Insurance is the proverbial honey-hole for cybercriminals. The wealth of personally identifiable information (PII) sitting inside insurance companies' environments is staggering. Insurers need this Big Data to analyze buying trends and demographics, and they use telematics (constant monitoring and evaluation of the insured) to set policy rates. It represents serious power by way of informed decision making. Thus, possessing and maintaining such vast quantities of data is no longer optional for insurance companies. Is there a way for them to store Big Data without putting their organization in harm's way? More importantly, how do insurance companies secure their Big Data? How are state and federal oversight agencies policing the insurance industry for negligence in Big Data management? Is standardization on the horizon?
Insurance Has A Problem
Recent research from the Ponemon Institute shows that 90% of all large organizations, including insurance carriers, suffered cyber security breaches in 2015, up from 81% in 2014. An increase this sharp is mind blowing, and those numbers will only climb, with the average cost of a breach now around $4,000,000 per incident. Further, "Big Data" includes far more PII than it did in the past, which is why cybercriminals are increasingly focused on it. An entire persona mimicking yours can be created and used (or sold) for any number of criminal activities. Imagine that exposure, then multiply it into the millions of profiles, each representing a single customer's PII, when an entire organization is breached.
Telematics Creates More Risk Points
Health insurance companies are encouraging their clients to wear health tracking devices such as Fitbit that log daily activity, heart rate and, on some devices, blood pressure, and are rewarding those clients with lower premiums for healthy behavior. Car insurance providers likewise install tracking devices in automobiles to reward less driving and no speeding. That is a little frightening when you consider the sheer volume of PII and PHI (Protected Health Information, the term HIPAA uses) that insurance companies are now compiling and, most importantly, are responsible for protecting. Beyond the seemingly infinite ways such data could be misused, these sensitive data sets could be ruinous if exposed: imagine a diagnosis of a very serious disease being disclosed to the public. Insurers use telematics precisely to gain a whole new universe of insight into their customers' lifestyles from "Big Data". When that data is exposed, however, the same usage now draws class action lawsuits, Federal Trade Commission fines and state regulatory penalties, and that is entirely because of how sensitive the data sets are.
New laws are on the way and that is a good thing
The National Association of Insurance Commissioners (NAIC) has adopted regulatory principles in the form of a model law, which establishes standards for data security and for notification of a data breach for licensees in the states that enact it. This is definitely a move in the right direction, but the industry will have to adopt the new regulations and accept the consequences when a data breach occurs. While some cringe at the thought of more industry regulation, cyber security regulations create accountability industry-wide. Insurance organizations would have to implement and maintain a comprehensive written information security program containing administrative, technical, and physical safeguards for the protection of personally identifiable information.
US Federal Directive - Lack of Budget No Longer An Excuse
Data breaches have become so rampant that the White House has established a "Commission on Enhancing National Cybersecurity" alongside a Cybersecurity National Action Plan whose goals are quite reasonable: modernizing government IT, dedicating more federal resources to security, and helping Americans secure their online accounts. Additionally, the White House recently issued a Presidential Policy Directive (PPD-41) on United States Cyber Incident Coordination, in which President Obama laid out the principles that govern the federal response to a significant cyber incident, whether the victim is a government agency or a private organization. Those principles are: shared responsibility for protecting the nation from malicious cyber activity, risk-based response, respecting the privacy and interests of affected entities, unity of governmental effort, and enabling restoration and recovery. Attention is being directed primarily at the private sector, with governmental resources dedicated to determining the best methods of securing sensitive data. Currently, encryption is being addressed as one component of the data security picture, but moving forward, one can anticipate tokenization becoming an increasingly important part of this conversation.
Insurance Layered Data Security Solutions
Tokenization and encryption are no longer optional. Using the two technologies together creates a "layered" data security approach. Tokenization removes the sensitive values from your systems and replaces them with tokens that have no mathematical relationship to the original data, so if the tokenized database is breached, the tokens expose nothing. The original values live only in a separately protected token vault, which means the vault and its detokenization interface become the assets that must be locked down with strict access control and audit logging. All data in transit must use point-to-point encryption, so that every value is encrypted the moment it is entered and is never carried in the clear between systems.
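As an added illustration (not TokenEx's code or any vendor's), here is a minimal vault-style tokenization service in Python showing the properties described above: random, format-preserving tokens with no mathematical link to the original value; the same value always mapping to the same token, so tokenized policy, claims and telematics tables can still be joined for analytics; a card-number token that deliberately fails the Luhn check so it cannot pass for a real PAN; and detokenization gated behind an authorisation check. The class, method and role names are assumptions for the example, the sample values are constructed test data, the index key would come from an HSM or KMS in a real deployment, and encryption of data in transit to the vault is out of scope here.

```python
import hashlib
import hmac
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers (and by PAN scanners)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault-style tokenization service (illustration only).

    Tokens are random, so nothing about a token reveals the original value;
    the only way back is a lookup in this vault, which is therefore the asset
    to protect (access control, audit logging, separate network zone).
    """

    def __init__(self, index_key: bytes):
        # HMAC key lets the vault find an existing token for a value without a
        # plaintext index. Assumed to live in an HSM/KMS in production.
        self._index_key = index_key
        self._by_token: dict[str, str] = {}  # token -> original value (the vault)
        self._by_index: dict[str, str] = {}  # HMAC(value) -> token

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _format_preserving_random(value: str, keep_last: int) -> str:
        """Same length and separators as value; the last keep_last alphanumerics
        are kept (e.g. last four of a PAN for customer service), the rest are
        randomised within the same character class."""
        alnum = [i for i, c in enumerate(value) if c.isalnum()]
        keep = set(alnum[-keep_last:]) if keep_last > 0 else set()
        out = []
        for i, c in enumerate(value):
            if i in keep or not c.isalnum():
                out.append(c)
            elif c.isdigit():
                out.append(secrets.choice(string.digits))
            elif c.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            else:
                out.append(secrets.choice(string.ascii_lowercase))
        return "".join(out)

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return the token for value, minting one on first sight.
        The same value always yields the same token, so tokenized datasets
        can still be joined without any of them holding the PII."""
        idx = self._index(value)
        if idx in self._by_index:
            return self._by_index[idx]
        digits = "".join(c for c in value if c.isdigit())
        # A card number must not tokenize to something a PAN scanner or a
        # downstream payment system would accept as a real card number.
        looks_like_pan = (
            digits == "".join(c for c in value if c.isalnum())
            and 13 <= len(digits) <= 19
            and luhn_valid(digits)
        )
        while True:
            token = self._format_preserving_random(value, keep_last)
            if token == value or token in self._by_token:
                continue
            if looks_like_pan and luhn_valid("".join(c for c in token if c.isdigit())):
                continue
            break
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_roles: set[str]) -> str:
        """Only explicitly authorised callers may recover the original value."""
        if "detokenize" not in caller_roles:
            raise PermissionError("caller is not authorised to detokenize")
        return self._by_token[token]


def demo() -> dict:
    """Constructed sample values, not real customer data."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111 1111 1111 1111"  # well-known test card number, Luhn-valid
    email = "jane.doe@example.com"
    pan_token = vault.tokenize(pan)
    email_token = vault.tokenize(email, keep_last=0)
    try:
        vault.detokenize(pan_token, caller_roles={"analytics"})
        refused = False
    except PermissionError:
        refused = True
    return {
        "pan_token": pan_token,
        "pan_token_consistent": vault.tokenize(pan) == pan_token,
        "pan_token_luhn_valid": luhn_valid(pan_token.replace(" ", "")),
        "email_token": email_token,
        "unauthorised_refused": refused,
        "authorised_value": vault.detokenize(pan_token, caller_roles={"detokenize"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what the design buys and what it does not: an attacker who dumps the application database gets tokens that carry only the last four digits and the field format, and the HMAC index means the vault itself never has to store a searchable plaintext copy of each value. The trade-off is that the vault's detokenize path is now the single point of compromise, which is why it is role-gated here and, in practice, would also be rate-limited, audited, and reachable only from the few systems that genuinely need original values.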
Tokenize All Data Sets
Most tokenization solutions from payment processors or other service providers deal only with payment data, not PII (personally identifiable information), data covered by HIPAA, or data sets governed by the diverse international rules and regulations that vary by country. Obviously it is uneconomical and far more work to maintain two or more tokenization systems, one for payment data and others for personal and health data. An even worse result of using different tokenization solutions is that you could be entrusting your data sets to payment processors whose sole focus is payments, not securing data.
The TokenEx Cloud Security Platform is unique in its ability to provide a single platform for tokenizing all of your sensitive data sets and ensuring they are protected with uniform tokenization formats. The TokenEx Cloud Security Platform stores the original values of the PCI and PII data while your systems use the corresponding tokens for normal business processes.