Duck Creek Blog

2022 Data Privacy Regulations for Insurance Companies to Know

January 25, 2021

The insurance industry has become increasingly shaped by, and reliant on, digital technologies, for both internal operations and customer-facing programs. While technology has undoubtedly made processes faster and customer self-service more widely available, all of this data means insurers and their customers are susceptible to security breaches.

That’s why many state and federal governments have enacted new data privacy laws and legislation — not only to protect everyone’s data from hackers, but also to protect consumers from having their data sold and shared without their permission. As such, staying in compliance and keeping customers’ data safe must be a top priority for all insurers. Here is a breakdown of some of the most important legislation that will impact insurance operations, and the steps insurers can take to protect data privacy.


Data Privacy Laws Insurers Should Know

Federal Gramm-Leach-Bliley Act (GLB): The Gramm-Leach-Bliley Act “requires financial institutions offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to opt-out if they do not want their sensitive information shared.”

General Data Protection Regulation (GDPR): Arguably the most impactful piece of data privacy legislation, the General Data Protection Regulation (GDPR) applies to companies of almost every size and sector that process the personal data of European Union citizens. This law requires businesses to protect personal data and privacy for transactions that occur within all EU member states. Where the GDPR gets murky, however, is in the definition of “personal data,” and the lengths companies are expected to go to in order to protect it.

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules (SPDI Rules): These rules were enacted in India in 2017 to better protect the data of private citizens. The SPDI cyber security guidelines explicitly require insurance companies and their intermediaries to have:

  • A uniform framework for data, cloud, mobile, and cyber security
  • A governance mechanism (including a board-approved policy on information and cyber security, a chief information security officer responsible for articulating and enforcing the policy, and an information security committee responsible for the information security governance framework) to address security-related issues on a periodic basis
  • Preparation of a gap analysis report
  • Formulation of a cyber crisis management plan
  • Completion of the first comprehensive information and cyber security assurance audit in a phased manner

What Does Data Privacy Legislation Mean for Insurers?

Each data privacy law has different requirements, so depending on where an insurer operates, they may have differing standards that they have to meet. Failure to meet these standards can be highly consequential, as it can result in heavy fines, damage a company’s reputation, and make it difficult to attract new business.

However, regardless of geographic location, there are a few things P&C insurers can do to make sure they’re proactively protecting the data of their customers and themselves.

  1. Make sure they are in compliance
  2. Educate their customers
  3. Deal with greater customer awareness of privacy
  4. Improve network and data security
  5. Pick third-party service providers that offer platforms which are configurable enough to meet their security, regulatory, and compliance needs
  6. Keep up with ongoing changes to rules and regulations

Insurance Data Privacy FAQs

Q. What is the role of Cloud Service Providers in relation to privacy regulatory compliance?

A. As companies move towards Cloud Service Providers (CSP), it is important to make sure that roles and responsibilities are clear, and this includes all concerns related to privacy. The best way to approach this is to understand where the ultimate responsibility lies from a regulatory perspective. Cloud Service Providers are commonly known as data processors, and their customers are known as data owners. These two roles have different defined responsibilities in different regulations, but in the end, the customer and the CSP must work together to ensure that all requirements are met. A data processor may have the responsibility to ensure that data is encrypted at rest within their hosting solution. The data owner may need to ensure their customers consent to collection of personal information. In both cases, the Cloud Service Provider and their customer must work together to ensure these requirements are being met. A CSP that cannot help a customer meet its requirements will not be successful, and a company that cannot clearly communicate their requirements to a CSP will face challenges from their clients and their auditors.

Q. What other related risks do insurance companies face with respect to privacy?

A. Most regulatory requirements related to privacy come with a set of penalties, and some carry very significant fines. That is certainly an incentive to maintain compliance with these regulations, but there are also other concerns. A company that has publicly disclosed a breach will usually suffer reputational damage that can impact market value. Companies that cannot prove compliance may have challenges securing adequate cyber insurance to help cover some of the costs of a privacy breach. You may also see that any competitive advantage you have is offset by having to explain poor compliance and incident response. So overall, the risks of not having a good privacy program can be very high.

Regardless of what region you operate in or the size of your organization, staying in compliance with data privacy laws will pay dividends for you and your clients. Not only will you avoid costly fines and sanctions, you will also demonstrate your commitment to protecting customers and their most valuable assets. And in building that trust with your customers, you establish a relationship that promotes loyalty and an overall more satisfied customer base.

John Germain
As Duck Creek’s chief information security officer (CISO), John Germain is accountable for the strategy, direction, and management of the company’s overall security program and capabilities, including those of Duck Creek’s OnDemand services. John brings more than 15 years of experience as an information security professional to Duck Creek, and more than 25 total in IT. He has a strong background building and managing IT security programs for large, global organizations and is a well-respected leader in the community, having been named both a Top 100 CISO and a Top 25 Breakaway CISO Leader. Prior to Duck Creek, John was both CISO and vice president of IT infrastructure at a multi-billion-dollar global manufacturing company, where he spent nearly 20 years honing his skills in the defense sector, critical infrastructure, and most recently in commercial products and services. John is active in the information security community as a member of several professional governing bodies, and is a frequent speaker at events and conferences.