Security experts warn of increasing data breaches and privacy risks

By Anthony Brino
10:22 AM

On October 3, the data systems used by Nationwide Insurance agents were hacked, exposing the names, drivers license numbers, dates of birth and Social Security numbers of several thousand customers 

"We discovered the attack that day, and took immediate steps to contain the intrusion," the Ohio- based automotive and property insurance provider told customers. In early November, Nationwide confirmed the information and identities that were compromised and says no medical information or credit card numbers were stolen. The FBI is now investigating the incident.

Data breaches, via hacking and other exposures, are growing more common, information security analysts said at the Professional Liability Underwriting Society's (PLUS) recent conference in Chicago.  

The breaches are leading to more costs and occasionally fines, and more claims are being paid out, as the cyber liability market matures, said Jake Kouns, director of cyber security and technology risks underwriting at Markel Insurance.

In 2011, there were 1,041 recorded breaches in the form of personal identity losses, up from about 800 in 2010, according to a study by the research firm Advisen. Hacking accounted for 30 percent of data breaches in 2011, Advisen found; fraud accounted for 17 percent and stolen laptops for 9 percent. 

As of late November, there's been more than 1,800 data breaches in 2012, according to the Open Security Foundation's database.

[See also: 3 steps to HIPAA security in the cloud]

While data breaches are growing more common in part because of the increased connectivity between so many parties and locations, cloud-based data services and Software as a Service (SaaS) offer potential for stronger data protection than what many organizations can afford on their own, panelists at the PLUS conference said.

“From a business standpoint, the cloud is very compelling and may be safer," said Michael Carr, senior VP of errors and omissions underwriting at the insurance firm Argo Pro, as JDSupra reported.

Healthcare organizations are facing financial pressure already, and the risk of data breaches is something more are adapting to, in tandem with efforts to modernize IT systems, adopt electronic health records and join health information exchanges (HIEs). 

As some HIEs, health organizations and government agencies turn to cloud-based services, Carr said that cyber risk insurers are increasingly evaluating the use of cloud computing in underwriting assesments. Cyber insurance policies for both cloud-based systems and in-house data systems can get murky, Carr said, when vendor agreements don't always extend liability to data service providers.

Some of the largest data breaches in 2012 have hit healthcare organizations.

In April, Emory Healthcare in Atlanta said it misplaced 10 backup disks with information for more than 315,000 patients. In February, St. Joseph Health System in California told about 31,800 patients that some of their medical information may have shown up on internet searches after a series of incorrect settings on provider's software system for in-patient services.