In a world where digitization is rapidly making its way into our everyday life, challenges come as an add-on package. Among many others, data and privacy are the most frequently raised concerns. In any sector, consumers need assurance that their data is safe with the company. Insurance is one of the sectors that holds highly sensitive customer data. Data breaches, wrongful processing of customer data, using customers' personal information without consent, etc. put a dent in the company’s image. We have seen the scandal caused by the data breach at Facebook.
In September 2018, Facebook announced that an attack on its computer network exposed the personal data of over 50 million users. According to Facebook, hackers were able to gain access to the system by exploiting a vulnerability in the code used for the ‘View as’ feature. The attackers stole ‘access tokens’, with which they took over users’ accounts and got access to other services.
The need for data protection in Insurance
‘Trust’ is an essential part of the Insurance industry, and losing it can lead to loss of customer loyalty and subsequently loss of business. Insurance companies need to process customer data for calculating premiums, customizing policies, handling claims, etc.
In India, the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) set out the general framework for data protection. However, given the nature of the Insurance business and intermediaries, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which Insurers need to follow in addition to the general framework under the IT Act.
As India moves towards digitization, the IRDAI framework and the IT Act are not enough to ensure proper data compliance. The nation needs a comprehensive Data Protection law along with a governing body to oversee the implementation of the law. A draft of the Data Protection Bill was introduced in July 2018, which was later tabled on 11th December 2019 by the Indian Parliament. However, the Bill is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with various groups. This is indeed a groundbreaking step for our country, but it might have dangerous implications. The bill gives power to the government to access customers’ private data or government agency data on grounds of sovereignty or public order.
The question is whether the government will adhere to data ethics while processing this private data. The answer is unknown, but this step puts Insurance companies and TPAs under pressure to take steps towards data protection.
How can Insurers ensure data ethics
To ensure the privacy of customers and use data effectively, Insurers and intermediaries can adhere to the following measures:
Implementing risk management and IT security policies
Insurance is the industry most targeted by hackers. Also, with a large mobile workforce handling portable devices, monitoring data can be challenging. Companies need to protect data on the endpoint. Endpoint protection software should be installed directly on the systems, and the data on portable devices such as USB drives and hard drives should be encrypted. Growing risks in cybersecurity have increased demand for Cyber Insurance policies. Cyber Insurance products are another medium that helps in mitigating risks in the event of a cyber attack or a breach.
According to a report by the Data Security Council of India on Cyber Insurance in India, the global Cyber Insurance market is expected to grow at a CAGR of 27%, from 4.2 Bn to 22.8 Bn, between 2017 and 2024. Insurers can also take measures such as setting up internal policies and regular audits to keep a check on data compliance.
Consent mechanism for using policyholder’s data
A company might need data for internal purposes such as upgrading services for its customers. In such cases, companies should mention the purpose and set up a proper mechanism for taking consent. Insurers can also give a status update on the project for which they used the customer data to keep the trust factor intact.
Using data-centric technologies
Human errors are unavoidable. But a second-step validation can be set up using disruptive technologies such as quantum computing, blockchain, and Artificial Intelligence. These technologies not only ensure data security but also help in utilizing the customer data most efficiently.
Ensuring transparency with customers
In the event of a data breach, the company must inform the customers and take steps to contain the damage. In 2014, Anthem Healthcare was attacked, which led to a data breach. They immediately sent out alerts to their customers informing them of the possibility that their data had leaked. Subsequently, they also informed the media after 8 days. Furthermore, they contacted the FBI regarding the attack and hired Mandiant, a cybersecurity firm, to assess the level of damage. As an essential part of data ethics, it is equally important to own the mistake and take appropriate measures.
Merits of the case: data ethics in Insurance
Data breaches can occur due to superficial monitoring of data flow; lack of accurate privacy design; poor internal audits; failure in conducting resistance tests; use of outdated security systems.
The present crisis of COVID-19 has made data all the more vulnerable. As many employees are working from home, data security compliance has been an issue. Data protection bills and authorities can act as watchdogs in the Insurance sector to avoid breaches. The Insurance sector should not see the law as a burden of additional compliance but rather as an opportunity for long-term customer trust.