Claims-related data have the same security and privacy requirements as any
other personal information. The need to protect these data is only growing,
and it does not depend on there being specific Health Insurance Portability
and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA)
implications, either.
Many states are passing even more wide-ranging privacy and disclosure
laws than HIPAA or GLBA.
Fraud over the internet is anonymous and can take place from anywhere.
The internet is a “target rich” environment for con artists and what they’ve
lost in personal “confidence games” they make up for in volume.
People worry about this. In 2002 an IVANS, Inc. study showed that
“Seventy-seven percent of consumers surveyed say they are concerned with
their doctors' sending medical information to an insurance company over
the Internet. Additionally, 66 percent of survey respondents are concerned
about the privacy and security of property claims information being
exchanged via the Internet.”
http://www.insurancejournal.com/news/national/2002/11/05/24169.htm
Duane Hershberger
ASU Group Confidential
Claims Information Privacy (Final Draft) 2 8-May-2005
They probably don’t much. Instead, they are concerned about loss of
privacy and the danger of identity theft. Between January 1 and May 2, 2005,
the personal information of over 6.5 million people, that we know of, was
lost or stolen.
Table 1

Category                       Method                                                  # People
Failure to Properly Identify   Hacking/Compromised password/Sold without verifying    2,621,000
                               customer is legitimate
Physical                       Lost backup tape/Stolen Computer/Break-in              2,656,300
Inside Job                     Account information sold by employees                  1,200,000
Policy/Procedure               Lost Information                                         295,000

See Table 2, below, for detail.
Theft of data from computer systems isn’t new, but it is happening more
often because of greater interconnection between computers. It is also
probably being reported more often because of new legislation, such as the
California Security Breach Notification Law that became effective July 1, 2003:
“…state government agencies as well as companies and nonprofit
organizations regardless of geographic location must notify California
customers if personal information maintained in computerized data files
have been compromised by unauthorized access.”
address and medical-record information, but does not include (i) privileged
information or (ii) any information that is publicly available.
Claims data are personal data, and their protection is legally required.
If these compliance rules seem vague, that’s because they are. The Virginia
Act has this in common with HIPAA and GLBA. The vagueness is intentional:
it allows for the variables of each individual business.
There are many facets to this risk assessment and the insurance industry is
among the least likely to get a pass on any oversights.
Physical
    Unauthorized access to physical plant
    Theft of mobile computing devices, including cell phones
    Destruction of computers and infrastructure
People & Administrative
    Social Engineering – Phishing/Pharming
    Lack of awareness/unclear policy
    Employee collusion
Technology
    Data destruction – viruses
    Data theft – “spyware”
    Transmission intercepts
Technological Considerations
Data integrity. Records are authentic, reliable and complete. The methods
of accessing them enforce that integrity.
The first two items are almost entirely internally directed. Are your provisions
for virus checking adequate? Are backups effective and tested? Are your
firewalls effective, and are they maintained so that they continue to be
effective? Is the data center physically protected? Is there a business
recovery plan? Do your systems (hardware, software and manual/procedural)
have adequate controls, error checking and correction routines?
The last three items mostly have to do with dealing with the outside world,
and all of them revolve around confirming the identity of those with whom you
share information.
I’ve been using “security” and “privacy” pretty much interchangeably, but
while they overlap, they are not the same.
No matter how secure the information storage or the methods used to share
it, there remains an obligation to ensure that those with whom it is shared are
authorized to see it.
In order to effect privacy you must obtain reasonable assurance that your
business partners treat the information you have shared with them with care.
Ask your business partners if they restrict, both by policy and by technology,
installation of software on their employees’ computers. Ask if they make
their employees aware of privacy and security concerns. Ask how they
positively identify users of their systems.
I’m sure that anyone who uses online financial services jealously guards
their own login information. Absent strong personal interest, however, it is
far less clear that people protect these “keys”.
How many times have you seen passwords on sticky-notes pasted to the
front of someone’s computer monitor?
same password for work and for personal access such as online banking
and web site access.”
http://www.securitypipeline.com/news/18902074
Beyond passwords
Static, reusable passwords have proven easy for hackers to beat. This
accounts for interest in “two-factor authentication.” Two-factor
authentication requires two separate methods of identification - something
you know (a password or PIN) and something you have (an “authenticator”).
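As an added illustration of the two factors just described (this is example code, not part of the original paper), the following Python checks a “something you know” password verifier together with a “something you have” one-time code generated the way an RFC 4226/6238 authenticator token does. The salt is a constructed demo value, and the token seed is the RFC test-vector secret so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the original document).
SALT = b"demo-salt-constructed"
TOKEN_SEED = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret


def hash_password(password: str) -> bytes:
    """Derive a verifier from the password; only this is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the code an authenticator token shows."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second step."""
    return hotp(seed, unix_time // step)


def verify_two_factor(stored_hash: bytes, seed: bytes,
                      password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: something you know AND something you have."""
    # Factor 1: the password. Constant-time compare avoids leaking via timing.
    know_ok = hmac.compare_digest(stored_hash, hash_password(password))
    # Factor 2: the token code. Accept one step either side to absorb clock drift.
    step = unix_time // 30
    have_ok = any(hmac.compare_digest(code, hotp(seed, step + d)) for d in (-1, 0, 1))
    # Evaluate both before deciding, so a failure does not reveal which factor was wrong.
    return know_ok and have_ok
```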
One form of spyware, called “adware” has recently aroused the ire of New
York Attorney General Eliot Spitzer, whose recent bid-rigging probe has
cost insurance brokers a billion dollars, thousands of jobs, and plummeting
share values.
Spitzer has charged Intermix Media Inc. (Intermix stock fell 17% on the
news) with “secretly installing software that delivers nuisance pop-up
advertisements and can slow and crash personal computers.”
http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--spitzer-
spyware0428apr28,0,7687475.story?coll=ny-region-apnewyork
Spitzer’s complaint about Intermix does not address the larger danger of
“spyware” turned to criminal use.
Even though Spitzer hasn’t seen it yet, Christopher Lipp knows the stakes.
Lipp, “senior vice president and general counsel for Intermix, denied
promoting or condoning spyware, saying its toolbars and redirect
applications do not collect personal information on computer users.” Italics
mine.
Some spyware captures every keystroke you enter in order to secretly send it
to some con-artist.
Potentially, this is a far bigger threat than viruses. Would you prefer a virus
program that wiped all the information on your computer, or spyware that
silently stole your insured’s Social Security number?
In conclusion
Table 2

Date       Institution                              Category          Method                  # People
03-Jan-05  George Mason University                  Physical          Break-in/Hacker            30,000
25-Jan-05  Science Applications International Corp  Physical          Break-in                   45,000
15-Feb-05  ChoicePoint                              Authentication    ID thieves purchased      145,000
25-Feb-05  Bank of America                          Physical          Lost backup tape        1,200,000
25-Feb-05  PayMaxx                                  Policy/Procedure  Exposed online             25,000
08-Mar-05  DSW/Retail Ventures                      Authentication    Hacking                   100,000
10-Mar-05  LexisNexis                               Authentication    Passwords compromised     300,000
11-Mar-05  Boston College                           Authentication    Hacking                   120,000
11-Mar-05  Univ. of CA, Berkeley                    Physical          Stolen laptop              98,400
12-Mar-05  NV Dept. of Motor Vehicle                Physical          Stolen computer             8,900
20-Mar-05  Univ. of NV., Las Vegas                  Authentication    Hacking                     5,000
22-Mar-05  Calif. State Univ., Chico                Authentication    Hacking                    59,000
23-Mar-05  Univ. of CA, San Francisco               Authentication    Hacking                     7,000
08-Apr-05  San Jose Med. Group                      Physical          Stolen computer           185,000
11-Apr-05  Tufts University                         Authentication    Hacking                   106,000
12-Apr-05  LexisNexis                               Authentication    Passwords compromised     280,000
14-Apr-05  Polo Ralph Lauren/HSBC                   Authentication    Hacking                   180,000
18-Apr-05  DSW/Retail Ventures                      Authentication    Hacking                 1,300,000
20-Apr-05  Ameritrade                               Physical          Lost backup tape          200,000
21-Apr-05  Carnegie Mellon Univ.                    Authentication    Hacking                    19,000
26-Apr-05  Christus St. Joseph's Hospital           Physical          Stolen computer            19,000
28-Apr-05  BoA, Wachovia and Commerce Banks         Inside Job        Account Info Sold       1,200,000
29-Apr-05  Mizuho Bank of Japan                     Physical          Lost backup tape          270,000
02-May-05  Time Warner                              Physical          Lost backup tape          600,000
           Total                                                                             6,502,300

Modified from: http://www.privacyrights.org/ar/ChronDataBreaches.htm