
Data Protection for the Insurance Industry


Customers entrust insurance companies with a vast array of non-public personally identifiable information (PII) and protected health information (PHI) to support daily business needs (underwriting, claims processing, etc.). Regulators and customers expect that you are protecting that data. Has your organization implemented the controls necessary to protect against accidental disclosure as well as malicious breach attempts?

Personally identifiable information

PII is information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a single individual. The following are common examples of data that would be considered PII:

  • Full name
  • Street address
  • Email address
  • Identification number (social security, driver's license, etc.)
  • Birthday
  • Birthplace

Protected health information

PHI, as defined under the U.S. Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care or payment for health care that can be linked to a specific individual, including a patient's medical record. Data is "individually identifiable" if it includes any of the 18 identifiers defined by HIPAA. The identifiers include the PII data listed above, as well as medical record numbers, account numbers and photographic images, to name a few.

Electronic protected health information (ePHI) is PHI that is stored, accessed, transmitted or received electronically; for example, workers' compensation claim information stored within a company's database.

Organizations need to ensure they have the appropriate controls to protect sensitive information, such as PII, PHI or ePHI, to reduce or limit the risk and impact of data breaches. In addition, organizations should develop an understanding of the other various laws and regulations that may impact the data elements captured for their business, such as PCI DSS (Payment Card Industry Data Security Standard), HITECH (Health Information Technology for Economic and Clinical Health Act) and/or HIPAA.

Impact of data breaches

Seemingly every week there is a new headline about a large company suffering a data breach through a malicious or cyber attack. Based on a benchmark study from the Ponemon Institute, nearly 31 percent of all data breach cases in 2010 involved malicious or criminal attacks. This was the first time malicious attacks were not the least common cause of breaches.[1] FBI Director Robert Mueller recently informed the Senate Judiciary Committee that the FBI plans to increase its focus on the growing threat of cyber attacks over the next two years.

Even though malicious or cyber attacks make the front-page headlines, lost or stolen laptop computers and other mobile devices represented 35 percent of data breaches.[2] As companies and technology continue to give employees more flexibility to work remotely (i.e., outside of the company's physical location), the risk of data breaches increases.

According to the Identity Theft Resource Center, over the last six years there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records.

Data breaches continue to cost organizations more every year. The average organizational cost of a data breach in 2010 increased to $7.2 million, up 7 percent from $6.8 million in 2009. Data breaches cost companies an average of $214 per compromised record in 2010, up $10 (5 percent) from 2009. The financial services sector, however, has one of the highest average per-record costs, at $353.[3]

Additional impacts include damage to your organization's brand and reputation, loss of customer confidence, litigation and regulatory actions.

Protecting your customer's data

Before you can be confident your organization is appropriately protecting the sensitive data it collects, you need to understand the specific data elements that are captured, retained and stored within existing processes and systems. After the universe of data is determined, ensure that the appropriate policies, procedures, safeguards and controls are in place and operating. Identify any potential gaps in controls compared to a selected framework, such as the Generally Accepted Privacy Principles (GAPP) issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), the International Organization for Standardization (ISO) 27002 or the Health Information Trust Alliance Common Security Framework (HITRUST CSF).

While these approaches are effective for understanding your company's current state of data protection, there are many automated enterprise data protection solutions that should be considered to strengthen your data security program. The following are some of the more common technologies that we have seen implemented at insurance companies:

  • Encryption of PII and other sensitive data, including on laptops and other mobile devices
  • Data loss prevention (DLP) solutions
  • Identity and access management solutions

With the increasing frequency of malicious attacks and the continued trend toward remote work, companies should determine whether they have implemented a comprehensive security program to protect sensitive data.

For more information, please contact RSM Director David Wood at 847.413.2066

[1] 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC and Symantec Corporation, March 2011

[2] 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC and Symantec Corporation, March 2011

[3] 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC and Symantec Corporation, March 2011
