When an organization, especially an insurance company, is hit with a lawsuit related to a data breach, you can expect that there will be some details published about the allegations. This can help us understand the possible causes and impacts of a data breach.

The class action lawsuit launched by former employees of Illinois-based insurance broker Arthur J. Gallagher has some intriguing clues about what led to the breach and how the breach may have been handled more appropriately. It also provides teaching points on how a breach should or should not be managed.

A long time to wait for a breach notification

It’s always extremely troubling when a company that suffers a data breach takes 9 months to notify affected individuals. In this case, the data breach apparently occurred in September, 2020, but the company did not notify affected individuals until June, 2021.

Even giving the company the benefit of the doubt, that they may not have realized what data was affected, any ransomware incident capable of affecting a business’s network and operations should be treated as potentially being a breach of all customer information. As soon as this is even a possibility, a notification should be made to individuals, as well as on the company’s website.

Managing personal information

The lawsuit claims that affected individuals who may have heard about the breach, but were not notified, likely assumed that their data wasn’t impacted. So, they were apparently unaware for 9 months that their data was at risk.

A laundry list of impacted data

It’s also very alarming and suspicious when you see that a breach has impacted a list of personally identifiable information (PII) that includes:

  • Customer and potential customer information
  • Employee information
  • Social Security numbers
  • Tax identification numbers
  • Driver’s license information
  • Passport information
  • Dates of birth
  • Usernames and passwords
  • Financial account information
  • Credit card information
  • Electronic signatures
  • Medical records

This wide range of data types suggests that a lot of valuable information may either have been stored in a single system, or that systems and data that should have been segregated with higher protections may have been easily accessible by the ransomware across the company’s network.

Lessons learned from the Arthur J. Gallagher breach

Any potentially affected individuals need to be notified as soon as it is known that their data may have been compromised. Notifications should also be posted and made easily accessible on the company’s website, for individuals looking to see if their data was affected. They may not have received a notification, and people in this situation need to know where they can learn more.

When large amounts of PII are being collected and stored, then there is no debating the need for privacy protections, including conducting a Privacy Impact Assessment (PIA), and putting proper technical safeguards in place to protect data against threats such as malware.

There are countless ways in which a company with these kinds of valuable data can be attacked, and no single technical safeguard will be effective against all of them. With this in mind, there must be a balance of security and privacy protections that include “people, processes and technologies”.

Keep employees engaged to defend against phishing and ransomware attacks

Because there will always be vulnerabilities, even with safeguards in place, all employees need to be trained in privacy and security awareness policies, procedures and best practices. You should think of employees as being the first and last lines of defense. Employees can avoid threats that firewalls and gateway filters aren’t designed to stop, and they can limit damage by knowing when and how to report incidents.

It’s not always easy to teach employees about these risks, especially if they aren’t engaged, and have many priorities. That’s why a gamified learning approach provides the most value in a security awareness program.

Click Armor’s gamified learning platform provides a range of engaging content that has been shown to measurably improve proficiency of employees in spotting threats such as phishing attacks. Traditional security awareness training programs lack the ability not only to engage employees but also to motivate them to improve their defensive abilities.

To find out if your awareness program needs more engagement through gamification, download our free checklist using the button below.