Why You'll Hear More About Data Fiduciaries in the Future


Protecting your customers’ data has never been more critical. With more and more people working from home and using personal computers to work and handle private data, online security risks are greater than usual.

What’s more, 82% of Americans stated they’re concerned about online security in a recent survey. State lawmakers are taking notice and have responded to major data breaches — like those at the American Medical Collection Agency and Capital One (to name a few) — with stricter data protection laws and regulations. In 2019, 31 states passed some form of cybersecurity legislation.

One such regulation, the California Consumer Protection Act, or CCPA, went into effect on Jan. 1, 2020. The CCPA gives customers more control and insight into how their data is collected and used, and it dictates how companies manage and store that data. While this law only applies to companies that operate in California, other states are using it and the European Union’s General Data Protection Regulation, or GDPR, as a framework for their own privacy legislation.

Even stricter and arguably more comprehensive than CCPA and GDPR, the New York Privacy Act, or NYPA, was introduced in 2019. While it did not pass in the last Senate session — and its progress has been further interrupted by the COVID-19 crisis —  organizations should be aware of the bill. It could have significant effects on the insurance industry going forward. If the bill becomes law, it would require businesses operating in New York to prioritize customer privacy over profit.

In that same vein, the NYPA would require businesses to operate as “data fiduciaries.” Sometimes referred to as information fiduciaries, this means businesses wouldn’t be able to use data to benefit their companies if it comes at the expense of consumers’ privacy and protection. The concept stems from HIPAA, which bans healthcare providers from freely exchanging patient information. As with a fiduciary in other industries, a data fiduciary would have to act in the best interest of the customers whose data it collects.

Even if the NYPA is not passed, other legislators may use the concept of a data fiduciary in their own cybersecurity laws in the future. This would have major implications for the insurance industry. For one, businesses would have to gain written consent before they could sell or share customers’ data. Companies that earn that consent would then become data fiduciaries. It could even affect how marketers can use customers’ data in targeted ads.

What’s more, a data fiduciary clause would make it even more difficult for insurance companies to remain compliant to avoid fines, legal action, etc. Even if you have a strong culture of compliance, this new rule would require updated training, systems, and more. Instead of scrambling when change inevitably comes, start planning for stricter laws like NYPA now so you can take them in stride.

Regardless of whether other states adopt the concept of a data fiduciary, it’s important to keep in mind as you work to protect your customers’ data. These changing regulations present an opportunity to show customers how much you care about their privacy and trust.

To stay up to date on the latest laws and regulations affecting the insurance industry, become a PIMA member today. PIMA® (Professional Insurance Marketing Association®) is a member-driven trade association focused exclusively on the group-sponsored benefits market. For more information on becoming a member, click here.