3 areas insurers must address for California Consumer Privacy Act compliance
October 8, 2019
The California Consumer Privacy Act of 2018 (CCPA), which becomes effective on Jan. 1, 2020, is one of the most comprehensive and far-reaching of the new privacy rules proliferating at the international, national and state levels. Through CCPA and similar initiatives, regulators want businesses, including insurers, to be able to protect the privacy and security of consumers’ data.
Implementing CCPA compliance initiatives presents insurers with several data and operating challenges. With the act going into effect in just a few months, insurers need to focus on three areas in particular:
- Over-retention of data. The legacy of over-retention of consumer information is presenting insurers with challenges in consistently and effectively disposing of consumers’ personally identifiable information. As part of a broader review of information life cycle management programs, insurers should review their data retention policies to align with CCPA requirements. A key question is whether data retention periods align with legal requirements or are based on other business rationales. Under CCPA, insurers are able to retain some information for legal or regulatory needs, but if they wish to keep other data for longer periods, they must be able to demonstrate a legitimate business reason for doing so.
- Third-party data. Understanding the flow of personal information across supply chains and securing collaboration among third-party partners to dispose of consumer information is proving to be a time-intensive process. The requirements of CCPA dictate that insurers be able to contact suppliers and other third parties with access to consumer data and direct them to dispose of such information when a legitimate request is made. This can be a challenging operational problem for many insurers that have complex supply chains. They need to establish contractual obligations with suppliers that enable the insurers to respond to their own legal obligations. Insurers with large networks of agents or independent brokers (which can number in the thousands) may face a major undertaking to determine what consumer information has been shared. All of this depends on establishing a reliable inventory of third parties, which may be difficult given the complexity of the agent population but is fundamental to any subsequent analysis of which information has been shared with which third party.
- Data discovery. Insurers need to know where consumer data is within their organization, including how it is stored and how it can be obtained on demand. This requires a clear line of sight into where structured and unstructured data (from sources such as…