Smart Homes: Are P&C Providers Ready for The Privacy and Security Challenges?

Smart home devices offer unparalleled opportunities to prevent or mitigate damage, but they also pose a minefield of risks.

On one hand, smart home devices could revolutionize risk assessment and prevention in P&C insurance because they can monitor building operations and send early warnings. Yet insurers must also be prepared for the privacy and security concerns these devices raise.

Here’s what insurers need to know about the current state of smart home devices — and how, as a means to prevent loss, they can offer great hope to insurance companies.

What Security and Privacy Risks Do Smart Home Devices Pose?

In May 2018, an Amazon Alexa smart speaker recorded a family’s conversation and sent it to a contact in the family’s address book, Gary Horcher of KIRO News reports.

The family didn’t know the recording had been made or sent until the recipient contacted them to tell them it had happened. And while Amazon pledged to fix the problem immediately, the family was never told exactly why or how it happened in the first place.

Smart home devices have been identified as a weak point in many home cybersecurity systems. Unlike connected tablets, laptops and gaming systems, many smart home devices don’t update their operating systems or security software automatically, David Nield at Gizmodo notes.

Unless users update the devices themselves, smart home tools, like thermostats, can become weak points in the household’s cybersecurity network. This leaves other connected devices open for exploitation.

“Every device in your smart home, anything with even the smallest piece of firmware and a networking capability, can become compromised,” Dan Sung says at the Ambient.

Sometimes, the hacker’s goal is to collect information about the people inside the connected home. That’s what happened in the case of a baby monitor hacked in Houston in 2013, allowing hackers to listen in on the family and speak to them, Alana Abramson reports for ABC News.

Sometimes, the goal is to harness the devices to launch an attack on someone else online, as in a 2016 DDoS attack that hacked millions of smart devices worldwide,cybersecurity expert Brian Krebs explains.

The malware used in that attack “scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”

How Customers Respond to Privacy and Security Risks

Smart home devices pose a paradox for insurance companies. On one hand, customers are excited about the devices: 75 percent would like to purchase smart home devices from their insurers in exchange for lower premiums or deductibles, and 40 percent would switch insurers for a free smart home device, Pamela Simpson says in Insurance Journal.

Yet the hype around smart home devices doesn’t always match adoption. “U.S. consumers want the benefits of smart home devices, yet don’t feel entirely comfortable with the intangible costs,” Nicholas Shields says at Business Insider. These intangible costs include privacy and security.

A recent survey from the Insurance Research Council found that one in four homeowners and renters would not allow their insurance company to receive information from their smart home devices. Security, privacy and information control were the top concerns for these respondents, Denny Jacob says at PropertyCasualty360.


The Privacy Paradox: Can Smart Devices Bridge the Gap?

Although users are deeply concerned about privacy, they don’t always act to protect it on personal devices like phones and tablets. In a literature review published in the November 2017 issue of Telematics and Informaticsresearchers Susanne Barth and Menno D.T. de Jong refer to the discrepancy between belief and behavior the privacy paradox. They note that few users undertake a risk evaluation or a risk assessment, leaving the onus on the device creators to do so.

When it comes to smart devices for the home, however, some users are taking privacy into their own hands. For example, after surveying 2,000 smart home device users, enterprise technology provider Ooma learned that 72 percent of respondents were concerned that home security companies would use smart security systems to invade the family’s privacy, Jim Gustke of Ooma says. Yet many of these respondents took steps to mitigate the risk: 23 percent turned off their smart home devices completely when guests were visiting.

The families that turn off smart devices for privacy’s sake demonstrate that smart home devices might be the missing link between our strong instincts for privacy in physical spaces and our comparatively weak instinct for privacy in virtual spaces, Fen Zhao says at TechCrunch. Making digital privacy a component of the physical home increases homeowners’ impulse to protect their privacy, leading to a more proactive approach to device security.

Privacy and the Insurance Industry

Concerns about privacy and security have been pressing issues for the insurance industry for fifteen years or more. As early as 2003, Gary E. Clayton notes that insurance companies faced risks like “damaging media episodes, costly litigation and consumer demand” surrounding privacy and security, and that insurers ignored the concerns at their peril.

Today, concerns about smart home devices are just one of the many nodes around which the conversation about insurance customer data centers. Laws like California’s Consumer Privacy Act of 2018 require companies to tell customers what personal data they’ve collected, why it was collected and what third parties received it.

The Consumer Privacy Act also creates a private right of action “in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.” In other words, consumers in California will have standing to sue when companies lose their data to hackers.

Insurance companies have already begun to face litigation in connection with their own security procedures surrounding customer information, as in the case of Galaria v. Nationwide Mutual Insurance Co. While Galaria was dismissed for failure to state a claim, similar cases with a stronger legal footing could proceed.

Laws like the Consumer Privacy Act of 2018 also raise the possibility that insurance companies will be drawn into litigation surrounding security breaches from the hacking of smart home devices, whether as parties or through provisions in homeowner’s and renter’s insurance policies.

“From an insurance perspective it certainly creates the potential for more liability for companies and therefore for their insurers,” Joan D’Ambrosio, a partner at San Francisco law firm Clyde & Co., says of the new California law.

Stricter data access rules like the California law and Europe’s GDPR have the side effect of limiting the data available to insurance companies, which in turn can affect underwriting quality. “As insurers, data is the foundation of everything we do. We would certainly be nervous about the introduction of a law that might deny access to the data we need to underwrite our products effectively,” Nat Wienecke of the Property Casualty Insurers Association of America says.


How Insurers Can Manage the Risks of Smart Home Devices

One of the top industry concerns about smart home devices focuses on how insurance companies will use smart home device data.

States like South Carolina and Rhode Island have begun considering new rules focused on cybersecurity within the insurance industry, Peter A. Kurtz and Craig A. Newman of Patterson Belknap say. New laws in these jurisdictions may require insurance companies within their boundaries to adopt formal data security safeguards for the customers’ own data.

While these laws likely will not address P&C insurers’ promotion of smart home devices specifically, both these rules and the smart home devices fall into the realm of customer data security overall. To address real-world scenarios that aren’t covered by the law, customers may turn to the courts.

“Regulatory rules generally take a while to catch up,” Jack Gavigan of Zcash says. He notes that information security experts have a responsibility to help insurers and other interested parties understand the risks that connected home devices can pose to the physical safety and privacy of those who use them.

Insurers, in turn, can help protect themselves and their customers by providing information on security risks and how to manage them. Many customers are unaware how data is stored, retrieved or sold, Wienecke says. By improving their awareness, insurance companies can empower customers to protect their own data from loss, reducing potential liability.