Claim-related data have the same security and privacy requirements as any other personal information. The need to protect this data is only becoming greater, and not necessarily due to specific Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) implications.

Many states are passing even more wide-ranging privacy and disclosure laws than HIPAA or GLBA. Practically every day, we hear about theft or loss of personal information from financial institutions, schools, government, and consumer data services, such as Choicepoint. These targets share something with insurers: they collect a great deal of information about people in a single place.

The Internet is a target-rich environment, offering con artists ease and volume. Fraud over the Internet is anonymous and can take place from anywhere.

People worry about this. In a 2002 IVANS study, 77 percent of consumers surveyed said that they were concerned with their doctors' sending medical information to insurers over the Internet. Additionally, 66 percent expressed concerns about the privacy and security of property claim information's being exchanged via the Internet.

Concern about medical records is understandable, but why do people care whether someone finds out that they had a kitchen fire two years ago? They probably don't much. Instead, they are concerned about loss of privacy and the danger of identity theft.

Between Jan. 1 and May 2, 2005, the personal information of more than 6.5 million people, that we know of, was lost or stolen. Understandably, organizations are reluctant to discuss the details of how their systems were compromised, but failure to positively identify someone seeking access to the data is the category most directly related to failures in protecting personal information. Other causes of information breaches are outlined in Table 1.

Theft of data from computer systems is not new, but it is happening more often because of greater computer interconnection. It also is being reported more often because of new legislation, such as the California Security Breach Notification Law that became effective July 1, 2003. That law mandates that state government agencies, as well as companies and nonprofit organizations, regardless of geographic location, must notify California customers if personal information maintained in computerized data files has been compromised by unauthorized access.

Personal Information?

The State of Virginia provides a good definition of personal information, and the insurance industry's responsibility for it, in this excerpt from 38.2-602 of the Code of Virginia:

“Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Personal information” includes an individual's name and address and medical-record information, but does not include (i) privileged information or (ii) any information that is publicly available.

The code mandates that insurance institutions implement comprehensive written information security programs that include administrative, technical, and physical safeguards for the protection of policyholder information.

The information security program shall be designed to:

  1. Ensure the security and confidentiality of policyholder information;
  2. Protect against any anticipated threats or hazards to the security or integrity of the information; and
  3. Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any policyholder.

If these compliance rules seem vague, that is because they are. The Virginia act has this in common with HIPAA and GLBA. The fluid nature of the regulations is intended to allow for individual business variables. The Virginia statutes recognize the duty to conduct thorough risk analyses, which must be followed by reasonable precautions to protect personal data from being improperly disclosed or destroyed. There are many facets to this risk assessment, and the insurance industry is among the least likely to get a pass on any oversights.

Technological Considerations

A number of general areas need to be addressed, including physical, personnel, administration, lack of awareness and unclear policies, technology, and data destruction. Although technological security seems the obvious place to start, managerial, organizational, regulatory, economic, and social issues cannot be ignored. Other organizations with which a company shares data should not be forgotten, either.

Technology security planning should encompass several categories. Among these are service reliability, data integrity, authentication of those seeking access, and privacy of information. Alibi prevention and deterrence also should be considered. Information thieves should find it difficult to deny responsibility for any trespasses.

Although security and privacy may overlap, they are not the same. Security is about the processes, procedures, and technology used to protect information. Privacy describes an individual's right to keep certain information from being disclosed without his permission. It is entirely possible to have excellent security without appropriate privacy because, although secure methods for storing, sending, and receiving data (electronically or otherwise) are necessary to privacy, they are not sufficient. No matter how secure the information storage or the methods used to share it, an obligation remains to ensure that those with whom it is shared are authorized to see it.

In order to effect privacy, reasonable assurance must be obtained that a company's business partners treat shared information with care. Business partners should be asked whether they restrict, both by policy and by technology, installation of software on their employees' computers. Are their employees aware of privacy and security concerns? How do they identify users of their systems?

Employee awareness is crucial. Company policies should require reminders about safe use of the Internet and e-mail, proper document disposal, and processes to minimize the risk of employees' providing confidential information to the wrong people.

Who Are You?

Authentication of the identity of those allowed access to computer systems is a critical question. Anyone who uses online financial services jealously guards his own login information. In the absence of strong personal interest, however, it is far less clear whether people protect these “keys.” How many times have you seen passwords on sticky-notes pasted to the front of someone's work computer monitor?

In 2004, an impromptu, man-on-the-street survey by the online IT publication Security Pipeline found that almost three-quarters of office workers would give up their passwords in exchange for chocolate bars. Respondents revealed other security lapses: “I work in a financial call center. Our password changes daily, but I do not have a problem remembering it, as it is written on the board so that everyone can see it,” said one interviewee. “I think they rub it off before the cleaners arrive.”

Four out of 10 respondents knew their colleagues' passwords. Two-thirds use the same password for work and for personal access, such as online banking and web surfing. The most common password categories were family names, such as partners or children (15 percent), followed by football teams (11 percent) and pets (8 percent). The most common password was “admin.”

Static, reusable passwords have proven easy for hackers to beat. This accounts for interest in two-factor authentication, which requires two separate methods of identification: something known (a password or PIN) and something physical (an authenticator). Often, the authenticator is a key fob-sized device that generates a new number every 60 seconds. That number is an effective one-time password. Even if someone steals an authentication number, through keyboard logging software for example, it becomes useless a minute later. Because two-factor authentication addresses the issues of privacy, authentication, and alibi prevention, it is becoming a common security tool.
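The fob described above can be modelled as a time-based one-time password: a secret shared with the server is mixed with the current 60-second window number, so a stolen number is worthless once the window passes. The code below is an added illustration, not from the original article or any vendor; it assumes an HMAC-SHA1 construction (in the style of the TOTP standard), a constructed seed and PIN, and a constructed timeline in which a keylogger has recorded a user's login.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the fob in the article rolls to a new number every 60 seconds
DIGITS = 6


def otp_for_time(secret: bytes, unix_time: int) -> str:
    """Number the fob would display at unix_time (time-based HMAC one-time password)."""
    counter = unix_time // STEP_SECONDS  # identical for every second of one 60-second window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: pick 4 bytes of the MAC
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** DIGITS):0{DIGITS}d}"


class TwoFactorVerifier:
    """Server side: PIN (something known) plus the fob number (something physical)."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin
        self.last_window = -1  # last window in which a code was accepted

    def verify(self, pin: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(pin, self.pin):
            return False
        window = now // STEP_SECONDS
        if window <= self.last_window:
            return False  # a code already used in this window (or older) is never accepted twice
        if not hmac.compare_digest(code, otp_for_time(self.secret, now)):
            return False  # number does not belong to the current window
        self.last_window = window
        return True


def keylogger_scenario(secret: bytes = b"constructed-demo-seed", pin: str = "4821") -> dict:
    """Constructed timeline: the legitimate user logs in at t=1000 and a keylogger
    records both the PIN and the fob number shown at that moment."""
    verifier = TwoFactorVerifier(secret, pin)
    captured = otp_for_time(secret, 1000)
    return {
        "user_login": verifier.verify(pin, captured, 1000),          # fresh code, current window
        "replay_same_minute": verifier.verify(pin, captured, 1010),  # rejected: already used
        "replay_next_minute": verifier.verify(pin, captured, 1070),  # rejected: fob has moved on
    }
```

The two replay entries are what make the stolen keystrokes useless: the first is blocked by the one-use rule, the second because the window, and therefore the expected number, has changed.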

Internet Espionage

One of the threats driving the adoption of two-factor authentication is spyware, software downloaded from the Internet unknowingly or attached to e-mail. Unlike a virus, spyware's job is not to damage data or hijack computer resources. It is intended to steal information.

One form of spyware, called adware, has aroused the ire of New York Attorney General Eliot Spitzer, whose recent bid-rigging probe cost insurance brokers a billion dollars, thousands of jobs, and lost share value. Spitzer charged Intermix Media with “secretly installing software that delivers nuisance pop-up advertisements and can slow and crash personal computers.” The AG's complaint about Intermix does not address the larger danger of spyware turned to criminal use, however.

Even though Spitzer has not seen it yet, Christopher Lipp knows the stakes. Lipp, senior vice president and general counsel for Intermix, denied promoting or condoning spyware, saying that its toolbars and redirection applications do not collect personal information on computer users. Redirection applications are those that direct browsers to web sites that the spyware requests.

Some spyware captures every keystroke, in order to secretly send the information to con artists or other malfeasors. Keylogging was part of a plot to steal nearly $400 million from the Mitsui Sumitomo Bank in 2004. Potentially, this is a far bigger threat than viruses. Would you prefer a virus program that erased all the information from your computer, or spyware that silently stole your insureds' Social Security numbers?

Spyware can be especially difficult to detect and remove, typically requiring several different tools. The best defense at the moment is to avoid use of instant message services, ensure that employees understand the danger of web sites in e-mail solicitations, and prevent them from downloading any software. Be alert to strange computer behavior, such as browsers' leading to different sites than expected or the appearance of new “tool bars.” In addition, virus protection should be kept up to date, as it can stop many of the problems associated with e-mail attachments.

Claim information is personal information, and is protected by an increasing amount of legislation. The legal requirements, and scrutiny, for protection of personal claim information are of great import, and the compliance issues are growing. Beyond that, however, failure to assess risk and adequately protect claim information can lead to loss of data, jobs, reputation, stock value, customers, and competitive advantage.

Duane Hershberger is a director on the board of the ASU Group.
