![if gte IE 9]><![endif]><![if gte IE 9]><![endif]><![if gte IE 9]><![endif]><![if gte IE 9]><![endif]><![if gte IE 9]><![endif]>
Not a Lexis+ subscriber? Try it out for free.
LexisNexis® CLE On-Demand features premium content from partners like American Law Institute Continuing Legal Education and Pozner & Dodd. Choose from a broad listing of topics suited for law firms, corporate legal departments, and government entities. Individual courses and subscriptions available.
By Frederick J. Pomerantz and Aaron J. Aisen
IntroductionData collection is the new normal in the 21st century. This extends from search engines to social media to consumer shopping habits. This also includes monitoring driving behavior and auto performance. Insurance companies can use vehicle driving data1 gathered by telematics sensors attached to vehicles to rate automobile insurance policies, while auto dealers can use the same sensors to gather vehicle diagnostic data which is used by dealers for use in servicing customers in diagnosing problems with their vehicles and other related services.This article analyzes two specific questions relating to the collection of this data through auto insurance telematics devices installed in vehicles sold by automobile manufacturers. First, what state and federal laws and regulations exist at present to protect the drivers' confidential information transmitted to the dealers and the service departments through the telematics devices or otherwise communicated to third parties by automobile manufacturers? Second, who owns the data gathered through auto insurance telematics devices installed in vehicles? Statutory And Regulatory EnvironmentAs a general rule, the legal environment surrounding the issue of data privacy and ownership is still relatively new and very fluid. For example, with respect to the ownership of data sent to dealers, the question is much easier to answer than the question regarding ownership of telematics data since there is a finite, but evolving (and still inadequate), body of state insurance and state privacy laws which define the categories of protected consumer information. In most instances, the categories of protected consumer information are defined by the statute. Few states define the categories of protected consumer information broadly, but in the context of auto telematics data, the current categories of protected consumer information are inadequate. There is, on the other hand, an evolving body of interpretations under federal law and regulation, including but not limited to the Federal Trade Commission (FTC), which suggest the existence of remedies by consumers where their information is sold to private parties for commercial purposes.Contrast this to the legislative and regulatory regime regarding the use of telematics by insurance companies. There is no definitive answer to this question. The law of telematics-data sharing is young and developing and has not kept pace with the realities of the rapidly changing market for automobiles and automobile insurance. Insurers need and want access to a growing database of telematics data to facilitate the setting of premiums for individual drivers and for vehicle diagnostic use; however, arrangements governing how that data is obtained, managed and accessed are likely to change quickly to adapt to new laws and regulations responding to the results of legislators' and regulators' scrutiny of the use of such data. The market for telematics data is growing and there is a strong possibility that in the future telematics data will become central to how insurers set drivers' premiums. Good drivers stand to benefit from the use of telematics data since their premiums will likely fall, even as those of poor drivers rise. However, it is unclear who owns the data gathered through auto insurance telematics devices, although there are hints in the available federal regulations pointing to the consumer as the owner of such information. However, the evidence is far from conclusive at this time and does not permit us to respond definitively to the issue of ownership of vehicle data. Selected State Statutes ReviewedIn this article, due to space constraints, we focus our analysis primarily on the laws of six selected states: California, Kansas, Missouri, Nebraska, New York, and Texas. We also cite from time to time statutes of certain other states which are particularly relevant or shed light on the prevailing views of state legislators in a majority of states. We also discuss applicable federal laws or regulations where, for completeness of our discussion of the principal issues, those cannot be ignored. We do not, however, focus on the laws regulating the use of credit information in insurance underwriting.Further, we have searched for U.S. case law on the subject of ownership of telematics data and, significantly, have found only seven decisions, none of which are relevant or responsive to the principal issues or helpful in the analysis.We attempt to draw general responses to the two principal issues based solely on the laws of the six states selected and the federal legal framework, discussed below, which in any event is inadequate and does not prohibit the activity of automobile manufacturers outlined in the section on "Facts." Before drawing definitive conclusions on the two principal issues, we advise a comprehensive review of all 50 state laws and regulations. The Origins Of A Legal Framework Gramm-Leach-Bliley Act (GLB)GLB requires financial regulators to establish standards for administrative, technical and physical safeguards for the security and confidentiality of customer records and information. Safeguard standards under GLB for insurance providers are a matter of state insurance law, addressed by the applicable state insurance regulators. National Association Of Insurance Commissioners Model Laws And RegulationsThe National Association of Insurance Commissioners, in response to GLB, adopted in 2002 the Standards for Safeguarding Customer Information Model Regulation, 673-1 (NAIC Model), which states, in relevant part, as follows:Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities. 673-1, § 3A licensee's information security program shall be designed to:A. Ensure the security and confidentiality of customer information;B. Protect against any anticipated threats or hazards to the security or integrity of the information; andC. Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer. 673-1, § 4Not all states have adopted the NAIC Model. Some states have adopted regulations, somewhat different in form and substance, but incorporate the principles stated in the NAIC Model.
Lexis.com subscribers may click here to read the complete article.
Lexis Advance subscribers customers may click here to read the complete article.
Frederick J. Pomerantz is a partner in Goldberg Segalla's New York City office, where he focuses his practice on serving the corporate and commercial needs of highly regulated industries. With 30 years' experience representing insurance companies in transactional and related regulatory matters, he also handles the organization and licensure of insurers, reinsurers, and related entities, including producers, risk retention groups, and risk purchasing groups. He is a frequent author and speaker on insurance regulation and other topics, and has published articles in major insurance trade publications in the United States, South America, Asia, and Europe. Aaron J. Aisen is an associate in Goldberg Segalla's Buffalo, NY office. His practice is focused on regulatory matters, banking, global insurance and reinsurance matters, and cyber risk. He writes, contributes, and blogs on cyber risk and a variety of financial and other regulatory issues, and has co-authored papers on cyber risk and cyber insurance for the prestigious Federation of Defense and Corporate Counsel. Any commentary or opinions do not reflect the opinions of Goldberg Segalla or LexisNexis, Mealey's. Copyright (c) 2015 by Frederick J. Pomerantz and Aaron J. Aisen. Responses are welcome.
For all of your legal news needs, please visit www.lexisnexis.com/mealeys
Lexis.com subscribers may search all Mealey’s Publications
Non-subscribers may search for Mealey’s Publications stories and documents at www.mealeysonline.com or visit www.Mealeys.com
Mealey's is now available in eBook format!
For more information about LexisNexis products and solutions, connect with us through our corporate site