How pervasive are security breaches within the insurance and financial services sector? A perusal of publicly reported breaches that occurred over the past few months at the PrivacyRights.org timeline provides a good picture of all the things that can go wrong when data is not carefully shielded against abuse—particularly insider abuse.
Midwest insurance company: “An employee was caught misusing customer information on July 28. The dishonest employee had been improperly using customer names, Social Security numbers, addresses, dates of birth, and credit card numbers for at least two months. An unspecified number of customers had fraudulent online purchases made in their names.”
Northeastern insurance company: “On July 13, [the insurance company] inadvertently sent a report via secure email that included client information to an incorrect retirement Plan Sponsor. Client names, Social Security numbers, and 401(k) balance information were exposed. The individual who received the plan information informed [the insurance company] of the error immediately and claimed to have deleted the information without storing or printing it.”
Northeastern insurance company, investment subsidiary: “A vendor of the broker-dealer... was involved in a data security breach. [The company] learned that a vendor had inadvertently shared electronic files with another federally regulated broker-dealer that also uses [the company's] services. The information included client names, Social Security numbers, and certain types of account data. Five clients from California may have been affected, but the total number of affected individuals nationwide was not reported. The vendor responsible for the mistake worked with the other broker-dealer to delete the client files from their system.”
Midwestern insurance company: “An investigation confirmed that an employee of an unnamed [company] office may have used customer information in an inappropriate manner. An unknown number of customers may have had their names, addresses, credit card numbers, and Social Security numbers misused by the dishonest employee.”
West Coast insurance services company: “[The company] became aware of a vulnerability in its computer network that may have resulted in the exposure of some electronic files. The information was secured, but some RJL files were accessible for a period of two weeks. Client names, Social Security numbers, driver's license numbers, and medical conditions may have been exposed.”
Midwestern insurance company: “An unauthorized access occurred sometime between January 22 and February 15, 2012. Consumers may have had their credit reports accessed by someone using a client's login credentials. Names, Social Security numbers, and addresses would have been exposed.”
Northeastern insurance company: “A customer discovered that a spreadsheet with current and former [company] customer information had been posted online. [The company] corrected the problem after being notified by the customer and provided two years of credit monitoring and identity theft insurance to customers who had been affected by the breach. The type of information exposed in the spreadsheet and the length of time it was available online were not revealed.... Additional negotiations with Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein resulted in an agreement for [the company] to offer additional protection. [The company] paid an additional $10,000 for a special fund that will reimburse the state of Connecticut's investigative and enforcement costs, or reimburse losses for consumers in the future. Additionally, customers who paid for a security freeze to be lifted or placed will be eligible for reimbursement, and [the company] agreed to improve employee personal information protection training policies and procedures.”
Bottom line: Data breaches can be costly, and it pays to put preventative measures in place. Notice how the above incidents had nothing to do with outside hackers—they were all perpetrated by inside employees or contractors, or were the result of mistakes.
For a good idea of what kind of measures will help, Gijo Mathew of CA Security Management has put together a white paper outlining key steps to be taken:
1. Find and protect sensitive data at many locations: “There is a growing list of channels where information can be lost (i.e. social networking, mobile devices, virtualization and cloud computing) and a growing list of sensitive information in your organization. Most products address data loss tactically, but your organization will need a strategic information protection and control solution to address the growing set of requirements.”
2. Improve control of messaging: “Email continues to be the most uncontrolled system for information misuse. Monitoring and protecting email can dramatically reduce the risk of information misuse and improper disclosure.”
3. Flexible, customized remediation options: “Protecting information is not just about either monitoring or blocking misuse but about proper enablement and education. An information protection and control solution will help you take the appropriate action based on the classification of the data, the identity of the violator, and how the data is being used. This will enable end user awareness of data policy and serve as the foundation for encryption and digital rights management technology.”
4. Identity-based policy: “When a particular data incident is being analyzed, information about the user is necessary to take the appropriate next step. The ability for an information protection and control solution to leverage user attributes is key to providing effective protection and remediation of data violations.”
5. Identity-based policy administration: “What a user can and can’t do with data is correlated with their role in the organization. An effective information protection and control solution will leverage this intelligence to apply the right data policies to the right users at the right time.”
6. Identity-based remediation: “Data violations will undoubtedly occur in any organization but the remediation of those violations is not always the responsibility of the security team. Most violations need to be delegated to a manager, HR, compliance or some other function based on the type of violation. The solution needs to know about and route the violations to the right identities and only allow them to see the violations they are responsible for.”
7. Accurate content analysis: “If your information protection and control solution cannot perform comprehensive and accurate content analysis, you won’t easily be able to find and resolve true violations among a mass of false positives. As a result, this ineffective detection system will prevent you from proactively blocking potential data loss violations with confidence, since so many of those flagged actions will be legitimate business activities.”
8. Enhance scalability: “Digital data continues to grow at exceptional rates and be used by more people in different ways. An effective information protection and control solution needs to be able to scale to analyze and act on large volumes of data without burdening existing performance of systems and applications.”
9. Modularize: “As new data types, channels, and protocols emerge, the solution should be able to adapt to these evolving requirements. Compared to a rigid or unproven solution, one with a modular, distributed architecture providing superior flexibility, scalability, performance, and fault tolerance is the best way to address both current and future information risk needs.”
10. Integrate information protection and identity and access management: “Security has always been about layers of security controls, but integration is needed to make sure certain risks don’t fall through the cracks. Information protection and control cannot be another island of security but rather the next step in your identity and access management process.”
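To make steps 4 through 7 concrete, here is an added example of an identity-aware outbound email check. It is not code from the white paper or from CA; the internal domain, roles, policy table, remediation owners and sample messages are all constructed for the example. Content analysis validates Social Security number structure and checks card numbers with the Luhn checksum so that policy and account numbers are not flagged as cards (step 7); whether a finding is a violation depends on the sender's role and on whether the recipient is external (steps 4 and 5); and a blocked message is routed to the function that owns remediation for that role rather than to the security team by default (step 6).

```python
"""Identity-aware DLP check for outbound email (added example; the domain,
roles, policy table and messages below are constructed, not a real deployment)."""
import re
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_DOMAIN = "example-insurer.test"  # constructed internal mail domain

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that are never issued: area 000, 666 or
    900-999, group 00, serial 0000. Cuts the most common false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; a 13-19 digit run that
    fails it is almost certainly an account or policy number, not a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


def find_cards(text: str) -> list:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# What each role may do with each data class (constructed policy table).
# "internal_only": may send to INTERNAL_DOMAIN recipients; "never": may not send at all.
ROLE_POLICY = {
    "claims_adjuster": {"ssn": "internal_only", "card": "never"},
    "billing_clerk": {"ssn": "internal_only", "card": "internal_only"},
    "contractor": {"ssn": "never", "card": "never"},
}
DEFAULT_POLICY = {"ssn": "never", "card": "never"}  # unknown roles get the strictest rule

# Who owns remediation for a violation by a given role (constructed).
REMEDIATION_OWNER = {
    "contractor": "vendor-management",
    "claims_adjuster": "claims-manager",
    "billing_clerk": "billing-manager",
}


@dataclass
class Message:
    sender: str
    sender_role: str
    recipient: str
    body: str


@dataclass
class Decision:
    action: str  # "allow" or "block"
    route_to: Optional[str]  # function that receives the violation, if blocked
    findings: dict = field(default_factory=dict)


def evaluate(msg: Message) -> Decision:
    """Combine content findings with sender identity and recipient location."""
    findings = {"ssn": find_ssns(msg.body), "card": find_cards(msg.body)}
    external = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    policy = ROLE_POLICY.get(msg.sender_role, DEFAULT_POLICY)
    violated = False
    for kind, hits in findings.items():
        if hits and (policy[kind] == "never" or (policy[kind] == "internal_only" and external)):
            violated = True
    if not violated:
        return Decision("allow", None, findings)
    return Decision("block", REMEDIATION_OWNER.get(msg.sender_role, "security-team"), findings)


# Constructed sample traffic: an internal hand-off, a misdirected external send
# (like the plan-sponsor incident above) and a contractor mailing card data out.
SAMPLE_MESSAGES = [
    Message("adjuster@example-insurer.test", "claims_adjuster", "colleague@example-insurer.test",
            "Claimant SSN 123-45-6789, policy number 1234567890123."),
    Message("adjuster@example-insurer.test", "claims_adjuster", "sponsor@other-plan.test",
            "Claimant SSN 123-45-6789 attached."),
    Message("temp@vendor.test", "contractor", "me@vendor.test",
            "Card on file 4111 1111 1111 1111, test id 000-12-3456."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        d = evaluate(m)
        print(f"{m.sender} -> {m.recipient}: {d.action} (route: {d.route_to}) {d.findings}")
```

The first message is allowed even though it contains a valid SSN, because the adjuster's role permits SSNs to internal recipients and the 13-digit policy number fails Luhn and is not reported as a card. The same SSN sent to an external plan sponsor is blocked and goes to the claims manager, and the contractor's message is blocked for the card number while the non-issued SSN-shaped string is ignored.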
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.
Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.