Hackers Targeting Insurance Instant Quote Sites
The New York Department of Financial Services issued a cybersecurity fraud alert (“Alert”) to all regulated entities, particularly those utilizing public-facing websites that display nonpublic information (“NPI”), even if redacted. According to the Alert, data thieves have been attacking websites that provide auto insurance and, in so doing, display redacted NPI—for example, a driver’s license number. DFS believes the hackers are using the information to fraudulently apply for pandemic and unemployment benefits.
Data thieves employ a variety of techniques to access a consumer’s information, including (i) examining the site’s code; (ii) intercepting and decoding unredacted NPI by using developer debug tools; (iii) manipulating the site’s redaction technology to expose unredacted NPI; (iv) purchasing a policy with fraudulent payment information; and (v) using social engineering techniques to extract information from insurance agents following up on leads.
Regardless of the methods employed, companies providing insurance quotes need to be aware of the likelihood that they have been targeted and employ security measures to mitigate their risk of compromising consumer data. The Alert implores insurance companies (and their vendors) across all lines of insurance to examine website analytics and traffic measures for abnormalities such as an unusual number of abandoned quotes in a short timeframe. DFS also urges companies to investigate their server logs for evidence of unauthorized access to NPI.
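As an illustration of the abandoned-quote check the Alert describes, the following added example (not part of the Alert or the original article) flags client IPs that start many quotes without completing them inside a short window. The log format, event names, 10-minute window, and threshold of four are assumptions chosen for the example, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real traffic): timestamp, client IP, quote ID, event.
SAMPLE_LOG = """\
2021-03-01T09:20:00 203.0.113.7 q100 quote_started
2021-03-01T10:00:05 203.0.113.7 q101 quote_started
2021-03-01T10:01:10 203.0.113.7 q102 quote_started
2021-03-01T10:02:30 203.0.113.7 q103 quote_started
2021-03-01T10:04:45 203.0.113.7 q104 quote_started
2021-03-01T10:03:00 198.51.100.20 q200 quote_started
2021-03-01T10:09:00 198.51.100.20 q200 quote_completed
2021-03-01T10:15:00 198.51.100.20 q201 quote_started
2021-03-01T08:00:00 192.0.2.44 q300 quote_started
2021-03-01T09:00:00 192.0.2.44 q301 quote_started
2021-03-01T10:00:00 192.0.2.44 q302 quote_started
2021-03-01T11:00:00 192.0.2.44 q303 quote_started
"""

def abandoned_quote_bursts(log, window=timedelta(minutes=10), threshold=4):
    """Map each client IP to its peak count of abandoned quotes inside any
    sliding window, keeping only IPs whose peak reaches the threshold."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, quote_id, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, quote_id, event))
    completed = {qid for _, _, qid, ev in events if ev == "quote_completed"}
    # A quote counts as abandoned if it was started but never completed.
    starts = defaultdict(list)
    for ts, ip, qid, ev in events:
        if ev == "quote_started" and qid not in completed:
            starts[ip].append(ts)
    flagged = {}
    for ip, times in starts.items():
        recent, peak = deque(), 0
        for ts in sorted(times):
            recent.append(ts)
            while ts - recent[0] > window:  # drop starts older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, peak in abandoned_quote_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} abandoned quotes within 10 minutes")
```

The same per-client count can back the quote limit per user session that the Alert recommends, by keying on a session identifier instead of the IP address.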
The Alert also prescribes preventive and remedial measures for insurance companies, including:
- Reviewing NPI policies, and displaying NPI, whether redacted or not, only where there is a compelling reason to do so.
- Reviewing security controls such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations.
- Limiting access for third parties using developer tools to modify or manipulate web content.
- Ensuring that the NPI is obfuscated throughout the entire pathway.
- Ensuring privacy protections are updated and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
- Scrubbing public code repositories for proprietary code.
- Blocking IP addresses of suspected unauthorized users and implementing a quote limit per user session.
The Alert outlines some of the ways that insurers generating leads and providing instant quotes may be vulnerable. Its guidance is instructive for all insurance companies regardless of jurisdiction or line of business. However, the notification requirements to regulatory authorities and to consumers following a data breach vary from state to state. Jurisdictions with insurance-specific cybersecurity regulations have generally promulgated regulations substantially similar to either the National Association of Insurance Commissioners Insurance Data Security Model Law or the DFS’s Cybersecurity Regulation (NY Regulation 500).
Read the full Alert on the DFS website.