There was an interesting announcement from LexisNexis and Human API last week. It reiterated our company's philosophy on how we think about mobile identities and the security implications that arise when personal and confidential data is transmitted and stored electronically. Given the current business and security climate (see the recent Target, Yahoo!, and Heartland Payment Systems breaches), as well as the sensitive nature of medical data, we have a word of warning for InsurTech providers and consumers attempting to conduct know-your-customer (KYC) insurance efforts by harvesting vast stores of personal and vulnerable data. Trust us, there’s a better way.
LexisNexis Risk Solutions provides data, analytics, and technology solutions for the insurance industry, and Human API is a real-time, digital health data network. The two companies announced the formation of an alliance that combines Human API’s electronic health data, including medical history, encounter information, medications, and lab results, with LexisNexis’ risk solutions aggregated from public records, driving history, and credit. The goal is to provide life insurers with a more accurate portrayal of potential applicants to lower underwriting costs, reduce cycle time and drop-out rates, and place applicants into appropriate risk classes – thus improving the overall customer experience for purchasing life insurance.
There's a lot to unpack here. First, let's home in on "improve the overall customer experience."
The current pitch is that modern, mobile-friendly technology can reduce consumer friction and make it "easier" to get a policy without all the hassle. LexisNexis and Human API are playing against the traditional method of obtaining life insurance, often characterized by aggressive multi-level marketing schemes and costly and complicated processes required to screen applicants. It’s low-hanging fruit for sure, but the target Millennial generation (typically technology-literate and deeply skeptical of too-good-to-be-true corporate marketing pitches) is wise enough by now to understand:
- The cost trade-off of going to large insurers' instant underwriting products: They can't be as price- and payout-competitive as unregulated “InsurTech” startups flush with VC cash and lower overhead, and
- The risk trade-off of going to upstart “InsurTech” apps: They may offer rates and payouts competitive with or superior to the traditional players now, but could very well dry up in the event of a market correction once the consequences of fundraising round surfing and unregulated risk rear their heads, leaving deeply damaged policies in their wake.
Personal-information and privacy protection is currently being aggressively deregulated domestically and increasingly regulated abroad, which makes it more confusing, and therefore more costly, to track and manage heterogeneous privacy policies and practices, especially at the expected rapid rate of change.
Further, one quick history lesson on the consequences of harvesting personal data for commercial use should appeal to Millennials' strong sense of social awareness on all ends of the political spectrum.
We've seen from the ongoing Yahoo! data breaches of 1 billion user accounts that the primary target was their security questions and answers, stored in plain text – a security gating procedure whose contents have since been spread by data harvesters. A lot of early security questions involved fact-based information, such as asking for your mother's maiden name. Once that information is breached, you can’t easily change the answer – a very common problem with biometrics too, but that’s a topic for another blog – so this information is no longer a secure form of authentication.
The more widely this information is used as a gate, the more valuable it becomes to bad actors, who can now charge a much higher premium to criminal and fraud syndicates (domestic and especially overseas). Furthermore, as more basic information becomes less useful, the trend has been for security to:
- Become more invasive: "What was your mortgage payment last month?", or
- Use information more prone to false connections: "What phone number/address/automobile are you associated with?", with the answer actually belonging to a person of the same name on the other side of the country.
On top of the challenges posed by security questions as a form of authentication, we've also seen from the Target data breach that third-party contractors were easily able to infiltrate customer data due to a lack of basic governance. Regulation cannot keep up with the lackadaisical mechanisms commercial entities will deploy to protect consumer data.
As it stands, there's an imbalance of risk. The financial risk of not monetizing personal data is far greater than the risk of breach. The brand impact of a breach is easily washed away in the sands of information overload, for all except those who regularly follow these sorts of things. And early regulation provides a false safety net for ineffective procedures, as we saw with the Heartland Payment Systems breach of payment card data, despite Heartland believing they were compliant with an early iteration of the Payment Card Industry Data Security Standard (PCI DSS).
The war for personal data is far from won by any side, but it only makes good business sense for traditional insurers and InsurTech startups alike to wholeheartedly reject this approach by LexisNexis and Human API. Adding ease of access to detailed, personal, highly private health and medical information about an individual is ill-advised in the context of history and of a business environment with a vested interest, and potentially a fiduciary duty, to maximize revenues on the partnership, likely by expanding to new markets, industries and use cases (and thus opening up the data to more potential threat sources).
Thankfully, our experience here at Confirm validates our belief that insurance and InsurTech providers of all sizes, shapes, and ages are in the process of rolling out alternative means for effectively reducing fraud, knowing their customer, and leveraging advanced actuarial analytics. Through these methods, companies can provide competitive products with a better consumer experience without enabling the negligence that sprouts from readily available personal data harvests, which ultimately result in widespread consumer nightmares, the demolition of shareholder value, the downfall of high-ranking executives, and the empowerment of nefarious organizations.