Security is Not an Afterthought

Over the weekend the Washington Post reported that Facebook allowed user data access to an app developer called Cambridge Analytica. The app developer collected the data using the permissions granted to it by Facebook under its Terms of Service. The big data of 50 million people was used to help the 2016 Trump Campaign. Data collected included education, work history, birth dates, likes, relationship status, religion, and political affiliation.

Here are the issues:

  1. While permission was sought from the individuals whose account it was, no permission was given or sought from the person’s friends.
  2. The data shared went beyond the privacy settings the users established in Facebook, even if they gave permission to the app.
  3. There is a consent decree between Facebook and the FTC mandating privacy protections. The maximum fine for violating the decree is $40,000 per person. At 50 million people, that is potentially millions or hundreds of millions of dollars in fines.
  4. Mark Zuckerberg initially tried to delegate the response to this mess to his legal team. On 3/21/18, he went on CNN and said “he was sorry it happened.”

Sorry is not good enough. Mark Zuckerberg admitted that he doesn’t know if there are other apps that are doing the same thing. He will need to do forensic audits of possibly hundreds of apps. EU and US privacy rules have been broken. There are calls for Mark Zuckerberg to testify to various committees in the UK, US, and EU. Massachusetts and Pennsylvania have opened investigations. Fifty billion in market capitalization of Facebook has disappeared this week alone!! This is just the latest example of security issues bringing a firm down. Think of Experian or Target. Experian is being sued by San Diego this week for a data breach of 3.1 million people, including 250,000 in San Diego.

What are the lessons for insurance CIOs? Security matters. Security is not an afterthought. If you ignore regulations that govern data privacy and security, your firm's reputation, your reputation, and possibly the firm itself can be destroyed. The stakes are high. Did I mention that the stakes are high? Numerous laws have emerged, such as the New York State Cybersecurity Regulation, which went into effect in 2017, and the General Data Protection Regulation in the EU, which goes into effect in May 2018. More security regulations will emerge across insurance. Yet we still hear some CISOs say that their CEO wants to spend the least amount possible on security and that security needs to be prioritized against other IT projects within an overall fixed IT budget. Some CEOs won't spend the money for a CISO, believing another executive can handle security in their spare time. NIST audits are a must. Remediation must occur, and a good-faith effort to address security deficiencies and protect consumer data, including health data, must be made.

I hope I won’t be reading about your carrier in next week’s news.
