The Office of General Counsel issued the following opinion on April 7, 2003, representing the position of the New York State Insurance Department.
Re: Retention and Disclosure of Automobile Claim Files (Regulation 152 and 169).
1. Pursuant to N.Y. Comp. Codes R. and Regs. tit. 11, Part 243 (1996) (Regulation 152), is an insurer required to expunge its automobile claim files six years after the settlement of a claim?
2. Does N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169) preclude insurers from sharing automobile claim files with other insurance companies that are more than six years old?
3. May an insurer use automobile claim files that are more than six years old for reinsurance or renewal purposes?
1. No. N.Y. Comp. Codes R. and Regs. tit. 11, Part 243 (1996) (Regulation 152) does not require an insurer to expunge its automobile claim files six years after the settlement of a claim.
2. No. N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169) does not preclude insurers from sharing automobile claim files that are more than six years old. However, such disclosure must be made in accordance with the requirements of the regulation.
3. The Department can not provide the inquirer with a response without further details and clarification of the inquiry.
No specific fact pattern was submitted. The inquirer states that he was an automobile policyholder from 1994 to 2001 and he would like to know whether there is a time limit after which an insurer must expunge automobile claim files. The inquirer further inquired whether an insurer is prohibited from using automobile claim files that are more than six years old for reinsurance or renewal purposes or from sharing such files with other insurance companies.
N.Y. Comp. Codes R. and Regs. tit. 11, Part 243 (1996) (Regulation 152), entitled "Standards of Records Retention by Insurance Companies", establishes the minimum requirements regarding the retention of records by insurance companies. Section 243.2 provides, in pertinent part, as follows:
(a) [E]very insurer shall maintain its claims, rating, underwriting, marketing, complaint, financial, and producer licensing records, and such other records subject to examination by the superintendent, in accordance with the provisions of this Part.
(b) Except as otherwise required by law or regulation, an insurer shall maintain: . . .
(4) A claim file for six calendar years after all elements of the claim are resolved and the file is closed or until after the filing of the report on examination in which the claim file was subject to review, whichever is longer. A claim file shall show clearly the inception, handling and disposition of the claim, including the dates that forms and other documents were received. . . .
(8) Any other-record for six calendar years from its creation or until after the filing of a report on examination or the conclusion of an investigation in which the record was subject to review.
(c) If the superintendent is not required to conduct an examination of an insurer, the requirement that the record be maintained until after the filing of the report on examination shall not apply. However, if an examination in which the record is subject to review has begun, the insurer shall retain the record until after the filing of the report on examination. . . .
(f) Nothing in this Part shall prevent or restrict an insurer from maintaining records for a longer period.
Thus, pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, § 243.2(b)(4) (1996) (Regulation 152) an insurer must keep a claim file for six calendar years after all elements of the claim are resolved and the file is closed or until after the filing of the report on examination in which the claim file was subject to review, whichever is longer. Section 243.2(f) further provides that nothing in the regulation prevents or restricts an insurer from maintaining records for a longer period. Therefore, the regulation does not require insurers to expunge records after the time period specified in the regulation has elapsed.
Question No. 2
N.Y. Comp. Codes R. & Regs. tit. 11, § 420.1(a)(2001) (Regulation 169) provides as follows:
(a) Purpose. This part governs the treatment of nonpublic personal information about individuals (defined in this part as consumers or customers) in this State by all licensees of the Insurance Department. This Part:
(1) Requires a licensee to provide notice to individuals about its privacy policies and practices;
(2) Describes the conditions under which a licensee may disclose nonpublic personal health information and nonpublic personal financial information about individuals to nonaffiliated third parties; 1
(3) Provides methods for individuals to prevent a licensee from disclosing that information; and
(4) Provides a method for individuals to prevent a licensee from disclosing nonpublic personal health information by not affirmatively consenting to such disclosure, subject to the exceptions in section 420.17(b) of this Part.
Section 420.3(r) of Regulation 169 defines the term "Nonpublic personal information" as "nonpublic personal financial information and nonpublic personal health information."
Section 420.3(s)(1) defines "Nonpublic personal financial information" as:
(i) Personally identifiable financial information; and
(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information other than publicly available information.
Section 420.3(u)(1) defines "Personally identifiable financial information" as meaning any information:
(i) A consumer provides to a licensee to obtain an insurance product or service from the licensee;
(ii) About a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer; or
(iii) A licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer.
Section 420.3(u)(2) provides examples of information included in the definition of "Personally identifiable financial information":
(a) Information a consumer provides to a licensee on an application to obtain an insurance product or service;
(b) Account balance information and payment history;
(c) The fact that an individual is or has been one of the licensees customers or has obtained an insurance product or service from the licensee;
(d) Any information about a licensees consumer if it is disclosed in a manner that indicates that the individual is or has been the licensees consumer;
(e) Any information that a consumer provides to the licensee or that the licensee or its agent otherwise obtains in connection with collecting on a policy loan or servicing a policy loan;
(f) Any information the licensee collects through an Internet "cookie: (an information collecting device from a web server) to the extent that such information constitutes personally identifiable information; and
(g) Information from a consumer report.
Section 420.3(t) defines "Nonpublic personal health information" as meaning health information:
(1) That identifies an individual who is the subject of the information; or
(2) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
Section 420.3(e)(1) defines the term "consumer" as:
[A]n individual who, in this State, seeks to obtain, obtains or has obtained an insurance product or service, directly or through legal representative, from a licensee that is to be used primarily for personal, family, or household purposes and about whom the licensee has nonpublic personal information.
Thus, pursuant to the above provisions, the inquirers automobile claim file would come within the definition of "nonpublic personal information" and, as a former policyholder, he would come within the definition of "consumer". Therefore, the insurer would have to comply with the initial privacy notice and opt-out requirement for financial information pertaining to consumers, as well as the opt-in authorization requirement for health information prior to disclosure, depending on what is in the file, unless one of the exceptions contained in the regulation applies. The regulation does not restrict the disclosure of certain records according to their age.
Section 420.4(a)(2) provides as follows:
Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects the licensees privacy policies and practices to:
(2) consumer- a consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by sections 420.14 and 420.15 of this Part.
Section 420.10(a)(1) provides that:
Condition for disclosure. Except as otherwise authorized in this Part, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(i) The licensee has provided to the consumer an initial notice as required under section 420.4 of this Part;
(ii) The licensee has provided to the consumer an opt out notice as required under section 420.7 of this Part;
(iii) The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to opt out of the disclosure; and
(iv) The consumer does not opt out.
With respect to nonpublic personal health information, Section 420.17(a) provides:
A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
Section 420.17(b) contains exceptions to this authorization requirement.
Accordingly, provided that the transaction does not fall under an exception contained in the regulation, if the inquirer chooses to opt out of disclosure of nonpublic personal financial information and/or he does not provide the requisite opt-in authorization for the release of nonpublic personal health information, the insurer may not disclose the inquirers automobile claim file containing such information to a nonaffiliated third party.
However, without further details regarding the insurers specific purpose for disclosing the information contained in the file, we can not make a determination regarding whether the transaction would fall under an exception contained in the regulation. In order for us to provide further analysis, the inquirer was directed to provide a description of the transaction.
Please note that the inquirer would not have any control over the insurers disclosure of the claimants information. The claimant would also be considered a consumer under the regulation2 and unless an exception applies, the claimant may assert his or her right to opt out of disclosure of nonpublic personal financial information or to provide an opt-in authorization for the release of nonpublic personal health information.
Question No. 3
It is unclear from the inquiry what the inquirer means by "reinsurance" and why the insurer would need to use the information that the inquirer described for renewal purposes when he is no longer a policyholder. The inquirer was directed to provide us with further details and clarification of the inquiry.
For further information you may contact Senior Attorney Pascale Joasil at the New York City Office.
1 Section 420.3(q)(1) defines the term "nonaffiliated third party", in relevant part, as any person except:
(i) A licensees affiliate; or
(ii) A person employed jointly by a licensee and any company that is not the licensees affiliate (but nonaffiliated third party includes the other company that jointly employs the person). . . .
2 See Section 420.3(e)(2)(iv)(a)(II).