Insurance data privacy & ethics - how far does the market need to go?

With the lack of a comprehensive U.S. Federal data privacy law means we are left with a patchwork of confusing and jurisdictional challenging state laws. Four states California, Colorado, Connecticut, Virginia, and Utah passed comprehensive consumer data privacy laws and twenty-seven other states have introduced and are in different stages of becoming law.
The concern and confusion come from the number of consumer rights and business obligations insurers must navigate, implement, and establish to comply with those new individual state laws and regulations.
A national insurer licensed and admitted offering multiline insurance products in all fifty states has consumer data in multiple locations across multiple jurisdictions in multiple systems in the cloud and on premises. With billions of records spanning decades, stored within outdated legacy systems including sales, quotes, underwriting, claims, and payment data makes complying with every state consumer right to access, restrict, op-out, delete a dauting task for even the most sophisticated compliance, IT and data science staff.                    

This is an interesting topic - because if you see insurers who follow GDPR across Europe for example - they have different interpretations.
GDPR should be seen as a mechanism to share data under lawful conditions when often it can be said that it is instead used to say no to sharing. This has an impact to fraud - especially with data sharing and we all know that fraudsters are not vertical specific i.e. if they commit insurance fraud, they may commit banking fraud, tax fraud, benefits fraud etc.
Having a platform that is transparent, explains decision making and only uses the data required to make decisions is very important. Especially when considering multiple use cases - with data collected under different gateways i.e. consent versus legitimate interest.

Thanks . Where does legitimate interest around prevention of crime lie within this? Do you think the issue is around the timing and type of data used across different decisions?

what do you think?

I would imagine that the move to hyperscalers (GCP, AWS & Azure) complicate this even further, with data sovereignty issues etc

U.S. Federal laws such as HIPAA and Gramm-Leach-Bliley have carve-outs for the use of personal consumer data for fighting insurance fraud and prevention, in turn the current enacted state consumer data privacy laws have exemptions and exceptions to those federal statutes.
As long as those same exemptions and exceptions are in future state privacy laws insurance companies will have the ability to access and operationalize actionable intelligence from consumer data sources.

agreed there is clearly a piece for hyperscalers around residency with in region capabilities. However when this is in place, I have seen the ability to blend hyperscaling cloud with private hosting and dedicated private security wraps actually allow better control, transparency and assurance around data ethics. I am seeing a move away from the pure SaaS for critical customer data platforms.

great points - for fraud and prevention of crime almost all legal frameworks have carve outs for that. What I also see is that customer data technologies which help provide better decisions for good customers are also breaking down the barriers around the use of data within the insurance market which is a really positive step.

Would love to hear more on this :)

Earlier this year I spoke at the National Association of Insurance Commissioners (NAIC) Insurance Summit, and after receiving a question about the ethical use of consumer data and if insurance companies should be allowed access and use consumer data for rating, underwriting, marketing, and claims processing. I simply asked, how quickly and accurately do you want your claim paid? How quickly do you want your application processed, receive a quote and policy? I explained the same data is used to process and pay 98 percent of all insurance claims across all lines of business is the same data used for analytics to identify, prevent, and deny questionable or fraudulent claims. The same consumer privacy advocates want claims paid more efficient, electronically and with a better customer experience. Consumer data is used to validate claims the vast majority of the time then it is used to deny a claim.