Managing risk is an art form. Fortunately, life insurance agents and carriers working in the information security and data protection sectors have a great starting point when discussing policyholders’ risks. Certain trigger events, outlined below, are responsible for a large percentage of data breaches. By focusing first on these risk areas, the majority of exposures can be greatly minimized.
Lost and stolen devices. A misplaced smartphone, laptop or tablet is more than a mere annoyance when it contains sensitive data or possesses login credentials sufficient to access a company’s stores of personally identifiable information (PII), protected health information (PHI) or other confidential data. This is also a problem when laptops and tablets are stolen—out of employees’ cars, from hotel lobbies, or off baggage carousels. Historically, thieves were interested in the value of the equipment, but today they’re equally tempted by the treasure of the data housed within.
Mis-mailings. Invoices, account statements and appointment reminders are just a few examples where one individual can easily receive another individual’s personal information. If the labels and contents of the envelopes are off by even just one record, the organization could be looking at a wide-scale data breach. The same holds true for emails containing PII that are accidentally sent to the wrong recipient.
Hacking. External threat actors are more prevalent than ever (think: Target, Michael’s, P.F. Chang’s, and others). Some hackers zero in on specific companies while others just look for systems with easy access. Internal dangers lurk here, too. Disgruntled or vulnerable employees with access to sensitive data may use it for financial gain or to retaliate against the company or a coworker.
Backup malfunctions. Cloud backup services are increasing in popularity, but they open another door for lost or exposed data if the vendor suffers any type of breach. Even companies using onsite backup appliances and conventional tape backups run the risk of a breach if the network is compromised or the tape’s chain of custody comes into question.
Third-party vendor breaches. It’s a rare company that internalizes every process. Organizations routinely look to outside providers for additional resources or specialized expertise. Payroll and benefits management are two commonly outsourced functions that by their very nature hold PII.
If one of those vendors suffers a data breach, the ripple effects throughout their client base can be devastating to your entire employee base. And, as seen with the Target incident, even a non-technical vendor with system access can pose a system-wide risk.