Managing risk is an art form. Fortunately, life insurance agents and carriers working in the information security and data protection sectors have a great starting point when discussing policyholders’ risks. Certain trigger events, outlined below, are responsible for a large percentage of data breaches. By focusing first on these risk areas, the majority of exposures can be greatly minimized.
Lost and stolen devices. A misplaced smartphone, laptop or tablet is more than a mere annoyance when it contains sensitive data or possesses login credentials sufficient to access a company’s stores of personally identifiable information (PII), protected health information (PHI) or other confidential data. This is also a problem when laptops and tablets are stolen—out of employees’ cars, from hotel lobbies, or off baggage carousels. Historically, thieves were interested in the value of the equipment, but today they’re equally tempted by the treasure of the data housed within.
Mis-mailings. Invoices, account statements and appointment reminders are just a few examples where one individual can easily receive another individual’s personal information. If the labels and contents of the envelopes are off by even just one record, the organization could be looking at a wide-scale data breach. The same holds true for emails containing PII that are accidentally sent to the wrong recipient.
Hacking. External threat actors are more prevalent than ever (think: Target, Michael’s, P.F. Chang’s, and others). Some hackers zero in on specific companies while others just look for systems with easy access. Internal dangers lurk here, too. Disgruntled or vulnerable employees with access to sensitive data may use it for financial gain or to retaliate against the company or a coworker.
Backup malfunctions. Cloud backup services are increasing in popularity, but they open another door for lost or exposed data if the vendor suffers any type of breach. Even companies using onsite backup appliances and conventional tape backups run the risk of a breach if the network is compromised or the tape’s chain of custody comes into question.
Third-party vendor breaches. It’s a rare company that internalizes every process. Organizations routinely look to outside providers for additional resources or specialized expertise. Payroll and benefits management are two commonly outsourced functions that by their very nature hold PII.
If one of those vendors suffers a data breach, the ripple effects throughout their client base can be devastating to your entire employee base. And, as seen with the Target incident, even a non-technical vendor with system access can pose a system-wide risk.
Improper data disposal. Medical records, old account information and other protected data often find their way into the Dumpsters of companies that do not have secure disposal programs. Documents that should be put into the shredder are tossed into a communal recycling container or trashcan.
Data on old computer drives and network printers end up on eBay and then CBS News. With the vast amounts of data being generated today, properly disposing of information that is no longer needed has become a security weakness all its own.
Rules and regulations around breach notification and data destruction
An array of breach notification laws exist at the federal, state and local levels, and many vary from one industry to the next. Healthcare organizations, for example, operate under federal mandates such as HIPAA, HITECH and the Federal Trade Commission.
Financial institutions are regulated by the Gramm-Leach-Bliley Act, the Security Exchange Commission or the Office of the Comptroller of the Currency. Most states also have instituted their own data breach notification compliance requirements, some of which impose tighter tolerances for accepted timeframes and methods for notifying affected parties.
Several states also have passed data destruction laws. They often apply to a wider swath of businesses—by industry as well as size—than many of the breach notification laws. And some stipulate the manner required for proper data disposal. Most also carry penalties or fines for companies that aren’t in compliance.
Companies aren’t always aware of the myriad mandates that affect them, so producers should be doubly sure to evaluate all potential breach notification requirements. Without solid practices around information security and data destruction, policyholders could run afoul of these regulations without even knowing it.
Simple steps help safeguard records and ensure data safety
Many data protection strategies can be effective as well as easy and relatively inexpensive.
Strong passwords offer mobile devices a layer of security against loss or theft.
Encrypting sensitive data is also highly effective on mobile platforms as well as desktop and server-level components.
Routine security assessments ensure the organization is always aware of potential threats, possible systems weaknesses, and where processes should be improved.
Developing a breach response plan enables the policyholder to quickly respond to a data exposure and minimize the risk of financial penalties as well as reputational harm.