
Claims Information Privacy (Final Draft) 1 8-May-2005

Is Your Claims Related Information Safe?

Claims-related data have the same security and privacy requirements as any
other personal information. The need to protect this data is only becoming
greater, and it does not depend on there being specific Health Insurance
Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA)
implications, either.

Many states are passing even more wide-ranging privacy and disclosure
laws than HIPAA or GLBA.

Practically every day now, we hear about theft or loss of personal
information from financial institutions, schools, government, and consumer
data aggregators like ChoicePoint. These targets share something with
insurers: they have a great deal of information about people in a single
place.

As famed bank robber Willie Sutton is said to have answered in response to
the question "Why do you rob banks?": "Because that's where the money is."

The Internet makes it easier

Fraud over the internet is anonymous and can take place from anywhere.
The internet is a “target rich” environment for con artists and what they’ve
lost in personal “confidence games” they make up for in volume.

People worry about this. In 2002 an IVANS, Inc. study showed that
“Seventy-seven percent of consumers surveyed say they are concerned with
their doctors' sending medical information to an insurance company over
the Internet. Additionally, 66 percent of survey respondents are concerned
about the privacy and security of property claims information being
exchanged via the Internet.”
http://www.insurancejournal.com/news/national/2002/11/05/24169.htm

Concern about medical records is understandable, but why do people care if


someone finds out they had a kitchen fire 2 years ago?

Duane Hershberger
ASU Group Confidential

They probably don’t, much. Instead, they are concerned about loss of
privacy and the danger of identity theft. Between January 1 and May 2, 2005,
the personal information of over 6.5 million people, that we know of, was
lost or stolen.

Table 1
Category                       Method                                                                         # People
Failure to Properly Identify   Hacking / Compromised password / Sold without verifying customer is legitimate  2,621,000
Physical                       Lost backup tape / Stolen computer / Break-in                                   2,656,300
Inside Job                     Account information sold by employees                                           1,200,000
Policy/Procedure               Lost information                                                                  295,000
See Table 2, below, for detail.

Organizations are understandably reluctant to discuss the details of how their
systems were compromised, but failure to positively identify someone
accessing the data is the category most directly related to failures in
protecting personal information.

Theft of data from computer systems isn’t new, but it is happening more
often because of greater computer interconnection. It is also probably being
reported more often because of new legislation, like the California Security
Breach Notification Law that became effective July 1, 2003:
“…state government agencies as well as companies and nonprofit
organizations regardless of geographic location must notify California
customers if personal information maintained in computerized data files
have been compromised by unauthorized access.”

What is “personal information?” Is it in claims data?

The State of Virginia provides a good definition of personal information,
and the insurance industry’s responsibility for it, in this excerpt from
38.2-602 of the Code of Virginia.
http://leg1.state.va.us/cgi-bin/legp504.exe?031+ful+SB878ER

“ “Personal information” means any individually identifiable information
gathered in connection with an insurance transaction from which judgments
can be made about an individual's character, habits, avocations, finances,
occupation, general reputation, credit, health, or any other personal
characteristics. “Personal information” includes an individual's name and
address and medical-record information, but does not include (i) privileged
information or (ii) any information that is publicly available.

A. Each insurance institution, agent, and insurance-support organization
shall implement a comprehensive written information security program that
includes administrative, technical, and physical safeguards for the
protection of policyholder information. The administrative, technical, and
physical safeguards included in the information security program shall be
appropriate to the size and complexity of the insurance institution, agent, or
insurance-support organization and the nature and scope of its activities.

B. The information security program shall be designed to:

1. Ensure the security and confidentiality of policyholder information;

2. Protect against any anticipated threats or hazards to the security or
integrity of the information; and

3. Protect against unauthorized access to or use of the information that
could result in substantial harm or inconvenience to any policyholder.

Claims data are personal data, and their protection is legally required.

If these compliance rules seem vague, that’s because they are. The Virginia
Act has this in common with HIPAA and GLBA. The vagueness is intended to
allow for the differences between individual businesses.

What is compliance? Are you safe?

Virginia is saying that there is a duty to conduct a thorough risk analysis,
and that it must be followed by reasonable precautions to protect personal
data from being improperly disclosed or destroyed.

There are many facets to this risk assessment and the insurance industry is
among the least likely to get a pass on any oversights.


These general areas need to be addressed:

Physical
Unauthorized access to physical plant
Theft of mobile computing devices, including cell phones
Destruction of computers and infrastructure

People & Administrative
Social Engineering – Phishing/Pharming
Lack of awareness/unclear policy
Employee collusion

Technology
Data destruction - viruses
Data theft - “spyware”
Transmission intercepts

This article is primarily concerned with technological security, but you
cannot ignore managerial, organizational, regulatory, economic, and social
areas - and you must not forget other organizations with which you share
data.

Technological Considerations

Technology security planning should consider these different, if sometimes
overlapping, categories:

Service reliability. Availability, completeness and promptness of the system.

Data integrity. Records are authentic, reliable and complete. The methods
of accessing them enforce that integrity.

Privacy. Information is available only to those people authorized to receive
it.

Authentication. Positive identification of who/what (person, organization,
hardware device or software) is asking to access data.

Alibi prevention/deterrence. It should be difficult for a thief to deny
responsibility.

The first 2 items are almost entirely internally directed. Are your provisions
for virus checking adequate? Are backups effective and tested? Are your
firewalls effective and are they maintained to continue to be effective? Is
the data center physically protected? Is there a business recovery plan? Do
your systems (hardware, software and manual/procedural) have adequate
controls, error checking and correction routines?

The last 3 items mostly have to do with dealing with the outside world and
all of them revolve around confirming the identity of those with whom you
share information.

Security vs. Privacy

I’ve been using “security” and “privacy” pretty much interchangeably, but
while they overlap, they are not the same.

Security is about the processes, procedures and technology used to protect
information.

Privacy is about an individual’s right to keep certain information from being
disclosed without his or her permission.

It is entirely possible to have excellent security without appropriate privacy,
because while secure methods for storing, sending and receiving data
(electronically or otherwise) are necessary to privacy, they are not sufficient.

No matter how secure the information storage or the methods used to share
it, there remains an obligation to ensure that those with whom it is shared are
authorized to see it.

In order to effect privacy you must obtain reasonable assurance that your
business partners treat the information you have shared with them with care.

Ask your business partners if they restrict, both by policy and by technology,
installation of software on their employees’ computers. Ask if they make
their employees aware of privacy and security concerns. Ask how they
positively identify users of their systems.


Restricting software installation

There should be strict prohibitions against unsupervised employee software
installation; otherwise the risk of data theft skyrockets. Computers should
be locked down insofar as possible to prevent accidental downloading of
software.

Employee Training & Management

Employee awareness is crucial. Your policies, and your business partners’,
should require reminders about safe use of the Internet and email; proper
document disposal; and processes to minimize the risk of employees
providing confidential information to the wrong people.

Who is it? - Authentication

Authentication of the identity of those allowed access to computer systems
is a key question.

I’m sure that anyone who uses online financial services jealously guards
their own login information. Absent strong personal interest, however, it is
far less clear that people protect these “keys”.

How many times have you seen passwords on sticky-notes pasted to the
front of someone’s computer monitor?

In 2004 an impromptu man-on-the-street survey found that almost
three-quarters of office workers would give up their passwords in exchange
for a chocolate bar. It is possible, of course, that those interviewed lied
simply to get free chocolate. However, other details of the study suggest
that many people were truthful:

“The most common password categories were family names such as
partners or children (15%), followed by football teams (11%), and pets
(8%). The most common password was ‘admin.’ One interviewee said, ‘I
work in a financial call center, our password changes daily, but I do not
have a problem remembering it as it is written on the board so that every
one can see it.... I think they rub it off before the cleaners arrive.’ … Four
out of 10 knew their colleagues' passwords. …Two thirds of workers use the
same password for work and for personal access such as online banking
and web site access.”
http://www.securitypipeline.com/news/18902074

Beyond passwords

Static, reusable passwords have proven easy for hackers to beat. This
accounts for interest in “two-factor authentication.” Two-factor
authentication requires two separate methods of identification - something
you know (a password or PIN) and something you have (an “authenticator”).

In a common scenario the authenticator is a key-fob sized device which
generates a new number every 60 seconds. That number is effectively a
one-time password. Even if someone steals an “authentication number”,
through keyboard logging software for example, it becomes useless 60
seconds later.
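The following is an added example, not code from the original article or from any vendor it mentions. It shows the mechanism the paragraph describes as it is done in the widely used time-based one-time-password construction (RFC 4226 HOTP driven by a time counter, as in RFC 6238): both sides share a secret, the fob derives a short code from the secret and the current 60-second window, and the server recomputes it. The secret, timestamps and function names are constructed for the demonstration; the article does not say which algorithm the devices it mentions use. The replay function models the keylogger scenario: a captured code still works inside its window and stops working once the window rolls over, and the verifier also shows the drift tolerance a server usually adds for clocks that run a little fast or slow.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret, not a real seed. In practice the fob and the server
# each hold a copy of a randomly generated per-device key.
DEMO_SECRET = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 60   # the article's fob shows a new number every 60 seconds
DIGITS = 6


def time_step(unix_time, step=STEP_SECONDS):
    """Number of whole steps since the Unix epoch: the counter both sides agree on."""
    return int(unix_time) // step


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, unix_time, step=STEP_SECONDS):
    """The number displayed on the fob at a given moment."""
    return hotp(secret, time_step(unix_time, step))


def verify(secret, submitted_code, unix_time, step=STEP_SECONDS, drift_steps=0):
    """Server-side check of a submitted code.

    drift_steps=0 accepts a code only inside its own window; drift_steps=1 also
    accepts the previous and next windows to tolerate small clock skew between
    fob and server. Comparison is constant-time to avoid leaking partial matches.
    """
    current = time_step(unix_time, step)
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = hotp(secret, current + delta)
        if hmac.compare_digest(candidate, submitted_code):
            return True
    return False


def keylogger_replay_demo(secret, capture_time, replay_delay, step=STEP_SECONDS):
    """Model the scenario in the text: a code is captured at capture_time and
    submitted again replay_delay seconds later.
    Returns (accepted_at_capture_time, accepted_after_delay)."""
    captured = totp(secret, capture_time, step)
    return (verify(secret, captured, capture_time, step),
            verify(secret, captured, capture_time + replay_delay, step))


if __name__ == "__main__":
    now = time.time()
    print("Current code:", totp(DEMO_SECRET, now))
    # A code captured now is still good within the window, not one window later.
    print("Replay at +0s / +60s:", keylogger_replay_demo(DEMO_SECRET, now, 60))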

Two-factor authentication addresses the issues of Privacy, Authentication
and Alibi prevention noted above. It is becoming a common security tool.

In September, 2004, America Online announced a premium service they
named AOL Passcode.
http://www.paymentsnews.com/2004/09/aol_rsa_securit.html

In December, 2004, the Federal Deposit Insurance Corporation
recommended two-factor authentication as a defense against theft of
personal information.
http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html

On March 1st, 2005, E*Trade announced the 2Q05 availability of Digital
Security ID.
http://www.gartner.com/DisplayDocument?doc_cd=126676

“Spyware” is one of the threats driving the adoption of two-factor
authentication.

The proliferation of “spyware”

Spyware is software typically downloaded from the Internet unknowingly,
or attached to an email like many viruses. Unlike a virus, however,
spyware’s job is not to damage data or hijack computer resources. Spyware
is intended to steal information.

One form of spyware, called “adware”, has recently aroused the ire of New
York Attorney General Eliot Spitzer, whose recent bid-rigging probe has
cost insurance brokers a billion dollars, thousands of jobs, and plummeting
share values.

Spitzer has charged Intermix Media Inc. (Intermix stock fell 17% on the
news) with “secretly installing software that delivers nuisance pop-up
advertisements and can slow and crash personal computers.”
http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--spitzer-spyware0428apr28,0,7687475.story?coll=ny-region-apnewyork

Spitzer’s complaint about Intermix does not address the larger danger of
“spyware” turned to criminal use.

Even though Spitzer hasn’t seen it yet, Christopher Lipp knows the stakes.
Lipp, “senior vice president and general counsel for Intermix, denied
promoting or condoning spyware, saying its toolbars and redirect
applications do not collect personal information on computer users.” Italics
mine.

“Redirect applications” means that when you direct your browser to a
particular Web site the spyware hijacks that request, sending you to a fake
Web site.

Some spyware captures every keystroke you enter in order to secretly send it
to some con-artist.

Potentially, this is a far bigger threat than viruses. Would you prefer a virus
program that wiped all the information on your computer, or spyware that
silently stole your insured’s Social Security number?

In conclusion

Claims information is personal information, and is protected by an
increasing amount of legislation.

While you certainly want to protect information that may be of value to
competitors, the legal requirements, and scrutiny, for protection of personal
claims information are of potentially greater import and the compliance
issues are growing.

Failure to assess risk, and its consequence, failure to adequately protect
claims information, can lead to:
• Loss of stock value;
• Loss of jobs;
• Loss of reputation in the market;
• Consumer suits;
• Government fines;
• Loss of customers;
• Loss of competitive advantage;
• Injury to persons;
• Damage to property;
• Loss of data, and/or alteration or disclosure/theft of data.

There is more assistance available on the Internet for developing a security
plan, for example:
http://counsel.cua.edu/glb/resources/baylor1.cfm
and
http://law.wlu.edu/administration/surveys/financial.asp
(Use code “Demo”)

And remember, technological security is important, but it is only one of the
areas where your defenses must be strong.

Table 2
Date       Institution                               Category          Method                    # People
03-Jan-05  George Mason University                   Physical          Break-in/Hacker              30,000
25-Jan-05  Science Applications International Corp   Physical          Break-in                     45,000
15-Feb-05  ChoicePoint                               Authentication    ID thieves purchased        145,000
25-Feb-05  Bank of America                           Physical          Lost backup tape          1,200,000
25-Feb-05  PayMaxx                                   Policy/Procedure  Exposed online               25,000
08-Mar-05  DSW/Retail Ventures                       Authentication    Hacking                     100,000
10-Mar-05  LexisNexis                                Authentication    Passwords compromised       300,000
11-Mar-05  Boston College                            Authentication    Hacking                     120,000
11-Mar-05  Univ. of CA, Berkeley                     Physical          Stolen laptop                98,400
12-Mar-05  NV Dept. of Motor Vehicle                 Physical          Stolen computer               8,900
20-Mar-05  Univ. of NV, Las Vegas                    Authentication    Hacking                       5,000
22-Mar-05  Calif. State Univ., Chico                 Authentication    Hacking                      59,000
23-Mar-05  Univ. of CA, San Francisco                Authentication    Hacking                       7,000
08-Apr-05  San Jose Med. Group                       Physical          Stolen computer             185,000
11-Apr-05  Tufts University                          Authentication    Hacking                     106,000
12-Apr-05  LexisNexis                                Authentication    Passwords compromised       280,000
14-Apr-05  Polo Ralph Lauren/HSBC                    Authentication    Hacking                     180,000
18-Apr-05  DSW/Retail Ventures                       Authentication    Hacking                   1,300,000
20-Apr-05  Ameritrade                                Physical          Lost backup tape            200,000
21-Apr-05  Carnegie Mellon Univ.                     Authentication    Hacking                      19,000
26-Apr-05  Christus St. Joseph's Hospital            Physical          Stolen computer              19,000
28-Apr-05  BoA, Wachovia and Commerce Banks          Inside Job        Account info sold         1,200,000
29-Apr-05  Mizuho Bank of Japan                      Physical          Lost backup tape            270,000
02-May-05  Time Warner                               Physical          Lost backup tape            600,000
                                                                       Total                     6,502,300
Modified from: http://www.privacyrights.org/ar/ChronDataBreaches.htm
