Time to update Washington’s antiquated data-breach notification law.
Premera’s decision to wait six weeks before notifying state authorities and customers about a major cyber attack on its system was inexcusable.
This is the same insurance giant that was warned by federal auditors last year that its network security procedures were inadequate. Customers entrusted Premera with their most personal information, from bank accounts and Social Security numbers to home addresses and medical records.
Premera Blue Cross officials claim hackers did not remove any customer data from their system, and that they had followed the federal law.
That’s cold comfort to the 11 million Americans, including about 6 million former and current Washington residents, potentially affected by this data breach.
Washington State Insurance Commissioner Mike Kreidler is right to lead a multistate investigation into Premera’s response to this hacking incident. The breach was discovered on Jan. 29, but the attack occurred back in May 2014. Premera contacted state officials on March 17 of this year.
In a response Friday to an inquiry from U.S. Sen. Patty Murray, D-Wash., Premera President and Chief Executive Jeffrey Roe said the company did not immediately disclose the attack on the advice of Mandiant, a private cybersecurity firm. The concern was that notification to consumers or the media “would alert the attackers and could prompt them to download sensitive information.”
Kreidler’s staff said the insurance provider could have come to the state much sooner and asked for some confidentiality. Instead Premera kept the problem to itself — and from consumers — for six weeks.
Though Premera followed federal rules mandating notification within 60 days, it is bad business to sit on this information while customers have no idea that their personal information may be compromised.
State legislators should enact legislation requested by state Attorney General Bob Ferguson. ESHB 1078 passed the House unanimously but awaits a vote in the Senate Law and Justice Committee before a Wednesday deadline.
The bill would update the state’s antiquated data-breach notification law by requiring customers be notified within 45 days, along with information on how they can secure their identities. If more than 500 Washingtonians are affected, nonprofits, businesses and public agencies would also have to report to the Attorney General’s Office so the state could coordinate a response.
After this latest debacle, customers of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, Vivacity and Connexion Insurance Solutions are being directed to premeraupdate.com to sign up for two years’ worth of credit monitoring and identity theft protection services.
That’s not enough.
Premera says it’s working with the FBI to find the culprits and prevent future attacks. Hackers will always cause trouble, but the company should notify customers more swiftly about any potential breaches of sensitive information.
Protect them better. Don’t delay fixing vulnerabilities identified by federal auditors.
For more information on how to protect yourself from identity theft, go to: atg.wa.gov/identity-theftprivacy
Information in this article, originally published March 29, 2015, was corrected March 30, 2015. A previous version of this story incorrectly stated the date that Premera Blue Cross first notified state officials of its data breach. It also incorrectly stated Premera waited six weeks before notifying authorities. Premera waited six weeks before contacting state authorities and customers, but had contacted the FBI in February.