How new data and cyber security regulations could impact the insurance services industry

If your organization isn’t paying attention to new national laws governing cyber security and data privacy, you could be leaving yourself open to costly litigation and liability risk.

Just recently, California approved a sweeping new set of regulations designed to protect the personal data of consumers. The California Consumer Privacy Act of 2018 was designed to allow individuals to have more control over how their data is collected, used, stored, and distributed.

The law was written as a response to recent high-profile cyber security breaches, such as the Equifax data theft by hackers, and the privacy issues around the Facebook data collection used by Cambridge Analytica for political purposes.

Industry experts are keeping a close watch on how California’s new data protection laws will impact providers of insurance services. In general, the new regulation will impact insurance services providers all across the U.S., and will involve added risk, as well as provide new opportunities.

How? To understand, we need to look at the new laws a bit closer. The California Consumer Privacy Act of 2018 will require companies to provide consumers with complete information about how their data is being used.

That means that if a consumer requests it, they are now allowed access to information about what data has been collected by an organization, why it was collected, and what third parties have received their information.

You might think this sounds drastic, but the California law is NOT an isolated, fringe regulation. The new law is part of a larger pattern, as both the U.S. and Europe move toward protecting consumer privacy.

This is only the latest step toward more comprehensive regulations both here and abroad. The California law is similar to a law passed by the European Union, called the General Data Protection Regulation (GDPR), which also requires organizations to disclose how consumer data is being used.

The California law takes effect on Jan. 1, 2020. That is less than two years away, which means that now is the time to prepare.

The insurance industry is at particular risk of liability if the new laws are not followed, because insurance services handle a high volume of potentially sensitive data. Companies that violate the law could be at risk of costly penalties, and would be open to lawsuits and liability.

The increased risk comes with increased responsibility to be accountable for how data is collected and used, and to disclose that information to individuals and maintain transparency.

So, what does your organization need to know to protect itself? First, check out this list of requirements from the California law.

Which Insurance Services Providers May be impacted by New Privacy Laws

  • Businesses with annual earnings in excess of $25 million
  • Any business that receives more than 50,000 unique data records per year, or derives more than 50 percent of revenue from selling data
  • Any organization collecting and storing IP addresses
  • Any organization aggregating sensitive data

Do any of the above conditions apply to your organization? Chances are, they do. Almost every organization is now aggregating data on website traffic views, for example. And misuse and mismanagement of that information puts you at risk.

You can be fined $7,500 per record lost. The level of fines imposed could be catastrophic for companies.

You can’t afford to not be prepared. In our next blog, we’ll cover what information your company must protect to be in compliance.


Cost Financial has been a leader in premium finance for more than 25 years, since it was founded in 1989 in response to a lack of innovation and responsiveness in the industry. You can visit us online to learn more about us, our products, and what we can do for you.