The IFED hopes to prosecute unscrupulous claims management companies - what are the potential issues for insurers?

Where claims management companies are using inducements to obtain information from insurers’ employees, criminal prosecutions under section 7 of the Bribery Act may follow, and insurance companies may have exposure in relation to data protection breaches. 

The Insurance Fraud Enforcement Department (IFED), the specialist police unit dedicated to tackling insurance fraud, has announced an intention to target those unscrupulous claims management companies using inducements (of various kinds and values) to extract information from employees at insurance companies, often junior claims handlers. Section 7 of the Bribery Act makes it a criminal offence for a commercial organisation to “fail to prevent” a person from bribing another for the benefit of the organisation. An organisation will have a defence if it can prove that adequate procedures designed to prevent such conduct were in place. Any prosecution of a company would therefore be brought against the claims management company as the payer of the bribe, but other issues are raised for the insurance company.

For the insurance company, while the employees who have received inducements in exchange for information can be prosecuted personally, the section 7 offence would not apply as the bribes were not paid for its benefit. Leaving aside the question of dealing with any (possibly systemic) employee misconduct, and the possibility of FCA action over inadequate controls, there may be other troubling issues for senior management in this context, namely the breach of data protection rules. Insurance companies are exposed to the extent that their employees are handing out “personal data” to third parties.

Insurance companies (and indeed any associated entities who are controlling or processing data of this type and may be subject to approaches from claims management companies) should be aware of their obligations as regards protection of personal data. The Data Protection Act (DPA) requires personal data only to be obtained, and then used, for specified and lawful purposes. It must be processed “fairly and lawfully”. Insurance companies, as “data controllers” (in that they “determine the purposes for which and the manner in which any personal data are processed”), are required to ensure that “appropriate” measures are taken to secure data, subject to technological development and cost (DPP7 of the DPA). In our article here we consider the decision in Various Claimants v WM Morrisons Supermarket plc, in which the supermarket chain was found vicariously liable for the acts of a rogue employee who copied and shared other employees’ personal data, despite a finding that most of the organisation’s systems and controls were adequate and appropriate under the DPA. Our article here also highlights the risk when insurance companies share data with third parties, such as professional service providers, outsourced functions, IT support or cloud data suppliers.

The new EU General Data Protection Regulation (GDPR) regime, which comes into force in May 2018, will expand upon the current rules. Organisations, to the extent they have not already done so, will have to implement appropriate technical and organisational security measures to ensure protection of any personal data being processed. Key points to note about the new regime include:

  • Increased sanctions: penalties for infringements include fines of up to €20m or 4% of an enterprise's annual worldwide turnover of the preceding financial year, whichever is greater.

  • Heavier administrative burden: companies will need to put in place a significant additional layer of process and documentation surrounding data processing activities. Data controllers and processors will have to, amongst other things, keep records of their data processing activities, individuals concerned and the recipients of data.

  • Data protection impact assessment: companies must conduct (and document) an impact assessment in relation to data processing that is likely to result in a high risk to the rights and freedoms of individuals due to its nature, scope, context or purpose.

  • Data breach notification requirement: in the case of a data breach, the company responsible for the data will have to notify the applicable data protection authority without undue delay and, where feasible, within 72 hours of having become aware of the breach.

A focus on potential bribery claims involving employees of insurance companies may lead to uncomfortable questions about data protection for their employers. Our GDPR microsite outlines the key aspects of the GDPR in more detail and offers tools and guidance as to what must be in place by May 2018.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.