Claim-related data have the same security and privacy requirements as any other personal information. The need to protect this data is only becoming greater, and not necessarily due to specific Health Insurance Portability and Accountability Act or Gramm-Leach-Bliley Act implications.

Many states are passing even more wide-ranging privacy and disclosure laws than HIPAA or GLBA. Practically every day, we hear about theft or loss of personal information from financial institutions, schools, government, and consumer data services, such as Choicepoint. These targets share something with insurers: they collect a great deal of information about people in a single place.

The Internet is a target-rich environment, offering con artists ease and volume. Fraud over the Internet is anonymous and can take place from anywhere.

People worry about this. In a 2002 IVANS study, 77 percent of consumers surveyed said that they were concerned with their doctors' sending medical information to insurers over the Internet. Additionally, 66 percent expressed concerns about the privacy and security of property claim information's being exchanged via the Internet.

Concern about medical records is understandable, but why do people care whether someone finds out that they had a kitchen fire two years ago? They probably don't much. Instead, they are concerned about loss of privacy and the danger of identity theft.

Between Jan. 1 and May 2, 2005, the personal information of more than 6.5 million people, that we know of, was lost or stolen. Understandably, organizations are reluctant to discuss the details of how their systems were compromised, but failure to positively identify someone seeking access to the data is the category most directly related to failures in protecting personal information. Other causes of information breaches are outlined in Table 1.

Theft of data from computer systems is not new, but it is happening more often because of greater computer interconnection. It also is being reported more often because of new legislation, such as the California Security Breach Notification Law that became effective July 1, 2003. That law mandates that state government agencies, as well as companies and nonprofit organizations, regardless of geographic location, must notify California customers if personal information maintained in computerized data files has been compromised by unauthorized access.

Personal Information?

The State of Virginia provides a good definition of personal information, and the insurance industry's responsibility for it, in this excerpt from 38.2-602 of the Code of Virginia:

“Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Personal information” includes an individual's name and address and medical-record information, but does not include (i) privileged information or (ii) any information that is publicly available.

The code mandates that insurance institutions implement comprehensive written information security programs that include administrative, technical, and physical safeguards for the protection of policyholder information.

The information security program shall be designed to:

  1. Ensure the security and confidentiality of policyholder information;
  2. Protect against any anticipated threats or hazards to the security or integrity of the information; and
  3. Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any policyholder.

If these compliance rules seem vague, that is because they are. The Virginia act has this in common with HIPAA and GLBA. The fluid nature of the regulations is intended to allow for individual business variables. The Virginia statutes recognize the duty to conduct thorough risk analyses, which must be followed by reasonable precautions to protect personal data from being improperly disclosed or destroyed. There are many facets to this risk assessment, and the insurance industry is among the least likely to get a pass on any oversights.

Technological Considerations

A number of general areas need to be addressed, including physical, personnel, administration, lack of awareness and unclear policies, technology, and data destruction. Although technological security seems the obvious place to start, managerial, organizational, regulatory, economic, and social issues cannot be ignored. Other organizations with which a company shares data should not be forgotten, either.

Technology security planning should encompass several categories. Among these are service reliability, data integrity, authentication of those seeking access, and privacy of information. Alibi prevention (non-repudiation) and deterrence also should be considered. Information thieves should find it difficult to deny responsibility for any trespasses.

Although security and privacy may overlap, they are not the same. Security is about the processes, procedures, and technology used to protect information. Privacy describes an individual's right to keep certain information from being disclosed without his permission. It is entirely possible to have excellent security without appropriate privacy because, although secure methods for storing, sending, and receiving data (electronically or otherwise) are necessary to privacy, they are not sufficient. No matter how secure the information storage or the methods used to share it, an obligation remains to ensure that those with whom it is shared are authorized to see it.

In order to effect privacy, reasonable assurance must be obtained that a company's business partners treat shared information with care. Business partners should be asked whether they restrict, both by policy and by technology, installation of software on their employees' computers. Are their employees aware of privacy and security concerns? How do they identify users of their systems?

Employee awareness is crucial. Company policies should require reminders about safe use of the Internet and e-mail, proper document disposal, and processes to minimize the risk of employees' providing confidential information to the wrong people.

Who Are You?

Authentication of the identity of those allowed access to computer systems is a critical question. Anyone who uses online financial services jealously guards his own login information. In the absence of strong personal interest, however, it is far less clear whether people protect these “keys.” How many times have you seen passwords on sticky-notes pasted to the front of someone's work computer monitor?

In 2004, an impromptu, man-on-the-street survey by the online IT publication, Security Pipeline, found that almost three-quarters of office workers would give up their passwords in exchange for chocolate bars. Respondents revealed other security lapses: “I work in a financial call center. Our password changes daily, but I do not have a problem remembering it, as it is written on the board so that everyone can see it,” said one interviewee. “I think they rub it off before the cleaners arrive.”

Four out of 10 respondents knew their colleagues' passwords. Two-thirds use the same password for work and for personal access, such as online banking and web surfing. The most common password categories were family names, such as partners or children (15 percent), followed by football teams (11 percent) and pets (8 percent). The most common password was “admin.”

Static, reusable passwords have proven easy for hackers to beat. This accounts for interest in two-factor authentication, which requires two separate methods of identification: something known (a password or PIN) and something physical (an authenticator). Often, the authenticator is a key fob-sized device that generates a new number every 60 seconds. That number is an effective one-time password. Even if someone steals an authentication number, through keyboard logging software for example, it becomes useless a minute later. Because two-factor authentication addresses the issues of privacy, authentication, and alibi prevention, it is becoming a common security tool.
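To make the 60-second fob concrete, here is an added example (not code from the article or from any vendor) of a time-based one-time password built the way RFC 6238 fobs do it, with an HMAC over the current time window; the shared secret, timestamps and six-digit display are constructed for illustration. It also shows why a code captured by a keylogger stops working once its window has passed.

```python
# Added illustration of a time-based one-time password (RFC 6238 style),
# parameterised to match the 60-second key fob described in the article.
# The secret and timestamps below are constructed demo values.
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the fob shows a new number every 60 seconds
DIGITS = 6          # six-digit display, as on most fobs
SECRET = b"constructed-shared-secret-for-demo"  # provisioned into fob and server


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Return the code the fob displays at `unix_time`."""
    counter = unix_time // step                      # index of the current 60-second window
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter (RFC 4226)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 0) -> bool:
    """Server-side check: accept only the code for the current window
    (optionally +/- `skew_steps` windows to tolerate clock drift)."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


def replay_demo(secret: bytes, capture_time: int) -> tuple:
    """A keylogged code is accepted inside its window but rejected one
    window later.  Returns (accepted_now, accepted_one_minute_later)."""
    stolen = totp(secret, capture_time)
    accepted_now = verify(secret, stolen, capture_time)
    accepted_later = verify(secret, stolen, capture_time + STEP_SECONDS)
    return accepted_now, accepted_later


if __name__ == "__main__":
    t = 1_700_000_000  # constructed Unix timestamp
    print("fob shows:", totp(SECRET, t))
    print("replay (now, one minute later):", replay_demo(SECRET, t))
```

With `skew_steps=1` the server tolerates one window of clock drift, which is the usual trade-off between usability and the size of the replay window.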

Internet Espionage

One of the threats driving the adoption of two-factor authentication is spyware, software downloaded from the Internet unknowingly or attached to e-mail. Unlike a virus, spyware's job is not to damage data or hijack computer resources. It is intended to steal information.

One form of spyware, called adware, has aroused the ire of New York Attorney General Eliot Spitzer, whose recent bid-rigging probe cost insurance brokers a billion dollars, thousands of jobs, and share values. Spitzer charged Intermix Media with “secretly installing software that delivers nuisance pop-up advertisements and can slow and crash personal computers.” The AG's complaint about Intermix does not address the larger danger of spyware turned to criminal use, however.

Even though Spitzer has not seen it yet, Christopher Lipp knows the stakes. Lipp, senior vice president and general counsel for Intermix, denied promoting or condoning spyware, saying that its toolbars and redirection applications do not collect personal information on computer users. Redirection applications are those that direct browsers to web sites that the spyware requests.

Some spyware captures every keystroke, in order to secretly send the information to con artists or other malfeasors. Keylogging was part of a plot to steal nearly $400 million from the Mitsui Sumitomo Bank in 2004. Potentially, this is a far bigger threat than viruses. Would you prefer a virus program that erased all the information from your computer, or spyware that silently stole your insureds' Social Security numbers?

Spyware can be especially difficult to detect and remove, typically requiring several different tools. The best defense at the moment is to avoid use of instant message services, ensure that employees understand the danger of web sites in e-mail solicitations, and prevent them from downloading any software. Be alert to strange computer behavior, such as browsers' leading to different sites than expected or the appearance of new “tool bars.” In addition, virus protection should be kept up to date, as it can stop many of the problems associated with e-mail attachments.

Claim information is personal information, and is protected by an increasing amount of legislation. The legal requirements, and scrutiny, for protection of personal claim information are of great import, and the compliance issues are growing. Beyond that, however, failure to assess risk and adequately protect claim information can lead to loss of data, jobs, reputation, stock value, customers, and competitive advantage.

Duane Hershberger is a director on the board of the ASU Group.
