STATE OF NEW YORK ________________________________________________________________________ 8369 2023-2024 Regular Sessions IN ASSEMBLY December 13, 2023 ___________ Introduced by M. of A. CUNNINGHAM -- read once and referred to the Committee on Insurance AN ACT to amend the insurance law, in relation to the use of external consumer data and information sources being used when determining insurance rates The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The insurance law is amended by adding a new section 2403-a 2 to read as follows: 3 § 2403-a. Insurers' use of external consumer data and information 4 sources; prohibited. (a) No insurer shall: 5 (1) Unfairly discriminate based on race, color, national or ethnic 6 origin, religion, sex, sexual orientation, disability, gender identity, 7 or gender expression; or 8 (2) Pursuant to rules adopted by the superintendent, use any external 9 consumer data and information sources, as well as any algorithms or 10 predictive models that use external consumer data and information sourc- 11 es, in a way that unfairly discriminates based on race, color, national 12 or ethnic origin, religion, sex, sexual orientation, disability, gender 13 identity, or gender expression. 14 (b) (1) The superintendent shall adopt any rules or regulations neces- 15 sary for the implementation of this section. 16 (2) The superintendent shall engage in a stakeholder process prior to 17 the adoption of rules or regulations for any type of insurance that 18 includes carriers, producers, consumer representatives, and other inter- 19 ested parties. The superintendent shall hold stakeholder meetings for 20 stakeholders of different types of insurance to ensure sufficient oppor- 21 tunity to consider factors and processes relevant to each type of insur- 22 ance. The superintendent shall provide notice of stakeholder meetings on 23 the department's website, and such stakeholder meetings shall be open to 24 the public. EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD13436-01-3
A. 8369 2 1 (c) (1) After the stakeholder process described in subsection (b) of 2 this section, the superintendent shall adopt rules or regulations for 3 specific types of insurance, by insurance practice, which rules estab- 4 lish means by which an insurer may demonstrate, to the extent practica- 5 ble, that it has tested whether its use of external consumer data and 6 information sources, as well as algorithms or predictive models using 7 external consumer data and information sources, unfairly discriminates 8 based on race, color, national or ethnic origin, religion, sex, sexual 9 orientation, disability, gender identity, or gender expression. 10 (2) Rules and regulations adopted pursuant to this section shall 11 require each insurer to: 12 (i) provide information to the superintendent concerning the external 13 consumer data and information sources used by the insurer in the devel- 14 opment and implementation of algorithms and predictive models for a 15 particular type of insurance and insurance practice; 16 (ii) provide an explanation of the manner in which the insurer uses 17 external consumer data and information sources, as well as algorithms 18 and predictive models using external consumer data and information 19 sources, for the particular type of insurance and insurance practice; 20 (iii) establish and maintain a risk management framework or similar 21 processes or procedures that are reasonably designed to determine, to 22 the extent practicable, whether the insurer's use of external consumer 23 data and information sources, as well as algorithms and predictive 24 models using external consumer data and information sources, unfairly 25 discriminates based on race, color, national or ethnic origin, religion, 26 sex, sexual orientation, disability, gender identity, or gender 27 expression; 28 (iv) provide an assessment of the results of the risk management 29 framework or similar processes or procedures and actions taken to mini- 30 mize the risk of unfair discrimination, including ongoing monitoring; 31 and 32 (v) provide an attestation by one or more officers that the insurer 33 has implemented the risk management framework or similar processes or 34 procedures appropriately on a continuous basis. 35 (3) The rules and regulations adopted by the superintendent pursuant 36 to this section shall include provisions establishing: 37 (i) a reasonable period of time for insurers to remedy any unfairly 38 discriminatory impact in an algorithm or predictive model; and 39 (ii) the ability of insurers to use external consumer data and infor- 40 mation sources, as well as algorithms or predictive models using 41 external consumer data and information sources, that have been previous- 42 ly assessed by the department and found not to be unfairly discriminato- 43 ry. 44 (d) Documents, materials, and other information in the possession or 45 control of the department that are obtained by, created by, or disclosed 46 to the superintendent or any other person pursuant to this section or 47 any rules or regulations adopted pursuant to this section are recognized 48 as proprietary and containing trade secrets. All such documents, materi- 49 als, and other information are confidential and privileged; are not 50 subject to disclosure under article six of the public officers law, or 51 other open records, freedom of information, sunshine, or similar law of 52 this state; are not subject to subpoena; and are not subject to discov- 53 ery or admissible in evidence in any private civil action. However, the 54 superintendent may use the documents, materials, or other information in 55 the furtherance of any regulatory or legal action brought as part of the 56 superintendent's official duties. The superintendent shall not otherwise
A. 8369 3 1 make the documents, materials, or other information public without the 2 prior written consent of the insurer from which the documents, materi- 3 als, or other information was obtained. The superintendent may make data 4 publicly available in an aggregated or de-identified format in a manner 5 deemed appropriate. 6 (e) The superintendent may examine and investigate an insurer's use of 7 an external consumer data and information source, algorithm, or predic- 8 tive model in any insurance practice. Insurers shall cooperate with the 9 superintendent and department in any examination or investigation under 10 this section. 11 (f) The superintendent shall annually submit a report to the governor, 12 the temporary president of the senate, the speaker of the assembly, the 13 minority leader of the senate and the minority leader of the assembly 14 and the insurance chairs of the senate and assembly committees. Such 15 report shall include, but not be limited to: 16 (1) Information concerning any changes in insurance rates that have 17 resulted from the prohibitions described in subsection (a) of this 18 section; 19 (2) A summary of the stakeholder engagement process described in para- 20 graph two of subsection (b) of this section; and 21 (3) A description of data sources, if any, discussed during the stake- 22 holder engagement process, which data sources insurers may use to comply 23 with this section. 24 (g) Notwithstanding any provision of this section to the contrary, 25 this section does not apply to: 26 (1) Title insurance, pursuant to article sixty-four of this chapter; 27 (2) Bonds executed by qualified surety; or 28 (3) Insurers issuing commercial insurance policies; except that this 29 section shall apply to insurers that issue business owners' policies or 30 commercial general liability policies, which business owners' policies 31 or commercial general liability policies have annual premiums of ten 32 thousand dollars or less. 33 (h) Nothing in this section: 34 (1) Requires an insurer to collect from an applicant or policyholder 35 the race, color, national or ethnic origin, religion, sex, sexual orien- 36 tation, disability, gender identity, or gender expression of an individ- 37 ual; or 38 (2) May be construed to: 39 (i) prohibit the use of, or require life, annuity, long-term care, or 40 disability insurers to test medical, family history, occupational, disa- 41 bility, or behavioral information related to a specific individual, 42 which information, based on actuarially sound principles, has a direct 43 relationship to mortality, morbidity, or longevity risk unless such 44 information is otherwise included in the testing of an algorithm or 45 predictive model that also uses external consumer data and information 46 sources; 47 (ii) prohibit the use of, or require life, annuity, long-term care, or 48 disability insurers to test traditional underwriting factors being used 49 for the exclusive purpose of determining insurable interest or eligibil- 50 ity for coverage unless such factors are otherwise included in the test- 51 ing of an algorithm or predictive model that also uses external consumer 52 data and information sources; or 53 (iii) prohibit the use of or require the testing of longstanding and 54 well-established common industry practices in settling claims or tradi- 55 tional underwriting practices unless such practices or factors are
A. 8369 4 1 otherwise included in the testing of an algorithm or predictive model 2 that also uses external consumer data and information sources. 3 (i) As used in this section, unless the context otherwise requires: 4 (1) "Algorithm" means a computational or machine learning process that 5 informs human decision making in insurance practices. 6 (2) (i) "External consumer data and information source" means a data 7 or an information source that is used by an insurer to supplement tradi- 8 tional underwriting or other insurance practices or to establish life- 9 style indicators that are used in insurance practices. "External consum- 10 er data and information source" includes credit scores, social media 11 habits, locations, purchasing habits, home ownership, educational 12 attainment, occupation, licensures, civil judgments, and court records. 13 (ii) The superintendent may promulgate rules and regulations to 14 further define "external consumer data and information source" for 15 particular lines of insurance and insurance practices. 16 (3) "Insurance practice" means marketing, underwriting, pricing, 17 utilization management, reimbursement methodologies, and claims manage- 18 ment in the transaction of insurance. 19 (4) "Predictive model" means a process of using mathematical and 20 computational methods that examine current and historical data sets for 21 underlying patterns and calculate the probability of an outcome. 22 (5) "Unfairly discriminate" and "unfair discrimination" include the 23 use of one or more external consumer data and information sources, as 24 well as algorithms or predictive models using external consumer data and 25 information sources, that have a correlation to race, color, national or 26 ethnic origin, religion, sex, sexual orientation, disability, gender 27 identity, or gender expression, and that use results in a disproportion- 28 ately negative outcome for such classification or classifications, which 29 negative outcome exceeds the reasonable correlation to the underlying 30 insurance practice, including losses and costs for underwriting. 31 § 2. This act shall take effect on the one hundred eightieth day after 32 it shall have become a law. Effective immediately, the addition, amend- 33 ment and/or repeal of any rule or regulation necessary for the implemen- 34 tation of this act on its effective date are authorized to be made and 35 completed on or before such effective date.