A breach of the Washington State Department of Licensing’s Professional Online Licensing and Regulatory Information System (POLARIS) database may have exposed the personal information of more than a quarter of a million professionals.
POLARIS doesn’t house insurance licenses, so Washington insurance professionals aren’t widely affected, with the exception of some insurance professionals who maintain other professional licenses.
Washington State has a recent history of data breaches
This data breach is a bit of deja vu following the 2020 data breach of the state’s unemployment system, which exposed more than 1.5 million users’ data – people who were already reeling from unemployment woes at the time.
Hopefully this doesn’t portend future trends for the state, but for some people, this is a double-whammy of personal information exposure. And it’s a reminder of the importance of both institutional-level data protection and personal-level privacy precautions. One person interviewed by the Times noted they hadn’t owned a business in Washington for 15 years, yet their Social Security number is now for sale from the breach.
Other reports note that POLARIS is maintained by Salesforce, yet there are no indications that the breach comes from Salesforce’s end. Washington’s professionals and government partners all await the cybersecurity report anxiously in order to have some closure and knowledge of how to stop and prevent these cyber breaches.
How professionals can work without POLARIS
Since late January 2022, Washington professionals trying to renew their licenses have been in limbo. The state has pulled down POLARIS and hired a third-party cybersecurity firm to sweep the system to discover the point of exposure, but in the meantime, professionals in bail bonds, real estate, and funeral directing (among others), have a slightly more manual option.
Instead of renewing, professionals doing business in Washington can submit an Intent to Renew form to the Washington Department of Licensing. By declaring an intent to renew your license, the state said, “Once submitted, we will not take action against your license based on its expiration date while POLARIS is down.”
Meanwhile, professionals are left scrambling to understand if their data is now for sale on the scummiest corners of the internet. State officials have organized a call center for those who have specific questions about the incident, which is available from 8 a.m. to 5 p.m. Pacific Time: 855-568-2052.
The future of cybersecurity
As we’ve heard about these breaches with increasing frequency, hopefully our state- and institutional-level cybersecurity practices will evolve. Cyber threats are becoming more sophisticated and rampant every day, but most of us expect our Social Security numbers and other sensitive personal information to be safe.
Whether it’s your phone company or state government, an apology and a retroactive investigation don’t seem adequate when you’re scrambling to freeze your credit and call your bank. As we’ve discussed before, insurance carriers can lead the charge by requiring clients to implement robust preventative measures before extending cyber coverage.
From an institutional perspective, we hope to see more businesses and, yes, even state governments, adopt some of the following practices for better data protection:
Have a plan: Whether it’s ransomware or a data breach, planning in advance can keep you from making panicked decisions and having emotions-based reactions.
Prevention through security audits: No matter how large or small the institution, having a third party proactively audit your security system for vulnerabilities can go a long way toward insulating your organization from attacks.
Establish a data chain of responsibility: Understanding who is in control of what data and when, who has access to sensitive information, and reviewing whether that is absolutely necessary on a regular basis is critical to monitoring safe data maintenance.
Shelf-life and expiration: We can’t be the only ones who think having your Social Security number leaked from records associated with your business that closed 15 years ago is… disappointing. The future of data security will be partially reliant on continued conversations about what to do with data after it has reached the limits of practical purpose. We will need to balance safeguarding records that are no longer part of a living data ecosystem but that still have practical long-term historical value.
From a personal perspective, some of the same principles apply. While you can’t help what the state does with your information, some of the earliest flags of the data breach came from individuals who pay for personal data monitoring services and privacy protection. When their information began appearing on the dark web, they received alerts within hours or days. This monitoring is a good canary-in-the-coal-mine approach to preventing identity theft. And practicing good personal information hygiene is essential both to proactively prevent incidents and to react quickly if and when they occur.
While the insurance industry largely avoided this particular incident, cybercrime is on an upswing. If you’re interested in working on the leading edge of data security when it comes to managing your insurance professionals and their information, check out AgentSync.