Spurred by the prescient reporting found in this space (and, just maybe, by the Anthem data breach, which occurred a week later), insurance regulators have recently engaged in a flurry of regulatory activity relating to cyber security issues.

a lead state in the multi-state combined financial and market conduct examination. The financial and market conduct examinations will investigate all aspects of the data breach. A major component will include analyzing Anthem’s information technology systems to determine what protections were in place and what actions could have been taken to minimize data losses.

  • The New York Department of Financial Services created an Anthem consumer alert page, as well.
  • On the same day, New York also released a “Report on Cyber Security in the Insurance Sector.” The report summarized the findings of a DFS cybersecurity survey, conducted from 2013 through 2014, which drew responses from a significant cross-section of regulated insurance companies. The survey questioned a total of 43 insurance providers (21 health insurers, 12 property and casualty insurers, and 10 life insurers) about their information security framework; about the budget and costs associated with cybersecurity; about corporate governance around cybersecurity; and about their cybersecurity plans.

The DFS also reviewed the enterprise risk management (ERM) reports that insurers were required to file for the first time in 2014.  (By statute, ERM reports must now be filed every April 30.)  These reports informed the DFS’s understanding of how cybersecurity fits into an insurer’s overall risk management strategy. In the coming months, the Department will proceed with initiatives to help regulated insurers strengthen their cybersecurity protections. These initiatives will include implementing enhanced regulations that require institutions to meet heightened cybersecurity standards; researching the possibility of stronger third-party vendor warranties and representations to insurers; and including cybersecurity assessments in the DFS’s examination process.

On the subject of third-party vendors, DFS Superintendent Benjamin Lawsky noted that “the regulations we’re considering include getting warranties from third party vendors about their security protections.”  The Superintendent explained, “The fear we all have is for a catastrophic attack to occur that would cause us to look around and ask why we didn’t have these regulations in place.”

  • Compare these efforts to the Connecticut Insurance Department’s new requirements in its examinations of insurers, mentioned in our recent blog post. Connecticut’s Financial Analysis unit now routinely includes analysis of each insurer’s cybersecurity protocols and procedures, including incident reporting and escalation procedures, backup and recovery procedures, and penetration testing.

Making Encryption the Norm

A number of putative class actions based on the data breach have already been filed against Anthem.  A recurring theme of the complaints in those actions is Anthem’s alleged failure to encrypt personal and private consumer data.  As one commentator noted:

Insurers aren’t required to encrypt consumers’ data under a 1990s federal law that remains the foundation for health care privacy in the Internet age – an omission that seems striking in light of the major cyberattack against Anthem … Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish.  Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted … The main federal health privacy law – the Health Insurance Portability and Accountability Act, or HIPAA – encourages encryption, but doesn’t require it.

  • Where HIPAA and other federal laws fall short in requiring encryption of personal data, states have stepped into the void. New Jersey saw a bill requiring encryption by health insurers signed into law in January 2015. The law states that health insurers

shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.

The statute states expressly that compliance requires more than the use of a password-protection computer program: the information must be rendered “unreadable, undecipherable, or otherwise unusable” by anyone who manages to bypass the password protection. In practice that means the stored data itself must be encrypted, so that an intruder who reads the database, a backup or a disk directly, rather than through the application’s login, obtains only ciphertext.

According to cybersecurity experts, current encryption technology can also limit the amount of data that even ‘authorized users’ can view at one time: when records or fields are encrypted under separate keys rather than the whole database under a single key, a compromised credential or key exposes only the records it covers, which makes it more difficult to compromise massive amounts of data in one go. An effort is underway across technology industries to make encryption the norm. Google, for example, has moved Gmail, YouTube and Google search to encrypted (HTTPS) connections for users, though that is encryption in transit; the New Jersey statute concerns data at rest, the stored records an intruder reads after getting past the login.
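The distinction the statute draws, a login gate in front of plaintext versus records that are unreadable to anyone who bypasses that gate, is easiest to see in code. The following Go program is an added illustration written for this post, not code from Anthem, a regulator or any insurer. It models two stores holding a constructed sample record: a password-only store that keeps rows in the clear, and a store that seals each row with AES-256-GCM under a per-record key. Reading the storage directly (as a stolen backup or a database dump would) yields the SSN from the first and only ciphertext from the second, and an authorized read decrypts one row at a time. Deriving per-record keys with HMAC-SHA256 is an assumption made to keep the example self-contained; a real deployment would use a proper KDF or a key management service.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// rawDump models an intruder (or a stolen backup) reading storage directly,
// bypassing whatever login the application put in front of it.
func rawDump(rows map[string][]byte) []byte {
	var out []byte
	for _, r := range rows {
		out = append(out, r...)
	}
	return out
}

// PasswordOnlyStore keeps rows in the clear behind an application login; the
// login is its only control, so a raw read of storage yields the plaintext.
type PasswordOnlyStore map[string][]byte

func (s PasswordOnlyStore) Put(id string, rec []byte) { s[id] = append([]byte(nil), rec...) }
func (s PasswordOnlyStore) RawDump() []byte           { return rawDump(s) }

// EncryptedStore seals every row with AES-256-GCM under its own per-record key,
// so storage holds only ciphertext and an authorized read yields one row at a time.
type EncryptedStore struct {
	master []byte
	rows   map[string][]byte
}

func NewEncryptedStore(master []byte) *EncryptedStore {
	return &EncryptedStore{master: master, rows: map[string][]byte{}}
}

// recordKey derives a distinct 256-bit key per record from the master key.
// HMAC-SHA256 stands in for a real KDF or KMS here (assumption, for illustration).
func recordKey(master []byte, id string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("record-key:" + id))
	return m.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, with a fresh random nonce per write
// and the record id bound as associated data.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal fails (rather than returning garbage) on a wrong key, a tampered row,
// or a row copied under a different id.
func unseal(key, aad, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(stored) < n {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, stored[:n], stored[n:], aad)
}

func (s *EncryptedStore) Put(id string, rec []byte) error {
	ct, err := seal(recordKey(s.master, id), []byte(id), rec)
	if err != nil {
		return err
	}
	s.rows[id] = ct
	return nil
}

func (s *EncryptedStore) Get(id string) ([]byte, error) {
	ct, ok := s.rows[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	return unseal(recordKey(s.master, id), []byte(id), ct)
}

func (s *EncryptedStore) RawDump() []byte { return rawDump(s.rows) }

func main() {
	ssn := []byte("SSN=123-45-6789") // constructed sample, not a real record
	p := PasswordOnlyStore{}
	p.Put("member-1", ssn)
	fmt.Println("password-only store exposes SSN on raw read:", bytes.Contains(p.RawDump(), ssn))

	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	e := NewEncryptedStore(master)
	if err := e.Put("member-1", ssn); err != nil {
		panic(err)
	}
	fmt.Println("encrypted store exposes SSN on raw read:    ", bytes.Contains(e.RawDump(), ssn))
	rec, err := e.Get("member-1")
	fmt.Printf("authorized read of one row: %q (err=%v)\n", rec, err)
}
```

Two design points matter for the statute’s “unusable by an unauthorized person” standard. First, the master key must live somewhere the database dump does not (an HSM, a KMS, or at least a separate host); a key stored next to the ciphertext turns encryption back into password protection. Second, binding the record id as associated data and using an authenticated mode means a wrong key, a tampered row, or a row moved under another id fails outright instead of decrypting to something plausible.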

So far, the encryption legislation appears to focus on health insurers, an example, no doubt, of Monday-morning quarterbacking after the Anthem breach. But property-casualty insurers, life insurers, reinsurers and the third parties with which they deal also store vast, and increasing, amounts of confidential financial and medical data about consumers and businesses. We can therefore expect the initiatives already underway to expand and broaden. And just as surely as insurers and others will be working to meet new regulatory requirements for data encryption, hackers and others are working on ways to defeat it, less often by breaking the ciphers themselves than by stealing keys, abusing authorized credentials, and reading data where it sits decrypted in use.