Data breaches make national news these days. Target and Home Depot are prime examples. Like these retailers, should your data become breached, you must notify each individual affected by the breach. If the number of affected individuals exceeds 500, you may also need to report the breach to a government organization and, in some cases, the media. As a trusted advisor in charge of protecting your clients’ future, nothing will hurt your reputation more than telling them you introduced them to the world of identity theft.
Each state has defined their own fine structure when it comes to the breach of PII. On average they run between $1,000 and $100,000 per incident. Some states base an incident as a collective, others provide that each individual affected is a separate incident.
Health Insurance Portability and Accountability Act (HIPAA)
According to the 164.308(a)(1) Security Rule provision of HIPAA, any covered entity or business associate must “Implement policies and procedures to prevent, detect, contain, and correct security violations.” It further states that entities must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held,” and “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” As Windows XP cannot pass an audit relating to this provision, any entity running the unsupported operating system is in violation due to willful neglect and is subject to a minimum of $50,000 per violation and an annual maximum of $1.5 million.
Health Information Technology for Economic and Clinical Health (HITECH)
Subtitle D of the HITECH acts extends the HIPAA Security Rule and Notification Rule not only for covered entities, but upon business associates, vendors of personal health records (PHR) and related entities if a breach of unsecured protected health information (PHI) occurs. This is known as the “Omnibus Rule.” Per the Agents Council for Technology HIPAA workgroup, “Agencies which sell any health insurance products (medical, dental, vision, long term care, Medicare supplements) for companies like Blue Cross/Blue Shield, Humana, Aetna, Principal, Delta Dental, etc. are likely to be Business Associates and their agent agreements will include provisions that require them as Business Associates to comply fully with the HIPAA Security Rule, as well as with the portions of the HIPAA Privacy and Data Breach Rules that are applicable to them.” This extension again causes any organization running Windows XP to be further subjected to the fines mentioned above.
Cyber Liability, Professional Liability, Errors and Omissions Policies
All cyber liability and many professional liability and errors and omission policies include provisions relating to the protection and security of consumer data. Many policies provide that the carrier will not pay damages for any known defect or bug that could reasonably be expected to cause harm. Knowing that you are running unsupported and unpatched operating systems, which expose vulnerabilities, such as CVE-2014-6332 aka WinShock, would violate a similar provision lurking within your policy causing you to be liable and uncovered.
Payment Card Industry Data Security Standard (PCI DSS)
Do you take credit cards? Do you store credit card numbers in your agency management or accounting system? If you do your merchant account provider requires that you must “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.” Running Windows XP will cause you to be out of compliance with this requirement.
So many more…
If you are subject to the Sarbanes–Oxley Act of 2002 or Gramm–Leach–Bliley Act through ownership of or by a bank, mortgage company, or other financial organization, running Windows XP will fail the audit. What about your agreement with carriers? Have you actually read it? What does that say about the protection of consumer data?
© 1983-2017, Insurance
All Rights Reserved -
1415 Halsey Way, Suite 314 |
75007 | Phone: (800) 383-3482
1415 Halsey Way, Suite 314 | Carrollton, TX 75007
Phone: (800) 383-3482