You May be Doing a Great Job with Data Security—But What About Other Departments or Partners?

“Dear Customer:

One of our email service providers, Epsilon, has informed us that we are among a group of companies affected by a data breach that may have exposed your email address to unauthorized third parties. It's important to know that this incident did not involve other account or personally identifiable information.”

That's an e-mail we all love to receive, and I've received several of these notices over the past few days from various prominent companies I've done business with.

The extent of the breach within the insurance industry is not known at this point, as INN colleague Alex Vorro reports. But while there supposedly is no such thing as “bad PR,” things like this are the exception if an insurer has to deliver this kind of news to policyholders. 

Companies may be doing a great job of locking down their data to prevent external and internal leaks, but the Achilles’ heel in all this is the unknown vulnerabilities of business partners or vendors. We operate businesses mean and lean, contracting out a lot of non-core (and often core) functions to partners, third parties and cloud providers. 

There is an accounting standard, shorthanded as “SAS 70,” that many companies use as a guide to ensure that partner businesses employ rigorous methods to safeguard data and processes. But apparently there isn't enough to go around. And many breaches or incidents occur as a result of mistakes, or carelessness on the part of someone outside the production site. 

In fact, a review of insurance industry security incidents at the Privacy Rights Clearinghouse brings to light how a lot of incidents at insurance and financial services companies result from data falling into the wrong hands once its sent out from the main production site either to other departments or outside departments:

•  April 6, 2011: “People who logged into [a major Northeast insurance company's] server between February 22 and February 28 are being notified of a possible breach. The firm's Windows servers were hacked and employee, contractor and some customer information may have been exposed by the breach. Social Security numbers, user account logins and passwords, bank account numbers and credit card numbers may have been exposed.”

•  March 9, 2011: “In late January or early February, [a major Northeast carrier] sent notification that a dishonest employee is likely to have accessed and disclosed customer information. Names, Social Security numbers, addresses, dates of birth and bank account information may have been exposed. [The company] was unable to determine which customers were affected.”

•  January 25, 2011: “Thousands of papers with names, addresses, Social Security numbers, birth dates and account balances were thrown in a dumpster. The breach appears to be the result of an insurance office moving from one location to another. A man searching for metal in dumpsters made the discovery. Most of the files belonged to one insurance agent.”

Actually, an incident cited at a major financial services company last October 12 indicated that the company was doing the right thing—sensitive data was encrypted before it left the production site:

“An isolated administration error caused an encrypted file with the personnel information of one client's employees to be made available to the HR department of another client. A password-based registration system was already in place to prevent the wrong addressee from opening encrypted email, however, the email was addressed to the wrong client.”

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.