Data Privacy & Workers’ Compensation

Topics: Workers' Compensation

How Will Data Privacy Laws Affect Workers’ Compensation Insurance?

Organizations both large and small were victims of data breaches over the past few years. Some of the biggest names impacted include Facebook, Marriott Starwood, Capital One, American Medical Collection Agency (used by Quest Diagnostics and LabCorp) and Citrix. Every employer, no matter its size, faces the reality that it could be the target of a network security breach. A cybersecurity breach can jeopardize credibility and cost small businesses thousands of dollars (or more) in damages, as well as negatively affect customer service, productivity and reputation.

Workers’ Compensation Insurance and Data Privacy

Workers’ compensation insurers need to be prepared for possible data breaches. Consumers provide a multitude of sensitive personal data to their insurance companies that must be protected from a data breach.

Companies need to be prepared for data breaches by having secure networks and making sure that every employee is trained on how to keep confidential data secure. This training is not always enough, so data privacy laws are being enacted around the world to help give consumers protection in this time of large-scale data breaches.

Increase in Data Privacy Legislation

General Data Protection Regulation (GDPR)

The European Union (EU) enacted the General Data Protection Regulation (GDPR) in May 2018. The GDPR places more requirements on organizations that process and collect personal data, with an emphasis on accountability and evidencing compliance, while strengthening the individual’s rights. The U.S. does not yet have an extensive federal data privacy law similar to the GDPR. It is up to individual states to develop personal data legislation. California was the first state to pass a privacy law in late 2018, known as the California Consumer Privacy Act (CCPA). Nine other states are now considering their own versions of similar consumer privacy laws.

California Consumer Privacy Act (CCPA)

The CCPA, which went into effect on January 1, 2020, gives California residents an assortment of new privacy rights, starting with the right to be informed about what kinds of personal data companies have collected and why it is being used. The law stipulates that consumers have the right to:
  • Request the deletion of personal information.
  • Opt out of the sale of personal information.
  • Access the personal information in a “readily usable format” that enables the easy transfer of data to third parties.

The CCPA requires businesses that collect personal information about consumers to:
  • Disclose the categories of personal information it has collected.
  • Share the categories of sources from which the personal information is collected.
  • Divulge the purpose for collecting or selling their personal information.
  • Notify the consumer of the categories of third parties with which the business shares the personal information.
  • Detail the specific pieces of personally identifiable information the business has collected on the consumer.

The Impact of Data Privacy Laws on Workers’ Compensation Insurance

The GDPR and CCPA strengthen an individual’s rights to access and protect their personal data. These include a right for the individual to request that their data be deleted (the right to erasure), a right to object to processing and the right to data portability – in electronic form. This means that a policyholder could request a copy of all data that their insurer holds about them in a commonly used and machine-readable format, so they can provide it to their new insurer.

The new data privacy laws are both a challenge and an opportunity for the insurance industry. They have raised customer awareness of the protection of their personal data. It must be remembered that not all insurance organizations use personal data in the same way or for the same purposes. Certain personal medical information might be needed to assist in processing a workers’ compensation claim, for example, but not needed for a cyber liability policy.

Insurance companies often need to process sensitive personal data to underwrite risks and provide claims handling and other insurance-related services. These “special categories” of personal data cannot be processed unless the individual has given explicit consent to that processing, or in certain other limited circumstances, none of which readily apply to the insurance industry.

The CCPA excludes information that is publicly available via federal, state or local government records, as well as medical or health information collected by an organization governed by California’s Confidentiality of Medical Information Act or the HIPAA Privacy Rule, which sets conditions on the uses and disclosures of personal medical data without a patient’s authorization.

Protecting Personal Data

AmTrust Financial explored the impact of data privacy laws, such as the GDPR and CCPA, on the insurance industry in the U.S. in our recent white paper “What is the GDPR? The Impact on the Insurance Industry and Small Businesses in the U.S.” Download a copy today to learn more about the many aspects of the data privacy laws that affect how we share and store PII and personal data.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.