Privacy and wearable technologies - A POPI dilemma?
As technology becomes less of a utility and begins to retain intelligence about who we are through wearables, organisations will begin to invest in such technologies to gain competitive advantage and consumer insights through what has become “human telematics”.
As consumers increasingly demand meaningful, personalised communications and engagement with their insurance providers through seamless platforms such as wearables, insurers will, by necessity, be required to integrate wearable technologies into their product offering to retain their competitive edge. Technological integration positively impacts both insurers and consumers. However, we need to “draw a line in the sand” between utility and the right to privacy so as to avoid over-reaching privacy invasions.
Rapid innovations in technology, falling costs in the unit price of devices, and a general social trend toward health by tech-savvy consumers, are largely held to be the drivers of the increased demand for health-related wearables. Ian Chen, a marketing manager at Freescale Semi-Conductors Sensor Division, believes that “by 2025, there will be more data generated from sensors and devices than all of the data being generated today from every source.”
With increased demand comes a highly competitive market with new and old entrants battling it out to produce better, more accurate and more useful wearables. The pace of innovation and demand in this space is increasingly leading to concerns over privacy and inadequate security safeguards as development outstrips legislative and regulatory requirements. However, there is a further commercial benefit that insurers have been quick to leverage at the risk of potentially invading the privacy of their policyholders and users.
Security and privacy
Wearables present multiple attack vectors, in that they often require data to be transmitted to a processing application typically housed on a smart device such as a phone, tablet or computer. Furthermore, applications may store the data online. Gary Davis, the Chief Consumer Evangelist at Intel Security, believes that the data collected through wearable devices “is worth 10 times more than that of a credit card on the black market.”
Reviews by various security firms have found multiple vulnerabilities in wearable devices and related applications. These range from exposed login credentials and network sniffing (wherein data transmitted from the device is visible to potential attackers) to being able to monitor a user’s location through the device’s tracking mechanisms and public networking capability. It is worth considering the security risks of wearables when linked to smart devices.
Careless users may leave their wearable or smart phone unattended, where any person may pick it up and peruse the data stored thereon. Wearables themselves are not typically password protected or secured, and smartphones and other devices are only as secure as their lock screen password, if enabled.
Future concerns include the susceptibility of the Internet of Things to cyber-attacks. While not currently viewed as a serious problem, it is poised to become one as smart devices, wearables and other smart appliances become more widely adopted, providing would-be thieves with a plethora of information about individuals.
Privacy of the user is closely linked to the security considerations and concerns that are inherent to wearables. Wearables that process health-related information - which may be anything from vital statistics to sleeping patterns - and track user locations, require additional safeguards to be in place to ensure the protection and lawful processing of such information in accordance with various legislation and regulations in place worldwide. However, despite the number of countries with laws regulating the use of personal information, few laws holistically address the collection, storage, use, sharing and disclosure of personal information obtained through wearables.
Globalisation provides another facet of complexity. Wearables and applications developed in one part of the world are quickly made available worldwide. Many countries have established privacy laws which regulate the processing of personal information, including health information, and in some countries more stringent safeguards to ensure the privacy of individuals’ health-related information (such as HITECH in the United States) would need to be considered.
Furthermore, some countries require mechanisms to be in place to protect personal information that is transferred across borders. Through increased accessibility of wearables and related applications globally and the differing legal requirements for privacy between countries, challenges are presented to both users and service providers to determine the applicable legislation and regulatory framework that is to be applied.
Breaches of personal information held by organisations, especially health-related information, are also a concern. In 2014, the top five health-related breaches in the USA alone affected 7.4 million individuals. Breaches of personal information are not only costly to the organisations responsible for the data – as highlighted in a recent IBM study which estimated the average cost of a breach to companies was US$3.5 million – but also to the individual whose sensitive health information becomes public or falls into the wrong hands.
Another emerging phenomenon regarding the theft of health information is medical identity theft, which is the use of stolen medical details to obtain medical care, buy drugs or submit fraudulent billing to medical aid schemes. Medical records are worth up to US$50 per record on the black market, which, when compared to US$1 per stolen credit card record, indicates why medical identity theft is so lucrative. While data coming from your fitness band or glucose meter may not be as valuable as your electronic health record on the black market, users of wearables and their related applications need to be aware of the pervasive nature of the health information being collected and stored about them, and what a breach of that information might mean.
With health-related information fetching such a high price on the black market, and cybercrime already a problem, it probably will not be long before medical identity theft and other health data-related crime become prevalent in South Africa. While South Africa has enacted legislation to protect the privacy of individuals and electronic transactions, such as the Electronic Communications and Transactions Act (ECT) and Protection of Personal Information Act (POPI), cybercrime is often difficult to detect, and identifying and apprehending the culprit even more so.
What does this mean in the South African context?
South Africans have also been swept up in the wearable fever. Fitness bands, for example, are common features in public and in the workplace. Large insurers and medical aid schemes offer incentives to members who buy and use wearables and share the related health information with the organisation. In turn, this information is utilised in profiling and incentivising policy holders and scheme members. The benefits of the technological integration are multi-faceted and present opportunities for consumers, insurers and medical aid schemes alike.
Imagine an insurer or medical aid scheme being able to calculate, in real-time, the risk profile of its policy holders and members and provide competitive premiums based on the health profile of each of its policy holders or members uniquely. This not only incentivises members to lead healthy lifestyles but enables the insurer and medical aid scheme to accurately quantify and underwrite its risk exposure. From a consumer perspective the benefits are numerous and range from customised premiums, as well as health-related savings and promotions, to early warning of possible health risks enabling more relevant, just-in-time treatment.
Privacy awareness in South Africa is still in its infancy. However, there are currently several pieces of legislation that provide a framework to understand the rights and obligations of the user, service provider and other parties, where personal information is concerned. Policy holders and scheme members will need to become more astute as to the purposes for which their personal information, health-related data, and other data collected through wearables provided or utilised by insurers and medical aid schemes is processed to ensure that their privacy is not unreasonably infringed.
All organisations integrating new technologies into their day-to-day interactions with consumers, like insurers and medical aid schemes, will need to start considering the privacy impact of adopting these technologies and the consequent business, consumer, and compliance risks.
Organisations should consider the privacy impact in light of the following:
- nature of information processed (i.e. health information);
- how the information is collected, used and why the organisation requires it;
- where the information is located and volume of information retained;
- who has access to the information and whether it is shared with third parties; and
- the legal obligations in respect of the information.
Based on this assessment, the organisation will be able to accurately determine the privacy impact of adopting technology such as wearables and, most importantly, where to “draw a line in the sand.”
© 2022 KPMG Services Proprietary Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.