Insurers and other corporations need to develop systems to protect the authenticity of electronic documents, says a risk expert from Marsh Kroll Inc.[@@]

If they fail to develop an effective authentication system, they risk losing valuable evidence that could support their case in a court proceeding, according to Alan Brill, a member of Kroll, a subsidiary of Marsh & McLennan Companies, New York. His comments came during an on-line panel discussion on risk sponsored by MMC.

Despite the investment in electronic security, the average loss per security breach incident is greater that $200,000, Brill said. For financial institutions and insurers, the 2 major concerns are loss of proprietary information and unauthorized access to networks.

When an incident does occur and an insurer begins to develop its legal case, electronic records will be increasingly important. There is also the growing “CSI” phenomenon (named after the TV program), where juries expect to see forensic evidence that back up litigants’ claims.

One problem with those records is lack of redundancy within the computer systems. Each time a record is opened, the record is altered, damaging the authenticity of the records, Brill said. He recommended companies create storage facilities, or logs, within their networks to document and copy records to show changes, who made them and when.

“The relevant records in criminal and civil cases are likely to be some form of digital log or digital record on a computer, server, or storage network or some form of back-up media,” he said.

Companies need to work on this problem now, Brill insisted.

“The real key is this: you don’t wait for a crisis to do your planning,” he said.

On the subject of identity theft, he recommend corporations keep information only as long as needed.

“If you need to hold [the information]. make sure it is safely stored,” he said. “And if you want to get rid of it, make sure it is safely gone.”

He described a phenomenon called vampire data, data that is thought to be dead and gone but resurrects itself years later “and bites your company in the neck.”

“Remember too, that computers don’t steal, people steal,” he said, and advised that background checks are needed on all employees, permanent and temporary, who handle data.