An Ontario resident approached a direct writer for an auto insurance quote in March 2005. A new customer, the man gave the insurer his name, date of birth, vehicle information and property information. Upon receiving the quote, he took his auto insurance business elsewhere.
Little did he know, the insurer would retain his data for the next eight years.
The customer found out in 2013 when he requested to access his personal information from the insurance provider. The insurer confirmed to him that it had retained his personal information from the 2005 quote. Upon the man’s request, the insurer, a subsidiary of a Canadian bank, deleted the personal information from its database.
But the discovery stuck in the craw of the consumer, who filed a complaint with Canada’s privacy commissioner. In resolving the complaint, the insurer explained that its records management system and retention periods were set by its parent organization, the bank. Under the bank’s policy, a seven-year retention period applied to records such as declined or withdrawn insurance quotes, as well as to records related to declined and withdrawn applications for other bank products (e.g., credit cards, loans, mortgages, etc.). The purpose of retaining the data was to substantiate a lack of bias or discrimination in the approval or declining of a product, the insurer said.
But the consumer couldn’t understand why his information had not been deleted after seven years, as per the bank’s policy. He also didn’t understand why a seven-year retention period would apply to personal information collected for an insurance quote that is valid for only 60 days.
Canada’s privacy commissioner sided with the complainant. The insurer thus narrowed its retention period for auto quotes to three years, reflecting standard fraud prevention requirements. By November 2014, the insurer’s system automatically deleted each month all auto quote records after three years.
Problem solved, right? Not so fast…
Data collection remains a hot – and sensitive – topic in the industry. As data becomes the next hot currency akin to gold, a type of confidence game is developing: Can the industry be trusted with a consumer’s private information?
Whose information is this, anyway?
Discussion about data always boils down to where the information came from in the first place, insurers and brokers say. “‘Whose information is it?’ That’s the question,” says Brenda Rose, vice president of FCA Insurance Brokers. “It’s the customer’s information. It’s not the insurer’s and it’s not the broker’s information. It’s only ours in our role as representatives of the customer. We are custodians of that information because that’s where our duty lies, legally. When we are sharing information with the insurer, we are doing so on behalf of the customer.”
Based on this fundamental understanding, the Insurance Brokers Association of Canada (IBAC) prepared a report in 2014 on appropriate data usage. IBAC CEO Peter Braid summarized the essence of the report saying that IBAC “supports PIPEDA fair information principles.”
In an email to Canadian Underwriter, the Office of the Privacy Commissioner of Canada reiterated that the Personal Information Protection and Electronic Documents Act (PIPEDA) outlines 10 principles of fair information practices, including:
Using or disclosing personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the act.
Keeping personal information only as long as necessary to satisfy the purposes.
Putting guidelines and procedures in place for retaining and destroying personal information.
Keeping personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
In addition to supporting these and other PIPEDA principles, Braid says, IBAC believes “consumers’ consent for direct or indirect use or disclosure of their personal information must be explicit and must not be assumed by default.”
Is the industry making clear the purposes for which it collects consumer data?
“We don’t need more regulation, but we might need more transparency around how information is being used and what it’s being used for,” Rose says. “What’s evolving is the use to which people can put the information. If a carrier collects information and all they do is generate a quote with it, that’s fine. If they then try to use it to do some kind of analysis and learn something about this client and then come back to the client in some way that was not intended by the customer, that’s when it’s crossing the line.”
If a client doesn’t know how insurers are using the data, then it’s difficult to know whether the consumer has given the insurer consent to use that information for the purpose to which it is put.
“I think there’s a bit of a grey area in the industry as to whether explicit or implied consent is required for certain activities,” says Colin Simpson, CEO of Insurance Brokers Association of Ontario (IBAO). “One example is marketing activities. If you as a consumer have gone in to get a quote from an insurance broker, have you then opened yourself up for any company to which you have provided this quote to market directly back to you again? To me, the answer is no.”
Another ambiguity comes out of conflicting contractual terms – both within and outside the P&C industry — that define personal and commercial information and retention policies differently, as Simpson points out.
“In Motor Vehicle Reports [MVRs, which show an Ontario customer’s driving history] and AutoPlus Reports [which show auto claim history], for example, the collection of the data held in those two reports are governed by MTO [Ministry of Transportation Ontario] rules and regulations, which are quite different than industry norms,” Simpson says. “Most [insurance] company contracts with brokers will state that you have to retain all information on a client for seven years. But if that client leaves the brokerage, you’ve got 30 days to destroy the personal data in an MVR or AutoPlus, so there are conflicts we have resolve within our industry to make sure we are all on the same page.”
Issues around data collection have more to do with just regulation and compliance, Rose says. There’s also the data security issue.
“If you are a brokerage or a carrier, and you are retaining all kinds of information, everything you retain is a security hazard,” she says. “If you are breached and a bad actor then has access to it and abuses it, then you now have a responsibility or a liability. You have to weigh the need for retaining [the information] for self-protection – to prove why you made a decision – versus a potential risk if you get hacked.”
Privacy and security are fundamental data issues, to be sure. But perhaps the greatest sensitivity around the use of consumer information cuts to the core of the trust between brokers and insurers. This, above all, is a distribution issue.
“It comes down to broker-carrier relationships,” Rose says. “If, as a broker, I shared information with a carrier and then subsequently found out they were sharing that information with someone else because they weren’t successful at obtaining the business with us, then I would not be able to trust that relationship. The vast majority of carriers are careful about this and, before they start talking about a file with a different broker, they require authorization from the insured.”
Privately, brokers have told Canadian Underwriter data collection stories that make them nervous. The underlying fear is that insurers are using client data supplied by brokers to establish a direct relationship with clients, thus cutting brokers out of the action.
Several have queried insurers’ attempts to collect personal information such as a client’s email address, for example. “Where companies cross the line is when they insist on sharing of email addresses,” Rose says. “[Such] companies believe that for retention, they need to get between us and the client. They are trying to build a direct relationship with the client rather than go through the broker.”
The issue of sharing email addresses came up late last year, when brokers made reference to a strategy outlined in Intact’s 2018 Annual General Report. In its report, Canada’s largest insurer made known its desire to be actively digitally engaged with three out of four of its customers by 2020.
Intact stresses that it’s voluntary for clients to provide their email addresses. “Our current business practices regarding email communications to customers remain unchanged,” an Intact spokesperson tells Canadian Underwriter. “Customers have a choice if they want to provide their email address. For example, customers may choose to share their email in order to receive various correspondence from us, like updates on claims.”
The company went on to say that “we appreciate brokers’ concerns about the protection of customer information. We are committed to protecting customers’ privacy, especially when it comes to the collection and use of their personal information. We have updated the language in our broker agreement to reinforce this. Brokers can expect to hear more from their business development teams about this over the coming months.”
To be clear, brokers are not singling out the activities of individual companies when they discuss data collection; their concerns are industry-wide. When asked about what brokers are saying about data collection, Insurance Bureau of Canada (IBC), the trade association representing Canada’s P&C insurers, took no position on the matter, because broker distribution issues fall outside of its mandate.
That said, insurance companies are well aware of the brokers’ sensitivity around data collection. The issue about whether brokers can trust insurers not to use consumer data in a way that will harm the broker channel came up last October at the IBAO annual convention. Insurers on a CEO panel expressed surprise that brokers would harbour any suspicions about such a matter.
“I guess the question would be, why would you [insurers] do that?” Bob Tisdale, president and CEO of Pembridge Insurance Company, asked rhetorically at the IBAO Convention. “Why would you take data that your broker has given you and then turn it around and use the data against the broker?
“There will be a lot more usage of data to help brokers acquire customers, and help them understand where the best risks are, and the characteristics that create the best risks, the best loss ratios, and the best retention. We’ve done a lot of work on helping brokers understand the lifetime value of the customer; how likely that customer will be to retain; and how much profitability will be in the customer over time. That’s where the focus is; not on how to cut the broker out. If we did that, you would stop supporting us.”
Louis Gagnon, president of Intact Financial Corporation’s Canadian operations, noted at the IBAO Convention that Intact sold 20% of its business through the direct channel a decade ago. Now the percentage is down to 10%, implying that more of Intact’s business is done through the broker channel.
“We’ve invested $7 billion in the broker channel over the last 10 years,” Gagnon said at the panel. “Tell me how much I stand to lose if I do stupid things like using your data to promote my own goods? I want you to know, we want to use the data for the right reasons in the channel from which the data came….There is a fear in this world of data, that we will use data in a way that is not proper. Like Bob [Tisdale] was saying, if that happened, we would be dead.”
Some of the brokers’ misgivings are based on misunderstandings, which points to the need for greater clarity within the industry about data collection and retention policies. In Ontario, IBAO is trying to gather insurers, regulators, tech vendors and other stakeholders around a table to make sure a consumer’s data is protected.
“It’s in all of our interests to ensure that consumers are protected when they come to our industry,” Simpson says. “We’re going to get everyone around the table and have a discussion, understand what the issues are, and see if we can come up with some resolutions. As an industry, if we don’t do this, the regulators will enforce something on us, which might not be as palatable as what we could come up with ourselves. If we can come up with processes and procedures that protect consumers, hopefully the regulators can support it….
“Data itself is just becoming a more important asset in the industry. At the end of the day, you are down to asking: ‘Are we doing what we need to do to protect consumers?’ It’s an evolution of our business model. If we can do this before the horse leaves the barn, it might be a bit easier.”