Over the last couple of On our Radar posts, my colleagues have covered two industries that hold some of our most personal and sensitive information: healthcare and financial services. Today I wanted to dig into another industry that faces unique regulatory challenges when it comes to protecting personal information, both protected health information (PHI) and personally identifiable information (PII): the insurance sector.

Around the RadarFirst offices, we talk a lot about the different data breach notification laws proposed and enacted at a global level, and how that can contribute to a patchwork of complex privacy regulations that can leave privacy professionals scratching their heads.

One of the trending regulatory changes we’re seeing in US states that will impact the insurance industry in particular is the set of comprehensive data security requirements that apply to licensees of the state’s Insurance Commissioner. Several states have placed new cybersecurity requirements on insurers, and what’s interesting about this trend is that these states are widely enacting laws modeled after the National Association of Insurance Commissioners (NAIC) Data Security Model Law. The end result of this regulatory trend is additional complexity for data breach notification compliance in these states.

Speaking of onerous data breach reporting requirements for the insurance industry, another challenge for privacy professionals in the field is the risk of noncompliance – and the media attention that can follow. Here are a few recent stories in the media:

  • An insurer recently notified 2.96M patients of a potential data breach following the discovery that the company’s computer servers had been hacked, beginning as early as 2010. Though the investigation finished nearly nine years after the unauthorized access began, the notification to individuals was sent in a timely manner, within 60 days of discovery as required under the HIPAA Breach Notification Rule.
  • Insurance organizations are also prey to a malicious attack called credential stuffing, where attackers buy or take usernames and passwords leaked in other companies’ data breaches and use those credentials to try to gain access to accounts on other websites. While the attacker was able to obtain some usernames and passwords, no personally identifiable information (PII) was exposed. The company notified affected individuals and even took the extra step of resetting the passwords of the accounts that were accessed.
  • A life insurance company notified patients of a potential data breach caused by a phishing email that an employee responded to. The hacker gained access to information such as plan member names, addresses, dates of birth, Social Security numbers, and personal health information of the individuals and their family members. Here’s the success story in this privacy incident: the account was disabled within 90 minutes and completely withdrawn from their network.

Organizations in insurance have a deep regulatory burden when it comes to the data they collect, protect, and disclose. Protecting sensitive customer information is incredibly important, because the insurance business is built on trust.

Case Study

Read how one health insurance company uses Radar to assess hundreds of incidents each quarter and to ensure that, if they have a privacy incident, they have a streamlined process in place to help them assess the incident, determine whether they have a breach – and if they do, who they need to notify, and when. Read the case study.