Privacy Impact Assessment (PIA)

Privacy Impact Assessment Update
for the

National Flood Insurance Program
Information Technology Systems
DHS/FEMA/PIA-011(a)
August 25, 2016
Contact Point
Roy Wright
Deputy Associate Administrator for Insurance and Mitigation
Federal Emergency Management Agency
Department of Homeland Security
(202) 646-2781
Reviewing Official
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 2

Abstract
The Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA)
Federal Insurance and Mitigation Administration (FIMA) National Flood Insurance Program
(NFIP) owns and operates the NFIP Information Technology System (ITS). The NFIP ITS and its
subsystems help manage the NFIP by collecting flood insurance data and processing flood
insurance policies and claims, specifically, policies and claims from the FEMA Direct Servicing
Agent (DSA) contractor on behalf of the NFIP and by Write Your Own Companies (WYO) that
sell and service flood insurance policies. FEMA is updating this Privacy Impact Assessment (PIA)
to include the NFIP Reinsurance Program and to expand its sharing of NFIP information. On a
case-by-case basis, FEMA will share information with domestic and international reinsurance
brokers; reinsurance companies; academics; independent risk modeling firms; or insurance
industry associations that may not have an affiliation with the DSA or participate in the WYO
Program.

Overview
Congress created the NFIP through the National Flood Insurance Act of 1968. 1 The
program was established in response to the rising cost of taxpayer-funded disaster relief for flood
victims and the increasing amount of damage caused by floods. FIMA manages the NFIP and
oversees the insurance, floodplain management, and mapping components of the program.
The NFIP enables individuals and organizations in the participating communities to
purchase insurance protection against losses from flooding. The basis for a community’s
participation in the NFIP is an agreement with FEMA to adopt and enforce sound floodplain
management ordinances to mitigate future flood risks to new construction, additions, repairs, and
rebuilding within the community’s floodplain. The FEMA Community Information System (CIS)
collects and maintains communities’ flood zone and floodplain information and maintains the
official record of a community’s NFIP participation status. NFIP then makes flood insurance
available to property owners and renters within the community as a means of reducing the risk of
flood losses. Areas outside the floodplain of these communities generally have a lower risk of
flooding. Properties within those areas are eligible for Preferred Risk Policies (PRP) with a lower
premium. Additionally, certain areas within these communities may be part of a Coastal Barrier

1

42 U.S.C. §§ 4001-4129.

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 3
Resource System (CBRS) area. Properties within the CBRS area require more robust flood
management safeguards in order to be eligible for flood insurance.
To help manage the NFIP, FEMA developed the NFIP ITS. The NFIP ITS collects flood
insurance data from both the DSA and participating WYOs. WYOs are private insurance
companies that sell and service FEMA’s Standard Flood Insurance Policy (SFIP) under their own
names. NFIP and private sector insurance companies execute an agreement that allows the WYOs
to sell and administer flood insurance on behalf of FEMA. For individuals and organizations within
NFIP-compliant communities where WYOs are not available, NFIP uses contract support known
as the DSA to provide flood insurance policies to the individual or organization through
independent agents on behalf of FEMA. Policy and claims information collected from the DSA
and WYOs are categorized as transaction data and financial data. Transaction data consist of policy
information such as policyholder name and property address. Financial data includes flood
insurance premiums collected and claims paid for each property by the DSA and WYOs. NFIP
ITS collects, uses, maintains, retrieves, and may share information about policyholders, insurance
policy processors, and individuals requesting access to the flood insurance system.

Reason for the PIA Update
Generally, the Federal Government assumes all financial risk for flood insurance. The
Biggert-Waters Flood Insurance Reform Act of 2012 2 and the Homeowners Flood Insurance
Affordability Act of 2014 3 authorize the NFIP Reinsurance Program, which allows the Federal
Government to share this risk with private reinsurance companies and other private sector entities.
The NFIP Reinsurance Program buys reinsurance to transfer some of the insurance risk assumed
by NFIP. FEMA is updating the NFIP ITS Privacy Impact Assessment (PIA) to describe the NFIP
Reinsurance Program and expands its categorization of organizations with which FEMA shares
NFIP information.
While reinsurance is a common practice within the insurance industry, flood reinsurance
for a program as big as the NFIP requires risk studies and models to assess current and future risk.
For instance, reinsurers use models to assess the risk of losses from a large catastrophic flood event
and to undertake mitigation so that the losses do not impair the reinsurer’s financial capital or
create a risk to the reinsurance company’s other commitments.
Generally, reinsurance companies will require certain risk models to help interpret the risk
to their company and require the insurance company to have a reinsurance broker or modeling
2
3

Pub. L. No. 112-141 § 100232(d) [2012)].
Pub. L. No. 113-89 § 10 [2014)].

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 4
company to take data and create general risk models that the reinsurance companies can then use
and incorporate into their risk model for their company. One important output of those risk models
is an “Exceedance Probability Curve,” which plots the level of expected losses against the
probabilities of those losses occurring. Many of the largest reinsurance companies that are more
capable of supporting a national program like the NFIP are located outside of the United States;
many are headquartered in Europe and Bermuda. Some reinsurance companies based in the United
States may have subsidiaries outside of the United States. In addition to the reinsurance models,
FEMA plans to request or cooperate on independent flood assessments and feasibility studies from
risk modeling firms, academics, and educational institutions.
FEMA has designed a two phase approach to implement NFIP Reinsurance Program. The
Program consists of a risk proposal phase and an implementation phase.
Risk Proposal Phase
During the first phase, FIMA anticipates contractually engaging with reinsurance brokers
in order for the reinsurance brokers to model the NFIP risk and to assist in the development of risk
proposals. Specifically, FIMA will execute a contract with reinsurance brokers or a risk modeling
company that in turn will create risk models, interact with reinsurance companies on behalf of
FIMA, and assist in flood reinsurance risk proposals. During this phase, FIMA will create and
export a file from the NFIP ITS and share the data extract that will include limited PII, specifically,
property address and geographical location information (latitude and longitude) with the
reinsurance broker or risk modeling company. Due to inherent inaccuracies with either
geographical location information or physical street addresses, FEMA provides both to help ensure
a more accurate flood risk model.
Most risk models use a Geographical Information System (GIS) platform to run risk
models. The reinsurance company will use the geographical location information from FEMA for
its GIS platform. However, if there is an error, the reinsurance broker, reinsurance company, or
risk modeling company will use the address provided to verify correct address and generate
geographical location information to ensure the correct information is processed for its risk model.
FEMA will not share policy holder name, policy number, or WYO and DSA information
with the reinsurance broker, risk modeling companies, or reinsurance companies during this phase.
The reinsurance broker or risk modeling company will create a risk model and may subsequently
share that information as well as the FEMA NFIP ITS extract information, if FEMA so directs,
with reinsurance companies in order to solicit quotes from those reinsurance companies. The
reinsurance companies could develop their own risk models as needed to develop their unique risk
proposals. The reinsurance broker or risk modeling company executes Non-Disclosure

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 5
Agreements (NDA) with all reinsurance companies that will have access to the NFIP ITS extract
information. FEMA will maintain copies of these agreements.
Many of the largest and most relevant reinsurance companies, or their affiliates, are offshore and located outside the United States, such as in Europe and Bermuda. FEMA’s reinsurance
brokers will market the Reinsurance Program and generate a listing of reinsurance companies that
are either based in the United States or internationally-affiliated that have the best ability to support
the program. Through a review process that will include FEMA’s Office of Chief Counsel, FEMA
may decide an internationally-affiliated reinsurance company has the ability and experience to
support the program, through a technical proposal. FEMA’s decision will be based on technical
and financial ability to support the program and then narrowed based on any federal regulations
that may limit official business outside of the United States.
Through FEMA’s statutory authority, FEMA will enter into an information sharing and
access agreement (ISAA) with the reinsurance company. The agreement will contain appropriate
information and privacy safeguards language. If FEMA directs, FIMA reinsurance brokers or risk
modeling companies may disseminate and allow foreign nationals access to FEMA information
based on the agreement between FEMA and the reinsurance company. In this instance, FEMA
information may not necessarily remain exclusively on U.S. servers.
Implementation Phase
During the second phase, FEMA will use the results of phase one to solicit flood
reinsurance technical and pricing quotes from the reinsurance industry and award contracts to
begin reinsuring the NFIP. Under the terms of the reinsurance contracts, FIMA can share NFIP
policyholder information from the NFIP ITS for the claims processing as part of the NFIP
Reinsurance Program. FEMA may share both aggregate and property-specific policy and claims
information to include address; latitude and longitude; policy limits; and claims history. This
sharing is required because the reinsurance company is assuming part of the financial burden of
NFIP claims and needs to review how the claims are handled by the NFIP.
Sharing with Other Stakeholders
FEMA plans to share policyholder information with additional stakeholders to assess
general risk and conduct feasibility studies and models that can help FIMA manage the overall
risk of the NFIP and assess potential impact on communities. These additional stakeholders
include academics, educational institutions, flood risk modeling companies, and insurance
industry associations 4. When FEMA shares information, it will be pursuant to a contract, NDA, or
4

FEMA may provide information to insurance industry associations for the purpose of conducting insurance risk or
trend studies related to flood insurance and provide risk assessments and reports to its insurance members. This
allows the NFIP to reach a broad audience of insurance organizations to help market the WYO Program or help

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 6
ISAA. FEMA will share address, geographical location data (latitude and longitude), and non-PII
related policy and claims data. Even after sharing parameters are agreed upon, FEMA sends cover
letters to accompany shared policyholder information to remind receiving organizations of their
handling and sharing limitations.

Privacy Impact Analysis
In each of the below sections consider how the system has changed and what impact it has on the below fair
information principles. In some cases there may be no changes and indicate as such.

Authorities and Other Requirements
The Biggert-Waters Flood Insurance Reform Act of 2012 5 and the Homeowners Flood
Insurance Affordability Act of 2014 6 authorize FEMA to secure reinsurance from the private
reinsurance and capital markets on terms and conditions determined by the Administrator to be
reasonable and appropriate. Prior to the start of phase 2, DHS will update and republish
DHS/FEMA-003 National Flood Insurance Program Files System of Records 7 to include sharing
and access of NFIP information with/by flood risk modeling organizations, educational institutions
and reinsurance brokers, reinsurance companies with international affiliates, and with other
categories of requestors when the sharing of data would be beneficial to FEMA and compatible
with the reasons for which FEMA collected the information.
A NFIP ITS System Security Plan (SSP) was approved in May 2015, and an Authority to
Operate (ATO) was issued on May 28, 2015. Additionally, the IT systems managed by the
reinsurance brokers, reinsurance companies, or the risk modeling companies will have a SSP and
an ATO issued for their system.
There are no additional information collections that require coverage by the Paperwork
Reduction Act (PRA) within the NFIP ITS.
There are no changes to NFIP ITS’s records retention schedule.

insurance companies interested in privately selling flood insurance outside of the NFIP to understand flood
insurance trends and risk.
5
Pub. L. No. 112-141 § 100232(d) [2012)].
6
Pub. L. No. 113-89 § 10 [2014)].
7
79 Fed. Reg. 28747 (2014).

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 7
Characterization of the Information
FEMA will not collect or maintain any additional data elements than those already in the
NFIP ITS. FEMA may share the following information with reinsurance brokers, reinsurance
companies, and risk modeling companies in support of the Reinsurance Program:
Individual Insured Information:
•

Address(es);

•

Insurance/Claims Data (i.e., Insurance Rate(s), Claim Amounts);

•

Geographical Locations (i.e., latitude, longitude);

•

Flood Zone Data;

•

Property loss history; and

•

City.

FEMA may collect the following information from the reinsurance brokers, reinsurance
companies, risk modeling companies, or other stakeholders involved in NFIP Reinsurance
Program or feasibility and trend studies:
•

Organization Name;

•

Point of Contact Full Name;

•

Address(es);

•

Email Address(es);

•

Telephone Number(s); and

•

Insurance/Claims Statistical Data.

FEMA may collect, use, or maintain the following user account information for the NFIP
ITS and other systems supporting the Reinsurance Program:
•

Full Name;

•

Address(es);

•

Email Address(es);

•

Telephone Number;

•

User ID; and

•

Personal Identification Number (PIN)/ Password(s).

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 8
Uses of the Information
Reinsurance brokers, risk modeling firms, reinsurance companies, and other stakeholders
use address, geographic location information such as latitude and longitude, and other non-PII
related policy and claims information of policyholders to conduct research and create risk models
of flood risk for the purpose of assessing national flood risk, creating risk proposals, and the
sharing of flood insurance financial risk with reinsurance companies.
There are no changes or updates to the NFIP ITS’s use or access of information. The
following are additional privacy risk and mitigations in relation to the NFIP ITS.
Privacy Risk: There is a privacy risk that reinsurance brokers, risk modeling companies,
reinsurance companies, and other stakeholders may use the NFIP information for other non-NFIP
related studies and research or other commercial uses.
Mitigation: This risk is partially mitigated. FEMA ensures that proper information and
records safeguards are included within the contracts and other types of arrangements to outline
appropriate use of NFIP information and provide guidance on the processes necessary to
adequately protect and secure NFIP data, including requiring NDAs to be signed by all individuals
that would have access to the granular data. FEMA considers any violation of these binding terms
to constitute a breach of contract/agreement. FEMA will evaluate and investigate each of these
violations and may terminate the agreement, pursue other legal means to prevent any further
violations, and address any impact on individual’s privacy resulting from the misuse of FEMA
information. However there still is the residual risk of making sure that each and every instance of
misuse of information is reported to FEMA, which FEMA cannot fully mitigate.
Notice
FEMA provides notice of the sharing of NFIP information with risk modeling
organizations, reinsurance brokers, reinsurance companies, and international affiliates of the
reinsurance brokers, reinsurance companies, and other stakeholders, through the publication of this
PIA. FEMA provides additional notice of the sharing of information for risk proposals for
reinsurance program through the SORN mentioned above. Under the current system, the right to
consent or decline occurs when the DSA and WYO inform policyholders of their privacy
guidelines and practices and require policyholders to sign FEMA forms that provide
acknowledgement during the policy purchase and renewal process. Individuals that are required
by law or by a mortgaging institution to have flood insurance on a property do not have the option
of opting out of this program. FEMA’s sharing of risk and subsequently, NFIP information with
reinsurance companies is a statutory requirement. In order to explain new uses and sharing, FEMA
will provide additional notice in the DHS/FEMA-003 SORN. FEMA is currently updating this
SORN to clarify sharing with international organizations as part of the reinsurance program and
sharing of information with other stakeholders for the purpose of assessing flood risk and

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 9
affordability studies. Additionally, FEMA’s is updating the current Privacy Act statements on its
NFIP policy application and claims forms to clarify possible sharing and access of information
internationally.
Data Retention by the project
There are no changes to the data retention of the information within the NFIP ITS.
Information Sharing
NFIP ITS may share information with reinsurance brokers, reinsurance companies, and
other categories of requestors by way of a reinsurance broker or risk modeling company. FEMA
shares information pursuant to an Information Sharing and Access Agreement such as a contract
or memorandum of agreement (MOA) with reinsurance companies. FEMA shares the information
mentioned is the “Characterization of the Information” section of this update PIA via a file transfer.
NFIP shares the file using data encryption and electronic media such as compact disk (CD), digital
video disk (DVD), or portable hard drive. This purpose of the information sharing is to conduct
market research on the viability and impact of sharing flood insurance financial risk with the
reinsurance community in order to implement the NFIP Reinsurance Program. The information
sharing enables requestors, such as educational institutions, to conduct flood risk assessments and
feasibilities studies to assist NFIP in assessing national flood risk and impacts on communities.
This sharing is pursuant to DHS/FEMA-003 National Flood Insurance Program Files System of
Records.
Routine use H allows FEMA to partner with Write Your Own insurance companies as
authorized under 44 CFR § 62.23 to administer flood insurance.
Routine use V allows NFIP to share policy information with reinsurance brokers and
reinsurance companies based in the United States. The NFIP Reinsurance Program is compatible
with the purpose for original collection of information because NFIP shares flood insurance
financial risk information with the insurance community (i.e., private reinsurers, private capital
firms, and financial institutions) for the purposes of preparing NFIP assumption of risk proposals.
Prior to initiating sharing, FEMA will update the DHS/FEMA-003 SORN to explicitly
cover sharing limited location information with other stakeholders (domestic and international),
including educational institutions.
FEMA will limit re-dissemination of information using language within the ISAA, NDA
or associated with a letter or notification or Privacy Act sharing limitations that FEMA will initiate
with each recipient of NFIP information.

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 10
Privacy Risk: There is a privacy risk that FEMA may not be able to control the sharing or
re-dissemination of policyholder’s PII as it relates to the Reinsurance Program or flood insurance
feasibility studies.
Mitigation: FEMA partially mitigates this risk by including privacy safeguards within any
ISAA to extend control of FEMA’s information while in process by reinsurance brokers,
reinsurance companies, or risk modeling companies. These agreements will contain the DHS’s
cyber hygiene clauses. For flood risk modeling companies and other stakeholders that FEMA may
not enter into an ISAA with, FEMA will limit further re-dissemination of NFIP information using
language within a FEMA cover letter that references restrictions on re-dissemination placed by the
Privacy Act or NDA that will limit sharing of information. FEMA considers any third-party
sharing of information without the express consent of FEMA a violation of the terms of agreement.
FEMA will investigate any sharing outside of the terms and understandings of any contract or
agreement to determine any ill intent or gross neglect and pursue any contractual or legal means
to stop any inappropriate sharing of information, such as termination of contract/agreement.
DHS/FEMA in partnership with other appropriate federal departments, such as the Department of
Justice, will coordinate or consult with the appropriate international law enforcement agency to
attempt to retrieve any inappropriately shared information and to ensure any inappropriate sharing
of information has cleared and information has been removed from the property of any
inappropriate third party recipient(s) of FEMA information. Specifically, DHS/FEMA will seek to
recover the PII of NFIP flood policyholders, as practicable. FEMA or the organization that caused
the breach of PII information will provide further remediation as needed and appropriate to include
notification of individuals that have been affected by the breach. There is a residual risk for
reporting each inadvertent or unauthorized release of information to a third party that FEMA is not
able to fully mitigate.
Redress
There are no changes to the NFIP ITS redress procedures. Individuals can correct their
information by contacting their flood insurance provider (WYO company or DSA), and updating
their information. The reinsurance companies are only accepting financial risk and may need to
review information to ensure proper payouts and compliance with contract terms with FEMA. The
reinsurance companies will not own the insurance policy.
Auditing and Accountability
There are no changes to the NFIP ITS or FEMA’s process for system auditing and
adherence to FEMA’s stated practices within the previously published PIA. The reinsurance
brokers, reinsurance companies, risk modeling companies, and other stakeholders will have similar
auditing and accountability within their system as documented within the SSP with FEMA’s Office

Privacy Impact Assessment Update
DHS/FEMA/PIA-011(a)
National Flood Insurance Program
Information Technology Systems
Page 11
of the Chief Information Officer. Additionally, any approval of Reinsurance Program related
ISAAs will go through the same review process.

Responsible Official
Tammi Hines
Acting Privacy Officer
Federal Emergency Management Agency
Department of Homeland Security

Approval Signature
Original signed copy on file with the DHS Privacy Office.

________________________________
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security