The Connecticut Insurance Department (CID) updated and amended its April 2021 Notice with a new Notice dated April 20, 2022 (Notice), reminding insurers and other licensees of compliance obligations when using “Big Data.” The new Notice adds a requirement for licensees using Big Data to complete an annual “Data Certification.”
For the past several years, federal and state agencies have been investigating the use of data and artificial intelligence by financial services companies in a manner that may discriminate against certain consumers. The Notice is the most recent example of state insurance and other regulators taking an increasingly greater interest in how companies are using data sources for secondary purposes. As in other examples, the Notice focuses mainly on the application of existing laws and more regulation around such data (without discussing how the CID might facilitate compliant usage, for example, by expediting the review of new products or rates that comply with state law).
It is also important to remember that state insurance regulators are only one set of regulatory agencies that can regulate the use of data to profile and underwrite customers, and that other limitations and requirements could apply to insurers, data brokers and other stakeholders.
REQUIREMENTS IN THE CID NOTICE
The Data Certification, which is vague in certain respects, essentially requires the licensee to affirm its use of Big Data complies with the Notice. The Notice reminds licensees (insurers in particular) that the CID “continues to expect such entities … to use technology and Big Data in full compliance with anti-discrimination laws and have completed the data certification, which shall be due on or before September 1, 2022, and annually thereafter.” The Notice states these requirements apply to the use of “Big Data either internally or with vendors.”
The Notice initially includes the CID’s recognition of the importance of industry innovation, stating the CID “is supportive of the insurance industry’s use of technological advances and opportunities to provide innovative products and services to consumers and to operate more effectively and efficiently.” “Big Data refers to a complex volume of data and the set of technologies that analyze and manage it,” and may include “algorithms, predictive models, and/or processes” the licensee develops on its own or purchases or jointly develops with third-party developers or vendors, as well as wide and varied sources of information including “consumer intelligence, social media, credit …, retail purchase history, geographic location tracking and telematics, mobile, satellite, behavioral monitoring, … sensors, wearable devices, RFID, etc.” The CID “recognizes the potentially transformative and diverse nature of the utilization of Big Data” and that “Big Data is aiding insurers’ underwriting, rating, marketing, claim settlement practices, [and] fraud [prevention], and every other facet of the insurance process life cycle.”
More specifically, licensees must use Big Data “responsibly and transparently” and in “full compliance with Federal and State anti-discrimination laws.” The CID also states it “has the authority to require that insurance carriers and third-party data vendors, model developers, and bureaus provide the [CID] with access to data used to build models or algorithms included in all rates, forms, and underwriting filings.” Appendix A to the Notice provides examples of the types of information the CID may request during an examination specific to the usage of data brokers. The examples are categorized as: (i) information about the organization/data broker; (ii) the sources and nature of the data; (iii) data privacy and security; (iv) data curation—i.e., validation methods and standards—; and (v) data documentation and related processes including corrective action to prevent errors. The CID has been among the more active states in conducting such examinations over the past couple of years as insurers have expanded use of Big Data. Finally, the Notice reiterates the potential for regulatory concerns in internal data deployment, internal data governance, and risk management and compliance.
OTHER STATE ACTIVITY
Colorado enacted legislation in 2021 that prohibits unfair discrimination in the use of external consumer data and information sources, including in algorithms/predictive models. The New York Department of Financial Services (NYDFS) issued Insurance Circular Letter No. 1 in 2019 addressing Big Data in underwriting life insurance. On March 2, 2022, the NYDFS sent written requests to insurers writing private passenger automobile, commercial automobile and homeowners’ insurance in New York about their use of personal credit scores in underwriting and rating. These state activities complement ongoing discussions regarding the use of Big Data and related issues at the National Association of Insurance Commissioners (NAIC).
The NAIC has been active in Big Data as well, charging its Big Data and Artificial Intelligence Working Group with researching and monitoring the use of Big Data and artificial intelligence (including machine learning). The NAIC’s model privacy and data security laws also apply to Big Data, both of which have been adopted in Connecticut.
Insurance-specific laws and guidance are supplemented by other federal and state laws and guidance. In the past year, Colorado, Utah and Virginia have joined California in enacting comprehensive consumer privacy laws, and dozens of state legislatures (including Connecticut’s) have drafted bills modeled after these laws. In April 2022, Connecticut’s state Senate unanimously voted to approve the “Act Concerning Personal Data Privacy and Online Monitoring,” which focuses on ensuring individual data subjects are given notice of how a business will be using their personal data. While these state consumer privacy laws typically have broad exemptions that apply to the financial services industry (namely, institutions and data that are subject to the Gramm-Leach-Bliley Act), insurance companies and other industry stakeholders should still be aware of how these laws might impact the personal data they collect.
There remains a relative vacuum in terms of legal standards governing the use of Big Data. However, the above activity illustrates the evolving views of state insurance and other regulators, as well as legislatures, and provides examples of how states may seek to regulate innovation efforts in the insurance industry, including outside of the formal legislative and rulemaking processes. Insurers, data vendors, investors and other stakeholders looking to leverage Big Data should be mindful of these and other regulatory developments.
* * *
McDermott Will & Emery represents a wide and diverse number of clients innovating in the insurance industry. We help clients develop groundbreaking insurance products, leverage private equity and venture capital opportunities, structure acquisitions for optimal tax benefits and defend against “bet the company” claims, disputes and multi-state regulatory investigations and enforcement proceedings. Our cross-border team includes lawyers from multiple practice areas—Transactions, Regulatory, Healthcare, Intellectual Property, Technology, Litigation, Tax and Privacy—delivering seamless, one-stop shop advice, no matter where you do business. Please do not hesitate to contact the authors or another McDermott contact.