New Yorkâ€™s Department of Financial Services (NYFS) has released new guidelines that will allow life insurance companies to use data from customers’ social media posts to determine their premiums, and experts say that these rules could potentially extend beyond New Yorkâ€™s borders.
The new guidelines suggest that companies can use data from other â€śnon-traditionalâ€ť sources as well, though insurers willÂ have to prove the information doesnâ€™t unfairly discriminate againstÂ protected groups:
An insurer should not use an external data source, algorithm or predictive model for underwriting or rating purposes unless the insurer can establish that the data source does not use and is not based in any way on race, color, creed, national origin, status as a victim of domestic violence, past lawful travel, or sexual orientation in any manner, or any other protected class.
The NYFS press release states that
…insurersâ€™ use of external data sources has the potential to benefit insurers and consumers alike by simplifying and expediting life insurance sales and underwriting processes. External data sources also have the potential to result in more accurate underwriting and pricing of life insurance.Â
The use of social media by insurance companies has been a topic of debate for years now, although there’s very little legal guidance about what privacy rights we have when posting online. Maria T. Vullo, the chief of the NYFS has been trying to get ahead of the inevitable by establishing some ground rules after an 18-month investigation which collected information from 160 life insurers about their practices.
She told the Wall Street Journal last week:
Because this is a rapidly evolving area in insurance underwriting, it was important for the department to create general principles now.
According to an inside source from New Yorkâ€™s investigation, only one of the 160 companies polled currently uses social media data, but that company was not identified.
In 2012, the National Association of Insurance Commissioners released a white paper from their Social Media Working Group which mostly addressed the ways in which insurance companies could use social media in their marketing, but acknowledged that it was already being used to monitor customers:
Companies are using social media in forensic data mining to discover workersâ€™ compensation fraud. For example, some companies monitor social media sites that might contain posts negating the claims of allegedly injured workers who are participating in activities that are beyond the restrictions placed by the treating physician.
Traditionally, life insurance companies used physical exams and questionnaires to determine a customerâ€™s rates. But as this is costly and time-consuming, companies began to engage in predictive modeling to determine how likely it was for a potential customer to develop a disease or engage in dangerous activities and used data collected from many public sources (think medical records of injuries, accident claims, even parking tickets). This new method of data collection is an extension of this, but into a realm we often (and mistakenly) treat as private.
Companies already had access to general social media trends (common phrases or hashtags, viral content, etc.) to help them understand their customers, but this was largely for marketing and customer service, so itâ€™s hard to make the case that that violated privacy in the way that this new, more personalized, surveillance would.
A New York court decision in 2010 (McCann v. Harleysville Insurance Co.) declared that an insurance company could not conduct â€śa fishing expeditionâ€ť into someoneâ€™s Facebook account â€śbased on the mere hope of finding relevant evidence,â€ť but clearly insurers are finding workarounds. At the very least, it appears that the Fair Credit Reporting Act might give customers who are denied insurance the right know whether the decision was based on information gleaned from a social media profile. This could provide fodder for lawsuits that could clarify the boundaries for everyone.
The danger and power of algorithms:
The new ground rulesÂ alsoÂ warn life insurers using non-traditional data that theyÂ are responsible for analyzing their algorithms to be sure they are free of bias against protected groups. This means that they canâ€™t simply shop for algorithmic software and employ it without thorough testing first.
Of course, there are multiple issues here, despite the agencyâ€™s best efforts to try to make the process unbiased. First, we know that companies have often refused to share details of their algorithms with customers and the law has allowed them to do so. We often donâ€™t know how they are processing data, so all we can do is continue to test them. But we also donâ€™t know how much testing it takes to determine if an algorithm is unbiased, and thereâ€™s no objective mechanism or yardstick that allows a company to truly confirm a lack of bias.
Second, while there are plenty of great data scientists and ethicists working together to find ways to make algorithms less biased, we simply donâ€™t know how to do it yet. Humans write algorithms and all of us have biases of some sort. The more we claim we donâ€™t have them, the more deeply entrenched they likely are, making it even more difficult to ferret them out. This has been a disaster already in employment decisions and court sentencing decisions that employ these algorithms. But we continue to think that data is objective and can yield some sort of truth about the world.
Third, it will be very difficult for customers who are not well-versed in algorithmic bias to fight against unfair decisions made about their life insurance premiums based on data they donâ€™t even realize theyâ€™re giving away. Weâ€™ve been bombarded with stories about privacy violations, especially from social media giants like Facebook, over the last year and instead of seeing people take steps to protect themselves, Facebook has only seen more new customers and increased profits.
And if you think youâ€™re safe because you donâ€™t have a social media profile, think again. Recent research has shown that information about a person can be constructed from the comments of as few as 8 of their friends. You are what you post, but apparently, you are what your friends and family post as well. This doesnâ€™t appear to be a tactic insurance companies are looking into yet, but itâ€™s important to keep in mind as they expand their methods of surveillance.
Itâ€™s also important to note that social media posts can be deeply misleading, even to a deep learning algorithm assigned to seek out, process, and judge the value of photos that customers post online. If youâ€™ve given up smoking but have old photos with cigarette in hand (or repost one of those popular Facebook Memories) how can a computer (or even an underwriter with a lot of work to do) properly assess the context of a photo? How do you control what other people post about you online?
While Photoshopped images and even deepfakes could eventually become a problem for those looking to sabotage customers, thatâ€™s likely a problem that lies farther down the line. But thatâ€™s not to say we shouldnâ€™t keep it in mind.
There are some more likely scenarios that itâ€™s worth watching out for (and, to be fair, some scenarios that are worth avoiding altogether). The U.S. Insurance Agentâ€™s blog, which aims to help customers compare plans and provides commentary on the industry has shared some possibilities for ways in which customers might harm their chances of getting not just life in insurance, but home and renters insurance, and keeping their premiums down. Itâ€™s unclear whether or not companies would go this far, but some possibilities include posting photos or updates while driving, posting about an unregistered pet that is classified as a â€śbully breed,â€ť leaving on your geotagging when youâ€™re on vacation and thus signaling to thieves that your house is vacant. These are things we rarely think about when posting online.
So what can we do? Â Â
Plenty of people will join the chorus of protests against this invasion of privacy, but it could also be the case that New York is doing us a favor by putting something on the record that can be challenged. No states have any rules right now governing how life insurers can populate their algorithms. We know they currently use public records such as homeownership data, credit information, educational attainment, civil judgments, licensures and other public filings, and even internet use. But now that theyâ€™ve taken an extra step â€“ and one that will appropriately freak people out â€“ the legal system can move into action. Yes, it will take unfair decisions and lawsuits, and time, and money, but thatâ€™s how the system currently works.
While we wait to see how this all shakes out, customers should be sure to read the fine print on their insurance policies and ask specific questions about what companies will access in order to determine their rates. Companies should be as transparent as possible about how they collect data and state that on their websites in easy-to-understand terms so that customers can make informed decisions about whether they want to apply for a policy with a specific company. The new guidelines do mention the need for transparency:
Where an insurer is using external data sources or predictive models, the reason or reasons for any declination, limitation, rate differential or other adverse underwriting decision provided to the insured or potential insured should include details about all information upon which the insurer based such decision, including the specific source of the information upon which the insurer based its adverse underwriting decision.
And while data breaches and hacks canâ€™t protect even data youâ€™ve marked private, it does make sense for social media users to explore the privacy settings on their accounts. It will be harder for an insurance company to defend their use of data if it has been stolen and trafficked on the Dark Web.
In the meantime, make your profiles private, revisit your friends list and privacy settings for individual posts, turn off location services and geotagging, delete compromising photos, do not allow other people to tag you on social media without your permission, and most importantly, do not engage in dangerous behavior like texting and posting while driving, and always be honest with your insurance company about your habits and health.
Of course, itâ€™s in the best financial interests of honest customers and insurance companies to prevent insurance fraud, which appears to be the main reason a company would check a social media profile right now.