Editor's Note: This is the first in an ongoing, occasional series on the impact of big data on the insurance industry.

Major insurance carriers sit on a treasure trove of big data, with endless possibilities to sharpen actuarial risk projections and target financial products more narrowly to millions of consumers.

But there are big risks, too. Regulators are trying to protect privacy and ward off hidden discrimination, all while allowing insurers to match financial products with those who need them for retirement. It is a needle in need of serious threading.

The expanding efforts toward data privacy regulation are seeing major developments on three main fronts:

  • Legislators in five states passed data privacy laws, and nearly two dozen states are working on similar efforts. California sprinted out of the gate first with the "gold standard" in data privacy protections, as one law firm put it, but other states are taking a more business-friendly approach, especially where financial services are concerned.
  • The National Association of Insurance Commissioners (NAIC) created an entirely new committee, the H Committee, to study data, technology and cybersecurity issues. It is the first letter committee created by the NAIC since 2004.
  • A bipartisan group of House and Senate members released a draft proposal earlier this month for a national data privacy bill, called the American Data Privacy and Protection Act, which aims to establish a framework for better protecting consumer data privacy and security.

Since virtually all of these efforts are ongoing, it is difficult to pinpoint the full impact on financial services, but here is what we know:

Laws 'effectively exempt' most carriers

So far in 2022, legislators in Utah and Connecticut passed new data privacy laws, while Colorado and Virginia passed versions last summer. But unlike California, these laws exempt financial institutions, explained Drew G. Wegner of Cooley, an international law firm based in Palo Alto, Calif. The laws "effectively exempt almost all insurance carriers," Wegner added.

California passed the first data privacy law, which contains the broadest consumer protections. The state passed two separate laws: the California Consumer Privacy Act, which took effect on Jan. 1, 2020, and the California Privacy Rights Act, passed in November 2020 and taking effect on Jan. 1, 2023.

The former bill gives Californians the right to access personal information companies collect on them and prevent it from being sold. The latter law extends those rights to allow consumers to request the deletion of their personal data.

One of the biggest changes in the CPRA is the creation of the California Privacy Protection Agency. This agency will have the full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA, and can impose fines of $2,500 for each violation of the CPRA or $7,500 for each intentional violation or each violation involving a minor.

"California continues to set the gold standard for privacy," the law firm Wilmer Hale wrote in a client alert. "In addition to preparing for the California Privacy Rights Act ... businesses operating in California must also pay attention to current enforcement trends for the California Consumer Privacy Act."

This agency will oversee any ramifications for insurers, Wegner explained.

"The amendments to the CCPA through the California Privacy Rights Act direct the attorney general and the newly created privacy agency to review the insurance code and then make recommendations regarding new rules about the use of consumer data and privacy," he said. "So there might be a little bit of a revamping of the insurance code with respect to those particular areas."

The National Law Review summarized the very extensive changes contained in the CPRA. While the California privacy agency is up and running, it has already stated that it will not meet its July 2022 deadline for the final CPRA regulations.

"It likely will not come out with CPRA rules until the third or fourth quarter of this year, which means that businesses will have a quick compliance turnaround," Wilmer Hale wrote.

In a second significant departure from the California standard, new data privacy laws in Utah, Virginia, Colorado and Connecticut do not include a private right to sue. California allows lawsuits, but limits damages to $750 per violation proven in court.

"This is where the plaintiff attorneys got quite excited," said Heidi Lawson, partner at Cooley and formerly an insurance underwriter. "If you insure 100,000 people in California, and you violated the law consistently ... that definitely adds up very, very quickly to an incredibly high amount straight out of the gate."

It is a significant priority for financial services to avoid a "patchwork" of different laws across state boundaries coast to coast, Lawson explained. Often what happens is companies will "default to the strictest standard," she added.

NAIC upgrades efforts

Insurance is regulated at the state level and the NAIC would seem the logical place to establish data privacy laws covering insurance underwriting. Thus far, it has been an uneven effort.

In August 2020, the NAIC adopted "guiding principles" for use of artificial intelligence based on the Organization for Economic Co-operation and Development's AI principles that have been adopted by 42 countries, including the United States.

After robust discussions, regulators added a principle encouraging industry participants to take proactive steps to avoid proxy discrimination against protected classes when using AI platforms.

From there, data privacy issues were spread out among several different committees, subgroups and the Innovation and Technology Task Force. The Big Data and Artificial Intelligence Working Group seemed most active on data privacy for a time.

But the working group has met very few times over the past year, and the results of an artificial intelligence and machine learning survey of auto insurers announced in the summer of 2021 have not been publicly released. An NAIC spokesperson said all of the working groups continue to meet and are progressing.

Regulators did collect comment letters from industry balking at the scope of the survey effort.

"This information is not even shared broadly within companies during the initial development stages due to the proprietary nature of it," wrote Angela Gleason, senior counsel for the American Property Casualty Insurance Association.

At the fall meeting in December, the NAIC voted to create the H Committee to coordinate the growing amount of work taking place across various NAIC subgroups and committees, explained Kathleen Birrane, Maryland insurance commissioner and chair of the H Committee.

"Insurers make important decisions about marketing, underwriting, pricing, claim processing, fraud detection using predictive models that are developed through the application of machine-learning-supported computing, applying that to data," Birrane said during a May NAIC podcast. "So, we know that unfair bias can creep in, and it does creep in."

The Big Data and Artificial Intelligence Working Group is among those existing committees folded into the new H Committee. The working group was assigned four workstreams during the NAIC Spring Meeting in March:

Workstream 1: Collect Big Data Information for Home and Life Business; Draft White Paper
Workstream 2: Consider Proper Regulatory Oversight of Third-Party Data and Model Vendor Information
Workstream 3: Study Big Data Tools for Use by Insurance Regulators
Workstream 4: Consider Drafting AI Model Guidance

Congress getting involved

While there is no one comprehensive federal law that governs data privacy in the U.S., a bipartisan group of lawmakers is making an effort. In early June, several House and Senate members released a draft proposal for a national data privacy bill, called the American Data Privacy and Protection Act, which aims to establish a framework for better protecting consumer data privacy and security.

Released amid sobering financial news that includes rising inflation, the data privacy bill attracted little attention and was quickly replaced by gun control headlines, as well as the Jan. 6 Committee work. But sponsors say data privacy is a huge issue.

"We have reached a pivotal moment in our landmark effort to enshrine fundamental digital privacy rights for all Americans into federal law," Rep. Jan Schakowsky, D-Ill., said today during the initial Consumer Protection and Commerce Subcommittee hearing on the bill. "We live in an increasingly online world, and it is time to pass privacy reform that keeps pace with the speed of technological innovation."

The bill would require the Federal Trade Commission to set up a new bureau that would have authority for parts of the act. Among other things, the act would require the FTC to issue guidance on policies that companies must follow in collecting, processing and transferring covered data.

Several previous data privacy bills failed to gain support in Congress and the ADPPA faces an uphill battle, it would appear. The bill, "as drafted is unworkable and should be rejected," the U.S. Chamber of Commerce wrote in a letter to lawmakers.

However, Politico reported that the bill includes agreement between Republicans and Democrats on two areas that have blocked previous efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share their data or use it in ways the law prohibits.

Originally published in InsuranceNewsNet
