
INSURTECH TASTER: DATA PROTECTION

APRIL 2017

The protection of customer data has been the subject of legislation and regulation in the UK for decades, but the spread of new technology and ethical concerns about the use of increasing amounts of customer data means data protection and cyber security laws need to adapt to deal with new risks. Insurers and technology providers will have to address legal/regulatory and ethical data privacy and cyber security risks as part of insurtech business models. This Insurtech Taster briefly looks at some of the issues that may be relevant to insurtech projects.

Cyber Risk

Increasing interconnectivity, globalisation and new technologies are driving greater frequency and severity of cyber security incidents, including data leaks. Insurers and brokers will be familiar with their obligations under the Data Protection Act 1998 (DPA) and the FCA’s Handbook, in particular the SYSC requirements on information security, as the current key sources of UK legislation and regulation that are relevant to the protection of customer data. Firms may also need to comply with contractual obligations in commercial agreements around confidentiality and security of data and be aware of codes of practice and general common law duties relating to data protection too. The FCA’s Principles for Business are also relevant to insurers and brokers, and the FCA has noted that cyber risk, which includes the loss of, or damage to, customer data, impacts all of its objectives and has put good governance practices in the spotlight, saying that it will look for firms of all sizes to have a ‘security culture’ in place.

As well as the risk of regulatory sanctions, breaches of data protection legislation could lead to a firm incurring a significant fine and of course suffering reputational damage. Firms need to evaluate the sensitivity of the information they collect and the damage that could be caused if there was a security breach. Keeping data secure can be a complex task and require significant resource and specialist expertise to implement technical measures. But cyber risk is not just an IT issue; for example, an insurance firm was recently fined by the ICO for the theft from premises of a data storage device containing information on around 60,000 customers, so firms will need to address risks posed by people and processes as well as technology in their cyber security plans, policies and procedures. Where firms rely on third parties to provide IT services, firms will require contractual protection in agreements with service providers so that insurers can manage risk, although insurers should be prepared for complex negotiations when no service provider will (or can) guarantee the security of data. Of course, some cyber risks can be insured and the increase in demand for cyber insurance products is stimulating competition among providers.

The UK Government is supporting improved cyber risk management in the wider economy through its adoption of the General Data Protection Regulation (GDPR) and measures that more clearly link data protection with cyber security, involving work between the ICO and the National Cyber Security Centre and non-regulatory interventions to incentivise better cyber risk management. The key will be balancing the objective of protecting citizens from cyber security risk with the interests of business and the competitiveness of the wider economy.

Data Privacy

Customer data is valuable to insurers and broader insurtech businesses, but the adoption of new technology by consumers will be negatively impacted if consumers do not trust companies to protect their privacy. Consumers know their data is being collected, but they are not necessarily aware of the ways in which companies are prepared to use it, which suggests some companies are not fulfilling their DPA or regulatory duties. The public’s concern about the use and control of data will be magnified by the type of data being collected by new devices, like wearables. The responsible use and protection of data derived from sources such as social media sites has attracted scrutiny from the UK government and regulators, and firms can (and should) learn from the mistakes of others. We can all think of high profile examples of the theft of personal data, including in 2015 from a controversial dating website where the stolen information was very personal and sensitive, but falls outside the DPA definition of “sensitive personal data”. In the latter example, whether or not economic loss is suffered by a customer as a result of a failure to protect customer data is irrelevant. Firms should look beyond the strict requirements of the law and regulation when it comes to the protection and use of customer data in order to build trust with legislators, regulators and customers. Companies that control vast amounts of personal information can help change attitudes by demonstrating greater sensitivity and transparency in how they use and sell their customers’ data.

Looking Ahead

Looking briefly at some key legal/regulatory actions for 2017 that are relevant to data privacy:

• Firms should be preparing for the changes introduced by the General Data Protection Regulation (GDPR) and the consequential changes to UK law.

• The FCA will continue with initiatives linked to Project Innovate, which will include discussions on the use by firms of Big Data. The FCA has decided not to launch a market study at this time as a result of the Call for Input on Big Data in retail general insurance (which kicked off in November 2015), but the FCA will engage with the industry and the Information Commissioner’s Office on customer data privacy in the GI retail sector.

• Distributed ledger technology is purportedly harder to attack (at least until the cryptography relied upon is broken) and access to data can be better controlled. The use of distributed ledger technology could be marketed by businesses to reassure customers about the privacy of their data, giving such businesses a competitive advantage.

• Technology is facilitating the flow of information across borders and in response we are seeing a toughening of data localisation laws, which has implications for international businesses. Facilitating compatible legal frameworks is necessary for the proper protection of personal data and related issues are being discussed at an international level, but harmonisation is a long way off.

As the FCA acknowledges, cyber security issues require co-operation between regulators and the industry in order to manage risk, and the regulator expects firms of all sizes to put data protection and broader cyber security issues high on their risk agendas as they design, build and implement insurtech projects.

Who to talk to

Clifford Chance supports clients in the insurance sector across a range of regulatory, commercial, restructuring, distribution, outsourcing, financing and strategic needs including M&A and joint ventures. Our multi-disciplinary team includes insurance sector experts from IT/IP, antitrust, tax, real estate, regulatory, pensions and employment teams. Please contact any of the individuals below about your insurance sector needs.


CONTACTS

INSURANCE REGULATION/CORPORATE/INSURTECH

Ashley Prebble, Partner, London
T: +44 20 7006 3058
E: ashley.prebble@cliffordchance.com

Clare Swirski, Partner, London
T: +44 20 7006 2689
E: clare.swirski@cliffordchance.com

Emma Eaton, Senior Associate, London
T: +44 20 7006 1789
E: emma.eaton@cliffordchance.com

Jonathan Kewley, Senior Associate, London
T: +44 20 7006 3629
E: jonathan.kewley@cliffordchance.com


This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice.

www.cliffordchance.com

Clifford Chance, 10 Upper Bank Street, London, E14 5JJ

© Clifford Chance 2017

Clifford Chance LLP is a limited liability partnership registered in England and Wales under number OC323571 Registered office: 10 Upper Bank Street, London, E14 5JJ

We use the word ‘partner’ to refer to a member of Clifford Chance LLP, or an employee or consultant with equivalent standing and qualifications.
