As Yogi Berra, master of American baseball, once said, “You can observe a lot by just watching.”
There has been a lot to observe in the world of data privacy and protection recently. Advances in artificial intelligence and mobile computing promise to automate repetitive error-prone claims and underwriting tasks, from sifting through physician notes to scrutinizing heart traces. At the same time, insurers can better access masses of data from daily life to develop highly accurate assessments of personal risk.
Impressive, yes. But also concerning. Consumer advocacy groups have begun to raise the alarm about data misuse and theft. Indeed, according to Forbes magazine, the average data theft in 2018 cost $7.91 million in the U.S. alone in [legal fees, consumer reimbursements and other losses], the highest annual amount on record. Regulators have taken notice. The European Union’s launch of the General Data Protection Regulation (GDPR) in 2013 spurred a spate of similar policies across the globe.
As sports analogies go, baseball seems oddly appropriate to describe the shifting state of data protection in insurance today. In baseball, the defense is given control of the ball, and the offense must decide whether to swing or let an opportunity pass by. Similarly, while insurers today have good reason for caution, many also have access to invaluable data and the knowledge to protect it. How can insurers both address data privacy concerns and capitalize on competitive opportunities? Perhaps the lessons every insurer needs to learn can be found on a baseball field.
Going on Offense: Data Analytics in Risk Assessment
The question is urgent as carriers face mounting volumes of data. Basic demographic details, such as age, gender, education, and occupation, are only a small percentage of the possible insights now available. Data scientists can now build highly accurate predictive models based on behavioral, socioeconomic, and biometric information.
Collected together, data from pharmacy, wellness, motor vehicle, and credit sources can help carriers construct a far more complete profile of each applicant or claimant. The possibilities seem endless. New rating factors can enable underwriters to better segment risk and protect against anti-selection, non-disclosure, and fraud. Post-sale, carriers can perform more accurate and comprehensive multivariate experience analysis to support better in-force management and uncover untapped distribution, cross-selling, and up-selling opportunities. And at claims time, more insight can deliver greater accuracy in adjudication.
But like any hitter up at bat, insurers make a series of almost split-second decisions to try for a hit and risk a miss or even a strike-out. Players who step back from the plate could risk losing market share to more agile competitors. And yet, unauthorized or merely lax data use can contribute to reputational damage, loss of business, and substantial fines. Success will only come to those carriers that rapidly develop business practices that are both effective and protective.
Playing Defense: Data Protection Strategies
The good news? Adopt the right strategies and an insurer can gain the competitive advantage. The bad news? Each option brings positives and negatives:
- Create a data catalog – Companies can create a single source of truth for all data, from origin source to usage. This eases information sharing and visibility and can help carriers more easily identify gaps; it also magnifies risk if the data in such a catalog were to become inadequately protected.
- Detect and classify data – By correctly sorting sensitive data based on clear definitions, carriers can more easily identify and protect personally identifiable information and satisfy regulatory and auditor requests. On the other hand, misclassifying or mishandling this data due to vague definitions or process problems can draw hefty regulatory fines and reduce productivity.
- Protect data – Insurers can protect sensitive data through a variety of encryption techniques, including anonymization, pseudonymization, or redaction. These enable only authorized users to see specific data elements, minimizing risk of unintended disclosure and ensuring compliance. However, removal of data fields can impede analysis and raise integration risks, particularly in large complex organizations with multiple touchpoints. Also, no technical solution can be protective if the definitions of sensitive data are too lenient.
- Set a master person index – Carriers can establish a master person index by evaluating two or more data records containing the same, or similar, data elements to determine whether they belong to the same individual, who can then be assigned an alias across different partners and different data sets. This index can empower a carrier to better manage jumbo risks and retention limits, reduce the need for time-consuming manual comparisons, and increase data quality – but only if the aliases for each individual are correctly linked. The practice can lead to data redundancy, selection bias, and incorrect linkages that degrade data quality.
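A minimal sketch of the master person index described in the last item, added here as an illustration and not taken from the article or any carrier's system. It assumes each record has hypothetical `id`, `name` and `dob` fields, derives the alias as a keyed HMAC pseudonym, and holds near-matches for manual review instead of linking them automatically; the key name and both thresholds are assumptions.

```python
import hashlib
import hmac
import unicodedata
from difflib import SequenceMatcher

ALIAS_KEY = b"constructed-demo-key"  # assumption: real key lives in a KMS, apart from the data

def normalize(name):
    """Fold accents, case, punctuation and word order so trivial variants compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = "".join(c if c.isalnum() else " " for c in text).split()
    return " ".join(sorted(tokens))

def score(a, b):
    """Name similarity in [0, 1]; forced to 0.0 when dates of birth differ."""
    ratio = SequenceMatcher(None, normalize(a["name"]), normalize(b["name"])).ratio()
    return ratio if a["dob"] == b["dob"] else 0.0

def alias_for(record):
    """Keyed pseudonym: stable across data sets, not reversible without ALIAS_KEY."""
    material = f"{normalize(record['name'])}|{record['dob']}".encode()
    return hmac.new(ALIAS_KEY, material, hashlib.sha256).hexdigest()[:16]

def build_index(records, auto=0.95, review=0.80):
    """Return ({record_id: alias}, [(id, id) pairs held for manual review])."""
    index, anchors, held = {}, [], []
    for rec in records:
        best = max(anchors, key=lambda a: score(a, rec), default=None)
        s = score(best, rec) if best else 0.0
        if s >= auto:
            index[rec["id"]] = index[best["id"]]   # same person: reuse the alias
            continue
        if s >= review:
            held.append((best["id"], rec["id"]))   # too close to call: do not auto-link
        index[rec["id"]] = alias_for(rec)
        anchors.append(rec)
    return index, held

# Constructed sample records from hypothetical sources.
RECORDS = [
    {"id": "pharmacy-1", "name": "Maria Gonzalez", "dob": "1980-04-12"},
    {"id": "claims-7", "name": "González, María", "dob": "1980-04-12"},
    {"id": "credit-3", "name": "Mario Gonzalez", "dob": "1980-04-12"},
    {"id": "mvr-9", "name": "Maria Gonzalez", "dob": "1975-01-30"},
]

if __name__ == "__main__":
    print(build_index(RECORDS))
```

The "Mario" record scores about 0.93 against "Maria", the same score a one-letter typo would produce, which is why it is queued for review under its own alias.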
Complicating this, encryption technology itself is evolving, opening new choices and fresh risks. Consider the widespread practice of data anonymization. Insurers routinely anonymize or withhold identifying factors to protect personal information from analysts. While this approach is highly effective in isolation, it often proves too static when insurers must compare multiple sources of data. Alternate data streams cannot be easily merged with the anonymized data, and overreliance on this technique can impede deeper understanding of risk.
Carriers have responded to this problem by pursuing a variety of encryption methods: