The personal lines insurance industry is just breaking into the world of mobile device applications, or “apps.” From auto insurers offering digital proof of coverage to life insurers giving policy quotes directly to shoppers, insurance apps offer carriers a new platform to attract, interact with and retain policyholders. Today, the failure of a consumer-oriented business to provide an app is viewed by many like not having a website: a signal that a company is out of touch and behind on the efficiencies enabled by technology.
That said, an app is not an easy product for an industry as regulated as personal lines insurance. Insurers must find a way to reconcile the features customers want from apps with what the law requires about the collection, storage and use of consumer information. Complicating matters further, in addition to the requirements of the digital world, insurance regulations designed for a paper-based world follow carriers into the digital realm, introducing a unique set of compliance and privacy considerations.
While every app developed is different, below are three important considerations when developing or offering a personal lines insurance app.
While Delta was ultimately able to get this case dismissed last May, it did so with an argument unavailable to insurance carriers. Delta successfully argued that CalOPPA was federally preempted by the Airline Deregulation Act, which bars states from regulating “services” provided by airlines. By contrast, with the insurance industry regulated almost entirely at the state level, an insurance carrier caught in California’s cross hairs for a CalOPPA violation would not have a federal preemption argument as a defense, potentially exposing a carrier to CalOPPA’s extreme statutory penalty.
An app is an opportunity to distribute digital notices, but be aware that app functionalities may also trigger notice requirements. Almost all states require personal lines carriers to provide privacy notifications to their policyholders. Based in large part on the notice requirements of the Gramm-Leach-Bliley Act and the National Association of Insurance Commissioners Model Privacy of Consumer Financial and Health Information Regulation, these state statutes or regulations typically require an initial and annual distribution of a privacy notice that both explains how a customer’s information will be used and provides them with an opt-out (or, in some states, opt-in) from certain types of third-party information sharing.
In many cases, a mobile app is an asset for the distribution of these notices. Most states explicitly permit a carrier to distribute notices electronically, provided a person grants permission for electronic distribution. A mobile application provides a platform for obtaining consent for electronic notice distribution, as well as a low-cost method to distribute notices that may otherwise be printed and mailed. In this instance, an app can save carriers money.
That said, certain app functionalities require a carrier to be mindful of whether any notice distribution requirement is tripped by automated app activity. For example, Virginia requires that a carrier or agent deliver a notice of information collection and disclosure practices (NICDP) to policy applicants. This is a separate requirement from the Gramm-Leach-Bliley-inspired privacy notice (though the two are permissibly consolidated into one notice). The NICDP must be delivered either when a policy is placed or, if the carrier seeks information about an applicant from a third party (like a credit bureau), prior to the carrier’s obtaining this third-party information.
If a carrier offers an app that provides policy quotes, and in the process of pricing these quotes accesses third-party information sources, then preparing a quote for a Virginian has possibly tripped its obligation to provide an NICDP prior to any policy being placed or quote prepared. This is an easy problem to solve—obtain consent for electronic notices and provide the NICDP within the application prior to the submission of information—but it is an example of how certain app functionalities may trigger traditionally paper-based notice requirements.
Protect The Information
States have taken various approaches to protect their residents from the loss or theft of private information. Massachusetts and Nevada have passed laws or regulations that require the encryption of personal information, such as account numbers or other identification numbers, when stored in conjunction with a person’s name. In Nevada, businesses are required to encrypt data that is both transmitted electronically and stored on PCs or mobile devices. In Massachusetts, if personal information is stored on company mobile devices or PCs, these devices must be encrypted. Both states apply their statutes or regulations to businesses that have customers or operations in their states, impacting any company with a national footprint.
To be clear, this is not a requirement to encrypt your customers’ phones or tablets. Rather, when it comes to apps that collect and transmit information about your customers, this is a requirement to ensure that the transmission is secure and that, once received, the information is stored on a secure and encrypted device. If you are considering an app or have one in place, it’s quite likely that this is already a top priority, but it bears noting that it might also be a legal obligation.
Catering To Consumers
An app is important and a de facto requirement of many modern businesses. Modern consumers expect the companies in their lives to cater to their mobile lifestyles and provide apps that facilitate their personal, financial and economic needs. Despite facing higher regulatory hurdles, the insurance industry is advancing to fill these expectations. As insurance apps become the norm, carriers must be mindful of their privacy obligations.
Matt Lewis is an associate in the insurance practice group of Drinker Biddle Reath in Philadelphia. He counsels personal lines insurance carriers on compliance, data security and customer privacy obligations. His practice includes the drafting of policies and procedures (including mobile app privacy policies), compliance auditing, security breach work and other regulatory and compliance challenges facing various types of personal lines products.