Many insurance companies have been in business for hundreds of years. Their brands are often household names and evoke a sense of tradition consistent with their long histories. However, the ways in which insurance products are designed, advertised, underwritten, sold, and administered are undergoing rapid change—the business of insurance, like almost every other major industry, is increasingly a high-tech venture. The impact of these high-tech changes on the global economy, including the use of artificial intelligence (AI), big data, the internet of things, augmented reality, and robotics, has been hailed by some as the “Fourth Industrial Revolution.”
This coming revolution is conspicuous in some industries. Self-driving cars are already navigating public streets in California; our homes are becoming populated with internet-connected devices like the Nest, the Amazon Echo, and smart TVs; and, of course, our trusty smartphones are increasingly integrated into every minute of our professional, personal, and social lives.
While its effects are perhaps not as conspicuous as with some other industries, the Fourth Industrial Revolution is changing the insurance industry, too. Major insurance companies now have an information conduit into your living room through Amazon Echo “skills” (i.e., software akin to smartphone apps). Insurers or other third parties have an information conduit into your car when on-board computers, OBD-II dongles, or your smartphone collect telematics information about your driving habits. And, with their fintech partners, insurers literally have their finger on the pulse of insureds when they collect biometric information through Fitbits and other wearable devices.
Insurance companies and their business partners, as well as the consumers they serve, can benefit greatly by standing at the nexus of these new information streams. Telematics information flowing from smart cars can lead to premium discounts for consumers with safe driving habits, while simultaneously helping insurers avoid claims fraud. The biometric information from Fitbits provides a way for physically active consumers to get premium discounts or rebates, while simultaneously helping insurers incentivize healthy behavior and reduce the cost of risk they insure.
Further, predictive analytics and machine learning algorithms (forms of AI) can “mine” the vast amount of data generated by these technologies to assess underwriting risk in new ways. Whether we see it or not, these innovations are pushing the insurance industry to the cutting edge of the Fourth Industrial Revolution.
However, notwithstanding these considerable benefits to both insurers and consumers, the fact that such vast and varied amounts of consumer data are being collected, housed, and used introduces new risks to consumers’ privacy and to the security of the underlying information systems managing the data. These risks affect both consumers and insurance companies, along with their fintech and other business partners. This article will address some of these risks in three areas: cybersecurity risks, big data analytics, and online behavioral advertising.
The most overt and highest-profile risk in this space is the risk of a cyber incident leading to a data breach, data destruction or corruption, or ransomware attack. Over the last few years, several major insurers have suffered cyberattacks resulting in the breach of sensitive consumer information. In 2015, for example, a cyberattack led to the release of information for up to 91 million policyholders at Anthem Blue Cross Blue Shield and Premera Blue Cross. Full names, addresses, social security numbers, personal health information, and other data were compromised in these breaches.
Cyberattacks on insurance companies and their business partners, and associated data breaches, are extremely costly in terms of remediation, class action litigation, regulatory enforcement actions, enhanced cyber-regulatory standards, more spending on cyber defenses, and brand damage. Further, the legal landscape around cybersecurity is rapidly evolving, which creates ongoing compliance risks. However, the complex attribution, enforcement, and litigation issues raised by cyber incidents can also be mitigated by appropriate contractual measures and other protections.
Big Data Analytics
Big data programs also raise privacy risks and legal uncertainties as insurance companies increasingly rely on big data and AI to offer accelerated underwriting, to create finely segmented risk profiles to price insurance, or to target advertisements for insurance products. While these methods have the potential to reduce costs and increase efficiencies for insurers and their service providers, as well as some classes of insureds, companies using big data programs should be mindful of the complex legal landscape in which they operate.
First, big data programs should ensure they provide transparency about what data is collected and how it is stored, analyzed, used and shared. For example, machine learning algorithms may be able to find novel correlations between consumer behavior and lower underwriting risk profiles. However, due to the way those algorithms are designed and processed, the humans relying on them may not be able to explain why such correlations exist.
Many machine learning algorithms are, in that sense, “black boxes” that leave the humans using them in the position of having to simply trust that the correlations produced by the algorithms are not spurious, or worse, that they do not have unlawful discriminatory effects. The relevance of certain underwriting criteria, such as credit scores, has long been questioned by consumer advocates, while today, critics question how counterintuitive factors, such as web browsing behavior, purchasing behavior, and online reputational data from websites like Yelp, are being used in pricing and underwriting processes.
Further, the quality of the outputs of machine learning algorithms is limited by the quality of the data inputs they receive. While the Fair Credit Reporting Act provides consumers some protection against the use of inaccurate data in insurance decision-making, not every kind of data, nor every aspect of the insurance process, is covered. This can lead to, for example, accelerated underwriting being unavailable to some applicants due to incomplete or inaccurate information in the data profiles that data brokers have compiled for them.
Online Behavioral Advertising
Increasingly prevalent concerns have also arisen from the use of online behavioral advertising (OBA) by insurers and their business partners. OBA is “the practice of tracking an individual’s online activities in order to deliver advertisements tailored to the individual’s interests.” While many consumers appreciate targeted advertising because it increases the relevance of the ads they see, others find the tracking, collection, and analysis of data about their online behavior to be unsettling. OBA is also increasingly able to track users across devices.
With the ongoing proliferation of the internet of things (including the smart TV and Amazon Echo in consumers’ living rooms, connected cars on the road, and everything in between), this tracking is becoming nearly ubiquitous, and raises questions about whether appropriate consents for the collection, retention and sharing of personal information have been obtained. For example, most privacy policies strictly limit and control the use of personal data to the purposes for which it was originally collected unless user consent is obtained.
OBA also presents risks for insurance companies. For instance, companies are exercising more caution with their use of OBA after a string of incidents in which the advertisements of major brands appeared near troubling and offensive content on a website. For example, Allstate had to reconsider some of its OBA practices after one of its banner ads was displayed on a website claiming the Sandy Hook massacre was a hoax. When the user is being directly tracked and targeted through OBA, the ads can follow them wherever they go. Insurance companies are still grappling with the risks associated with that practice.
Insurers and their business partners need to carefully consider whether their current practices involving the collection, storage, and use of personal data need to be upgraded to enable their high-tech programs to proceed. These companies should be taking a hard look at their data security practices, data transparency, allocation of responsibilities among themselves and vendors, and data sharing and anonymization practices, all while analyzing whether their multifaceted uses of consumer data are lawful.
The Fourth Industrial Revolution is already leading to real benefits for both insurers and consumers. However, a robust understanding of the technologies driving this Revolution is essential to coping with the new risks that come along with it, both for consumers and the insurance companies serving them.