May 24, 2022

Protecting the Protectors: Data Security in the Insurance Industry

When individuals and organizations experience a crisis, they turn to the insurance industry. Medical, life, and car insurance companies provide support during life’s most difficult circumstances. It is essential, then, that insurance companies build trust with their policyholders by providing excellent customer service and protecting their data.

Unfortunately, a growing data security crisis threatens insurance companies’ reputations with their customers. Shred-it's 2021 Data Protection Report found that insurance companies are more likely than those in any other industry to experience a data breach. Three in four of the insurance companies surveyed have experienced a data breach at some point, with 65% reporting a data breach in the previous year. These breaches can affect both small insurance companies and some of the largest insurance firms in the world. In fact, in 2021 one of the most prominent providers of cybersecurity insurance experienced a data breach, which resulted in a ransom payment of $40 million.

Insurance policy providers can be targets because they store large amounts of sensitive information for individuals and businesses. For individual policyholders, insurance companies may collect social security numbers, phone numbers, addresses, bank information, and even protected health information (PHI). For businesses, insurance companies are trusted with financial information, names and addresses of employees and, in some cases, information about internal operations.

Like healthcare organizations, some insurance companies face risks when managing potential data breaches. Since health insurance providers have access to their customers’ PHI, they would be required by the Health Insurance Portability and Accountability Act (HIPAA) to disclose a data breach affecting more than 500 individuals. Many states have additional data protection requirements for insurance companies outside of those established by HIPAA. For example, California’s Insurance Information and Privacy Protection Act requires insurance providers to “implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of policyholder information.”

If an insurance company has relatively weak information security protocols, then bad actors have easier access to the insurance company’s data. According to the 2021 Data Protection Report, just half of insurance organizations surveyed have information security policies in place, compared to 64% of healthcare organizations and 72% of financial organizations. Just one in four insurance organizations surveyed perform regular infrastructure auditing and even fewer perform vulnerability assessments.

Additionally, insurance companies tend to be more concerned about internal physical data breaches, as 85% of organizations surveyed said they are concerned about employees leaving confidential materials out on their desks. A simple way to help protect vulnerable information is to implement a clean desk policy, which requires employees to shred or securely store any confidential information each time they leave their desk. This type of policy works best when it is paired with a paper shredding service, which only 6% of insurance companies surveyed have.

Insurance companies know how to support other businesses through a crisis, but by investing in proper data security measures, they can be better prepared to protect themselves. Learn more about data protection in the insurance industry by downloading our Data Protection Report infographic and visiting our insurance page.
