How safe is your data with your insurance company?
Not very safe, actually. There was a massive data breach at Star Health and Allied Insurance which has put 3.1 crore customers at risk.
Today, your sensitive data is at risk from hackers. And that is a fact you need to understand.
A data breach can lead to financial losses, legal liabilities, and significant reputational damage. The global average cost of a data breach in 2023 was approximately $4.45 million, covering expenses like incident response and legal fees. In India, the Digital Personal Data Protection (DPDP) Act outlines strict compliance requirements for data protection. Non-compliance can result in heavy fines, and in severe cases, the insurer could face suspension or revocation of its license by the Irdai.
What The Law Says
“From the legal perspective, insurance companies are required to protect customer data under various regulations issued by the Irdai. The Insurance Regulatory and Development Authority of India (Irdai) (Third Party Administrators – Health Services) Regulations, 2016, enforce strict confidentiality for data shared with TPAs. The cybersecurity guidelines (2023) require insurers and intermediaries to implement robust data security frameworks, appoint a Chief Information Security Officer (CISO), and conduct periodic audits,” says Rashmi Deshpande, Founder, Fountainhead Legal, a law firm.
“A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint. We also approached the Madras High Court in a timely manner, which in the attached order has directed all, including certain third parties, to disable access to the relevant information. We are diligently pursuing the implementation of this order,” said Star Health in a statement.
In fact, data breaches can have far-reaching consequences for both customers and insurers. Financial losses and identity theft are immediate risks for customers, while insurers may suffer reputational damage and erosion of customer trust.
“Under the IT Act, companies failing to protect personal data or notify authorities of a breach can face severe penalties, including fines and imprisonment. This legal framework serves as a deterrent, emphasising the importance of stringent data protection and quick remediation measures,” says Sharad Mathur, MD and CEO, Universal Sompo General Insurance.
A data breach can expose customers to identity theft and fraud, posing significant financial risks and privacy violations. Insurance companies may face substantial financial losses, reputational damage, and operational disruptions as a result of such breaches. The CISO is currently required to report incidents to the Irdai within 24 hours and to CERT-IN within six hours; however, the Irdai’s circular does not outline penalties for non-reporting.
“Under the Information Technology Act, 2000, failure to comply with CERT-IN directives can lead to fines of up to Rs 1 lakh and/or imprisonment. Once the new Data Protection and Digital Privacy Act, 2023 is operational, insurance companies will be obligated to report data breaches promptly, ensuring greater transparency and enhanced data protection,” says Deshpande.
What Insurance Companies Do To Protect Your Data
Insurance companies employ a multi-layered approach to protect customer data, including encryption, access control, and regular security audits.
“Sensitive information is safeguarded through advanced encryption technologies and stringent access controls, allowing only authorised personnel to access specific data. Organisations also implement robust Data Loss Prevention (DLP) policies, maintain detailed system logs, and conduct regular vulnerability assessments to identify and address security gaps,” says Sunil Kapoor, Chief Risk Officer, Future Generali India Life Insurance.
Additional measures include limiting employee access to data based on roles, regular staff training on data security best practices, and comprehensive data governance policies for collection and storage. Insurers also perform third-party risk assessments, include data protection clauses in contracts, and regularly monitor third-party activities.
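As an added illustration of the role-based access limitation and logging described above (this is example code written for this article, not the software of any insurer or vendor named in it): a small Python policy layer that releases only the fields a role is permitted to see from a customer record, masks identifiers where a role needs only partial visibility, withholds everything else by default, and appends an audit entry for every access decision. The role names, field names and the sample customer record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample customer record for the example (not real data).
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "A. Example",
    "phone": "9876543210",
    "policy_number": "POL1234567890",
    "diagnosis": "hypertension",
    "claim_amount": 45000,
}

# Assumed role policy: fields each role may see in full, and fields it may
# see only in masked form. Any field not listed is withheld (deny by default).
POLICY = {
    "claims_adjuster": {
        "full": {"customer_id", "policy_number", "diagnosis", "claim_amount"},
        "masked": set(),
    },
    "call_centre": {
        "full": {"customer_id", "name", "claim_amount"},
        "masked": {"phone", "policy_number"},
    },
    "marketing": {
        "full": {"customer_id"},
        "masked": set(),
    },
}


def mask(value, keep: int = 4) -> str:
    """Reveal only the last `keep` characters, enough to confirm identity."""
    s = str(value)
    return "*" * max(len(s) - keep, 0) + s[-keep:]


@dataclass
class AccessLog:
    """In-memory audit trail; a real deployment would ship this to a SIEM."""
    entries: list = field(default_factory=list)

    def record(self, user: str, role: str, customer_id: str,
               released: list, withheld: list, allowed: bool) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "customer_id": customer_id,
            "allowed": allowed,
            "released": released,
            "withheld": withheld,
        })


def release_record(record: dict, user: str, role: str, log: AccessLog) -> dict:
    """Return the subset of `record` that `role` may see, logging the decision."""
    rules = POLICY.get(role)
    if rules is None:
        # Unknown role: nothing is released and the refusal is still logged.
        log.record(user, role, record.get("customer_id", "?"), [], sorted(record), False)
        raise PermissionError(f"role {role!r} has no access policy")
    out = {}
    for key, value in record.items():
        if key in rules["full"]:
            out[key] = value
        elif key in rules["masked"]:
            out[key] = mask(value)
    withheld = sorted(set(record) - set(out))
    log.record(user, role, record["customer_id"], sorted(out), withheld, True)
    return out


if __name__ == "__main__":
    audit = AccessLog()
    print(release_record(SAMPLE_RECORD, "agent42", "call_centre", audit))
    print(audit.entries[-1])
```

The deny-by-default loop is the important design choice: a new field added to the record later is withheld from every role until someone explicitly adds it to the policy, and the audit entry lists both what was released and what was withheld, so an access review can see the effective scope of each role without re-deriving it from code.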
“Compliance with the Data Protection Bill (DPDP) is ensured through periodic audits, while incident response plans enable rapid action to minimise damage in case of breaches. These efforts collectively strengthen data security and protect customer interests,” says Kapoor.
Indian insurance companies are governed by strict data protection regulations under the Information Technology Act, 2000 and the DPDP Act, 2023, which mandate comprehensive measures to safeguard customer data. These include data minimisation practices, stringent data retention policies, and robust data security frameworks. Insurers also implement data breach notification procedures, train employees on security best practices, and ensure third-party vendors adhere to the same standards. Compliance with these regulations helps mitigate the risk of unauthorised access, disclosure, or alteration of personal information.
What Can The Customer Do
“In case of a data breach, the customer can take several actions, including filing a complaint with Irdai/cyber crime cell, seeking compensation in case of any financial loss, changing their passwords, imposing a security alert, considering an account freeze, contacting their respective banks/credit card companies which they usually use for their insurance payments to block them, and encrypting their data,” says Naval Goel, founder and CEO, PolicyX.com, an insurance web aggregator.
“However, in the case of a data breach, the current grievance redressal framework in the insurance sector primarily addresses insurance-specific matters, leaving customers with limited recourse. CERT-IN focuses on cybersecurity incidents, such as data breaches. This absence of a dedicated grievance redressal framework for personal data breaches creates significant challenges for customers seeking accountability and resolution,” says Deshpande.
This gap could close once the DPDP Act and its accompanying rules are enforced, as the Act is expected to establish a clearer mechanism for handling grievances related to data breaches, giving customers defined channels for recourse and stronger protection of their personal information.
Customers should proactively monitor their financial accounts for suspicious activity and change passwords immediately if a breach involves personal information. “Enrolling in identity theft protection services can add an extra layer of security by providing alerts for unusual credit activity. Staying informed and vigilant can significantly reduce the impact of a data breach on one’s personal and financial well-being,” says Mathur.