Protecting government information
It is not a question of if, but when, and everybody is vulnerable. And another thing — size does not matter.
That is pretty much the stance the property and casualty insurance industry takes when it looks at the potential exposure to network and enterprise security breaches for cities, counties or any other government entity. But, risk management options exist to help prevent loss of vital information and deal with it should a breach of security occur.
And they do occur. Breaches of public and private networks during the past year alone — think Sony, the U.S. government, law enforcement sites in Arizona — have been highly publicized in the general media. The stolen data runs the gamut from immigration documents to personally identifiable information to financial statements, and more.
Three degrees of exposure
Insurance professionals who work with public entities on information security risk management strategies often divide the exposures into three main groups: the risk to personally identifiable information, which could be used for identity theft; a threat to critical infrastructure; and political activism.
Loss of personal and private information is the biggest security risk a government agency faces today, according to Larry Harb, owner and CEO of IT Risk Managers, a wholesale insurance brokerage in Okemos, Mich., that specializes in technology security issues. Such losses can occur electronically — and that exposure becomes greater the more business an agency conducts online or interacts with residents online — but they also can result from mishandling of paper records, Harb adds.
Larry Collins, head of E-solutions for Zurich Services Corp., agrees that the main exposure for public entities “has to do with the information they possess from an identity theft point of view, as well as from a privacy point of view.” Cities and counties may have some credit card and bank account information, Collins says, but they also have medical programs with public health records, tax records, benefit and retirement information on public employees, names and addresses of public school children, court and criminal records, etc., the protection of which is often subject to federal statutes.
A breach in Texas
The cost of mitigating an incident after the fact, such as notifying privacy breach victims, providing credit or identity monitoring services to affected parties, consulting with a public relations firm to control reputational damage, as well as defense and settlement expenses, can be exorbitant.
For instance, in April 2011, the Texas Comptroller’s Office discovered that unencrypted data from the Teacher Retirement Center of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas had been posted on one of the state’s public servers for nearly a year, exposing a possible 3.5 million current and former state employees, and unemployment insurance claimants to potential identity theft. The data contained personally identifiable information such as names, addresses, Social Security numbers and birth dates. Class action lawsuits have been filed against the state on behalf of the potential victims, including one that seeks a $1,000 penalty for each individual affected, according to the San Diego, Calif.-based non-profit organization Privacy Rights Clearinghouse.
While it found no evidence the information had been misused, the Texas Comptroller’s Office admitted that the data was improperly posted on a public server because the agency’s own internal procedures for handling such information were not followed. “Employee training is key in these cases,” says Tim Stapleton, product liability product manager for Zurich North America Commercial Insurance. “You can have the best IT staff and the best IT measures in place, but really all it’s going to take is one employee to make a mistake and you have a privacy issue on your hands.”
That is why when insurance companies are considering insuring a city or county, they focus on the proactive risk management techniques and employee training that the entity either has in place or needs to establish. “We’re really looking at three major elements of their risk management profile around security and privacy issues, and that’s technical, administrative and physical,” Stapleton says. “And for municipalities particularly, what I’m more concerned with and probably would put more weight on in these cases is administrative and physical elements.”
The resource problem
Cash-strapped cities and counties may be tempted to reduce information technology, security and privacy budgets because they may not be seen as essential as, say, emergency services, Collins says. “But they’re enormously important from the point of view of preserving your own municipal IT infrastructure, as well as defending your records, which are very unique, against attacks by hackers and the like.”
A 2010 study by the National Association of State Chief Information Security Officers and Deloitte consultants found that budgets and resources in the public sector lag behind those available to private sector organizations. That gap is widening as private companies increase their investment in security, according to the “2010 Deloitte-NASCIO Cybersecurity Study.”
When assessing their cyber risk, cities and counties must consider whether they have spent their money wisely, says Michael Murphy, an underwriter for Allied World Assurance. “Have they made the investments in the appropriate individuals with the necessary skill sets to develop adequate network security controls and procedures to protect their information?” he says.
On the issue of cyber security, one of the major differences between public and private organizations is that private companies are usually more agile in their ability to assess risk quickly and allocate funds accordingly. “Governmental entities are tightly strapped as to where they put this money,” Murphy says.
However, taking a “proactive stance on network security and providing the right amount of money to the right individuals in order to be able to protect the information properly,” is advisable, he adds. You can’t prevent everything, he says, but one of the most important things an organization can do is to be prepared when something happens.
Having an incident response plan in place will allow the organization to respond quickly to protect the information and limit the likelihood of a liability situation. It also can protect the government entity from a public relations standpoint. “You want to handle it properly so that people know if their information is lost, the government knows about it and as quickly as possible can let them know,” Murphy says.
Transferring the risk
Taking the position that all organizations are vulnerable and entities of any size can be susceptible to data breach incidents, the insurance industry has responded over the past decade to the ever-evolving security threats that enterprising criminals and mischief-makers devise. The coverage can encompass everything from defense and notification costs to third-party liability to federally mandated fines.
The policies, however, are not standard. “The concept of ‘if it’s not excluded, it’s covered’ is not true,” Harb says. “In fact, this is the exact opposite. I tell everybody: if you want coverage for a particular exposure, make sure that policy states that exposure is covered.”
So, when an organization is seeking insurance for cyber security issues, it is important to deal with specialists who are familiar both with the exposures and the risk transfer mechanisms available, Harb says. “I always tell people that insurance is a risk transfer vehicle, and that’s all it is,” Harb says. “It doesn’t make the risk go away, it just pays for it if there’s a problem… From that standpoint, when I can contractually get somebody else to pay for the exposure, I’d like to do that.”
- Read the “The increasing costs of data breaches” sidebar to learn more.
Resources
- National Association of State Chief Information Officers, www.nascio.org
- The Ponemon Institute, www.ponemon.org
- Privacy Rights Clearinghouse, www.privacyrights.org
- Federal Cybersecurity Resources, www.dhs.gov/files/cybersecurity.shtm
- Federal Critical Infrastructure Protection Program, www.dhs.gov/files/programs/critical.shtm
- Insurance Information Institute Identity Theft Statistics, www.iii.org/facts_statistics/identity-theft.html
Stephanie Jones is South Central and Midwest Region editor for Insurance Journal, which covers the property and casualty insurance industry.