A Lesson in Risk Management

How expensive is investing in data security? Ask the executives at WellPoint Inc. The insurance company was recently fined $1.7 million by the U.S. Department of Health and Human Services (HHS) for leaving data on 612,400 customers potentially exposed, in violation of the Health Insurance Portability and Accountability Act (HIPAA). The HHS says that WellPoint did not adequately implement policies and procedures for authorizing access to an online application database and did not put adequate identity safeguards in place.

While health insurers have an extra layer of government mandates, insurance companies of all types may eventually find it's more expensive to pay for breaches after the fact than to take preventive measures. A recent study from Ponemon Institute and Symantec puts the average cost of a data breach within the United States at $188 per affected record. The number of breached records per incident in the study ranged from about 2,300 to more than 99,000, Ponemon says, with the 2013 average settling at 23,647 records per incident. At $188 per record, that works out to an average cost of more than $4.4 million per incident for a U.S. company.

These post-breach costs include direct, indirect and opportunity costs, including lost business costs such as customer churn, customer acquisition activities and brand reputation loss. Many of these costs are incalculable and won't show up on balance sheets.

"The hardest cost to measure may be reputational risk," says Martin Frappolli, CPCU, senior director of knowledge resources at The Institutes. "Coverages may require a lot of personal information. Once you become a claimant, and especially if you have a medical claim, be it automobile, workers comp, or other, then the insurer really possesses a lot of sensitive information. So an insurer's reputation is absolutely on the line to safeguard that as closely as possible."

A number of insurance companies have had publicly disclosed brushes with breaches. For example, at the end of last year, according to the PrivacyRights.org timeline, a portion of the computer network used by a major Midwestern insurance company was breached by hackers. While the attack was discovered the same day, tens of thousands of names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupations and employer information had been stolen.

The escalating threats are analogous to the constant tug of war between automakers and auto thieves, Frappolli says. "Auto theft was a big problem, and in response automakers and insurers developed policies and technologies to discourage auto theft. Auto thieves developed new technologies to defeat them."

While many insurance companies themselves are keeping up with security requirements, it's a battle that keeps escalating.

"The technology landscape is evolving fast and there are always new threats coming out. So the industry is always reactive," says Anthony Dagostino, VP of ACE Professional Risk. However, the challenges for insurance companies are not very different from companies in other industries, Dagostino says. "Insurance companies span all exposures that are out there - everything from intellectual property to personally identifiable information, such as names, addresses and credit card numbers for paying premiums. There's also financial information, such as bank account numbers and routing numbers because of direct debits. There's also health information, which could be associated with workers comp claim information. Then there's all the employee information that's at stake. It spans everything."

Not all security incidents are intentional. In many cases, unencrypted data is transmitted through internet channels and exposed accidentally. For example, this past summer, a major northeastern insurance company reported that the retirement plan information of certain clients was inadvertently exposed when an account manager sent an e-mail, which included names, Social Security numbers, investment elections and account balances. Such incidents point to internal threats, which may be far more pervasive than outside hacking incidents. "The greatest vulnerability is the human factor," Frappolli says. "Most breaches come from human compromises more so than machine compromises."

At issue is the fact that management often refuses to see the insider threat for what it is. "I think there's very little awareness of insider threats," says Jason Polancich, founder and lead architect for HackSurfer LLC. "Companies tend to make blanket actions. They try to restrict their employees' access to the internet or networks. It's more a draconian lock-down on access to Facebook or Twitter, when the people doing the damage are doing it a different way. As a result, companies engage in knee-jerk measures in looking for insider threats and protecting against them, while not spending the money to take the surgical measures to secure data, how systems talk to each other and the privileges the systems themselves have," Polancich says.

Related to the insider threat is the unfettered access given to contractors or third-party partners who handle the data. In the recent case of a Midwestern insurance company cited by PrivacyRights.org, a compact disk that contained information, including names, Social Security numbers and birth dates for more than 30,000 beneficiaries, was taken from the home of an employee of the company's accounting firm.

"Your protections are only as good as those vendors that you're using as well," Dagostino says. "Insurance companies should focus on vendor usage, what they're using those vendors for, what type of information they will have access to and that whole selection process. Is there going to be an audit process? Make sure that vendors have the same security an insurance company does, or better," he advises.

The need for better screening and auditing of vendors will only grow as more insurers turn to outside services for everything from business analytics to cloud computing. "Insurance companies are really looking into big data analytics using social media more," Dagostino says. "To do that, a lot of them are employing third-party vendors to help with those efforts. As more are touching information, you have more risk of exposure."

Deploying encryption and strong authentication also helps, since many data abuses occur when data is replicated or moved out of the protected data center environment, whether to other parts of the organization or out to third-party vendors.
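The two preceding points, analytics vendors touching claims data and data leaving the protected environment, come together in one concrete control: replace the direct identifiers with keyed tokens before an extract is handed to a vendor, so the vendor can still join and count claims per claimant without ever holding a Social Security number or date of birth. This is an added illustration written for this article, not code from any insurer, vendor or product named above, and it uses keyed pseudonymization (HMAC) rather than encryption, since a vendor running analytics needs linkable identifiers, not recoverable ones. The field names, vendor IDs, master key and sample rows are constructed for the example; the standard library is all it needs.

```python
"""Keyed pseudonymization of direct identifiers before a claims extract leaves
the protected environment for a third-party analytics vendor.

Added example for this article; not code from any insurer or vendor.
Standard library only. Field names, vendor IDs and sample rows are constructed.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Fields treated as direct identifiers in this example (an assumption).
DIRECT_IDENTIFIERS = ("ssn", "dob", "drivers_license")

# Constructed sample extract: claims C-1001 and C-1003 belong to the same person.
SAMPLE_ROWS = [
    {"claim_id": "C-1001", "ssn": "123-45-6789", "dob": "1975-03-14",
     "state": "OH", "claim_type": "workers_comp"},
    {"claim_id": "C-1002", "ssn": "987-65-4321", "dob": "1982-11-02",
     "state": "IL", "claim_type": "auto"},
    {"claim_id": "C-1003", "ssn": "123-45-6789", "dob": "1975-03-14",
     "state": "OH", "claim_type": "auto"},
]


def derive_vendor_key(master_key: bytes, vendor_id: str) -> bytes:
    """One key per vendor, derived from a master key that stays in the data
    center. Tokens given to vendor A cannot be joined against tokens given to
    vendor B, and one vendor's key can be retired without touching the others."""
    return hmac.new(master_key, b"vendor:" + vendor_id.encode(), hashlib.sha256).digest()


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """HMAC-SHA256 over (field name, value).

    Keyed, not a bare hash: the SSN space is about 10^9 values and the
    date-of-birth space a few tens of thousands, small enough that an unkeyed
    hash is a lookup table rather than a protection. The field name is mixed
    in so identical digits in two different fields do not share a token.
    """
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def prepare_for_vendor(rows, vendor_key: bytes):
    """Return a copy of the extract with every direct identifier replaced by
    its keyed token. Analytic columns (state, claim type) are untouched, and
    rows for the same person still share a token, so the vendor can still
    count claims per claimant."""
    out = []
    for row in rows:
        r = dict(row)
        for f in DIRECT_IDENTIFIERS:
            if r.get(f):
                r[f] = pseudonymize(r[f], vendor_key, f)
        out.append(r)
    return out


def leaks_raw_identifier(prepared, original) -> bool:
    """Pre-release check: does any raw identifier value survive in the output?"""
    raw = {row[f] for row in original for f in DIRECT_IDENTIFIERS if row.get(f)}
    return any(v in raw for row in prepared for v in row.values())


def unkeyed_token(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the value, no key."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_dob_from_unkeyed(token: str,
                             start: date = date(1900, 1, 1),
                             end: date = date(2020, 12, 31)):
    """Why the bare hash fails: enumerate every date in range and compare.
    Runs in well under a second; the same attack on SSNs takes minutes."""
    d = start
    while d <= end:
        if unkeyed_token(d.isoformat()) == token:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # in practice: held in an HSM or KMS
    key_a = derive_vendor_key(master, "analytics-vendor-a")
    for row in prepare_for_vendor(SAMPLE_ROWS, key_a):
        print(row)
    print("DOB recovered from unkeyed hash:",
          recover_dob_from_unkeyed(unkeyed_token("1975-03-14")))
```

The master key never leaves the data center; only the per-vendor tokenized extract does, and `leaks_raw_identifier` is the kind of check an audit process would run on every outbound file. The brute-force function is there to show why a plain hash of an SSN or birth date is not a safeguard, which is the mistake most often made when "anonymizing" data for outside analytics.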

Frappolli says there is an emerging class of data professionals in many insurance organizations that take data security very seriously and need to be supported in these efforts. "The value of data within an insurer has become better understood and better appreciated," he says. "The folks who used to handle the data were once just clerical staff and IT, but responsibility has moved to statistical and data management departments. Most insurers of any appreciable size have data management departments populated with schooled and certified insurance data management professionals," he says. "These are the people who maintain an inventory of the data sources, the types of data, how data is used, what the access restrictions are and where the data is stored." Frappolli urges that other groups work closely with these emerging data management specialists.

However, despite their expertise, data management and IT departments can't handle this challenge alone. The most effective way to mitigate the threat to data security is to educate employees and train them on how to handle confidential information.

"It gets down to creating a culture in the organization," Dagostino says. "Education - creating training around employee awareness - is huge. Part of this is sending constant information out to all levels, from the C-suite all the way to janitors and volunteers and interns. This includes everything from just making sure that you're locking up laptops and changing their passwords, to really understanding the risks of social media, so you're not going to get some kind of phishing attack."

It's important to get management onboard as well, says Polancich. "Sadly, the prevailing thought in the industry is just keep patching the holes, don't fix the leak for good. That's going to have to change for us to really evolve and for us to become safer as a connected set of enterprises in a connected world."

Joe McKendrick is a writer and consultant specializing in IT, and a regular blogger for insurancenetworking.com.
