The explosion of data available to the insurance industry has unlocked vast new insights and given companies a competitive edge. Data analytics can help insurance providers discover and draw conclusions about client information and write business in a much more efficient manner.
However, the recent uptick in cyber incidents, data breaches and the implementation of data protection regulations show that data collection and analysis can have serious consequences for insurance firms that don’t quite get it right.
Mayer Brown attorneys Dan Masur, Brad Peterson, and Donald Moon recently co-authored a chapter on “DOs and DON’Ts for Big Data Analytics” in Mayer Brown’s handbook, Technology Transactions: Thriving in an Age of Digital Transformation. The attorneys point out that complete compliance with evolving data laws and regulations is paramount.
One of their DO tips reads: “A company cannot simply implement ‘reasonable’ steps to be in complete compliance. There are federal, state and international laws, treaties and applicable regulations that need to be reviewed and complied with, depending on the business and industry.
“For example, insurance companies need to be aware of HIPAA with respect to personal health information, as well as additional cyber security requirements imposed by the New York Department of Financial Services (NYDFS) on insurance companies doing business in New York.”
The General Data Protection Regulation (GDPR) is an extra-territorial European law that North American companies need to be aware of, especially with regard to the personal data they’re collecting. But for many North American firms, the GDPR compliance date of May 25 this year was just a starting date.
“US regulation means that lots of US-domiciled insurance companies only carry out domestic business, therefore many believe they’re outside the reach of the GDPR,” commented Brad Peterson, partner in Mayer Brown’s Chicago office, and leader in the firm’s Technology Transactions practice. “Most US companies we’re speaking to saw May 25 as more of a starting date than an end date, and some of them have been quite surprised by the impact of the GDPR.
“On the other hand, some companies have changed to GDPR standards because they know they’re insuring EU residents, and other firms owned by European-based insurance companies are switching on the basis that it’s their global standard. Some US-domiciled firms are taking on the burdens of the GDPR, and I think that will become more common as we move forward. So far, it’s hard to predict what the impact of the GDPR will be. The reaction from this side of the Atlantic has been a little bit of shock and awe.”