December 12, 2016 by Angela Stelmakowich, Editor
Data breaches involving personal and health-related information are a “huge risk for those in the insurance industry” given that the shelf-life of the data likely runs as long as the affected individual remains alive, Kevvie Fowler, national leader of cyber response for KPMG in Canada, suggested at an industry event last week.
The sobering observation was made during a panel discussion, Navigating today and tomorrow's risk landscape, at KPMG's 25th Annual Insurance Issues Conference in downtown Toronto.
How long is the shelf life of personal and health-related information? “Hopefully, infinite, but in reality, as long as the individual who owns the record stays alive,” Fowler told attendees, estimating that would likely be “40 or 50 years on average.”
Citing a recent KPMG review of some top breaches – involving a million records or more and taking place from Dec. 2013 to the end of Apr. 2016 – he reported personal and health-related information was the category most often involved.
That sort of information – “other” and financial data were the other categories – includes “medical and insurance information, personally identifiable information, usernames, passwords, anything along those lines,” Fowler said.
“A lot of people in the insurance industry have” all three types of information, he pointed out. And the shelf life of personal and health-related information dwarfs that of the other information types, which is expected to be “a few weeks or a few months tops” before the breach is discovered and the records (payment cards, credentials) are cancelled.
Fowler argued that cyber criminals are looking for data with the longest possible expiry date. In some cases, criminals are “breaking into the banks, they’re walking right by the financial data and they’re downloading personal and health-related information.”
Other developing risks in the cyber space include cyber extortion-driven attacks.
“That’s a massive issue now for organizations,” including those in the insurance industry, Fowler said. These attacks can, for example, mean people are unable to get on a company website, make policy changes or apply for policies, he noted.
“It really brings organizations down to a screeching halt,” Fowler told attendees.
However, cyber criminals are not necessarily even hitting organizations before getting paid; they are simply threatening to attack.
Called proactive extortion, “instead of sending an email, trying to entice someone to click on a link to infect a machine or to open a delicious attachment,” Fowler said, criminals are just selecting an organization and sending an email containing a threat.
These emails, Fowler noted, might say something like the sender has not “done anything yet, but if you don’t pay us a ransom,” ransomware will be installed or the organization’s website will be taken down by a DDoS attack.
Consider the liability associated with a warning that was received, but ignored. It is “important that organizations have a protocol in place to actually deal with these to qualify them and, where required, to actually act on,” Fowler emphasized.
“Doing the right thing is half of the equation; being able to demonstrate proper oversight and governance at the senior levels of an organization is equally important to put yourself in a cyber-defensible position,” he said.
All companies need to keep on top of cyber security issues, Fowler advised.
Noting that Canada is expected to have mandatory breach notification requirements released early in 2017, he suggested that the obligations could promote more breach-related legal activity.
The United States and United Kingdom currently have the highest breach-related spending; they also have very strong breach notification laws and plenty of breach-related litigation, Fowler said.
That means when “a breach happens or if directors get sued, other individuals get sued, there’s a lot of precedence,” he explained.
Fowler expects that after Canada’s new requirements come into force, there will be an uptick in related activity here as well.
“If you go back even a few years ago, we had less than five cases before the courts relating to breach litigation,” he told attendees. “Now we have over 25 cases actively moving through the courts,” he reported.
“That precedence will now be set here in Canada. So if breaches happen, plaintiffs will be able to capitalize. And with victims capitalizing, of course, there will be greater impact on Canadian organizations,” Fowler added.