There are two laws that address many concerns regulators have raised about whether consumers understand what personal data is used and whether consumers can review the data and take action when data is inaccurate.  The first is the federal Fair Credit Reporting Act (“FCRA”) which applies broadly to all types of consumer data in consumer reports provided by consumer reporting agencies.  The second is the Insurance Information and Privacy Protection Model Act (“Model 670”), a model law adopted in 1981 by the National Association of Insurance Commissioners (“NAIC”) that requires adverse underwriting notices.  Sixteen states have adopted the model law’s adverse underwriting notice provisions in their insurance codes.  These laws provide protections for consumers today.   Although the federal law does not apply to all data compilations and sources and although not all states currently have adverse action notice requirements, together these laws provide a framework for regulators and the industry to work from as they consider what consumer protections may be necessary as the use of non-traditional consumer data evolves.

Fair Credit Reporting Act 

The FCRA and its corresponding regulations provide consumer protections that address regulators’ concerns.  The FCRA governs the provision and use of consumer reports and establishes standards for consumer reporting agencies.  It limits the use and disclosure of consumer reports and consumer report information.  Importantly, consumer reports under the FCRA are not limited to reports of credit information.

Under the FCRA, consumers who are negatively impacted by the use of consumer report information in insurance eligibility or rating are entitled to receive an adverse action notice from the insurance company.i

The notice provides a consumer with the following information:ii

• The consumer’s credit score, if any, and additional related specifics;
• Name and contact information of the entity generating the data, otherwise known as a consumer reporting agency;
• A statement that the consumer reporting agency did not make the decision and cannot provide the consumer with the reasons for the adverse action;
• Their right to obtain a free consumer report; and
• Their right to dispute, with the consumer reporting agency, the accuracy or completeness of any information in the consumer report.

Through adverse action notices, consumers have a readily available and long-existing protection that provides an opportunity to review and correct personal information used to underwrite or rate their policy.  

Many people mistakenly believe that the FCRA applies only to credit reports and the use of credit information.   In fact, the statutory definition of “consumer report” includes information about a person that could be quite personal and well beyond traditional underwriting and rating information. 

The term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness [creditworthiness], credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for--

(A) credit or insurance to be used primarily for personal, family, or household purposes;

(B) employment purposes; or

(C) any other purpose authorized under section 604 [15 USCS § 1681b].iii

Of all the various types of consumer data that insurers use, contemplate using, or that regulators are concerned may be used, most of such data would fit into the categories of character, personal characteristics or mode of living.  Courts have held that “almost any information about consumers arguably bears on their personal characteristics or mode of living.”iv  In addition, information is not a consumer report unless it is provided for a permissible purpose such as determining eligibility for insurance.v

So, when an insurance company acquires consumer data to use in determining insurance eligibility, does that mean FCRA protections apply? The answer is maybe but not necessarily.  According to the Eleventh Circuit Court of Appeals, there are three fundamental elements of a consumer report under the FCRA: (1) a communication by a consumer reporting agency, (2) information, and (3) a permissible purpose.  

For personal information to be a consumer report, it must be communicated by a consumer reporting agency to a person that the consumer reporting agency has reason to believe intends to use it for a permissible purpose.vi  There are several permissible purposes under the FCRA, with the most common ones being a credit transaction, employment, or in “connection with the underwriting of insurance” for a consumer.vii  Insurance companies have a permissible purpose to use consumer reports in insurance underwriting.   

Almost any type of information about a consumer could fall within the broad definition of “consumer report” and yet not all consumer data is a consumer report.  Information is not a consumer report unless provided by a consumer reporting agency for a permissible purpose, and not all businesses that assemble and provide consumer data are consumer reporting agencies.  

The term “consumer reporting agency” means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer

reports.viii

Nothing requires an insurance company to obtain data from a consumer reporting agency.  If it does, however, then it must provide consumers with adverse action notices and other rights.  If the entity providing consumer information is doing so for a fee and for a permissible purpose, then the entity is likely to be a consumer reporting agency and subject to a myriad of special requirements under the FCRA. 

Courts, however, tend to apply the definition of “consumer reporting agency” quite strictly.   For example, a company that aggregated information such as motor vehicle records, aliases, status of professional licenses, real estate transactions, and similar information about individuals and sold reports to its subscribers was found not to be a consumer reporting agency.  The court determined that for the FCRA to apply, information has to be provided for a permissible purpose and that “purpose” implies an intent element.  Since the company did not intend to provide information for FCRA purposes and took affirmative steps to prevent such use, the court found that the company was not a consumer reporting agency.ix In another case, a network of medical providers assembled patient and medical information that was provided to certain third parties.  The court held the network was not a consumer reporting agency  because it did not provide information in return for monetary fees or for the purpose of furnishing consumer reports.x  In contrast, a staffing agency that received fees for conducting and providing background checks to prospective employers for employment purposes (a permissible purpose) was a consumer reporting agency.xi

One exception to the definition of a consumer report is a report containing “information solely” about “transactions or experiences” between the consumer and the person making the report.xii  This would include data an insurance company might collect from a telematics device or cell phone app.  However, when the insurer provides such data to a third party to evaluate, and the third party provides such evaluations to the insurer to use for insurance eligibility purposes and charges a fee, then those third parties are likely to be considered consumer reporting agencies.xiii

The FCRA provides important consumer protections when it applies.  The Federal Trade Commission (“FTC”) has stated that a fact-specific analysis is necessary to determine whether a given data analytics practice is subject to the FCRA.  More information about the sources of consumer data may be needed in order to determine how broadly the FCRA will apply to “Big Data.”xiv  The FCRA certainly provides a foundation for consumer protection that regulators should consider in their analysis of the use of Big Data in insurance.

State Insurance Laws

Even without the FCRA, consumers in several states have some protections under current law.  Sixteen states have adverse action notice requirements, similar to those in the FCRA, that apply to the use of noncredit, personal information.xv  The basis for such requirements is a model law first adopted by the NAIC in 1981.  The Insurance Information and Privacy Protection Model Act (#670) was an early privacy law that addresses collection and disclosure of data about insureds and prospective insureds.  Similar to the FCRA, it gives applicants and insureds the right to  adverse underwriting action notices as well as several other rights, including the right ask for the “specific items of personal and privileged information” that support an underwriting decision, the right to review such information, and the right to request that information be corrected.xvi    The consumer protections in this forty-year old model law seem to be a possible solution to regulators’ current concerns about the use of non-traditional data.

Consumer protections under the model law kick in when an insurer takes an adverse underwriting action.  The definition of “adverse underwriting action” may need updating to cover rate increases and reductions in coverage, similar to insurance regulations governing the use of credit information. Under the model law, adverse underwriting actions are limited to declinations, terminations of coverage, the failure of an agent to place insurance with the insurer requested by the applicant, and placements in residual markets or with an insurer that specializes in substandard risks.xvii  Unlike the FCRA, an adverse action notice is not required when insurance companies charge higher rates because of consumer information. 

When an adverse underwriting action occurs, an insurer is required to provide written notice of the reasons for such action and an explanation of the consumer’s right to request to review and obtain a copy of their personal information, the source of such information, and a summary of the procedures by which the consumer may request correction, amendment, or deletion of the personal information.  Again, these provisions appear to address regulators’ frequently stated concerns that consumers may not know what data is used and may have no opportunity to review or correct their information.

The model law is not perfect but its language is a good starting place.  While the protections may not be as robust as those under the FCRA, the existence of this model law shows that regulators have existing tools that could be leveraged to resolve some of their concerns about the use of non-traditional data.

Conclusion

As the use of non-traditional consumer data in insurance continues to evolve, regulators may wish to develop consumer protections. If so, the FCRA already provides well-established protections and, to the extent the FCRA does not apply, the model law may provide part of the answer. There is no need to start from scratch.

i An “adverse action” includes a denial or cancellation of insurance, or an increase in any charge for insurance, or a reduction or other unfavorable change in the terms or amount of coverage that occurs based upon, in whole or in part, information in a consumer report.  15 U.S.C. §1681a(k) 
ii 15 U.S.C. § 1681m 
iii 15 U.S.C. §1681a(d)

iv Trans Union Corp. v. TFC, 245 F.3d 809, 813 (D.C.Cir. 2001) 
v 15 U.S.C. § 1681a(d)(1)

vi Yang v. Government Employees Ins. Co., 146 F.3d 1320 (11 Cir. 1998) 
vii 15 U.S.C. § 1681b(a)(3) 
viii 15 U.S.C. § 1681a(f)

ix Kidd v. Thomson Reuters Corp., 2019 U.S. App. LEXIS 16098* (2nd Cir. 2019) 
x Tierney v. Advocate Health & Hosps. Corp., 797 F.3d 449 (7 Cir. 2015) 
xi Adams v. Nat’l Eng’g Serv. Corp., 620 F. Supp. 2d 319 (D. Conn. 2009) 
xii 15 U.S.C. § 1681a(d)(2)

xiii See, Federal Trade Commissioner Report “Big Data: A Tool for Inclusion or Exclusion?” January 2016 (p. 15) 
xiv Federal Trade Commissioner Report “Big Data: A Tool for Inclusion or Exclusion?” January 2016 
xv The states with adverse action notice requirements are Arizona, California, Connecticut, Georgia, Illinois, Kansas, Maine, Massachusetts, Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon, and Virginia (not all laws apply to all lines of business, e.g. Ohio’s law does not apply to property and casualty insurance). 
xvi NAIC Insurance Information and Privacy Protection Model Act (#670) §§ 8-10 
xvii NAIC Insurance Information and Privacy Protection Model Act (#670) § 2