A UK regulator fined Clearview just over £7.5m this week, for a variety of data protection breaches. So what can insurers learn from this ruling? I can see lessons for the sector on a number of levels.
Takes All = Winner?
There’s been an argument in insurance circles for many years now that if the insurer thinks a piece of data could signal something about the risk they’re taking on, then the insurer has the right to collect that data. In more recent years, the influence of analytics has caused this to morph into the view that any piece of data might tell the insurer something about risk. As a result, insurers increasingly felt they had the right to collect any and all data, to check if it might influence the risk. So the narrative went.
The challenge for the sector from this Clearview ruling is around what an insurer might be reasonably expected to collect. I suspect that ‘the right to collect any and all data’ would not be judged reasonable. The fact that a piece of data might influence a risk (and only statistically at that) may not be enough.
Such a challenge is backed up by recent research in the US, about the types of rating factors that auto insurance policyholders thought it reasonable for insurers to use (more here). It fell well short of what insurers would like to use. And in the UK, research in 2020 by the sector’s trade body revealed high levels of mistrust about how insurers collect data and what they then do with it.
Clearview’s business model, of collecting as much image data as possible, in case a client might find it useful, is pretty similar to insurers’ ‘right to collect any and all data’ thinking. Insurers need therefore to think about recalibrating what is reasonable to collect, and have justifications for continuing to do the collecting they do. Those justifications should be set not just in terms of adverse selection, but in terms of privacy and consumer attitudes as well.
The dramatic rise in the number of suspected fraudsters in UK insurance (more here) over the last few years points not so much to there being lots more tricky customers around, but to a widening of the criteria. A near threefold increase over three years feels very much like a strategic move to capture more data to fine-tune counter-fraud decision systems, and to set their scope of assessment much wider. The problem, however, is that this also feels rather close to the Clearview business model. Something along the lines of ‘if we do not know about them, how can we catch them if they do decide to do something’.
I’ve been told that this is needed in order to catch criminals. In this context, that’s a weak argument, simply because of what it says on this data’s tin – they’re suspected only. Two other points further weaken it. Firstly, what is meant by ‘suspected’ is defined by the sector, not the law. And secondly, the degree of suspicion is scaled from a little to a lot.
Smile for your Underwriter
We know that an insurer has been funding research into how the smiles of people in online photos can be used as a predictor of mental health problems (more here). And it is not hard to then see how this could be used, through the scraping of online images, to underwrite such people differently. It’s pretty similar to scraping words off social media posts to guess something about the person’s character.
What the Clearview ruling does is set out the regulator’s attitudes to such wholesale scraping of online data. So while there is a view widespread across the sector that if something’s on the internet, then it’s free for an insurer to use, this Clearview ruling runs pretty counter to that.
So if an insurer has been scraping personal data off the internet, it will need to start assessing how much of that data it can keep, and how much will need to be deleted. That’s why I’ve been saying of late that data ethics needs now to be considered as a trigger for your business continuity plans.
It looks like the UK data protection regulator has been concentrating on the upstream side - data brokers and software houses. I wonder if this is part of a strategy to target the upstream first, in order to then send signals to firms more downstream, such as insurers. Something along the lines of ‘you know what you have to do now’.
The challenge for insurers will be around interpreting those signals. There’s a tendency in the sector for insurers to see themselves as special cases, due to the nature of the risk at the heart of their business. That can only be taken so far, however, and needs to be carefully controlled. So I worry that some insurers will just view the Clearview ruling as nothing to do with them, and so simply dismiss it. That would be a risky move.