Beyond PCI Compliance: The Data Security Standards All Insurers Must Know
Insurance companies process massive amounts of sensitive information for every policyholder, including payment data. A single security lapse can expose that data to misuse, theft, and other forms of fraud. Even without a breach, the consequences of improper data management can be steep.
In this article, we’ll explore how and why data security standards are enforced, and what can happen if your company is out of compliance.
Monitoring Security Standards
Financial Industry Regulations
Some of the regulations are administered within the private sector. Perhaps the most well-known payment security measure is PCI compliance. Mandatory for every business that accepts, processes, stores, or transmits credit card information, the Payment Card Industry provides a comprehensive set of data security standards (PCI DSS) designed to protect payment information.
Beyond PCI compliance, each credit card company (Visa, MasterCard, Amex, Discover) has its own distinct requirements that businesses must follow to process that company's card type. Meanwhile, all electronic fund transfers are regulated by the National Automated Clearing House Association (NACHA). The American Institute of Certified Public Accountants (AICPA) also performs a comprehensive audit to ensure all personally identifiable information is protected through an approved set of Service Organization Controls (SOC).
Government agencies are also responsible for enforcing security standards. One example is the Gramm-Leach-Bliley Act (GLBA), enacted by the Federal Trade Commission (FTC). The GLBA requires financial institutions to safeguard personally identifiable information and disclose any data-sharing practices to their customers. The Federal Communications Commission (FCC), the U.S. Department of Health and Human Services (HHS), and the U.S. Department of the Treasury all have their own extensive lists of regulations that companies must follow when handling sensitive information.
Compliance Evaluation Methods
Each regulating body determines compliance according to its own standards and policies. In general, compliance is measured through an accredited third-party audit, a verified self-report, a remote or onsite network scan, or some combination of these.
Security
Data protection guidelines and mandates are designed to minimize the risk of a breach. Your level of compliance provides a valuable measurement of your company’s current security systems and processes. If you find you are struggling to maintain the standards set forth by governing agencies, it is a good indication that you have security gaps that must be addressed.
Liability & Risk
Whether it’s a malicious attack or simple human error, there is always some degree of vulnerability, no matter how slight. If your company does experience a breach, your compliance certifications demonstrate that you have taken every precaution set forth by security experts.
Security can affect your reputation in both directions. Showing compliance with industry security standards gives your customers and prospects more reason to trust you with their business. Conversely, if you have any security gaps and experience a breach, confidence in your business will drop dramatically, and, in some cases, irreversibly.
The Cost of Noncompliance
Penalties
Depending upon the nature of your non-compliance, consequences can include anything from a simple warning to high-impact penalties, including:
- Termination of rights to accept a particular card type,
- Punitive fines (upwards of hundreds of thousands of dollars),
- Responsibility to reimburse all related losses and legal fees, and
- Jail time, if found complicit in a crime.
According to a recent article in the Journal of Marketing, “a single data security incident can inflict serious damage to the firm's reputation, lead to significant customer churn, and increase customer acquisition costs.”
High-profile breaches have been shown to affect the stock prices and reputations of larger enterprises, though many have the resources and public loyalty to recover. Small- and medium-sized businesses, however, can find themselves in an even more precarious position following a breach: they often lack years of established trust, which leaves them more vulnerable to customer churn and customer acquisition challenges.
Vulnerability to Data Breach
If your company is not able to keep up with the necessary security measures, you are probably also leaving your data open to fraud. The standards are updated regularly to address increasingly sophisticated technology and methods of attack, which is why the reviews and audits occur so frequently. More than just a legal and procedural issue, compliance guidelines are a way to ensure you are taking the important measures needed to secure your data.
Compliance Challenges and Solutions
The resource-intensive process of achieving and maintaining compliance can be cost-prohibitive, and unfortunately, many companies are struggling to keep up. Compliance demands a dedicated, ongoing commitment from multiple departments — including IT, Accounting, Legal, and Human Resources — to constantly monitor, adapt, update, communicate, and report on security measures.
One way to dramatically reduce the burden on your internal team is to partner with a 100% compliant third-party provider. Your payments provider will securely manage all your payment data, keeping it off your network, and therefore assuming the vast majority of compliance requirements.
For more details on data security standards, visit our compliance certifications page.
As the lead writer at One Inc, Patricia is passionate about helping insurance companies successfully overcome modern industry challenges. She offers news, stories, and tips to help insurance professionals improve sales and retention, enjoy greater operational efficiency, and provide the most value to their policyholders.