How technology may create data privacy risks in auto P&C

Trucks travel along Interstate 70 highway in Greenfield, Indiana, U.S., on Thursday, Dec. 2, 2021. Roughly $8.8 billion from the federal $1.2 trillion infrastructure package should head to Indiana over the next five years to improve crumbling highways, roads, bridges and more, the Indianapolis Business Journal reports. Photographer: Cheney Orr/Bloomberg
Trucks travel along Interstate 70 highway in Greenfield, Indiana, on Dec. 2, 2021.

Technology is rapidly reshaping automotive property and casualty. The introduction of advanced driver assistance systems such as lane-keeping, distraction warning, automated braking, and collision warning brought the promise of reduced accidents, including injuries and fatalities. It also brought challenges, such as appropriately pricing risk, rising repair costs, operational and legal challenges with the recalibration of these systems, and an increased share of vehicles deemed a total loss. The rise of telematics and driver monitoring offered ways to coach drivers to be safer behind the wheel, new pricing models like usage-based insurance and creating new touchpoints and loyalty programs. It also brought challenges, including how to deal with an adverse selection of customers, the ethical and legal implications of profiling and automated decision making, not to mention the security and privacy implications of the data collected and shared via these systems.

Not only is digital technology changing, but so is the regulatory landscape. Some U.S. states have passed laws that will lead the insurance industry to take a fresh look at technology such as Bluetooth and navigation because they capture significant amounts of personal information from drivers and occupants.

Using hands-free calling is good for safety. When we sync a phone over Bluetooth, our vehicles download all sorts of data from the occupants' phones. Contact books, call logs, text messages, phone identifiers, and the related metadata are commonplace. Some vehicles go as far as collecting records of the photos taken by the phone, calendar entries, social media handles, vehicle and services credentials, etc. Using navigation is also an everyday convenience drivers enjoy, but few think about the treasure trove of precise geolocation that is left behind. As a carrier, if the vehicle becomes a total loss, upon the title transfer your company has now become responsible for the safekeeping of this information.

The National Association of Insurance Commissioners' Model 673 and Model 670 laws have already been recently adopted in 39 states and Washington, D.C. and they put specific requirements on how insurance players must treat their customers’ electronic personal information. Model 673 is a data security law, currently in effect in 33 states plus D.C. and model 670 is a data privacy law, currently in effect in 17 states plus D.C. The former requires “technical and administrative measures” to protect any electronic personal information that ends up in possession of insurance companies with “reasonable security” and the latter grants consumers a set of rights not too dissimilar from the California Consumer Privacy Act, which includes the right of deletion of any personal information in possession of insurance companies.

The problem is data stored in cars can be seen by anybody with physical access to the vehicle since the key is the only authentication factor and very few vehicles have any sort of encryption in place. It is also very hard to determine a priori if the contact book includes somebody’s social security number, a bank pin, or IDs and passwords, or if the text message database contains records of financial transactions, medical appointments, or other sensitive and regulated information. The only way to comply with Model 673 and 670 laws is to set up a robust process to delete the data from the cars before they are sold - and ensure that process is monitored, effective, and produces records to prove your compliance.

With 273 million vehicles on the road, raising statistics on accidents and total losses, increased scrutiny from regulators and agencies, and growing concern from consumers, the issue of personal information left in vehicles has the potential to be a multi-billion-dollar exposure to automotive P&C players. Plaintiff attorneys are paying close attention to both vehicle data and the insurance and financial sectors’ data leaks from disposed devices. Morgan Stanley was fined $60 million last year and will settle a class action this December over consumer records left in electronic assets they sold without properly wiping them.

Conversely, studies show that consumers are more likely to purchase services when companies protect their privacy and well-crafted programs can create new, delightful experiences for policyholders. New platforms and technologies are also emerging to assist insurance players as they navigate these new waters so they can better comply with local and federal laws, reduce the risk of potential lawsuits while instilling a feeling of trust, loyalty and protection to their customers and isn’t this what insurance is about?

For reprint and licensing requests for this article, click here.
Auto insurance Auto industry Data privacy rules Data security Cybersecurity and data privacy due diligence Cyber security Telematics Usage-based insurance
MORE FROM DIGITAL INSURANCE