Companies should be certain of their rationale for using private data
Considering the legal risks that accompany the use of private data, it is important to create, vet and publish privacy statements that are clear, accurate and in compliance with applicable laws.
By Bruce D. Hicks, CPCU, CLU
The Court Decisions column is a popular part of Rough Notes magazine. One reason for this is that the courtroom is where the promises made in an insurance contract often become real. All insurance professionals can develop “what if” scenarios, but until those scenarios are tested with an actual loss and a court decision, they remain mental exercises. This column comes from the industry expert contributors to Policy Forms & Manual Analysis (PF&M), a knowledge base consisting of more than 15,000 pages of coverage explanations from The Rough Notes Company’s digital solutions. The contributors dig a little deeper into one of those court decisions to identify a coverage problem, provide possible solutions and/or offer broader perspectives.
Liability arising from the handling of private data has become a major issue for all organizations. The peril lies mainly in the exposure created when unauthorized parties are able to access and misuse personally identifiable information.
The court case Citizens v. Mullins illustrates an increasingly common business situation. A food ingredient manufacturer implemented a program intended to monitor its workers. Besides tracking employee productivity, the program expanded the company’s data storage and tightened its payroll control. Its chief element was the scanning and storage of employee fingerprints.
A class action suit was filed on behalf of the workers, alleging that the program invaded employee privacy. Specifically, the personally identifiable information was collected without the workers’ permission, the company did not disclose how it would use the information, no company policy documented or explained the program, and the information was provided to third parties (vendors).
While the violations were evident, a legal battle was waged over whether a couple of exclusions in the CGL policies in effect during the three annual periods in which the violations occurred barred coverage. In the end, a high court found that coverage may be owed under one of the policies, and the matter was sent back to the lower courts for appropriate handling.
Incidents such as this remind and warn insurance and risk professionals that they can never relax. It is unlikely that the policyholder was satisfied with that portion of its insurance program, or with the people who provided its service.
Paying attention to privacy invasion exposures is incredibly important. Litigation and defense costs are expensive, and the frequency of lawsuits is increasing as consumers become more aware of the risks that accompany having their private information collected, stored, digitized and shared with other entities. Consumers are put at risk when the companies holding their data suffer breaches. In some instances that risk is compounded by data collectors that go so far as to sell the information to parties that plan to exploit it.
Regulators and lawmakers share this increased interest in privacy issues, and the regulatory environment is robust. While there are federal acts with significant requirements, more activity is occurring at the state level. Much of the increased activity is a reaction to the growing use and influence of artificial intelligence; AI concerns have also grown in response to reporting of problematic biases affecting algorithms.
Companies would be ahead of the game to establish measures for monitoring privacy laws as a critical guide to how private data should be handled. Attention should be paid not only to federal regulations but also to state and even international regulations, as they all influence each other.
A number of important acts include:
- Biometric Information Privacy Act (BIPA)—Illinois
- California Consumer Privacy Act (CCPA)—California
- Capture or Use of Biometric Identifier Act (CUBI)—Texas
- Children’s Online Privacy Protection Act (COPPA)—United States
- Digital Operational Resilience Act (DORA)—European Union
- Digital Personal Data Protection Act (DPDPA)—India
- Federal Act on Data Protection (FADP)—Switzerland
- General Data Protection Regulation (GDPR)—European Union
- Health Insurance Portability and Accountability Act (HIPAA)—United States
- Personal Information Protection Law (PIPL)—China
- Personal Information Protection and Electronic Documents Act (PIPEDA)—Canada
Common features of these laws are requirements for the consent of the persons whose information is used and for transparency about how the data is handled. The business sued in our featured case neither secured permission nor made any effort to explain its need to use the fingerprints (one form of biometric data) of its employees.
Considering the legal risks that accompany the use of private data, it is important to create, vet and publish privacy statements that are clear, accurate and in compliance with applicable laws. Statements should also be regularly monitored to ensure that accuracy and compliance are ongoing.
Fortunately, insurance and risk management professionals are able to assist their commercial clients in navigating their growing privacy risks. Ask what private information from workers and customers the client handles within its operations. If applicable, does the employee handbook discuss what worker information is used?
Discussions should include clear explanations of how and why such data is needed. What steps does the client take to make sure its use of private data complies with applicable regulations? Does the client have a published privacy statement? If so, is it regularly reviewed and updated?
Companies should be certain of their rationale for using private data, and their reasoning should include whether alternatives could meet their needs. That route should certainly have been explored by the company in our featured case, which likely faced major out-of-pocket litigation costs.
Rather than using sensitive information such as employee fingerprints, the company could perhaps have created its own employee ID numbers to monitor productivity and improve payroll tracking. Unlike a fingerprint, an ID number can be reissued if it is compromised, and this approach would have completely avoided the use of potentially invasive data.
The author
Bruce D. Hicks, CPCU, CLU, is an Indiana-based insurance coverage expert. Active in the CPCU Society, Bruce served as a governor of the organization from 2007 through 2010 and most recently served on its International Interest Group Committee and as Chair of its Publications Committee.