From the Trust Perspective: Data security is a must for our organizations

by Bob Haynes, League Associate Director, Risk Management Services

Data security continues to be a hot topic in the news as we hear on a routine basis of organizations that have been victimized by hackers, poor policy or inadequate security training for employees. At the League, we recognize that, in the administration of your benefits as well as in the management of various meetings and conferences, we are either the custodian or a conduit for sensitive information. This could be credit card numbers, personally identifiable information, or protected health information. As a result of this recognition, we have completed a payment card industry audit as well as a Health Insurance Portability and Accountability Act, also known as HIPAA, security audit to assess our current practices and determine how to shore up our weaknesses. We have implemented the recommendations of each audit.

Overall, our HIPAA audit was positive. According to the auditors, "the League has some areas of improvement remaining, but overall, presents a secure environment for the non-public information processed as part of its health-plan related activities."

Nevertheless, the audit was enlightening as to the scope of potential vulnerabilities. Specifically, the audits assessed: administrative safeguards such as assigned security responsibility, security awareness and training, security incident procedures, contingency planning, etc.; physical safeguards such as facility access, workstation use, etc.; and technical safeguards such as wireless security.

We often think of data security as just the technical safeguards and tactics – like firewalls – to thwart hackers. However, we have learned that data security is much more than that. A solid data security program will include security awareness training for our employees, established procedures to follow in the event of a breach, and physical safeguards on and within the premises to protect data (from fire, theft, etc.).

We strongly encourage you to question whether you have done all that is necessary to build your own security program.

A good first step is to recognize that you probably have more data than you realize. For example, you may not store credit card numbers, but there may be a vulnerability if they pass through your systems. Additionally, vulnerabilities could exist in how you handle employee records, assess workers' compensation claims, or use the Criminal Justice Information System for police – just to name a few.

Members of the property/liability insurance trust have free access to our e-Risk Hub at rms.nclm.org. Several valuable resources can be accessed, including:

  • Data Breach Cost Calculator within the Risk Manager Tools section to determine estimated costs for notification, credit monitoring, and PCI or HIPAA fines;
  • Employee security awareness training;
  • A checklist of activities in the event of a data breach;
  • Sample policies for mobile computing, personal device use, security policy 101, and more;
  • Templates and guides that can be used as a starting point for establishing a data breach response initiative.

A breach most often occurs because of failure to take relatively simple steps to improve security. It can happen because of something as innocuous as a simple mouse click by an employee untrained to recognize a phishing email or the lack of encryption on a laptop. Now is the time to address this important issue.