If a state agency stores its data in a database owned and operated by a private vendor, can a Delaware FOIA requester force the agency to hand over the database structure?
Plain-English summary
Lee Lifeng Hsu wanted Delaware-specific insurance data of the kind compiled by national groups like NAIC and the Insurance Information Institute. He filed a FOIA request with the Delaware Department of Insurance for aggregated claims data, complaint data, market conduct examination reports, and similar records. After two rounds of denials, he narrowed the request to something more modest: a list of the databases the Department uses, plus metadata describing the structure of those databases (names of tables, names of fields). No substantive data, just the schema.
The Department still said no. Its sworn affidavit explained that it does not actually run those databases. The complaint and producer-licensing data sits in State Based Systems (SBS), which NAIC owns and operates. Premium rate and forms filings sit in SERFF, also a NAIC system. Fraud data sits with a vendor called Aithent. The Department uses these systems but does not own, manage, or even possess the metadata.
The Chief Deputy AG concluded the Department did not violate FOIA. Under 29 Del. C. § 10003(a), an agency must give reasonable access to its public records, but no statute requires it to produce records it does not have. The opinion relied on the Department's sworn affidavit and on Vanella v. Duran for the proposition that an agency cannot be made to disclose what it does not control.
What this means for you
If you're a journalist or researcher trying to pry insurance data out of state regulators
Two practical workarounds. First, the Department itself flagged that SBS is publicly available online via NAIC; you may be able to access producer licensing and complaint data through that portal directly, without going through Delaware FOIA at all. SERFF is similarly accessible. Second, if a state regulator does not own its database, ask whether the regulator has the right under its vendor contract to demand a data extract. That is a separate question, and the answer can sometimes change the calculus, but you would have to get a court to order it.
If you work in a state agency that uses third-party SaaS for record-keeping
This opinion is friendly to your position when a vendor stores the underlying data, but do not over-rely on it. The Department here won partly because its affidavit named the specific vendors and specifically attested it does not have the metadata. A vague "we use a vendor" answer would be weaker. If the agency does have administrative access to the schema (most SaaS contracts include that), the analysis could go the other way.
If you're a Delaware citizen wondering why basic insurance market data isn't on a state website
The short answer is that Delaware has outsourced most of its insurance-data infrastructure to NAIC. That is normal across states; NAIC was built for it. But it does mean Delaware-specific drilldowns often live behind NAIC's tools rather than on a Delaware-controlled portal. If you want this fixed, the lever is the General Assembly, not FOIA.
If you're an attorney representing a FOIA petitioner in similar circumstances
The opinion treats the agency affidavit as effectively unrebuttable on the question of possession. To push back, you would need either to challenge the credibility of the affidavit (rare) or to argue that "control" extends to data the agency contractually has the right to obtain. Judicial Watch v. University of Delaware lets you require an affidavit; it does not give you a path to discovery beyond it.
Common questions
Q: Is database structure (table names and field names) ever a public record?
A: It can be, when the agency owns the database. The opinion does not hold that schema is categorically exempt; it holds that this particular Department did not possess the schema because the vendor does. If you ask for schema of a database the State runs in-house, this opinion does not block you.
Q: Doesn't Delaware FOIA require agencies to "create" simple data extracts when the underlying data exists?
A: No, FOIA does not require creating new records. Delaware courts have read this rule somewhat flexibly: in Vanella v. Duran the court said producing "easily disclosable information stored in a computer system" is not record creation. But you still need the agency to have the data in the first place, which is the issue here.
Q: Could the Department have asked NAIC for the metadata and then turned it over?
A: It might have been able to, but FOIA does not obligate it to. The statute reaches records the public body has, not records it could theoretically obtain.
Q: What are SBS and SERFF, in plain English?
A: SBS (State Based Systems) is NAIC's licensing-and-complaints platform that most state insurance departments use. SERFF (System for Electronic Rates and Forms Filing) is NAIC's filings platform. Both are accessible to insurance regulators across states, and parts of both are publicly queryable.
Q: Why does the AG cite 18 Del. C. § 2406(a)?
A: The Department also raised that statute, which keeps fraud-investigation records confidential. The AG did not need to reach the fraud-records question because the no-possession finding disposed of the case.
Citations
- 29 Del. C. § 10003(a), public access to records
- 29 Del. C. § 10005(c), public body bears burden to justify denial
- 29 Del. C. § 10002(o)(3), investigatory files exemption (raised but not reached on merits here)
- 18 Del. C. § 2406(a), confidentiality of insurance fraud investigations
- Judicial Watch, Inc. v. Univ. of Del., 267 A.3d 996 (Del. 2021), affidavit standard for FOIA denial
- Vanella v. Duran, 2024 WL 5201305 (Del. Super. Dec. 23, 2024), agency need not produce records it does not possess; data extracts not "creating" new records
Source
- Landing page: https://attorneygeneral.delaware.gov/2025/02/28/25-ib13-2-28-25-foia-opinion-letter-to-lee-lifeng-hsu-re-delaware-department-of-insurance/
- Original PDF: https://attorneygeneral.delaware.gov/wp-content/uploads/sites/50/2025/03/Attorney-General-Opinion-No.-25-IB13.pdf
Original opinion text
KATHLEEN JENNINGS
ATTORNEY GENERAL
DEPARTMENT OF JUSTICE
820 NORTH FRENCH STREET
WILMINGTON, DELAWARE 19801
CIVIL DIVISION (302) 577-8400
CRIMINAL DIVISION (302) 577-8500
DIVISION CIVIL RIGHTS & PUBLIC TRUST (302) 577-5400
FAMILY DIVISION (302) 577-8400
FRAUD DIVISION (302) 577-8600
FAX (302) 577-2610
OFFICE OF THE ATTORNEY GENERAL OF THE STATE OF DELAWARE
Attorney General Opinion No. 25-IB13
February 28, 2025
VIA EMAIL
Lee Lifeng Hsu
RE: FOIA Petition Regarding the Delaware Department of Insurance
Dear Mr. Hsu:
We write in response to your correspondence alleging that the Delaware Department of
Insurance violated Delaware's Freedom of Information Act, 29 Del. C. §§ 10001-10008 ("FOIA").
We treat your correspondence as a Petition for a determination pursuant to 29 Del. C. § 10005 of
whether a violation of FOIA has occurred or is about to occur. For the reasons set forth below, we
determine that the Department did not violate FOIA by denying access to the requested records.
BACKGROUND
On December 11, 2024, you submitted your first request to the Department seeking various
data records related to insurance claims and complaints in Delaware. The request notes that it was
inspired by a report produced by the Insurance Information Institute and the National Association
of Insurance Commissioners ("NAIC") that highlights significant trends in this area. You seek to
understand the specifics for Delaware. The request sought aggregated data for all insurance claims
categorized by insurance type and with respect to homeowners' insurance, sought the number of
homeowner insurance policies issued, number of homeowner insurance claims filed, aggregated
consumer complaint data (including the nature of the complaint and resolution status), water
intrusion claims and complaints, market conduct examination reports, and summary of
enforcement actions. The following day, the Department denied access to the requested records,
stating the Department is not required to answer questions or to create new reports or records. In
addition, the response stated, "[a]s an accommodation, please be advised that the Department has
no responsive records to the FOIA request."1
On December 20, 2024, you submitted a revised request, noting that given modern database
systems, neither extracting information based on specific criteria, querying an existing database,
nor providing raw data constitutes creating a new record. You requested the following:
1. A list of the names of all databases owned, used, or
maintained by the Department in connection with insurance
matters. . . .
2. Metadata for the databases related to insurance complaints,
fraud, auto insurance, and homeowner insurance. This
metadata includes only the names and structures of the data
fields (e.g., database names, table names, and field names)
and does not contain any substantive data. . . .2
The Department responded on January 9, 2025, reiterating that FOIA does not require a
public body to answer questions or to create new reports or records. The Department also noted
that to the extent you seek insurance complaints in the second item, those records are exempt
pursuant to 29 Del. C. § 10002(o)(3), and fraud investigatory records are exempt pursuant to 18
Del. C. § 2406(a). Finally, the Department stated, as an accommodation, it has no records
responsive to this revised request. This Petition followed.
In the Petition, you allege that your revised request was reasonable and in compliance with
FOIA's standards. You contend the metadata and database descriptions do not fall under the cited
exemptions for investigatory files and confidentiality, nor do they contain substantive
investigatory data. Further, you assert that the Department's refusal to provide even basic database
descriptions is an overbroad application of the exemptions and is inconsistent with the Delaware
Supreme Court's guidance favoring transparency. You request that this Office review the
December 20, 2024 FOIA request.
On February 11, 2025, the Department, through its legal counsel, replied to the Petition
and enclosed the affidavit of its Deputy Insurance Commissioner ("Response"). The affidavit
states that the Deputy Commissioner adopts the facts and arguments in the Response. The Deputy
Commissioner specifically attests that "the Department has no records responsive to the FOIA
request because the databases and their respective metadata which house Department data are
owned, managed, and operated by third parties."3 The Response states that the NAIC owns,
operates, and manages State Based Systems ("SBS") which houses all the Department's data
specific to insurance complaints and producer licensing; SBS is publicly available online. The
Department asserts that NAIC also owns, operates, and manages the Systems for Electronic Rates
and Forms Filing ("SERFF"), which houses all the Department's data and forms related to
premium rate and form filings with respect to, among others, auto and home insurance; SERFF is
publicly available online. The Department says that Aithent, another third-party provider, owns,
operates, and manages the database that houses the Department's fraud data. Because the
Department does not own, operate, or manage these databases, the Department asserts that it "does
not have possession of and has no records with respect to any metadata from those databases."4
1 Petition.
2 Id.
3 Response, Aff. of Deputy Insurance Commissioner dated Feb. 11, 2025. The Response
also states that the "Department databases related . . . 'to insurance complaints, fraud, auto
insurance, and homeowner insurance' are all owned, operated, and managed by third parties."
DISCUSSION
FOIA requires that citizens be provided reasonable access to and reasonable facilities for
the copying of public records.5 The public body has the burden of proof to justify its denial of
access to records.6 In certain circumstances, a sworn affidavit may be required to meet that
burden.7
In this case, the Department provided its Response under oath and named the databases
associated with your request.8 The Department provided a sworn statement from the Deputy
Insurance Commissioner that "the Department has no records responsive to the FOIA request
because the databases and their respective metadata which house Department data are owned,
managed, and operated by third parties."9 The Department is not obligated under FOIA to provide
records it does not possess or control.10 On the basis of this sworn evidence, we find that the
Department did not violate FOIA by denying access to the requested records.
4 Response.
5 29 Del. C. § 10003(a).
6 29 Del. C. § 10005(c).
7 Judicial Watch, Inc. v. Univ. of Del., 267 A.3d 996 (Del. 2021).
8 We note that, although the Department denied the first item in your request for the list of
databases, the Department, in this Response, references the three databases related to your request
that the Department uses. See supra note 3.
9 Response, Aff. of Deputy Insurance Commissioner dated Feb. 11, 2025.
10 Vanella v. Duran, 2024 WL 5201305, at *6 (Del. Super. Dec. 23, 2024).
CONCLUSION
For the foregoing reasons, we conclude that the Department did not violate FOIA by
denying access to the requested records.
Very truly yours,
Daniel Logan
Chief Deputy Attorney General
cc: Kathleen P. Makowski, Deputy Attorney General
Dorey L. Cole, Deputy Attorney General