Best's Review

AM BEST'S MONTHLY INSURANCE MAGAZINE



Regulatory/Law
The New Paradigm

Insurers face a challenge in trying to balance the use of new technology and respecting consumers’ privacy.
  • Howard Mills
  • April 2020

Insurance is a data-driven industry. Everything that insurers do, from marketing to underwriting to paying claims, is based upon the analysis of data. Insurers have vast troves of data about their customers and prospective customers. They have invested heavily in new technologies so as to be able to make better, more effective use of this data.

Insurance companies are particularly challenged by the tsunami of consumer data protection laws that are sweeping the global marketplace.

In 2018, the European Union's General Data Protection Regulation (GDPR) set the stage for this new era of regulatory scrutiny on how data is used and how to protect consumers in this data-driven age. The GDPR requires transparency around the use of personal consumer data by requiring companies to appoint a data protection officer who is mandated to implement technical and administrative measures pertaining to data security and who will be held accountable for compliance. EU companies must create data protection impact assessments, they must report any security breach to authorities within 72 hours and they must communicate with any individuals whose data might have been compromised. Finally, GDPR changed the game with the scope of the penalties—failure to comply can result in fines of up to 4% of annual global sales.

In 2019, financial services companies regulated by the New York State Department of Financial Services were required to be in compliance with the NYDFS Cybersecurity Regulation which seeks to protect consumer data from criminal cyberattacks. That regulation stipulates that companies conduct regular security risk assessments, maintain audit trails of data usage, implement defensive infrastructure, develop cybersecurity policies and procedures and create an incident response plan. The New York cybersecurity plan quickly became the basis for the NAIC cybersecurity model act and has been widely adopted all across the United States.

And in January, the California Consumer Privacy Act (CCPA) went into effect, giving California residents the right to know what personal data is being collected about them. CCPA empowers consumers to prohibit the sale of their personal data and to demand that a business delete their personal information. Any discriminatory action by a company against a consumer for exercising these data privacy rights is banned. It is expected that California's actions will be widely replicated around the country.

Clearly, regulators have served notice that the rules governing the use of consumer data have irrevocably changed and the insurance industry is responding. Insurers have spent a lot of time and money preparing to comply with the European Union's GDPR, the NAIC and NYDFS cybersecurity regulations and California's privacy act. But have they done enough?

Looking ahead, insurance companies need to also brace themselves for additional insurance regulatory initiatives. Many insurers are struggling to meet the new insurance regulatory requirements because their siloed IT legacy systems lack integration. The sheer volume of data being maintained also poses significant risk. Insurers should consider establishing a more comprehensive information governance program that addresses these and other data management and privacy challenges, not just to meet compliance standards, but also to enable better business decisions and actions. Potentially helpful approaches include:

• Utilizing data minimization, which involves setting protocols to automatically flush superfluous information on a regular basis.

• Increasing engagement with customers to better leverage all the new data at their disposal.

• Asking questions about current data and privacy governance: what and where data about specific consumers is being stored, how complete and accurate it is, and how it is being used and protected.

Societal views regarding the ownership of personal information are clearly evolving, and the insurance industry, data-driven as it is, will be at the forefront of this global dialogue.


Best’s Review columnist Howard Mills is an independent senior adviser with Deloitte and a corporate director. He previously was superintendent of the New York State Insurance Department. He may be reached at howmills@deloitte.com.
