Insurers are particularly concerned with storing Personal Identifiable Information (PII) and Personal Health Information (PHI) data, which is protected by the Health Insurance Portability and Accountability Act (HIPAA). Personal identifiable information is considered to be more valuable than credit card information, which can easily be canceled and reissued. It is much harder, if not impossible, to replace a social security number.The HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of identifiable health information, setting fines and penalties for violations. These fears may be warranted, but in fact, technology is transforming the insurance industry for the better, improving claim processing efficiency and customer service, while creating a competitive landscape. In light of recent cyber attacks, measures can be easily introduced to mitigate risk.
In 2010, Zurich UK was fined $2.3m for losing their customer’s personal data. Zurich UK had outsourced the processing of part of its general insurance data to Zurich Insurance Company South Africa Ltd. During a routine transfer of data to a data storage center in South Africa, an unencrypted hard drive was misplaced. The hard drive contained personal details relating to 46,000 policyholders and 1,800 third parties.
What’s more shocking however is the fact that Zurich didn’t realize the data had gone missing until the following year. Now I know if I were a Zurich customer I’d be upset that my personal data had been compromised, but the fact no one noticed for a year would really be the icing on the cake! Granted it doesn’t appear anyone used the data, but that was just lucky for Zurich, and they could have come off much worse if it had.
Granted, Zurich dealt with the issue once they were aware, notifying customers, and reporting the incidence to the Financial Services Authority (FSA) in the UK. They also introduced new security measures, and have since appointed a dedicated security officer to ensure this never happens again.
There are a few lessons we can all learn from the Zurich breach of security:
- Identify Quickly if a Breach Occurs: In a 2015 study carried out by KPMG, one-quarter of respondents admitted their firms didn’t have the ability to detect a security breach in real-time, or they weren’t aware of such capabilities. Ensure you implement a system, or have procedures in place that will allow your team to identify a security breach. Compile an internal team, consisting of senior management to meet regularly and identify potential threats to the business.
- Have a Disaster Recovery Plan in Place: Upon discovery of a breach, each employee should know how to deal with the situation. Create a handbook, such as a “Disaster Recovery” document, outlining who needs to be notified, and what steps should be undertaken to inform all relevant parties. All employees should have access to this handbook as a term of employment.
- Draw up Contracts for Third-Party Contractors: Although we don’t know the details of the outsourcing arrangement, if Zurich had a solid contract in place for dealing with data transfers in South Africa, with repercussions in place for parties responsible for any breach, more care may have been taken during these routine data transfers. Creating a contract for use with any third-party contractor should be a business best practice.
- Are Internal Parties Responsible? Intel recently reported that 40% of all serious security breaches were due to negligence from internal actors, of which half were intentional and half incidental. In the case of Zurich, had internal parties been properly educated on security threats and vulnerabilities, and the role they might play in a breach, it may have been avoided. The repercussions for exposing data to a breach should be outlined as a term of employment, to deter any intentional, and avoid any accidental exposures.
- Notify the Relevant Regulatory Body: The Disaster Recovery plan should outline the relevant regulatory body that needs to be notified. Depending on where your business is located there are different regulatory bodies, such as the FSA in the UK and the HIPAA in the US. If your business spans across multiple countries or jurisdictions, a number of bodies may need to be notified.
- Notify Affected Parties: It is more effective for affected parties to hear directly from you before hearing about a breach on the news. Emails should be sent to all affected parties, the company website should be used as a source for live updates, and a press release can be issued to deal with a breach in a dignified manner.
- React Quickly to Mitigate Effects on Reputation: When Anthem BCBS was subject to a security breach, their solid reputation protected them from the aftermath of the event. Upon realizing there was a breach, they acted big and fast, notifying federal authorities, customers, and the public in a timely fashion. This quick reaction and the hiring of experienced consultants to deal with security issues pleased affected parties, reassuring them that Anthem would deal with the issue quickly and efficiently.
So although the insurance industry is reluctant to adopt new technology due to security fears, there are procedures you can put in place to ensure you protect identifiable information. The ClaimVantage claim processing solution is built on the robust Force.com platform. There are various security measures in place which we have discussed before in great length.
If you are still worried about the security of your data, tokenization and encryption of data are also an option, although there are limitations on the use of this technology. To learn more and consider your options, download this whitepaper today.