When to Bring in Reinforcements to Address Emerging Cyber Regulations and Data Privacy


The California Consumer Privacy Act, or CCPA, will take effect on January 1, 2020. The law gives consumers more control over their personal information and mandates how companies manage, use, and store customer data.

The measure certainly has its merits, but its broad scope will force insurers to follow stricter data compliance rules. A single misstep could expose your business to regulatory risk.

Maintaining a culture of compliance makes it easier to follow regulations. When compliance is a part of everyone's job — from top to bottom — your company gains a competitive advantage. Who wouldn’t want to do business with an organization that follows the letter and spirit of the law?

The only problem: Even with a culture of compliance, many insurance firms aren’t equipped internally to comply with CCPA and similar laws. They understand the basics of compliance, but they don’t necessarily have the knowledge or expertise to execute it.

An outside firm might be better equipped to perform a current-state assessment and reach compliance with CCPA and similar regulations efficiently and effectively, according to Philip Gow, managing partner at Global Insurance Service Innovations and a PIMA member.

Let the experts do their jobs while your team focuses on other business requirements. If CCPA has not been part of your organization’s plan, and there's a lack of bandwidth to respond in the mandated time frame, it's best to leverage external specialized resources.


The Time to Start Is Now

Even if a law isn’t looming in your area, you can still use existing ones like CCPA, Europe's GDPR, and New York's Part 500 to prepare for a similar regulation — and you can count on one coming to your state. The regulatory landscape is changing with each new data security and privacy law, so insurers need to evolve.

Get a program in place, draw up policies, and implement controls to ensure customer data is safe and sound. Almost 7 in 10 consumers rank honesty and transparency as a necessity when it comes to a company’s use of their personal data. If you want to continue to grow your business, make sure you’re in compliance — whether through internal or external methods.


Seeking Outside Help

“When evaluating whether you might need to enlist an outside firm, consider your organization's experience and knowledge regarding these emerging cyber regulations,” Gow said.

If your organization established its sites under Part 500 or you are doing business in Europe, then you probably already have the ability and insight to do the work internally. If not, then Gow suggests taking an objective look at your other business and compliance priorities. Decide whether you have the necessary resources, bandwidth, and expertise to meet the measures. If that isn't an option, an outside firm could be the best route for your company.

Keep in mind that this is still a relatively new field, though. “I can count the good national companies on less than five fingers,” Gow explained.

As you choose a third-party provider, it’s essential to look into its background. Ask about its experience in the insurance and financial services sectors. Get a feel for its expertise with cyberbreaches, hacks, and other unauthorized exposures of consumer information. Above all, make sure you choose a firm that fits your company's needs.


Finding New Opportunities

Instead of worrying about increased scrutiny regarding data privacy and protection, focus on the silver lining: It’s an opportunity for insurers to show consumers how important data privacy is to their organizations. The steps you take to remain compliant will demonstrate your commitment to protecting clients. Make sure they know what you're doing to keep their data secure.

Putting the appropriate levers and barriers in place also means you’ll be ahead of the curve when similar ballot measures hit Idaho, Illinois, and other states. CCPA is a comprehensive piece of legislation and a natural template for other states to use as a starting point, Gow said. Even if your legislators approve a pared-down version, taking steps to comply with CCPA will set your organization up for success.

Data privacy is on everyone’s mind. If you’re slow to implement the necessary protections, clients may question your commitment to them. Insurance is a business based on trust, and a proactive approach to data privacy measures is just another way to strengthen that trust.

PIMA® (Professional Insurance Marketing Association®) is a member-driven trade association focused exclusively on the group-sponsored benefits market.