By: Abhinav Gupta
Innovation by way of technology is the key driver for the financial sector and now, even the insurance sector is no stranger to technology. The insurance industry is being greatly disrupted due to the rise in InsurTech startups (hereinafter ‘InsurTechs’). InsurTech is the integration of Insurance services and technology.
Although InsurTech is in its initial phase in India, it has moved beyond the traditional ways to improve ‘digital distribution’ and ‘customer experience’. For example, some insurers have introduced chatbots for assisting customers through messaging and hence, improving customer service. Some insurers have gone to the extent of using drones to ascertain claims in agriculture insurance. No doubt, InsurTech improves the consumer experience and provides easy access to insurance services, however, it poses serious cybersecurity and data protection issues. In this article, the author seeks to explore the developments in the InsurTech industry and reflect upon the data protection issues posed by this innovation.
Insurance Regulatory & Development Authority of India (hereinafter ‘IRDAI’) realised the increasing use of technology in order to provide insurance services to consumers and in 2017, they started a discussion about the use of telematics in order to provide motor insurance. In 2018, IRDAI constituted a working group on Wearable Technology in order to analyse the interface of insurance services and wearables. After the Reserve Bank of India released its ‘Enabling Framework for Regulatory Sandbox’, IRDAI released IRDAI (Regulatory Sandbox) Regulations, 2019. These regulations allow insurers to be part of the regulatory sandbox if they intend to promote innovation which is beneficial to insurance in India. Under the regulation, IRDAI puts the onus on the insurer to ensure confidentiality of consumer data.
Allowing the inclusion of insurers in Regulatory Sandbox is a positive step towards the promotion of innovation in insurance. It will increase access to insurance services which is the current requirement, considering the low insurance penetration in India. Moreover, market players have a wider scope of exploring and innovating with new technologies in a controlled environment. In order to address the concerns related to data protection during the testing phase, the Insurance Sandbox Committee recommended that despite special exemptions, participants will have to mandatorily comply with regulations related to data protection and policyholder safeguards.
DATA PROTECTION AND INSURTECH
The insurance industry in general is greatly dependent upon customer data. InsurTechs seek to match the customer with the appropriate insurer. This matchmaking requires them to collect a variety of data such as Aadhaar details, medical prescriptions, customer’s medical history. Moreover, for such a data-driven industry Internet of Things (hereinafter ‘IoT’) is a gold mine. By using IoT, insurance companies do not need indirect indicators like age and gender to determine the premium, they can just track fitness bands or access driving apps to understand customers’ habits, lifestyle and preferences. New York’s Department of Financial Services went to the extent of allowing insurance companies to access social media accounts of customers in order to determine the premiums.
The use of big data and automated decision-making by InsurTech companies may be perceived as interfering with the individual’s right of self-determination and breach of informational privacy. This usage and storage of data raise the question of whether we are compromising with our privacy for convenience? Whether access to personal data is warranted and safe? These questions become even more pertinent in light of increasing data breaches in the insurance sector. IoT further exposes customers to data breaches and a study suggests that the majority of the companies are unable to detect such security breaches.
The intention behind putting such obligations on data fiduciary is to put consumers in control of their data. The service provider will be duty-bound to handle the data carefully and for fair and reasonable purposes only. As a result, the way businesses collect data will change drastically and they will need to modify their policies accordingly.
- There is a need for adopting a new model for the protection of consumer’s data. A leading international organisation proposed a new model for the protection of consumer data. As opposed to the ‘Notice and Consent Model’ where the burden of ensuring privacy is on individuals, the onus should shift on to the providers. In doing so, they advocate for a ‘legitimate purpose test’ or imposing a ‘fiduciary duty’. A similar model is being adopted by India. PDP bill provides that every person processing personal data should do it ‘in a fair and reasonable manner’ and for the purpose consented by the individual.
- Increased reliance on information technology means an increased risk of cyber-attacks and breaches. Considering, that the insurance industry is facing the highest number of data breaches, insurers need to ensure optimum internal checks, establish technology risk management capabilities and be ready to handle IT security incidents and system failures. There is a need for robust security mechanisms in order to protect data against cyberattacks. Organizations need to move beyond simple PINs and necessarily adopt multifactor authentication.
The insurance industry in India is undergoing a massive change. Where insurance involved a lot of paperwork, with the integration of technology and delivery of services, this paperwork has been reduced and has resulted in ease and easy accessibility of information to consumers. At the same time, this integration has led to concerns related to informational privacy and use of data. The categorization of right to privacy as a fundamental right and the PDP Bill are few positive steps towards protecting the confidential and personal information of consumers. It is of the utmost importance to create a balance between privacy and innovation. If privacy protection proves to be insufficient, it will hamper consumers’ trust in innovation. On the other hand, if the regulators develop an overly strict legal regime barring the use of personal data, it may hamper innovation and easy access to services.
(Abhinav is currently a law undergraduate at National Law University, Jodhpur. He may be contacted via LinkedIn.)
Cite as: Abhinav Gupta, ‘InsurTech: An Opportunity Riddled with Threats’ (The RMLNLU Law Review Blog, 21 October 2020) <https://rmlnlulawreview.com/2020/10/21/insurtech-an-opportunity-riddled-with-threats > date of access.