Businesses are operating in a world in which cyber threats are becoming more widespread (it is now a matter of when, not if) and individuals are increasingly prepared to act to protect their personal information or make claims if their privacy has been breached. For health and life insurers, who host and are responsible for some of the most sensitive information about individuals, the introduction of the new Privacy Act 2020 (Act) represents a critical moment to take stock of potential cyber and privacy risks, which carry significant financial and reputational harm.

Nature of personal information is relevant

The Act comes into effect on 1 December 2020. It introduces a range of range of reforms, including mandatory data breach notification requirements. These significant reforms will change the way organisations doing business in New Zealand manage privacy issues and data security and may also lead to an increase in privacy and data security-related claims. Insurers will need to consider how these new obligations affect the way they operate, and the potential exposure or liability they may cause for their insureds.

Unlike many organisations, health and life insurers will often require extensive information about an individual’s health and their medical history that is, by its nature, sensitive. Due to the nature of this information, there may be more exposure for health or life insurers should the personal information that they hold be compromised. This is due to the required assessment of “harm” in respect of both the type of data breaches that need to be notified to the Office of the Privacy Commissioner and whether there has been an interference with privacy under the Act.

Notifiable data breaches

Under the new mandatory breach reporting regime, agencies will have an obligation to report Notifiable Privacy Breaches. A Notifiable Privacy Breach means a breach that has or is likely to cause “serious harm” to an affected individual.

The High Court decision in C v Accident Compensation Corporation [2020] NZHC 2229, an appeal from the Human Rights Review Tribunal, is a recent example of a complaint by an individual about the collection and disclosure of his personal information by an insurance company. Mr C complained to the Office of the Privacy Commissioner about the disclosure of his medical records to Aon by ACC. The purpose of the disclosure was to determine whether ACC or private insurance would provide cover for an injury Mr C suffered in 2014. However, the medical records disclosed included extensive information relating to a past injury Mr C had suffered in 1994, including details of his mental health, including depression, delusions, impaired function due to traumatic brain injury, internal injuries, criminal offending in his youth, family mental health history, drug use and alcohol addiction, sexual disfunction, self-harm, stress-related hair loss, urological issues and sexual health tests. Although the Court found there had not been an interference with Mr C’s privacy, Doogue J considered the disclosure of the sensitive information to Aon was a breach of information privacy principle 11, and considered that the disclosure of the sensitive information, particularly relating to his mental health and sexual function were not relevant to the insurance determination.

This case serves as an important reminder for insurance industry participants to be mindful when asking for personal information so that they only request what is actually required for their relevant purpose, such as settling an insurance claim. As shown in C v Accident Compensation Corporation, often, full medical notes and records will not be relevant to making insurance decisions, such as settling claims. Further, individuals are more likely to take action against agencies where the information involved is sensitive in nature. This kind of information is also more likely to cause harm to the individual if it is mismanaged or improperly disclosed. Harm under the Privacy Act 1993 includes loss, detriment, damage or injury to an individual, along with significant humiliation, loss of dignity or injury to the individual’s feelings.

Protection of data

It is also important that any personal information insurers collect is adequately protected. Because of the nature and amount of personal information insurers hold, they are prime targets for cyber criminals. However, many organisations do not take the same approach to managing and adequately protecting this information, which is an asset, as they do to managing and protecting tangible assets such as property. Data protection, that is, protecting the privacy of personal information and privacy compliance, is an important aspect of managing risk for both insurers and their clients.

In addition, good privacy practices can be a marketing differentiator. Along with complying with legal obligations, they can alleviate brand-damaging privacy-related complaints and build rapport and trust with customers.

Responding to data breaches

When it comes to cybersecurity, one of the most complicated and crucially important projects for businesses is responding to a cybersecurity incident. How organisations respond to a breach is equally as important, if not more important, than how they go about preventing and detecting one. Preparing for a cybersecurity incident involves more than preparing to react – to merely neutralise a one-off attack. It involves the ability to respond effectively and repeatedly, to plan proactively, to defend your critical systems and data assets vigorously, to get ahead of evolving threats, and to recover thoroughly when attacks do occur.

To prepare for the new Privacy Act regime, organisations should have in place, or start implementing, robust systems and processes to manage a breach promptly and effectively when it occurs and ensure you have a good communications plan ready to go so everyone in the organisation is clear about how the breach will be publicised with the media, the regulators, and those affected individuals.

These things tend to move very quickly and the organisation is often under significant pressure to react quickly both internally and externally, so having a clear written plan in place will be your biggest asset in helping ensure the process is run as efficiently and effectively as possible if an event does occur. It is also important that organisations understand their privacy risk profile and what operational measures your organisation has in place to mitigate the occurrence of a data breach.

Brokers can also support their clients in assessing what their privacy risk profile is as part of their overall insurance risk management program and in this way, ensure their insurance policies are as effective as possible.

Read Cover to Cover: Issue 21