The intersection of valuable and personally identifiable digitized information and the increasing incidence of cybersecurity breaches makes the creation and maintenance of a cybersecurity plan one of the most pressing concerns for every insurer doing business in the U.S. This article lays out a basic framework for a cybersecurity plan, an insurer, particularly an insurer holding health data, can use when designing and updating its cybersecurity program.

The news has been full of reports of cyberattacks on American businesses and the resulting breaches of companies’—and their customers’—most sensitive data. Insurers, particularly health insurers, are not immune to these attacks; criminal attacks in health care are up 125 percent since 2010, and are now the leading cause of data breaches. However, health insurers are not the only insurers that maintain the kind of medical and personal information that has been the targeted: Carriers writing accidental death and dismemberment, disability and long-term care insurance also have reason to gather and retain sensitive medical information, which could make them targets. Auto insurers and other liability writers may gather detailed personal information about both insureds and claimants who have suffered bodily injury. So it is not terribly surprising that in June 2015, the North Dakota state workers compensation carrier announced that its server suffered a breach that may have led to the disclosure of consumer information. And other insurers also maintain information other than health data that could be a tempting crime target. For example, financial guaranty companies have detailed financial information on their insureds, while surety companies may also obtain detailed financial pictures of individuals as well as businesses.

Originally published in Bloomberg BNA's Privacy & Security Law Report, 14 PVLR 1545, 08/24/2015.