Tag Archives: general data protection regulation

Vast Implications of the CCPA

The California Department of Finance recently wrote a Standardized Regulatory Impact Assessment (SRIA) of the California Consumer Privacy Act of 2018 (CCPA). The SRIA was prepared for the Department of Justice, the primary regulatory body, whose work is hoped to provide some clarity over what remains a confusing array of obligations for most California businesses. The Department of Finance is required by law to do these assessments when the proposed regulation has an economic impact of over $50 million.

The Department of Finance went to great lengths to separate the cost of compliance with the CCPA as opposed to the costs generated by possible regulations from the Department of Justice. As to the former, per a letter dated Sept. 16 from the Department of Finance to the Department of Justice, “The SRIA estimates that the initial cost of compliance may be up to $55 billion.”

As noted in the report, “Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises.” The definition of small business in the full report appears to be based on an estimate of how many employees a firm would need in order to generate the revenue that qualifies it as a business as defined in the CCPA. By this calculation, a “small” business would have at least 250 employees.

This analysis, however, does not take into account the impact of the CCPA on a small business that acts as a service provider to a business but does not itself qualify as a business under the CCPA. Using the Finance methodology, this would mean any service provider with fewer than 250 employees that receives personal information from a business. These service providers will need to respond when their business customers start asking for revisions in contracts to meet CCPA obligations, and to show they are otherwise compliant with the obligations of service providers under the act.

See also: Keys to California’s Consumer Privacy Act  

The report also notes, looking to the experience of the European Union (EU) and the General Data Protection Regulation (GDPR): “Conventional wisdom may suggest that stronger privacy regulations will adversely impact large technology firms that derive the majority of their revenue from personal data, however evidence from the EU suggests the opposite may be true. Over a year after the introduction of the GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs.”

The Department of Finance makes the assumption there will be a fairly static compliance environment after Jan. 1, 2020. That may not be a correct assumption. Alastair Mactaggart, the father of the California Consumer Privacy Act of 2018 (CCPA), announced recently he will be going back to the ballot in 2020 with the cleverly named California Consumer Privacy Act of 2020. At least part of the motivation behind this, according to Mactaggart, is to keep the legislature from weakening privacy protections – a much more difficult task when a law is enacted as an initiative measure. Following his initial filing with the attorney general on Sept. 25, Mactaggart filed a slightly edited version of the proposal – now titled the California Privacy Rights and Enforcement Act of 2020 (CPREA) – on Oct. 2. The new moniker for this may have something to do with messaging in anticipation of a campaign next fall.

While the business community is attempting to negotiate with Mactaggart and his coalition in an effort to ameliorate the impact of this initiative, in the rapidly changing world of technological innovation nothing is static. The initiative process in California, however, is a public process cast in quick-set concrete. Regardless of what is put into this ballot measure regarding future amendments in the legislature, the proponents of this law will vest in themselves the prerogative to decide what is “in furtherance of” their grand scheme. Their self-serving bureaucracy, the California Privacy Protection Agency (CPPA), is an effort to create a semi-autonomous state within, but unaccountable to, any of the apparatus of state government. While disdainful of the legislative process, this agency would be governed by a decidedly political five-member panel: two appointed by the governor, one by the president pro tem of the Senate, one by the assembly speaker and one by the attorney general.

No mention of the insurance commissioner — just in case you missed that omission.

See also: In Race to AI, Who Guards Our Privacy?  

Regardless of the fate of a ballot measure on privacy, we are now in an environment where multibillion-dollar compliance costs are table stakes. For those who can afford it, it will be business as usual, even if slightly disrupted. For those who cannot, compliance is a death knell to innovation. Promising technologies that are dependent on personal information will be stifled unless Big Tech can grab it and afford the cost of putting such innovations to market. This affects all aspects of California’s economy.

But when Big Government and Big Tech are the only easily identifiable winners in a public policy debate, can we expect anything more?

What GDPR Means for Insurtech

After Solvency II, the European Union is ready for its next big and comprehensive regulation, called GDPR (General Data Protection Regulation). GDPR was approved by the EU Parliament in April 2016 and, after a two-year grace period, took effect in May 2018! The new regulation replaces the current Data Protection Directive 95/46/EC.

Regulatory Landscape and Breaches

The first key point of the new regulation is protecting all E.U. citizens’ data privacy with an extended regulatory landscape. New data privacy rules should be applied to all personal data of data subjects residing in the European Union, regardless of companies’ locations.

With GDPR, fines for breaches were increased sharply, to up to 4% of annual global revenue or 20 million euro (whichever is greater). Another radical change is that the regulation applies not just to controllers but also to processors, so cloud processors are covered, too. Under GDPR, the data owner must give consent through a document that is understandable, simple and easily accessible, and withdrawing consent for data usage must be just as easy.

With GDPR, breach notification becomes mandatory and must be performed within 72 hours after the breach is spotted. Notifications must go to all affected data owners.

The Key Point for Insurtech

These changes are key for insurtech. Data security and privacy had seemed to be key concerns that would hold back insurtech, because of the dangers created by the increased use of connected IoT devices, real-time data collection and high profile cyberattacks. But customers will be much more comfortable with insurtech because GDPR will alleviate concerns about data privacy, without regard to a company’s scale. With GDPR, drivers of insurtech like IoT, machine learning and much more won’t be considered as possible tools for data breaches. GDPR will be a spontaneous trigger of insurtech!

What GDPR Means for Insurance Companies

GDPR (General Data Protection Regulation) took effect in Europe on May 25 — and is expected to create a ripple effect that affects U.S.-based organizations, regardless of whether they have European operations.

This is the most significant data privacy regulation ever – the EU views this as a human rights issue. The recent Facebook issues will accelerate GDPR acceptance here in the U.S., and it is up to insurance agents and carriers to be sure they are in compliance with all applicable laws and regulations in the U.S. and in Europe.

GDPR was enacted to further protect the rights of individuals in controlling how their personal data is shared. Many expect further regulations to come to the U.S., along with stiffer financial penalties for those organizations that do not comply.

But there are those in the insurance industry who see this as the “starting gun” not “the finish line.” The reality for most U.S. business, insurance companies and others is that GDPR will become the global standard for how businesses must handle consumer data, and it will set new benchmarks for consumer data privacy.

GDPR will have a positive impact for both the business/marketer and the consumer.

This can become an incredible opportunity for U.S. companies that choose to embrace GDPR. Instead of something scary and negative, it can become a great opportunity that they can use to challenge themselves to build tools and processes to maintain smarter marketing and more personalized and predictive communications with customers.

As consumers begin to understand the advantages to them, they will likely prefer to work with and share their consumer data with compliant companies. Rather than waiting and wondering, companies need to take the steps necessary to comply. If it’s great for the customer, and if businesses lead the way, it will end up being great for the company.

See also: How GDPR Will Affect Insurance 

First, insurance companies will need to take steps to comply with the legislation so they will not be open to stringent financial penalties. They must begin by working with their legal team and GDPR experts to appoint a company representative who is established in an EU member state. This person is the point of contact for all communications with the GDPR supervisory body.

Not all organizations need one, but if it’s required, appoint a Data Protection Officer who has the expertise needed. This person can help redesign what consent and disclosure looks like for customers. Consumers will need to check a box (or its equivalent) for every single use case of their data. They need to be able to select those they agree with and decline those they don’t, and companies need to be able to comply and track their preferences in their systems.

Insurance companies also need to consider third-party providers. If a third party cannot prove GDPR compliance, the EU work it does is illegal. Companies should audit their third-party providers and reevaluate service level agreements.

Companies also need to work within the GDPR regulations while still delivering a “good client experience” and finding, growing and retaining customers under a new law that is a game changer for the way they do business now.

Moving forward, companies will need to be much more aware of their audiences’ tolerance for marketing. Companies that have been careless by oversaturating their audiences with irrelevant marketing will lose the privilege to market to those customers.

Consumers want information and marketing that is timely and relevant. Technology companies have tools available for clients that account for marketing saturation modeling and use dynamic marketing workflows. Their audiences should receive the “Goldilocks” amount of marketing – not oversaturated, but enough to maintain brand awareness and positive disposition when they are in the position of making a buying decision.

The positive impact for the insurance industry will be that GDPR compliance forces companies to implement data storage, processing and marketing “best practices.” Once a consumer asks to be forgotten, companies must remove all of the person’s data: not just take people off an email list or a call list, but delete all their preferences, history and contact information.

Businesses that comply with GDPR will reap the benefits of better consumer confidence. Additionally, the practice of impeccable data security demands migrating customer data to the latest network technology. The long-term benefit of storing and running data using the best and most current technology is a reduced overall digital footprint.

But how companies use technology to retain brand awareness and win and keep customers without becoming a nuisance at a permanent cost will be a challenge. Achieving and retaining brand awareness without irritation becomes a balance of just the right messaging, via the right channel at the right time.

See also: How to Avoid Being Bit by GDPR (Part 1)

We are proponents of human engagement and realize that all the AI in the world cannot replace human connections. We also realize that the human connection is invaluable and that marketing communications coming from a trusted adviser versus a faceless organization elevates the message.

More than ever, companies need to rely on marketing acceleration models that induce a repeatable pattern of activity, garnered from AI and machine learning to create marketing workflows that enable individuals at a company to have personal connections, smarter marketing, more personalized and predictive customer experiences and better sales outcomes.

Technology can help companies achieve one-on-one interactions and make them more confident that what they say and show is relevant and tailored to their client.

Blockchain – What Is It Good for?

Much is said about blockchain technology and how it will change how business operates. As with any new technology, a gap exists between understanding the theory and seeing the practical applications. But it should be no surprise that blockchain technology is already being used to secure the digital electronic health record (EHR) of large numbers of people in Europe.

EHR, augmented with data from self-monitoring devices, will change how health is managed. But this digital future comes with legal and ethical risks. Legitimate concerns include how sensitive personal data can be kept secure from theft or cyber-attacks. Without the assurance that blockchain technology promises, digital files can be corrupted, deleted and altered. Since much existing data protection legislation is purblind to digital data, the European Commission has acted to reform the rules across all E.U. member states. The General Data Protection Regulation (GDPR), aimed at strengthening data protection for those in the E.U., puts clear legal obligations on controllers and processors of any personal data.

This move aligns with the concept of a “personal data economy” in which people take control of the scattered mass of digital data about themselves and share it with whomever they choose. Many individuals seeking life insurance want to share their medical data simply and promptly, so it’s important that rules protect that process without hampering it.

See also: Blockchain: the Next Big Wave?  

Beginning in May 2018, the GDPR will act to hand back control of personal data to individuals. Their data will be portable between service providers, and people will have the right to be “forgotten” and to have their data deleted when there are no legitimate grounds for retaining it. It is hoped GDPR will simplify the regulatory environment for businesses across the E.U., creating savings and increasing competition.

Estonia is on the front foot. The country’s e-government system, which uses a website and smartcard to provide residents instant access to hundreds of public services, has earned it a reputation as a digital pioneer. Notably, too, the entire electronic patient records of its 1.3 million citizens are collated in one central database. The security of this store of highly sensitive personal data is underpinned using blockchain.

Blockchain may be used in any form of asset registry, inventory and exchange. This includes transactions of finance, money, physical property and intangible assets, including health information.

In Estonia, individuals’ EHRs are condensed into “blocks” and linked into “chains” by computer code in a bid to keep them safe. The blockchain registers every change, access and update to the records, including hacks or attacks from malware, using computer code that leaves tracks that can’t be modified without leaving a trail. This makes it impossible for the information to be tampered with, deleted or improperly changed in any way without its being spotted. Patients may log in to view who has accessed their data at any point or added information to their records. This means people can feel their data is more secure and their rights protected, while the opportunities for medical or insurance fraud and other harmful misuse are mitigated.
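The property the paragraph above relies on, that access and update records cannot be altered or deleted without leaving a trail, comes from chaining each entry to the hash of the one before it. The following is an added illustration written for this page, not Estonia’s system or code from the original article; the actors, record ids and events are constructed.

```python
"""Tamper-evident access log built as a hash chain (constructed example).

Each block covers the previous block's hash, so editing or removing an
earlier entry changes every hash that follows it and the break is found
on verification. Names and events below are made up for illustration.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # hash the first block links to


def block_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always serialises the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(chain: List[dict], event: dict) -> dict:
    """Append an access/update event as a new block linked to the chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"prev": prev, "event": event, "hash": block_hash(prev, event)}
    chain.append(block)
    return block


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the index of the first inconsistent block, or None if intact."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["event"]):
            return i
        prev = block["hash"]
    return None


def build_sample_chain() -> List[dict]:
    # Constructed events: who touched which patient record, and how.
    chain: List[dict] = []
    for ev in [
        {"actor": "dr_tamm", "record": "P-1001", "action": "read"},
        {"actor": "dr_tamm", "record": "P-1001", "action": "update", "field": "allergies"},
        {"actor": "insurer_x", "record": "P-1001", "action": "read"},
    ]:
        append_event(chain, ev)
    return chain


def tampered_chain() -> List[dict]:
    # An insider rewrites the second entry to disguise an update as a read.
    chain = build_sample_chain()
    chain[1]["event"]["action"] = "read"
    return chain


def deleted_chain() -> List[dict]:
    # An entry silently removed: the next block's prev no longer matches.
    chain = build_sample_chain()
    del chain[1]
    return chain
```

Within a single database the chain only proves tampering if its latest hash is also recorded somewhere the database operator cannot rewrite; that external anchoring is what a distributed ledger adds on top of the chaining shown here.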

Estonia stores complete patient histories in a national database to protect public health and create efficiencies and cost savings. The value in the combined medical data is used to drive improvements in the quality and effectiveness of care. The information can be exchanged between doctors so that interactions with clinical services are simpler and personalized.

See also: Insurtech in 2018: Beyond Blockchain  

Sharing data for the common good requires a high degree of trust. One way of ensuring accuracy is to allow people to agree on what represents the truth. Blockchain is a “trustless” system because the network of users acts together to vouch for the accuracy of the record. The example of blockchain protecting patient records in Estonia demonstrates its potential to implement other trusted and secure transactions with less bureaucracy.


Europe’s New Data Breach Requirements

The number of foreigners purchasing property in the U.S. surged between March 2016 and March 2017, according to the National Association of Realtors. The association said foreigners bought 284,455 properties, about a third more than a year earlier. And, similar to previous years, a larger percentage of buyers, especially in states like Florida and Arizona, were European citizens. European home buyers who insure their properties through U.S. companies could require those businesses to upgrade their data protection efforts soon.

As of May 25, U.S.-based businesses that have operations in the European Union (EU) or that have customers who are citizens of E.U. nations will have new requirements to meet regarding data protection. This is when the new General Data Protection Regulation (GDPR) takes effect. Any companies not prepared to meet the new regulations that experience a data breach could face massive fines.

GDPR was designed to better protect E.U. citizen data. Standards vary based on where the data originates, but generally any information like name, address, credit card number, etc. is covered. In the domestic U.S., protected data is defined as personally identifying information (PII). As defined by GDPR, for an E.U. citizen it is known as personal data. Failure to protect the PII or personal data to the right standard could bring a hefty bill or, on consistent failure, even an order to cease business in E.U. countries.

See also: VPNs: How to Prevent a Data Breach  

Current U.S.-based data privacy regulations require companies to notify customers if a data breach occurs, but in the U.S. there can be a significant time delay between the breach and the notification letter; not so with GDPR. GDPR requires that supervisory authorities be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines. Maximum fines could be $26 million, or 4% of global gross revenue, whichever is greater.

Insurance companies selling plans to E.U. citizens purchasing homes, rental properties or commercial properties in the U.S. could be affected by GDPR because they gather personal data on applications and store data on customers. If a hacker is able to breach the insurance company’s systems and gain access to E.U. citizen data, the company would be required to notify GDPR supervisory authorities and prove that it met all GDPR requirements. Failure to cooperate with an investigation or to meet GDPR requirements could lead to fines or worse.

The first step toward compliance for any company is determining the need for and, if necessary, assigning a data protection officer (DPO). A company will be required to have a DPO if it possesses large amounts of data covered by GDPR. The DPO must be available and involved in any events where there is a possibility of a loss of GDPR-covered data. The DPO will be the point person for any GDPR issue with the affected persons and the supervisory authority. Obviously, because the DPO will be instrumental in proving a company’s compliance with GDPR, this individual needs to know the regulations and the company’s security protocols inside and out, backward and forward. If a company is not required to have a DPO, it should still have a plan in place for who it will call if the supervisory authority opens an investigation.

Additionally, any personal data that is lawfully received, stored or processed by a company needs to be encrypted. This means completely encrypted at rest and in transit: complete end-to-end encryption. GDPR does not allow for lenience regarding outdated software or new implementations that are still being evaluated for deployment.

Companies will also now be required to complete data protection assessments and privacy impact assessments. They will be expected to increase visibility into what level of impact a breach might have for customers and the company, if one occurs. And, all efforts made to comply with GDPR need to be documented so they can be given to a supervisory authority upon request. The best source of information on the regulation requirements is gdpr-info.eu.

See also: Firms Ally to Respond to Data Breaches  

Once GDPR takes effect, if a company experiences a breach or is contacted by a GDPR supervisory authority the best course of action is to show an attitude of compliance by offering complete support for the investigation. Then, contact the legal team. It is important to remember that complying with GDPR can be complex. It takes some time to update systems and processes to the level of security required by the new regulations. It can also be costly, and disruptive, but the protection of data is becoming paramount in the new business paradigm. For GDPR, the cost of compliance is geared to be less than the cost of sanctions.