Cloud computing for insurers – fast lane or blind alley?

12-Aug-2010  |  Financial Institutions & Services, IT & Telecoms


These days everyone, especially in the insurance industry in Germany, talks about "cloud computing" when the discussion turns to current trends in how companies use IT. The ongoing discussions about typical "cloud computing" issues such as data protection and security often result in confusion, leaving many insurers with more questions than answers. Confusion and prejudice often stem from lack of experience and from the following open questions: What exactly is "cloud computing" and is it really the so-called paradigm for efficiency, agility and economic utility on demand? Can you really trust and control the cloud? How do you protect data or obtain compliance? Is it really reasonable and does it comply with specific regulations in sensitive branches like insurance? "Cloud computing" for insurers – fast lane or blind alley?

So what is "cloud computing"? It can be defined as Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand. It describes a new supplement, consumption, and delivery model for IT services based on the Internet, with a distinction drawn between Software-as-a-Service (SaaS), Storage-as-a-Service, Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). SaaS means that software is not installed on a company’s hardware but is available on demand over the Internet. Storage-as-a-Service is used for (archive) data backup. PaaS makes various applications available, e.g. whole systems for Customer Relations Management. Finally, IaaS provides partial or broad IT infrastructure. The major cloud service providers include Microsoft, Salesforce, Skytap, HP, IBM, Amazon and Google, to name but a few.

Due to specific regulatory requirements applicable to the insurance industry in Germany (e.g. risk management and the transfer of functions are regulated in Sec. 64a of the German Insurance Supervisory Law (VAG)), insurers have to meet specific requirements regarding IT outsourcing. In this respect, one of the main issues concerning cloud computing is data protection and security. The typical challenges German insurers have to handle in this context are the recently increased high standard in data security and the need to implement protective solutions for data storage. Insurers regularly have to hold and handle personal data for a long time. Therefore, insurance companies are interested in identifying redundant data centres that are geographically dispersed, since this is a typical application scenario for cloud computing. But here a conflict with legal requirements may arise: access to and control of personal data is essential for data protection and security, but often the company using the service does not even know where the data is hosted. In some cases the server may be located outside Germany or the EU, in countries where different (often less consumer-friendly) regulations and rules regarding the handling of personal data apply. Under German data protection law, for example, the cross-border transfer of data is strictly regulated and only allowed if the data protection law of the respective foreign country meets at least EU standards.

Nevertheless, while challenging, such issues are capable of being resolved. Pursuant to German law, data processing, especially "when using a cloud", does meet legal requirements if the parties involved agree on detailed rules regarding access to and control of data. Experience shows that one of the most recommended approaches, especially in the context of cloud computing under German law, is "commissioned data processing" (Auftragsdatenverarbeitung). Sec. 11 of the German Data Protection Act (BDSG) sets the rules: the commissioned data processing agreement is to be concluded in written form. While the instructing party remains responsible and liable for lawful data processing, the parties agree on detailed rights of control and instructions to be complied with by the processing party. Moreover, the agreement shall provide for a detailed description of subject, duration, kind, extent and purpose of the data processing. A number of further formal requirements have to be arranged, especially when it comes to cross-border data transfers. However, the required contractual arrangement can be drafted with speed and with little effort.

Therefore, German insurers should not be discouraged from analysing their IT structures in order to find gaps where the use of cloud computing can be a way to increase capacity or swiftly add capabilities without investing in new infrastructure, without training new personnel or obtaining a licence for new software. As already mentioned, aspects like data protection, compliance and security are capable of being resolved. If handled professionally, "cloud computing" can become a "fast lane" innovation for insurers.

Lawyers Jonathan Rogers, Anthony Menzies, James Crabtree, Peter Kempe, Dr. Söntje Julia Hilberg, Dr. Gunbritt Kammerer-Galahn, Detlef Klett, Franz Janssen, Dr. Astrid Wagner, Wolfgang Schaller, Alain de Foucaud, Christine Flion, Christopher Dixon