
A number of years ago I had an experience with attempted theft of personal information that actually encouraged me to believe that the bad guys would have a tough time stealing important data from anyone who took reasonable precautions (I have since learned better).
At that time I was using a phone card provided by my long-distance carrier to make calls from the road and charge them to my home number. One day, I made such a call from a railroad station, little realizing that someone was observing me and taking down the code numbers I punched in. The perpetrator then tried to make some very long-distance calls to South America, but the calls never went through because my carrier’s systems kicked them out as an anomaly and shut down that service before possibly thousands in fees were attached to my account.
Literally within the hour, the carrier called to inform me of what happened, and the action they had taken. Needless to say, I was very relieved.
Now fast forward to May 2008, when one of the worst security breaches ever took place at
Did Heartland’s customers—or MasterCard’s—get that immediate call like I did? Hardly. In fact, Computerworld notes that although the intrusion began in May, it wasn’t discovered until January of the next year. Now Heartland is reported to be setting aside more than $12.6 million to cover intrusion-related costs.
I’m not so shocked that an attack—even one this big—could take place. What does disturb me, however, is how long it takes the compromised company to discover the problem, notify its customers, and do something about it. The same kind of time delay occurred a few years back with the much-publicized
As so often happens, the customer will likely have to bear the pain and inconvenience that result from such attacks. Certainly, once these incidents occurred, both companies mentioned went above and beyond to put new safeguards in place, but that doesn’t help those who have already been victimized. Paying customers who have been hurt is also an admirable move, but how can they adequately pay for months of stress caused by constant credit problems and difficulties fixing the damage?
My point here is that the insurance industry—with its massive amounts of personal and sensitive data—needs to do more than make doubly sure that its intrusion detection systems are functioning and very much up to date. We need to be ready to respond to an intrusion by aggressively determining the cause, shutting down the threat, closing the openings that allowed the attack, and informing our affected customers. Then, we need to do all we can to fix any damage done. Only then can we hope to retain the perhaps naïve trust placed in us by the insurance-buying public.
There also needs to be increased security to prevent physical losses of laptops or other mobile devices that carry or can access the data. Yet most surveys of insurance CIOs don’t put data security anywhere near the top of companies’ priorities.
What will it take to change that? It seems it will take a big, widely publicized intrusion that hurts a lot of insurance customers, as well as the insurance company. The question is: Who will be the first insurance-related Heartland?