As we move forward towards new discovery and innovations, the insurance market is also changing rapidly, which is driven by shifting customer expectations and technology progress. IoT and connected devices are transforming the industry, for example with the increasing use of telematics for motor insurance, wearable technologies and m-health apps for health insurance, and smart appliances and devices for home insurance. At the same time, customers expect to connect with their insurers constantly, with new apps and tools that facilitate smooth interaction.
InsurTech is the word commonly used to frame this change and represents the impact of ICT technologies (and, in general, digital transformation) in the insurance sector. InsurTech applications may allow, on the one hand, to set lower insurance premiums on traditional insurance products and services (e.g. car insurance) and, on the other hand, to develop new insurance products and services based on new IT-related risks.
There are many legal issues to take into account when dealing with InsurTech, also considering the heavily regulated nature of the relevant market. In this article, we will summarize the main issues to consider.
1. Data protection
Within the above-mentioned “connected” scenario, InsurTech firms are now able to process a large amount of data, which can be used to control risks and gather insights for new products, with substantial benefits for the entire insurance value chain. From a data protection perspective, the more the volume and value of data captured in the connected environment, the more challenges InsurTech firms will have to face. Adequate data management is accordingly becoming of paramount importance, not only as a positive market differentiator but also to avoid substantial risks, including, for instance, the sanctions provided by the new European General Data Protection Regulation (GDPR).
The GDPR, in fact, provides for a new accountability approach, whereby InsurTech firms have to demonstrate compliance with stringent obligations such as the data protection impact assessment, to carry out for each risky processing/insurance product, and the data protection by design and by default. This implies that InsurTech firms need to take into consideration data privacy throughout the whole lifecycle of any data processing and integrate the data governance process with appropriate safeguards, including, for instance, data minimization and data portability.
All these considerations are very topical for the InsurTech industry: Just think of the “Event Data Recorder” (EDR), sometimes also referred to as a “black box”. Such a recorder collects a wide array of data, which can be associated with electronic communication and localization systems and used as evidence to check the accuracy of witness statements in cases of litigation. In all such cases, among other things, it is necessary to meet the relevant legal requirements, including, for instance, the EU jurisdictions (e.g. GDPR, Article 29 Working Party on processing personal data in the context of Cooperative Intelligent Transport Systems (C-ITS), etc.).
2. Marketability standards for new devices and technologies
When dealing with connected devices and technologies, it is obviously necessary to assess fully the device, including the marketability standards. In fact, devices must meet the essential requirements and safety characteristics set out by the EU harmonization legislation. For instance, all equipment that uses the radio frequency spectrum must comply with the requirements of the Radio and Telecommunication Terminal Equipment Directive 1999/5/EC (“R&TTE Directive”) which was revised in 2014 to become the Radio Equipment Directive 2014/53/EU (“RED Directive”). Furthermore, electrical and electronic equipment must comply with Directive 2011/65/EU (“RoHS Directive”) on the restriction of the use of certain hazardous substances. The abovementioned requirements are particularly important when a product, albeit manufactured by third parties, is placed on the market with InsurTech firms trademarks. Indeed, the responsibilities of the manufacturer apply also to any natural or legal person who assembles, packs, processes or labels ready-made products and places them on the market under his own name or trademark.
3. Smart contracts and blockchain
Smart contracts may allow for faster insurance settlements. Specifically, this is made possible through blockchain systems that allow for the converting of standard contracts into computer code, thus eliminating the cumbersome authorization and validation processes. However, the legal value of smart contracts and blockchain technologies also depends on the government’s ability to provide a reliable legal framework in a timely manner. In Italy, for example, the legislator, through Art. 8-bis of the “Decreto Semplificazioni”, introduced a formal definition of blockchain and smart contract in order to provide them with full legal value. Such a legal framework, however, will require further implementation by the government agency (Agenzia per l’Italia digitale). At least for the Italian jurisdiction, it will accordingly be fundamental to assess fully how such regulation will be implemented completely.
We will further address this topic in our TMT Bites Newsletter. For further information about blockchain and data protection, please read here.
4. Intellectual property
When dealing with connected devices and technology, it is also necessary to assess whether they are protected by any intellectual property rights (“IPRs”). Particular care will also have to be exercised concerning underlying patents (and other IPRs), also when a new technology is devised internally or acquired (or licensed) from a third party. Furthermore, the underlying software policies and architectures will have to be reviewed, addressing also which type (or portion) of open source software is used so as to ensure that there will be no issues for future usages and that the same software will be supported by an adequate community, also from a cybersecurity compliance perspective. This may require a review of the whole process that led to the creation of the software. This is particularly important when addressing other intellectual property issues. In this respect, formal copyright assignments, patent clearance and warranties from commercial partners are useful risk management practices.
5. Regulatory requirements
Other legal issues to consider relate to the use of mobile channels for communication, registration, payment of premiums and claims processing, which will have to be assessed carefully. Sector regulators have shown varying levels of enthusiasm, as they balance the need for dynamic insurance management processes and required regulatory controls. For instance, in Italy, the insurance sector regulator (IVASS) actively promoted the use of digital documents and other online tools to manage the relationship with clients. A number of legal and regulatory requirements will have to be addressed when dealing with electronic documents (including policies), which will be executed increasingly through mobile devices. A recent change to the Italian digital signature regulation provides that an electronic signature may be equivalent to a standardly written signature, but its evidence value would be assessed by the courts on a case-by-case basis. Strong authentication options may accordingly avoid the risk that documents signed through electronic signatures are considered as not enforceable. Within this scenario, InsurTech firms have to put in place appropriate arrangements taking into account the role played by all parties involved, e.g. software developers, device manufacturers, etc., so as to ensure that all parties are fully aware of risk implications (and hold their share of responsibility). To address fully the new technologies environment, InsurTech firms may also implement scalable and agile strategies to simplify business processes. This may also imply a review of contract standards, including standards for “agile” software or technology development, and of other supply agreements so as to avoid vendor lock-in.