By Daniel J. Doherty, Global Insurance Executive
Just last week, the New York State Department of Financial Services (DFS) enacted a cybersecurity regulation that is the first of its kind in the United States. Now, banks, insurance companies and other financial services institutions regulated by the DFS are required to establish and maintain a cybersecurity program. The aim is to protect New York State consumers and financial institutions from the increasing threat of cyberattacks. This is a very real concern, as 66.2 percent of financial organizations faced at least one cybersecurity attack last year.
The key piece of the New York State DFS regulation is the strict requirement for protecting non-public information (NPI). This means payment card numbers, social security numbers (SSN), driver’s license numbers, birth dates, and other security codes must be encrypted both in transit and at rest. For insurers who regularly capture and store these pieces of information, compliance will be especially challenging. Just think of all the personal data that moves in and out of their call centers, with customers calling to pay a bill, change a policy or enroll in a new plan on a daily basis. And, under the New York State DFS regulation, the data isn’t the only thing that must be protected. Any information system that the data touches must be secured.
Another challenge that the US insurance industry will face under the new regulation involves call recordings. It is a known fact that a majority of insurers record all customer calls to demonstrate compliance with other existing legislation. Many rely on the practice of “stop/start” to block NPI, such as payment card numbers, from recordings by pausing the recording while the customer is reading out his or her card information. But stop/start systems are increasingly inadequate. If you’re required to record 100 percent of calls and are using a stop/start policy, guess what? You’re actually not recording the full call, and therefore you are not compliant. Moreover, who is to say that the agent isn’t dabbling in fraudulent activity while the recording is stopped? There’s also the concern that an agent may forget to stop the recording, unintentionally documenting the customer’s information and leaving it vulnerable in the event that the recording is breached.
While the New York State DFS regulation is a positive step toward safeguarding sensitive information and augmenting cybersecurity programs, it will surely come with its fair share of headaches. We will likely see similar regulations emerge – like the pending EU GDPR – so compliance will only become more difficult. Semafone is here to ease some of the burden by helping call centers keep NPI out of physical and IT infrastructures completely. As they say, criminals can’t hack the data you don’t hold. This solution effectively encrypts data as it is collected and as it is in motion, while reducing your stockpiles of data at rest – just waiting to become victim of a high-profile, brand-damaging data breach.
To learn more about the New York State DFS regulation and call center data security, read Ben Rafferty’s article in Insurance Thought Leadership here.