New regulations, insurer pressure and growing consumer alarm about online security will force agents to act this year to protect their data from unfettered use by third-party vendors.

The NAIC Insurance Data Security Model Law has already been adopted in eight states (Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina) with more expected this year. Insurers are sounding the alarm by pushing agents to take further steps to strengthen their privacy and security policies and make certain their vendors match it. Also, a survey last November by Pew Research Center shows 81% of the public say that the potential risks they face because of data collection outweigh the benefits. Clearly, this is one issue agents can't put off.

A lot of attention has been paid to the California Consumer Privacy Act (CCPA), which went into effect Jan. 1. Vendors have been scrambling to comply, which is why most of us are seeing emails from many of them announcing updates to their terms of service, particularly their privacy policies.

The primary goal of CCPA is to help consumers understand what information is collected and how it's used in order to make better choices on whether to use a service. CCPA contains loopholes, however, according to Mary Stone Ross, a nationally recognized expert in consumer privacy, cybersecurity and data.

Ross says companies can still collect data, photos and emails; however, they now must tell consumers when asked what they're collecting and delete it when requested. Companies can still deny such a request for certain reasons (to complete a financial transaction or protect against fraud) and can't legally sell that data if you tell them not to.

If they sell it anyway, however, a consumer can't sue, Ross notes.

For agents, the NAIC model law raises the stakes. The law seeks to establish data security standards for regulators and insurers in order to mitigate the potential damage of a data breach. The law covers agents as well, however and phases in requirements for compliance with the information security program and oversight of third-party service providers.

Every app and digital tool agents use collects data. Many, if not most, freely share that data with third parties and some sell it. Most people understand that posting something to Facebook or searching on Google is tracked. When searching for products online to purchase, ads for those items appear the next time a consumer jumps online. Or when placing an order online for an item, ads for related items appear. There is a value to that. Given the critical nature of agency data, agents must be hyper-vigilant of the outside services they choose to use and to understand their privacy, security and data-sharing policies in detail. That's the message many insurers are sending out to agents.

Consumers will reward agents that recognize their concerns over data security and take action now as will insurers in addressing their concerns. Agents should do the following:

  • Review the privacy statements of all third-party vendors, many of which allow the service to share data with unknown partners and, in a legal sense, assume your data is theirs to do what they wish. Choose vendors that stipulate in writing that they will not sell, rent or otherwise share both your personal and marketing data with third parties.
  • Be prepared to answer insurer concerns about what your agency is doing to protect your data's security and privacy and provide details on the steps you have already taken and will take to safeguard that data.
  • After completing steps one and two, promote your actions to clients with this message -- that you take their concerns on data-sharing seriously.

Republished from Insurance Journal Magazine, Jan. 27, 2020.