"Let’s chat insurance," prompts the chatbot of an emerging insurtech, offering bite-sized, customized insurance plans. In return, the user must provide certain personal information like Aadhaar number and medical prescriptions. The insurtech assures it will match the user with the right insurer, negotiate the premium and present a seamless claim management process. The user skims through the FAQs, the policy and submits the information, at the click of a button. Indeed this is the tech-savvy, millennial-friendly, “ideal" insurance world. The user then stumbles on the T&C (terms and conditions) and privacy policy, stops for a moment and, finally, decides to save time.
Should a user diligently read T&C and privacy policy? Most terms would include all-encompassing statements that allow ceaseless processing of user information for vague purposes such as improving customer experience, analytics, directing customized ads and service efficiency. It further states that by using the website, user consent is deemed, and the only way out is to stop using the website. Since these terms provide no meaningful choice to the user, reading them is regarded futile. This phenomenon, called “consent deluge", points to a bigger concern: are users compromising “informational privacy" for convenience?
Informational privacy is an individual’s interest in preventing unauthorized access and dissemination of her information. The right becomes relevant in the context of digitized personal information, which leads to the identification of a natural person. Certain kinds of information such as passwords, financial, health, medical and biometrics are classified as sensitive. This is because their misuse and unfettered disclosure can cause harm such as impersonation, discrimination and financial fraud.
Currently, data protection and privacy are regulated under the Information Technology Act and reasonable security practice rules. The regime, unfortunately, is not equipped to fully grasp the growth trajectory and disruptive implications of emerging tech-data driven industries, including insurtech.
Micro-insurance, peer-to-peer insurance, blockchain, robo advisory, gamification, IoT (internet of things) and big data are getting engrained in how insurance operates. They yield efficiency through expansive outreach, direct digital interface and streamline processes throughout the value chain. Its much-valued asset is the vast pool of uncensored data, obtained from different sources, presumably for customer engagement and expedited processing. But a word of caution: Insurtech is the seismic point for data breach that can expose companies to disrepute, devaluation, loss of confidence and legal claims. Also, it can subject the consumer to identity theft, illegal trade in personal information and insurance fraud. The underlying motivation of a hacker is simple—insurance operates on analytics, retains unimaginable terabytes of personal data and, typically, does not use analogical foresight to safeguard the information from breach attacks.
Owing to limited IT rules, there is a minimal associated cost for “processing" information. Implementation of personal information management and security infrastructure is seen as a volitional act and not a governance mandate. However, times are about to change and insurtech will not be left behind.
In August 2017, the Supreme Court recognized informational privacy as a legal right enforceable against private parties. Consequently, the government unravelled India’s first-ever Personal Data Protection Bill. The Bill’s text has been reportedly finalized for Parliament’s approval. It seeks to balance business interests with right to informational privacy. The Bill proposes rigorous obligations on data fiduciary, i.e., the person who determines the purpose and means of processing. It identifies core processing principles that a fiduciary must adhere to. It requires them to provide prior notice, obtain specific consent and implement privacy by design. This means that privacy expectations of a reasonable consumer can no longer be a by-product of the business process. It also obligates the fiduciary to establish a rights regime through which a user can access and control processing of personal information. Further, it contemplates massive penalties for non-compliance. Thus, when the Bill is passed, deemed consent will not suffice. The law will call for revamping of existing business, organizational, managerial and technical practices to prevent potential risk or, in the least, mitigate it.
Beyond the entire legal mandate, while it is not always feasible for insurtech to prevent a breach, it is possible to act proactively. An analysis of recent data breaches reveals that they occurred due to flippant monitoring of data flow, lack of privacy designing as the default technology setting, poor internal checks, failure in conducting breach resistance tests, and use of outdated security systems. This also implies that a proactive approach and ethical regard to a user’s privacy could redeem the situation. Indeed, there is an increased awareness among stakeholders and data protection is gradually featuring as the new board room agenda. But, it is a long path ahead for insurtech and it needs to start now.
Arya Tripathy is principal associate at PSA, a law firm
