Nationwide Is Not On Your Side: Dangers of Retained Sensitive Data

December 10, 2012


A few days ago this headline came out: “Hackers steal customer info from insurance provider Nationwide.” Apparently some folks broke into Nationwide’s network in October and made away with a lot of personally identifiable information, including Social Security numbers, dates of birth, etc. Why? Why did they have all this information in the first place? It’s not ALL required for insurance. Social Security numbers are used strictly as identifiers. The only time they are REQUIRED for insurance purposes is if the insured also participates in Medicare. And it’s not just Nationwide. It’s pretty much EVERY insurance company, insurance broker, insurance trust and on and on. We need to be cautious about giving out personal information, while companies need to be careful about what they keep as retained sensitive data.


When I started with Caliber Security Partners in early November, one of the first things I did was attempt to enroll in the healthcare plan that is offered. I filled out all the paperwork detailing names, birth dates, medical history, etc., but I left the spaces for Social Security numbers for me and my family blank. I’ve done it before; sometimes there aren’t any issues, sometimes there are. This time there was. I immediately got a call from our health insurance contact, who said I must have forgotten to include Social Security numbers. “No,” I told them, “I left them intentionally blank as they aren’t necessary.” I was then informed, like I am almost every time, that they can’t process the enrollment without the numbers because the insurance company requires them.

I don’t blame this person for not knowing the law, so I politely informed them that no, in fact the insurance company doesn’t require the numbers and that the only place in federal law where it states that Social Security numbers are to be collected is when the insured is also participating in Medicare. We’re not participating in Medicare, therefore the numbers aren’t required and I’m not going to provide them.


Then we went through the whole spiel about how if the insurance company didn’t need them they wouldn’t ask for them, etc. What is it about people and feeling compelled to fill in the blanks on a form? It’s okay to leave some spaces blank. Anyway, I reiterated that I’m not going to provide them, that they’re not required and that if they don’t believe me they should call the insurance company directly. “I’ll be in touch,” they told me. I haven’t heard from them since, but I received confirmation of my enrollment a couple of days ago. What’s the point of this story? There are two.

  1. If someone asks for sensitive information, or information that you don’t want to give out, ask them if it’s required. If not, politely inform them that you’re not comfortable sharing it.
  2. If you own a company, whether it’s insurance or anything else, make sure you are collecting JUST the information you are required to collect and that you need in order to provide services to your customers. No more. If you aren’t collecting it, you don’t have to worry about protecting it and your customers don’t have to deal with all the pain when your systems get hacked and the information is stolen. Everybody wins.