Additional Notice to California Residents

If you would like to exercise your rights under the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), please visit us at our Data Subject Request web page or please email the CCMSI Information Security Officer.

You can find CCMSI’s CCPA Notice at Collection below. 

This section of our Privacy Policy provides additional information for California residents pursuant to the CCPA and applies to “Personal Information” as defined in the CCPA, whether collected online or offline. This section of our Privacy Policy applies to CCMSI websites or applications that link to this Privacy Policy (the “Services”), as well as offline activities where California residents are directed to this section of the Privacy Policy. It does not apply to any non-CCMSI websites or applications that you may access via our services. Those services are governed by the privacy policies that appear on those sites and applications. As used in this section of our Privacy Policy, “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.

Service Provider

CCMSI often acts as a service provider under the CCPA. This means that we collect and use Personal Information on behalf of another company, such as when we provide claims management services to third party insurers and insureds. Where your Personal Information is processed by CCMSI acting as a service provider on behalf of another company, that other company’s privacy policy will explain its privacy practices, and you should submit any request to exercise CCPA rights directly to that company. If you make a request to exercise CCPA rights to CCMSI where it acts as a service provider under the CCPA, we may be required to disclose your request to the relevant company.

Personal Information Not Covered by this California Section of the Privacy Policy

There are a number of exemptions from the application of the CCPA. The following sets out some of the categories of Personal Information that are not subject to the CCPA, and therefore are not covered by this California section of the Privacy Policy. Note that other sections of the Privacy Policy may still apply in addition to other privacy notices that we may issue addressing our specific relationship with you, including privacy notices that are sent to individuals.

• Health or medical information that we collect and that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the California Confidentiality of Medical Information Act or the Health Information Technology for Economic and Clinical Health Act. CCMSI provides a separate HIPAA privacy notice to certain individual consumers as required under applicable laws and regulations.
• Information we collect in connection with the issuance of financial products or services to you that are to be used primarily for your personal, family, or household purposes and that is subject to the Gramm-Leach-Bliley Act (“GLBA”) or the California Financial Information Privacy Act. For example, where we handle a claim from you as an individual. Note that this exclusion may not apply to all of your Personal Information, including to personal information collected before you become a customer. CCMSI provides a separate GLBA privacy notice to certain individual consumers as required under applicable laws and regulations.
• Information we collect and provide for use that is subject to the Fair Credit Reporting Act.
• Information we collect as a motor vehicle record and that is subject to the Driver’s Privacy Protection Act of 1994.
• Publicly available information from government records, and information we have a reasonable basis to believe is lawfully made available to the general public by you or by widely distributed media, or by a person to whom you have disclosed the information and not restricted it to a specific audience.
• Deidentified or aggregated information.

California Notice At Collection

Categories of Personal Information Collected & Disclosed

The following identifies the categories of Personal Information we may collect about you (and may have collected in the prior 12 months). Note that our collection, use and disclosure of Personal Information about you will vary depending upon the circumstances and nature of our interactions or relationship with you. Depending on how you use our Services, we may collect the following categories of Personal Information:

• Identifiers, such as real name, alias, job title, address, email address, date of birth, policy number, salary information, social security number, driver’s license number, other government identifiers, credit card number, and tax ID.
• Online Identifiers, such as unique personal identifiers, device IDs, ad IDs, IP addresses, and cookie data.
• Customer or Claimant Records, such as paper or electronic customer or claimant records containing Personal Information, as well as information provided by an insurance broker/agent or reinsurer for underwriting purposes and information included in a list of claims, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, payment card number, gender, height, weight, medical information (including reports and medical bills), health insurance information, details about home address, security and travel plan arrangements, records of personal property, products or services purchased or obtained.
• Financial Information, such as your bank account or credit card number and other payment details.
• Characteristics of Protected Classifications under California Law, such as age (40 years or older), race, national ancestry, national origin, citizenship, religion or creed, marital status, pregnancy, medical condition, physical or mental disability, sex, sexual orientation, and veteran or military status.
• Usage Data, such as Internet or other electronic network activity information regarding a California resident’s interaction with portals, Internet websites, applications, or advertisements, including, but not limited to, browsing history, clickstream data, search history and content of public posts.
• Biometric Information, such as individual biological or behavioral characteristics including measurements of physical characteristics such as height, weight and blood pressure, sleep, health, or exercise data that contain identifying information.
• Education Information, such as education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes and student disciplinary records.
• Geolocation Data, such as physical location or movements.
• Audio, Video and Other Electronic Data, such as audio information including call recordings, video and photographs, recorded meetings and webinars, and CCTV footage to secure our offices and premises.
• Professional or Employment-Related Information, such as employment history, qualifications, licensing, and disciplinary record.
• Inferences and Preferences, such as inferences drawn from any of the information described in this section about a consumer including inferences reflecting the consumer’s preferences, characteristics, behavior and abilities.
• Sensitive Personal Information, such as social security number, driver’s license number, racial or ethnic origin, religious or philosophical beliefs, medical condition, and physical or mental disability.

Sources of Personal Information

We generally collect Personal Information from the following categories of sources:

• Directly from you and automatically;
• Insurance carriers or self-insured risk pools;
• Brokers and agents;
• Corporate policyholders; and
• Our vendors and service providers.

Purposes for Collecting and Disclosing Personal Information

As described in the “How We Use Personal Information” section above, in general, we collect and otherwise process the personal information we collect for the following business or commercial purposes:

• Operate our business;
• Provide you products and services;
• Communicate with you;
• Evaluate and improve our products and services;
• Analytics models to support our business;
• Marketing and advertising;
• Inferences;
• Find locations on request;
• Fraud and security purposes;
• Legal requirements;
• Business transfers; and
• Other operational and business purposes.

Sensitive Personal Information

Notwithstanding the purposes described above, we do not collect, use, or disclose “sensitive personal information” beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.

Retention of Personal Information

We retain the Personal Information we collect only as reasonably necessary for the purposes described in this Privacy Policy or otherwise disclosed to you at the time of collection. For example, we will retain certain identifiers for as long as it is necessary to comply with our tax, accounting and recordkeeping obligations, to administer certain policies and coverage, and for research, development and safety purposes, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, and to comply with our legal obligations. From time to time, we may also deidentify your Personal Information, retain it and use it for a business purpose in compliance with CCPA.

Disclosure of Personal Information to Third Parties and Other Recipients

The categories of Personal Information we have disclosed for a business purpose in the preceding twelve (12) months include: identifiers, online identifiers, customer records, financial information, characteristics of protected classifications, usage data, biometric information, education information, geolocation data, audio, video, and other electronic data, professional or employment-related information, inferences, and sensitive personal information.

The categories of third parties and other recipients to whom we may disclose personal information for a business purpose may include:

• Affiliates, subsidiaries, and business partners;
• Vendors and service providers;
• Acquirers of business assets;
• Advisors, auditors, consultants, and representatives;
• Agents and brokers;
• Insurance carriers or self-insured risk pools
• Reinsurers;
• Regulators, government entities, and law enforcement;
• Operating systems and platforms; and
• Others as required by law.

Additionally, the CCPA defines “sale” as disclosing or making available personal information to a third-party in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available personal information to a third-party for purposes of cross-contextual behavioral advertising. We do not sell or share Personal Information.

Rights Regarding Your Personal Information

The CCPA provides California residents with specific rights regarding Personal Information. This section describes your rights under the CCPA and explains how to exercise those rights. Subject to certain exceptions, California consumers have the right to make the following requests:

Right to Know. With respect to the Personal Information we have collected about you in the prior (twelve) 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions):

• The categories of Personal Information we collected about you;
• The sources from which we have collected that Personal Information;
• Our business or commercial purpose for collecting, selling, or sharing that Personal Information;
• The categories of third parties to whom we have disclosed that Personal Information; and
• A copy of the specific pieces of your Personal Information we have collected.

Right to Correct. Subject to certain restrictions, you have the right to request that we correct inaccuracies in your Personal Information.

Right to Delete. Subject to certain conditions and exceptions, you have the right to request deletion of your Personal Information that we have collected about you.

Right to Opt-Out. You have the right to opt-out of “sales” and “sharing” of your Personal Information, as those terms are defined under the CCPA. While we do not “sell” or “share” Personal Information, we support consumer choice regarding use of consumers’ personal information and for this reason you may formally record your preference that CCMSI not sell or share your personal information in the future by emailing the CCMSI Information Security Officer.

Right to Limit Use and Disclosure of Sensitive Personal Information. We do not engage in uses or disclosures of Personal Information that would trigger the right to limit use of sensitive personal information under the CCPA.

Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.

Exercising Your Rights

If you are a California resident and would like to exercise your CCPA rights, you may do so via any of the methods described below:

• Accessing our Data Subject Request web page; or
• Emailing the CCMSI Information Security Officer.

Authorized Agent. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization in their first communication with us, and we may also require that you directly verify your identity and the authority of your authorized agent.

Businesses operating as an authorized agent on behalf of a California resident must provide both of the following:

1. Certificate of good standing with its state of organization; and
2. A written authorization document, signed by the California resident, containing the California resident’s name, address, telephone number, and valid email address, and expressly authorizing the business to act on behalf of the California resident.

Individuals operating as an authorized agent on behalf of a California resident must provide a written authorization document, signed by the California resident, containing the California resident’s name, address, telephone number, and valid email address, and expressly authorizing the individual to act on behalf of the California resident.

We reserve the right to reject (1) authorized agents who have not fulfilled the above requirements, or (2) automated CCPA requests where we have reason to believe the security of the requestor’s personal information may be at risk.

Verification. Before responding to your request, we must first verify your identity using the Personal Information you recently provided to us. The information we need in order to verify your identity differs depending on the request made and our relationship with you and might include (as applicable) your name, the email address you regularly use to interact with us, your phone number, your date of birth, and, if available, your policy number. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary to process your request. In some cases, we may also carry out checks, including with third party identity verification services, to verify your identity before taking any action with your Personal Information. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.

Contact Us

If you have any questions or comments about this section of the Privacy Policy, the ways in which we collect and use your Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact the CCMSI Information Security Officer.