Data Protection Compliance for the Insurance Industry


Insurance companies are desirable targets for cyber attackers because they work with sensitive data. To ensure the safety of customers’ personal information, insurance companies have to follow strict data protection requirements. These requirements oblige companies to implement the best cybersecurity practices or face considerable fines for non-compliance.


In this article, we discuss data protection compliance for insurance companies and how to safeguard customer data.


Types of data insurers work with


If banks hold the money, insurers hold the data. 


Insurance organizations have to process their customers’ personal data to underwrite risks and offer products that fit each client. Personal data is the lifeblood of insurance: only comprehensive and accurate information about clients lets an insurer price and sustain viable offerings.


For instance, to achieve risk-based pricing of premiums and process claims, insurance providers need data about customers’ health and criminal convictions. In the case of employee insurance, an insurance company needs an employment contract as the legal basis for creating a policy. 


Depending on the type of insurance services provided, insurers collect a wealth of data on individuals covering their health, property, vehicles, and even pets. Here are the most common types of sensitive data that insurance providers have to deal with:


[Infographic: Sensitive data that insurance providers have to deal with]

As you can see, most of the data collected by insurance organizations is protected. That’s why the insurance industry must do its best to protect customers’ data. By complying with data protection requirements, insurance organizations demonstrate that they’re taking ongoing efforts to ensure customers’ privacy protection.


Read also: 7 Best Practices for Banking and Financial Cybersecurity Compliance

Data breaches in the insurance industry


Where does the threat come from?


Cyber attacks on insurers often exploit people rather than software vulnerabilities: careless employees and subcontractors are the usual entry point.


According to Verizon’s 2020 Data Breach Investigations Report, the most common outsider attacks on the financial and insurance sector are scams, phishing, and pretexting. Internal actors cause breaches mostly through error, such as misdelivery (sending customer data to the wrong recipient) and misconfiguration of systems that then expose data. Malicious insiders also exist: an employee may commit insurance fraud or abuse access to customer records for financial gain.


Data breaches in the financial and insurance industries


Here are several high-profile data breaches of insurance organizations that happened in 2019:


  • State Farm, the largest insurance provider in the US, reported a credential stuffing attack in which an attacker replayed username and password pairs leaked from other sites’ breaches against policyholder accounts and logged in to some of them. No personally identifiable information (PII) was viewable in the affected accounts, and no related fraud was detected. The attack exploited no flaw in State Farm’s own systems, only customers’ password reuse, which is why multi-factor authentication and screening new passwords against known-breached lists matter even for a well-patched portal.


  • Pacific Specialty Insurance Company became the victim of a phishing email campaign that compromised the credentials of several employee email accounts. Pacific discovered the attack after noticing suspicious activity in employee email accounts, and a forensic investigation revealed unauthorized access to some employee accounts. As a result of this incident, PII of Pacific customers was compromised, including names, social security numbers, financial information, health insurance data, and driver’s license numbers. 


  • First American Financial, a title insurance company, inadvertently exposed more than 800 million personal and financial records on its website. The documents were reachable through a document-retrieval URL containing a sequential numeric identifier and no authentication check, so changing the number in a link returned another customer’s closing documents: a classic insecure direct object reference. The exposed records included Social Security numbers, bank account numbers, driver’s license images, mortgage and tax records, and wire transaction receipts.


Data breaches may result in loss of customer loyalty and considerable fines. They may even jeopardize insurance businesses. This is why protecting personal data should be the main priority for the insurance industry.


Read also: Insider Threat Statistics for 2020: Facts and Figures


Data protection requirements for the insurance industry


Reduce the risk of data breaches with regulatory compliance. 


Insurance providers are obliged to follow data protection requirements and can face strict penalties for non-compliance. Let’s take a look at the major regulations, acts, and standards that protect personal data in the insurance industry.


Depending on the type of sensitive data collected and processed in order to provide insurance services, organizations have to comply with the following:


 To protect personal data:

  • The General Data Protection Regulation (GDPR) protects the personal data of individuals in the European Union. Insurers that offer services to people in the EU must comply with GDPR requirements regardless of where the business is registered or where the processing takes place.
  • The California Consumer Privacy Act (CCPA) controls the collection, use, and sale of personal information of California residents. Insurance companies operating in California are subject to CCPA regulations, which include disclosure obligations and requirements related to consumer privacy rights.


To protect healthcare data:

  • The Health Insurance Portability and Accountability Act (HIPAA) regulates health data in the US. This act aims to prevent fraud and abuse of personal healthcare data. US insurance providers dealing with medical records are required to protect sensitive data in compliance with HIPAA requirements.


To protect financial data:

  • The Gramm–Leach–Bliley Act (GLBA) is a US federal law that requires financial institutions, including insurers, to explain their information-sharing practices to customers and to safeguard customers’ nonpublic personal information. Its safeguards provisions require controls over who can access customer records and monitoring of that access, so insurers need an audit trail of employee activity against protected records.
  • The Sarbanes–Oxley Act (SOX) applies to publicly traded US companies, insurers included, and aims to make financial reporting accurate and transparent and to deter fraud. To meet SOX requirements, an insurer has to keep its financial records and the internal controls over them auditable, which in practice means retaining records and keeping logs of who changed financial data and when.
  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting cardholder data. Insurers anywhere in the world that accept, process, store, or transmit payment card data (for example, for premium payments) must comply, and the scope of their PCI DSS assessment covers every system that touches that data.


Note: In addition to these major data protection measures, insurance organizations may also have to comply with other local and international laws and regulations regarding customers’ personal data.


Read also: How to Pass an IT Compliance Audit


8 best practices for data protection compliance


Take these steps to ensure compliance with data protection requirements.


Complying with data protection requirements can be a real challenge for insurance providers. Here’s a list of eight best practices that will help you properly protect your customers’ sensitive data with minimal effort:


Best practices for complying with insurance data protection requirements


1. Appoint a data protection officer. Designate one or more employees to be responsible for data protection measures in your organization. The GDPR requires a data protection officer when core activities involve large-scale processing of special category data such as health data, which describes most insurers; PCI DSS likewise requires that responsibility for the security program be formally assigned. A named owner also pays off when passing security audits and coordinating the response to incidents.


2. Conduct a risk assessment. Before protecting your customers’ information, you need to know what types of sensitive data you work with and how this data is stored and processed. Only after determining what your valuable assets are can you assess the cybersecurity risks and start mitigating weak spots in your data protection.


3. Ensure secure access to data. Protect access to critical assets by enforcing least privilege: each account gets only the data and actions its job requires, and nothing else. A zero trust approach goes further and authenticates and authorizes every request instead of trusting anything because it sits on the internal network. Together these controls define who can access customer information and what they can do with it. Strengthen authentication to your IT infrastructure with multi-factor authentication, which also blunts the credential stuffing and phishing seen in the breaches above, and use a password management solution wherever passwords remain.


4. Monitor user activity. Monitoring employee activity is a core requirement of SOX, PCI DSS, and GLBA. A dedicated monitoring solution records employee actions continuously and produces video and audio logs of security events alongside searchable metadata. Solutions with behavior analytics can alert you to abnormal employee activity, such as a user suddenly pulling far more customer records than usual, so you can intervene before data leaves the organization.


5. Manage privileged employees. Accounts with privileged access to your IT infrastructure are the most valuable targets for attackers and the most damaging if misused. Use privileged access management to grant elevated access only when it is needed and to record what is done with it. To limit credential abuse, protect privileged logins with one-time passwords and require individual, additional credentials for shared and built-in accounts so that every action maps to a person.


6. Reduce third-party risks. Most data protection regimes require you to know who accesses protected data and for what purpose, and that includes subcontractors and service providers. Audit the applications third parties use to reach customer data, restrict their server access to what the contract requires, and monitor their sessions with the same tooling you apply to employees: a vendor’s compromised account is indistinguishable from an insider until you look at what it did.


7. Encrypt data. Encrypt sensitive data at rest and in transit so that it is unreadable to anyone who obtains it without the key. Encryption is required or recommended by the GDPR, GLBA, PCI DSS, HIPAA, and other laws and standards. If encrypted data is stolen and the keys are not, the breach may not require notifying affected individuals: the GDPR exempts breaches where the data was rendered unintelligible, and HIPAA treats properly encrypted health information as outside its breach notification rule. Two caveats: keys must be stored and managed separately from the data they protect, and encryption at rest does nothing against an attacker who logs in with valid credentials and reads data through the application, as in the credential stuffing and phishing cases above.


8. Prepare for a fast incident response. The requirements above also oblige you to have an incident response plan that limits the damage of a data breach. The plan can be a standalone document or part of your cybersecurity policy. It tells security staff and regular employees what to do for each type of incident, whom to inform, and within what time frame. The regulations set different deadlines for notifying a supervisory authority: under the GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to pose a risk to individuals, and HIPAA allows up to 60 days after discovery to notify affected individuals. The clock starts at awareness, not at containment, so detection and triage have to be fast enough to leave time for the notification itself.
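Practices 3 to 6 above come down to one question a reviewer has to answer from logs: did each access stay inside what the account’s role permits, and does the pattern look normal? The following Go program is an added example written for this article; it is not Ekran System code and the log format is not one any product emits. It parses a constructed audit log (the line format, the role names, the data classes, the 100-record bulk threshold, and the 07:00–19:00 UTC business-hours window are all assumptions) and reports the accesses a compliance reviewer or an alerting rule should pick up: role-permission violations, bulk reads or exports, and off-hours activity.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AccessEvent is one parsed line of an application audit log.
type AccessEvent struct {
	At       time.Time
	User     string
	Role     string
	Action   string // read or export
	Resource string // data class, e.g. policy:health
	Count    int    // customer records touched by this action
}

// Finding is one item a compliance reviewer or an alert should pick up.
type Finding struct {
	User   string
	Reason string
}

// permitted maps each role to the data classes it may touch. The roles and
// classes are assumptions for this example, not a product's real policy.
var permitted = map[string]map[string]bool{
	"claims_adjuster": {"claim:auto": true, "claim:property": true},
	"underwriter":     {"policy:health": true, "policy:life": true},
	"contractor":      {"claim:auto": true},
}

// SampleLog is a constructed audit log in an assumed key=value format.
var SampleLog = []string{
	"2024-03-04T09:15:00Z user=asmith role=claims_adjuster action=read resource=claim:auto count=3",
	"2024-03-04T09:20:00Z user=asmith role=claims_adjuster action=read resource=claim:property count=2",
	"2024-03-04T02:15:00Z user=jdoe role=contractor action=export resource=policy:health count=1200",
	"2024-03-04T11:00:00Z user=bnguyen role=underwriter action=read resource=policy:health count=5",
}

// parseLine parses "RFC3339 user=.. role=.. action=.. resource=.. count=N".
func parseLine(line string) (AccessEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 6 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AccessEvent{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return AccessEvent{}, fmt.Errorf("bad field %q", f)
		}
		kv[k] = v
	}
	count, err := strconv.Atoi(kv["count"])
	if err != nil {
		return AccessEvent{}, fmt.Errorf("bad count in %q", line)
	}
	return AccessEvent{At: at, User: kv["user"], Role: kv["role"], Action: kv["action"], Resource: kv["resource"], Count: count}, nil
}

// Review runs three checks over each log line: access outside the role's
// permitted data classes (least privilege), bulk access at or above
// bulkThreshold records, and access outside 07:00-19:00 UTC (assumed hours).
func Review(lines []string, bulkThreshold int) ([]Finding, error) {
	var out []Finding
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if !permitted[ev.Role][ev.Resource] { // nil map for unknown roles reads as false
			out = append(out, Finding{ev.User, fmt.Sprintf("role %s is not permitted to %s %s", ev.Role, ev.Action, ev.Resource)})
		}
		if ev.Count >= bulkThreshold {
			out = append(out, Finding{ev.User, fmt.Sprintf("bulk access: %d records in one %s", ev.Count, ev.Action)})
		}
		if h := ev.At.UTC().Hour(); h < 7 || h >= 19 {
			out = append(out, Finding{ev.User, "off-hours access at " + ev.At.UTC().Format("15:04") + " UTC"})
		}
	}
	return out, nil
}

func main() {
	findings, err := Review(SampleLog, 100)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s\n", f.User, f.Reason)
	}
}
```

Run it and the contractor’s 02:15 export of 1,200 health-policy records produces three findings while the adjuster’s and underwriter’s routine reads produce none. In a real deployment the permitted map would be generated from the identity system rather than hand-written, so the review detects drift between the access policy on paper and the access actually exercised, and the thresholds would come from per-user baselines rather than a constant.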


Following these best practices will not only improve the security of your insurance organization and help you avoid penalties but will also increase customer trust and loyalty.
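Practice 7 says to make data unreadable to anyone who obtains it without the key. What that looks like at field level, as an added example written for this article rather than code from Ekran System or from any regulation: AES-256-GCM from Go’s standard library, with the customer record identifier passed as additional authenticated data so that a ciphertext copied from one customer’s row into another’s fails to decrypt, and any modification of the stored bytes is detected rather than silently producing garbage. The key handling is the assumption here: NewKey stands in for a key fetched from a KMS or HSM at run time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit data-encryption key. In production the key is
// fetched from a KMS or HSM and is never stored beside the ciphertexts it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one sensitive field (an SSN, a bank account number) belonging
// to the customer record recordID. The record ID is authenticated but not
// encrypted, which binds the ciphertext to that row. Output is nonce||ct||tag.
// A random 96-bit nonce is safe for up to about 2^32 encryptions per key;
// rotate the key before that point.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It fails if the bytes were altered, if the wrong key is
// used, or if the blob was moved to a different record ID.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("record %s: %w", recordID, err)
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value, not real customer data.
	blob, err := Seal(key, "cust-1001", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, "cust-1001", blob)
	fmt.Printf("same record: %q err=%v\n", pt, err)
	_, err = Open(key, "cust-1002", blob) // ciphertext moved to another customer's row
	fmt.Println("swapped record:", err)
	blob[len(blob)-1] ^= 0x01 // one bit flipped in the stored bytes
	_, err = Open(key, "cust-1001", blob)
	fmt.Println("tampered:", err)
}
```

The authenticated-encryption failure on the swapped record is the point: encrypting a column is not enough if an attacker with write access to the database can shuffle ciphertexts between customers, and binding each value to its row closes that gap without any extra storage. The GCM tag also turns silent corruption of a backup into an explicit error.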




Meet data protection requirements with Ekran System


Comply with all requirements using one solution.


Deploying dedicated cybersecurity software for employee monitoring helps you process and store customer data securely and in compliance with the relevant laws, regulations, and standards. With Ekran System deployed as an insider threat management platform, you get more than user monitoring. 


Ekran System offers the following functionality for insurance company compliance:

  • User activity monitoring for controlling employee activity in near real time and recording user sessions in video and audio formats with metadata  
  • Privileged access management for securing critical endpoints and getting full visibility over the activity of privileged users (can be used to set granular access and manage permissions for sensitive customer data)  
  • Identity management for ensuring that only authorized employees have access to your critical assets (two-factor authentication and additional credentials for shared and built-in accounts can be used to verify identities)
  • Quick incident response for getting alerts and notifications in case of suspicious events so you can respond to them quickly using special functionality for warning users and blocking undesired processes
  • Security incident investigation for generating advanced reports in a searchable format and investigating security events in detail with session analysis

As you can see, Ekran System combines a range of functions that help you meet these data protection requirements from a single platform. 


Learn more about Ekran System’s architecture and deployment




Working closely with personal data makes the insurance industry a target for attacks and puts insurers’ businesses in jeopardy in case of data leaks or abuse. To ensure the security of customer data, insurers must comply with various data protection requirements including those imposed by HIPAA, GDPR, CCPA, SOX, PCI DSS, GLBA, and other acts, regulations, and standards. Following such a wide range of requirements is challenging for insurance providers. Ekran System is an all-in-one solution that can help you reduce the compliance overhead.


With insurance data protection compliance solutions like Ekran System, you can meet legal requirements and industry standards regarding continuous user monitoring, including monitoring of privileged employees and subcontractors. Ekran System also provides functionality for data encryption and identity management as well as fast incident detection and response. Protect your sensitive data by downloading a free trial of Ekran System right now!