage or for modifications to existing coverage are notified of test results whenever insurers require such applicants to submit to testing for human immunodeficiency viruses (HIV).

1997, c. 290.

§ 38.2-613.1. Disclosure of agent's moratorium required.

If a duly appointed agent of an insurer proposes to place a policy of motor vehicle insurance as defined in § 38.2-2212 with another insurer or proposes to submit an application to the Virginia Automobile Insurance Plan solely because of a moratorium on such agent's selling, soliciting, or negotiating new motor vehicle insurance that would otherwise be acceptable to such insurer and such placement or submission would result in the applicant's being charged a higher rate, the agent shall disclose to the applicant the existence of the moratorium prior to such placement or submission.

1991, c. 269; 2001, c. 706.

§ 38.2-613.2. Repealed.

Repealed by Acts 2020, c. 264, cl. 2.

§ 38.2-614. Powers of Commission.

A. The Commission shall have the power to examine and investigate the affairs of any insurance institution or agent doing business in the Commonwealth to determine whether the insurance institution or agent has been or is engaged in any conduct in violation of this article.

B. The Commission shall have the power to examine and investigate the affairs of any insurance-support organization that acts on behalf of an insurance institution or agent and that either (i) transacts business in the Commonwealth, or (ii) transacts business outside the Commonwealth and has an effect on a person residing in the Commonwealth, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of this article.

1981, c. 389, § 38.1-57.17; 1986, c. 562; 2020, c. 264.

§ 38.2-615. Hearings and procedures.

A. Whenever the Commission has reason to believe that an insurance institution, agent or insurance-support organization has been or is engaged in conduct in the Commonwealth that violates this article, or whenever the Commission has reason to believe that an insurance-support organization has been or is engaged in conduct outside the Commonwealth that has an effect on a person residing in the Commonwealth and that violates this article, the Commission may issue and serve upon the insurance institution, agent, or insurance-support organization a statement of charges and notice of hearing to be held at a time and place fixed in the notice. The date for such hearing shall be at least ten days after the date of service.

B. At the time and place fixed for the hearing, the insurance institution, agent, or insurance-support organization charged shall have an opportunity to answer the charges against it and present evidence on its behalf. Upon good cause shown, the Commission shall permit any adversely affected person to intervene, appear, and be heard at the hearing by counsel or in person.

C. In all matters in connection with such investigation, charge, or hearing the Commission shall have the jurisdiction, power and authority granted or conferred upon it by Title 12.1.

1981, c. 389, § 38.1-57.18; 1986, c. 562; 2020, c. 264.

§ 38.2-616. Service of process on insurance-support organizations.

For the purpose of this article, an insurance-support organization transacting business outside the Commonwealth that has an effect on a person residing in the Commonwealth and which is alleged to violate this article shall be deemed to have appointed the clerk of the Commission to accept service of process on its behalf. Service on the clerk shall be made in accordance with § 12.1-19.1.

1981, c. 389, § 38.1-57.19; 1986, c. 562; 1991, c. 672; 2020, c. 264.

§ 38.2-617. Individual remedies.

A. If any insurance institution, agent, or insurance-support organization fails to comply with §§ 38.2-608, 38.2-609, or § 38.2-610, any person whose rights granted under those sections are violated may apply to a court of competent jurisdiction for appropriate equitable relief.

B. An insurance institution, agent, or insurance-support organization that discloses information in violation of § 38.2-613 shall be liable for damages sustained by the individual to whom the information relates. No individual, however, shall be entitled to a monetary award that exceeds the actual damages sustained by the individual as a result of a violation of § 38.2-613.

C. In any action brought pursuant to this section, the court may award the cost of the action and reasonable attorney's fees to the prevailing party.

D. An action under this section must be brought within two years from the date the alleged violation is or should have been discovered.

E. Except as specifically provided in this section, there shall be no remedy or recovery available to individuals, in law or in equity, for occurrences constituting a violation of any provision of this article.

1981, c. 389, § 38.1-57.24; 1986, c. 562; 2020, c. 264.

§ 38.2-618. Immunity of persons disclosing information.

No cause of action in the nature of defamation, invasion of privacy, or negligence shall arise against any person for disclosing personal or privileged information in accordance with this article, nor shall such a cause of action arise against any person for furnishing personal or privileged information to an insurance institution, agent, or insurance-support organization. However, this section shall provide no immunity for disclosing or furnishing false information with malice or willful intent to injure any person.

1981, c. 389, § 38.1-57.25; 1986, c. 562; 2020, c. 264.

§ 38.2-619. Obtaining information under false pretenses.

Any person who knowingly and willfully obtains information about an individual from an insurance institution, agent or insurance-support organization under false pretenses shall be fined not more than $10,000 or punished by confinement in jail for not more than 12 months, or both.

1981, c. 389, § 38.1-57.26; 1986, c. 562.

§ 38.2-620. Repealed.

Repealed by Acts 2020, c. 264, cl. 2.

Article 2. Insurance Data Security Act.

§ 38.2-621. Definitions.

As used in this article:

"Authorized person" means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

"Consumer" means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.

"Cybersecurity event" means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. "Cybersecurity event" does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

"Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.

"HIPAA" means the federal Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.).

"Home state" means the jurisdiction in which the producer maintains its principal place of residence or principal place of business and is licensed by that jurisdiction to act as a resident insurance producer.

"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.

"Insurance-support organization" has the same meaning as provided in § 38.2-602.

"Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

"Nonpublic information" means information that is not publicly available information and is:

1. Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;

2. Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer's (i) social security number; (ii) driver's license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer's financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or

3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family; (ii) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.

"Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.

"Person" means any individual or any nongovernmental entity, including any nongovernmental partnership, corporation, branch, agency, or association.

"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

"Third-party service provider" means (i) a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information, or otherwise is permitted access to nonpublic information through its provision of services to the licensee or (ii) an insurance-support organization.

2020, c. 264.

§ 38.2-622. Private cause of action; neither created nor curtailed.

Nothing in this article shall be construed to create or imply a private cause of action for violation of its provisions, nor shall it be construed to curtail a private cause of action which would otherwise exist in the absence of this article.

2020, c. 264.

§ 38.2-623. Information security program.

A. Commensurate with the size and complexity of the licensee; the nature and scope of the licensee's activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's assessment of the licensee's risk and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

B. Each licensee's information security program shall be designed to:

1. Protect the security and confidentiality of nonpublic information and the security of the information system;

2. Protect against any reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the information system;

3. Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and

4. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction.

C. Each licensee shall:

1. Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;

2. Design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee; the nature and scope of the licensee's activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;

3. Place access controls on information systems, including controls to authenticate and permit access only to authorized persons to protect against the unauthorized acquisition of nonpublic information;

4. At physical locations containing nonpublic information, restrict access to nonpublic information to authorized persons only;

5. Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;

6. Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;

7. Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and

8. Provide its personnel with cybersecurity awareness training.

D. 1. If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the licensee's executive management or its delegates to (i) develop, implement, and maintain the licensee's information security program and (ii) report in writing (a) the overall status of the information security program and the licensee's compliance with this article and (b) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program.

2. If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of subdivision 1.

E. Beginning July 1, 2022, if a licensee utilizes a third-party service provider, the licensee shall:

1. Exercise due diligence in selecting its third-party service provider; and

2. Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

F. Each licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

G. As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession; the licensee's information systems; or the continuing functionality of any aspect of the licensee's business or operations. Such incident response plan shall address:

1. The internal process for responding to a cybersecurity event;

2. The goals of the incident response plan;

3. The definition of clear roles, responsibilities, and levels of decision-making authority;

4. External and internal communications and information sharing;

5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

6. Documentation and reporting regarding cybersecurity events and related incident response activities; and

7. The evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.

H. Beginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and any requirements prescribed by the Commission. Each insurer shall maintain for examination by the Bureau all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the Commissioner.

2020, c. 264.

§ 38.2-624. Investigation of a cybersecurity event.

A. If a licensee learns that a cybersecurity event has or may have occurred, the licensee or an investigator shall conduct a prompt investigation.

B. During the investigation, the licensee or an investigator shall, at a minimum, determine as much of the following information as possible:

1. Determine whether a cybersecurity event has occurred;

2. Assess the nature and scope of the cybersecurity event;

3. Identify any nonpublic information that may have been involved in the cybersecurity event; and

4. Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.

C. If a licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee will complete the steps listed in subsection B or make reasonable efforts to confirm and document that the third-party service provider has completed those steps.

D. Each licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the Commissioner.

2020, c. 264.

§ 38.2-625. Notice to Commissioner.

A. If a licensee has determined that a cybersecurity event has actually occurred, such licensee shall notify the Commissioner, in accordance with requirements prescribed by the Commission, as promptly as possible but in no event later than three business days from such determination if:

1. The licensee is a domestic insurance company, or in the case of a producer, the Commonwealth is the licensee's home state and the cybersecurity event meets threshold and other requirements prescribed by the Commission; or

2. The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the Commonwealth or the licensee is required under federal law or the laws of another state to provide notice of the cybersecurity event to any government body, self-regulatory agency, or other supervisory body.

B. Notice provided pursuant to this section shall be in electronic form and shall include as much of the following information as possible:

1. The date of the cybersecurity event;

2. A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;

3. How the cybersecurity event was discovered;

4. Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;

5. The identity of the source of the cybersecurity event;

6. Whether the licensee has filed a police report or has notified any regulatory, government, or law-enforcement agencies and, if so, when such notification was provided;

7. A description of the specific types of information acquired without authorization. Specific types of information include particular data elements such as medical information, financial information, or other information allowing identification of the consumer;

8. The period during which the information system was compromised by the cybersecurity event;

9. The number of consumers in the Commonwealth affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;

10. The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;

11. A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;

12. A copy of the licensee's consumer privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and

13. The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

C. A licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.

D. Each licensee shall notify consumers in compliance with § 38.2-626, and provide a copy of the notice sent to consumers under such section to the Commissioner, when a licensee is required to notify the Commissioner under this section.

E. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

F. If a cybersecurity event involves nonpublic information that is used by a licensee that is acting as an assuming insurer or is in the possession, control, or custody of a licensee that is acting as an assuming insurer or its third-party service provider and the licensee does not have a direct contractual relationship with the affected consumers, the licensee shall notify its affected ceding insurers and the head of its supervisory state agency of its state of domicile within three business days of making the determination or receiving notice from its third-party service provider that a cybersecurity event has occurred. Ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under § 38.2-626 and any other notification requirements relating to a cybersecurity event imposed under this section.

G. If there is a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider and for which a consumer accessed the insurer's services through an independent insurance producer, the insurer shall notify the producers of record of all affected consumers as soon as practicable as directed by the Commissioner. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.

H. Nothing in this article shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under § 38.2-624 or notice requirements imposed under this section.

2020, c. 264.

§ 38.2-626. Notice to consumers.

A. A licensee that maintains consumers' nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:

1. The incident in general terms;

2. The type of nonpublic information that was subject to the unauthorized access and acquisition;

3. The general acts of the licensee to protect the consumer's nonpublic information from further unauthorized access;

4. A telephone number that the consumer may call for further information and assistance, if one exists; and

5. Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer's credit reports.

B. Notice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.

C. In the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a (p), of the timing, distribution, and content of the notice.

D. Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. § 1692a.

E. Notice required by this section and § 38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

F. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

2020, c. 264.

§ 38.2-627. Powers and duties of the Commission; exclusive state standards.

A. The Commissioner may examine and investigate the affairs of any licensee to determine whether a licensee has been or is engaged in any conduct in violation of this article. This power is in addition to the powers that the Commissioner has under Article 4 of Chapter 13 (§ 38.2-1300 et seq.) and Chapter 18 (§ 38.2-1800 et seq.). Any such investigation or examination shall be conducted pursuant to Chapters 13 and 18.

B. Whenever the Commissioner has reason to believe that a licensee has been or is engaged in conduct in the Commonwealth that violates this article, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this article.

C. The Commission may examine and investigate the affairs of any insurance-support organization that acts on behalf of an insurance institution or agent as defined in § 38.2-602 and that either (i) transacts business in the Commonwealth or (ii) transacts business outside the Commonwealth and has an effect on a person residing in the Commonwealth, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of this article.

D. The Commission shall adopt rules and regulations implementing the provisions of this article.

E. This article and any rules adopted pursuant to this article establish the exclusive state standards applicable to licensees for data security, the security of nonpublic information, the investigation of cybersecurity events, and notification of cybersecurity events for those individuals and entities subject to this article.

2020, c. 264.

§ 38.2-628. Confidentiality.

A. Any documents, materials, or other information in the control or possession of the Bureau that are furnished by a licensee or an employee or agent thereof acting on behalf of a licensee pursuant to subsection H of § 38.2-623 or subdivisions B 2, 3, 4, 5, 8, 10, and 11 of § 38.2-625, or that are obtained by the Commissioner in an investigation or examination pursuant to § 38.2-627, shall be confidential by law and privileged, shall not be subject to § 12.1-19, shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. However, the Commissioner is authorized to use the documents, materials, or other information in the furtherance of any regulatory or legal action brought as a part of the Commissioner's duties.

B. Neither the Commissioner nor any person who received documents, materials, or other information while acting under the authority of the Commissioner shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to subsection A.

C. In order to assist in the performance of the Commissioner's duties under this article, the Commissioner may:

1. Share documents, materials, or other information, including the confidential and privileged documents, materials, or information subject to subsection A, with other state, federal, and international regulatory agencies; with the National Association of Insurance Commissioners (NAIC), its affiliates, or its subsidiaries; and with state, federal, and international law-enforcement authorities, provided that the recipient agrees in writing to maintain the confidentiality and privileged status of the documents, materials, or other information;

2. Receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the NAIC, its affiliates, or its subsidiaries and from regulatory and law-enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any documents, materials, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the documents, materials, or information;

3. Share documents, materials, or other information subject to subsection A with a third-party consultant or vendor provided the consultant agrees in writing to maintain the confidentiality and privileged status of the documents, materials, or other information; and

4. Enter into agreements governing sharing and use of information consistent with this subsection.

D. No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the Commissioner under this section or as a result of sharing as authorized in subsection C.

E. Documents, materials, or other information in the possession or control of the NAIC or a third-party consultant or vendor as a result of an examination or investigation pursuant to subsection H of § 38.2-623 or subdivisions B 2, 3, 4, 5, 8, 10, and 11 of § 38.2-625 shall be confidential by law and privileged, shall not be subject to § 12.1-19, shall not be subject to subpoena, and shall not be subject to discovery in any private civil action.

F. Nothing in this article shall prohibit the Commissioner from releasing final, adjudicated actions that are open to public inspection to a database or other clearinghouse service maintained by the NAIC, its affiliates, or its subsidiaries.

2020, c. 264.

§ 38.2-629. Exceptions.

A. The following exceptions shall apply to this article:

1. A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of § 38.2-623, provided that the licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of §§ 38.2-624 and 38.2-626.

2. An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from §§ 38.2-623, 38.2-624, 38.2-625, and 38.2-626 and need not develop its own information security program or conduct an investigation of or provide notices to the Commissioner and consumers relating to a cybersecurity event, to the extent that the employee, agent, representative, or designee is covered by the information security program, investigation, and notification obligations of the other licensee.

3. A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to §§ 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of § 38.2-623 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution's adoption of an information security program that satisfies the Interagency Guidelines.

B. If a licensee ceases to qualify for an exception, such licensee shall have 180 days from the date it ceases to qualify to comply with this article.

2020, c. 264.