Emerging encryption matters are the next wave of cyber concerns
In a day and age when hackers are persistently attempting to break into networks, an organization that fails to encrypt its sensitive data is taking a huge risk with both its financial resources and its reputation. Unprotected data is a legitimate business problem that is no longer confined to IT, especially for healthcare organizations, where the loss of sensitive unprotected data can result in fraud, identity theft, and stolen financial resources from employees and customers. In these cases, the burden or blame ultimately falls upon the most senior executive leaders at an organization. And when it comes to senior teams knowing their areas of risk, encrypting data and building protections have become the latest concern in evaluating them.
As seen in the Target data breach that affected approximately 70 million customers and resulted in $162 million in expenses in 2013-14, even encrypted data is not impervious to being hacked. However, the Health and Human Services’ (HHS) Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act (HIPAA), advises organizations to encrypt as much data as possible. The office has enforced penalties or reached settlements in 24 data-breach cases in recent years, including two in April 2014 involving lack of encryption. The Concentra Health Services unit of Humana Inc. and QCA Health Plan Inc. of Arkansas agreed to pay $1.7 million and $250,000 respectively after unencrypted laptops were stolen. The U.S. Court of Appeals, the Eleventh Circuit, has also recently adjusted class action requirements to give more power to patients. As it relates to patient data theft, the court determined “allegations of identity theft that cause monetary damages are an injury-in-fact sufficient to give plaintiffs standing in a putative class action.” This ruling provides plaintiffs with more influence in their argument that their stolen personal information should result in monetary compensation.
One of the most newsworthy and extensive unencrypted data breaches was that of Anthem Inc. The health insurance company became aware of the situation on January 29, 2015, nearly two months after “suspicious activity” began. Whoever was responsible for the hack broke into the database and gained access to the information of tens of millions of consumers. While encryption could have made the data less valuable to hackers or harder to access in bulk, the trade-off is that it would have been harder for Anthem employees to track health care trends or share data with states and health providers.
In the months since the Anthem breach, there has been a debate over whether encrypting data to protect a corporate network is worth the price tag. In addition, the extent to which it can slow companies down is sometimes considered inexcusable. However, it is important to note that the average costs incurred as a result of a cybersecurity breach are rising. According to a 2014 Ponemon Institute study, companies have experienced nearly a 10 percent increase in the costs of addressing a breach since last year. While taking the necessary measures to safeguard data is costly, the costs associated with an unencrypted data breach are extensive. They include, but are not limited to, lost sales due to a tarnished brand, forensics investigations, litigation costs, credit monitoring for customers, and fines.
Today’s insurance marketplace is hardening on cases where unencrypted data is stored on clients’ servers. With breaches at large corporations such as Target and Anthem visible in the media, insurance carriers are growing cautious about the increased threat of a breach for their clients. This awareness has created a spike in premiums by primary and excess carriers as customers prepare for the worst.
Our team is experienced in handling data security issues and is ahead of the curve when preparing our clients for increased exposures in cyber security. In fact, our Cyber Response policy offers the most comprehensive coverage available. Be sure to visit Cyber Risk Hub, an online platform for all of the insurance industry, designed to be a resource to provide a better understanding of the increasing risks resulting from breaches of information and network security.
About the Author
Spencer Mahoney is a Client Executive at Gallagher WGA, working on structuring and negotiating complicated insurance placement for clients in the Property and Casualty area. Mr. Mahoney specializes in dealing with energy and technology clients.