InsurTech Legal – CyberSecurity, Privacy and Secure eMail
Cybersecurity, secure email, protecting personal health information, and privacy should be the number one priority in Insurtech. Meeting all compliance standards is without question or debate a foundation of every aspect of all life insurance and retirement product launches, including internal and external processes, front office and back office systems, data and document exchange, and all forms of communication. – Ken Leibow
INSURANCE INDUSTRY PRIMER
Authored by Benjamin P. Sykes
Insurance Industry for InsurTech Noobs
So you developed the newest insurance innovation that is going to revolutionize the industry – congratulations! But we also have a couple of questions:
What sector of the industry? Property & Casualty? Life? Health? Title?
Where in the revenue cycle is your innovation going to make the biggest difference? Distribution? Underwriting? Claims? What about Finance or Reinsurance?
Will your innovation be regulated and if so by what jurisdictions? Just the state you’re doing business in? All 50 states? The Feds? How long does it take to obtain those licenses and permits?
If you think these sound like arbitrary questions from an ancient industry that is resistant to change and ripe for innovation, you wouldn’t be too far off. But knowing why the questions are asked in the first place, and the appropriate answer to each, will let you refine and target your innovation so that it has the greatest impact on the industry. It also raises the likelihood that your investor pitch lands on receptive ears, particularly when you are conversant in the insurance regulatory compliance matters that affect your great new insurance idea.
A Deloitte study on InsurTech has found that traditional insurance companies are avoiding startups that don’t understand their industry and that “InsurTechs need to refine their pitches to align to real-world challenges for insurers, while demonstrating both industry and technical expertise … [and know] ahead of time where legal and compliance issues might arise.”
To that end this publication is intended to provide InsurTech startups with a primer on how the insurance industry really works (that way you won’t sound like a total noob when you are walking the floor of InsurTech Connect).
The effective date for the California Consumer Privacy Act (CCPA) is January 1, 2020. With fewer than 60 days remaining, covered businesses must be ramping up to meet the requirements of the CCPA. The CCPA affords several rights to California residents (as the term “consumer” is defined by the Act) as to personal information collected by a covered business. Among these rights are: (1) the right to request disclosure of personal information collected and the uses therefor (§ 1798.110(a)); (2) the right to request deletion of personal information collected by the covered business (§§ 1798.105(a) and (c)); and (3) the right to receive that information from the covered business (§ 1798.100(d)).
This article focuses on the second – the consumer’s right to request deletion of personal information, often called the “right to be forgotten.” This right obligates covered businesses directly, and covered businesses must in turn obligate their service providers. Under § 1798.105:
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
* * *
(c) A business that receives a verifiable consumer request to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
If the Proposed Regs are adopted, we note that before any information is deleted, the covered business must acknowledge within 10 days the receipt of the verifiable consumer request to delete. See Proposed Regs § 999.313(a).
eM4 Compliant Email
Email encryption is a reality today, so why not use the most compliant service that doesn’t require logins or passwords? The eM4 B2B model requires no user training; in fact, users don’t even know they’re using it. The B2C model does not require authentication, and when you need to identify the receiver, PaperClip’s Wallet Authentication is both user-friendly and provides “Proof of Delivery”.
Security Awareness for the Modern Life Insurance Firm
Over the last decade we’ve seen a huge shift in the way technology creates efficiencies and interacts with our everyday life. We went from a world where caller ID was the biggest innovation to the present day, with Uber providing personal drivers at the click of a button, groceries delivered to your door, and bank deposits made by using your mobile device to take a picture of a check. Information that used to be held close is now communicated across the internet. These conveniences also increase your cybersecurity risk. The Life Brokerage Technology Committee (LBTC) hosted a great webinar presented by Mark Grosvenor, CTO and Executive Vice President of NFP.
TLS Secure Email
Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients.
Transport Layer Security (TLS) is a security protocol that encrypts email to protect its privacy. TLS is the successor to Secure Sockets Layer (SSL).
Opportunistic TLS: Many consumer ISPs and mailbox providers, including Comcast, Google, Microsoft, and Yahoo, use TLS by default, but when a secure connection isn’t available (both sender and recipient need to use TLS to create a secure connection), the provider will deliver messages over non-secure connections.
Forced / Enforced TLS: You can configure your TLS setting to require a secure connection for email to (or from) specific domains or email addresses that you list. This requires TLS for inbound and outgoing connections and returns a non-delivery report to the sender if the recipient does not support TLS. It is not practical to turn on Forced TLS for all connections, as not every mail server supports TLS.
What happens to email to (or from) domains that don’t use TLS?
· Outgoing Mail: Mail won’t be delivered and will bounce. You’ll get a non-delivery report (NDR). Only one send attempt is made (no retries).
· Incoming Mail: Mail is rejected without any notification to you, although the sender will receive an NDR.
Key features of TLS include:
· Encrypted messages: TLS uses certificates issued through a Public Key Infrastructure (PKI) to set up an encrypted session between mail servers, so messages are encrypted in transit from mail server to mail server. This encryption makes it more difficult for attackers to intercept and read messages.
· Authentication: TLS supports the use of digital certificates to authenticate the receiving servers. Authentication of sending servers is optional. This process verifies that the receivers (or senders) are who they say they are, which helps to prevent spoofing.
Best practice is to have both parties work together to establish a Forced TLS connection between their respective email domains. This ensures that all emails between the two parties are sent securely. While this is a one-to-one connection and takes additional time to configure, there is no ongoing or per-transaction cost to consider.
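To make the opportunistic-versus-forced distinction concrete, here is an added example (not from the original page or any vendor's product) that probes a mail server for STARTTLS support and certificate validity with Python's standard library, and maps the result onto the delivery outcomes described above. The policy names and the `delivery_decision` function are this example's own constructions; `probe_starttls` needs network access to an MX host you administer or are permitted to test.

```python
import smtplib
import ssl

# Policy names are constructed for this example, not a vendor setting.
OPPORTUNISTIC = "opportunistic"   # use TLS if offered, else fall back to cleartext
FORCED = "forced"                 # require verified TLS, otherwise bounce with an NDR


def delivery_decision(policy, peer_offers_starttls, cert_verified):
    """Map a peer's TLS capability onto the outcome for an outbound message.

    Returns 'deliver-encrypted', 'deliver-cleartext' or 'bounce-ndr'.
    """
    if peer_offers_starttls:
        # Opportunistic mode encrypts even when the certificate cannot be
        # verified: it hides content but does not authenticate the peer.
        if cert_verified or policy == OPPORTUNISTIC:
            return "deliver-encrypted"
        return "bounce-ndr"          # forced mode refuses an unverifiable server
    if policy == FORCED:
        # No secure connection: the message is not sent, the sender gets a
        # non-delivery report and (per the page) no retry is attempted.
        return "bounce-ndr"
    return "deliver-cleartext"       # opportunistic fallback to plaintext


def probe_starttls(host, port=25, timeout=10):
    """Return (offers_starttls, cert_verified, error) for one mail server.

    ssl.create_default_context() checks the chain and the hostname, which is
    the server authentication the 'Forced TLS' mode depends on.
    """
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, False, None
            try:
                smtp.starttls(context=ctx)   # raises SSLError on a bad cert
                return True, True, None
            except ssl.SSLError as exc:
                return True, False, str(exc)
    except (OSError, smtplib.SMTPException) as exc:
        return False, False, str(exc)


def check_partner_domain(host, policy=FORCED):
    """Probe `host` and report what the chosen policy would do with mail to it."""
    offers, verified, _ = probe_starttls(host)
    return delivery_decision(policy, offers, verified)
```

Run `check_partner_domain("mx.partner.example")` (a placeholder host) against each partner's MX before enabling Forced TLS for that domain; a `bounce-ndr` result means mail to that partner would stop flowing until their server offers STARTTLS with a valid certificate.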
Managing Cyber Risk
Business and technology both play a key role in managing cyber risk. Regardless of what type of business you have, you need to implement a plan for protection, because today’s cyber attacks are becoming more sophisticated and more dangerous. Cybersecurity needs to become part of the everyday operation of your business in order to keep it healthy. Today’s top issues are cybersecurity and privacy. PwC has critical information you can apply to protecting your business.
An expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small businesses up to the Fortune 100. Nick founded Windy City Networks, Inc. in 1998 at age 19; the company was acquired by BSSi2 LLC in 2013, where he is now CIO. In 2015 he launched Security Fanatics, a cybersecurity/cyberwarfare outfit dedicated to designing custom cyberdefense strategies for medium-sized to enterprise corporations.