The Unacknowledged Costs of Non-Compliance
I do a post-mortem on what happens when poor data quality leads to a data breach & disillusionment.
Today, I want to share a story about data quality, data breaches, and disillusionment. It’s a personal story. For anyone who reads this blog regularly, you may remember how in November, I shared a sad tale about how bad data caused me to lose my homeowner’s insurance.
A quick summary: Due to a combination of human error, inefficient or buggy manual processes, and shitty communications, Chill Insurance (my insurance broker) and Liberty Insurance (the underwriter), accidentally cancelled my homeowner’s insurance policy and forgot to tell me about it. Twice.
I only discovered the second occurrence when I needed to get my roof repaired and was told my policy had lapsed. I spent the month of November trying to get the policy reinstated. I also notified Chill Insurance (and the Irish Data Protection Commissioner) in January that the errors that had occurred amounted to what I believed was a reportable personal data breach under the GDPR.
Later that month, Liberty acknowledged partial fault, and sent me a goodwill / go away check, and I discussed my progress as a data subject crusader here:
It’s worth noting that, to their credit, Chill owned up to their own errors quickly after I brought it to their attention in November. There’s absolutely no dispute between us that the loss of my coverage was due to a combination of human & technical failures directly related to how Chill processed my insurance policy and renewal payment, and how they communicated that to the underwriter. They reiterated as much in a “Final Response Letter” I received on March 7. I’ve quoted and highlighted the relevant bits below:
We identified that the issue originated from the processing of your renewal premium payment in 2022. On the 1st September 2022, you made an online payment for the forthcoming policy term. All premium payments received require manual processing on our system to effect cover. Your payment was processed by an agent who failed to execute this process correctly. Payment was posted to your file, and the policy status was manually updated incorrectly. Due to this, Liberty was not made aware that the policy was renewed. As a consequence of the incorrect status, on the 16th October 2022 the system did not recognise the premium as paid, and the policy was automatically lapsed and issued a communication to Liberty to this effect.
In March 2023, during an account’s reconciliation, Chill noticed the aforementioned error and took steps to rectify the discrepancy between our accounts. Chill provided proof of payment to Liberty and policy was manually reinstated. Regrettably, due to agent oversight your policy status was completed incorrectly again. The result of this error meant the policy was not listed within our control process for your renewal in September 2023. As your policy was not contained in our control process, we failed to chase Liberty for your 2023/2024 renewal terms and the policy lapsed with effect from 16th September 2023. We sincerely apologise for this oversight.
They also did compensate me for the cost of the policy premium, “as a gesture of goodwill.” So, you might be wondering, why am I writing yet another blog article on this? The short answer is that my victory was only partial. And what we disagree on — whether their errors constituted a personal data breach — feels substantial to me.
Accuracy Matters
When I wrote the original post in November, I observed that this wasn’t just a series of unfortunate events or ‘oversights’, but a glaring example of poor data quality and accuracy impacting the integrity of data, a foundational part of GDPR’s Article 5 principles. Article 5(d), the “accuracy principle”, emphasizes that personal data must be “accurate and, where necessary, kept up to date”. When data isn’t accurate, controllers should take “every reasonable step” to ensure that inaccuracies are rectified without delay.
Accuracy ultimately touches on the integrity of data, which is covered by Article 5(f) GDPR.[1] That principle (referred to as the ‘integrity and confidentiality’ or ‘security principle’) states that in order to be lawful, personal data must be processed in a manner that ensures adequate “technical and organisational” measures are in place that protect against ‘accidental loss, destruction or damage’ to personal data.
Accuracy ties into integrity because if you have garbage, incorrect, or flawed data, your data ceases to be a truthful representation of reality. It’s also not very useful. We see that every day when someone posts an example where an LLM spits out botshit. For example, we all know that there were likely no Asian or Black Nazis roaming around Germany in 1943:
But inaccuracy and data integrity issues can also translate to real harms. People make bad choices with inaccurate data. Bad data can lead to massive business losses, and can have profound impacts on people’s livelihoods, creditworthiness, and healthcare outcomes.
When data failures affect the confidentiality, integrity, and availability of personal data, we refer to those failures as personal data breaches.
What’s a Personal Data Breach Again?
A “personal data breach” under the GDPR refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”[2] The steps I’ve identified in bold are considered processing activities. The concept of a ‘breach of security’ is broad under the GDPR. Essentially, this means anything that impacts the confidentiality, integrity, or availability of personal data, and includes all the dirty hacker stuff you’d expect (cyberattacks, ransomware, theft), but also unintentional or accidental harm to personal data. For example—
a hospital accidentally deletes or misplaces your medical records (loss of availability of personal data);
a mailing list provider shares the email addresses of a group of domestic violence survivors by including addresses in the cc: line (loss of confidentiality of personal data);
an insurance broker incorrectly records that payment was not received for an insurance policy and discloses the policy as lapsed to the underwriter, leading to the cancellation of coverage (loss of integrity of personal data, and availability of coverage).
In order to ensure that data is adequately protected/secured, controllers must have appropriate “technical and organisational measures” (TOMs) in place to protect against threats and harms.[3] TOMs include physical controls (locks, cameras), logical controls (encryption, access controls), detective controls (logging & monitoring), but also organizational measures — training, awareness, a ‘four-eyes’ process for manual processes, etc. Under the GDPR, controllers also must have processes in place for testing, assessing and evaluating the effectiveness of their TOMs, and restoring or recovering when something goes wrong.
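A detective control of the kind described above, as an added example (not Chill’s or Liberty’s code): a reconciliation over a constructed policy file that flags the two inconsistencies the Final Response Letter describes (payment posted but status never set to renewed; reinstated policy missing from the renewal control process), plus any manual status change that lacked a second, different approver. The schema, status names and sample rows are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PolicyRecord:
    """One row of a broker's policy file (constructed schema, not Chill's)."""
    policy_id: str
    renewal_date: date                  # date the system auto-lapses unpaid policies
    premium_paid_on: Optional[date]     # payment posted to the file, if any
    status: str                         # 'pending', 'renewed', 'reinstated', 'lapsed'
    in_renewal_control: bool            # listed in the renewal chase process
    status_changed_by: Optional[str]    # agent who manually set the status
    status_approved_by: Optional[str]   # second approver ('four-eyes'), if any


def reconcile(records: list[PolicyRecord]) -> list[tuple[str, str]]:
    """Return (policy_id, finding) for every integrity inconsistency found."""
    findings = []
    for r in records:
        # Failure 1: premium posted for the term but status not active, so the
        # system will auto-lapse at renewal_date and tell the underwriter the
        # policy was not paid.
        paid_for_term = r.premium_paid_on is not None and r.premium_paid_on <= r.renewal_date
        if paid_for_term and r.status not in ("renewed", "reinstated"):
            findings.append((r.policy_id, "paid-but-not-renewed"))
        # Failure 2: active policy missing from the renewal control process,
        # so nobody will chase the underwriter for next year's terms.
        if r.status in ("renewed", "reinstated") and not r.in_renewal_control:
            findings.append((r.policy_id, "not-in-renewal-control"))
        # Organisational measure: a manual status change needs a second,
        # different pair of eyes; self-approval does not count.
        if r.status_changed_by and r.status_approved_by in (None, r.status_changed_by):
            findings.append((r.policy_id, "manual-status-change-not-four-eyes"))
    return findings


# Constructed sample file mirroring the letter's two incidents plus a clean row.
SAMPLE_RECORDS = [
    PolicyRecord("P-2022-TERM", date(2022, 10, 16), date(2022, 9, 1), "pending",
                 True, "agent-a", None),
    PolicyRecord("P-2023-TERM", date(2023, 9, 16), date(2023, 3, 10), "reinstated",
                 False, "agent-b", "agent-b"),
    PolicyRecord("P-CONTROL-OK", date(2023, 9, 16), date(2023, 8, 20), "renewed",
                 True, "agent-c", "supervisor-d"),
]


def run_example() -> list[tuple[str, str]]:
    """Run the daily reconciliation over the constructed file."""
    return reconcile(SAMPLE_RECORDS)


if __name__ == "__main__":
    for policy_id, finding in run_example():
        print(f"{policy_id}: {finding}")
```

Run daily against the live file, this check would have surfaced the September 2022 status error weeks before the 16 October auto-lapse, rather than at an ad-hoc accounts reconciliation five months later.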
Finally, if a personal data breach does occur, controllers must notify supervisory authorit(ies), “without undue delay” after they become aware of the breach (which is to say, after they discover or are notified that something went wrong), unless it’s “unlikely to result in a risk to the rights and freedoms of natural persons.” In non-legalese, this means ‘Did the affected person(s) suffer harm?’ and includes everything from identity theft, extortion, financial loss and discrimination, to loss of control over the data, loss of access to data, and even fear or stress about the possible consequences of the breach. If there’s really no or a low risk of harm, the controller still needs to document that a breach occurred, and internally explain why the event wasn’t reportable.
Chill Dies on the Hill of ‘Not a Data Breach!’
From my perspective, Chill’s actions undeniably qualify as a personal data breach. Chill’s Data Protection Officer disagreed, but failed to explain why. This is what they told me:
However, having consulted with our data protection officer on the points raised and having reviewed the details of the events, we do not believe that the instances which occurred constitute a personal data breach as defined in article 4(12) of the GDPR.
So let’s unpack this. For the sake of Chill’s DPO, fellow data protection colleagues, interested readers, and the Data Protection Commission (who seem to be slow/no-walking my complaint), I’m going to break this down step-by-step. This is how I approach assessment of a data breach on behalf of my clients. If the answer to any of these is no, then yeah, it’s likely not a reportable data breach. For fairness, I will be relying on the statements Chill provided in their answer above.
Is personal data involved?
I have an insurance policy that covers my home.
It contains personal data about me, including my name, address, date of birth, phone number, and crucially, whether I have timely paid the premium on my policy. The policy would be viewed as personal data within the GDPR’s scope.
Is the entity a controller? Are they processing personal data?[4] As it relates to their own policy and claims processing, Chill is a controller of data about my policy. They are also likely a controller in relation to interactions with Liberty (though Liberty is also a controller in its own right). As a controller, Chill undertakes (and failed at) a number of processing steps regarding my policy:
a manual process for storing and recording payments:
‘All premium payments received require manual processing on our system to effect cover’;
multiple communications/transmissions to the underwriter:
‘Liberty was not made aware that the policy was renewed’
‘[We] issued a communication to Liberty to this effect’;
Was there a breach in security? Accidental alteration, arguable loss, and transmission of inaccurate information occurred as part of Chill’s processing. Human errors also occurred:
‘an agent [] failed to execute this process correctly’
‘the policy status was manually updated incorrectly’
‘Regrettably, due to agent oversight your policy status was completed incorrectly again.’;
Were TOMs effective? Were they being tested? The TOMs that Chill has in place to ensure integrity, availability, and accuracy of my policy information were not being followed, which is why my policy fell into manual purgatory for months. The TOMs were likely not being tested, assessed, or evaluated for at least five months. That means for five months, Chill had no idea whether their processes were working as intended, or whether they could meet their obligations under the GDPR.
‘In March 2023, during an account’s reconciliation, Chill noticed the aforementioned error and took steps to rectify the discrepancy between our accounts’;
Did this breach cause harm (or is it likely to cause harm) to an individual? As a result of these failures, my policy lapsed on two different occasions, and I lost coverage. Had something occurred in that period (my house burning down, a slip and fall) I would have been entirely on the hook. My losing coverage led to a ton of anxiety and lost time spent from November until now trying to get it reinstated, and dealing with the post-breach issues like poking the DPC, trying to get Chill to acknowledge fault, sending angry letters to Liberty, etc. If I’d had a mortgage on the house, I also would have been in breach for not having insurance.
Was the risk or harm due to Chill’s ineffective controls? Yes. Yes, it was:
‘As a consequence of the incorrect status, on the 16th October 2022 the system did not recognise the premium as paid, and the policy was automatically lapsed and issued a communication to Liberty to this effect’;
‘[Your] policy was not listed within our control process for your renewal in September 2023. As your policy was not contained in our control process, we failed to chase Liberty for your 2023/2024 renewal terms and the policy lapsed.’
‘We recognise that this issue resulted in a period where you were left without insurance on your property at a time when you needed it most.’
Yes, This is All Very Much a First-World Problem
I realize that this seems pointlessly academic/dramatic to most people. Who gives a shit if Chill doesn’t report this as a personal data breach?! What difference does it make? You got your money, now shut up you whiner, etc., etc.
In the grand scheme of things, it’s true, it probably doesn’t matter. Chill and Liberty have provided a full apology and compensation for what happened. Wrongs have been made right. I’ve won.
And it wasn’t as if I suffered nearly as much as I could have. My house didn’t burn down. I didn’t have a contractual obligation requiring me to maintain homeowners’ insurance. All in all, my losses as such are few — I’ve given up about 30 hours of my life doing battle with phone trees and apologetic, but mostly powerless customer support people, and I was stressed for a few weeks while everyone was initially screaming ‘not-it!’ in the Blame Game. But that’s resolved.
Despite all of this though, it feels unsatisfactory that they fought me on the breach issue, in part because I worry that by writing this off as something other than a data breach, they minimize the harm these data quality and process failures cause to real people. Rightly or wrongly, data breaches seem to be treated as much bigger affairs by organizations & sometimes even regulators. I’m concerned that by declaring this to be something else — harmless human error, a simple technical problem — they’ll do what so many others do with such things — reprimand the employee, add a note to a risk register somewhere, and then … drop it on the floor. They won’t improve their processes, learn from the error, or try to keep it from happening again.
I’d be remiss if I didn’t add that this probably weighs more on me now than it would have before. Last week, I spoke at the Castlebridge Data Leaders Summit in Wexford. The conference was a small, informal Chatham House Rules sort of affair, and it was a great opportunity to do a little public speaking in a very friendly environment. But I haven’t been able to shake one comment that was shared by a fellow participant. It was about the role of Big Tech and how most people don’t care, and are happy to let the likes of Meta, Google, TikTok and others step all over their rights. We just let companies get away with violating rights out of apathy, they complained.
The thing is, I don’t necessarily agree. I don’t think it’s indifference so much as resignation. We are confronted daily with the realization that success is impossible, or at least damn near so — a burden that isn’t achievably met by mere mortal humans. Corporations are unfeeling, uncaring things. We are the product, not people. The harsh reality is few profit-making entities will change out of benevolence, principle, or because it’s the right thing to do. What motivates them is either forced action (by a regulator, or their shareholders), or a recognition that the badness will affect their bottom line. What’s frustrating as a practitioner in this field is that while I did ‘fight the man’ I don’t feel like it will positively change anything. And I’m coming at this from a relatively privileged position! I knew what to argue, who to complain to, and what to complain about. Many others, particularly those who don’t have the time, energy, knowledge, or resources to yell at insurers for a month might not be so fortunate.
I’m also annoyed that the DPC seems unwilling to pursue what seems like an obvious personal data breach against a company that isn’t complying with the law. I’m annoyed that I literally spelled out the argument, demonstrated the breach and harm, and pointed to the law and their own decisions, and yet… have gotten nothing but radio silence. I don’t think they’re doing it out of malice or intent. The truth is it’s because the DPC, like many regulators, doesn’t have the time and resources to pursue the vast majority of complaints that end up on their doorstep.
The same manual and human errors that plagued my renewal have happened before, and are very likely to happen again. For Chill, it’s sensible to conclude that this isn’t important or worthy of change because the cost of non-compliance is substantially lower and less impactful on the business compared to actually fixing the problem. Change costs money, time, cultural buy-in, and effort — quite a bit more, I suspect, than the rounding error of a few hundred euro it cost them to pay me off.
Really, I’m frustrated that the impact and harms suffered by individuals due to bad data quality, inaccuracies, and non-accountability are treated as an externality and forgotten; they rarely show up as a line-item on a balance sheet. The punter at the conference was right that most people don’t act, but they were wrong about why. We all have stories like this, either personally or in connection with people we care about — challenges dealing with companies who have made the calculus that it’s better to think of shareholder value than customer well-being. Run-ins with big tech, large institutions, or governments that seem monolithic. Against that, it’s hard to feel empowered or motivated to act.
Short of me spending €10,000+ to lodge a complaint in court, I’m mostly out of options. I could complain to the Financial Services & Pensions Ombudsman's Bureau here in Ireland, but I suspect that it will yield about as much success as the DPC. I could keep trying to force Chill’s DPO to take this seriously. I could (theoretically) go to the press.[5] But beyond that, I’ve hit the end of the line and the addressable issue won’t be addressed. And that sucks.
I should encourage others to fight. Otherwise it will just get worse. And my story is at least more of a success than it could have been. And yet, I don’t feel triumphant.
[1] However, the security principle is actually broader than preventing ‘accidental loss, destruction or damage’. If you look at related aspects, such as the definition of a ‘personal data breach’ under Article 4(12), and Article 32’s ‘Security of Processing’ obligations, controllers are also required to take reasonable measures to prevent ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data…’. Article 32 additionally requires controllers to make appropriate efforts to ensure ‘ongoing confidentiality, integrity, availability and resilience of processing systems and services’. Finally, the DPC helpfully reminds us in ‘A Quick Guide to GDPR Breach Notifications’ that a security incident is anything that ‘negatively impacts the confidentiality, integrity, or availability of personal data’ if the controller is unable to ensure compliance with the processing principles of Article 5.
[2] Article 4(12) GDPR.
[3] This is outlined in Article 32 GDPR.
[4] Processors aren’t off the hook for handling data breaches, but their obligations largely extend to what the controller requires of them, plus notifying the controller without undue delay.
[5] I say theoretically here because in Ireland, the only way anyone gets press interest is if it’s tragic or you’re connected.