On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company's website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. It's one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.
And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised? As absurd as it may seem at first glance, it's really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record. This would mean that Anthem Blue Cross's breach last month created a liability as great as $40M.
Moreover, there's a ripple effect to organizations that do business with insurance companies that suffer such an information security breach. Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.
We all know that the privacy information transferred between companies should use a secure and confidential method of transmission. Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers. And by the time these organizations realize their vulnerability, it's often too late These companies are often performing these FTP transfers below the radar of their IT departments. How does it happen?
Often personnel data is off-loaded to PCs from the main information systems where it is left "in the open" on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it's subject to theft or secondary security flaws. Insurance agents - whose jobs are to facilitate the processing of the data with their insurance providers - can also suffer from such breaches. The loss of an agent's laptop - through theft, accident, or routine use of USB thumb-drives - poses additional liability.
There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database. CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company's information assets.
The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual's personal computer. By removing FTP access to the data by any employee's PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring. The GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.
The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution. But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.
So who insures the insurer when a data security breach occurs? The real answer is IT itself. And helping IT achieve a better result will be the subject of this blog over the next few months.
Recoverable error: Object of class modUser_mysql could not be converted to string