Insurance brokers—like many other organizations—must collect sensitive personal data about people to underwrite, process claims, and serve customers. As insurance brokers rely more on electronic data collection and processing, data privacy and security become more important. In the public interest, data privacy laws have been passed that enforce specific requirements and penalize organizations that fail to meet these requirements.
As if data privacy requirements in Canada, the United States, and Europe weren’t already stringent enough, the Canadian Consumer Privacy Protection Act (CPPA) may still have a good chance of passing this year or next. Introduced in 2020, it stalled in Parliament last year and will likely get introduced again this year. This bill, C-11, signifies a data privacy trend. While laws may stall in the short term, they will eventually get passed in the long term.
Consider the success of the European Union’s General Data Protection Regulation (GDPR) or the influential California Consumer Privacy Act (CCPA). The United States has also seen 18 states pass insurance-specific data privacy laws as insurers must also follow the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS).
Currently, insurance brokers in Canada follow the broad Personal Information Protection and Electronic Documents Act (PIPEDA)—with individual non-PIPEDA variants for companies that do business in or operate entirely in Alberta, British Columbia, and Quebec. If brokers serve U.S. or European customers, then the other laws mentioned above likely apply. The more international markets for an insurance broker, the more data privacy laws and definitions of personal information they will encounter.
If you do business internationally, you’re likely already taking data privacy seriously. If you are focused only on Canadian customers, it might be time to get some data privacy and security measures in place before C-11 eventually passes. In addition to meeting compliance requirements, such data privacy best practices also help you earn more trust with customers and better protect you from a possible data breach.
Impact of Data Privacy Laws on Insurance Brokers
The main impact of data privacy laws on insurance brokers is the effect on internal data handling policies and procedures—and IT decision-making about infrastructure related to those procedures.
- Policy: The number one golden rule for insurance brokers is to store all their client documents and information in a central brokerage application—and nowhere else. Few brokerage applications exist, but they all have the same components—a database to hold client records and a Document Management System (DMS) to hold client documents.
- Infrastructure: It is extremely popular for insurance brokers to use hosted virtual desktop solutions that limit all brokerage activity to a controlled environment. Thus, if employees accidentally leave data somewhere while in transit, the data is not stored locally on the laptop or desktop system that’s used to access the hosted desktop.
Even with these policies and infrastructure in place, there are ways to improve data privacy in anticipation of stricter laws.
Begin Improving Data Privacy with Assessments and Accountability
While regulatory oversight is not mandatory in the private sector insurance broker industry, any serious broker will partner with one of the Big Four accounting firms for an audit to cover the following areas. At a high level, data privacy is owned by both your legal and IT teams. While legal may take a good bit of the responsibility, there are data privacy activities that require IT collaboration.
- Designate a privacy “champion”: On the IT side, your IT director or the employee overseeing your managed services provider (MSP) relationship will own data privacy.
- Assess your data privacy risk: To identify risks, threats, and resource gaps, a data privacy risk assessment should include:
  - A data audit—including data inventory and data mapping—determines the types of data you need to protect, the different levels of protection needed for each piece of data, and how data is collected, stored, and transmitted. You will also need to assess capabilities for de-identifying personal information and ensuring data portability.
  - A security measure review to assess access and authorization policies, how data is protected from unauthorized access, and incident response processes in case of a breach or privacy violation.
  - A vendor assessment to examine data privacy risks related to third parties that include inventorying vendors, assessing level of risk, and evaluating security risks and processes.
- Develop a compliance strategy: Depending on the data you need to protect, you can create a compliance strategy that accounts for any and all privacy laws you must follow. A compliance strategy involves legal, administrative, and technical policies, procedures, and processes. In most cases, you will need to account for various use cases around consent, retention policies, etc.
- Develop a third-party risk management program: Specific to vendors, such a program can help you better conduct due diligence, document third-party data privacy efforts and risks, and mitigate the risk of a data privacy violation from a third party’s negligence or accident. Clarify and document who has access to your data, what data they can access, and where data is stored.
- Train employees about privacy: It’s a good idea to consider providing employees with regular training about data privacy and security policies and procedures to ensure they remain compliant with laws. Many brokers enforce training internally.
“Reasonable Security Measures”
While we’re just touching on the above data privacy strategies at a high level, we want to delve deeper into security measures around data privacy. Often, laws still state that you need “reasonable security measures” but do not specifically define those measures. For example, PIPEDA does not define security safeguards, although you must have them in place to protect information.
What security safeguards should you focus on? While an audit might delve quite deeply into your security measures, here are a few essentials you will definitely need to address:
- Access and authorization policies: These policies go beyond password best practices, such as multi-factor authentication (MFA), which is essential. You need to set clear policies around access privileges depending on role and function. These policies cover internal employees, third parties, and even customers.
- Hardware and software vulnerabilities: Obviously, you need to patch and update software to ensure that hackers do not enter your systems through known vulnerabilities. Going deeper, security tools such as endpoint detection and response (EDR) can help you detect cyberattackers who have already gotten inside your systems—especially through getting people to click on malicious file attachments in one of the many emails sent between insurance brokers and customers. You should also have policies around BYOD, smartphones, and portable media such as USB drives that can lead to data privacy breaches.
- Email archiving: It is important to archive emails. Insurance brokers are highly susceptible to wire fraud because they communicate with vendors through high volumes of email. Brokers also use emails to settle litigation, which means copies must be retained. Even if a user deletes an email, your email archiving solution should provide a backed-up copy.
- Proactive systems monitoring: Automated monitoring and maintenance tools help you identify critical systems issues before they become problems, detect suspicious user activity, and manage configurations that may lead to security vulnerabilities. Managed detection and response (MDR) tools can also monitor your systems, similar to EDR on endpoint devices, to detect security threats before an attack occurs. IT professionals need to constantly sift through any alerts to identify and resolve serious issues that may affect data privacy.
- Data lifecycle management: It’s important to understand how data is protected (or not protected) during its entire lifecycle—creation, collection, processing, storage, maintenance, usage, and destruction.
- Incident response: What if a data privacy violation occurs? What is your plan of action? Data privacy laws will require that you contain any threats, investigate any incident, assess the risk, follow data breach notification processes, and correct any mistakes that led to the incident. A data backup and disaster recovery strategy should also be part of your incident response plan.
- Encryption: In case data is accessed by an unauthorized user, encrypting that data can prevent the data from being viewed or used.
- Staffing and resources: Do you have the staff and/or resources to protect data? If not, you need to hire or contact IT professionals who can implement and oversee security measures that ensure data privacy. You don’t want to underbudget or understaff for data privacy.
- Training: Employees need regular training about data privacy security measures to prevent them from falling victim to wire fraud.
As with all data privacy and security best practices, it’s not wise to wait until a law forces you to do something. Insurance brokers—regardless of whether or when CPPA passes—should accelerate and refine their data privacy programs and enhance their security measures. The best practices listed above will help you protect customers, your data, and your reputation.
If you are interested in finding out more about how VC3 can help protect the privacy of your insurance company’s data, get in touch with us today.