On November 21, 2016, the Federal Insurance Office (FIO) issued its first ever annual Report on the Protection of Consumers and Access to Insurance (Report). The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) authorizes FIO to monitor all aspects of the insurance industry, including the extent to which traditionally underserved communities and consumers, minorities, and low- and moderate-income persons have access to affordable insurance products (other than health). Dodd-Frank requires FIO to make annual reports to the President and Congress on the insurance industry, and in past years, consumer protection and insurance availability have been discussed within this single, annual report. This year, consumer protection and availability issues were addressed in a stand-alone Report.

The Report addresses five broad themes: (1) insurance and technology; (2) environmental hazards and insurance; (3) fairness in insurance practices; (4) fairness in state insurance standards; and (5) retirement and related issues. In this alert, we focus only on the Report’s insurance and technology section, which discusses consumer protection concerns raised by industry use of Big Data, and of the threats to consumer privacy posed by data breaches.

Big Data and Consumer Protection

FIO identifies Big Data as the gathering and use of “large volumes of data, often from multiple sources, [to] produce new kinds of observations, measurements, and predictions.” The various kinds of data collected include GPS information from mobile phones, inputs from social media and web usage, existing government and consumer databases, and the newfound Internet of Things.

While acknowledging the potential for Big Data to benefit both insurers and consumers, FIO emphasized a number of potential risks to consumers.

First, FIO pointed to the risk of “unlawful discrimination” associated with certain uses of Big Data in insurance. FIO believes Big Data’s use in creating finely tuned risk assessments (e.g., by using real-time GPS information from cars along with reputational data from social media sites to price P&C insurance) carries with it a risk of market segmentation that could closely correlate to protected classes like race, gender, ethnicity, or religion.

Second, FIO criticized the practice of “price optimization” whereby Big Data is used to predict a consumer’s tolerance for changes to premium price that do not reflect a corresponding change in the consumer’s risk profile.

Finally, and perhaps most significantly, FIO expressed concern about insurers’ use of data and consumer scores from third-party vendors such as data brokers. When data brokers furnish insurers with pricing models based on proprietary information and analytical methods, FIO notes that they have “a direct effect on the affordability and accessibility of insurance to a consumer, [but are] themselves outside the scope of supervision by state insurance regulators.” We note that the Report does not discuss the consumer protections provided by the federal Fair Credit Reporting Act or state privacy laws.

A move by state insurance regulators to assert jurisdiction over non-insurance companies like data brokers would be a major development, though it remains to be seen whether any state regulators will respond to the Report by doing so.

Cybersecurity and Consumer Protection

Focusing on the fact that insurers routinely gather and store sensitive non-public data on consumers, including personally identifiable information (PII) and protected health information (PHI), FIO identified the potential for data breaches as a “significant concern” for insurers. Pointing to the recent breaches at Anthem Blue Cross Blue Shield and Premera Blue Cross as examples of the dire consequences that can arise from data breaches (which we reported on last year), FIO is urging insurers to “do everything reasonable to protect against cyber risk and data breaches.”

FIO suggests that insurers adopt “baseline protections,” including limiting access to information technology to authorized users, coordinating data breach response with law enforcement agencies, and adopting cybersecurity standards for using third-party vendors. FIO is also encouraging state insurance regulators to develop more robust cybersecurity standards, including more frequent cybersecurity examinations.

The FIO Report is the latest addition to a growing chorus of regulators voicing concern over Big Data and Cybersecurity issues. At the state level, the NAIC is actively involved in both, through its Big Data (D) Working Group and its Cybersecurity (EX) Task Force. And, as we have previously reported, NY DFS is leading the way by adopting heightened cybersecurity standards for insurers. Further, at the federal level, the Federal Reserve, FDIC, and OCC have released a joint Advanced Notice of Proposed Rulemaking proposing unprecedented cybersecurity standards for banking and certain other financial institutions (including insurance companies designated as SIFIs) with an eye toward mitigating systemic risk, which we recently reported in Enhanced Cyber Risk Management Standards Announced in Joint Rulemaking Initiative by Treasury, Federal Reserve, and FDIC.

As the threat environment for cyber attacks continues to intensify, state and federal regulators are approaching the threats in piecemeal fashion, leading to a great deal of uncertainty about regulatory expectations. In any event, state insurance regulators’ continued focus on Big Data and Cybersecurity is probably here to stay for the foreseeable future.