The importance of privacy laws for insurance markets

Problems will continue to rise for businesses as states implement their own data privacy laws.


Privacy regulations and legislation are topics that continue to be of concern for businesses. News of data breaches, data vulnerabilities and compromised private information is released almost daily from businesses small and large, some of which are insurers.

It follows that individual state legislation has recently been proposed to address such data privacy needs. Several states, including Virginia, Vermont, Colorado, New York and New Jersey, recently introduced privacy regulations. And California recently adopted the California Consumer Privacy Act (CCPA), which not only gives citizens the right to protect their own data but also obligates businesses to disclose exactly which information has been collected about them.

On the other side of the country, Vermont recently implemented a law regulating data broker companies that buy and sell personal information. With the new law, brokers must disclose what information they collect as well as allow their customers to opt out of collection. Furthermore, consumers can sue data brokers if they sell any information that causes illegal discrimination.

A similar law proposed in Colorado is even broader.

Federal level questions

Individual states seem to be leading the way for data privacy regulation discussions as the U.S. federal government has yet to propose a national privacy bill that would affect insurers.

Meanwhile, international regulations now play a significant role in the privacy discussion, specifically following enforcement of Europe’s General Data Protection Regulation (GDPR).


These regulations contribute to the movement toward consumerism and prompt U.S. insurers to rethink data collection and management, particularly since violating these laws could adversely affect their business and brand.

Many insurers are asking themselves: Am I liable and governed by the legislation in the EU? For many, the answer is yes.

More specifically, any website that offers goods or services to EU citizens is subject to the GDPR. The discussion has further prompted insurance companies to question whether they are governed by similar laws in the United States.

Anticipating greater domestic regulation

Since the introduction of the CCPA in California, several senators have proposed policy options for national legislation on data security and privacy. The proposed bills have a GDPR-like flavor and are similar in scope to the European regulation. If the U.S. were to adopt similar regulatory standards, business processes and products that handle personal data would need to be built to include data protection by design and by default.


Regardless of business size, the volume of data collected, shared or mismanaged is all the more concerning given the sensitivity of the private information that everyday people entrust their insurance companies to protect.

As the conversation around regulation grows, there has been much talk about what a national privacy law might look like and about how state regulations would affect insurance organizations doing business across the U.S.

The tech business

At the forefront of privacy-law-related issues are highly visible and widely used technology companies. These big technology players have shown some interest in getting ahead of possible regulation by drafting regulatory standards themselves. Big data companies such as Facebook, Google and Twitter have all been involved in the regulatory discussion, and various reports have been released stating that the companies are “in favor” of such legislation.

This push has left some lawmakers feeling uneasy, since these companies are likely seeking involvement in the legislation in order to sway its technical details in their favor.

So, it may very well fall to the states to continue to pave the way for privacy regulations in the U.S. Until formal national legislation is adopted, and voters see these initiatives on their ballots, states will continue to implement their own forms of data protection.

Problems will continue to rise for businesses as states implement their own data privacy laws. A national privacy law could make this transition easier for U.S. business owners, since one uniform standard could be applied to all.


Matt Dumiak (mdumiak@compliancepoint.com) is the director of Privacy at CompliancePoint and has over 10 years of experience with cybersecurity and risk management. CompliancePoint is a leading provider of information security and risk management services. Opinions expressed are the author’s own.