Blockchain Technology Presents Privacy Concerns for Insurers

In exploring the use of blockchain technology, the insurance industry must consider the issues and challenges presented by nearly 20- year-old privacy requirements created by the Gramm-Leach-Bliley Act, signed in 1999 by President Clinton.

For the first time since 1933, GLBA allowed insurers and banks to combine, but the Act expressly stated its intention not to usurp the authority of state insurance regulators.

The GLBA treats both banks and insurers as “financial institutions” and imposes consumer privacy protections, obligating financial institutions to safeguard the security and confidentiality of nonpublic personal information. GLBA Section 502 states in relevant part that a “financial institution may not, directly or through an affiliate, disclose to a nonaffiliated third party any nonpublic personal information,” subject to certain exceptions. The GLBA defines when a financial institution may disclose such information and mandates notices concerning such disclosures. The requirements to safeguard nonpublic personal information were imposed for the insurance industry by state legislation and regulation adopted to follow NAIC model regulations. Violations of these requirements may result in enforcement actions, and civil and criminal penalties.

In addition to nonpublic personal information provided by consumers, insurers collect confidential and proprietary information from commercial insureds during the underwriting and claims processes. This information is beyond the scope of GLBA privacy requirements but may be of value to the business and ongoing operations of the insured. As a result, some jurisdictions, such as Illinois, have expanded obligations to safeguard information to include restrictions on “collection, use and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organizations,” thereby encompassing both personal and commercial lines. Underwriting and other agreements often impose contractual obligations on insurers to secure commercial information.

Insurers must consider this existing backdrop as they explore the implementation of blockchain.

The technical aspects of blockchain are beyond the scope of this article, but at its heart the technology relies on what is commonly referred to as “distributed ledger technology.” DLT allows participants in the chain to have complete access to information concerning the transaction.

The insurance industry has embraced the development of “smart contracts,” which rely on blockchain to expedite claims handling and reduce administrative burdens. The issuance of insurance policies in smart contract form is expected to revolutionize the industry.

Legal, regulatory and contractual obligations requiring the insurance industry to safeguard the security and confidentiality of nonpublic personal information and sensitive commercial information have clear, but often unexplored, implications for the use of DLT.

The deployment of smart contracts based on DLT isn’t without risks, many of which are not yet fully known. One can look to the deployment of other technologies like email and websites and the development of related threats like hacking and spam as a potential harbinger of what might follow from the adoption of smart contracts based on DLT.

Some benefits of blockchain – immutability, transparency, and decentralization – also present concomitant risks. For example, if an insurer inadvertently discloses nonpublic personal information subject to GLBA protections over the blockchain, there is no “control-alt-delete” button enabling a do-over. Further, the insurer’s remedial efforts will be hampered by the permanency of the disclosure and its widespread distribution.

Blockchain technology will probably revolutionize insurance. In considering DLT applications, however, insurers must be vigilant in anticipating the interaction of humans with the technology to prevent inadvertent disclosures. And the privacy and security regime established by a nearly 20-year-old statute will remain an important part of the equation for insurers as they develop cutting-edge offerings related to DLT.

Barth is a partner in Locke Lord’s Chicago office. Augustinos is a member of the Locke Lord Privacy & Cybersecurity Practice Group steering committee and office managing partner of the firm’s Hartford office.