Securing Personally Identifiable Information: Are You and Your Vendor on the Same Page?
By Naomi Botuck, CPCU, Director of SBU1/SBU2 Application Development, ISO
Technological advances over the past decade or so have made it possible for detailed personal information about individuals to be compiled and shared more quickly, easily, and cost-effectively than ever. And while the benefits to business, consumers, and society as a whole are numerous, a flurry of protection and privacy issues arise with each new advance.
For state and federal regulators, securing personal information has become a major concern, especially in the healthcare and financial industries. Fearing identity theft and other exposure from breaches in computer security, individuals have demanded accountability from corporations, organizations, and agencies that handle their personal data. State and federal regulators have responded with numerous pieces of legislation to enforce companies’ privacy promises about how they collect, use, and secure consumers’ personal information.
In the field of workers comp, the amount of personally identifiable information collected and electronically transported is enormous. With every claim, there are numerous pieces of personally identifiable information. For example, the online filing of an employer’s first report of injury (FROI) requires certain personal information for the individual and/or company submitting the report and the name, birth date, contact information (such as addresses and telephone numbers), Social Security number, wage rate, nature of accident and injury, initial treating medical provider, medical information, and other personal information for the injured worker. And, as its name states, the FROI submission is just the first of potentially many data transactions related to a claim.
Because litigation involving data privacy and security is growing, it’s critical for workers comp carriers to ensure the ongoing security and integrity not only of their own data-transport systems but also of the vendor systems they work with.
Vendors should be using stringent, industry-recognized security measures to protect against loss, misuse, and unauthorized viewing of the information you provide to them. And you should hold their systems up to the same scrutiny you use when evaluating and monitoring your own systems.
Any vendor you exchange data with should be maintaining physical, electronic, and procedural safeguards that comply with all state and federal regulations to guard nonpublic personal information. Before entrusting the personally identifiable information you are responsible for to any vendor, make sure you know what you’re dealing with.
Do they follow recognized best practices, including documented data-protection procedures and the hardware and software controls that enforce them, to protect system and data privacy and integrity? Are firewalls in place on every system reachable from the Internet? Is every transmission of submitted information protected in transit with TLS (Transport Layer Security, the successor to Secure Sockets Layer, or SSL)? Note that the SSL protocol versions themselves are deprecated and should no longer be accepted, and that transport encryption protects data only while it travels between the two endpoints of a connection; data stored on the vendor's systems must be protected separately.
Does the vendor use physical and procedural safeguards that include tiered access levels for electronically collected data and for physical entry to data storage facilities, encryption of off-site backup media, and full-disk encryption of laptops and other company computers used off-site? Does the vendor limit access to identifying personal information to those with a bona fide business purpose for it? Has the vendor instructed those with access on the importance of keeping such information confidential?
Is the vendor monitoring its systems and networks to detect irregularities or suspicious access behavior? Does the vendor have a documented incident response plan with procedures and protocols to follow when suspicious activity is found? Has it engaged a trusted outside firm to monitor those systems, provide security alerts, and take proactive action against possible or presumed threats? Has an independent auditing firm reviewed both the vendor's documented procedures and how those procedures are actually carried out in operation?
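One way to turn the transport-encryption question above into a repeatable check, as an added example that is not part of the original article or of ISO's own tooling: the script below connects to a vendor endpoint (the hostname is a placeholder you supply), lets Python's certificate-verifying default context perform the handshake, and grades what was negotiated against a policy whose thresholds are assumptions for this example (TLS 1.2 or later, at least a 128-bit cipher, certificate not within 30 days of expiry). The grading logic is kept separate from the network probe so it can be exercised without a live connection.

```python
import socket
import ssl
import time

# Policy thresholds: assumed for this example, adjust to your own standard.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # deprecated protocol versions
MIN_CIPHER_BITS = 128
EXPIRY_WARN_DAYS = 30


def evaluate_handshake(version, cipher_bits, not_after, now=None):
    """Grade one observed TLS handshake against the policy above.

    version:     protocol string as SSLSocket.version() reports it, e.g. "TLSv1.3"
    cipher_bits: symmetric key strength, the third element of SSLSocket.cipher()
    not_after:   certificate expiry as a Unix timestamp
    Returns a list of findings; an empty list means the endpoint passes.
    """
    now = time.time() if now is None else now
    findings = []
    if version in LEGACY_VERSIONS:
        findings.append(f"negotiated {version}: SSL and TLS below 1.2 are deprecated")
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"weak cipher: {cipher_bits}-bit key")
    days_left = (not_after - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {int(days_left)} days")
    return findings


def probe_endpoint(host, port=443, timeout=5.0):
    """Connect to host:port and return findings, or one finding if the handshake fails.

    ssl.create_default_context() verifies the chain against the system trust store,
    checks that the certificate matches the hostname, and on current Python refuses
    anything older than TLS 1.2, so a handshake error is itself a finding.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after = ssl.cert_time_to_seconds(cert["notAfter"])
                _name, _proto, bits = tls.cipher()
                return evaluate_handshake(tls.version(), bits, not_after)
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate failed verification: {exc.verify_message}"]
    except (ssl.SSLError, OSError) as exc:
        return [f"handshake failed (legacy protocol only, or unreachable?): {exc}"]


if __name__ == "__main__":
    import sys

    # Placeholder host: replace with the vendor endpoint you are evaluating.
    host = sys.argv[1] if len(sys.argv) > 1 else "vendor.example"
    for finding in probe_endpoint(host) or ["no findings"]:
        print(f"{host}: {finding}")
```

Run it against each vendor endpoint that receives claim data; an empty finding list is the expected result, and any finding is a question to put to the vendor before the next data exchange.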
Does the vendor’s system have current certification from a recognized independent information security services company, such as Cybertrust? These companies provide a thorough examination, review, and validation of a company’s security controls, policies, and procedures. For example, Cybertrust, one of the world’s largest providers of information security, uses a certification methodology that addresses threats across six categories of risk — electronic threats and vulnerabilities, malicious code, privacy issues, human factors, physical environment, and downtime issues. Cybertrust’s evaluation procedures under its perimeter certification security assurance program include external and internal network scanning of critical devices in the perimeter network, a network configuration review, on-site assessments of the physical environment, and reviews of information security policies and procedures.
And finally, is the vendor committed to ongoing testing and updating of its technology and security measures to protect personal information?
Choose your vendors with care. With increasing litigation and government actions designed to protect the privacy of consumers, you’ll want to be sure that vendors you entrust to transport nonpublic personal information related to your workers comp claims place the same level of importance on data security as you do.