HOW TO HELP INSUREDS MANAGE CUSTOMER PRIVACY RISK

Insurance carriers and agents have come to learn that increased data can lead to greater risk for insureds, and they are increasingly advising businesses to disclose data collection practices while seeking to gain insurance coverage, according to David Garrett, president of CISO Advisory & Investigations LLC.

“It is not unusual now for insurance applications to include specific questions about applicants’ data collection practices,” Garrett said.

Standard insurance applications are becoming more detailed in the wake of increased wrongful collection of data claims as more companies are unintentionally swept up in litigation or regulatory action as a result of data collection practices, insurance industry experts told Insurance Journal.

“There have been many instances in the last decade where companies didn’t know they were doing anything wrong,” John Coletti, chief underwriting officer for cyber and technology at XL Catlin, said. “They thought they were collecting data for innocent means, but really, they were in violation of some statute. These situations can actually cause some large financial losses for companies.”

NetDiligence’s 2015 Cyber Claims Study found that personally identifiable information was the most frequently exposed data last year, making up 45 percent of claims. The study also found that 2015’s largest legal and regulatory costs resulted from mid-revenue organizations accused of wrongful data collection. The combined legal and regulatory costs for these organizations ranged from $411,000 to more than $6.7 million over the course of the year, according to the study.

Coletti pointed to one example where some California and Massachusetts retail stores found out the hard way in the past several years that asking for customer ZIP codes along with a credit card transaction in those states can lead to class action lawsuits or regulatory involvement.

“There’s a statute in California that has to do with the collection of information at the point of sales,” Coletti said. “In the past when you would go into a store to purchase something, companies may ask for your ZIP code. It turns out that isn’t allowed under this statute in California, so lots of companies were doing this in violation of the statute and ended up with class action claims. They didn’t even realize it in many cases, because they just wanted that information to know a little more about their customers.”

This example points to the broader issue of information security, which has become more important than ever with trends toward collecting big data – large and complex sets of data used for analytical purposes.

“Some businesses today are storing massive amounts of customer data for no immediate purpose – simply in the hope that they will discover a way to monetize it in the future,” Garrett said.

“But stockpiling petabytes of data creates significant risks to businesses,” Garrett said.

Indeed, the California Supreme Court decided in February 2011 that the collection of a customer’s ZIP code along with a credit card transaction violates consumer privacy under the Song-Beverly Credit Card Act. Similarly, the Supreme Judicial Court of Massachusetts ruled that state law prohibits retailers from collecting ZIP codes as part of credit card transactions in March 2013.

“When you give somebody what you think is a harmless piece of information, they can do a lot more with it than you expect,” said Nick Economidis, an underwriter at Beazley, during a panel discussion at the 2016 Professional Liability Underwriting Society (PLUS) Cyber Liability Symposium held in New York City.

In fact, the swipe of a credit card combined with a ZIP code and email address can lead a large data broker to get a name, address and other information about a customer, he added. As technology has grown more complex, protecting information privacy has become increasingly difficult, leading some states to crack down on data collection practices to better define personally identifiable information and leading regulators to dive deeper into the issue.

“What researchers have shown is that separate databases can be used along with algorithms to basically disclose the anonymity of anybody,” said Arturo Perez-Reyes, vice president at HUB International.

Regulatory Landscape

In 2012, the Federal Trade Commission (FTC), the nation’s chief privacy policy and enforcement agency, issued a final report outlining best practices for businesses to protect U.S. consumer privacy and give consumers broader control over the collection and use of personal data. Additionally, the FTC in 2014 issued another report urging U.S. Congress to consider legislation to make data broker practices more transparent to consumers, offering consumers additional control over personal information collected and shared by data brokers, or companies that collect consumers’ personal information and resell or share it with others.

“The regulators have started looking at what constitutes personally identifiable information in a much broader sense,” said panelist Dominique Shelton, partner at Alston & Bird LLP, at the 2016 PLUS Cyber Liability Symposium. “They are looking at the fact that a lot of data can be identified later and linked to a specific person, so they are moving away from the concept of aggregated, purely anonymous data.”

Additionally, some state and local governments have moved to better regulate data privacy and security, Garrett said.

“New York is a great example,” he said. “Agencies as diverse as the New York Department of Financial Services have recently proposed new cybersecurity regulations.”

The New York State Department of Financial Services (DFS) has issued cybersecurity regulations for financial services companies that aim to protect New York state’s financial services industry from cyber attacks. The proposed regulation is the first of its kind in the U.S. It requires banks, insurance companies and other financial services institutions regulated by the DFS to maintain a cybersecurity program designed to protect consumers and ensure safety in New York’s financial services industry, according to a DFS press release. The proposal also addresses the issue of company data collection and retention.

While the FTC and state regulators have taken a closer look at this issue recently, laws around data collection still vary by state with no federal standard for compliance.

“The laws around that are kind of a state in progress right now,” said Perez-Reyes.

Garrett added that the patchwork nature of these laws so far has made it difficult for many businesses and underwriters to comply.

“There is no one security standard for companies to build their network, so for an underwriter, there’s no reference point,” said Coletti.

“On the buyer side, it can get frustrating because you can talk to three different underwriters who will all ask different questions because there’s no standardized process for evaluating someone’s cybersecurity.”

Insurance Industry Challenge

Another source of confusion for the insurance industry regarding data collection can be determining the difference between an unintentional wrongful collection of data claim and a business that has been negligent or malicious, Coletti added.

“This is a tricky coverage area for insurers because you understand from an insurance perspective in some cases, the company feels like it’s doing everything correctly, is being transparent, has read the laws, has done due diligence and has had lawyers review statutes and privacy notices and still gets hit with wrongful collection claims,” he said. “But you have some clients that aren’t doing that and are collecting data without any regard to laws or statutes. The coverage in the market treads that line between wanting to cover innocent insureds, but not wanting to cover those that are collecting data negligently.”

This has led many insurers to exclude wrongful collection of data from their policies, he stated.

“Some carriers say flat out they don’t want to cover wrongful collection because they don’t want to get into a dispute about whether the insured did this intentionally or negligently,” Coletti said.

This is because increased technological connectivity can impact the exposures both policyholders and insurers face, said Laurie Kamaiko, partner at Sedgwick Law.

“Insurance companies have the challenge of being very much on top of their own exposures, but also on top of the exposures presented to them through the lines of insurance they write,” she said.

Evolving Coverage

With this in mind, businesses need to take a close look at their insurance policies to be sure the right coverage is in place.

“I tell clients all the time that it’s not just a question of seeking coverage for cyber events – there are a host of class actions for privacy claims associated with data breaches as well,” Shelton said during the panel discussion.

After companies are hit with class action lawsuits or regulatory investigations, they will sometimes look to their cyber policies for coverage and find a wrongful collection of data exclusion that’s not what they thought it would be, she explained.

Some insurers that initially exclude wrongful collection from their policies will add it back in through an endorsement or negotiation at the time of binding. Because this is a new product and market for many insurers, as coverages are better understood with advances in technology and increased wrongful collection claims, underwriters are learning to ask the right questions, Coletti added.

“I think the discussions between the underwriters and clients are getting more technical in regards to security and privacy law,” he said. “That trend will continue, and it has to continue. Evaluating cyber is a difficult underwriting process, and the only way to analyze it is through a detailed discussion or application. It’s a good thing for the industry in general, because this is something that has to be done to effectively mitigate cyber risk.”

Although regulation around data management has increased recently, businesses need to be aware of the data they’re collecting and what it’s being used for, particularly as technology changes so quickly, Coletti said.

“We live in a dynamic time,” Garrett added. “You have regulators all over the world pushing for increased controls to ensure data privacy and security. On the other hand, you have businesses seeking to monetize new technologies, such as big data analytics. One trend is pushing businesses to store less data, and the other is pushing [them] to store more. Only time will tell where the equilibrium will be.”


FIRMS SHOULD LOOK CLOSELY AT DATA PRACTICES, NEW YORK CONFERENCE PANELISTS SAY

Panelists at the 2016 Professional Liability Underwriting Society (PLUS) Cyber Liability Symposium held Tuesday at the Hilton Midtown in New York City urged companies to take a closer look at data aggregation practices as regulators have begun to take a stricter approach to information privacy in recent years.

“The regulators have started looking at what constitutes personally identifiable information in a much broader sense,” said panelist Dominique Shelton, partner at Alston & Bird LLP. “They are looking at the fact that a lot of data can be identified later and linked to a specific person, so they are moving away from the concept of aggregated, purely anonymous data.”

In 2012, The Federal Trade Commission (FTC), the nation’s chief privacy policy and enforcement agency, issued a final report outlining best practices for businesses to protect the privacy of U.S. consumers and give them broader control over the collection and use of personal data. Additionally, the FTC in 2014 issued another report urging U.S. Congress to consider legislation to make data broker practices more transparent to consumers, offering consumers additional control over personal information collected and shared by data brokers, or companies that collect consumers’ personal information and resell or share it with others.

As technology has advanced, data that was once considered anonymous is being found identifiable in some cases and could violate privacy rights, presenting concerns for companies that could become unintentionally wrapped up in litigation or regulatory investigations for wrongful collection of data following a technology breach, panelists explained.

“One thing companies have to worry about is inadvertent data collection,” said Thomas Reagan, cyber practice leader at Marsh Inc. “It can be very easy for organizations to get caught up in data tracking unintentionally, and one thing that I think will come before thinking about why organizations could be subject to a cyber attack is thinking about the data they collect – that has a lot of value organizations may not have thought about.”

As many businesses begin to look to internet connectivity as a way to measure employee behavior and facilitate business operations, they need to be challenging themselves about why they’re collecting data and how it could be used improperly, he said.

Panelist Nick Economidis, an underwriter at Beazley, pointed to one example of his experience with a dentist that was inadvertently collecting unnecessary data from patients, such as driver’s license information, that could present concerns in a case of identity theft.

“They were working with a third party and just got a standard form and didn’t give it a lot of thought,” he said. “So they just started asking patients for this information.”

With this in mind, companies are encouraged to not only analyze data aggregation procedures, but to take a close look at their insurance policies, panelists added.

“I don’t view it as a technology issue so much as a business issue,” Economidis said. “The law in Canada around information privacy is very adamant that you’re not supposed to collect information unless there is a business need in order to complete a transaction, not for analysis later on. In the U.S., we haven’t gotten to that point of thinking about things that way yet. We’re just getting our arms around protecting the data that we hold, but we haven’t thought much about what information we have a right to collect as part of our business processes and what information is a step too far.”

Under most cyber insurance policies, the appetite for coverage regarding wrongful data collection varies considerably between carriers and typically needs to be sought out through a unique policy where the coverage is included, he stated, adding that coverage agreements about loss or theft of information don’t always provide affirmative coverage for wrongful data collection.

“I tell clients all the time that it’s not just a question of seeking coverage for cyber events – there are a host of class actions for privacy claims associated with data breaches as well,” Shelton said.

After companies are hit with class action lawsuits or regulatory investigations, they will sometimes look to their cyber policies for coverage and find a wrongful collection of data exclusion that’s not what they thought it would be, she explained.

“So many companies have this approach that cyber risk is a really important issue for someone else,” Reagan said. “But increasingly, across all industries, companies are coming into contact with data either as a primary business activity or a sideline of their business. It’s definitely something that’s evolving quite a bit and definitely an area where people need to pay attention, dot the I’s and cross the T’s. Organizations that haven’t done that will have the potential for a rude awakening over the next few years.”

HOW TO GAIN ‘DIGITAL TRUST’ OF EMPLOYEES IN AGE OF INTERNET OF THINGS

Employers will need to accept tradeoffs to foster “digital trust” with employees if they want to gather the workplace data necessary to realize the full benefits of the Internet of Things (IoT) and the sharing economy.

That’s according to a report, “The Data Sharing Economy: Quantifying Tradeoffs that Power New Business Models,” by American International Group Inc. The insurer unveiled the study during the giant Consumer Electronics Show (CES) in Las Vegas.

The IoT’s potential seems limitless and borderless, with sensors, storage, analytics and other connected technology becoming faster, smarter and less expensive to implement. However, realizing the potential of the IoT relies on the willingness of businesses and employees to share data so that connected devices can generate insight, action and value.

When benefits are perceived by those surveyed, the willingness of businesses and employees to participate in data sharing jumps to 75 percent from only 11 percent when no benefit is perceived.


Common Ground

There is common ground between companies and employees about what conditions are needed to create a data sharing environment. Seventy-six percent (76%) of employees surveyed globally indicate digital trust requires that employers notify them if data collection is taking place. The same percentage of companies surveyed (76%) agree that notifying employees about data sharing is important.


Eighty-one percent (81%) of employees also see their employer as responsible for keeping their data private, should they choose to share it, while more than 70 percent of companies responded that it is important to establish clear policies when it comes to data collection.

Both businesses and employees agree by wide majorities (89% and 87%, respectively) that laws must be updated to accommodate new data sharing business models, balancing privacy protections with innovation, particularly in the IoT space.

“Smart, safe data sharing will power the new economy,” said Rob Schimek, chief executive officer, Commercial Insurance, who spoke at the Consumer Electronics Show (CES) this week in Las Vegas. “We conducted this study to quantify the tradeoffs necessary for success in the sharing economy. A new kind of digital trust is being built in the workplace based on these tradeoffs, and every employer and employee using technology today is part of it.”

The report is based on the findings from a survey commissioned by AIG that targeted employees and business decision-makers in nine countries: the United States, United Kingdom, France, Germany, Italy, Australia, Singapore, Japan and China. Approximately 400 employees and 250 business executives in each country were asked to complete a 20-minute online survey. The survey was conducted on behalf of AIG by RTi Research, an independent global research firm.

AIG, which is one of the world’s largest workers’ compensation insurers, just one year ago announced it had made a strategic investment in Human Condition Safety (HCS), an early-stage technology startup company developing wearable devices, analytics and systems for use at worksites. Schimek discussed that investment at last year’s Consumer Electronics Show.

New York-based HCS, part of a larger technology invention research organization and lab called Human Condition Global, is creating tools it says will help workers, their managers, and worksite owners prevent injuries before they happen.

Digital Trust

While there is some overlap in attitudes between companies and employees about data access, differences exist that may require tradeoffs to be made and compromises to be struck, according to the survey.

The study shows that more than half of all businesses (56%) believe that firms should require employees to agree to workplace monitoring as a condition of employment. On average globally, about the same number of companies would ask employees to wear devices (wearables) that help ensure safety in the workplace.

Employers further indicate they would be willing to invest in wearable devices and telematics in support of fleet vehicle safety to realize benefits. Employers in the U.S. would invest the most, up to $917 on wearables and $835 on telematics devices – per employee per year – which is about the cost of a mobile phone plan.

Employees are also interested in the safety benefits provided by wearables at work, but not to the same degree employers are. Thirty-eight percent (38%) of U.S. and Australian workers would agree to wearables, which was in line with workers in the U.K. and France (40%) and Japan (36%). Employees in Italy, Singapore, and China were most inclined to accept wearables (56%), while German employees were least open to the idea (29%).

Of those employees globally who would accept wearables, they are most interested in sharing workplace environmental conditions, presumably for the benefit of their own health and safety. This suggests there is a basis for additional incentives and trust building to persuade more employees to share their workplace data, according to the report.

Perhaps the most challenging divide revealed in the study is that while a majority of companies would mandate data monitoring, employees by nearly three to one (71%) feel they should be able to choose the data they provide to employers, rather than accept mandatory data sharing requirements.

Game Changer

In a video on its website last year with principals from HCS and AIG discussing the potential for the technology, an AIG executive called wearables a potential “game changer” for the industry in reducing costs and improving workers’ experience.

AIG is not the only insurer interested in wearables. A survey reported by Accenture in May 2015 found that nearly two-thirds of insurers expected wearable technologies to have a significant impact on the industry within two years. Some insurers have experimented with Google Glass.

Researchers at Virginia Tech have been combining tiny radio sensors that construction workers can wear on or inside vests with connected vehicle technology that allows cars to “talk” to one another, roadside infrastructure, and personal electronics such as mobile phones. IBM is also working on wearables and analytics for multiple uses including workplace safety.

While wearables offer the promise of improving efficiency and reducing the risk of injury, some worry they also pose a data privacy and security risk in their collection and sharing of information. Others have raised concerns about potential health risks such as headaches, double vision and dizziness from wearing devices.