Note: This website, sponsored by Steve Anderson, provides business leaders with the information they need to identify, prioritize, and mitigate their vulnerabilities in the event private client information is breached. Click the About link to the right to read more detailed information about Steve and this site. |
Digital Copiers are a Security Risk
Digital copiers built since 2002 contain hard drives that store images of every document copied or scanned. Many of the stored documents include confidential data, leaving individuals vulnerable to identify theft if no safeguards are in place.
During a CBS News investigation in April 2010 an expert downloaded tens of thousands of documents from old copiers available for sale using a free forensic software program. One copier contained files from a police department sex crimes unit; one contained addresses and social security numbers along with $40,000 in copied checks; and yet another contained 300 pages of individual medical records from a health insurance company.
You can view the video report by Armen Keteyian, “Digital Photocopiers Loaded With Secrets,” (Apr. 19, 2010) by clicking here:
http://www.cbsnews.com/video/watch/?id=6412572n&tag=related;photovideo
Any company that maintains any type of health records have a particularly risky situation if that information is breached. Federal privacy laws including the Americans with Disabilities (ADA) require that employers keep employee health records private.
You might be able to obtain a security or encryption add-on to your copier that will automatically erase images and other data from the copier hard drive. Any organization should make sure that before they allow an old copier to be removed from their premises the hard drive is either removed or completely wiped of all data.
Colorado Casualty: “There is no coverage”
Colorado Casualty Insurance company is seeking a judicial ruling that it is not obligated to pay for costs incurred by the University of Utah in 2008 as a result of a client information breach.
On or about June 1, 2008 car burglars stole back-up tapes from the personal car of a Perpetual Storage employee containing medical billings records with sensitive personal information (including social security numbers) on 1.7 million university patients covering a time period of approximately 16 years.
University of Utah officials want Perpetual Storage, their backup storage vendor, to reimburse the cost the university incurred because of the client data breach. Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on: (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.
Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach. Ron Sutherland of United Insurance Services was Perpetual’s insurance agent at the time and placed the coverage with Colorado Casualty.
The University has brought Sutherland and United Insurance Services into the suit as a third party claimant alleging they were “careless, negligent and made various negligent misrepresentations about Perpetual’s insurance coverage from Colorado Casualty.”
The Colorado Casualty suit does not provide any specific details on why the company feels it is not obligated to pay for this claim. Notwithstanding what the Colorado Casualty policy may actually state, the above claim would probably have been covered under most network security and data breach privacy policies currently available.
Lesson learned: It is critical for every agency to inform their client’s about the coverage limitations for any claim arising from a client data and information breach. And, they should offer to provide them with a quote for a Network Security and Data Breach Privacy policy.
Here is an article from the Salt Lake Tribune.
Do you have the proper insurance coverage for the costs of a client information breach?
Cyber Breaks, Insurance & Data Breach Response Advice
Stroz Friedberg is a consulting firm that does computer forensics, mobile phone forensics, electronic discovery and cyber crime response, operating at the intersection of law, technology and behavioral sciences. In this Insurance Journal interview David Garrett, managing director of Stroz Friedberg’s San Francisco office, explains why clients may or may not have cyber risk insurance, whether those that have the insurance actually make a claim in the event of a cyber breach, and simple steps any company can take to reduce the exposure.
You can view the interview by going here: http://www.insurancejournal.tv/videos/3754/
FTC Extends Deadline for Red Flags Rule
The FTC announced in a press release on Friday May 28 that they would postpone enforcement of the Identity Theft Red Flags Rule.
“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.”
The full release is available here.
A New Era in HIPAA Enforcement Has Begun
Connecticut AG files First HITECH Act Law Suit
In the first lawsuit to invoke the new provisions of the HITECH Act, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net for violating HIPAA requirements. Here is the actual complaint: CT Complaint Against HealthNet
The lawsuit was filed on January 13, 2010 and was described in a statement “Sadly . . . historic.” The suit alleges that Health Net failed to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach. This case is the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). The suit also alleges a violation of Connecticut’s breach notification statute.
On or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices. The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents. Health Net did not begin notifying affected individuals until November 2009.
Is this the first sign of the fines/lawsuits organizations will face in the future?
- Have you implemented new policies and procedures to ensure compliance with the HITECH requirements?
- Have you trained all employees on new requirements?
- Do you have tracking and documentation of employee acknowledgements and understanding?
- Have you implemented ongoing awareness training as risks, threats and best practices are constantly changing?
What have you done to inform your clients of the risks they also face and offered them data breach insurance coverage?
Steve Anderson: System Selection and Data Security
In this short interview, Jack Burke from Audio Insurance Outlook talks with Steve Anderson about two important topics: the importance of selecting the very best agency management system for your agency and why client information security will be a hot topic for agencies in the next couple of years and what agencies can do today to protect themselves. [18 minutes]
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
No time to listen now? Right click and download to listen later on your computer or iPod/iPhone.
Blue Cross Eastgate Hard Drive Theft Update
During the past two weeks, significant progress has been made in BlueCross BlueShield of Tennessee’s continuing auditing, identifying and notification efforts of members affected by the Eastgate hard drive theft.
As of January 19, 2010, 220,000 current and former members have been identified and 211,253 notifications have been sent to members indicating that their personal information was included on the stolen hard drives and have been offered remediation services, including credit monitoring and identity theft protection. These members, which fall in the Tier 3 category, have been confirmed as having their name, address, BlueCross member ID number, diagnosis, Social Security number and/or date of birth included in the stolen hard drives. Additionally, minors whose personal information has been identified in the Tier 3 category have begun to receive letters offering LifeLock® identity services.
BlueCross has confirmed that 20,940 members have contacted Equifax to initiate the free 3-in-1 credit monitoring service offered to those members in the Tier 3 category. Also, two members have contacted Kroll regarding activation of its Enhanced Identity Theft Consultation and Restoration services. However, as of January 19, 2010, there has been no documented incident of identity theft or credit fraud of BlueCross members as a result of this incident.
Beginning in early February, members falling in the Tier 2 category of personal information (name, address, BlueCross member ID number and diagnosis) will begin to receive their notifications with details of the hard drive theft and remediation services offered to them.
Below is a graphical representation of total members identified and notifications sent as of January 19, 2010. If you are unable to view this image, you can go to the Eastgate Hard Drive Theft page of bcbst.com to view this statistic and other information related to our identification and notification efforts.
While this theft has received significant coverage in many Tennessee news and media outlets, our auditing and notification process has received favorable reviews from IT-related online publications and blogs. BlueCross has been lauded for its open and frequent communications, as well as engaging a leader in data security, Kroll, in assisting with its file audit and remediation efforts.
BlueCross BlueShield of Tennessee is committed to delivering up-to-date and relevant communications to its clients – members, brokers and employers – as information becomes available. As always, you can direct questions specific to this incident to the BlueCross BlueShield of Tennessee Privacy Office by calling 1-888-422-2786 or through email at Privacy_Questions_GM@bcbst.com. Or, you can visit our Web site at bcbst.com.
BCBS of Tennessee Client Data Breach
My health insurance is with BCBS of Tennessee. For a couple of months now I have been receiving updates because of a Client data breach they experiences last October. Following is a copy of the official information.
“In October 2009, 57 hard drives containing video and audio files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga, Tenn. that formerly housed a BlueCross BlueShield of Tennessee call center. The video files were images from computer screens of BlueCross BlueShield of Tennessee customer service representatives and the audio files were recorded phone conversations from January 1, 2007 to October 2, 2009.
“Almost immediately, BlueCross BlueShield of Tennessee began communicating to brokers and employers of this incident and has been providing periodic updates as more information became available. Additionally, BlueCross BlueShield of Tennessee has been diligently reviewing and analyzing the backup files of the stolen hard drives. Since early December, nearly 200,000 active and former members have been identified on those files and notified that certain personal information was included on the stolen hard drives.
“As of January 4, 2010, we have completed the audit of the 1.3 million audio files and 300,000 video files and will now begin a broad communications effort to members, brokers and employers. Part of this comprehensive communications effort will include a progress report delivered via email every two weeks to brokers and group administrators. This report will include details of total affected members and our notification and remediation steps. We will continue to post regular updates to our Web site, bcbst.com – including a special Eastgate Hard Drive Theft page – along with a FAQ section to assist in providing answers to many questions we have received over the past few weeks.
“We will also be providing more detail on the steps BlueCross BlueShield of Tennessee has taken to identify and protect the personal data of affected members. Beginning with the member notification letters generated the week of January 11, 2010, information will be included regarding the discovery of the theft of the hard drives and BlueCross BlueShield of Tennessee’s response to that incident. Additionally, BlueCross BlueShield of Tennessee members that are classified as minors will be receiving a specific notification letter addressed to their parent or guardian and offering LifeLock Identity Alert™ services (see attached). Letters to current and former BlueCross BlueShield of Tennessee groups explaining these changes will be sent the week of January 11, 2010.
“BlueCross BlueShield of Tennessee is committed to delivering up-to-date and relevant communications to its clients – members, brokers and employers – as information becomes available.”
This organization had to pay for someone to review 1.3 million audio and 300,000 video files. They also have mailed letters to all the potentially affected members. All because some hard drivers were stolen. Another reason to make sure your physical security will protect client information from being compromised because of a burglary.
What is your organization doing to enhance your physical security?
Farmers Insurance Agent Hires Hacker
In a statement to the Channel 4 I-Team (local Nashville TV Station WSMV), Farmers Insurance Company said a former insurance agent of theirs may have accessed private client information, and it is in the process of notifying potentially affected customers.
Allegedly a local ISP provider was contracted by a former Farmers agent to exploit a flaw on the Farmers web site that allowed someone to extract all the information from its database, such as insurance policies, names, addresses and Social Security numbers. Because of this client information security breach, Farmers contacted the Secret Service which investigates cyber crime, which is investigating this incident.
Read the full story by clicking this link: http://www.wsmv.com/news/21715549/detail.html
There are at least two lessons to learn from this incident.
First, it is vitally important that every company perform an information security audit to make sure they identify (and correct) as many of the possible client information security problems and holes as possible. Having performed an audit will also help an organization defend itself against the consequences of a data breach.
Second, every company regardless of size needs to have a client security breach plan in place. It is alleged that Farmers Insurance was notified by the ISP provider that they had a potential client information breach, but did not take steps to determine the extent of the breach until Channel 4 started to investigate.
Anderson Issues Report Protecting Agencies from Data Breaches
Client Data Security
NASHVILLE, Tenn. (January 6, 2010)—“Information is the most radioactive element in today’s businesses,” says Steve Anderson of The Anderson Agency Report in his most recent business guide for independent insurance agencies, called Client Information Security.
Anderson’s report highlights that more than 88% of client data breach cases last year involved employee negligence and that 84% of cases involved organizations with more than one incident. The average, total, per-incident cost of a breach was nearly $6.7 million, including civil and regulatory penalties, administrative expenses and legal defense costs.
Insurance agencies of all sizes are treasure troves of personal client data, and they need to establish effective protective barriers and appropriate responses in case there is a breach. Client Information Security provides agency leaders with the information they need to identify and prioritize their vulnerabilities.
The report provides a walk through the agency’s “weak links,” including employee malpractices and negligence, theft of equipment, and external attacks, such as hacking. It aids the agency in categorizing what data to protect and gives more than 20 detailed steps on how to get a data-breach security plan up and running. Anderson provides a convenient, at-a-glance method for classifying risks and incidents in a graphic depiction that can be used to track, analyze and document compliance with a security plan.
Anderson gives insights into surprising areas of vulnerability, such as the problem of “reverse shredding” of documents, and how to foil hardcopy data thieves. He also goes into substantial detail on dealing with an incident from original, internal discovery to notification of authorities, gathering of evidence, damage control and corrective action.
Client Information Security goes beyond treatment of personal data, addressing corporate data held at agencies as well. It not only helps the agency with its data but makes agency members smarter about risk management and insurance resources for their own clients. Security breach laws are covered in their own section, and a state-by-state summary and “further resources” section round out the comprehensive report. To find out more or order a copy, visit http://www.ClientInformationSecurity.com/.
The report can be purchased at www.ClientDataSecurity.com.
About Anderson: Based in Nashville, Tenn., Steve Anderson (www.SteveAnderson.com) is one of the insurance industry’s top consultants and speakers. He delivers keynote addresses, lectures, seminars and conference programs, in addition to individual agency consultations, helping clients maximize productivity and profits by smart use of technology. He is executive editor of The Anderson Agency Report (TAAR), a monthly newsletter dedicated to providing independent agents with the technology information they need to more effectively manage and grow their agencies. In addition to being a licensed independent agent for more than 30 years, Steve has a master’s in Insurance Law.
Data Backup & Recovery
Pages
Latest Release
Categories
- Client Data Breach
- Client Information Security
- Insurance
- Insurance Agent Breach
- Live Interviews
- Products
- Uncategorized
Blogroll
- Chris Christian's Professional Liability Tidbits
- Office of Inadequate Security
- Privacy Rights Clearinghouse
- Steve Anderson – Insurance technology Authority
- Womble Carlyle – Privacy and Data Protection
