Login Register Subscribe
Current Issue

Data breaches for comp insurers inevitable, preparedness key: Experts

Reprints

The workers compensation industry should anticipate and be prepared for data breaches, experts say.

Workers comp insurers should know “it’s not a matter of if they will be breached, it’s more likely a matter of when they will be breached,” said Patrick Fowler, a Phoenix-based partner and cyber security and privacy practice co-chair at Snell & Wilmer L.L.P. “The bad guys are getting more and more sophisticated and any form of cyber security always has a human element that is dependent on people following certain steps and procedures.”

In November, SAIF Corp., Oregon’s state-chartered workers comp insurer, was victim of a data breach when an unauthorized third party illegally gained access to a SAIF premium auditor’s email account from a phishing attack. The emails contained confidential information, including the names and Social Security numbers of more than 1,000 employees from six of SAIF’s 52,000 policyholders, according to an emailed statement from a SAIF spokeswoman.

SAIF is not the first workers compensation organization to fall victim to a data breach. Last June, the Kentucky’s Workers Compensation Fund fell victim to a ransomware attack. In 2015, personal information of employees who filed workers comp claims in Salt Lake County was available online.

Companies have to pay attention to the vulnerabilities that exist before a data breach occurs because of the type of personal information that can be accessed, experts say.

“Insurers have different obligations because of the information that they store and the volume of information, especially when it comes to workers comp,” said Jennifer Rothstein, New York-based senior director, cyber security at Kroll Associates Inc. “With workers comp, there is a lot of (personally identifiable information) and (protected health information) that is collected, and because you are dealing with employees of an organization, that might trigger notification obligations, credit monitoring and other remediation. Insurers have to be particularly sensitive to all that information that they store. Workers comp requires a review of medical records ... that may trigger some (Health Insurance Portability and Accountability Act) protections.”

There are many risks to be aware of, experts say.

“You have to recognize that the risk involves a lot of pieces. You may have all sorts of computer systems that communicate with physicians, hospitals and other insurers,” said Alan Brill, New York-based senior managing director, cyber security and investigations, at Kroll. “You may have systems that you are using internally, you may have paper records coming in which get scanned and added to the database, so the normal processes that you go through as a person in this industry creates risks.”

The key to lessening these vulnerabilities is having secure networks, using encryption appropriately and making sure employees are trained on how to keep confidential data secure. But 100% security is not guaranteed, Mr. Brill said.

“If you have data and that data is valuable, it could get stolen,” he said. “Somebody could make a mistake, a file setup could be misconfigured, somebody could click on something they shouldn’t click on in a phishing email and those things are enough to start the chain of infection that could lead to the actual compromise of the data.”

Companies have a number of different responsibilities in the aftermath of a data breach, experts said.

“First is reporting requirements, depending on what type of information is subject to breach and where company and information owners are located,” said Michael Hindelang, Detroit-based partner, data security and privacy litigation at Honigman Miller Schwartz & Cohn L.L.P. “There are different notification laws in 48 states. Second is the exposure: Have you been able to remedy the cause of the breach, and ensure that they there is no one actively in your system… and then you have the potential for regulatory inquiries.”

Companies should also be prepared for potential class actions or other civil suits resulting from a breach, Mr. Hindelang said.

In the case of SAIF, insurers have taken steps to respond to the breach.

“As soon as we learned of the incident, we took immediate steps to disable the employee’s business email accounts,” a SAIF spokeswoman said. “We reported the incident to the FBI, the Oregon Department of Justice and the three major consumer reporting agencies. We also retained CSIdentity to provide employees possibly impacted by this with credit monitoring service for twelve months, and notified anyone who may have been affected. We have not received reports that any information has been used to commit identity theft.”