28 Tex. Admin. Code § 22.15

Current through Reg. 49, No. 49; December 6, 2024
Section 22.15 - Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
(a) If a covered entity receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in § 22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and § 22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), the covered entity's disclosure and use of that information is limited as follows:
(1) the covered entity may disclose the information to the affiliates of the financial institution from which the covered entity received the information;
(2) the covered entity may disclose the information to its affiliates, but the covered entity's affiliates may, in turn, disclose and use the information only to the extent that the covered entity may disclose and use the information; and
(3) the covered entity may disclose and use the information pursuant to an exception in § 22.18 and § 22.19 of this title in the ordinary course of business to carry out the activity covered by the exception under which the covered entity received the information.
(b) If a covered entity receives information from a nonaffiliated financial institution for claims settlement purposes, the covered entity may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The covered entity may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
(c) If a covered entity receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in § 22.18 and § 22.19 of this title, the covered entity may disclose the information only:
(1) to the affiliates of the financial institution from which the covered entity received the information;
(2) to its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the covered entity may disclose the information; and
(3) to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the covered entity received the information.
(d) If a covered entity obtains a customer list from a nonaffiliated financial institution outside of the exceptions in § 22.18 and § 22.19 of this title:
(1) the covered entity may use that list for its own purposes; and
(2) the covered entity may disclose that list to another nonaffiliated third party only if the financial institution from which the covered entity purchased the list could have lawfully disclosed the list to that third party. That is, the covered entity may disclose the list in accordance with the privacy policy of the financial institution from which the covered entity received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the covered entity intends to disclose, and the covered entity may disclose the list in accordance with an exception in § 22.18 and § 22.19 of this title, such as to the covered entity's attorneys or accountants.
(e) If a covered entity discloses nonpublic personal financial information to a nonaffiliated third party under an exception in § 22.18 and § 22.19 of this title, the third party may disclose and use that information only as follows:
(1) the third party may disclose the information to the covered entity's affiliates;
(2) the third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) the third party may disclose and use the information pursuant to an exception in § 22.18 or § 22.19 of this title in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(f) If a covered entity discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in § 22.18 and § 22.19 of this title, the third party may disclose the information only:
(1) to the covered entity's affiliates;
(2) to the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) to any other person, if the disclosure would be lawful if the covered entity made it directly to that person.

28 Tex. Admin. Code § 22.15

The provisions of this §22.15 adopted to be effective December 17, 2001, 26 TexReg 10316