Does Colorado’s Draft Big Data Governance Rule Foretell of a Long Winter or an Early Spring?

Government Law & Consulting   |   Life, Annuity, and Retirement Solutions   |   Technology   |   February 3, 2023

Colorado Senate Bill (SB) 21-169, which became law in 2021, is intended to “hold insurers accountable for testing their big data systems — including external consumer data and information sources, algorithms, and predictive models — to ensure they are not unfairly discriminating against consumers on the basis of a protected class.” It also directs the Insurance Commissioner to hold stakeholder meetings before adopting rules on how insurers “should test and demonstrate to the Division of Insurance (DOI) that their use of big data is not unfairly discriminating against consumers.”

On February 1st, the DOI issued a draft proposed regulation, styled “Governance and Risk Management Framework Requirements for Life Insurance Carriers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models” (draft rule), in advance of its February 7th stakeholder meeting, the DOI's fifth such meeting. On the same day, renowned groundhog Punxsutawney Phil emerged from his burrow only to see his shadow, foretelling of a long winter. A mere coincidence? Let’s see.

Weather Map of the Draft Rule

The Conditions

For life insurers that use “External Consumer Data and Information Sources” (ECDIS), or algorithms and predictive models that use ECDIS, the draft rule requires them to:

  1. Establish a governance and risk management framework;
  2. Maintain “comprehensive” documentation; and
  3. Submit to the DOI:
    1. Six months after the effective date of the final rule, a report summarizing the progress made towards complying with the first two requirements (progress report);
    2. One year after the effective date of the final rule, a report demonstrating compliance with the first two requirements. This initial report appears to require insurers to set forth their entire governance and risk management frameworks; and
    3. Every two years following the initial report, a report on the use of ECDIS as well as algorithms and predictive models using ECDIS, including material changes to the governance and risk management framework as well as risks detected.

The Definitions

The draft rule includes a definition section, which generally points to definitions from SB 21-169 (codified as Colorado Code Section 10-3-1104.9). However, two definitions forecast that at least a chill is in the air. A new term, “Disproportionately Negative Outcome,” appears in the draft rule as follows:

“Disproportionately Negative Outcome” means, for the purpose of this regulation, a result or effect that has been found to have a detrimental impact on a group as defined by race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression, and that impact is material even after accounting for factors that define similarly situated consumers.

In addition, the draft rule expands on the statutory definition of ECDIS. The rule’s definition is set forth below; the language it adds to the statutory definition was emphasized in bold in the original publication, and that emphasis is not reproduced here.

“External Consumer Data and Information Source” or “ECDIS” means, for the purposes of this regulation, a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors or to establish lifestyle indicators that are used in insurance practices. This term includes credit scores, social media habits, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, occupation that does not have a direct relationship to mortality, morbidity or longevity risk, and any insurance risk scores derived by the insurer or third-party from the above listed or similar data and/or information source.

Shadows Cast by These Definitions

The adoption of Colorado SB 21-169 is based on a concern that ECDIS, algorithms, and predictive models may unfairly discriminate against consumers on the basis of an individual being a member of a defined protected class. At prior stakeholder meetings, the DOI repeatedly asserted that there should be outcome testing on insurers’ use of ECDIS as well as algorithms and predictive models using ECDIS. Moreover, the DOI also contended that a correlation between the data used and risk is not sufficient. These views are reflected in the definition of "Disproportionately Negative Outcome" and the additional language in the definition of ECDIS. However, the new language raises a number of questions, including:

  • What barometer will determine if there is a Disproportionately Negative Outcome?
  • What is “detrimental impact,” and what constitutes a “material detrimental impact”?
  • What are “factors that define similarly situated consumers”?
  • What if there is an actuarial basis for the detrimental impact?

The additional language in the definition of ECDIS also places a spotlight on insurers’ use of risk scores, including risk scores obtained from third-party vendors.

The Scope

While the stakeholder meetings have, up until now, focused on life insurance underwriting, the scope of the draft rule may not be so limited. Instead, it establishes requirements that apply generally to “life insurers’ use of external consumer data and information sources, algorithms, and predictive models,” rather than to underwriting specifically.

Shadows Cast by the Scope

Issues that arise under the proposed scope include:

  • Does this broader scope prognosticate future changes in which an adopted governance regulation would apply to other life insurance practices, such as marketing, pricing, utilization management, reimbursement methodologies, and claims management?
  • The draft rule’s definition of ECDIS does not include “other insurance practices,” which is part of the definition under Colorado Code Section 10-3-1104.9.

Insurer Responsibility for External Resources and Third-Party Vendors

Consistent with the DOI's prior position, the draft rule makes clear that insurers are ultimately responsible for their use of ECDIS as well as algorithms and predictive models using ECDIS. The draft requires that, as part of its governance and risk management framework, an insurer “establish a process for the selection of all external resources and third-party vendors” and be able to produce “any documents or information that the DOI deems necessary to ensure compliance with the regulatory requirements.” The draft rule’s documentation requirement also extends to third parties and specifically requires a description of the process used for selecting third-party vendors. It also appears to require ongoing review and monitoring.

If these requirements are adopted, each insurer using third-party external data or third parties’ algorithms would need to: (i) conduct due diligence and ongoing review of those third-party arrangements in accordance with the insurer’s selection process, and document that due diligence and ongoing review; and (ii) include in its contracts with the third parties a means by which requests for documents or information can be made, so that the insurer can satisfy the DOI’s requests and the rule’s documentation requirements.

The Effective Date

The draft rule forecasts an effective date for the final rule sometime in 2023. If this forecast is reliable, and the reporting requirements do not change direction, life insurers using ECDIS will be required to make a progress report in less than 18 months.

Governance and Risk Management Framework

Under the draft rule, the stated purpose of an insurer’s governance and risk management framework is to:

Facilitate and support policies, procedures, and systems designed to determine whether the ECDIS’ are credible in all material respects, and whether their use in any insurance practice does not result in unfair discrimination.

The draft rule sets forth 10 required components, most notably:

  1. Documented principles guiding the values and objectives of the insurer;
  2. An organizational governance structure that includes: (i) board of directors and senior management responsibility, including regular reporting; (ii) a cross-functional governance committee; and (iii) named individuals with assigned roles as to the design, development, testing, deployment, use, and ongoing monitoring of ECDIS as well as algorithms and predictive models using ECDIS;
  3. Written policies and processes for the design, development, testing, deployment, use, and ongoing monitoring of ECDIS as well as algorithms and predictive models using ECDIS. These policies and processes would need to include supervision and training programs of relevant personnel;
  4. Controls to prevent unauthorized access of an algorithm or predictive model;
  5. Processes and protocols for addressing consumer complaints and inquiries about the use of ECDIS, which must provide consumers with the information needed to take action in the event of an adverse decision;
  6. A plan for responding to and recovering from any unintended consequences; and
  7. Engagement of outside vendors to conduct audits, if internal resources are insufficient.

Shadows Cast by the Governance and Risk Management Framework Requirements

As required by Colorado Code Section 10-3-1104.9(2)(b), the draft rule sets forth requirements for an insurer to establish and maintain a risk management framework. Some of the questions that arise under the proposed requirements include:

  • What is meant by whether the ECDIS is “credible”? This appears to be a new standard and is not language used in Section 10-3-1104.9.
  • Do the processes and protocols regarding the use of ECDIS require insurers to provide disclosure on the sources of data collected about the consumer, what data is collected, and how that data is used that is above and beyond what state law currently requires?

  • What kind of “unintended consequences” does the DOI believe need to be planned for?

Documentation Requirements

Under the draft rule, insurers must maintain “comprehensive documentation on their use of ECDIS as well as algorithms and predictive models using ECDIS, including those supplied by third parties.” The draft rule sets forth 12 “minimum” documentation requirements, including one requirement that contains seven “minimum” subparts. While the documentation requirements are extensive, the use of the term “minimum” suggests that documenting only the items listed in the draft rule would not be a “safe harbor,” and the DOI would likely assert that more is required.

In general, the minimum documentation required includes:

  1. An inventory and description of all ECDIS, algorithms, and predictive models in use, including, for each:
    1. Its purpose, or the problem it solves;
    2. The dataset used to train or develop it, including the dataset’s size, source, and other relevant characteristics;
    3. How its results are determined, and any assumptions made;
    4. Its inputs and outputs;
    5. The risks of its use, and the safeguards that counter those risks; and
    6. Its limitations, as applicable.
  2. Description of the ongoing management of all ECDIS, algorithms, and predictive models in use, including annual reviews, change management, and version control.
  3. Description of the testing to detect unfair discrimination in insurance practices resulting from the use of ECDIS, algorithms, and predictive models. This includes the “methodology, assumptions, results, and steps taken to address disproportionate negative outcomes.”
  4. Description of the process used for selecting third parties.
  5. Documentation of all decisions made regarding the use of all ECDIS, algorithms, and predictive models for the “entire life cycle.” This includes at a minimum documentation as to:
    1. The name of the individuals responsible for the documented decision;
    2. The decision making process, including the information used for the decision, the considerations in making the decision, and the rationale. This includes any changes to decisions; and
    3. The engagement of third parties.

All required documentation must be available to the DOI.

Shadows Cast by the Documentation Requirements

Some issues that arise under the proposed documentation requirements include:

  • Given the use of the term “minimum” it is unclear what amount of documentation will be sufficient; and
  • Will the DOI consider the size of the insurer and the extent to which it uses ECDIS, algorithms, and predictive models to assess the sufficiency of the insurer’s documentation?

What Does Punxsutawney Phil See?

While Punxsutawney Phil can retreat to his cozy burrow to wait out a long winter, life insurers will not have that luxury should the draft rule foretell of a long regulatory winter for users of ECDIS. The DOI invited all stakeholders to submit written formal comments on the draft rule ahead of the February 7th meeting and noted that stakeholders will have additional opportunities to submit written and oral comments.

Carlton Fields will attend the February 7th stakeholder meeting and continue to report on the draft rule.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.
