Back in 2012, I singled out privacy as the number one ethical issue that will confront the insurance sector over the next five years. Recent developments in South Korea, the world’s tenth largest insurance market, act as a warning signal to other markets that privacy concerns have the potential to trigger explosive repercussions.
In December 2012, the South Korean regulator disciplined three insurance market assocations for privacy and consent issues relating to the handling of 8 million policyholder records. At the same time, a Government agency launched an investigation into the South Korean regulator itself, amid allegations relating to the misuse of a collective search system called KLICS, designed to prevent insurance fraud. Users of KLICS stood accused of having collated far more personal information than was needed for its stated purpose, or policyholders had given consent to.
Now comes news that the South Korean regulator has instructed all financial institutions to stop all telemarketing activities until the end of March, following data fraud at a credit information service provider. That same regulator then uncovered further data leaks at three insurers. Telemarketing accounts for a significant proportion of some insurers’ new business, so not surprisingly, the sector is up in arms about the instruction.
Could such events happen here? Let’s come to that after considering a US survey of data governance policies across a range of private companies and public organisations. It found that 44% of those surveyed had no such policy and a fifth of them had no plans to implement one. You can find more on data governance here.
If the US survey is in any way indicative of the state of UK data governance, and of the insurance sector in particular, then it would be fairly safe to assume that the privacy breaches and fraud happening in South Korea are already happening here – they’re just waiting for the spark that will ignite the controversy.
Privacy can create some highly explosive ethical situations. Think of the relevation that murdered schoolgirl Milly Dowler’s phone had been hacked – it was the spark that blew up the News of the World. Think of the revelations of the whistleblower Edward Snowden – they are continuing to be the spark for upheavals in international politics.
And privacy issues have a tendency to trigger huge political interventions, as South Korean insurers and their regulator are now experiencing. It’s rare for an insurance regulator to be investigated, and somewhat ironic that this was triggered by the misuse of a system originally built to combat insurance fraud.
Having a data governance policy is a pretty entry level step for any company handling large amounts of customer data. And if you intend to take privacy seriously, then your data goverance policy should set out exactly how you’re doing to respect the privacy of the information entrusted to you by your customers.
Experts in privacy tell me that such sector specific incidents are going to become more common over the next few years. UK insurance firms would do well to heed the warning and closely inspect their data governance before a spark triggers a reputational explosion.