Data Privacy for Insurance

Big data has become the Gollum’s Ring of the technologically advanced world. Everyone wants it, even if it could come with unforeseen danger. 

Personal data has brought a whole new world of products and services that perfectly match our innermost desires right to us. Much of the use and normalization of user data collection built up slowly over the years without much public awareness. Companies, especially those in the United States leading this data collection crusade, enjoyed a brief wild-west period of data. Everything was possible, and data was the new gold. 

Eventually, as the public became more aware of just how much information companies hold on them, consumer attitudes toward data collection shifted. Europe took heed and enacted the most comprehensive and impactful piece of data privacy legislation to date, the General Data Protection Regulation (GDPR). The reach of this legislation was so broad and the penalties so severe that everyone rushed to meet this new understanding of data collection and privacy. 

We are now at an age where, like early Frodo, we still want to harness the power of the ring, but we are more aware of its potential downsides and dangers. While many aspects of data protection are similar across industries, the large amount of personal data that insurance providers hold means they must also take special steps and considerations. 


Key challenges for insurance 

Data is particularly important, and particularly dangerous, for insurance companies. By design, insurance companies need a lot of very personal and sensitive information about their customers. Each branch of insurance will have concerns specific to its location and offerings, but some of the most challenging hurdles for insurance companies are data portability, consent and data breaches. 

Data portability

Article 20 of the GDPR is one of the more widely known provisions, even if you think you have never heard of it before. This portion of the GDPR allows individuals to request a copy of all of the information a company has collected on them, including information collected by secondary means, such as through partner companies. This particular piece of the legislation became a hot topic when individuals started asking social media and dating sites what data they held on them. One journalist from The Guardian received international attention after asking the dating app Tinder what information it had on her. As you might imagine, it didn’t go well. 

While insurance companies might not hold information that cuts us in quite the same way, insurance companies, especially those related to personal health, do hold a lot of sensitive information. If a customer requests this information, the company must be able to provide it in a specified format and within a specified time frame. If the company is unable to do so, it faces a hefty fine. While consumers might not be as eager to request a copy of their data from insurance companies, all of the personal user data a company keeps still needs to be collected and stored safely, in a way that lets the company immediately identify what information it holds on a customer and show that all of it is held within the legal constraints. 

Consent

Traditionally, consent around data privacy has been opt-out rather than opt-in. This was probably one of the most noticeable changes immediately after GDPR went into effect. Almost overnight, every website suddenly had a pop-up bar asking about tracking and ad preferences. Instead of lumping everyone together and assuming most would have granted similar permissions, companies now need to pay specific attention to which users have given permission for data collection. Stringent rules surround what kinds of data you are allowed to collect, what you can use it for, and how long it can be stored. All of this requires the user’s consent and must be continuously updated to reflect current policies. 
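As an added illustration, not part of the original article, the following Python sketch shows how a per-customer consent ledger with purpose-bound retention can drive both the consent check described here and the Article 20 export discussed under Data portability. The retention windows, customer records and the partner source name are constructed sample values, not figures from the article or the regulation.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
import json

# Assumed retention window (days) per processing purpose; constructed values,
# not figures from the article or the regulation.
RETENTION_DAYS = {"underwriting": 365, "marketing": 90}

@dataclass
class Consent:
    customer_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: "datetime | None" = None   # set when the customer opts out

@dataclass
class Record:
    customer_id: str
    purpose: str
    source: str          # "direct" or "partner:<name>" for secondary collection
    field: str
    value: str
    collected_at: datetime

def consent_active(consents, customer_id, purpose, now):
    """True if the customer holds an un-withdrawn consent for this purpose at `now`."""
    return any(c.customer_id == customer_id and c.purpose == purpose and c.granted_at <= now
               and (c.withdrawn_at is None or c.withdrawn_at > now) for c in consents)

def classify(records, consents, customer_id, now):
    """Split a customer's records into (keep, purge): kept only while consent is active
    and the purpose's retention window has not lapsed; unknown purposes are never kept."""
    keep, purge = [], []
    for r in (x for x in records if x.customer_id == customer_id):
        fresh = now - r.collected_at <= timedelta(days=RETENTION_DAYS.get(r.purpose, 0))
        (keep if fresh and consent_active(consents, customer_id, r.purpose, now) else purge).append(r)
    return keep, purge

def export_for_subject(records, consents, customer_id, now):
    """Article 20 style export: machine-readable JSON of every record lawfully held,
    partner-sourced data included, so the insurer can show exactly what it holds."""
    keep, _ = classify(records, consents, customer_id, now)
    rows = [dict(asdict(r), collected_at=r.collected_at.isoformat()) for r in keep]
    return json.dumps({"customer_id": customer_id, "generated_at": now.isoformat(), "records": rows})

# Constructed sample data: one customer who withdrew marketing consent ten days ago.
NOW = datetime(2021, 1, 15)
CONSENTS = [Consent("C-1", "underwriting", NOW - timedelta(days=400)),
            Consent("C-1", "marketing", NOW - timedelta(days=400), NOW - timedelta(days=10))]
RECORDS = [Record("C-1", "underwriting", "direct", "dob", "1980-04-02", NOW - timedelta(days=30)),
           Record("C-1", "underwriting", "partner:clinic", "bmi", "24", NOW - timedelta(days=400)),
           Record("C-1", "marketing", "direct", "email", "c1@example.com", NOW - timedelta(days=5))]
```

Running `classify(RECORDS, CONSENTS, "C-1", NOW)` keeps only the fresh underwriting record: the partner-sourced one has outlived its retention window and the marketing one no longer has consent behind it.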

Hacks and Data Breaches 

Last year was a sobering reminder of how vulnerable our data is. In just the financial and insurance industry alone, there were 448 confirmed data breaches. Then, the severity of the potential dangers came into focus when the NHS was hacked, and the personal and health data of 56 million people was in jeopardy. 

According to Verizon’s 2020 Data Breach Investigations Report, the most common outsider attacks on the insurance and financial industry are scams, phishing attacks, and pretexting attacks. These data leaks can cause a whole barrage of problems for insurance companies. First and foremost, having a horde of upset customers knocking down your door isn’t a nice way to start the week. These breaches can also lead to current customers losing confidence in your company and cancelling their plans, or influence future clients’ decisions when choosing their preferred company. 

Part of the problem is that the insurance industry is particularly appealing to cybercriminals. Not only does the industry hold vast amounts of user data, but missteps can also open the door to insurance fraud, so insurance agencies are careful not to take risks when it comes to their data. 

What you can do to protect your company and your data: best practices for data protection compliance

1. Appoint a data protection officer: there needs to be at least one person (if not several) at your company specifically tasked with monitoring data and data privacy issues. 

2. Conduct a risk assessment: what kinds of customer data do you hold that might be valuable, or that could cause reputational or financial harm if exposed? How is that data stored, who has access to it, and how difficult would it be for someone to access that information illegally if they wanted to?  

3. Ensure secure access to data: network security for your office’s Wi-Fi connection is already commonplace, but portable devices are often a blind spot. Given that insurance companies have a considerably mobile workforce (inspectors going on-site, sales representatives visiting conferences), these devices are all a potential risk. Now, with a huge portion of the workforce working from home, the problem is only exacerbated. This adds up to a lot of phones and laptops potentially left vulnerable both to malicious attacks and to accidents, if something is lost or misplaced. All it takes is special privacy software installed directly on the device; this way, phones and computers can stay safe even when they use unsecured internet connections or a third party gets hold of the device.

4. Educate privileged employees: employees with privileged access to your IT infrastructure are the most common targets of cyber attackers. Ensure that every employee with any security clearance undergoes training on the most up-to-date security practices. Multi-factor authentication and a password manager can also substantially cut down risk.  

5. Reduce third-party risks: third parties are held to the same data privacy standards as the primary company handling the data. You will therefore be required to audit and assess what information is shared with third parties and how they use it. You can either require third parties to use the same data security tools your company uses or, at the very least, oversee their data privacy policies.  

6. Encrypt data: data encryption is standard for most companies and is either required or strongly recommended by most data protection legislation. It is one of the easiest ways to ensure your data is safe, or at least better protected, if anything falls into the wrong hands. Device control policies can also help block the connection of mobile devices or regulate which devices are allowed to connect to a computer. 

7. Prepare for a fast response: things that can go wrong often find a way of doing so. A complete and ready incident response plan will help your company get ahead of any leak or hack and hit the ground running. The plan should include what actions employees at all levels should take, who should be informed, and the time frame for every action. This is particularly important because under GDPR there is a 72-hour notification deadline that starts once your company becomes aware of any cybersecurity incident. 

