Data Ownership in Glass TPA Relationships: What Carriers Must Protect

When a carrier outsources glass claims to a TPA, sensitive data flows between organizations. Policyholder information, claim details, financial records, and vehicle data all pass through TPA systems. Carriers must ensure this data remains theirs — in practice, not just in principle.

Data ownership should be explicit in the Carrier Service Agreement (CSA). The agreement should state clearly that all policyholder data, claim records, and program data generated during the TPA relationship are and remain the property of the carrier.

GLBA compliance is the baseline. The Gramm-Leach-Bliley Act requires financial institutions — including insurance carriers — to protect nonpublic personal information. Any TPA handling this data must comply with GLBA requirements for data safeguarding.

Breach notification SLAs define response obligations. The CSA should include specific timelines for notifying the carrier of any data security incident. Industry best practice is 48 to 72 hours for initial notification, with detailed reporting to follow.

Role-based access controls who sees what. Not everyone at the TPA needs access to all data. Platform access should be scoped by role — carrier administrators see everything, TPA staff see what they need to process claims, and shops see only their assigned work.

Audit rights give carriers verification ability. The CSA should grant the carrier the right to audit the TPA's data handling practices, security controls, and compliance procedures at any time with reasonable notice.

Data portability ensures continuity. If the carrier-TPA relationship ends, the carrier should be able to export all historical claim data in a standard format. Data should never be held hostage.

These protections are not just legal formalities — they are operational necessities that protect the carrier, its policyholders, and the integrity of the glass program.
