Lynn Woosley is a Senior Director with Treliant. She is a seasoned executive with extensive risk management experience in regulatory compliance, consumer and commercial credit risk, credit and compliance risk modeling, model governance, regulatory change management, acquisition due diligence, and operational risk in both financial services and regulatory environments.
As the insurance industry continues to undergo a profound digital transformation, three main drivers are telematics in auto insurance, “connected health” apps in health insurance, and alternative data in all insurance sectors. Each of these innovations in insurance technology, or insurtech, presents potential benefits and risks to both consumers and providers.
Among the benefits, new technologies and data sources can increase consumer access to insurance, expand choice and convenience, improve pricing, and better inform decision-making. For insurance companies, new technologies and data may also result in more accurate underwriting and pricing, enhanced product offerings and customer experiences, and improved fraud detection.
However, insurtech risks include privacy violations, data breaches, and the fallibility of alternative data, as new risks emerge regarding information security, data accuracy, consumer fairness, and other essentials. This article elaborates on the risks and recommends steps to manage them.
Auto insurers have access to an increasing volume of information collected by telematics, which merges telecommunications with information processing to remotely monitor location, condition, and other data related to individual automobiles. In practice, a policyholder either inserts a telematics device into a car’s onboard diagnostic port, accessing the vehicle’s computer, or installs a telematics app on a smartphone.
Data available via the diagnostic port could include location, date and time of vehicle use, driving time and distance, air bag deployment, instances of hard braking or cornering, acceleration rates, lane stability, activation of the vehicle collision warning or automatic emergency braking systems, and road conditions. App-based telematics could gather driving speed, distance, location, acceleration, and braking, as well as instances of distracted driving, such as calls, texts, or other apps used while in motion.
By linking data gathered from the telematics device with GPS and time data from the car or phone, the insurer can determine whether the consumer is:
- Speeding, by comparing vehicle speed to the posted speed limit;
- Rolling through stop signs, by using vehicle location and speed combined with stop sign locations on route maps;
- Traveling to, or parking in, areas with greater incidence of accidents or vehicle theft, by matching location data with geographic statistics; and
- Driving in a fashion consistent with the vehicle use stated in an individual’s insurance application, by tracking whether the car is in use during the day or night, miles driven, and destinations.
For health insurers, there are applications, often called “connected health apps,” that track almost every aspect of a user’s health and lifestyle, including exercise, diet, weight loss, blood glucose, pregnancy, stress, sleep, smoking, and menopause, just to name a few. Some apps let users research symptoms and find doctors or medical specialists.
And across all insurance sectors, insurers are now mining new alternative data sources when issuing and pricing policies. Digital payment platforms, mobile wallets, social media networks, travel, daily activity levels, neighborhood health and safety patterns, “real world” credentials such as college degrees and professional accreditations—these and other sources are increasingly explored for their usefulness in establishing insurability beyond driving records, medical histories, credit bureau scores, and other more traditional inputs.
A review of privacy policies for a number of commercial health, auto, and property insurance apps found in the Apple App Store or the Android Store on Google Play indicates that most are using tracking technologies. These may include cookies, beacons, tags, scripts, and location data, as well as collecting and transmitting log files including IP addresses, device type, browser type, internet service provider, clickstream data, date and time stamps, pixel tracking, and HTML5 Local Storage Objects. Many also capture information about web browsing history, even when transactions are within the app.
Auto insurance apps usually collect driver’s license information and vehicle identification numbers and contain driving histories. Insurance apps often ask for access to a user’s device camera to take pictures of insured items for coverage or claim purposes. For apps with in-app payment capabilities, bank account or payment card information may also be stored. Even without in-app payments, some insurance apps collaborate with third parties to gather banking data about app users.
Connected health apps have been found in recent studies to present numerous privacy issues, including excessive mobile device permissions and undisclosed data collection, such as email addresses, phone numbers, photos, and locations.1 It is unclear whether health apps offered by insurance companies or employers have the same issues as those offered by technology and wellness companies, but it is clear that such apps collect a variety of sensitive personal data points. These include ID, policy information, social security number, coverage limits and rates; email, phone number, address, marital status, age, claims, and medical history, including doctors, prescriptions, and diagnoses.
In addition to data collection, data sharing is a key consumer privacy concern. After collecting sensitive data, does the insurer share it? If so, with whom? The studies of health and wellness apps mentioned above found that the apps were sharing the information collected with social media platforms, advertisers, and, in some cases, pharmaceutical companies and employers. Although there is no evidence that insurance companies are currently sharing this broadly, some health and wellness apps used in employer-sponsored wellness plans do share data with employers. Even though such data is supposed to be anonymized under the Affordable Care Act (ACA), in practice employee segments may be small enough to reduce anonymity.
Some auto insurers have reserved the right to share telematics data in the future. A review of a sample of iOS and Android insurance app privacy policies indicates that insurance company apps frequently share data with marketing partners, affiliates, and analytics or service providers, as well as state insurance departments. Some apps noted they also shared information with unaffiliated insurance companies, reinsurance companies, insurance agents, third-party claims administrators, consumer reporting agencies, and financial institutions. Our review of insurance app privacy policies revealed that insurtech-related companies are also using social media and large tech firms for analytics.
In the studies referenced above, testers found unencrypted transmission of data to third parties, including sensitive health information, passwords, and consumer contact information. Several health and wellness apps made unencrypted requests for HTML content or unencrypted or plaintext requests to servers in a fashion that would permit “man in the middle” code injection, data leakage, and cyberattacks. Others sent unencrypted user authentication cookies, offering opportunities for account takeover.
A review of the consumer disclosures of several insurance apps showed that many insurance app providers disclose very limited information regarding their data security practices, making it difficult for consumers to understand potential information security risks. None provided details regarding how their apps store and transmit consumer information. As data hacks proliferate, the need increases for robust encryption and other methods of obscuring personally identifiable information (PII)—on the device, during transmission, and in the cloud or physical storage of the app owner—to ensure that opportunities for malicious actors are minimized.
Data Accuracy and Reliability
Two risks associated with some insurtech and alternative data are accuracy and reliability. Insurers should incorporate robust data cleaning routines and consider the impact of noisy or inaccurate data.
Consider phone-based telematics, for example. Sensor data from a smartphone’s gyroscope, compass, and GPS systems is notoriously noisy. The app cannot tell if the consumer is the driver, a passenger, or out jogging. The app may not know, especially in some speed ranges, whether the consumer is in a car, a train, or a plane. Health and wellness apps do not know whether the symptoms searched by a user are their own, a family member’s, or a topic being researched for some other purpose. In addition, purchased data that is combined with device-collected data may have unknown accuracy, completeness, and reliability, particularly since data providers may not be subject to regulatory oversight.
As insurance firms use more alternative data and telematics, there are increasing consumer fairness risks. Consumers may not understand the impact of alternative data on insurance underwriting and pricing decisions. Whenever there is a lack of transparency or consumer understanding, the risk of unfair trade practices increases.
Inappropriate use of alternative and location data can increase the risk of illegal discrimination in insurance. Just as the use of location data in credit decisions raises redlining risk, the use of telematics in auto insurance quotes could result in insurance redlining based on driving or garaging location.
Several court cases have found that illegal discrimination in availability, coverage, pricing, or claims processing of insurance covering residential real estate violates the Fair Housing Act (FHA). The Department of Housing and Urban Development (HUD) has held that refusing to insure multi-family properties that include “subsidized housing” and “low-income housing” has a discriminatory effect based on race and national origin in violation of the FHA.2 Although the FHA does not cover auto and health insurance, there are similar prohibitions on illegal discrimination in other laws governing insurance.
Earlier this year, the New York Department of Financial Services (NYDFS) joined the Federal Trade Commission (FTC),3 General Accounting Office (GAO),4 and the Open Technology Institute5 in expressing concerns regarding the use of alternative data in financial services, including underwriting insurance policies. In Insurance Circular Letter #1 (2019),6 the NYDFS reminded insurers operating in the state of their obligations and risks in using external data in underwriting life insurance. Under New York state law,7 it is illegal to discriminate in providing insurance because of prohibited criteria, including race, color, creed, national origin, status as a victim of domestic violence, past lawful travel, sexual orientation, or any other protected class. Many data points potentially useful in underwriting life insurance, such as community-level home value, home ownership, mortality, crime, accident, and addiction or smoking data, may be proxies for prohibited criteria.
In addition, some data points collected via health and wellness apps may be proxies for information protected under the Americans with Disabilities Act (ADA) or the Genetic Information Nondiscrimination Act (GINA). For example, histories of searches of certain symptoms or medical conditions could reveal genetic or disability information.
Recommendations for Risk Management
As insurers adopt new data and technologies, they should take these six steps to help manage their consumer protection risks:
- Insurers should be transparent with consumers regarding the information they collect, how they use that information, and whether and how they share that information.
- Insurers should adopt strong cybersecurity measures, including elimination of unencrypted or plaintext collection, transmission, and sharing of potentially sensitive data.
- Insurers should permit consumers to opt out of third-party and affiliate sharing with ease.
- Insurers should consider fairness broadly in their use of emerging data sources and technologies. Evaluate whether the adoption of new technology would result in unfair trade practices or unfair claim settlement practices. Where appropriate for a particular insurance product, consider the effect on compliance with the FHA, ADA, GINA, and state laws prohibiting discrimination.
- Before using alternative data, insurers should evaluate the relationship of the data to risk. In insurance underwriting or rating, insurers should evaluate whether the data and its usage is supported by generally accepted actuarial principles and consistent with claims experience.
- Finally, insurers should assess whether there is a valid rationale for differential treatment of otherwise similarly situated consumers based on the alternative data.
Insurtech offers the promise of increased access to insurance, expanded consumer choice, and more accurate underwriting and pricing. To achieve these promises without consumer harm, insurers must manage the consumer protection risks of new technologies and data.