A number of years ago I had an experience with attempted theft of personal information that actually encouraged me to believe that the bad guys would have a tough time stealing important data from anyone who took reasonable precautions (I have since learned better).  

At that time I was using a phone card provided by my long-distance carrier to make calls from the road and charge them to my home number. One day, I made such a call from a railroad station, little realizing that someone was observing me and taking down the code numbers I punched in. The perpetrator then tried to make some very long-distance calls to South America, but the calls never went through because my carrier’s systems kicked them out as an anomaly and shut down that service before possibly thousands in fees were attached to my account.  

Literally within the hour, the carrier called to inform me of what happened, and the action they had taken. Needless to say, I was very relieved.  

Now fast forward to May 2008, when one of the worst security breaches ever took place at Heartland Payment Systems Inc., a payment processing company that handles huge volumes of credit card transactions. According to Computerworld, the processor announced the breach in January 2009, and it is now believed that as many as 100,000 credit cards may have been compromised.  

Did Heartland’s customers—or MasterCard’s—get that immediate call like I did? Hardly. In fact, Computerworld notes that although the intrusion began in May, it wasn’t discovered until January of the next year. Now Heartland is reported to be setting aside more than $12.6 million to cover intrusion-related costs.  

I’m not so shocked that an attack—even one this big—could take place. What does disturb me, however, is how long it takes the compromised company to discover the problem, notify its customers, and do something about it. The same kind of time delay occurred a few years back with the much-publicized ChoicePoint break-in.  

As so often happens, the customer will likely have to bear the pain and inconvenience that result from such attacks. Certainly, once these incidents occurred, both companies mentioned went above and beyond to put new safeguards in place, but that doesn’t help those who have already been victimized. Paying customers who have been hurt is also an admirable move, but how can they adequately pay for months of stress caused by constant credit problems and difficulties fixing the damage?  

My point here is that the insurance industry—with its massive amounts of personal and sensitive data—needs to do more than make doubly sure that its intrusion detection systems are functioning and very much up to date. We need to be ready to respond to an intrusion by aggressively determining the cause, shutting down the threat, closing the openings that allowed the attack, and informing our affected customers. Then, we need to do all we can to fix any damage done. Only then can we hope to retain the perhaps naïve trust placed in us by the insurance-buying public.  

There also needs to be increased security to prevent physical losses of laptops or other mobile devices that carry or can access the data. Yet most surveys of insurance CIOs don’t put data security anywhere near the top of companies’ priorities.  

What will it take to change that? It seems it will take a big, widely publicized intrusion that hurts a lot of insurance customers, as well as the insurance company. The question is: Who will be the first insurance-related Heartland?