Data Analytics in the Insurance Industry

Posted on 02-21-2019


Data analytics is at work every time Amazon tells a customer he or she may want to buy a product, each time Facebook recommends a resource page, and when a life insurance company assesses risk and set rates for potential policyholders. It’s an area governed by layers of laws and rules that are impacting the highly regulated insurance industry in a significant way.

THIS ARTICLE PROVIDES PRACTICAL GUIDANCE FOR ATTORNEYS on managing data analytics in the insurance industry. It focuses on data related to complaints, claims, call centers, privacy, and security. Rules and regulations on how companies need to keep specific types of data are also discussed.

Rules and Regulations

The Health Insurance Portability and Accountability Act, the New York Department of Financial Services Rule Cyber Security Rule, and the General Data Protection Regulation speak to an insurer’s obligation to make sure that data is protected from cybersecurity threats and that breaches of data are properly and timely reported. Specific types of data that are governed by these rules include protected health information (PHI), personally identifiable information (PII), and personal financial information (PFI). These rules and regulations do not speak to the collection of data or how an insurer may use the data.

Although legislators and regulators have addressed these issues, they are beyond the scope of this article. Insurance companies analyze their data and look for ways to provide a better customer service experience, streamline processes, create efficiencies, reduce claims and complaints, and detect and reduce fraud.

A consistent, repeatable process should be outlined and defined to clearly articulate the process for collecting data and to help ensure data that is collected may be accurately measured, analyzed, and assessed. If all employees charged with collecting and reporting on data are not following the same process and data is not collected on a regular basis and for a specified period of time (e.g., quarterly or monthly), then measuring and analyzing the data will not work. Specificity, clear definitions, and a consistent, repeatable process are imperative.


State rules and regulations require authorized insurance companies to maintain a complaints policy and procedure and designate a department within the company to manage complaints. Management of customer complaints by the designated department should also include management of complaints data. Analyzing complaints can speak to broader issues and concerns with respect to company processes, complaint response timeliness, claim denials, and overall customer service and satisfaction.

The most effective way to analyze complaints data is by outlining a clear and consistent repeatable process. A complaint must be defined and then universally agreed upon by all business areas. All communications meeting the definition of a complaint are then reported using a centralized database. Database reports are generated regularly using specific categories. The results are reviewed and analyzed, helping to identify trends that may provide insight into the company, its policies, and procedures.

Adding a data analyst proficient in Structured Query Language (SQL) will help to assist the department in organizing and outlining how complaints data will be gathered, reviewed, and analyzed. SQL is a programming language used to run analytical queries and manage relational databases.

Categories for organizing complaints data for review and analysis include:

  • Amount of time since complaint was logged
  • Age of complainant (if available)
  • Gender of complainant (if available)
  • State
  • Region
  • Line of business
  • Agent/broker
  • Claim denials
  • Claim appeals
  • Origin of complaint:
    • Executive complaints
    • Department of Insurance
    • Website inquiries
    • Social media
    • Call centers

Analyzing these fields may help identify trends in the way the company handles complaints in addition to targeting where greater resources may need to be provided. Examples of discoveries made during data analysis can include:

  • A decrease in call center complaints and an increase in social media complaints may mean the company needs to dedicate more resources to the team responding to social media complaints.
  • A large number of complaints from a specific state may speak to an issue with a policy issued in that state.
  • A number of complaints from complainants of a certain age may speak to a policy coverage issue related to that demographic.

A centralized reporting system and a complaints policy that clearly defines a complaint and complainant are essential, especially if you are looking to provide metrics on complaints data. Analyzing data and providing metrics without a centralized approach and clear policy will not add value and will not provide accurate data or reliable insights.

In addition to reviewing and analyzing customer complaints, you should also look at internal complaints received through human resources (HR) and through an ethics hotline and/or portal. HR complaints should be centralized with a policy on reporting HR complaints. HR complaints should be categorized by fields including age, gender, nature of the complaint including harassment, and employee terminations. A series of complaints related to a specific individual may speak to employee behavior that violates company policy.

A policy on sexual harassment and a system for reporting such complaints is essential. Analyzing that data may speak to broader concerns with the company culture. The data may only be effectively analyzed if the system for reporting this data is consistent and repeatable.


If you would like to measure claim denials and appeals, a centralized policy for reporting claim denials and appeals should be established. Claim denials and appeals may be categorized by:

  • State
  • Geographic region
  • Line of business
  • Reason for claim denial:
    • Coverage policy denial
    • Failure to timely appeal

These are just a few of the categories the claims team may wish to use for collecting and analyzing data. For this data to be properly scrubbed, reviewed, and analyzed, the process for collecting and reporting the claims data must be consistent and repeatable. Adding a data analyst proficient in SQL will assist the department in organizing and outlining how claims data will be gathered, reviewed, and analyzed.

Examples. Many claim denials in a specific geographic area over a certain period of time may speak to a coverage concern (e.g., was a policy incorrectly issued). Many complaints related to how the claim was handled may speak to the claims analyst’s ability and knowledge. This may prompt the company to look at its training program and perhaps provide additional training and education to ensure claims analysts understand the policy, coverage, and how to adjust claims.

Call Centers

Call center employees should be trained, and data received through the call center should be centralized and collected consistently and repeatedly. Call center employees must operate under the same definitions and processes. Call center data may be categorized in several ways including by:

  • State
  • Geographic region
  • Customer service representative
  • Nature of the call

Adding a data analyst proficient in SQL will assist the department in organizing and outlining how call center data will be gathered, reviewed, and analyzed.

Examples. If a large number of calls are reported shortly after the new year and related to the issuance of a new policy, the calls may speak to a processing or coverage error. Repeated calls regarding a customer call center representative may speak to the call center representative’s professionalism and/or lack of product understanding. Both scenarios afford the company an opportunity to address the expressed concerns before the matter gains external traction—perhaps preventing a matter from trending and thus mitigating company reputational harm.


A privacy breach is the loss of, unauthorized access to, or disclosure of personal information. Privacy breaches occur when personal information is lost, stolen, or inadvertently shared. A privacy breach can also happen because of faulty business procedures or operational breakdowns. Like the processes outlined for complaints and call centers, privacy data reporting should follow a consistent and repeatable process. Questions you should ask include:

  • What is the company’s privacy-incident response plan?
  • Is a privacy incident clearly defined?
  • Is a privacy breach clearly defined?
  • Do employees know and understand when to advise of a privacy incident or privacy breach?
  • Is the company operating under a set of clearly defined privacy definitions, protocols, and processes?

Collecting privacy data consistently and repeatedly over a specified period will allow the incidents and breaches to be accurately analyzed and interpreted. Adding a data analyst proficient in SQL will assist the privacy department in organizing and outlining how privacy data will be gathered, reviewed, and analyzed. If a number of reports from a specific region surface, you may be able to assess why the privacy incident or breach occurred and take corrective action quickly. Privacy incidents and breaches should be reported through a centralized repository. The categories for privacy incidents and breaches may include:

  • State
  • Geographic region
  • Line of business
  • Type of incident (e.g., misdirected emails or mail)
  • Type of breach (e.g., PFI, PHI, PII)

Example. If you received many complaints claiming a breach of PII from the same geographic region and yet there is no indication of any type of systematic error leading to a privacy breach, the breach may be an internal one by a rogue employee. The company may need to look at the security controls around the data and who has access and who should have access to information.


Unlike a privacy breach, which involves personal information, a security breach or security violation is an act from inside or outside an organization that bypasses or contravenes security policies, practices, or procedures. Security incidents should follow the same process for collection of data. Is there a clearly defined policy for reporting security incidents with a clear definition of a security incident? Do employees know where and how to report security incidents? The incidents should be reported on a consistent basis through a centralized repository. Adding a data analyst proficient in SQL will assist the department in organizing and outlining how security data will be gathered, reviewed, and analyzed. Categories for security incidents may include:

  • Internal security incident
  • External security incident
  • Cybersecurity threats
  • Fraud

A data analyst should produce reports on the data on a regular basis to allow the security data to be analyzed and assessed.


Data may be used to analyze and assess company policies and efficiencies, company behavior, and patterns of conduct. Clearly drafted data analysis policies can help to ensure that the approach to the collection of data is consistent, thereby yielding data that may be analyzed for trends and broader company issues and concerns. A company best practice is to utilize a data analytics specialist to collate the data and present the findings on an agreed-upon regular basis for further analysis and assessment. Companies may try to standardize collection of data across the company, enabling the company to paint an even broader picture and allowing the company to, over time, follow and address trends.

Attorneys managing data need to understand how data can assist companies in providing greater efficiencies, helping to reduce claims and complaints, detect fraud, and curtail privacy and security incidents. The key is creating a successful program and implementing a consistent repeatable process. Data can only be analyzed and used to create metrics if the process is the same each time and collected on a regular basis.

To find this article in Lexis Practice Advisor, follow this research path: RESEARCH PATH: Insurance > Trends and Insights > Practice Notes

Related Content

For information about responding to complaints, see


RESEARCH PATH: Insurance > Conducting Insurance Company Operations > Practice Notes

For step-by-step guidance on handling complaints, see


RESEARCH PATH: Insurance > Conducting Insurance Company Operations > Checklists

For a discussion of coverage for data breaches, see


RESEARCH PATH: Insurance > Assessing Claims and Coverage > Types of Insurance > Practice Notes

For information about the regulation of innovation in the insurance industry, including data analytics, see


RESEARCH PATH: Insurance > Interacting with Regulators and Responding to Investigations > Secondary Materials

For forms to use when handling complaints from policyholders, see


RESEARCH PATH: Insurance > Conducting Insurance Company Operations > Forms