In an industry that makes its money by assessing and avoiding risk, one would think that ensuring data security is a slam dunk. But while the insurance industry has made gains in this area, substantial challenges remain, several analysts contend.
“While carriers have made significant progress, in part to avoid other carriers' missteps (for example, stolen laptops) and [to establish] a rigid regulatory process (such as compliance officers, legal departments, etc.), carriers are only [one] piece of the puzzle,” according to Chad Hersh, a principal at New York-based analyst firm Novarica.
“While they can control their infrastructure and that of their employees and captive agents, other important pieces of the puzzle are out of their control,” he noted.
“For example, independent agents' laptops–which contain important client data (potentially including [private] health data), underwriting guidelines, etc.–could easily be susceptible to everything from programs that log keystrokes in order to allow a hacker to compromise a secure carrier Web site, to physical theft without adequate security measures in place, such as encrypted files, encrypted hard drives, passwords, etc.”
He emphasized that “while third-party administrators and vendors can offer promises and indemnity, security flaws still remain outside a carrier's control.”
According to Mr. Hersh, there are several daunting security challenges facing the insurance industry today.
Aside from the lack of control over critical portions of the value chain, “compliance remains challenging” when it comes to meeting the standards set under the Health Insurance Portability and Accountability Act of 1996. He added that compliance with SAS 70 (accounting standards for audits of service firms) and the Sarbanes-Oxley Act (involving corporate governance) is also a “constant struggle.”
“One of the biggest challenges, though, is simply the huge number of disparate systems, legacy and otherwise, at most carriers,” he said. While these systems might be individually secure and compliant, every significant change that affects all systems (Y2K, regulatory changes, etc.) presents another opportunity for a problem across the information technology board, he noted.
He also pointed out that older systems may not always have the ability to support modern security protocols, causing carriers to make them secure simply by not providing outside access to them.
In response, he said changes need to be made, such as legacy system replacements, while warning that addressing third-party security is a big problem.
“Until carriers decide they are willing to risk upsetting independent agents [by forcing] better security provisions and more severe penalties into contracts with vendors, TPAs, etc., or until regulators treat agents the way they treat carriers, no truly effective solution may exist,” he concluded.
“Carriers have made very good progress on securing their systems, and the more they consolidate systems, the easier this task becomes,” said Mr. Hersh.
“However, the third-party problem is similar to Internet providers' 'last mile' problem, in which getting high-speed Internet to a neighborhood is relatively cheap and easy, but getting it to the individual homes in the neighborhood is difficult and expensive,” he added. “For carriers, even overcoming their own security challenges won't be enough.”
Judy Johnson, principal solutions architect for insurance at the Jersey City, N.J.-based Patni Computer Systems Inc., said “the state of data security in the insurance industry is pretty much where it was a couple of years ago, although the activities of those interested in stealing data and identity records have increased substantially in that time.”
“It is not as though insurers do not recognize that data security is critical, and that continued legislative and regulatory efforts are not shining a light on the data security risks organizations face in a global economy,” she continued.
Instead, she explained, insurers have been dealing with other, more high-profile issues–including the economy, the possible effects of climate change and the need for profitability, “and over the years insurers have learned to accept abysmally bad data as par for the course.”
According to Ms. Johnson, “insurers are paying a lot more attention to IT infrastructure these days, and more discretionary spending is going to beef up these capabilities–several of which are data-related.”
However, she added, at least two issues are creating data security distractions in the industry. The first is the tendency to assume that technology advances will solve business problems seen as mainly tech-related–such as data security.
The second, she said, is a “growing tendency to outsource IT and business processes, and to believe–or hope–that outsourcing hands off compliance problems to the outsourcing vendor.”
Asked about other data security challenges, Ms. Johnson said “the growing need for insurers to collect information and to want to use it to better understand and manage their business”–for example, to provide a “single view of the customer”–represents “a major security challenge to those who do not understand that the more data you have and the better organized it is, the more valuable it becomes as a target for thieves.”
She emphasized that “advances in business intelligence must be accompanied by advances in data security,” adding that “I am not certain that perspective is obvious. You can use technology to help solve data security problems as long as you recognize what the threats are and where they come from.”
She predicted that progress on data security in insurance will be made “when something else happens to bring the issue top of mind–when companies not only have to announce that individual customer records may have been compromised, but executives, directors and shareholders are faced with understanding that the company's key detailed financials, business plans and strategies have been uncovered and may be used against them.”
Donald Light, senior analyst with Boston-based Celent, said that insurance companies, “except for possibly the very smallest ones, have made significant strides in improving data security, in terms of keeping unauthorized users away from data and also physically protecting the locations of the data.”
Agents and TPAs, however, “are much more of a mixed picture,” he noted. “Basic firewall protection and anti-phishing software are [often] in place, but a more sophisticated hacker trying to get into those organizations is going to have less of a difficult time than with an insurance company.” (“Phishing” involves sending an e-mail to trick a user into surrendering private information for identity theft.)
Mr. Light said the protection of physical assets remains a security challenge for many insurance organizations.
“Notebook computers are by definition portable and transportable, so humans transport them,” he noted, adding that taking measures to encrypt data on portable devices and making access more difficult for unauthorized users are not necessarily the highest priorities for insurers.
“Smart phones are another source of vulnerability, because by definition they are becoming more able to interact with e-mail and other forms of data that are available within the firewall,” Mr. Light observed. “A smart phone's ability to attack systems is going to be seen as a softer point of entry for the bad guys. Safeguarding that access point is in general a lower priority.”
Yet another threat is internal, in the form of disgruntled current or recent former employees, “especially when they are within IT and have higher levels of network access,” he pointed out. “This is a continuing source of vulnerability. There have been a few court cases in which [such employees] have planted disruptive devices or data bombs to get information they should not have access to.”
Will technology eventually solve the industry's security problems?
“Like so many other things, technology is one of the three legs of the stool,” said Mr. Light. “People and processes are the other legs. Everyone with a smart phone and everyone who takes a notebook outside the company's walls have to understand his or her security vulnerability.”
He added that “technology can solve some issues, but only in conjunction with security policies and processes. Staff must understand that this is part of their job.”
The future of security in the insurance industry “depends somewhat on external events,” said Mr. Light. “Certainly this is a ripe area for legislation and will continue to be.”
He pointed out that there have been well-publicized losses of data and data attacks, especially in insurance and financial services. These events, he said, “will help [the insurance industry] become more security-conscious and spend the money and carry out the steps.”
However, he added, “if things get quiet for a year or two…the total progress will be less.”
“IT departments and management as a whole have dozens of priorities they have to address,” he concluded. “Data security is one of those priorities. But is it in the top-five? The top-10? The top-100?”
This is a critical question, he noted, warning that the level of priority placed on data security will determine how successful future security measures will be.