IRDA Cyber Security Guidelines on Data Classification

All insurers, regardless of size, complexity, or lines of business, collect, store, and share with various service providers, reinsurers, etc., substantial amounts of personal and confidential policyholder information, including in some instances sensitive health-related information.

While information sharing is essential to business operations, insurers must ensure that adequate systems and procedures are in place so that information does not leak and is shared only on a need-to-know basis.

Further, rapid developments in information technology pose many challenges to maintaining the confidentiality of information. Like any technology, it brings risks along with its advantages. With the fast growth of web-based applications, the cyber threat landscape has expanded and is a concern across all sectors. Cyber risks have grown and cyber criminals have become increasingly sophisticated. For insurers, cyber security incidents can harm the ability to conduct business, compromise the protection of personal and proprietary data, and undermine confidence in the sector. The level of awareness of cyber threats and cyber security within the insurance sector, as well as supervisory approaches to combating the risks, appear to vary across organizations.

Information obtained from regulated entities through cyber-crime may be used for financial gain through identity theft, misappropriation of intellectual property, or other criminal activities. Exposure of personal data can result in severe harm to the affected policyholders, as well as reputational damage to insurance sector participants. Similarly, malicious cyber-attacks against the critical systems of an insurer or insurance intermediary may impede its ability to conduct business.

The objective of this guideline is to provide a framework for information owners to determine and classify the sensitivity levels of the information that Organization uses, processes, and stores. The unauthorized disclosure, modification, accidental or intentional damage, or loss of sensitive Organization information could constitute a violation of laws and/or regulations, may negatively affect customers, and may damage Organization's image and competitiveness in the market. Hence data needs to be classified based on its criticality so that security controls commensurate with that criticality can be implemented.

The Information Owner shall classify information assets within their purview using only one of the following four classification levels:

  • Confidential
  • Restricted
  • Internal
  • Public

Classification levels shall be defined based on the information asset's relative risk, value, and sensitivity. Further, any personally identifiable information (PII) shall be identified and classified as PII in addition to being classified under the data classification policy above. Organization shall employ reasonable and appropriate safeguards to protect the integrity, confidentiality, and security of all PII. Any breach of this policy shall be considered an incident and shall be treated as per the incident management policy.

Data Classification Process

Information owners shall ensure that the information assets for which they are responsible are assigned a classification rating (Confidential, Restricted, Internal, and Public) that properly indicates its business value and criticality to the organization. Owners shall review the assigned classification label at least every two years to address changed business value and risks, or as required by laws and regulations that impact Organization.

  • Confidential: Personal or company information that is classified as highly sensitive by senior management or by laws and regulations that impact Organization. Normally this concerns personally identifiable information (PII) about customers, business partners such as agents, distributors, suppliers, etc., or employees, or information that is of vital or strategic importance to the success of the organization (e.g., financial statements) or that provides it with a significant competitive edge (e.g., new product designs). Unauthorized disclosure of Confidential information could substantially impact Insurance Company, its brand and/or reputation, and its customers.
  • Restricted: Information assets which, if disclosed, would result in significant adverse impact, embarrassment, financial penalties, loss of stakeholder confidence, or compliance penalties.
  • Internal Use Only: Information that is not intended for use by the public. This can include information posted on the company intranet for employee use, such as phone directories or the Employee Handbook. Unauthorized disclosure of Internal Use Only information could moderately impact Insurance Company, its brand and/or reputation, and its customers.
  • Public: Information that is approved for release to the public by Organization's senior management. Examples include information that is available from public or government sources, advertising, or information posted on an official website. Disclosure of Public information will likely have little or no impact on Insurance Company, its brand and/or reputation, and its customers.

Data Privacy

Personally Identifiable Information (PII) is information about a person that contains some unique identifier, including but not limited to name, email, contact details, or unique identification number, from which the identity of the person can be determined. PII is further divided into two categories:

  1. Sensitive Personal Information
  2. Other Personal Information

Any incident of data privacy violation must be reported immediately to the concerned authority so that the exposure can be contained.

Identification of Personally Identifiable Information (PII)

Sensitive personal data or information (SPI) of a person includes the following information collected, received, stored, transmitted, or processed by a body corporate, an intermediary, or any person on its behalf:

  1. Password
  2. User details as provided at the time of registration or thereafter
  3. Financial information such as bank account, credit card, debit card, or other payment instrument details of the users
  4. Physiological and mental health condition
  5. Medical records and history
  6. Biometric information
  7. Any of the above information received by the body corporate for processing, stored or processed under lawful contract or otherwise

Any PII that does not fall into the SPI categories above is treated as Other Personal Information (OPI).

Collection of PII

Organization or any person on its behalf shall obtain the consent of the provider of the information regarding the purpose, means, and modes of use before collecting such information.

Organization or any person on its behalf shall not collect sensitive personal information unless:

  • The information is collected for a lawful purpose connected with a function or activity of Organization; and
  • The collection of the information is necessary for that purpose.

While collecting information directly from the individual concerned, Organization or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:

  1. The fact that the information is being collected;
  2. The purpose for which the information is being collected; and
  3. The intended recipients of the information.

In addition:

  1. Organization or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.
  2. The information collected shall be used only for the purpose for which it has been collected.
  3. Organization or any person on its behalf shall permit users to review the information they have provided and modify it wherever necessary.

Storage, Transfer & Destruction of PII

  1. SPI shall be protected at the same level as Confidential information, whatever classification label the information owner has assigned to the asset that contains it.
  2. OPI shall be protected at the same level as Restricted information, whatever classification label the information owner has assigned to the asset that contains it.
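The two rules above (owner-assigned label plus a PII-derived floor) and the SPI categories listed under "Identification of Personally Identifiable Information" can be applied mechanically to a data dictionary. The following is an added example, not code from the guideline or from any vendor product; the field names, keyword lists and sample record are constructed assumptions, and the Luhn check used to spot card numbers by value is a common practitioner technique rather than something the guideline prescribes.

```python
"""
Added example: compute the effective handling level of each field.

Rule 1: the information owner assigns one of four labels
        (Public < Internal < Restricted < Confidential).
Rule 2: PII is tagged in addition, and the effective level is raised to a
        floor: SPI -> Confidential, OPI -> Restricted. It is never lowered.
"""
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


# Field-name keywords mapped to SPI categories named in the guideline.
# Assumed naming conventions; a real data dictionary would carry explicit tags.
SPI_KEYWORDS = {
    "password": "Password",
    "passwd": "Password",
    "account_no": "Financial",
    "card_number": "Financial",
    "health": "Health condition",
    "diagnosis": "Medical records",
    "biometric": "Biometric",
    "fingerprint": "Biometric",
}

# Identifiers that make a record about an identifiable person but are not SPI.
OPI_KEYWORDS = ("name", "email", "phone", "mobile", "address", "dob")

# Floor applied by the "Storage, Transfer & Destruction of PII" rule.
PII_FLOOR = {"SPI": Level.CONFIDENTIAL, "OPI": Level.RESTRICTED}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card_number(value):
    s = str(value).replace(" ", "").replace("-", "")
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_ok(s)


def pii_category(field, value=None):
    """Return ("SPI", category), ("OPI", None) or (None, None)."""
    f = field.lower()
    for kw, cat in SPI_KEYWORDS.items():
        if kw in f:
            return "SPI", cat
    # Value-based detection catches card numbers hiding in oddly named fields.
    if value is not None and looks_like_card_number(value):
        return "SPI", "Financial"
    for kw in OPI_KEYWORDS:
        if kw in f:
            return "OPI", None
    return None, None


def effective_level(owner_label, field, value=None):
    """Owner label raised to the PII floor, never lowered."""
    kind, _ = pii_category(field, value)
    floor = PII_FLOOR.get(kind, Level.PUBLIC)
    return max(Level[owner_label.upper()], floor)


def classify_dataset(owner_label, record):
    """Tag every field and derive the dataset level (highest field level)."""
    fields = {}
    for name, value in record.items():
        kind, cat = pii_category(name, value)
        fields[name] = {"pii": kind, "category": cat,
                        "level": effective_level(owner_label, name, value)}
    dataset_level = max((f["level"] for f in fields.values()),
                        default=Level[owner_label.upper()])
    return {"fields": fields, "dataset_level": dataset_level}


if __name__ == "__main__":
    # Constructed sample: the owner labelled this claims extract "Internal".
    sample = {
        "policy_no": "P-000123",
        "customer_email": "a.b@example.com",
        "diagnosis": "Type 2 diabetes",
        "ref_code": "4111 1111 1111 1111",  # card number in a badly named field
        "brochure_text": "Term plan overview",
    }
    result = classify_dataset("Internal", sample)
    for name, tag in result["fields"].items():
        print(f"{name:16} {tag['pii'] or '-':4} {tag['level'].name}")
    print("dataset level:", result["dataset_level"].name)
```

The dataset inherits the highest field level, so one diagnosis column or one stray card number makes the whole extract Confidential even though the owner labelled it Internal; the owner's label is only ever raised by the PII floor, matching the "irrespective of classification" wording above.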

Processing of PII

  1. The entire customers’ / employees’ data shall be classified as per “Asset Management Procedure”
  2. Personal data of customers/employees shall be securely stored, in manual or electronic form, and in accordance with the IT Act.
  3. Personal data of customers/employees shall not be stored for longer than is required unless otherwise mandated by any law.
  4. Personal data of customers/employees shall be used for the purpose for which it has been collected.
  5. Access to sensitive data shall be provided strictly on a need-to-know basis.
  6. Backup of sensitive data on a removable storage media shall be kept in a safe and secure environment.

Disclosure of PII

  1. If any of Organization's customers or employees requests to view his/her own sensitive information collected, it shall be made available.
  2. Organization shall not disclose an individual's personal data outside Organization except:
  • When the individual has consented to the disclosure, or in circumstances agreed between Organization and the individual
  • When necessary, to regulatory bodies and auditors
  • When Organization is required or permitted to do so by law
  • To any persons, including insurers and lenders, who supply benefits or services to the individual
  • To fraud prevention agencies where required
  3. Data protection tools such as data loss prevention (DLP) and digital rights management (DRM) shall be implemented to prevent unauthorized disclosure of sensitive data.

About Ardent Privacy

Ardent's mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent's technology "TurtleShield" is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, deliver meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps to discover, identify, inventory, map, observe, and minimize personal, sensitive, and business-critical data at scale with an "oil drilling" approach, saving cost and reducing complexity.