Information security is a hot topic in insurance IT due to the slew of recent data breaches, particularly in healthcare insurance. The mobility trend has only served to intensify the pressure on CIOs to protect sensitive data from loss or theft. Since 2005 more than 200 million sensitive records have been breached as a direct result of lost or stolen devices.
Faced with the complex trifecta of mobility, increasing cybercrime, and a transformational regulatory landscape, it is no wonder insurance IT leaders are feeling overwhelmed. To add to their woes, Gartner predicts that by 2016, 20% of CIOs in regulated industries (like insurance) will lose their jobs for failing to implement successful information security processes.
While the average cost of a data breach is $5.9 million, the average loss in the value of a brand is $330 million. Arguably, this figure would be significantly higher for insurance companies, whose entire business is built on reputation and trust. And since insurance companies operate in the most complex regulatory environment, the consequences of such data breaches are many and varied.
1. Reputational damage: Insurance companies operate in an industry where trust and reputation equate to good business. Mobility is a double-edged sword -- it can deliver employee productivity on one side and instant social shaming on the other. On Google, the brand will be inextricably linked to the data breach scandal forever. This negative publicity will affect customer perception and, ultimately, the company’s reputation.
2. Loss of business: Clients will take their business elsewhere -- and may never return. If a lost or stolen laptop results in a data security incident, sensitive, personal information is now in the hands of a potentially hostile entity. Even if devices are encrypted, it is difficult to be certain that the data will remain secure.
3. Regulatory fines or penalties: Insurance companies will be held to task by the regulatory bodies that oversee corporate compliance when it comes to data security, and healthcare insurers will be regulated by HIPAA. Additionally, 46 states have statutes for data breach notifications. Most state laws apply to insurance companies, and some states encompass healthcare. These regulators can impose significant fines or penalties and mandate that the company be audited frequently, require stringent reporting, or, in extreme cases, cease operations in a particular state or jurisdiction. These types of reprisals are typically public in nature and only feed the PR cycle, keeping the story top of mind.
4. Class-action suits:The insurance company could face class-action lawsuits taken by the individuals or organizations whose personal data becomes compromised. These suits typically result in costly compensation payments or damages.
5. Decreased market value: For publicly traded companies, the share price and market capitalization are likely to fall after a breach, and will continue to suffer if the breach is followed by lengthy audits and lawsuits. The financial stability of the organization would be uncertain.
Mitigate the risk to your business
Diligent IT departments take a layered approach to security technology to mitigate the risk of lost or stolen data. Data and device encryption is the first line of defense, but this does not guarantee the security of your information. Encryption is only as strong as the device user. Oftentimes, passwords are left on devices, or devices are shared with family members or friends. However, encryption can be bolstered with a persistent security technology. If encryption technology is the bricks and mortar of the home, persistent security technology is the monitored alarm system.
Follow these tips to facilitate a mobile workforce while protecting against cyber criminals and meeting the standards set by the multitude of regulators:
- Educate employees about data security protocols involving physical records and mobile devices and data.
- Encrypt sensitive data stored on portable devices including laptops, tablets, and smartphones.
- Deploy a persistent security and management software agent that will allow you to maintain a connection with a device regardless of user or location.
- Set airtight policies for BYOD and company-owned devices. Remotely manage mobile content by restricting access to printing, copying, and emailing of sensitive data. Set time limits on data so that it is remotely removed after a certain time.
- Prove device and data security compliance with encryption status reports and anti-virus/malware reports to show these solutions were in place and properly working (this is an important step to satisfy the rules set by the HHS Office for Civil Rights).
- Ensure your security software allows you to perform remote actions on the device such as data delete, data retrieval, device freeze, and forensic investigations in the case of a security incident.
- Review and update privacy and security policies and procedures and stay up to date with regulatory compliance requirements.
As Legal Counsel at Absolute Software, Stephen provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. He counsels the Absolute Investigations team, which conducts data forensics, theft investigations, and device ... View Full Bio