How Changes in Data Privacy Laws Will Impact Insurance Carriers

By: Afton Lucente, Director of Marketing

I sat down with Ernst Renner, NEOS’ CEO and Managing Partner, to discuss the changes he sees in the insurance industry and his perspective on how insurers can make disruption work to their advantage. This month, we discussed the impacts that change in data privacy laws (such as the upcoming CCPA) will have on insurance carriers, along with what companies could do to prepare for new laws.

Q: While human-less transactions may be what this generation of consumers demands, the amount of personal information that is required for online transactions puts insurers on the hook for protecting this information. We’ve seen new regulations introduced because of this – such as the General Data Protection Regulation (GDPR) – but how do you think the insurance industry can use these new regulations for their benefit?

Ernst: I don’t think that insurers can really use any regulation for their benefit – not a hard benefit, anyway. Anytime a regulation is imposed, it costs the industry something. In this case, companies that fail to comply with these regulations will likely face severe economic repercussions, making it vital for them to prepare for upcoming acts.

However, there are some soft benefits that can come out of this. For instance, the new data governance that will need to be created to meet the regulations could give insurers better control of and insight into their data. Insurers could also use new data programs as an opportunity to perform data centralization.

Q: Following the GDPR’s passage, several US states are proposing their own data protection laws, such as the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. With less than six months to put compliance programs in place for the CCPA, how do you see carriers responding? Do you have any recommendations for carriers?

Ernst: Insurers could use this as an opportunity to centralize their data. By building out new data programs in a strategic manner, companies could reorganize their data into a form that would provide access to more cross- and up-sell opportunities across different lines of business.

In terms of the CCPA specifically – well, the major part of the act for carriers has to do with the exchange of data with external parties. Although carriers don’t usually send much personal information out to third parties, the CCPA’s emphasis on data lineage means that insurers will need to know where exchanged data originated from and eventually went to, along with whether or not it was sent outside of the four walls of the carrier. Carriers should make sure that they have a solid reporting system in place for the data elements that the CCPA covers, especially regarding places where those elements pass outside the boundaries of the company.

Q: One of the reasons that the CCPA stands out is its broad definitions of personal information, which includes (but is not limited to) names, email addresses, physical addresses, bank account numbers, employment information, physical characteristics, purchase records, familial status, biometric data, and educational information. Regarding this, the CCPA does not require companies to complete data inventories or governance, but how important do you think that having a solid data strategy and governance program will be for insurance carriers?

Ernst: Even though the CCPA doesn’t mandate anything about data governance, it’s still absolutely critical that companies have solid data governance frameworks in place. Although it wasn’t as important in the past, having strong data governance now is integral to a company’s success. If there aren’t any processes in place to govern people’s data, then there will always be a firefight when a corporation needs to determine whether or not it complies with regulations.

Furthermore, many prospective state regulations overlap with existing regulations – such as New York’s Regulation 187 – or even each other. If there was a Venn diagram of data elements for each regulation, you would see some overlap. So, even though the CCPA may not have extensive data governance requirements, having strong data governance can only help companies moving forward, especially if similar regulations come into play.

Q: Since the CCPA was passed, copy-cat regulations are coming – Hawaii, Maryland, Massachusetts, New Mexico, and Rhode Island have all advanced privacy bills. What will this mishmash of regulations mean for insurance providers?

Ernst: When every state creates its own version of a specific regulation, it’s bound to create headaches for everybody, if not only because the formats for reporting to each regulatory body may be slightly different. There’s always a cost – if Rhode Island wants something different from California, then different things will need to be established for each state. However, I don’t foresee this as being a major issue, as it looks like the regulatory rules in the CCPA won’t vary too much across states. The big problem would be if a state decided that sharing information with a third party is a violation of rights – that could cause some problems, especially if the other states that a provider works in don’t share that sentiment. Otherwise, this will be more of an annoyance than a major issue.

Q: Because of the CCPA and other state-level copy-cat regulations, there are several data privacy bills being introduced into Congress. If federal data privacy legislation is passed, how do you think it will impact insurance providers?

Ernst: Well, if companies get ready for the CCPA [or other similar regulations], then they should be well prepared for any federal regulations. Federal regulation would likely stick to macro-level effects, leaving the smaller details up to each state. In fact, such a regulation would likely be similar to the GDPR, which the CCPA is – essentially – a subset of.

This actually loops back into your third question, the one about data governance. If the federal government gets involved, then it will be critical for life insurance and financial services companies to have rock-solid people plans. They will need to keep track of how they monitor, watch, or even obfuscate (if need be) their core clients. Many carriers struggle with this because they capture client information at a business level instead of aggregating it across the company. When every line of business has its own set of information on clients, checking for compliance across each tier of the company becomes incredibly clumsy. There exists a very real need to bring integrated data sets together across different lines of business.

Leave a Reply