Chapter 9

The Impact of Big Data on Insureds, Insurance Coverage, and Insurers

Ethan D. Lenz and Morgan J. Tilleman

9.1 Introduction

This chapter discusses the impact of Big Data on the insurance industry, both from the perspective of businesses that purchase commercial insurance coverage and from the perspective of insurers. The first part of this chapter focuses on several topics that will have an impact on purchasers of insurance, including

  • Risks posed by Big Data and the limitations of insurance coverage under traditional forms of insurance;
  • New insurance products that have been, or are currently being, developed to protect businesses against risks posed by Big Data; and
  • How these new insurance products work and how they may differ from more traditional insurance coverage forms, such as commercial general liability insurance.

Further in the chapter, we discuss topics that will specifically affect insurers, including

  • How insurers are currently, and in the future will be, utilizing Big Data in their day-to-day operations; and
  • The impact of insurance industry regulations on insurers’ utilization of Big Data.

9.2 The Risks of Big Data

The use of Big Data and the application of analytics to Big Data by any business will give rise to legal risks. These risks might arise from any number of sources, such as the following:

  • Professional liability risks associated with allegedly faulty analytics provided to clients;
  • Claims arising from damaged or lost data belonging to clients and other third parties;
  • Data privacy breaches caused by the wrongful disclosure of personally identifiable and other sensitive data; and
  • Breach of laws or regulations seemingly unconnected to the analytics, such as antitrust laws (see Chapter 8, “The Antitrust Laws and Big Data”); discrimination and human resource laws (see Chapter 10, “Using Big Data to Manage Human Resources”); or breach of e-discovery obligations (see Chapter 11, “Big Data Discovery”).

Furthermore, the costs associated with data privacy breaches and other claims associated with Big Data will likely pose a more significant risk to companies in many different lines of business than has been seen in the past. As the amount of data generated increases, so does the potential harm caused by a data breach and the potential for faulty or inadequate analysis of available data by data analytics service providers.1 Experts now predict that the amount of data created every day will double every 40 months.2

Particularly in the realm of data breaches, the potential losses are very real; consumers and the plaintiff’s bar are active in this space, and lawsuits frequently follow data breaches (see Chapters 4, “Privacy and Big Data,” and 6, “Big Data and Risk Assessment”). In terms of insurance coverage, a recent draft empirical analysis of data breach litigation by Sasha Romanosky, David Hoffman, and Alessandro Acquisti3 suggests two patterns that will make coverage critical for consumer-focused Big Data usage: First, the likelihood of a lawsuit increases as the number of consumer records breached increases; second, breaches of health care information are most likely to result in costly settlements (see also Chapter 5, “Federal and State Data Privacy Laws and Their Implications for the Creation and Use of Large Health Information Databases”). Significantly, in 2011, one report documented 855 separate data breaches that resulted in the loss of over 174 million data records.4 Thus, the question of what insurance coverage is, or is not, available to cover losses arising from these myriad risks quickly becomes paramount for all businesses operating in a Big Data environment.

9.3 Traditional Insurance Likely Contains Significant Coverage Gaps for the Risks Posed by Big Data

Some of the risks discussed in the preceding section may be covered by existing insurance products, such as commercial general liability insurance, errors and omissions liability insurance, or directors’ and officers’ liability insurance. However, for the most part, such policies were not developed with an eye toward the risks presented by Big Data, and most have exclusions and other coverage limitations that may significantly limit the coverage available for exposures arising from Big Data. In particular, companies cannot assume that their current insurance programs will provide adequate coverage for data security breaches, other third-party liability exposures, or even first-party losses that might result from the utilization of Big Data. For example, a standard form commercial general liability insurance policy, which is the most common type of liability protection purchased by most businesses, likely provides limited, if any, protection for most liability arising from a data breach or other technology-related loss exposures. The reason for this is that commercial general liability policies, particularly those issued to companies that are involved in data-driven service industries, will now almost universally contain specific exclusions and other coverage limitations that preclude coverage for such claims. These exclusions and limitations include the following:

  • provisions expressly excluding electronic data from the definition of covered property damage;
  • a specific exclusion of coverage for most damages arising from the loss of use of, or damage to, electronic data;
  • limitations of the definition of covered property damage to damage to tangible property only (data is typically considered intangible property)5;
  • exclusion of all “personal injury” liability coverage for businesses with significant technology-focused operations6; and
  • endorsements that specifically exclude coverage for personal injury liability arising from any access to or disclosure of a person’s or organization’s confidential or personal information.

Furthermore, for publicly traded entities, the coverage for the company itself (i.e., when the company is named as a defendant in a claim) under a directors and officers liability insurance policy is typically limited to coverage for securities-related claims. Consequently, there is also likely little or no coverage for the company under its directors and officers coverage if it is sued by a customer or other third party for losses arising from handling their data.

Given the limitations under traditional insurance coverage forms, new products, primarily in the form of “cyber liability” coverage, have become more prevalent in the insurance marketplace. As such, not only will decision makers in all sorts of businesses need to recognize the potential risks that accompany an increased use of data and analytics, but risk managers and executives will also need to understand how newer, and often more distinctive, forms of insurance coverage can facilitate the use of Big Data by offering protection for their business against its potential risks (along with the limitations of such coverage).

9.4 Cyber Liability Insurance Coverage for the Risks Posed by Big Data

Given the likely gaps in coverage under standard forms of commercial insurance, businesses that utilize Big Data as a part of their corporate strategy will typically need to explore the purchase of some type of “cyber liability,” “technology errors and omissions,” or “cyber package” insurance protection as part of their risk management program. Currently, there is no standardization among such policies, and the coverage can vary widely depending on the insurer that underwrites the coverage. However, most such policies are “menu” driven, allowing the insured to pick and choose among the types of coverage it desires to purchase, thereby allowing the insured to customize the protection to the particular risk profile of its business.

Some of the available options that will potentially provide coverage for not only liability but also a company’s “first-party” financial losses7 arising from security breaches and other technology-related risks posed by the utilization of Big Data include the following:

  • Professional Liability/Technology Errors and Omissions Liability Coverage. This type of insurance covers liability arising from an insured’s performance of professional services for third parties for a fee. It can be broadly tailored to provide coverage for a wide variety of business activities, from data aggregation and analysis services; to data storage services; to software as a service (SaaS) applications; and beyond. The key to such coverage is carefully considering the services a company provides and negotiating the “professional services” definition of the policy to ensure that it includes coverage for liability arising from all such services provided by a particular company. However, as discussed further in the chapter, it often only provides coverage for “damages” suffered by a third party and may not pick up certain costs that are often associated with privacy breaches.
    • Technology errors and omissions coverage can be particularly valuable for insureds that are responsible for storing, aggregating, and analyzing or otherwise handling Big Data consisting of large volumes of third-party customer data. In this regard, it may cover liability arising from deficient security, and resulting loss of use, or misuse of consumer-related data if the insured’s systems are breached and customer data is stolen or destroyed. Furthermore, it can potentially provide coverage for damages arising from faulty aggregation or analysis services that are provided to third parties. Again, such risk exposures are highly unlikely to be covered under standard form commercial general liability insurance policies, particularly for companies whose primary business involves the handling or analysis of large quantities of data.
  • Privacy Breach Cost Protection. Many forms of technology errors and omissions liability coverage will cover damages that a third party suffers as a result of a privacy breach. However, the coverage may not extend to potentially significant costs associated with a privacy breach, such as notification of affected individuals or the costs of monitoring services that must be, or are voluntarily, provided to the affected individuals following a privacy breach event. For companies that handle large volumes of personal information, these costs can be crippling when there is a large-scale privacy breach. As such, privacy breach cost protection (or similar) coverage should often be purchased separately as part of a comprehensive cyber liability or cyber package insurance policy.
  • Privacy Law Breach Protection. This coverage provides protection against regulatory investigations and actions that might arise from alleged breaches of privacy-related laws. Although such insurance likely will not cover the costs of actual fines or penalties incurred resulting from a regulatory action, as state and national governments become more proactive in enforcing privacy laws, the legal expenses associated with responding to investigations will necessarily increase. Therefore, privacy law breach protection-type coverage will likely become a more valuable part of a company’s cyber insurance protection portfolio, particularly for those companies handling personally identifiable and other sensitive data.
  • Hardware and Software/Network Security Liability Protection. Although technology errors and omissions coverage will provide protection against liability arising from services provided to others, it may still leave a gap in coverage for companies if they are not directly providing services as part of their business activities. The best example might be a business that, as part of its data aggregation services, accesses nonclient third-party networks and inadvertently transmits a computer virus from its network to the nonclient networks. Although significant liability might arise from such an event, it may not be covered under the technology errors and omissions coverage because it did not directly arise from providing services to a third party for a fee. This potential gap can often be filled by purchasing separate hardware and software/network security liability protection.
  • Cyber-Related Business Interruption Coverage. This is so-called first-party protection that provides insurance for direct losses suffered by a company as a result of an interruption in the availability, or degradation of availability, of its website, computer systems, or network. Particularly for companies with significant web presences, this can be a significant gap, as the coverage may be excluded from a standard form commercial property insurance policy and therefore must be separately purchased as part of a cyber package policy that provides both first-party and third-party protections.
  • Cyber Extortion Coverage. One of the most recent protections added as an option to many cyber package policies is for losses arising from cyber extortion. This coverage is typically unavailable under any of the standard forms of commercial property insurance coverage and will provide coverage for ransoms and other amounts paid as a result of illegal threats to damage websites or computer and software or data systems by way of the threatened introduction of computer viruses/worms, logic bombs, Trojan horses, and so on.

9.5 Considerations in the Purchase of Cyber Insurance Protection

Cyber insurance protection is still in its relative infancy when placed in the context of traditional forms of insurance. The coverage forms have largely been developed since the mid-2000s, and insurers have only recently started to see significant increases in the overall volume of sales in the commercial insurance marketplace. Given this, both insurers and insureds continue to struggle with the exact scope of the protection that insurers are willing to provide and insureds are willing to purchase. As noted, the policies are not standardized; therefore, most insurers are willing to negotiate the precise terms and conditions of their policy forms to “fit” the policies more precisely to the risk exposures faced by different insureds. Insureds should take advantage of this willingness of the insurers and attempt to carefully tailor the coverage to provide as broad protection as possible for their particular business. However, this can only be accomplished by investing the time and resources necessary to identify the risks posed by a company’s Big Data strategy, which should follow a risk management paradigm, including the following:

  • A comprehensive assessment of where, how, and when data flows throughout the organization and how Big Data is utilized (utilization of data flow mapping is helpful to most organizations when completing such an assessment; see Figure 4.1 on data flow mapping);
  • An analysis of the potential loss exposures (e.g., exposure to claims for data breaches, lost or damaged customer data, provision of faulty data analytics, etc.) presented by this utilization of Big Data;
  • The company’s risk appetite for either retaining these risks or transferring/covering them via insurance; and
  • Careful analysis and understanding of potentially available insurance coverage to ensure that appropriate forms of cyber insurance coverage are put in place and that gaps in protection are minimized.

9.6 Issues Related to Cyber Liability Insurance Coverage

In addition to ensuring that appropriate types of insurance are put in place to protect your business, you should keep in mind when purchasing cyber insurance protection that the coverage may respond differently, in at least two fundamental ways, than some of the more traditional forms of insurance coverage. First, under most commercial general liability insurance coverage, liability suit defense costs are usually covered in addition to the policy limits. However, under most technology errors and omissions insurance policies, defense costs reduce the limits of coverage available to pay any settlements or damage awards. Given that defense costs may mount quickly in a complicated technology-related lawsuit, this means that insurance buyers will need to carefully consider the appropriate limits for such coverage.

The second fundamental way cyber insurance may respond differently to a loss is in terms of which policy year of coverage will provide protection. In this regard, most traditional commercial general liability protection is written on what is called an “occurrence” basis. This means that the policy that was in effect when any bodily injury or property damage suffered by a third party occurs will provide coverage, no matter how far in the future any claim is made. In contrast, most technology errors and omissions insurance coverage is written on a “claims-made” basis, which means coverage is only available if a policy is still in place when a claim is actually made against the insured. Given this, even if a company ceases business operations, it may need to extend its insurance coverage into the future to ensure proper protection against liability and claims that relate to events that took place during the time it was actively operating in the technology or Big Data space. This is typically referred to as “tail” or “extended reporting period” coverage and is something a company will usually need to consider if it is acquired or if it otherwise ceases or wraps up its operations.

Cyber liability insurance protection will undoubtedly continue to rapidly evolve in the coming years. Given the limitations of traditional insurance coverage forms, it will likely become a cornerstone of insurance protection for companies with significant exposure to loss in the technology space and particularly companies that utilize Big Data in their day-to-day operations. Therefore, risk managers and other savvy insurance purchasers will be required to familiarize themselves with the forms of protection available and carefully undertake a cost-benefit analysis to determine if the coverage is a viable option to treat their Big-Data-related and other technology-related loss exposures.

9.7 The Use of Big Data by Insurers

Insurance companies’ increasing use of data analytics and the development of larger and more sophisticated datasets have the potential to dramatically change the marketing, underwriting, and service capabilities of insurance companies; however, insurance regulation poses at least two potential issues for insurance companies seeking to further leverage data analytics using Big Data. Unlike many other industries, insurance is exempted from many federal regulations and is instead subject to state-by-state regulation.8

Three model laws will likely have the greatest impact on the growth and development of insurance company use of data analytics: the NAIC Model Privacy of Consumer Financial and Health Information Regulation (the Privacy Regulation), the NAIC Insurance Information and Privacy Protection Model Act (the Privacy Act), and the NAIC Model Unfair Trade Practices Act (the Trade Practices Act).

9.8 Underwriting, Discounts, and the Trade Practices Act

Insurers have always been able to use information about applicants to engage in underwriting; indeed, this is one of the central functions of an insurance company. From application forms to property inspections and audits, insurers seek to obtain the best possible picture of their insureds and the risks their insureds face in order to adequately price insurance coverage while competing for business in the highly competitive market. Big Data can be a powerful tool to improve underwriting; witness the efforts taken by automobile insurers to secure more data about individual drivers through programs like Progressive’s “Snapshot” device.9 Even though better underwriting benefits both consumers (who can see premium reductions) and insurers (who can better predict their future losses and thereby improve underwriting results), state laws, including the Trade Practices Act, currently restrict the ability of insurers to make use of granular information about particular insureds. The Trade Practices Act prohibits certain “unfair discrimination” in insurance pricing; although this concept is not explicitly defined in the Trade Practices Act, both general understanding in the insurance world and the limited number of published cases available define impermissible or unfair discrimination as discrimination that is not actuarially justified.10

For example, Texas law contains an explicit exemption from the prohibition on discriminatory pricing for rates that vary based on actuarial analysis. Texas Insurance Code § 544.053 (a) states: “A person does not violate Section 544.052 [which prohibits discriminatory pricing] if the refusal to insure or to continue to insure, the limiting of the amount, extent, or kind of coverage, or the charging of an individual a rate that is different from the rate charged another individual for the same coverage is based on sound actuarial principles.” In other states, this principle is established by case law. Take Maryland, where the state supreme court has held that unfair (and thus prohibited) discrimination “means discrimination among insureds of the same class based upon something other than actuarial risk.”11 As a general principle, it is fair to say that the act allows pricing based on actuarial principles. Accordingly, insurance may be priced or underwritten based on factors that can be demonstrated through actuarial analysis to have an actuarially significant impact on the relevant risk. In all cases, whether personal lines automobile or large commercial property and liability or workers’ compensation, insurers will need to use analytics in actuarially sound ways to avoid violating the Trade Practices Act.

Large insurers that have already started to amass data about their insureds (Progressive, State Farm, and Allstate each have car-interface devices in the market, for example) will no doubt be able to demonstrate the actuarial value of this information in many cases. Auto insurers have already been able to identify risk profiles using their car-interface devices. In 2012, the New York Times reported: “Allstate says the lowest-risk time for accidents is 5 a.m. to 11 p.m. on weekends, with the highest risk from 11 p.m. to 4 a.m. on weekdays and 11 p.m. to 5 a.m. on weekends.”12 Consequently, drivers who drive during high-risk hours may face higher rates (or simply miss out on discounts). This information, and other information that insurers already know, or will learn in the future, does not appear immediately after implementing a data-driven underwriting process; insurers must first invest time, energy, and substantial financial resources in collecting and connecting the data that can support robust actuarial analysis and the resulting underwriting differentiation. Thus far, these data-driven underwriting tools have been widely employed by some of the largest insurers; State Farm, Allstate, and Progressive are titans of the insurance world with plenty of resources to invest in such tools. The development of a Snapshot-like tool at smaller automobile and other insurers may prove to be a greater challenge given the number of insureds and the smaller scale of resources. Thus, the ability to develop and deploy data collection devices and conduct analytics, even of information generated by a single source (like the car-interface device), may provide a competitive pricing advantage to large, resource-rich insurers.

Although automobile insurance is perhaps the type of coverage for which data-driven pricing is most visible, the combination of first- and third-party data seems likely to become an increasing part of the insurance industry’s practices in other lines of coverage as well. The use of third-party data raises significant compliance risks with respect to the Privacy Act and Privacy Regulation, as we explain further in this chapter. Indeed, large and sophisticated consultancies are marketing their Big Data services to insurers across a broad spectrum of lines. For example, IBM advertises its ability to align data sources and underwriting for all types of insurers,13 while Milliman touts its ability to achieve Big Data insights for small insurers.14 Similarly, Sam Medina of Tata Consultancy Services Limited recently told Business Insurance: “There is not a single commercial lines carrier that we deal with that does not have Big Data on their agenda.”15

9.9 The Privacy Act

The Privacy Act’s purpose is to establish standards for the collection, use, and disclosure of consumer information in connection with insurance transactions.16 Clearly, it will have an impact on the use of Big Data in insurance underwriting and marketing. Insurers have three primary obligations under the Privacy Act that will apply to the data underlying Big Data: (1) the obligation to permit consumers access to information about themselves; (2) the obligation to correct, amend, or delete inaccurate personal information about consumers; and (3) the obligation to disclose data-driven adverse underwriting decisions. Because of the substantially larger amount of data now being collected, connected, and used, the compliance process will be more involved and the potential regulatory risks larger for insurers who use Big Data in their underwriting and pricing decisions.

9.10 Access to Personal Information

Section 8 of the Privacy Act obligates insurers, insurance agents, and insurance support organizations to provide individuals with access to personal information that is held by such entities on written request. The Privacy Act has a broad definition of personal information; it includes “any individual identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health or any other personal characteristics.” Collecting and understanding this type of information is a primary purpose for the use of Big Data by insurance companies; accordingly, a large portion, if not all, of the underlying data will be subject to disclosure to consumers pursuant to the Privacy Act, as discussed in the following material. This poses several potential problems for insurers.

First, unlike traditional credit reports and other datasets used in underwriting, Big Data databases are not generally consumer friendly; that is, their contents are not readily accessible and understandable to laypersons. The disclosure of such information, even about a limited number of insureds, could confuse or anger customers who may not have any understanding of what Big Data is or how it is actually used by insurers. Second, such disclosure could reveal an insurance company’s Big Data strategy by showing what sorts of information a particular company felt were important enough to utilize in its underwriting process. Third, the sheer magnitude of Big Data databases makes the required disclosure more challenging. For example, providing access to a summary credit report is relatively simple, but giving consumers access to their Big Data records will be substantially more burdensome because of the sheer quantity of data in question. Because the Privacy Act does not distinguish between first- and third-party data, insurers will potentially need to provide access to both types of data for consumers who make Privacy Act requests. As insurers increase the amount of data they utilize in making underwriting and coverage decisions, the cost of compliance with Section 8 of the Privacy Act will increase rapidly as well. Insurers will need to be aware of the potential costs imposed by the disclosure obligation and factor the cost and inconvenience of potential future disclosures into decisions that are made as analytics are deployed across their business.

9.11 Correction of Personal Information

Like credit agencies, insurance companies that maintain consumer databases are obligated to respond to requests for correction regarding recorded personal information. Section 9 of the Privacy Act gives insurers 30 business days to respond to written requests for changes, corrections, and deletions of specific personal information from consumers, either by correcting recorded information or by providing written notification of, and reasons for, a refusal to do so. As databases grow, the potential volume of challenges grows as well; consumers will have a much larger amount of data to challenge, which will require insurers to dedicate more human and information technology resources to evaluating and responding to consumer challenges to stored or connected personal information. This is a second collateral impact of expanding the use of Big Data that will be important for insurers to consider in implementing data-driven marketing and underwriting. Insurers must therefore ensure that stored and connected personal information is subject to correction pursuant to the Privacy Act, even information that remains in the possession of third-party providers at all times.

9.12 Disclosure of the Basis for Adverse Underwriting Decisions

Section 10 of the Privacy Act requires that insurers provide consumers with specific written explanations of adverse underwriting decisions. On consumer request, the insurer must also furnish specific items of personal information that underlie such adverse underwriting decisions. For underwriting decisions based on Big Data and its analytics, this disclosure will be complicated by the very nature of dynamic analysis and Big Data. There may no longer be one or even a handful of data points that cause an adverse decision; instead, there will be a whole universe of data points that, taken together, inform underwriting decisions. In this sense, the increasing use of Big Data may fundamentally alter the nature of disclosure for adverse underwriting decisions. Although such a notice today might simply state that a consumer’s driving record contains too many traffic violations and the excess of violations caused the adverse underwriting decision, a disclosure in the world of Big Data may need to provide the consumer with an explanation of the analytics process as well as the data points that underlie its analysis. This will be an area of the law to watch closely: The recently released report on insurance regulatory modernization completed by the Federal Insurance Office suggests that data-driven underwriting should be even more thoroughly regulated, with the scope of insurers’ use of personal information in underwriting limited by law and regulation.17 Nevertheless, the practical nature of disclosure is likely to change because of the change in the nature of data underlying insurance underwriting.

Disclosure of personal data, correction of challenged personal data, and disclosure of the bases for adverse underwriting decisions are not new obligations for insurers. The sheer magnitude of personal data that may be used in Big Data analytics makes this task a compliance concern in ways that insurers’ existing uses of personal information do not, however. Compliance professionals as well as data specialists will need to be mindful of the challenges posed by insurers’ use of Big Data as insurers embark on more complicated and more numerous data analytics projects. Although compliance will be an ongoing challenge, insurers should consider the following general principles as they build analytic platforms and deploy Big Data in their marketing and underwriting:

  • Commercial analytics solutions are likely not set up for insurance law compliance out of the box.
  • Compliance can no longer be an after-the-fact response handled solely by compliance professionals.
  • Analytic platforms and processes must take into account the legal obligations imposed by state insurance regulations. For example, insurers must be able to identify the third-party information actually utilized in their Big Data analyses with respect to specific consumers months, or even years, after such analysis occurred.
  • Legal and compliance professionals at insurance companies must closely monitor developments at the state and federal levels to maintain compliance on a going-forward basis.

9.13 Third-Party Data and the Privacy Act

The disclosure obligations imposed by the Privacy Act described previously do not differentiate between personal information collected directly by the insurer (on an application or using an auto-interface device, for example) and third-party information. This has always been true, and insurers regularly use credit reports, driving histories, and other third-party sources of information to evaluate and underwrite potential risks. However, the governments and credit reporting organizations that prepare these traditional types of third-party data are subject to public disclosure requirements in their business as well; that is not necessarily the case for other types of third-party data vendors who may be sources of data used in Big Data analytics. Even so, should third-party data be used by insurers to perform data-driven underwriting, the insurers would be obligated to disclose such third-party data pursuant to the provisions of Sections 8 and 10 of the Privacy Act. Insurers will need to secure contractual rights to reveal such information when required under the Privacy Act and similar laws if third-party data is to be utilized in underwriting or sales activities. While this is not a new type of obligation for insurers, who already receive information from Insurance Services Office Incorporated (ISO), MIB Group, Inc., and other third-party data providers, next-generation data providers not focused on the insurance industry may need to be educated by insurance company clients to ensure that these compliance obligations are provided for by contract and achieved by third-party providers.

9.14 The Privacy Regulation

The Privacy Regulation requires insurance companies to provide notice of their information privacy practices to their customers and imposes certain restrictions and conditions on the use of customers’ personal information by insurance companies, their affiliates, and third parties. The Privacy Regulation has many parallels with the portions of the Gramm-Leach-Bliley (“GLB”) Act,18 which applies to financial institutions. Unlike other financial institutions, insurers are also subject to state privacy laws specifically governing the insurance industry. Among those laws are many based on the Privacy Regulation. There are two provisions in the Privacy Regulation that potentially will have an impact on data analytics at insurance companies. These provisions are (1) the requirement that consumers be allowed to opt out of information sharing with nonaffiliated third parties and (2) prohibition of discrimination against consumers who have opted out of information sharing.

To the extent that an insurer wants to participate fully in the world of Big Data, it may desire not only to receive third-party information but also to sell or otherwise share its own first-party data with other third parties. Much like banks and other noninsurance financial institutions must do under the GLB Act, insurers are obligated by Section 12 of the Privacy Regulation to give consumers a privacy notice and the chance to opt out of information sharing with third parties. If an insurer desires to share its own data with others, it will need to update its privacy notices and give consumers the chance to opt out of that data sharing. Should a consumer opt out of disclosure of information to third parties, Section 24 of the Privacy Regulation prohibits any discrimination or other actions taken in response.

9.15 Conclusion

The utilization of Big Data and the implementation of Big-Data-related business strategies will pose myriad challenges for both purchasers of commercial insurance coverage and all insurers. Insurance purchasers will need to:

  • Carefully assess the new loss exposures created by the utilization of Big Data and implementation of Big Data business strategies;
  • Understand the coverage and limitations under their traditional insurance programs; and
  • Undertake a carefully planned risk management analysis to ensure that any cyber package or similar insurance policies they intend to utilize to cover their Big Data exposures are comprehensive enough to accomplish that goal.

With respect to insurers, the most significant challenges arising from the utilization of Big Data and Big-Data-driven strategies will be:

  • The determination of the Big Data strategies that can be justified in their marketing, underwriting, and service operations; and
  • Understanding and adhering to the regulatory challenges and requirements that will arise from their existing obligations to policyholders.

Although the challenges faced by both insurance purchasers and insurers are not insignificant by any means, through careful assessment and implementation of appropriate strategies, as discussed in this chapter, both will be well on their way to navigating these challenges and appropriately protecting their businesses.

Notes

1. For example, if a service provider is retained to gather data and create an algorithm to analyze that data, it might be exposed to liability for failure to gather a sufficient amount of relevant data, missing relevant data points, or failing to create an algorithm that appropriately analyzes the data based on its clients’ needs.

2. Andrew McAfee and Erik Brynjolfsson. Big Data: The Management Revolution. Harvard Business Review (October 2012).

3. Sasha Romanosky, David Hoffman, and Alessandro Acquisti. Empirical Analysis of Data Breach Litigation. Draft available at http://ssrn.com/abstract=1986461.

4. Verizon RISK Team. 2012 Data Breach Investigations Report. 2012. Available at http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.

5. While court decisions are not universal on the subject, the majority rule in most US jurisdictions appears to lean toward finding that data is intangible property, and therefore damage resulting from lost or damaged data falls outside the coverage of a policy that limits the definition of covered “property damage” to tangible property.

6. “Personal injury” liability coverage under the standard form commercial general liability insurance policy typically includes coverage for publication of material that violates a person’s right of privacy, and insureds have previously utilized this definition to argue for coverage for data breach liability claims.

7. In insurance terms, liability insurance typically covers defense costs and judgments or settlements arising from third-party claims against a person or business. On the other hand, “first-party” coverage refers to insurance for a business for direct losses the business suffers to property that it owns (e.g., costs associated with re-creating data that the business owns).

8. The McCarran-Ferguson Act, 15 U.S.C. §§ 1011-1015.

9. The Snapshot device is a small automotive interface device that attaches directly to the On-Board Diagnostics (OBD-II) port in an automobile. It collects and transmits to Progressive information about the driving behavior of a customer, including incidences of hard braking and the number of miles driven each day.

10. Actuarial analysis is the application of statistical methods to the evaluation of the financial consequences of risk. Actuaries evaluate the likelihood of uncertain future events and the potential insurance costs of such events according to principles set forth in Actuarial Standards of Practice adopted by the Actuarial Standards Board. See http://www.actuarialstandardsboard.org/asops.asp. Because of the centrality of actuarial analysis to the operation of insurance companies, state regulators frequently defer to such analyses when evaluating the underwriting and pricing activities of insurers.

11. Insurance Comm’r for the State v. Engelman, 345 Md. 402 (1997).

12. Randall Stross. So You’re a Good Driver? Let’s Go to the Monitor. The New York Times, November 24, 2012. Available at http://www.nytimes.com/2012/11/25/business/seeking-cheaper-insurance-drivers-accept-monitoring-devices.html?_r=0.

13. See http://www-935.ibm.com/services/us/gbs/thoughtleadership/big-data-insurance/.

14. See http://www.milliman.com/insight/2013/Why-big-data-is-a-big-deal/.

15. Bill Kenealy. Commercial Insurers Embrace Big Data. Business Insurance, December 16, 2013, at 4.

16. While the Gramm-Leach-Bliley Act (GLBA) (Financial Services Modernization Act of 1999, Pub.L. 106-102, 113 Stat. 1338) generally governs the privacy practices of financial institutions, GLBA does not preempt state laws governing insurers’ privacy practices so long as such laws are at least equivalent to GLBA (15 U.S.C. § 6807). State laws based on the Privacy Act are equivalent to GLBA, although some states have enacted more restrictive privacy laws with respect to insurance. For thorough discussion of GLBA, see Chapter 2, “Overview of Information Security and Compliance: Seeing the Forest for the Trees.”

17. Federal Insurance Office. How to Modernize and Improve the System of Insurance Regulation in the United States. U.S. Department of the Treasury, December 2013, at pp. 56–57.

18. Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338).
