Privacy laws and regulations are changing at a rapid pace in the United States. Recently introduced and imminent regulations such as GDPR, CCPA, NY DFS etc. are providing motivation to dispose of records that are eligible for destruction. As these and other statutes evolve and legal holds are lifted, insurers need to be prepared to address their legacy records.
For P&C insurers, the retention and disposition of minor claims files has historically been challenging due to poor information governance (IG) practices. The lack of appropriate IG practices ultimately leads to the commingling of minors’ files with age of majority files.
With the onset of all these privacy regulations, now more than ever organizations are required to take action to only maintain files that are required for retention and legitimate business purposes.
As you move from a physical to digital way of working, it’s important you have a game plan in place to manage your physical legacy minors’ claim files that are more than likely commingled with your age of majority files.
As you work towards creating an IG process around these files, it’s important you ask yourself the following questions:
- What do you consider to be the age of majority?
- Do you have a consistent policy or does it vary by state?
- How long do you retain physical claims files for minors?
- How long do you retain electronic claims files for minors?
- Do you typically use the same retention schedule for both?
- Do you have a policy to store adult and minor claim files separately?
- How do you handle retention and disposition for physical records that may include both adult and minor claim files?
- Do you have an electronic claims management system and, if so, when was it implemented?
- How did this implementation impact the retention of legacy physical claims files before and after the system deployment?
Insurers’ real-world experiences
We recently interviewed a subset of our P&C insurance clients to better understand how they are handling minor claims files and asked them some of these questions. More than 50% of those we spoke with said that they consider people 21 years and older to have reached the age of majority, and 25% of those firms manage their claims on a state-by-state basis. When asked how long they retain both physical and electronic claims files for minors, 50% said they retain closed claims for seven years or more past the age of majority. All firms we spoke with use the same retention schedule for physical and electronic claims files.
If faced with records that are suspected of having commingled adult and minor files, the majority of those we interviewed chose to apply the longest retention. One insurer stated that, “digital files and paper files are indexed the same. Doing this effectively takes granular level expertise of the business to apply accurately and consistently.”
This is a consistent theme across the insurance industry. Insurers are faced with the challenge of addressing the retention of legacy files and this is only made more difficult by the lack of expertise, human capital, and budget.
What insurance companies can do
With the level of granularity required to address the privacy implications, and given all the potential obstacles, it’s important to have a plan in place.
You will want to define a risk-based approach that is tailored for each of your inventory sets and that will be less cumbersome than existing processes. Although the process will be unique for each inventory set, every process should be consistent, objective and defensible.
Here are some tips on how you can best approach developing an IG process that works for you:
- Use data extraction utilities to identify physical records that are older than 25 years.
- Search metadata for date of birth and age of majority keywords to identify which physical records are at risk.
- Create risk profiles for commingled records using a data profiling methodology.
Streamlined processes are necessary to manage your retention and privacy regulatory requirements as near real-time results are standard and expected. Implications of privacy requirements are surfacing as data subject requests are becoming more commonplace. Companies continue to invest significant resources in privacy and data protection compliance activities and the investment cost is expected to continue rising. The cost of non-compliance could include business disruption, loss of productivity, revenue loss, fines and penalties. Beyond that, the risk of non-compliance can also harm your brand and company’s reputation.
Without an IG process in place, are you creating unnecessary risk for you and your organization?