Insurance carrier data responsibility in the face of telematics uptick

Insurance carriers have an obligation to safely dispose of policyholder data that no longer serves a legitimate business purpose.

Are insurance carriers paying attention to the risks created by collecting and storing policyholder personal information (PI) within the connected devices inside automobiles? (Stanisic Vladimir/Shutterstock)

I recently bought a used infotainment system off eBay that came from a total loss vehicle. I quickly realized that it had belonged to “Jack.”

Jack is the vice president of a regional bank. He lives in a $2.7 million dollar home. He and his family’s Social Security Numbers were saved in the device’s contact book, which was stored when he synched his phone with the device. It also held contact information for his company’s CEO, CFO and general counsel.

There was information about his banking and online accounts of all sorts, including several logins, PINs and passwords. Text exchanges with colleagues revealed material nonpublic information about the bank where he works as well as personal details, all of which is a great starting point for any bad actor to launch a Business Email Compromise or spear-phishing attack.

Jack never realized this information, which I promptly deleted, was out in the open. His auto insurance carrier could have easily mitigated this risk and at the same time dramatically improved their compliance with a variety of federal and state laws by properly deleting this data before Jack’s car was sold.

A known risk

Automaker privacy policies reveal that many vehicles today can collect, store and transmit various categories of data that fall within the legal definition of Nonpublic Personal Information (NPI or PI).

Auto manufactures have admitted to the Federal Trade Commission that vehicles capture “sensitive personal information” such as driver geolocation, biometrics and behavior.

Additionally, when vehicle users such as drivers and passengers (including minors) link their smartphone via USB, Bluetooth, CarPlay and another connected program, additional PI is transferred and stored in the vehicle’s infotainment system.

The technology content of vehicles, new state and federal laws, and the focus of regulators, public, advocates and attorneys filing individual and class actions are all rising rapidly. Consequently, insurance carriers must start to pay attention to how to reduce both their own and their policyholders’ risk by managing the PI stored in vehicles.

The legal landscape

The U.S. has a complex patchwork of more than 200 federal and state laws regulating the protection of consumer data, including data security, data disposal, biometrics, unfair and deceptive acts and practices, and data privacy laws. Insurance carriers are also specifically regulated in 39 states and Washington D.C. under the National Association of Insurance Commissioners’ (NAIC) Information and Privacy Protection model law (Model 670) and Standards For Safeguarding Consumer Information model law (Model 673).

Model 670 Privacy statutes apply in 18 states the District of Columbia. Covered entities must have reasonable and reliable means of accessing, altering and permanently erasing personal information upon request. This includes from vehicles.

Model 673 Information Safeguards states that covered entities must take “reasonable technical and administrative measures” to protect PI from unauthorized or inadvertent disclosure. This applies to 33 states plus the District of Columbia. All of the PI collected in “direct or indirect means” is covered by these state acts, including when information is not used. This definition includes PI collected by vehicles. Carriers have an obligation to dispose of data that no longer serves a legitimate business purpose in these states even in absence of a consumer Data Subject Request. Deletion must happen by default.

Rental cars and loaners

Privacy4Cars routinely surveys various portfolios of vehicles. Rental vehicles consistently have the highest incidence of consumer PI left behind, with almost 99% of vehicles surveyed to date containing PI, often of multiple previous renters. All of the top four rental operators have been sued for failing to delete consumer PI after every rental, thus exposing users’ information to other renters, employees and unauthorized third parties. Two six-figure settlements have already been reached in related lawsuits.

Insurance carriers are among the largest buyers of rental car services. The rise in repair complexity and the current parts shortage means average rental days per claim are rising, resulting in more cost, more policyholder PI, and more exposure. To limit their exposure, P&C carriers should start mandating that rental suppliers delete the PI of policyholders after each rental and demand compliance records as a condition of doing business.  Manufacturers recommend deleting PI. The National Institute of Standards and Technology NIST 800-88 Rev.1 states data clearing is the minimum “reasonable security” data sanitization standard. Deleting PI from cars is the only way to achieve the “reasonable technical and administrative measures” mandated by Model 673 laws.

Total loss vehicles

Over 90% of the total loss vehicles for sale inspected by Privacy4Cars that could capture consumer data contained PI. The party responsible for protecting this PI is the carrier because, when a total loss occurs and the claim is paid, the title of the vehicle is transferred from the policyholder to the carrier.

At that time, the carrier becomes the owner of the vehicle and everything it contains, including the PI of the policyholder and their family members. As with any other electronic storage containing customer PI, the carrier now has a fiduciary duty to protect it, even if the collection was unintentional. Carriers should not take this responsibility lightly because selling devices containing consumer PI can result in significant liability, as in the recent $60 million class settlement against Morgan Stanley.

Fortunately, insurance carriers have multiple options to mitigate this risk by requiring the deletion of PI from vehicles as part of their standard checklist prior to asset sale. This operation can be performed by adjustors, repair shops, towing companies, or auto auctions in a short time and at reasonable cost. Also in this case, a consistent, standardized, and measurable process is key to proving your compliance.

From obligation to opportunity

Beyond the legal obligations, carriers can benefit from protecting PI collected by vehicles in at least two ways.

First, reducing the data footprint can reduce risk for their policyholders (e.g. many vehicles contain home address and garage door codes).

Second, discussing the protections you set when your policyholders need a rental or suffer a total loss can open an important conversation about data security, including additional protections you may offer (e.g. identity theft protection, cyber insurance) to de-risk your customers.

There are three devices in particular that collect mountains of data from consumers: computers, phones and vehicles. By leading the conversation on data privacy and security in vehicles, insurers can build a lasting impression of comprehensive care and deliver unique value and peace of mind. Their policyholders will be grateful.

Andrea Amico ( is CEO and founder Privacy4Cars. He is a leading authority on vehicle privacy and cybersecurity.

See also: