The insurance industry has always been a rich source of data, but more than ever, the data that we collect and how we use it can play a critical role in business success or failure. From informing decisions about our customers and how insurance products are priced, to influencing risk appetite and brand reputation, the importance of data cannot be overstated. It will come as no surprise therefore that the protection and security of data continue to be fundamental business priorities for the insurance industry.
Many insurers, with international data flows and footprints, will have been monitoring the impact of both Brexit and the Schrems II decision on the legality of data transfers. Under the ‘bridging mechanism’ provided for by the Trade and Co-operation Agreement (effective 1 January 2021), personal data can continue to flow freely from the EU to the UK for a maximum of 6 months, which will hopefully prove to be sufficient time for the EU to reach an adequacy decision. Although the odds of such a decision look favourable, the Information Commissioner’s Office (ICO) has advised businesses to take precautionary measures and to put in place alternative transfer mechanisms. Data transfers from the UK to the EEA can, however, continue regardless of an adequacy decision, following the UK Government’s decision to regard EEA jurisdictions as adequate. Data transfers are nonetheless set to remain a hot topic in the coming months as we await the adoption of new Standard Contractual Clauses and as organisations grapple with new obligations such as Transfer Impact Assessments. Beyond data transfers, other potential data protection actions triggered by Brexit include reviewing privacy notices, data protection clauses within contracts and Data Protection Impact Assessments (DPIAs) to ensure the correct statutory language is being used, reviewing whether you require an EU Representative, and ensuring that you have correctly identified your lead supervisory authority.
One of the many ways in which the pandemic has created a longer term business impact relates to the shift to remote working. The concept of a remote and a more disparate workforce is likely to endure and so too will the associated data protection and cyber security challenges. The ability to implement and maintain effective security controls across a much larger attack surface is not straightforward. Aside from an increased number of endpoints, the proliferation of virtual meetings, remote desktop access and use of personal devices will all continue to contribute to a more complex IT estate. The rise in phishing and social engineering frauds serves as a constant reminder to ensure that staff are adequately trained, as your first line of defence. The pandemic has arguably raised awareness of and investment in cyber risk and resiliency, which is a good thing. However, there has also been a corresponding rise in the frequency and severity of many cyber threats.
Supply Chain Risk
Targeting organisations through vulnerabilities in the data security of their supply chain is not a new tactic, and most insurers will already have mature controls in place to help manage this. However, the recent SolarWinds breach should provide stimulus to take stock of any existing measures and to look at the potential risks again, through the lens of increasingly sophisticated attackers who deliberately target ‘watering holes’ which, if breached, enable them to also infect many other organisations. Insurers typically have large supply chains to manage and frequently need to share significant volumes of personal data. We anticipate an increase in regulatory focus and enforcement activity in this area.
Consumer privacy, data security and the ethical use of data were strong themes in the Financial Conduct Authority’s last Annual Report. We discuss this aspect further in our review of Financial Services Regulation.
The cyber insurance market hardened significantly last year as the frequency and severity of ransomware increased exponentially, leading to much higher costs for losses such as business interruption. In the short term, the ransomware epidemic shows little sign of slowing as double and triple extortion variants continue to wreak havoc. There is however some evidence that the appetite to pay ransom demands may be diminishing due to a variety of factors, including an increasing number of incidents where the attackers have leaked exfiltrated data online even after a ransom payment was made. There have also been calls to look at the criminalisation of ransom payments, beyond those entities appearing on sanctions lists. This is a complicated issue and one that is unlikely to be resolved in the near future. Despite a hard market, we expect the demand for cyber insurance to continue to grow and keep pace with the rise in cyber threats and general digitalisation.
Digital transformation programmes will continue to be a major focus, with most insurers having accelerated their digitalisation during the pandemic. Further acceleration looks likely as technologies such as automation and artificial intelligence continue to embed and move from proofs of concept into core service/product components. This means data protection will continue to be a key consideration, from website or application security and privacy settings and DPIAs, to the validity of customer consents and online marketing practices. A broad range of data protection issues arise, and it will be critical to the success of any digital transformation project (and to brand reputation) to get these right.
With GDPR now in its third year, data protection legislation, including the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, is now regularly being interpreted in case law and we are also seeing a steady trickle of regulatory guidance. Big cases from the last 12 months included R (on the application of Bridges) v Chief Constable of South Wales (automated facial recognition cameras), Schrems II (international data transfers), R (on the application of M) v Chief Constable of Sussex (Data Sharing) and WM Morrison Supermarkets plc v Various Claimants (Vicarious Liability / Data Breach). In terms of regulatory guidance from the ICO, we have new detailed guidance on the Right of Access, the Age Appropriate Design Code in respect of child data, a new Data Sharing Code of Practice, a draft Direct Marketing Code of Practice, and guidance on Artificial Intelligence and Data. There is a lot of new information for insurers to digest and then make necessary adjustments as we can expect this new case law, guidance and codes of practice to increasingly inform regulatory expectations and decisions.
After something of a hiatus, we saw a flurry of regulatory enforcement action last year with some major GDPR fines being levied against Marriott, British Airways and Ticketmaster. Although none of these decisions were focused on the insurance industry, they do collectively provide insight into regulator expectations concerning issues that are very relevant to insurers, including the frequency and extent of risk assessments in relation to card data and of supplier due diligence. At the other end of the scale, and of great relevance to insurers, was a prosecution by the ICO against two individuals for the unauthorised access and sale of insurance claims/accident data. This was a welcome example of the ICO utilising powers under the Computer Misuse Act 1990 in response to the unlawful trade of accident management data.
Claims & Litigation
Many insurers will be feeling the brunt of the rise in frequency of damages claims for alleged data protection breaches and consequently looking closely at their appetite for policy coverage of these risks. Claims farmers are now entrenched in this area and actively marketing, with the promise of compensation. This is currently a lucrative area for claimants and their representatives, where insurers face difficult decisions around the economics of defending individual claims, as the costs risk far exceeds what are often small damages amounts. Privacy activists also continue to be very active in this space, tackling some of the big privacy issues of the day, such as how children are tracked and monitored online. The trend of claims farmers following in the privacy activists’ slipstream is likely to continue. All eyes will be on the Supreme Court this year when Lloyd v Google LLC is heard, as this decision has the potential to have far-reaching consequences in relation to issues such as when damages for loss of use can be claimed, even if no distress has been suffered.