The data privacy landscape is plagued by fragmentation - Insurance News | InsuranceNewsNet

August 1, 2023 InsuranceNewsNet Magazine
The data privacy landscape is plagued by fragmentation

By Sue Kuraja

Data privacy laws weave a web of intrigue around the globe as insurance carriers and producer groups find themselves sifting through mountains of legislation searching for truth and guidance.

Cybersecurity risk. Data breaches. Identity theft. Malware. Are they the making of a suspenseful dramatic thriller like “The Firm,” or a boring chapter in your annual online anti-money laundering training requirement?

Akin to Tom Cruise’s harrowing journey in “The Firm,” when the law itself became his adversary, the twists and turns in data privacy law keep insurance producers and carriers on the edge of their seats.

In our era of interconnectedness, when data flows freely and information becomes a prized commodity, the financial and insurance sectors stand willing to safeguard sensitive and personal data. Yet, our current data privacy landscape is plagued by fragmentation and a lack of comprehensive regulation.

Although some states have taken steps to enact legislation, the absence of a unified federal framework leaves a void in addressing the unique challenges posed by the Fourth Industrial Revolution. The current pace of innovation has outpaced our preparedness to tackle critical issues about data privacy.

Expert reviews of data privacy policies between the U.S. and nations including Australia, the European Union and Brazil reveal staggering inconsistencies across the legislative landscape. Some of the privacy policies we know today have been around since the 1970s.

“While the European Union’s General Data Protection Regulation serves as the gold standard among data privacy regulations, Brazil’s complex privacy laws remain a close competitor,” said Alec Christie of Clyde & Co., based in Sydney, Australia. “The less complex we make the rules, the better chance we have to apply them.”

As the race intensifies, Australia gears up for a modernization battle, unleashing 116 proposals for change and causing Christie’s phone in Sydney to ring incessantly.

What does this mean in the U.S.?

If you wonder how this affects you here in the U.S., we turn to current trackers, as reported by iapp.org. With more than 50 pieces of pending state legislation currently in review, only nine states have signed regulations that are currently enacted. These states are California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah and Virginia, according to the U.S. State Privacy Legislation Tracker from iapp.org updated May 26.

While Australia, Brazil and the European Union contend with fair and proper client onboarding and off-boarding standards, the United States struggles to maintain consistency in standard consent to process sensitive data. Other countries require client-specific consent to process their sensitive information.

In the U.S., the prevailing approach to data privacy revolves around the concept of opting out. This principle puts the burden on individuals to actively seek out and request to be excluded from data collection and usage. This may seem like a reasonable option on the surface, but it creates several problems and much disparity when compared to the more stringent opt-in principle under the General Data Protection Regulation in the European Union.

A primary concern with the opt-out approach is that it assumes individuals have knowledge their data is being collected and processed. In reality, many consumers are unaware of the extent to which their personal information is collected, shared and monetized by various entities. This lack of awareness undermines the concept of informed consent and limits individuals’ ability to exercise control over their own data.

Moreover, the opt-out principle often leads to a situation where individuals are inundated with complex privacy policies and settings requiring significant effort and time to navigate. This puts an undue burden on consumers, who must wade through convoluted terms and conditions, locate the opt-out options, and manage their preferences across multiple platforms and services. As a result, individuals may unknowingly surrender their privacy rights or become frustrated with the cumbersome process, leading to a lack of trust in the industry.

In contrast, the GDPR’s opt-in principle, known as “explicit consent,” places the onus on organizations to obtain clear and affirmative consent from individuals before processing their personal data. This approach empowers individuals by ensuring they are actively involved in decision-making regarding the use of their information. It promotes transparency, accountability and a greater sense of control over personal data.

A concerning reality

For firms and their producers undergoing business transformation efforts, this means that intermediaries or middlemen who have been hired to help optimize a practice, automate a process or even modernize a product platform have access to extensive client data. For firms and their producers in the U.S., the current less-stringent privacy laws present a concerning reality.

Under the current U.S. privacy landscape, intermediaries hired by insurance companies and firms can easily access vast amounts of client data without having robust safeguards in place. This poses significant challenges to maintaining the privacy and security of client information, as these intermediaries may not be held to the same stringent privacy standards as are the primary entities they work for.

Some of the states mentioned previously have data privacy laws that carry safety provisions. The California Consumer Privacy Act and the recently enacted California Privacy Rights Act include provisions related to de-identification. At the federal level, however, there is no overarching requirement for companies or intermediaries to de-identify personal client data. Again, the absence of comprehensive federal data privacy legislation leaves gaps in regulatory standards and best practices, leading to variations in data protection practices across industries and, more notably, the insurance space.

Narrowing the scope

Given that the first American insurance company was established hundreds of years ago, it’s hard to imagine a time before the enactment of the Health Insurance Portability and Accountability Act of 1996, which established crucial privacy standards that continue to govern our clients’ data. HIPAA has played a pivotal role in raising awareness about data privacy and personal information in the insurance industry. HIPAA introduced comprehensive regulations establishing a critical foundation for safeguarding sensitive data.

The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, addresses data privacy concerns in the insurance and financial services industry by requiring financial institutions to establish safeguards for protecting consumer information. Under the act, institutions must develop privacy policies and provide customers with notice about how their information is collected, shared and protected.

There are obvious differences in scope and application: HIPAA and GLB apply primarily to health care providers, health plans, and the broader financial services and insurance industry. Their data privacy guidelines and disclosures focus on the protection of personal health data and consumer information sharing practices in these specific industries. The GDPR, on the other hand, extends its reach to any organization that processes personal data of individuals within the European Union, regardless of industry or sector. This broader scope ensures a more comprehensive and consistent approach to data privacy across various domains, including insurance.

NAIC is a guiding force

In today’s rapidly evolving digital landscape, where data breaches and cyberthreats loom large, the National Association of Insurance Commissioners has stepped forward as a guiding force, shaping data privacy laws and regulations in the U.S. The patchwork nature of data privacy legislation in the U.S. poses significant challenges to offering sound guidance to businesses, organizations and communities. With varying laws and regulations at the federal, state and local levels, the absence of a comprehensive and harmonized framework hinders the establishment of clear and consistent guidance on data privacy strategies.

Through its dedicated working groups and proactive initiatives, the NAIC has recognized the paramount importance of data privacy in the insurance industry and is working diligently to enhance cybersecurity practices and provide invaluable guidance to insurance carriers and producer groups.

On privacy protections, the work of the H Committee, the NAIC’s committee on innovation, cybersecurity and technology, brings promise to a model law that will make its way to the state level for consideration. Former Arizona Department of Insurance Director Evan Daniels states, “We have to accept our regulatory system and structure and understand it to navigate towards our mutual big goals. We have to make certain the model law we are rolling out is not outdated; it needs to be iterative.”

As an attorney at Mitchell Sandler, Daniels expresses his concern over the sheer volume of moving legislation and the legal community’s inability to offer guidance on matters that are still unsettled. Daniels is a national leader on insurtech/fintech matters, advising clients on regulatory strategy in the U.S.

What this means for producers and carriers

As producers continue to flourish in remote and hybrid work conditions, their ability to keep up with global standards establishing safer working conditions becomes challenged. In the wake of the pandemic transition, a staggering 73% of remote workers were not provided with any cybersecurity guidance for their new work-from-home conditions.

Although larger corporations may deliver internal resources to guide their employees on data protocols, the everyday insurance producer working remotely is left in the dark. The guidance they seek is still scarce, leaving them unsure about where to obtain the necessary information to protect their clients’ data.

Independent insurance workers find themselves distanced from the resources and knowledge centers that corporate employees have access to, so the burden of securing their Wi-Fi, encrypting data, and upgrading their hardware and devices falls squarely on their shoulders.

Insurance carriers, represented by producers, may be inclined to operate under GDPR-like guidance. However, intermediaries such as broker general agencies and independent marketing organizations have their own privacy standards. These privacy standards become further watered down once intermediaries enter the relationship, as they are one step removed from the creation of the insurance product and the stringency with which the client-to-carrier data collection process operates on a day-to-day basis.

Although a standard business manual from brokers’ favorite BGA/IMO may appear comprehensive, it fails to address governance for data privacy. This can raise concerns for both the client/insured and the broker/producer, which can expose the insurance carrier to unintended data privacy breaches.

Through collaborative efforts, shared expertise and a commitment to empowering insurance professionals, can we bridge the gap and ensure that every individual, regardless of their work environment, can protect themselves and their clients from the threat of data breaches and the inappropriate sharing of personal information? In the high-stakes world of data privacy, the line between protection and vulnerability is razor-thin.

The absence of a comprehensive federal data privacy law in the U.S. leaves organizations on a precarious edge. There is no explicit requirement for companies or intermediaries to de-identify personal client data, so it becomes crucial that organizations take a proactive approach to data privacy and consider implementing de-identification techniques and other security measures as part of their privacy strategy.

In the insurance space, where multiple parties are involved, nascent blockchain solutions have shown potential for safeguarding techniques. Despite its lack of adoption, this distributed ledger technology can store, encrypt and share personal client data within a network to address data privacy challenges. The transparency of these ledgers allows all parties across the value stream to access the necessary information, while ensuring confidentiality and anonymity.

As data privacy concerns intensify, we seek to grow closer to the truth through sound legislative guidance and trustworthy systems, which become paramount to earning the trust of future clients in the rapidly evolving insurtech space.

Sue Kuraja

Sue Kuraja has been in the financial services industry for 20 years, with more than 15 years of experience in business development, scaling insurance and financial services product distribution. She is an avid researcher of emerging trends in the tech space and their ability to modernize the insurance industry. Sue is dedicated to transforming the insurance industry and growing tech-ed knowledge within the broader insurance marketplace. She may be contacted at [email protected].
