When Bad Data Happens to Good People
"Oh, the tangled webs we weave when first we fail to ensure integrity..."
For this week’s piece, I want to keep it real. I’m going to tell you a story of how a seemingly simple data glitch can cascade into a Kafkaesque nightmare. A real ‘it happened to me’ event.
This is the story of my ongoing saga with Chill Insurance and Liberty Insurance, a drama rife with data quality mishaps, automated decision-making fails, and a house left uninsured. Maybe Kafkaesque is a little strong, but it really has been a royal pain in the hole, and cost me days of stress and angst. Buckle up, it's going to be a ride.
A Policy Lost in Digital Limbo
Our story opens on a cold November morning. A few weeks ago, after a pretty substantial rain, I discovered not one, but two roof leaks. Such is the state of living in Ireland, in an old house that had been renovated by dodgy cowboys in 2020. Dutifully, I called a roofer. And then I called my insurance broker, Chill Insurance. On that day, I learned a few things:
Chill’s customer service music is enervating, especially when you’re on hold for hours.
There are apparently 5 people who work for the company.
But more importantly, I learned that my home insurance policy, which I had thought was valid, had mysteriously lapsed. Now, to be fair, my spidey senses should have figured something was up. My policy normally renews in September, yet I received no notice. At the time, I was travelling, and figured that maybe my policy had been renewed automatically with a card on file. I mean, Chill and Liberty wouldn’t just drop a paying customer without notice of something, would they?
It turns out that hadn’t happened, and while my policy wasn’t cancelled per se, it ended up in a hellish limbo state, neither active nor cancelled. All of this was due to a series of data quality and accuracy errors which began in 2022.
In September 2022, Chill’s automated systems recorded that my policy had lapsed due to nonpayment (despite confirming to me that my renewal and payment had gone through). They then reported that lapse to Liberty (the insurer), and Liberty cancelled my policy. To their credit, Chill realized their mistake relatively quickly in 2022, corrected the screw-up with Liberty, backdated my policy coverage, and manually updated my account to reflect this change.
At no point, however, did Chill inform me of any of this.
Chill’s manual updating process is apparently not great, a point that was repeatedly acknowledged by various apologetic Chill managers. More importantly, as these things sometimes do, their manual processes don’t play nicely with their renewal automation at all. So when August 2023 rolled around, nothing reported that my policy was up for renewal. I still had coverage (until September 15), but my policy was neither living nor dead in their system. Nor did it appear to be living or dead in Liberty’s systems, so nothing flagged that my (still then) active cover was soon going to end.[1]
I suspect that if I hadn’t noticed, I’d have never found out at all. Well done, everybody. If Kafka were alive, and decided to write about insurance, he’d have some ripe fodder with this case.
To date, despite some apologies from Chill managers, Liberty is still debating what to do, and Chill is apparently incapable of resolving this on their own or covering me through another insurer who will backdate the coverage. Right now, I’m out €8,000 for a roof repair that my insurer should probably be covering.
GDPR in Real Life: More Than Just a Bunch of Rules
This debacle isn't just a series of unfortunate events; it's a glaring example of poor data quality and accuracy undermining the integrity of data, a foundational part of GDPR’s Article 5 principles. Article 5(1)(d), the “accuracy principle”, requires that personal data be “accurate and, where necessary, kept up to date”. When data isn’t accurate, controllers must take “every reasonable step” to ensure that inaccurate data are rectified (or erased) without delay. That “without delay” bit is important. It doesn’t mean whenever the controller gets around to it, or can be arsed to do so. Liberty Insurance might want to take a primer course on its obligations. Fortunately, I know a few companies who can help.
But wait, there's more! Enter the world of automated decision-making (Article 22 of GDPR). Like a robot butler gone rogue, both Chill and Liberty's automated systems made significant decisions based on inaccurate data, showing how bad data leads to bad outcomes. This has produced legal or “similarly significant” effects on me. As I noted earlier, the odds of me getting my roof leak covered are low. If my house burns down tomorrow, I’m on the hook as well. Finally, if we had a mortgage attached, we’d likely be in breach of the terms of that mortgage.
Chill also doesn’t mention its reliance on this use of ADM in its privacy statement. It discloses that it relies on ADM when requesting a quote and in the context of operating a vehicle with car insurance cover, but it says nothing about how automated processes also impact renewals. Liberty’s Customer Data Protection Statement isn’t much better. The closest I could find to automated decision-making was in this wall of text:
Finally, there’s a loss of integrity issue, and arguably at least a few potential data breaches in the mix. Under Article 32 (Security of Processing) controllers and processors are required to
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
…
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
…
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
(emphasis added)
Integrity isn’t directly defined in the GDPR, but in the simplest sense, ‘integrity’ refers to the process of maintaining and ensuring the accuracy and completeness of data over its entire lifecycle. It’s pretty clear that both Chill and Liberty failed to ensure the integrity of my policy record. They both repeatedly failed to keep accurate records of my policy status: first in 2022, when Chill reported to Liberty that the policy had lapsed, and then later this year, when both Chill and Liberty failed to send out a renewal notice or to notify me that my policy was going to lapse. Essentially, I lost coverage because they held inaccurate data and didn’t test or assess their automation or data quality processes.
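As an added illustration (not code from the original post, and nothing to do with Chill’s or Liberty’s actual systems), the following Python sketches the two failure modes described above and the checks that would have caught them. A renewal scan that only looks at records whose status is exactly "active" silently skips a manually backdated record left in a limbo state; a validation step run over every record before it is acted on, and before a lapse is reported to the insurer, quarantines the inconsistent records for a human instead. A reconciliation of the broker’s and insurer’s status views is included as the simplest form of the "regular testing" Article 32 asks for. The record layout, status values, dates and sample policies are all constructed for the example.

```python
"""Constructed example: a broker-side renewal scan, a pre-disclosure validation
step, and a broker/insurer reconciliation over policy records. All record fields,
statuses and sample policies are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

KNOWN_STATUSES = ("active", "lapsed", "cancelled")


@dataclass
class Policy:
    policy_id: str
    status: Optional[str]      # one of KNOWN_STATUSES, or None after a bad manual edit
    cover_start: date
    cover_end: date
    last_payment: Optional[date]


def naive_renewal_scan(policies: List[Policy], today: date, window_days: int = 30) -> List[str]:
    """The failure mode: only records whose status is exactly 'active' are
    considered, so a record left in a limbo state is silently skipped."""
    cutoff = today + timedelta(days=window_days)
    return [p.policy_id for p in policies
            if p.status == "active" and today <= p.cover_end <= cutoff]


def validate(p: Policy, today: date) -> List[str]:
    """Cross-field integrity checks; each string names one inconsistency."""
    issues = []
    if p.status not in KNOWN_STATUSES:
        issues.append("unknown_status")
    if p.cover_end < p.cover_start:
        issues.append("cover_end_before_start")
    if p.cover_end >= today and p.status != "active":
        # cover is still running but the record says otherwise: the limbo state
        issues.append("cover_in_force_but_not_active")
    if (p.status == "lapsed" and p.last_payment is not None
            and p.last_payment >= p.cover_end - timedelta(days=30)):
        # lapse recorded for non-payment although a renewal-window payment is on file
        issues.append("lapsed_despite_recent_payment")
    return issues


def renewal_scan(policies: List[Policy], today: date,
                 window_days: int = 30) -> Tuple[List[str], Dict[str, List[str]]]:
    """Hardened scan: every record is validated first; anything inconsistent is
    quarantined for human review instead of being silently dropped."""
    cutoff = today + timedelta(days=window_days)
    due, quarantine = [], {}
    for p in policies:
        issues = validate(p, today)
        if issues:
            quarantine[p.policy_id] = issues
        elif p.status == "active" and today <= p.cover_end <= cutoff:
            due.append(p.policy_id)
    return due, quarantine


def lapse_reports(policies: List[Policy], today: date) -> Tuple[List[str], Dict[str, List[str]]]:
    """Records that would be reported to the insurer as lapsed. Validation runs
    before anything leaves the broker, so an inconsistent lapse is held back."""
    reports, held = [], {}
    for p in policies:
        if p.status != "lapsed":
            continue
        issues = validate(p, today)
        if issues:
            held[p.policy_id] = issues
        else:
            reports.append(p.policy_id)
    return reports, held


def reconcile(broker: Dict[str, Optional[str]],
              insurer: Dict[str, Optional[str]]) -> Dict[str, tuple]:
    """Compare both parties' view of each policy's status; return the mismatches."""
    return {pid: (broker.get(pid), insurer.get(pid))
            for pid in set(broker) | set(insurer)
            if broker.get(pid) != insurer.get(pid)}


# Constructed sample data (assumed, not real policies).
TODAY = date(2023, 8, 20)
SAMPLE = [
    Policy("P-001", "active", date(2022, 9, 15), date(2023, 9, 15), date(2022, 9, 10)),
    # manually backdated after an earlier error; status never reset -> limbo
    Policy("P-002", None, date(2022, 9, 15), date(2023, 9, 15), date(2022, 9, 10)),
    # recorded as lapsed for non-payment although the renewal payment is on file
    Policy("P-003", "lapsed", date(2021, 9, 15), date(2022, 9, 15), date(2022, 9, 12)),
    Policy("P-004", "cancelled", date(2022, 1, 1), date(2022, 6, 1), None),
]
INSURER_VIEW = {"P-001": "active", "P-002": "active", "P-003": "cancelled", "P-004": "cancelled"}

if __name__ == "__main__":
    print("naive scan:   ", naive_renewal_scan(SAMPLE, TODAY))
    print("hardened scan:", renewal_scan(SAMPLE, TODAY))
    print("lapse reports:", lapse_reports(SAMPLE, TODAY))
    print("mismatches:   ", reconcile({p.policy_id: p.status for p in SAMPLE}, INSURER_VIEW))
```

The naive scan returns only P-001 and never mentions P-002, which is exactly how a manually repaired record drops out of the renewal cycle without anyone noticing. The hardened scan returns the same due list but also a quarantine dictionary naming P-002 and P-003 with the reason each failed; that dictionary is the exception report a human should be looking at, and the lapse report for P-003 is held rather than sent to the insurer. The reconciliation shows P-002 and P-003 disagreeing between the two parties, which is the kind of cheap periodic check that would have surfaced the limbo state long before the renewal date.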
But is it a Personal Data Breach? Probably!
Matt Levine, who writes the incomparable Money Stuff, has a mantra. For any given negative thing that happens to a public company, he asks whether it’s securities fraud. The punchline is always the same: everything is securities fraud. In that spirit, I pose a similar question when it comes to bad data and negative outcomes: “Is it a personal data breach?”
Let’s break it down:
A “personal data breach” under Article 4(12) refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (emphasis mine)
In most cases, a controller must notify the supervisory authority (here, the Data Protection Commission), “without undue delay and, where feasible, not later than 72 hours after having become aware” of the breach, unless it’s “unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33 GDPR). If there’s really no or low risk, the controller still needs to document that a breach occurred. There’s also a separate requirement to notify the people affected where the breach is likely to result in a “high risk” to those natural persons’ rights and freedoms (Article 34 GDPR). That also includes the “without undue delay” language, but no specific timeline.
Chill reported inaccurate data to Liberty about my policy at some point between September and October 2022. While both companies became aware of and corrected this inaccuracy, neither bothered to inform me (or, likely, the DPC) of this lapse of data integrity. That’s a personal data breach, and probably a violation of the reporting obligations under the GDPR, unless Chill can demonstrate that it was unlikely to result in a risk to my rights and freedoms.[2]
Since Chill failed to test or evaluate its renewal automation against manually-added policies, its automated systems missed my policy at renewal time and failed to alert Liberty or me of this fact. That’s definitely a data breach, and a reporting breach. There are lots of legal and similar effects happening here. Importantly, by not notifying me, they left me unable to correct the error.
Separately, Liberty had its own process failures (which still haven’t been disclosed to anyone), and it failed to notify Chill or me that I needed to pay more money to remain covered. That’s breach #3. I also suspect that none of these newly discovered breaches have been reported to the DPC by Chill or Liberty, and it’s been well past 72 hours since they became aware. Liberty certainly hasn’t communicated with me, and appears to be stonewalling Chill, to add further insult.
But that’s ok, I will be reporting them to the DPC shortly.
It might be helpful for Chill, and particularly for Liberty (who has been awful in this), to note the many parallels between what happened to me and the DPC’s 2022 decision against the Bank of Ireland.[3] In March 2022, BOI was fined almost €500,000 and reprimanded for having inadequate security controls and failing to notify the DPC and data subjects in a timely manner about numerous data breaches affecting confidentiality, integrity, and availability. A number of the integrity and availability breaches concerned poor data quality and accuracy, including incorrect loan and agreement details that were transmitted to the CCR (Central Credit Register). This gave an erroneous view of BOI’s customers’ finances and credit history. The bank didn’t really consider them breaches so much as “technical coding errors”, and thus failed to notify the regulator or the affected individuals until well outside the bounds of what might be considered timely.
In its decision, the Data Protection Commission highlighted that when controllers or processors share or disclose personal data with others, they must ensure that the data they disclose is accurate.
BOI ought to have implemented robust validation procedures prior to transferring personal data to the CCR or the ICB. BOI has responsibility to verify the accuracy of the personal data and to ensure the personal data sent is within the scope of BOI’s reporting obligations prior to disclosing it to the CCR or the ICB. This would help to eradicate coding errors which resulted in personal data breaches. If BOI had robust validation measures in place, it would have helped it to detect design failures in its disclosure system which would have helped it to pre-empt certain personal data breaches. There was also a lack of quality assurance controls and oversight mechanisms to ensure appropriate procedures were followed. I find BOI has failed to implement robust validation procedures and quality assurance controls.[4] (emphasis added)
But more importantly, the Commissioner took the view that these data quality failures led to concrete integrity and availability failures under Article 32 and represented an absence of effective organisational and technical controls.
So What Now?
This saga isn't just about me or my uninsured house. It's about the broader implications of data inaccuracies and automated systems operating unchecked. It’s likely that these failures have or will impact other Chill and Liberty policy holders, at least until they clean up their technical and organisational processes and data quality failures. Mine is but a cautionary tale, to remind us all to do better.
It’s also a stark reminder that in a world increasingly governed by algorithms and data points, we shouldn’t forget the human element. Behind every data point is a person, a house with a roof leak, … a story. The choices made about their data can have profound effects.
For me, the story is that my house is currently uninsured and exposed to significant risk. I’m out of pocket €8,000 for a leaky roof. It’s arguable whether Liberty will renew, much less back-date the coverage, even though it was at least partially their error that caused this. I will likely have a higher insurance premium to absorb, assuming Chill can find an adequate replacement insurer. All of this could have been avoided if Chill and Liberty had disclosed the initial data failure in 2022 and fixed their shit. Importantly, by not notifying me of any of this, they left me powerless to prevent any of the downstream consequences.
As I await the next act in this drama, I ponder the lessons learned and the changes needed. We're not just numbers in a database; we're lives impacted by every click and keystroke in the vast digital landscape.
Stay tuned, and stay insured (if you can)!
[1] To date, nobody at Chill has been able to explain what failed on Liberty’s end. Liberty has been generally awful about returning calls, communicating with Chill or myself, or rectifying this situation. They’ve stonewalled on renewing my coverage. For a company that claims to offer the “best-in-class car and home insurance” with 200k satisfied customers, I’m deeply worried about the state of insurance cover in Ireland. Chill has been nominally better, at least with regard to apologizing, but that’s been mostly on account of me hounding them every day for a week.
[2] Separately, the fact that they provided inaccurate information to Liberty might itself be a data breach, as reporting inaccurate information may have changed the scope of Chill’s obligations under any statutory laws they may be bound by, at least based on the DPC’s BOI decision. See paras 10.19, 10.27.
[3] DPC (Ireland), Decision in Inquiry IN-19-9-5, 31 March 2022, https://www.dataprotection.ie/sites/default/files/uploads/2022-04/Final%20Decision%20in%20Inquiry%20IN-19-9-5%20%2831.03.2022%29.pdf
[4] DPC Decision, para 9.19.