Data Breach Perils

Its negative connotation is deserved. For insurance companies, a data breach spells instant trouble, the least of which is potential loss of reputation, brand and revenue. If a court of law rules the insurance company is negligent, a data breach has the potential of ultimately shutting the carrier's doors. Recent research by the Chief Marketing Officer Council, Palo Alto, Calif., revealed that a company loses, on average, from 0.63% to 2.10% value in stock price when a breach is reported, equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident.

The perils associated with data breaches are profound, as are the number of recorded insurance industry events (see "Chronology of Data Breaches," below.) Yet nearly two-thirds of security executives queried in a recent research study reported that their organizations lack the accountability and resources necessary to enforce data security policy compliance. Of the 853 U.S.-based information security professionals (nearly 20% from insurance and financial services firms) surveyed in the "National Survey on Detection and Prevention of Data Breaches" study, 59% believe they can effectively detect a data breach, but 63% believe they cannot prevent a data breach.

"Our data show that, in spite of the increased attention being paid to the issue of data security, enormous gaps remain in corporate America's ability to effectively protect sensitive data," says Larry Ponemon, chairman and founder of the Ponemon Institute, the Elk Rapids, Mich. firm that conducted the study.

FACING CHALLENGES

Clearly, detection is not prevention, and insurance carriers hoping to master both face a host of challenges as they monitor their users and their networks (see "Identifying Outgoing Data: Top 5 Challenges," below).

"No doubt, it's a force to be reckoned with," says Ken Patterson, chief information security officer for Harvard Pilgrim Healthcare (HPHC), a Wellesley, Mass., provider of health insurance products to more than one million members.

At his 25-year-old company, Patterson says, accountability and resources for data protection are non-issues.

Respecting the not-for-profit company's mission statement, to be the most trusted name in healthcare, Patterson jokes that his view of security ROI may differ from most. "To me, it means 'risk of incarceration,'" he says.

Patterson is in charge of securing HPHC's internal work force of 2,200 users, the majority of whom communicate via the company's intranet. The company's external reach, however, is more complex. Access to the company's Web-facing applications is provided to a growing number of constituents, including 130 hospitals and 22,000 physicians.

HPHC hosts its own Web site. With separate portals for brokers, providers, employers and employees, Patterson acknowledges that the entire enterprise is at risk for potential problems.

"Our entire workforce uses a computer one way or another-even in the cafeteria-so we have to be proactive around the privacy of our members."

The company's security policy is far-reaching, from ongoing privacy and security training for its internal and broker network users to encryption of everything except systems files.

The decision to encrypt came on the heels of a 21-day evaluation with an encryption software vendor that gave rise to some disquieting results, recalls Patterson.

"It told us we had some issues," he admits.

MONITORING THE NETWORK

Working with PGP, a Palo Alto, Calif., provider of encryption products, the company has since encrypted all of its laptops and PCs, as well as its online backup system for laptops, PCs and hand-held devices.

Additionally, HPHC uses a password synchronization tool, accompanied by a voice recognition system for forgotten passwords.

PGP's plug-in to data protection software from San Francisco-based Vontu helps the carrier monitor its network. Built into the insurer's Lotus Notes client, the software provides HPHC with details on anything traveling on its outbound gateway, including instant messaging (IM), file transfer protocol (FTP) and more.

To ensure future data leak protection, the insurer's security risk assessment program requires a formal risk assessment of any new element introduced into the infrastructure.

To Patterson, the costs associated with network security and its associated and various privacy and security policies are a "trade-off."

"The highest area of risk is in protecting health information, and the confidentiality of that information is the priority," says Patterson. "You need constant enforcement of a data protection policy and constant reinforcement of that message."

POLICY A MUST

Enforcement of a data protection policy is a must, says Robert Scott, principal with Dallas-based law firm Scott & Scott LLP.

"There is no such thing as a secure network," he says. "Every enterprise with electronic data is at risk of a data security breach."

According to Scott, "75% to 95% of all corporate e-mail traffic is dangerous. Any employee who opens a personal e-mail at work can download a virus, leaving the network highly vulnerable to data security breaches."

Dan Greil, senior infrastructure security analyst with Indianapolis-based Indiana Farm Bureau (IFB) agrees. "It's impossible to be completely secure, but it is possible to be proactive in our data protection efforts and in the enforcement of a data protection policy."

Like Patterson, Greil understands the importance of accountability, and is in the process of tweaking IFB's existing policy to include new processes that ensure data is transmitted safely, and to educate all stakeholders who communicate on the 72-year-old mutual company's network.

Greil's efforts follow a surprising discovery during a pilot program with data protection provider PortAuthority, Palo Alto, Calif. IFB, which sells auto, life, home, business and farm insurance through a network of 450 agents, recognized it had an information leak problem.

"We have 1,200 users on an internal network across 130 sites, and all e-mail goes out through one point," he says. "We suspected we had an information leak when we inadvertently caught something on an incoming e-mail. An employee had sent data to himself at home, modified it and brought it back in."

In the past, this type of "work at home" would not have been challenged, but outbound sensitive data sent to an unsecured home e-mail address raised all sorts of flags.

"We wanted to quantify the extent of our problem," he says. "But we didn't have the tools, so I could only suspect and wonder about the rest."

OPPORTUNITIES TO IMPROVE

The pilot allowed Greil to start identifying business processes that involved sending information out via e-mail, so he and his 8-member security team began working with employees to modify those processes, and come up with additional security elements that would keep data secure.

Greil asked PortAuthority to stretch the feature boundaries of its information leak protection product beyond generic 9-digit pattern matching, thereby eliminating a large number of false positives. Instead, the insurer was able to point the system to specific customer and employee databases, telling it to monitor for specific Social Security or credit card numbers. The system generates an alarm only if it recognizes IFB customer data.

"We simply didn't have the resources to weed through all the exceptions that would be triggered by false positives," Greil says. "So it's efficient and economical for us, because PortAuthority's technology is watching for matches to numbers that belong to our customers exclusively."

Internal users being trained on the system are prohibited from sending out sensitive data, and those users will not be able to reply to an e-mail sent to them that contains sensitive information until the sensitive data is first stripped out.
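The distinction described above, matching outbound mail only against the insurer's own records rather than against any 9-digit run, together with the strip-before-reply step, as an added example that is not IFB's or PortAuthority's code. The salt, the customer identifiers and the sample messages are constructed; a real deployment would load fingerprints from the customer and employee databases the text mentions.

```python
import hashlib
import re

# Assumption: a per-deployment secret salt, so the scanner keeps only hashes
# of customer identifiers in memory, never the raw numbers.
SALT = b"example-salt-not-for-production"


def fingerprint(value):
    """Hash a normalized identifier (digits only) for exact-match lookup."""
    digits = re.sub(r"\D", "", value)
    return hashlib.sha256(SALT + digits.encode()).hexdigest()


# Constructed stand-in for the insurer's customer/employee records.
KNOWN_CUSTOMER_IDS = {fingerprint(n) for n in ["123-45-6789", "987654321"]}

# Generic detector: any 9-digit run, with or without SSN-style dashes.
GENERIC_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def generic_hits(text):
    """What a pattern-only DLP rule would flag (includes order numbers, refs)."""
    return GENERIC_SSN.findall(text)


def customer_hits(text):
    """Alert only on candidates that match the insurer's own records."""
    return [c for c in GENERIC_SSN.findall(text)
            if fingerprint(c) in KNOWN_CUSTOMER_IDS]


def redact(text):
    """Strip matched customer identifiers before a reply is allowed out."""
    return GENERIC_SSN.sub(
        lambda m: "[REDACTED]" if fingerprint(m.group()) in KNOWN_CUSTOMER_IDS
        else m.group(), text)


# Constructed outbound messages: the first contains two 9-digit values that
# are not customer data; the second leaks a real (constructed) customer SSN.
SAMPLE_MESSAGES = [
    "Order 482915730 shipped; tracking 555-12-3456 is not an SSN but a carrier ref.",
    "Per your request, the SSN on file is 123-45-6789. Call me with questions.",
]


def scan(messages):
    """Compare alert counts from the generic rule and the record-matched rule."""
    return [{"generic": len(generic_hits(m)), "customer": len(customer_hits(m))}
            for m in messages]
```

Running `scan(SAMPLE_MESSAGES)` shows the generic rule raising three alerts across the two messages while the record-matched rule raises one, on the message that actually carries customer data.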

Nearing full production with the PortAuthority system, the insurer is also implementing a multi-phase effort to complement its existing spam and anti-virus protection systems with two port appliances: one that acts as an e-mail proxy and the other as a fingerprinting engine. The e-mail proxy passively monitors other protocols, such as IM, Web e-mail, FTP and inbound mail.

Like HPHC's, IFB's privacy and security policy requires all desktops and laptops to be encrypted. Next on the agenda, says Greil, is encryption of e-mail and file transfer.

EDUCATION IS KEY

Meanwhile, the insurer's Web site is under constant scrutiny. IFB is implementing an application firewall for applications that may be vulnerable to cross-site scripting, SQL injection and session hijacking. Before arriving at IFB's Web server, every request an external user makes of the Web site is sanitized to ensure that it does not harbor attacks and that it conforms to the HTTP rules.

"A couple of years ago when we launched a Web application that could connect to our back-end database on our own internal network, we knew it could be exposed externally, so we wanted to make sure it was secure," he says.

And as the insurer updates its formal company-wide privacy and security policy, reports Greil, the team is creating a way to communicate back to another source of potential risk - IFB's policyholders - that using public e-mail as a medium to communicate social security or credit card information is ill-advised.

"We have policyholders who don't see the danger in e-mailing us their credit card number, expiration date, and tell us 'pay my bill,'" Greil says.

IFB is working with PortAuthority to enable an automatic reply message that says, in effect, "in light of the fact that you have sent us this confidential information, please be aware that the network you are using is not fully secured. To avoid becoming a victim of identity theft or credit card fraud, we recommend you contact your agent directly for this service."

Patterson is resigned to the fact that hackers will never give up and go away. "You have to take the view of all the threats. I've seen reports that state there are more than 10K vulnerabilities. If that's the case, you must protect against all of them."

For Patterson, that means keeping up with new threats and vulnerabilities, putting safeguards in place, and working with the business side to garner support and cooperation.

"You can't ever be satisfied that you are done," he says.

Identifying Outgoing Data: Top 5 Challenges

* Fragments of sensitive data can easily be cut and pasted;

* Sensitive data is often modified from an original document into derivations or excerpts;

* Multiple copies of sensitive data typically exist;

* Sensitive data is kept in different file formats (unstructured) or databases (structured);

* Sensitive data is communicated through a variety of channels.

Source: PortAuthority Technologies Inc., Palo Alto, Calif.

Regulatory Requirements May Change the Data Breach Reporting Landscape

At press time, two bills that could shape the way insurance companies deal with data breaches were in process.

The Financial Data Protection Act (HR 4127) is designed to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.

Introduced by Rep. Cliff Stearns, R-Fla., the bill would preempt state laws governing consumer reporter data security responsibilities, except any laws governing professional confidentiality or limiting the purposes for which information may be disclosed.

HR 4127 amends the Fair Credit Reporting Act to prescribe guidelines for data security safeguards that require a consumer reporter who becomes aware of information suggesting a breach of data security "immediately" to investigate and notify authorities and consumers. It defines "consumer reporter" as any entity that regularly engages in assembling or evaluating consumer financial files and consumer reports to furnish consumer reports to third parties or to provide payment for products and services, or for employment purposes.

HR 4127 has passed through the appropriate committees and, as of press time, is on the Congressional Union calendar for discussion after the November elections.

A similar bill with the same title, S 2169, is currently on the Senate Banking, Housing and Urban Affairs Committee's agenda for review. Introduced by Sen. Thomas Carper, D-Del., the S 2169 Financial Data Protection Act also amends the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

Chronology of Data Breaches

DATE MADE PUBLIC: Feb. 15, 2005

NAME(Location): ChoicePoint (Alpharetta, Ga.)

TYPE OF BREACH: Bogus accounts established by ID thieves. The initial number of affected records was estimated at 145,000 but was later revised to 163,000. UPDATE (1/26/06): ChoicePoint settled with the Federal Trade Commission for $10 million in civil penalties and $5 million for consumer redress.

NUMBER OF RECORDS: 163,000

DATE MADE PUBLIC: April 28, 2005

NAME(Location): Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp

TYPE OF BREACH: Dishonest insiders

NUMBER OF RECORDS: 676,000

DATE MADE PUBLIC: Feb. 16, 2006

NAME(Location): Blue Cross and Blue Shield of Florida

TYPE OF BREACH: Contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.

NUMBER OF RECORDS: 27,000

DATE MADE PUBLIC: April 6, 2006

NAME(Location): Progressive Casualty Insurance (Mayfield Village, Ohio)

TYPE OF BREACH: Dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying.

NUMBER OF RECORDS: 13

DATE MADE PUBLIC: June 2, 2006

NAME(Location): Humana (Louisville, Ky.)

TYPE OF BREACH: Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

NUMBER OF RECORDS: 17,000

DATE MADE PUBLIC: June 14, 2006

NAME(Location): American Insurance Group (AIG), Midwest Office (New York)

TYPE OF BREACH: A computer server containing personal information, including names, Social Security numbers and tens of thousands of medical records, was stolen on March 31.

NUMBER OF RECORDS: 930,000

DATE MADE PUBLIC: June 26, 2006

NAME(Location): Allstate Insurance Huntsville branch (Huntsville, Ala.)

TYPE OF BREACH: Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen.

NUMBER OF RECORDS: 2,700

DATE MADE PUBLIC: July 29, 2006

NAME(Location): Sentry Insurance (Stevens Point, Wis.)

TYPE OF BREACH: Personal information including SSNs on workers' compensation claimants was stolen, some of which was later sold on the Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data. The consultant was arrested and faces felony charges.

NUMBER OF RECORDS: Information on 72 claimants was sold on the Internet. Data on an additional 112,198 claimants was also stolen, with no evidence of being sold online. Total affected is 112,270.

DATE MADE PUBLIC: Aug. 8, 2006

NAME(Location): Virginia Bureau of Insurance

TYPE OF BREACH: The Bureau has advised insurance agents in the state that their SSNs may have been exposed on its Web site from June 13 through July 31, 2006, due to a programming error. The SSNs were not shown on any Web page, but could have been found by savvy computer users using a Web browser's view-source tool.

NUMBER OF RECORDS: Unknown

DATE MADE PUBLIC: Aug. 17, 2006

NAME(Location): HCA Inc. Hospital Corp. of America (Nashville, Tenn.)

TYPE OF BREACH: Ten computers containing Medicare and Medicaid billing information and records of employees and physicians from 1996-2006 were stolen. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: Colorado, Kansas, Louisiana, Missouri, Oklahoma, Oregon, Tennessee and Washington.

NUMBER OF RECORDS: "Thousands of files"

Source: See Editor's note.

Editor's note: The information presented in the sidebar "Chronology of Data Breaches" was gleaned from the Privacy Rights Clearinghouse, a San Diego nonprofit consumer education and advocacy organization. Every effort was made to ensure accuracy of reporting. For updates to particular incidents, visit www.privacyrights.org.
