Responsibility for the data of the insurance carrier in the face of telematics

Are insurance carriers addressing the risks created by the collection and storage of policyholder personal information (PI) within connected devices in cars?  (Vladimir Stanisic/Shutterstock) Are insurance carriers addressing the risks created by the collection and storage of policyholder personal information (PI) within connected devices in cars? (Vladimir Stanisic/Shutterstock)

I recently bought a used infotainment system on eBay that came from a total loss vehicle. I quickly realized that it belonged to “Jack”.

Jack is a vice president of a regional bank. He lives in a $2.7 million home. He and his family’s social security numbers were saved in the device’s contact book, which was saved when he synced his phone to the device. It also contains contact information for his company’s CEO, CFO and general counsel.

There was information about his bank and online accounts of all kinds, including multiple logins, PINs and passwords. A text message exchange with colleagues revealed crucial non-public information about the bank he worked for as well as personal data, all of which are great starting points for any bad actor to launch a business email compromise or phishing attack.

Jack never realized that this information, which I immediately deleted, was out in the open. His auto insurance company could have easily mitigated this risk and at the same time dramatically improved its compliance with various federal and state laws by properly erasing this data before Jack’s car was sold.

Known risk

Car manufacturers’ privacy policies reveal that many vehicles today can collect, store and transmit various categories of data that fall within the legal definition of non-public personal information (NPI or PI).

Automakers have admitted to the Federal Trade Commission that the vehicles capture “sensitive personal information” such as the driver’s geolocation, biometrics and behavior.

Additionally, when vehicle users such as drivers and passengers (including minors) connect their smartphone via USB, Bluetooth, CarPlay and other related software, additional PI is transferred and stored in the vehicle’s infotainment system.

The technological content of vehicles, new state and federal laws, and the focus of regulators, the public, lawyers, and attorneys filing individual and class action lawsuits are growing rapidly. Therefore, insurance carriers need to start paying attention to how to reduce their own risk and the risk of their policyholders by managing PI stored in vehicles.

The legal landscape

The US has a complex mix of more than 200 federal and state laws governing the protection of consumer data, including data security, data disposal, biometrics, unfair and deceptive practices and practices, and data privacy laws. Insurance carriers are also specifically regulated in 39 states and Washington under the National Association of Insurance Commissioners (NAIC) Model Information Protection and Privacy Act (Model 670) and Model Consumer Information Protection Standards Act (Model 673).

Model 670 Privacy Statutes apply in the 18 states of the District of Columbia. Covered Entities must have reasonable and reliable means to access, modify and permanently delete personal information upon request. This includes vehicles.

Model 673 Information Protection states that covered entities must take “reasonable technical and administrative measures” to protect PI from unauthorized or inadvertent disclosure. This applies to 33 states plus the District of Columbia. All PI collected by “direct or indirect means” is covered by these state acts, including when the information is not used. This definition includes PI collected from vehicles. Carriers have an obligation to dispose of data that no longer serves a legitimate business purpose in those states, even in the absence of a consumer data subject’s request. Deletion should be done by default.

Rental cars and lenders

Privacy4Cars routinely surveys a variety of vehicle portfolios. Rental vehicles consistently have the highest incidence of user PI, with nearly 99% of vehicles surveyed to date containing PI, often from multiple previous renters. All four leading rental operators were sued for failing to delete user PI after each rental, thereby exposing users’ information to other renters, employees and unauthorized third parties. Two six-figure settlements have already been reached in related lawsuits.

Insurance companies are among the biggest buyers of rental car services. Increasing repair complexity and ongoing parts shortages mean average rental days per claim are increasing, resulting in more costs, more insured PI and more exposure. To limit their exposure, P&C carriers should begin requiring rental providers to delete policyholder PI after each rental and compliance records as a condition of doing business. Manufacturers recommend deleting the PI. The National Institute of Standards and Technology NIST 800-88 Rev.1 states that data sanitization is the minimum standard for sanitizing data for “reasonable security.” Erasing PI from cars is the only way to achieve the “reasonable technical and administrative measures” required by the Model 673 laws.

Total loss of vehicles

Over 90% of the total lost vehicles for sale reviewed by Privacy4Cars that can capture user data contain PI. The party responsible for protecting this PI is the carrier because when a total loss occurs and the claim is paid, ownership of the vehicle is transferred from the policyholder to the carrier.

At that time, the carrier becomes the owner of the vehicle and everything it contains, including the PI of the policyholder and their family members. As with any electronic repository containing customer PI, the carrier now has a fiduciary duty to protect it, even if the collection was inadvertent. Carriers must no take this responsibility lightly, as the sale of devices containing user PI can result in significant liability, as in the recent $60 million settlement against Morgan Stanley.

Fortunately, insurance carriers have multiple options for mitigating this risk by requiring the deletion of PI from vehicles as part of their standard checklist prior to the sale of assets. This operation can be performed by tuning specialists, garages, towing companies or car auctions in a short time and at a reasonable cost. And in this case, a consistent, standardized and measurable process is key to proving your compliance.

From obligation to opportunity

In addition to legal obligations, carriers can benefit from the protection of PI collected from vehicles in at least two ways.

First, reducing the data footprint can reduce the risk to their policyholders (eg many vehicles contain home address and garage door codes).

Second, discussing the protections you put in place when your policyholders need a rental or suffer a total loss can start an important conversation about data security, including additional protections you might offer (e.g., identity theft protection, cyber insurance) to reduce your customers’ risk.

There are three devices in particular that collect mountains of data from users: computers, phones, and vehicles. By leading the conversation about data privacy and security in vehicles, insurers can create a lasting impression of end-to-end care and provide unique value and peace of mind. Their policies will thank you.

Andrea Friend ( [email protected]) is the CEO and founder of Privacy4Cars. She is a leading authority on vehicle privacy and cybersecurity.

See also: