The New York Attorney General’s Office (NYAG) this year released a report outlining a record number of data breach notices filed with the office in 2017 – the highest since NYAG started receiving data breach notices in 2006.
In the report, the office stated in 2017, companies and other entities reported 1,583 data breaches to NYAG, exposing the personal records of 9.2 million New Yorkers – quadruple the number of New Yorkers impacted in 2016.
“The increase in data breaches will only continue as the migration from paper to digital continues,” said Steven Anderson, vice president of underwriting and product executive for cyber liability, privacy, network security and technology and E&O insurance products at QBE North America. “Data in many ways has become a commodity, and there are those who want to exploit someone else’s data so that they can profit either by selling that data or exploiting those in possession through the use of ransomware or other threat technologies.”
The NYAG report explained that New Yorkers’ exposed information in 2017 consisted primarily of social security numbers, which accounted for 40% of records exposed. This was followed by financial account information, such as credit card numbers, accounting for 33% of records exposed.
Hacking was the leading cause of the data security breaches at 44%, with another 25% of breaches due to negligence. The report attributed the increase in reported data breaches largely to the Equifax breach.
“It’s pretty clear that data breaches across the board are up, and therefore, more New Yorkers are impacted,” said Paige Schaffer, president and chief operating officer of Generali Global Assistance’s Identity and Digital Protection Services Global Unit. “I think one of the biggest reasons is the big breach with Equifax that we saw in 2017 that affected roughly half the population. The information is what’s critical in that – it included names, social security numbers, birth dates, addresses and even driver’s license numbers.”
Schaffer added that in New York, about 8.5 million residents were affected by the Equifax breach.
“Increasingly, there’s a trend of large-scale data breaches,” she said. “There are vast numbers of people impacted, and it could mean that hackers are getting savvier; that their methods are more successful than perhaps they were in the past. Either way, every year we’re just seeing more and more records being compromised.”
Indeed, this year’s NYAG report echoes trends identified in prior reports. In 2016, NYAG reported a record 1,281 data breach notices, representing a 60% increase over the 2015 reporting year. The 2016 breaches exposed the personal records of 1.6 million New Yorkers, representing a threefold increase over the prior year.
The 2017 breaches shattered those records, the report said. There were also a higher number of breaches affecting smaller amounts of people than in 2016.
The report pointed to Equifax as one of two mega-breaches (a breach that affects more than 100,000 New Yorkers) occurring in 2017. The next most voluminous breach occurred at Gamestop, which was discovered by the company on April 18, 2017. In this breach, more than 111,000 New Yorkers had their financial information exposed to hackers, the report said.
In addition to the two mega breaches, more than 30,000 New Yorkers had their financial information exposed after large breaches at the Online Traffic School, Polish & Slavic Federal Credit Union, InterContinental Hotels Group and Spiraledge Inc. Eleven more breaches that compromised between 10,000 and 30,000 New Yorkers’ personal information were reported in 2017, the report added.
Insurance Company Challenges
Challenges exist in the data breach space for insurance companies in particular as they require a “treasure trove” of stored sensitive information in order to do business with customers, Schaffer said.
“They are already a prime target for fraudsters, and while studies show financial institutions are the most targeted, insurance companies are right along with them,” she said, emphasizing that it is important for insurance companies to strengthen security procedures and always be at the forefront of developing new data security technologies.
“The other challenge is that consumers typically look at their insurance provider as someone they can trust and rely on,” she stated. “We’ve got research from an identity protection standpoint, and really, in the top three for who folks are comfortable buying identity theft protection from is insurance providers.”
As hacks seem to be evolving constantly, insurance companies should make sure their policies are ever-changing as well in order to keep up with emerging threats, Anderson said, adding that the insurance industry has seen success in continuing to grow from 15-20 years ago.
“For example, coverages such as business interruption, contingent business interruption and system failure were unheard of two years ago, but now those coverages are prevalent in the marketplace,” he said.
Initially, a policy with limited coverage was offered with no pre- or post-breach assistance, he explained, but now carriers offer expertise on the front-end before a breach occurs in order to mitigate the risk and cost.
“The challenge comes in making sure that the insureds and potential clients of the carrier see the insurance company as the expert and partner in these types of services, rather than just someone who can pay claims,” Anderson explained.
Preparing for a Breach
Schaffer stated that it’s also important for insurance companies to review the data they’re collecting and only collect what’s necessary to do business.
“If you don’t need it, don’t collect it,” she said. “After all, hackers can’t steal what you don’t have.”
Pat Cox, CEO of telecommunications security company TRUSTID, added that one solution to these challenges for insurance companies could come as the industry begins to rethink customer authentication strategies.
“Any industry that protects monetary assets by authenticating customers using their knowledge of accounts or their credit history is vulnerable to fraud because, thanks to data breaches, criminals have easy access to that information,” he said.
The proliferation of customer data on the dark web means that insurance companies need to rethink how much, if at all, they will rely on customers’ knowledge of personal information to grant account access, he stated.
He encouraged insurers to move quickly to reduce reliance on knowledge-based authentication and use more secure authentication approaches. For example, online channels could employ dynamic personal identification number (PIN) code generators or one-time password lists, while phone channels could use pre-answer authentication based on physical possession of a phone registered to a customer. Biometric approaches, such as voice analytics technology, are also making advances, although this technology can present its own set of challenges.
“As long as callers are authenticated based on their responses to questions about personal information, insurance companies will be vulnerable to account takeovers by fraudsters who can also answer those questions,” Cox said. “Selecting the right authentication technology can be a win-win-win that results in more satisfied customers, decreased costs and improved fraud fighting.”
At the end of the day, however, Schaffer warned that no matter how robust and secure a company’s security mechanisms are, nobody can be 100% protected from cyber threats. With this in mind, she encouraged companies to make cybersecurity a top priority that is reflected in all aspects of their business.
“It’s more ‘when’ not ‘if’ – that’s now the mainstay in cybersecurity,” she said. “The organizations that’ll fair the best in a data breach are the ones that are best prepared.”
Was this article valuable?
Here are more articles you may enjoy.