By Brookes Taney, Vice President of Data Breach Solutions, Epiq Systems
Insurers collect, store, and manage substantial volumes of confidential personal and commercial information. This makes the industry an attractive target for cybercriminals who seek information that later can be used for financial gain through extortion, identity theft, or other criminal activities.
Not only are data breach incidents among insurers increasing in number, but the motives of cybercriminals are also changing rapidly. Traditionally, hackers targeted names, addresses, and bank and credit card information in order to commit fraud. Increasingly, there appears to be a hierarchy among hackers—a contest of sorts—with status measured by the size, scale and audacity of the hack. In the Netherlands, an insurer was recently subject to the so-called “CEO hack,” a specific form of phishing cyber-attack where the criminals had allegedly researched certain operational details of the insurer. Pretending to be the CEO of a major and well-known commercial customer of the insurer, the criminals tried to persuade employees of the insurer to transfer money into a certain account.
Given the shifting landscape, what steps should insurers take to effectively prepare for and respond to data breaches? In the past, an insurer’s response to a breach would begin with the discovery of an incident. At this stage, the extent of the breach and any specifics as to what information was taken might be unknown. Outside counsel and investigators would likely be involved as soon as possible to find out what type of information was compromised, when it was taken and how quickly the leak could be stopped.
Insurers are now looking for more than just one-off breach responses. Instead, they are looking to partner with experts who can handle a breach from initial detection through any resulting litigation and offer adjacent services, such as proactive information governance, to help both reduce the risk of a data breach and minimise the damage if one does occur. Similarly, even after a data breach, that partner may offer services to efficiently and effectively handle any litigation that arises from the breach, including eDisclosure services, forensics and collections, document review, and processing and production.
Insurers can face lawsuits from consumers and shareholders, as well as regulatory fines and potential loss of clients and reputation. As the breach runs through its life cycle, litigation may arise depending on factors including, but not limited to, the size of the breach, the company and consumers involved, and the nature and scope of what was taken or compromised. In the event of litigation, an organisation may require an eDisclosure service, which enables it to efficiently manage the collection, processing and review of electronic documents and communications. An experienced eDisclosure service provider will use technology to perform automated searches on collected data to determine relevance to the case at hand. Utilising technology not only speeds up the eDisclosure process, but it also helps manage the cost of the exercise.
With the help of its service provider, the insurance organisation will need to prove to the regulatory authorities that it had systems in place to minimise the risk of a breach in the first instance by demonstrating that it had established, well-communicated corporate policies as to data loss prevention and any associated auditing procedures. It will also need to show that it had no advance knowledge of potential threats and that it responded with timely and adequate notice, post-breach.
Document review is integral to this process, involving in-depth evaluation of the relevant communications. In data breach litigation, this process can be exhaustive, with large bodies of documents needing to be reviewed for relevance by trained experts in very short periods of time. In this scenario, an outsourced solution for document review with secure facilities, tested training methodologies and review workflows is essential.
A rise in the volume of data breaches among insurers has put the threat of malicious hacking in the spotlight, raising fears of regulatory punishment and severe damage to corporate reputation. Insurers need to take control of the whole data breach cycle, working with information governance experts to take a more proactive approach to prevention and developing a more holistic, end-to-end response in the case of detection. As hackers become more sophisticated and less predictable, organisations are increasingly engaging with experts to counter the threat should it arise.