Sunday, February 8, 2015

Insurance Companies and Other Large Soft Data Targets

Insurance is supposed to make you feel more secure, but it is having the opposite effect this week after a data leak at one of the largest insurance companies in the United States. The Anthem data leak affects around 80 million customers, which makes it sound similar in size to the 2014 JPMorgan address book data leak. In truth, the Anthem data leak is far more serious. The leaked data included not just names and addresses, but dates of birth and Social Security numbers. For most customers, the leak also included information about employment history and the identity of immediate relatives. Now your confidential personal information is in a criminal organization’s data warehouse in China — or at least, that is investigators’ best guess as to where all that data went. Feeling secure yet?

The insurance industry is a large soft target for criminals wanting to steal personal data. Its information technology is a generation behind the technology that you find in retail and banking, two of the more obvious targets. Anthem in a statement said it had state-of-the-art information security technology, and that is surely true, but that wasn’t the technology that gave way when intruders broke in and started poking around. Anthem’s statement is like boasting about the burglar alarms on your windows while you leave your doors unlocked. But Anthem is one of the largest and wealthiest insurance companies ever. There are hundreds of insurance companies that couldn’t afford the kind of technology that Anthem has. Many, I feel sure, don’t have the capacity to tell when outsiders have broken into their data. That means the number of insurance company data breaches is fundamentally unknown.

There are other large soft data targets that I hope are already thinking about how they can bring their technology up to the level of retail, at least. You might think of schools and hospitals, but what about government tax and licensing authorities? Many of these government agencies operate on equipment so old they would actually save money if they could upgrade to an off-the-shelf retail-style system.

Pundits agree that we will see many more of these large data leaks. It is inevitable just because of flaws in management culture. I describe it as management by failure: the strategy is to wait until you see something break, and only then take a close look at what could go wrong.

“Management by failure” sounds like a mistake, but I am not sure it is. The typical large business enterprise is so complex, awkward, and unwieldy that senior managers couldn’t possibly keep track of the essential operational details. What else would you want managers to focus on but the most pressing problems that have the potential to bring down the company? And so, these large data leaks and other similar failures are perhaps just the price we pay for doing business with such large and ultimately unmanageable businesses.