Privacy And Data Security: 2020 Considerations For The Insurance Industry


With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, "insurers") continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.

How Does the CCPA Impact Insurers?

On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to "businesses," which are for-profit entities that determine the purposes and means of processing consumers' personal information, that do business in California and that meet certain applicability thresholds.

Insurers operating in California that meet the CCPA applicability thresholds will be deemed "businesses" subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:

(i) Personal information that is collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing regulations (GLBA) or the California Financial Information Privacy Act (CalFIPA);

(ii) Personal health information collected by a covered entity or a business associate (as such terms are defined in HIPAA) and medical information (as defined in the California Confidentiality of Medical Information Act (CCMIA)); and

(iii) Covered entities (as defined in HIPAA), to the extent the entity maintains patient information in the same manner as personal health information.

Insurers providing products or services to individuals for their personal, family or household purposes are currently subject to GLBA at the federal level (and may be subject to HIPAA in some cases) and state laws implementing GLBA. Many of these state laws are based upon the National Association of Insurance Commissioners (NAIC) Privacy of Consumer Financial and Health Information Model Regulation...