“Are you next? ID theft announcements from insurance companies underscore importance of data protection.”

“Are you next? ID theft announcements from insurance companies underscore importance of data protection.”
Eran Farajun, Asigra

With the U.S. Justice Department estimating a conservative 700,000 I.D. thefts reported each year, the requirements to disclose data loss is causing more geographically dispersed organizations to realize they need to evaluate how to handle and secure ROBO data.

A late 2006 announcement from Aetna, one of the largest U.S.-based health insurers, detailing the theft of sensitive personal information of 130,000 plan members from a field office of a company that provides medical claim audit services highlights a year of data loss and theft throughout the insurance industry in 2006.

There were more than 10 such announcements from insurers this year, as companies dealt with the fallout of customer privacy missteps including the loss of names, addresses, birth dates, drivers license numbers and social security numbers of its insured. Some instances included loss of sensitive medical information.

Aetna’s December announcement of a late October event was the second for the company this year. In May 2006, the company also reported the loss of information of 38,000 of its members resulting from a theft of an employee’s laptop. Other insurers reporting data breeches this past year included Aflac, Allstate, American Family Insurance, American Insurance Group (AIG), Blue Cross/Blue Shield, Kaiser Permanente, Progressive Casualty Insurance, Sentry Insurance, Virginia Bureau of Insurance and Wellpoint.

The announcements of each of these data loss incidents typically included the disclaimer that any personal information would be difficult to access by thieves, with many adding that the sensitive data was simply part of a burglary of property that could be sold for cash and that identity theft was not an intended goal. But with identity theft three times greater than the aggregate of all U.S. property crimes (burglary, larceny and motor vehicle theft), the cause for concern is high.

The Federal Trade Commission reports that the three-year compound rate of growth in the nation’s identity theft was 16.4 percent from 2002 through 2005, with enterprises losses attributed to identity theft estimated at $2.12 billion during 2005. The cost of this crime to businesses and enterprises is around $10,200 per victim.

Besides the financial impact and public relations embarrassment of having to disclose the loss of customers’ sensitive data, companies are also faced with the time and management headaches of restoring missing corporate information. The fact that many of these instances occur at remote locations or through the theft of mobile devices such as laptops is not going unnoticed by companies who provide data storage solutions and services to globally dispersed enterprises.

While many companies spend an appropriate amount of their IT budget on equipment to store their corporate data, important functionality such as restorability, security and protection of off-site information are often overlooked. Remote office data and information residing on employees’ laptop computers are just as valuable as data which resides on corporate servers. Its loss must also be mitigated. To further protect valuable customer and business information, a solution that features encryption of data at-rest and in-flight helps ensure that any information that is lost or stolen remains worthless to the thieves who do not have the right tools to decode this sensitive information, thereby proactively thwarting identity theft before it begins.

As more and more companies require customers’ sensitive information, the need to protect this data continues to be of paramount importance. The creation of protocols on how to handle this information face hurdles when these rules are deliberately or inadvertently not followed, creating an environment where data is left unprotected. Data residing on back-up cassette tapes or employee laptops also represent a point of insecurity because of the ability of thieves to physically remove them from a location. With the U.S. Justice Department estimating 700,000 I.D. thefts each year, the requirements to disclose data loss is causing more geographically dispersed organizations to realize they need to treat and protect remote branch office data as well as centralized data.