The wealth of personally identifiable information (PII) sitting inside insurance companies’ environments is staggering. It delivers significant value by enabling more informed decision-making, but it also creates tremendous risk of breach and theft, making those environments a proverbial honeypot for attackers. Still, the insurance industry needs this data to analyze buying trends, demographics, and telematics to determine policy rates. As a result, possessing and maintaining such vast quantities of data is now an operational necessity.
So, the question becomes: Is there a way to preserve the utility of data in a way that does not also create unnecessary risk for the organizations storing it? The short answer: yes. But it’s not quite that simple.
The Difficulty of Storing Data
Recent research from the Ponemon Institute indicates large organizations—including insurance carriers—have a 29.6 percent chance of being breached within two years. The same report goes on to show that organizations today are one-third more likely to experience a breach than they were in 2014, so things are only getting worse. Further, much of the data possessed by organizations includes more PII than it did in the past, which is why cybercriminals are increasingly interested in it. Using elements of this data type, malicious actors can create an entire fake persona, which can then be used (or sold) for any number of fraudulent activities. Imagine that exposure. Now multiply it into the millions of profiles—each representing a single customer’s set of PII—when an entire organization is breached. And that amount of data is growing.
Telematics: More Data, More Risk
Some insurance companies are now encouraging people to use wearable health technologies to track daily activities and health data so their policyholders can be rewarded with lower premiums for their healthy behavior. Similarly, car insurance providers are also using trackable devices on automobiles to reward insureds who drive less and avoid speeding. These types of devices are known as telematics.
Telematics programs are focused on using this data to gain a whole new universe of insight into customers’ lifestyles. When you consider the sheer volume of PII and protected health information (PHI) being collected by these devices, it is a little frightening just how much sensitive data insurance companies are now responsible for protecting. Additionally, when the sensitive data gathered by these technologies is exposed, the organization holding it faces class-action lawsuits, international fines for noncompliance, legislative penalties, and more. And these regulations are only the beginning.
New Laws are Coming—and That’s a Good Thing
The National Association of Insurance Commissioners (NAIC) has adopted regulatory principles in the form of a model law in the United States, which establishes blanket standards for data security and breach notifications. This is a move in the right direction, but to this point, only eight states have adopted the law, and it still doesn’t address international privacy standards.
Elsewhere in the world, regulations such as the European Union’s General Data Protection Regulation (GDPR) mandate how an individual’s personal data should be handled and detail the rights those individuals have in regard to their data. Although the GDPR is an EU-focused law designed to protect the personal data of EU citizens, it applies to any entity—regardless of location or industry—that processes, stores, or transmits personal data from individuals within the EU.
Although some might be apprehensive about more industry oversight, cybersecurity regulations create accountability industry-wide. Without them, insurance organizations would have to write, implement, and maintain their own versions of a comprehensive data security program containing administrative, technical, and physical safeguards for the protection of PII. A universal standard creates clear guidelines for how sensitive data should be handled, enabling consistent protection for both insurers and insureds.
Layering Security for Maximum Protection and Compliance
Back to the question we posed at the beginning: Is there a way to preserve the utility of data in a way that does not also create unnecessary risk for the organizations storing it? Yes, when organizations implement layered security strategies that include technologies such as tokenization and encryption. Using these two technologies in conjunction with each other improves an organization’s overall security posture by building a complete defense strategy rather than focusing solely on perimeter or endpoint protection.
Tokenization is especially effective in insurance use cases because it can preserve certain aspects of the original data for analytics and other business-utility purposes while simultaneously deidentifying it in compliance with many international privacy regulations. It works by removing sensitive data elements from internal systems and replacing them with nonsensitive placeholders called tokens. Because a token is generated independently of the original value and cannot be reversed outside the tokenization system, a breach of a tokenized environment exposes no sensitive data. What was previously processed and stored in internal systems is now safely kept outside that environment.
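As an added illustration (not code from the original article or from any tokenization vendor), the following Python sketch shows a vault-style tokenizer with the properties described above: each token is random, so nothing about the original value can be derived from the token itself, while the shape of the value and its last four digits are preserved for analytics. The `TokenVault` class, its method names and the sample identifiers are assumptions made for this example.

```python
import secrets
import string

# Constructed sample identifiers (not real policyholder data) in an SSN-like shape.
SAMPLE_PII = ["123-45-6789", "987-65-4321"]


class TokenVault:
    """Hypothetical vault-style tokenizer.

    Tokens are drawn from a CSPRNG, so they are mathematically unrelated to the
    values they replace; the only link is the mapping held inside the vault.
    Systems outside the vault handle tokens only, so breaching them exposes no PII.
    """

    def __init__(self) -> None:
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str, preserve_last: int = 4) -> str:
        """Return a token with the same shape as `value`.

        Punctuation stays in place and the last `preserve_last` digits are
        carried over so records can still be grouped or partially displayed;
        every other digit is replaced with a random one. A given value always
        maps to the same token, so tokenized datasets remain joinable.
        """
        if value in self._value_to_token:
            return self._value_to_token[value]
        digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
        if preserve_last >= len(digit_positions):
            raise ValueError("preserving every digit would leave the value exposed")
        keep = set(digit_positions[len(digit_positions) - preserve_last:])
        while True:
            chars = list(value)
            for i in digit_positions:
                if i not in keep:
                    chars[i] = secrets.choice(string.digits)
            token = "".join(chars)
            # Retry on the (unlikely) collision with an existing token or the value itself.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; no key or formula exists elsewhere."""
        return self._token_to_value[token]
```

In a real deployment the vault (and its mapping) lives outside the systems that run analytics, which is what keeps a breach of those systems from exposing the underlying values.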
This model of security enables the protection of sensitive data without negatively impacting its value to an organization. It also can help organizations satisfy their regulatory compliance obligations by focusing on deidentifying the data first, which several international compliance regulations view as a best practice for protecting the privacy of sensitive data. As insurance companies continue to ingest, process, and store more and more information about their policyholders, the importance of a security strategy that effectively balances data protection with preservation cannot be overstated. The right cloud-based tokenization platform, such as TokenEx or VGS, can help accomplish that goal.