5 ways data classification can prevent an insurance data breach

File sharing creates a way in for cybercriminals

Insurance Data Breach

Insuring that your data is safe

Insurance firms collect and process large amounts of policyholder data including personally identifiable information (PII) and protected health information (PHI), as well as sensitive employee and company information that must be protected. Confidential data is the core of the business, and companies that collect and analyze it more effectively have a competitive advantage. And with the cost of file sharing and synchronization technology decreasing, actuaries are able to analyze and share data in real time. However, this also increases the number of unnecessary copies of sensitive business and consumer data.

Unchecked, proliferation of sensitive data makes it easier for cyber criminals to gain access and increases the likelihood that sensitive information will be mishandled. Safeguarding such information against cyber-attacks as well as mishandling has been technologically challenging and expensive. But there are critical steps you can take in order to thwart a data breach incident. Spirion CEO Todd Feinman offers examples of how insurance firms can leverage data classification to reduce the risk of data theft and costly compliance violations.


Legacy insurance paper workflows pose a risk

Legacy insurance paper workflows consist of a wealth of inbound and outbound documents coming to and from multiple sources. For example, employees scan inbound paper documents, then email, fax or submit them through online forms. Paperwork that is translated into scanned images contains vast amounts of sensitive data. Furthermore, JPEGs of scanned documents or ID cards are an example of unstructured data at its finest. Legacy systems that don’t identify faxed and scanned documents as sensitive data that needs to be secured just as tightly as prototypical PII (Social Security numbers, birthdates, etc.) are putting their customers at risk. Legacy insurance billing systems are a related threat vector: PII and sensitive information can make their way from them into current systems and data repositories, which then need to be remediated and monitored closely.

Sniff out PDFs that could hold sensitive data

A major privacy concern resides within electronic documents, such as PDF and other sharable files. These unstructured documents can contain just as much sensitive information as structured databases. There is an underlying format to PDF documents that can pose a major security threat: PDFs have layers of data. For example, a user could have the words “Social Security” typed next to digits in a PDF document, but under the hood of the PDF, the letter “e” in the word “security” could be on the 50th layer, while the “t” and “y” letters could be resting up on the first layer. These multiple layers make it difficult to do simple optical character recognition (OCR). Data classification tools with the ability to piece together layers and analyze them as a whole are essential to ensuring sensitive data isn’t overlooked and lost in the shuffle of common PDF document email exchanges.
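The layering problem described above can be shown with a small added example (not part of the original article and not any vendor's tool): a scanner that checks each layer separately misses a Social Security number whose characters are spread across layers, while one that reassembles fragments by page position finds it. The `(layer, x, y, text)` fragment format, the function names and the sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (layer, x, y, text) fragments as a PDF text extractor
# might report them. The tuple layout is an assumption for this example.
FRAGMENTS = [
    (2, 10, 700, "Social S"), (50, 58, 700, "e"), (2, 64, 700, "curi"),
    (1, 88, 700, "t"), (1, 93, 700, "y"), (2, 100, 700, " number: "),
    (3, 150, 700, "123-4"), (7, 180, 700, "5-67"), (3, 205, 700, "89"),
    (2, 10, 680, "Claim ref 2024-11"),
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORD_RE = re.compile(r"social\s+security", re.IGNORECASE)


def reading_order(items):
    """Join (x, y, text) items top-to-bottom, then left-to-right."""
    return "".join(t for _, _, t in sorted(items, key=lambda i: (-i[1], i[0])))


def scan_per_layer(fragments):
    """Naive scan: rebuild the text of each layer on its own, then match."""
    by_layer = defaultdict(list)
    for layer, x, y, text in fragments:
        by_layer[layer].append((x, y, text))
    hits = []
    for items in by_layer.values():
        hits.extend(SSN_RE.findall(reading_order(items)))
    return hits


def scan_merged(fragments, line_height=10):
    """Ignore layers: group fragments into visual lines by y, order by x."""
    lines = defaultdict(list)
    for _layer, x, y, text in fragments:
        lines[y // line_height].append((x, y, text))
    findings = []
    for key in sorted(lines, reverse=True):
        line = reading_order(lines[key])
        for match in SSN_RE.finditer(line):
            findings.append({"value": match.group(),
                             "labelled": bool(KEYWORD_RE.search(line))})
    return findings


if __name__ == "__main__":
    print("per layer:", scan_per_layer(FRAGMENTS))
    print("merged:   ", scan_merged(FRAGMENTS))
```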

 


Age-old myth that faxes are safer than email

In the insurance industry there are two main steps in the customer journey. The first step is the enrollment and onboarding period. The second step is the claims process. The exchange of PII happens in both instances and both have a common incoming source of PII – fax machines. During the claims process in particular, customers are sending insurance firms PII without giving it a second thought – after all, it’s just a faxed form they filled out with a pen. It’s true that sending faxes using the Public Switched Telephone Network (PSTN) is inherently secure. Hacking into the PSTN would require direct manual access to the telephone line, and even if a file was intercepted it would appear as noise, making it impossible to decipher. But unfortunately for the insurance firm, “security” isn’t all about how safe documents are during the sending process. Firms must ensure data is securely sent, received and stored. Insurance firms are receiving PII in an uncontrolled, unorthodox way by today’s standards – through faxed documents that are then scanned into a system.

Click to submit, but make sure it’s secure

Some insurance policies require and record more PII than others. For example, a key man insurance policy records your Social Security number, blood test results, physical results and more. Providers are collecting a wealth of sensitive data – both financial and health related – in arguably the biggest PII collection process of any industry. But this extensive PII collection process starts at one place – the online submit form. These insurance providers have information on every person who has applied for these extensive policies, whether they made it through the complete process or not. Imagine if a hacker hit a historical database for applicant information and held it for ransom. It’s up to insurance providers to make sure they know where this user-submitted sensitive data is being held, and data discovery and classification tools can help accomplish that. On the consumer side, applicants should read the fine print before they submit via an online form and understand where and for how long their sensitive data is being held, to protect themselves.

Regulations leave no room for error

High-profile data breaches continue to expose the data of millions of consumers, revealing the gaps in current data protection practices and technologies. Regulators have responded with increased enforcement and the introduction of new requirements. The National Association of Insurance Commissioners (NAIC) also responded by publishing “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” The NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s sensitive data from cyberattacks. Guidance offered by the NAIC includes ensuring that confidential documents and PII that entities hold are protected from cybersecurity risks.

Threats are real; consequences are more real

It’s no secret: if consumer, employee or company records are breached, the consequences can be severe. Breach of financial, personal or health records could lead to identity theft, which can destroy a person’s finances, credit and reputation. Victims could seek litigation against handlers of their data, including employers and insurers.

Insurance firms must use data discovery and classification as step one, so that they are fully aware of the amount and location of their sensitive data, stay in compliance and stay out of the data breach headlines.