BreachExchange mailing list archives

Underwriting Insurance Data Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 21 Dec 2014 17:58:58 -0700

http://www.insurancetech.com/compliance/underwriting-insurance-data-security-/a/d-id/1318252

Information security is a hot topic in insurance IT due to the slew of
recent data breaches, particularly in healthcare insurance. The mobility
trend has only served to intensify the pressure on CIOs to protect
sensitive data from loss or theft. Since 2005 more than 200 million
sensitive records have been breached as a direct result of lost or stolen
devices.

Faced with the complex trifecta of mobility, increasing cybercrime, and a
transformational regulatory landscape, it is no wonder insurance IT leaders
are feeling overwhelmed. To add to their woes, Gartner predicts that by
2016, 20% of CIOs in regulated industries (like insurance) will lose their
jobs for failing to implement successful information security processes.

While the average cost of a data breach is $5.9 million, the average loss
in the value of a brand is $330 million. Arguably, this figure would be
significantly higher for insurance companies, whose entire business is
built on reputation and trust. And since insurance companies operate in the
most complex regulatory environment, the consequences of such data breaches
are many and varied.

1. Reputational damage: Insurance companies operate in an industry where
trust and reputation equate to good business. Mobility is a double-edged
sword -- it can deliver employee productivity on one side and instant
social shaming on the other. On Google, the brand will be inextricably
linked to the data breach scandal forever. This negative publicity will
affect customer perception and, ultimately, the company’s reputation.

2. Loss of business: Clients will take their business elsewhere -- and may
never return. If a lost or stolen laptop results in a data security
incident, sensitive, personal information is now in the hands of a
potentially hostile entity. Even if devices are encrypted, it is difficult
to be certain that the data will remain secure.

3. Regulatory fines or penalties: Insurance companies will be held to task
by the regulatory bodies that oversee corporate compliance when it comes to
data security, and healthcare insurers will be regulated by HIPAA.
Additionally, 46 states have statutes for data breach notifications. Most
state laws apply to insurance companies, and some states encompass
healthcare. These regulators can impose significant fines or penalties and
mandate that the company be audited frequently, require stringent
reporting, or, in extreme cases, cease operations in a particular state or
jurisdiction. These types of reprisals are typically public in nature and
only feed the PR cycle, keeping the story top of mind.

4. Class-action suits: The insurance company could face class-action
lawsuits brought by the individuals or organizations whose personal data
becomes compromised. These suits typically result in costly compensation
payments or damages.

5. Decreased market value: For publicly traded companies, the share price
and market capitalization are likely to fall after a breach, and will
continue to suffer if the breach is followed by lengthy audits and
lawsuits. The financial stability of the organization would be uncertain.

Mitigate the risk to your business
Diligent IT departments take a layered approach to security technology to
mitigate the risk of lost or stolen data. Data and device encryption is the
first line of defense, but this does not guarantee the security of your
information. Encryption is only as strong as the device user. Oftentimes,
passwords are left on devices, or devices are shared with family members or
friends. However, encryption can be bolstered with a persistent security
technology. If encryption technology is the bricks and mortar of the home,
persistent security technology is the monitored alarm system.

Follow these tips to facilitate a mobile workforce while protecting against
cyber criminals and meeting the standards set by the multitude of
regulators:

 - Educate employees about data security protocols involving physical
records and mobile devices and data.
 - Encrypt sensitive data stored on portable devices including laptops,
tablets, and smartphones.
 - Deploy a persistent security and management software agent that will
allow you to maintain a connection with a device regardless of user or
location.
 - Set airtight policies for BYOD and company-owned devices. Remotely
manage mobile content by restricting access to printing, copying, and
emailing of sensitive data. Set time limits on data so that it is remotely
removed after a certain time.
 - Prove device and data security compliance with encryption status reports
and anti-virus/malware reports to show these solutions were in place and
properly working (this is an important step to satisfy the rules set by the
HHS Office for Civil Rights).
 - Ensure your security software allows you to perform remote actions on
the device such as data delete, data retrieval, device freeze, and forensic
investigations in the case of a security incident.
 - Review and update privacy and security policies and procedures and stay
up to date with regulatory compliance requirements.