Data is an invaluable commodity in today’s tech-centric world — and many insurance customers know it. They expect the carriers they do business with to protect that data from breaches and unauthorized use.
There’s also a regulatory incentive for insurers operating in key national and international markets. Any carrier with EU business interests is bound by the General Data Protection Regulation (GDPR), which applies directly in every member state and is supplemented by each state’s own implementing law. US insurers that don’t want to leave California customers on the table must follow the similarly stringent California Consumer Privacy Act (CCPA). And while Canada’s proposed nationwide data law, the Digital Charter Implementation Act, hasn’t yet cleared the House of Commons, Quebec’s Law 25 takes full effect September 22, 2024, bringing GDPR-style data privacy requirements to the nation’s second-largest provincial market.
The passage of these laws (and similar legislation in major national markets like Australia, India, Japan, and South Korea) indicates that lawmakers have grown to share consumers’ concerns. But even insurers not strictly bound by any all-encompassing regulation should view this as an opportunity. Having the right coretech foundation can help them realize it.
The Necessary Burden
Customer concerns over data privacy didn’t materialize out of nowhere.
Data breaches are a significant factor, of course. The biggest ones make major headlines — most recently, Ticketmaster, AT&T, and the National Public Data leak, which reportedly exposed roughly 2.9 billion records containing Social Security numbers and other personally identifiable information (PII). The average person gets wind of such stories and understands the gravity of the issue, even if they can’t quote specific stats off the top of their head.
While the number of breached accounts worldwide fell somewhat between 2022 and 2023 (the most recent years with complete data available), these incidents have grown more expensive. As of mid-2024, the global average cost of a breach is $4.88 million (up 10% from the prior year, per IBM’s 2024 Cost of a Data Breach Report). That figure almost doubles for the average US breach, at $9.36 million, with the Middle East, Benelux, Germany, and Italy rounding out the top five (at $8.75 million, $5.9 million, $5.31 million, and $4.73 million, respectively). Customer PII is exposed more often than any other data type, including intellectual property or employee PII.
In addition to breaches, large-scale incidents of data misuse such as the Cambridge Analytica scandal at Facebook (now Meta) have further tested public trust. Now, when customers provide sensitive data to various companies, including insurers, many of them have greater expectations for its security. They also want at least some transparency (and control) over how that data is used, especially if the information is shared between partnered businesses.
Juggling Regulations and Consumer Priorities
The requirement to quickly notify affected consumers (and relevant authorities) when data breaches occur is fairly common even in “mild” data privacy legislation. Consumers are also increasingly gaining the right to opt out of certain marketing-related data tracking, or to request that their data be deleted once it’s served its purpose.
Data privacy laws on the more stringent side are more likely to require the destruction or anonymization of PII that’s no longer relevant. Some also expect businesses handling PII to appoint a designated individual to oversee data protection efforts (under the GDPR, a data protection officer). The right to data portability — letting individuals obtain the personal data they have provided in a structured, machine-readable format, and have it transmitted to another provider on request — is yet another concept pioneered by the GDPR that’s gaining ground in other far-reaching data privacy laws.
Although the GDPR’s noncompliance fines and other penalties have arguably received the most attention, nearly all of the broad data privacy regulations impose similar financial consequences. Some fines are large to begin with, while others start small but add up with repeated violations.
Aside from the regulatory necessity of data protection in certain markets, insurers must understand that some customers will consider the issue when making purchase decisions. This can easily be a factor in markets with no comprehensive federal privacy law (like the US, where insurers instead face sector-specific rules and a patchwork of state laws) but where consumers generally understand the danger of data exposure. Granted, it likely won’t be the only thing that drives them to choose one carrier over another. But if, for example, two P&C insurers offer essentially identical coverage and one has better data security and privacy services, which do you think the consumer is likely to pick?
EIS Suite: The Ideal Solution for Data-Conscious Insurers
Keeping customer data safe requires insurers to take a multifaceted approach — and EIS Suite provides the means.
Support for Customers’ Data Rights
EIS Suite privacy settings default to the highest level of confidentiality, so insurers effectively begin working to protect customer data as soon as they implement the solution. The platform also gives insurance customers a degree of agency in how their data is used and stored.
For example, the customer-facing portals of all EIS Suite core products let consumers view and adjust their own data access settings. The platform also supports data minimization — collecting PII only for specific purposes and destroying or anonymizing it once it’s no longer needed. Lastly, EIS Suite makes it easy for insurers to fulfill data portability requests or purge customer data on demand.
Thorough Transparency and Disclosure
Insurers using EIS Suite will find it easy to create (and regularly update) clear privacy policies that customers can readily access, so they fully understand how their data is used and shared. This includes details on any automated decision-making processes that leverage customer data and the management of any facial recognition or other biometric data.
Also, in the event of a breach, EIS Suite enables insurers to automate the release of detailed data breach notices for affected customers and regulators. This way, consumers hear about it from carriers within any required time frame (the GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a breach). Automating delivery shortens the clock, but the investigation that determines what was exposed, and whether an incident is notifiable at all, still has to happen first.
Risk Assessment and Compliance Reporting
Evaluating the impact of both new projects and existing processes on data privacy is crucial to ensuring PII isn’t needlessly put at risk. EIS Suite makes it easy to conduct risk assessments (what the GDPR calls data protection impact assessments) and identify any privacy hazards arising from data processing procedures, planned initiatives, or data transfers.
Continuous monitoring and reporting are also crucial to upholding customer data privacy. Through its support for intelligent automation and seamless data integration capabilities, EIS Suite streamlines and simplifies breach incident logging, data processing audits, and compliance report generation. Because the solution’s integrations extend to third-party systems, carriers can also keep track of the customer data that flows to their partners, rather than taking partners’ data protection practices on faith.
Internal Governance and Education
Without buy-in and commitment from their internal teams, insurers can’t establish excellent data protection practices. EIS Suite helps carriers make sure that their business users across all lines and departments can easily access governance standards and educational materials that stress the importance of safeguarding customer PII and help staff learn data protection best practices.
Ready to Safeguard Customer Data with Cloud-Native Coretech?
As organizations that rely on the precise assessment of risk, insurers have to treat data privacy with the urgency it deserves.
At EIS, we’re committed to helping insurers across multiple markets safeguard their customers’ invaluable data — and we’re also invested in assisting them with data privacy compliance efforts. Get in touch with an EIS representative today to learn more.