Insurers will soon find out about the potential risks they will face when new European Union privacy rules are unveiled in the new year. In the first big update of data protection legislation since 1995, businesses that are found to have mishandled any personal data they hold – on customers, suppliers or employees – could be hit with a fine of up to 5% of turnover.
Insurers themselves are directly exposed to such risks, as the UK operation of Zurich has already demonstrated. It was fined £2.3m ($3.6m) last year by the Financial Services Authority for losing the personal details of around 46,000 customers. The data went missing in 2008 en route to a storage centre in South Africa, and it took Zurich a year to realise it had disappeared.
The measures are now being finalised by the European Commission and will then have to be approved by national governments before they take effect. The whole process could take years, but that at least gives the industry time to prepare: as well as implementing their own risk management safeguards, insurers can start working on wordings for new data insurance products.
The proposals will significantly bolster the EU's powers to prevent data protection breaches, such as when companies sell customer data to third parties without authorisation or fail to adequately protect information held by social networks and cloud computing services.
A number of the proposals have leaked from Brussels ahead of the official release. It seems that companies will have 24 hours to notify data protection authorities and the affected parties in cases where private data are compromised.
Companies with more than 250 employees will have to train dedicated staff to look after data protection issues.
The commissioner for justice and fundamental rights, Viviane Reding, has indicated that she would ask all websites, including social networking sites like Facebook, to seek explicit consent from their European users before preserving their IP addresses.
In practice this could mean a 'consent box' appearing every time an individual user's IP address is passed to a website offering goods and services, which many e-businesses believe would slow online transactions or deter consumers from using their sites.
Some measures could have a big impact on social media. A controversial "right to be forgotten" will force sites like Facebook and LinkedIn to allow users to delete information they have posted online, even after having previously given their consent for it to be public.
Reding was speaking in November at a conference on data protection staged by the US Chamber of Commerce. Because the rules would also apply to the European subsidiaries of foreign groups, global companies would be forced to strengthen their data policies.
The commissioner said that the reforms would seek to unify the data protection regimes across the EU as currently each member state applies varying rules to data protection. A fragmented approach was costing the EU €2.3bn ($3.1bn) each year in lost business, she claimed.
But again, insurers and reinsurers need to look on the bright side. The new rules should be a fillip for the nascent data security insurance industry.