Regulatory/Law
Don't Stifle It

• Theodore P. Augustinos
• May 2019
• 

Insurers collect and use data in increasingly interesting and productive ways. Insurtech investments skyrocket as insurers seek innovative, data-driven solutions to design products, mitigate risk and handle claims. Simultaneously, the legal and regulatory environment related to data protection becomes increasingly complicated. How can insurers pursue innovation in this changing and challenging environment?

Insurers' obligations to safeguard certain information originated with the Gramm-Leach-Bliley Act of 1999, but they're rapidly evolving to include expanding types of data, more specific security requirements, and new disclosures and notifications.

For International Insurers, the GDPR: The EU General Data Protection Regulation (GDPR) required international insurers to develop processes to map identifiable data collected about individuals, including innocuous information companies didn't think about before, and granted individuals new rights concerning their data. Many struggle with the GDPR's nuances, given the potential for expansive interpretations. Other countries' laws and regulations may also apply to international insurers, including the Canadian PIPEDA and provincial laws, but the GDPR drives the discussion internationally.

U.S. State Privacy and Cybersecurity Developments: States legislatures also innovate. The California Consumer Privacy Act of 2018 (CCPA) represents a new approach for the insurance industry and beyond. Like the GDPR, the CCPA expands the types of data to map and protect, and grants individuals new rights. Copycat legislation already appears in several other states. Although the CCPA echoes key concepts of the GDPR, GDPR compliance doesn't satisfy the CCPA. Companies must address the CCPA's particular requirements, regardless of the sophistication of their existing compliance program.

The New York Department of Financial Services (DFS) Cybersecurity Regulation established onerous new cybersecurity requirements for financial services, including insurance. The DFS definition of nonpublic information includes information that had not been previously addressed by U.S. requirements of insurance companies, including critical business information in addition to personal information. Inspired by the DFS, the NAIC issued its Insurance Data Protection Model Law last year. With variations, it has been adopted in several states, and proposed in others.

Breach notification laws also continue to be amended to include new data, including health and medical, and biometric data.

How to Address Privacy and Cybersecurity Requirements Without Stifling Innovation: There's no shortage of imagination for collecting and using data, but the legal and regulatory environment is increasingly challenging. Here are three steps to managing privacy and cybersecurity risks without stifling innovation.

• Build a Culture. From top down, a company must embrace privacy and cybersecurity. Build a culture that sees privacy and cybersecurity as important features, not barriers.
• Map Data and Systems. Types of data covered by the developing privacy and cybersecurity obligations continues to diversify. Understand what data your company collects and how it's processed.
• Include Privacy and Cybersecurity in Development and Onboarding. Reverse engineering a system or function is difficult, expensive and risky. Address privacy and cybersecurity up front. An old concept, “privacy by design,” is more relevant than ever. Product design, technology development and onboarding third-party solutions must address potential privacy and cybersecurity issues from conception for quicker, more efficient and effective development.