LegisTrack
HR 3437 | 119th Congress | In Committee

Insurance Data Protection Act

Introduced: May 15, 2025
Financial Services
Standard Summary

The Insurance Data Protection Act would significantly restrict how federal financial regulators can obtain data directly from insurance companies. It would prohibit certain regulators, notably the Federal Insurance Office (FIO) within the Department of the Treasury, along with other financial regulators, from collecting data directly from insurance companies. Instead, regulators would be required to coordinate with other federal and state agencies (and use publicly available sources) before attempting to collect data and, if the data is not readily available, to comply with the Paperwork Reduction Act. The bill also removes certain subpoena/enforcement authorities and imposes new confidentiality and privilege protections for data obtained from insurers, including limitations on the sharing of that data and a new framework for information sharing with state regulators. Overall, the bill aims to protect insurer data from direct regulatory collection and to strengthen privacy and confidentiality safeguards, potentially at the cost of slower or more circuitous data gathering for regulatory oversight.

Key structural changes include: (1) barring direct data collection from insurance companies by FIO and related regulators; (2) repealing a portion of the federal subpoena/enforcement authority that would affect data collection power; (3) expanding confidentiality and privilege protections for nonpublic insurer data shared with regulators; (4) narrowing the Office of Financial Research’s subpoena authority specifically with respect to insurance companies; and (5) adding a new confidentiality-focused framework (Subtitle D) to the Financial Stability Act of 2010 governing data collected from insurance companies, including advance coordination requirements and formal information-sharing rules with state regulators.

Key Points

  1. Prohibition on direct data collection from insurers by FIO and other financial regulators; regulators must coordinate with other federal/state regulators and use publicly available data before collecting from a covered entity, or rely on the Paperwork Reduction Act if new data collection is needed.
  2. Repeal of Subpoena and Enforcement Authority: Amends Section 313(e) of title 31 to strike the referenced paragraph, effectively limiting the regulators’ ability to compel data directly from insurers.
  3. Confidentiality by the Federal Insurance Office: Expands confidentiality protections around nonpublic data shared with the Office and other entities, clarifying that sharing does not waive privileges and requiring continued application of existing confidentiality agreements and privacy rules; permits data sharing with state regulators under confidential information-sharing agreements.
  4. Limitation on Subpoenas by the Office of Financial Research: Amends the Financial Stability Act to exclude insurance companies from the OFR’s subpoena power, restricting OFR’s ability to compel data from insurers.
  5. New confidentiality framework for data collected from insurers (Subtitle D of Dodd-Frank): Establishes a formal framework for how regulators treat data collected from insurance companies, including definitions of “covered entity” and “financial regulator,” advance coordination requirements, privacy/privilege protections, and FOIA limitations; requires information-sharing agreements that protect privilege and confidentiality and apply applicable federal law.

Impact Areas

Primary group/area affected: Insurance companies and the broader insurance industry, due to changes in how regulators can collect data from them and stricter confidentiality requirements.

Secondary group/area affected: Federal and state financial regulators (including the FIO, OFR, and banking/financial agencies) who would need to change data collection practices, workflows, and interagency coordination; data privacy and compliance functions within regulators.

Additional impacts: Consumers and policymakers relying on regulatory data and transparency could see slower or more restricted data access; potential shifts in regulatory oversight efficacy and timeliness due to greater reliance on existing sources and coordination rather than direct, centralized data requests. The changes also heighten confidentiality protections around insurer data, which could affect public disclosures and FOIA responses.

Generated by gpt-5-nano on Oct 7, 2025