BreachExchange mailing list archives

The Changing Face of Insurance Data Breach Risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Apr 2014 18:56:24 -0600

http://www.insurancetech.com/distribution/the-changing-face-of-insurance-data-brea/240167070

On February 25, several small outstate Minnesota banks filed suit against
Target for losses stemming from the recent data breach. They've joined the
ranks of banks and credit unions around the country that have spent a
combined more than $200 million replacing credit and debit cards
whose data was taken in the attack on the retailer's computer system.

The property and casualty insurance industry has a complex system of data
upload/download between companies, comparative rater vendors, and agencies.
Is that system safe, and if not, is that system necessary?

Our industry has a spotty history of indifference to safeguarding
individual privacy. When I started in the industry in 1970, everything was
done on paper. However, that didn't stop the industry from invading privacy
on a daily basis. Part of the "fun" of working for an insurance company was
reading the sometimes-salacious reports provided by inspection companies
for home and auto risks. At that time, it was common practice for the
inspectors to question the neighbors about the "character" of the company's
customer. Particularly interesting comments were passed around like cheap
novels.

In the early 1990s my agency was the top producer in the nation for new
personal lines business for Metropolitan. That company used a person's
social security number as their policy number. Even at that time the social
security card said that number was not to be used for identification. I was
told that any privacy issues were offset by the convenience of only having
to memorize one set of numbers.

About a decade ago, insurance companies started to auto-fill data onto
insurance applications for agents based on name and address of the insured.
As late as just a few months ago at least one company would auto-fill
social security numbers if the agent provided the name and address.

The P&C insurance industry has not acted responsibly. Insurance companies
are large, complex giants who are horribly political. What is called
"problem solving" is often merely "problem disguising," or intricate
manipulation to provide cover for careers in case disaster strikes.
Insurance company IT systems are outdated and easy to infiltrate. They rely
on third-party vendors who are often under-capitalized.

But, at least in my opinion, we have no choice but to continue on the
current path. Our industry's cost structures are based on the savings
allowed by free-flowing data between companies and agencies. The advantages
outweigh the potential risks.

When I started in the industry I worked in an average-sized branch office
for a large company. We had about 100 employees. Of those 100 employees,
three to five of them were called "finders". Their job was to "find" paper
files that were needed. That was all they did. Obviously with e-files that
position isn't needed and files can be found and shared by any company
employee who needs them on a timely basis.

The file room for that branch covered about one-fourth of the office space.
Each desk area had to have about 25% more space than current work areas to
handle the paper involved. When data sharing between companies and agencies
first started all the discussion centered on saving keystrokes. In reality,
the keystroke savings was but a small tip of the iceberg.

Prior to the advent of e-commerce, the average expense ratio for P&C
companies was in the area of 33% to 35%. Those companies who have done the
best job of utilizing shared data are now in the 20% to 30% range. A large
share of this is due to e-commerce.

Insurance agencies were tied to a 40/40/20 rule in which salaries and
expenses each accounted for 40% of revenue, leaving 20% for profit. There
are still some agencies that fit this model, but just as many are now
virtual offices where 65/15/20 is closer to today's model. The key to
increased profits is that a virtual agency is working with a much larger
gross.

When I started in business, much of "data-transfer" was done with carbon
copies. Clerical workers wore cuff protectors to keep from having their
shirts and blouses ruined by the ink on the carbon paper. No Carbon Required
paper was a huge advancement, followed by multiple Xerox copies. We would
still be fumbling with multiple copies without e-commerce.

Each system has had its "data breach" problems. Waiters stole the carbon
paper to get your credit card number. Not until recently did people even
consider that every photocopy made a record in the machine's memory.
E-commerce isn't the only data breach culprit.

Trashing the e-commerce system is not an option, but corporations have to
pull off the blinders and come to grips with their exposure. For example,
they need to attack data privacy issues with outside vendors developing
solutions for them to implement.

Accepting that e-commerce is a new world with new rules won't be easy for
most insurance companies. I'm reminded of the top exec for one of the
largest insurance companies who bragged in the late 1990s that he didn't
own a PC because he had people to do that sort of thing for him. His
company went broke and was acquired, because he thought of e-commerce as
something that just happened, rather than something to be managed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 