Yet our industry seems disturbingly comfortable with tolerating the "cracks" when it comes to the security of the huge volumes of personal, sensitive data we handle daily.

At an industry conference panel earlier this year, I brought up the problem of ensuring data security in the insurance industry. Another panelist–a respected analyst–dismissed the entire subject, however, asserting data security is "a lights-on issue." In other words, as long as we flip the switch and turn on the "lights" of our security systems, all should be fine. Why even discuss something that can be so easily dealt with?

Presumably, then, any security breach that does occur happens because "something slipped through the cracks" of our defenses–either technological or personal. It's regrettable, but what can one do?

The problem with blithely dismissing the issue of data security is while it provides a convenient excuse for inaction, it also smacks of negligence. First, "switching on" security systems that are inadequate accomplishes little, except for possibly fostering a false sense of safety. Second, many security breaches take place because laptops or other devices are stolen or lost–no switch to be flicked there. Yet data security clearly is not at the top of insurers' priority list.

A September 2006 study of "IT as a Business Enabler"–co-sponsored by IASA and the Robert E. Nolan Company–confirms my worst fears about the industry's lack of urgency on this matter. The survey of IASA member companies found improving efficiency and productivity was the most important return sought from technology investment. Incredibly, decreasing risk was rated as the least important benefit.

Meanwhile, according to the InformationWeek 2006 Global Security Survey, 57 percent of U.S. companies were hit by viruses in the past year, and 18 percent were hit by denial-of-service attacks. In the insurance industry alone, says online data breach watchdog privacyrights.org, more than a million customers have been affected by data breaches since the beginning of this year. I guess we just should tell them "something slipped through the cracks."

Perhaps you find it unbelievable that an industry as risk-averse as ours would take such chances, especially in the current restrictive regulatory environment. Undeniably, however, the insurance industry has a history of keeping its head planted firmly in the sand when it comes to technological advancement. In the past, I have praised the industry's conservative approach to buying and using technology, but the praise ends when penury–or just plain laziness–allows data breaches that could lead to identity theft and financial brokenness for customers and negligence lawsuits and federal charges for carriers.

Why isn't data security a front-burner issue for the insurance industry? The simple answer is no one has been seriously burned–yet. There have been no multimillion-dollar lawsuits or federal indictments–yet. There have been no Spitzer-style investigations of the industry's data-protection failures–yet. Still, the number and seriousness of data breaches is increasing every year, and there are no easy solutions.

No, you can't simply flick a switch and expect to be protected from criminals whose insidious expertise is such they can crack a system, steal everything, and be gone–covering their tracks–within 20 minutes. Data is the lifeblood of the insurance industry, and data protection must become a business priority. If that doesn't happen, it may be the industry's lifeblood that begins "slipping through the cracks."