Additional Notice to Colorado, Connecticut, Virginia and Utah Residents
This section relates solely to residents of the States of Colorado, Connecticut, Virginia and Utah, and their respective privacy rights under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act and the Utah Consumer Privacy Act. This section shall be effective for residents of the State of Virginia as of January 1, 2023; for residents of the States of Colorado and Connecticut as of July 1, 2023; and for residents of the State of Utah as of December 31, 2023.
Categories of Personal Information Collected & Disclosed
The following identifies the categories of Personal Information we may collect about you (and may have collected in the prior 12 months). Note that our collection, use and disclosure of Personal Information about you will vary depending upon the circumstances and nature of our interactions or relationship with you. Depending on how you use our Services, we may collect the following categories of Personal Information:
- Identifiers, such as real name, alias, job title, address, email address, date of birth, policy number, salary information, social security number, driver’s license number, other government identifiers, credit card number, and tax ID.
- Online Identifiers, such as unique personal identifiers, device IDs, ad IDs, IP addresses, and cookie data.
- Customer or Claimant Records, such as paper or electronic customer or claimant records containing Personal Information, as well as information provided by an insurance broker/agent or reinsurer for underwriting purposes and information included in a list of claims, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, payment card number, gender, height, weight, medical information (including reports and medical bills), health insurance information, details about home address, security and travel plan arrangements, records of personal property, products or services purchased or obtained.
- Financial Information, such as your bank account or credit card number and other payment details.
- Characteristics of Protected Classifications, such as age (40 years or older), race, national ancestry, national origin, citizenship, religion or creed, marital status, pregnancy, medical condition, physical or mental disability, sex, sexual orientation, and veteran or military status.
- Usage Data, such as Internet or other electronic network activity information regarding an individual’s interaction with portals, Internet websites, applications, or advertisements, including, but not limited to, browsing history, clickstream data, search history and content of public posts.
- Biometric Information, such as individual biological or behavioral characteristics including measurements of physical characteristics such as height, weight and blood pressure, sleep, health, or exercise data that contain identifying information.
- Education Information, such as education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes and student disciplinary records.
- Geolocation Data, such as physical location or movements.
- Audio, Video and Other Electronic Data, such as audio information including call recordings, video and photographs, recorded meetings and webinars, and CCTV footage to secure our offices and premises.
- Professional or Employment-Related Information, such as employment history, qualifications, licensing, and disciplinary record.
- Inferences and Preferences, such as inferences drawn from any of the information described in this section about a consumer including inferences reflecting the consumer’s preferences, characteristics, behavior and abilities.
- Sensitive Personal Information, such as social security number, driver’s license number, racial or ethnic origin, religious or philosophical beliefs, medical condition, and physical or mental disability.
Sources of Personal Information
We generally collect Personal Information from the following categories of sources:
- Directly from you and automatically;
- Insurance carriers or self-insured risk pools;
- Brokers and agents;
- Corporate policyholders; and
- Our vendors and service providers.
Purposes for Collecting and Disclosing Personal Information
We collect and otherwise process the Personal Information we collect for the following business or commercial purposes:
- Operate our business;
- Provide you products and services;
- Communicate with you;
- Evaluate and improve our products and services;
- Analytics models to support our business;
- Marketing and advertising;
- Find locations on request;
- Fraud and security purposes;
- Legal requirements;
- Business transfers; and
- Other operational and business purposes.
Sensitive Personal Information
Notwithstanding the purposes described above, we do not collect, use, or disclose “sensitive Personal Information” beyond the purposes authorized by applicable law. Accordingly, we only use and disclose sensitive Personal Information as reasonably necessary and proportionate: (i) to perform our services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.
Retention of Personal Information
Disclosure of Personal Information to Third Parties and Other Recipients
The categories of Personal Information we have disclosed for a business purpose in the preceding twelve (12) months include: identifiers, online identifiers, customer records, financial information, characteristics of protected classifications, usage data, biometric information, education information, geolocation data, audio, video, and other electronic data, professional or employment-related information, inferences, and sensitive Personal Information.
The categories of third parties and other recipients to whom we may disclose Personal Information for a business purpose may include:
- Affiliates, subsidiaries, and business partners;
- Vendors and service providers;
- Acquirers of business assets;
- Advisors, auditors, consultants, and representatives;
- Agents and brokers;
- Insurance carriers or self-insured risk pools
- Regulators, government entities, and law enforcement;
- Operating systems and platforms; and
- Others as required by law.
We do not disclose or make available Personal Information to a third-party in exchange for monetary or other valuable consideration. We also do not disclose or making available Personal Information to a third-party for purposes of cross-contextual behavioral advertising.
The Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act and the Utah Consumer Privacy Act provide their respective residents with specific privacy rights regarding Personal Information. In the event that CCMSI determines the purpose and means of processing your Personal Information, you have the right to make the following requests:
Right to Know. With respect to the Personal Information we have collected about you in the prior twelve (12) months, you have the right to request from us:
- The categories of Personal Information we collected about you;
- The sources from which we have collected that Personal Information;
- Our business or commercial purpose for collecting, selling, or sharing that Personal Information;
- The categories of third parties to whom we have disclosed that Personal Information; and
- A copy of the specific pieces of your Personal Information we have collected.
Right to Correct. Subject to certain restrictions, you have the right to request that we correct inaccuracies in your Personal Information.
Right to Delete. Subject to certain conditions and exceptions, you have the right to request deletion of your Personal Information that we have collected about you.
Right to Opt-Out. You have the right to opt-out of processing your Personal Information for the purpose of automated processing or profiling that produce significant or legal effects, as well as the right to opt-out of sales and sharing of your Personal Information. While we do not sell or share Personal Information, we support consumer choice regarding use of consumers’ Personal Information and for this reason you may formally record your preference that CCMSI not sell or share your Personal Information in the future by emailing the CCMSI Information Security Officer.
Right to Data Portability. Subject to technological limitations, you have the right to obtain a copy of your Personal Information in a portable state that allows you to copy or transfer Personal Information in a safe and secure manner.
Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.
Exercising Your Rights
If you are a resident of the State of Colorado, Connecticut, Virginia or Utah, and would like to exercise your respective privacy rights under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act or the Utah Consumer Privacy Act, you may do so via any of the methods described below:
Authorized Agent. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization in their first communication with us, and we may also require that you directly verify your identity and the authority of your authorized agent.
Businesses operating as an authorized agent on behalf of a resident must provide both of the following:
- Certificate of good standing with its state of organization; and
- A written authorization document, signed by the resident, containing the resident’s name, address, telephone number, and valid email address, and expressly authorizing the business to act on behalf of the resident.
Individuals operating as an authorized agent on behalf of a resident must provide a written authorization document, signed by the resident, containing the resident’s name, address, telephone number, and valid email address, and expressly authorizing the individual to act on behalf of the resident.
We reserve the right to reject (1) authorized agents who have not fulfilled the above requirements, or (2) automated requests where we have reason to believe the security of the requestor’s Personal Information may be at risk.
Verification. Before responding to your request, we must first verify your identity using the Personal Information you recently provided to us. The information we need in order to verify your identity differs depending on the request made and our relationship with you and might include (as applicable) your name, the email address you regularly use to interact with us, your phone number, your date of birth, and, if available, your policy number. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary to process your request. In some cases, we may also carry out checks, including with third party identity verification services, to verify your identity before taking any action with your Personal Information. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.
Response to Request. Upon receipt of an authenticated request, CCMSI will respond within forty-five (45) days or provide notice within forty-five (45) days that we require additional time with explanation. If we cannot comply with a request or a portion of your request, we will explain in our response.
For residents of the States of Colorado, Connecticut and Utah, you may make one request within a twelve-month period at no charge. For residents of the State of Virginia, you may make a request up to two (2) times within a twelve (12) month period at no charge. We reserve the right to charge a fee to process or respond to any request that we consider excessive, repetitive, malicious in intent, or made without the intention of exercising applicable rights. If the request warrants a fee, CCMSI will provide an explanation regarding our decision and the estimated cost before complying with the request.
Right to Appeal. You have the right to appeal our Response within a reasonable period of time after receipt of notice by emailing the CCMSI Information Security Officer. CCMSI will respond to your appeal with an explanation of our decisions within 60 days of receipt for residents of Connecticut, Utah, or Virginia, or within 45 days of receipt for residents of Colorado.
- Health or medical information that we collect and that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Health Information Technology for Economic and Clinical Health Act (“HITECH”). CCMSI provides a separate HIPAA privacy notice to certain individual consumers as required under applicable laws and regulations.
- Information we collect in connection with the issuance of financial products or services to you that are to be used primarily for your personal, family, or household purposes and that is subject to the Gramm-Leach-Bliley Act (“GLBA”). For example, where we handle a claim from you as an individual. Note that this exclusion may not apply to all of your Personal Information, including to Personal Information collected before you become a customer. CCMSI provides a separate GLBA privacy notice to certain individual consumers as required under applicable laws and regulations.
- Information we collect and provide for use that is subject to the Fair Credit Reporting Act.
- Information we collect as a motor vehicle record and that is subject to the Driver’s Privacy Protection Act of 1994.
- Publicly available information from government records, and information we have a reasonable basis to believe is lawfully made available to the general public by you or by widely distributed media, or by a person to whom you have disclosed the information and not restricted it to a specific audience.
- Deidentified or aggregated information.