Securing Data Security
Amalgamated Family of Companies moved to a more automated, rules-based data security solution that ensures encryption and compliance.
Insurance Networking News, May 1, 2012
Should data security be automated to the point where the process of achieving it is completely invisible to end users? Automation is the holy grail of data security to many security experts and vendors who envision the day when information is locked down and secured before anyone touches it.
However, not everybody agrees with this goal, arguing that long-term data security may be more assured when informed users are part of the process. That's a view shared by Richard Timbol, security manager at Amalgamated Family of Companies, who sees data security as an employee's responsibility as much as the company's. "If you put too much responsibility on the corporate side, you're doing a disservice by not improving the education level of your employees, of their responsibilities to protect live data," he says. "It's good for employees to have that knowledge. We believe in a strong security awareness posture, and not just to have a bunch of big brother rules forced upon employees."
Amalgamated is a group of companies that includes a life and health insurer, a property/casualty brokerage, a third-party administrator, a medical management firm, a computer outsourcing company and a printing and graphics company. Across the various business units, employees and applications manage large volumes of sensitive data every day, including insurance policies, customer health information and other personal data. "Up to 75 percent of our data is sensitive data," Timbol says. "We manage a lot of health information and data for our clients. So that's a significant part of the data we generate on a daily basis."
Thus, ensuring the security of this data and compliance with industry standards such as the Health Insurance Portability and Accountability Act (HIPAA) is a high priority. "At the end of the day, regardless of what our business lines are and what we're doing, we handle a lot of personal information," says Timbol. "We need to ensure that we're providing our clients with the best privacy possible, as well as complying with all of the various state and federal regulations."
Data security has many fault lines, and among the most prominent is e-mail. Amalgamated employees exchange significant amounts of information with partners and customers via e-mail messages. To meet security requirements, the company originally relied on employees to manually encrypt messages containing sensitive data. However, this manual approach posed risks, such as employees not understanding when a message needed to be encrypted, or failing to notice a Social Security number or other sensitive data hidden at the bottom of a message forwarded to them after multiple back-and-forth exchanges.
Inbound e-mail filtering also posed problems. The company lacked the ability to provide detailed, customized reports on what was being blocked. This made it impossible for the company to investigate false positives, an important business requirement. "We have a couple of scenarios," says Timbol. "There's corporate-to-corporate data: Whether we're the covered entity or the business associate, we have to trade information with our vendors. So we have to ensure that transmission is secure. Then, of course, we also communicate directly with the end users of the information."
To address these concerns and meet privacy and HIPAA compliance standards, Amalgamated moved to a more automated, rules-based solution based on Proofpoint Enterprise Privacy, a data loss prevention suite.
Amalgamated's approach is to automate much of the protection of this information, but still keep employees engaged in the process. The challenge, Timbol explains, is that if you do everything in the background, you take the responsibility away from the employees, who then don't know what's going on. "We believe very firmly that every employee should be a guardian of that information. We didn't want to totally take away the responsibility from them. We wanted them to be aware of what they need to be secure."
At the same time, Timbol continues, "we didn't want to put too much of the onus on the individual. Everyone has bad days, right? Someone may forget to encrypt a message, especially if they're in a hurry, or get sidetracked. These things happen."
The key, Timbol continues, was to be able to provide a data security "safety net." If the individual "mistakenly did not do what they needed to do to protect the information, then we had a process in place that would ensure that the data is still secured."
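As an added illustration (not Proofpoint's code or Amalgamated's configuration), the following Python sketch shows what such a rules-based safety net does: it scans every text part of an outbound message, including quoted forwards buried at the bottom of a thread, for Social Security number patterns, discards values that cannot be real SSNs, and returns an encrypt/allow decision with per-match evidence an administrator can use to investigate false positives. The SSN pattern, the plausibility rules and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message

# Formatted U.S. Social Security number (NNN-NN-NNNN); the pattern is an assumption.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def message_text(msg: Message) -> str:
    """Concatenate every text/plain part, so quoted replies and forwards are scanned too."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def evaluate_outbound(raw_message: str) -> dict:
    """Safety net: decide whether an outbound message must be encrypted, with evidence for review."""
    text = message_text(message_from_string(raw_message))
    hits = []
    for m in SSN_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1  # 1-based line within the body text
        hits.append({"line": line_no, "plausible": is_plausible_ssn(*m.groups())})
    confirmed = [h for h in hits if h["plausible"]]
    return {"action": "encrypt" if confirmed else "allow", "matches": hits}


# Constructed sample message: the SSN sits at the bottom of a forwarded thread,
# where a hurried sender is unlikely to notice it.
SAMPLE = """From: claims@example.com
To: partner@example.net
Subject: Re: Fwd: claim status
Content-Type: text/plain; charset=utf-8

Looks fine to me, sending along.

> -----Original Message-----
> From: intake@example.com
> Member: J. Doe
> SSN: 123-45-6789
"""
```

Calling `evaluate_outbound(SAMPLE)` returns an `encrypt` decision with the match recorded on body line 6; a message containing an impossible value such as `000-12-3456` is allowed but still reported, so the rule's behaviour can be audited.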