Tough data law ushers in boom time for insurers

Data protection law is expected to usher in boom time for insurers keen on side-stepping.

Photo credit: File | Nation Media Group

For Kenyan insurers long frustrated by extremely low uptake of cyber-crime policies by skeptical corporates, there is fresh hope for booming business as firms race to comply with a new law that has shaken up personal data security rules in the country.

President Uhuru Kenyatta in November 2019 signed the Data Protection Act that took effect last year—spooking corporates that collect large volumes of customer data to clean up and safeguard their systems to avoid punitive consequences.

The law sets out restrictions on how personally identifiable data obtained by firms and government entities can be handled, stored, and shared. Firms breaching the law face a penalty of up to Sh5 million or one per cent of their preceding year's annual turnover, whichever is lower.

The net effect of this for the insurance sector in Kenya is that its efforts to establish cyber and data cover as a lucrative business line may be about to bear fruit.

“If you are a data handler or a processor and someone else gets access to the data and the customer sues you, the only protection you can take is a professional indemnity cover,” Mr Tom Gichuhi, chief executive of the Association of Kenya Insurers (AKI), told Smart Business.

Data controllers

The Data Protection Act requires data controllers and processors both in Kenya and abroad to ensure that all personal information is processed lawfully, fairly, and in a transparent manner. They are also required to inform clients on the use of personal data and correct or delete any false representations about them.

The law also guarantees special safeguards for sensitive data such as one’s marital status, sexual orientation, health status and ethnicity. Further, the Act restricts transfer of personal data to parties outside Kenya. Data controllers and processors are required to obtain permission from the Data Commissioner before transferring such data outside the country and provide proof of sufficient safeguards against misuse of the information.

Mr Ezekiel Macharia, managing director of insurance brokerage firm Kenbright Holdings, projects a surge in uptake of cyber security cover by firms keen on avoiding liabilities under the new law. “Cyber insurance has been there for a while, mostly as a protection against hacking and protecting data, but now increasingly it will cover the legal implications should the company be penalised. Legal liability is growing; for example, if a hospital treated a prominent person and its system gets hacked, leaking his or her data on cancer or HIV, the legal liabilities can be huge,” he said.

Improved uptake of data-driven products could be a boon for insurance, which has since last year recorded improved demand for cyber security products, driven by companies keen on limiting the vulnerability of their systems to hacking as employees worked remotely to curb the spread of Covid-19.

“In terms of trends it has grown so much during the Covid-19 pandemic as people worked from home and vulnerabilities increased with no close network,” Mr Macharia said. In Kenya, cyber insurance has mostly concentrated on hacking, recovery of data, and its protection. Premiums are usually set at between one and two per cent of the revenues, depending on the size of the corporate.

Mr Gichuhi said the firms in Kenya are developing products on data-driven insurance to help clients conform to the Data Protection Act.

“This is something people need to start thinking about, I know it is still early, the guidelines are still being developed and evaluation of the risk is still a work in progress. This is a new development and will open new areas for potential cover but for now, I do not think we have developed any products for this kind of exposure,” the AKI boss said.

Apart from the projected surge in data-driven insurance uptake, the Data Act has also triggered a boom in data protection and analytics officer jobs in Kenya as corporates scramble to hire software and privacy experts in a race to comply with the law.

Industry inquiries showed that insurance and tech firms have also stepped up a chase for the signatures of the now most sought-after workers, triggering a jobs boom for software and privacy experts in an environment where overall hiring has remained subdued due to the economic fallout of Covid-19.

Section 24 of the Act allows data controllers and data processors to appoint a data protection officer who may be a staff member whose role includes advising on compliance with the Act.

All entities whose core activities entail substantial monitoring or processing of personal data have been forced to hire experts to avoid privacy breaches that could lead to hefty fines.

According to the sustainability report of Safaricom, the country’s largest telco, it conducted 36 investigations into alleged fraud, dismissed 28 and warned 19 employees. One case was taken to state authorities for further action. The majority of the cases (22) flagged by Safaricom related to data privacy, with eight involving breach of policy and four SIM swap cases, while two cases involved asset misappropriation.