The Federal Insurance Office, U.S. Department of the Treasury (“FIO”) released its first annual Report on Protection of Consumers and Access to Insurance (the “Report”). The Report reviews developments and concerns relating to five insurance issues: technology; environmental hazards; fairness in insurance practices; fairness in state insurance standards; and retirement and related issues. The Report identifies options available to consumers, industry, and state and federal policymakers to address certain noteworthy gaps in protection for insurance consumers.
Of note are the Report’s observations on technology (Section II of the Report), and the manner in which technology issues (such as big data and cybersecurity) affect both traditional insurance companies and innovative InsurTech companies.
The Report notes that the use of big data holds promise for both insurers and consumers, as it facilitates innovation and modernization in insurance product design, distribution, and delivery. However, the Report identifies some of the concerns regarding the use of big data by insurers in the U.S., specifically in respect of the risks for consumers. “Big data” is defined in the Report as the “ability to gather large volumes of data, often from multiple sources, [which] produce[s] new kinds of observations, measurements and predictions.” Big data can accumulate consolidated information which is gleaned from different sources, such as information collected from GPS devices, mobile phones, internet searches, social media, public record, surveys, and more.
Big data supports insurers’ analysis and development of premium pricing based on “risk classification” for insurance products, by increasing the number of variables that could be assessed. At the same time, big data also enables insurers to practice “price optimization” in which data about an individual, such as shopping habits or pricing tolerance, is used to set premiums for an individual consumer. This practice may lead to individuals paying different premiums for similar policies. Certain states have restricted price optimization.
Insurance companies in the U.S. are increasingly using data brokers, which purchase, sell, collect and analyse big data, and develop related products (for example, by integrating data from social media). Data brokers do not have a direct relationship with the individuals from whom the data originates, which can raise privacy and transparency concerns (see publication in this regard by the U.S. Federal Trade Commission (“FTC”), here, and by the Privacy Commissioner of Canada, here).
The FIO called on state insurance regulators to specifically enforce state and federal legal requirements that are applicable to use of big data by insurers. The Report further highlights significant legislative and regulatory gaps in the U.S.
Insurance companies maintain vast databases of personal information regarding past, present and potential consumers. The use of big data, as well as increased use of outsourcing by insurers, can lead to significantly larger cybersecurity risk.
U.S. state insurance regulators have been cooperating on several regulatory initiatives, in order to set a mandatory cybersecurity standard for insurance companies. These initiatives include the Cyber Security Task Force and the Insurance Data Security Model Law (IDSML), which is not yet finalized. Of special note are the Cybersecurity Requirements for Financial Services Companies, issued by the New York State Department of Financial Services (“DFS”), which came into effect on March 1, 2017.
The FIO encourages insurers to adopt cybersecurity strategies based on best practices guidelines, such as the Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute for Standards and Technology. At the same time, the FIO is pressing state regulators to promote increased cybersecurity and data protection awareness among insurance companies, through new legislation and regulations, cybersecurity training and hiring, and frequent cybersecurity examinations.
Protection of insurance consumers is critical to the functioning of a stable and fair insurance marketplace. Technology and big data, in particular, have enabled growth and development of traditional insurance products. In fact, big data is often at the core of InsurTech products. Regulators are catching up with such advancements, and have identified what they see as regulatory gaps. Insurers that sell insurance, through traditional and technology-enabled channels, should consider anticipated regulatory requirements, when developing new products, and be prepared to address new regulatory standards.
Insurers in Canada operate in a different legal and regulatory landscape. The use of big data in Canada is subject to human rights legislation, privacy legislation, and personal health information legislation. However, Canadian insurers that operate in the U.S., and Canadian companies which provide services to U.S. insurance companies, may wish to consider the trend in the U.S. of increased enforcement and regulation with respect to big data and cybersecurity.
For more information about our firm’s Fintech expertise, please see our Fintech group page. Information about McCarthy Tétrault’s Cybersecurity, Privacy and Data Management Group is available here. Please visit our firm’s 2017 edition of the Cybersecurity Risk Management Guide.