Handle Data Like Diamonds

Data security is much broader than a technology concern for CIOs; it's a topic that's on the minds of many senior executives at U.S. corporations. From headlines about stolen data to federal regulations such as HIPAA to proposed Congressional legislation on data sharing and disclosure when a breach occurs, data security has become a front-burner issue for boardrooms and back-office data centers.Although many of the well-publicized incidents of large-scale data pilfering have involved hackers using computers to breach IT security, two recent incidents of stolen data occurred due to weak policies and procedures. In February, Bank of America confirmed that several data tapes were lost in transit to a backup data center. The tapes contained account and other personal information belonging to 1.2 million credit card holders that are employed by the U.S. General Services Administration.

Also in February, ChoicePoint Inc. revealed that fraudsters had established bogus small-business accounts and illegally purchased 145,000 records containing personal information such as names, addresses, Social Security numbers, driver's license numbers, and abbreviated credit reports. No insurance data was stolen in the incident.

Reaction to both incidents from consumer privacy groups and Capitol Hill was swift. Senate Judiciary Chairman Arlen Specter (R-Pa.) said he would hold hearings on identity theft. Sen. Charles Schumer (D-N.Y.) said he was close to introducing legislation that would control how personal data is shared. And Sen. Diane Feinstein (D-Calif.) has introduced legislation similar to a California law that requires financial institutions to notify their customers after incidents of lost or stolen data.

Insurance companies have a trove of personal data that criminals would love to get their hands on. We've written many articles over the years about technologies such as encryption and firewalls that are designed to secure databases. Security experts agree that these technologies are effective deterrents, but they're not bullet proof-especially when there are holes in policies and procedures governing data.

The lesson from the B of A and ChoicePoint incidents is that carriers and other businesses should approach personal data as they would handle a shipment of diamonds: Insurers should review all policies and procedures on how personal data is used, managed and moved, because a simple slip-up could be costly to a company's reputation in the eyes of consumers.

For reprint and licensing requests for this article, click here.
Analytics Data and information management Policy adminstration
MORE FROM DIGITAL INSURANCE