A four-year-old's employment records (or how not to handle a data breach)
2015/05/28
Yesterday one of my four-year-old twins received a letter from a major health insurance carrier (we’ll leave them nameless, tempting as it is). The letter states that the carrier had a data breach and that his information may have been included. The list was pretty extensive, including name, address, telephone number, email address, date of birth, social security number and employment history. That’s a pretty big list, and everything you need to steal an identity. They assure me that no health information was shared, but I think they have their priorities wrong. I don’t care if the thief knows I have high cholesterol, but I do care that they have my social security number. I admit I am curious about the employment history of my four-year-old – I think he has been holding out on me. I wondered how he had so many Legos.

The challenge? We’ve never had a policy from this particular carrier. Their FAQ site (a whopping four pages of minimal information) says it could have been because they process for other carriers, but nope, none of them either. So I set out to find out more information, particularly whether others in the family were affected, since we are all on the same policy (Mom, Dad and five small kids). I started my quest at 8:45am, on the website, and then the phone center opened at 9am. What a frustrating two hours. After talking to 11 people, from 4 different companies, do I know the answer to any of the questions? Not a single one. It all started with the vendor that the problem was outsourced to. I feel for those phone clerks, as they were provided almost no information. I then found a way to the carrier (a blog post in its own right), who didn’t know any more, but managed to transfer me to two other insurance companies, neither of whom had a clue why, as they didn’t have a breach and I was never their customer. My concern is that this means they don’t even know what was stolen, where it was stolen, whose information was stolen and more.

If they don’t know that about me, what about you? I honestly don’t know how you protect yourself. You can’t really go off the grid. I could do without credit cards, and go to cash, but I can’t do without utilities or health insurance. I also understand that identity theft is big business, but the protections taken by major companies feel so lax. This is the FIFTH major breach of our family in less than 18 months. My credit card, from a major bank, has been replaced three times (only one breach was their own).

So to the point of the post, for those still with me: If I was responsible for data security at any of these firms, I’d fire myself. There are solid, dependable companies doing security work. If your company has not hired one to test your security, do it. Do it today. You should be doing penetration tests, at least annually. You should have solid company policies on data access, and that access should be extremely limited. People need information to do their jobs, but they don’t need all the information. Does your company have a data governance policy? If not, start today.

We all know that IT budgets are limited and that our user communities, including our customers, want more and broader access. I just caution that you move with speed, but not without safeguards. Everything can be breached: your firewalls, your apps, your website and even, as in the case of one breach, your cash registers.

More important than all of this, though, is how you handle the breach when it occurs. Even with the most amazing safeguards, some pretty smart people, and governments, are hacking into private data. When it occurs, it should not be a shock to your company. You shouldn’t mobilize a task force after it happens. You should never consider this an IT problem – it is a major problem for the most senior levels of your company, and for your reputation. Your company probably has, I hope, an IT Disaster Recovery (DR) plan. Does it include a data breach? Many don’t. They worry about floods, power outages, even pandemics, but not a data breach. Even if your DR plan does include a data breach, are the actions your company will take fully laid out? If you are going to use a vendor, have they been chosen and briefed, and is the conduit of key information already prepped? Is the spokesman for your company prepared and ready to speak publicly immediately?

In my case, the time between the public announcement of the breach and the time we received the letter was over three months. Three months!

Hopefully this post will cause at least one reader to start asking questions in their company, and that those questions will be well received. You don’t want to be the next company in the news, do you?