27 April 2017
The protection of customer data has been the subject of legislation and regulation in the UK for decades, but the spread of new technology and ethical concerns about the use of increasing amounts of customer data means data protection and cyber security laws need to adapt to deal with new risks. Insurers and technology providers will have to address legal/regulatory and ethical data privacy and cyber security risks as part of insurtech business models. This Insurtech Taster briefly looks at some of the issues that may be relevant to insurtech projects.
Increasing interconnectivity, globalisation and new technologies are driving greater frequency and severity of cyber security incidents, including data leaks. Insurers and brokers will be familiar with their obligations under the Data Protection Act 1998 (DPA) and the FCA’s Handbook, in particular the SYSC requirements on information security, as the current key sources of UK legislation and regulation that are relevant to the protection of customer data. Firms may also need to comply with contractual obligations in commercial agreements around confidentiality and security of data and be aware of codes of practice and general common law duties relating to data protection too. The FCA’s Principles for Business are also relevant to insurers and brokers and the FCA has noted that cyber risk, which includes the loss of, or damage to customer data, impacts all of its objectives and has put good governance practices in the spotlight, saying that it will look for firms of all sizes to have a ‘security culture’ in place.
As well as the risk of regulatory sanctions, breaches of data protection legislation could lead to a firm incurring a significant fine and of course reputational damage. Firms need to evaluate the sensitivity of the information they collect and the damage that could be caused if there was a security breach. Keeping data secure can be a complex task and require significant resource and specialist expertise to implement technical measures. But cyber risk is not just an IT issue; for example an insurance firm was recently fined by the ICO for the theft from premises of a data storage device containing information on around 60,000 customers so firms will need to address risks posed by people and processes as well as technology in their cyber security plans, policies and procedures. Where firms rely on third parties to provide IT services, this will require contractual protection in agreements with service providers so that insurers can manage risk, although insurers should be prepared for complex negotiations when no service provider will (or can) guarantee the security of data. Of course, some cyber risks can be insured and the increase in demand for cyber insurance products is stimulating competition among providers.
The UK Government is supporting improved cyber risk management in the wider economy through its adoption of the General Data Protection Regulation (GDPR) and measures that more clearly link data protection with cyber security involving work between the ICO and the National Cyber Security Centre and non‑regulatory interventions to incentivise better cyber risk management. The key will be balancing the objective of protecting citizens from cyber security risk, with the interests of business and the competitiveness of the wider economy.
Customer data is valuable to insurers and broader insurtech businesses, but the adoption of new technology by consumers will be negatively impacted if consumers do not trust companies to protect their privacy. Consumers know their data is being collected, but they are not necessarily aware of the ways in which companies are prepared to use it, which suggests some companies are not fulfilling their DPA or regulatory duties. The public’s concern about the use and control of their data will be magnified by the type of data being collected by new devices, like wearables. The responsible use and protection of data from sources such as social media sites has attracted scrutiny from the UK government and regulators and firms can (and should) learn from the mistakes of others. We can all think of high profile examples of the theft of personal data, including in 2015 from a controversial dating website where the stolen information was very personal and sensitive, but falls outside the DPA definition of “sensitive personal data”. In the latter example, whether or not economic loss is suffered by a customer as a result of a failure to protect customer data is irrelevant. Firms should look beyond the strict requirements of the law and regulation when it comes to the protection and use of customer data in order to build trust with legislators, regulators and customers. Companies that control vast amounts of personal information can help change attitudes by demonstrating greater sensitivity and transparency in how they use and sell their customers’ data.
Looking briefly at some key legal/ regulatory actions for 2017 that are relevant to data privacy:
- Firms should be preparing for the changes introduced by the General Data Protection Regulation (GDPR) and the consequential changes to UK law.
- The FCA will continue with initiatives linked to Project Innovate which will include discussions on the use by firms of Big Data. The FCA has decided not to launch a market study at this time as a result of the Call for Input on Big Data in retail general insurance (which kicked-off in November 2015), but the FCA will engage with the industry and the Information Commissioner’s Office on customer data privacy in the GI retail sector.
- Distributed ledger technology is purportedly harder to attack (at least until the cryptography relied upon is broken) and access to data can be controlled. The use of distributed ledger technology could be marketed by businesses to reassure customers about the privacy of their data, giving such businesses a competitive advantage.
- Technology is facilitating the flow of information across borders and in response we are seeing a toughening of data localisation laws, which has implications for international businesses. Facilitating compatible legal frameworks is necessary for the proper protection of personal data and related issues are being discussed at an international level, but harmonisation is a long way off. As the FCA acknowledges, cyber security issues require co-operation between regulators and the industry in order to manage risk and the regulator expects firms of all sizes to put data protection and broader cyber security issues high on their risk agendas as they design, build and implement insurtech projects.