Under Lock & Key

How Pacific Blue Cross's David Crumpton works with employees daily to improve security

David Crumpton is as enthusiastic about learning as he is about doing his job well. He has four degrees—a BS in science, an MBA, a JD, and an MA—and four certifications—certified privacy specialist, certified internal auditor, fraud examiner, and group benefits associate. He has served as an officer in the Canadian military, is a long-distance runner, does yoga and weight training regularly, and continues to take classes to improve his skills.

Today is the age of big data, and no industry is more inundated with it than insurance. From monthly statements, to complete medical histories, to customer service records, to credit card numbers, insurers collect tens of millions of bytes of consumer information to maintain a competitive edge.

The data allows the companies to conduct deep analyses of customer behaviour and helps uncover new service opportunities, eliminate unprofitable ones, and target the right services to the right customers at the right time. However, the information’s incredible value also puts it at risk of being hacked, stolen, or even accidentally misplaced, so protecting it all is a full-time job. At nonprofit insurance provider Pacific Blue Cross (PBC), that job belongs to David Crumpton, whose educational and collaborative initiatives are constantly improving the organization’s security.

PBC is the largest provider of health and dental benefits in British Columbia, serving 1.5 million members through 8,000 employer plans, and Crumpton is its in-house corporate counsel, director of compliance, and chief privacy officer. As the steward of privacy and one of the people responsible for ensuring the safety of all PBC’s data, Crumpton has a hand in anything and everything that might generate member information.

Take, for instance, MyGoodHealth.ca, a wellness website launched last year—by Pacific Blue Cross and other Blue Cross Canada organizations—where people can find information on everything from eating healthy to exercising and managing the stress in their lives.

“I was heavily involved in understanding the types of information this site would be collecting and what would be done with it,” Crumpton says.

People today are more concerned than ever about how their personal data is being handled, and Crumpton must ensure their trust isn’t breached.

By the Numbers

#1
PBC is the biggest provider of health and dental benefits to the private sector in British Columbia

1993
The year David Crumpton joined CU&C Health Services Society (PBC’s predecessor)

200
Number of terabytes of data PBC has on file

1.5 m
Number of members PBC serves

$220k
Amount PBC gave back to the British Columbia community in 2012

He provides privacy training to new employees as part of their orientation to PBC and to new customer service representatives in the company’s call centre. “We work hard here to raise awareness about data protection and privacy among our 700 employees and consultants,” he says. “I make sure people get the training they need and understand the importance of handling personal information, whether it’s for customers or employees.”

On the rare occasion when a mistake does happen, he instructs the service staff to make every correction possible and to take the opportunity to learn from the experience and make sure it doesn’t happen again.

Crumpton also works diligently with the information security team to come up with ideas for improving processes. “I try to share insights that may have come to my attention from feedback from our members, stakeholders, and our employees about potential problems, and they share things with me on changes that are happening to our firewalls and other internal security changes we’re undergoing,” he says. “We’re constantly trying to update our system and adopt data best practices in the industry. We have to. It’s a moving target.”

One notable practice PBC adopted came as a result of the nonprofit’s desire to be transparent with the handling of personal information. “There is no legal requirement under BC’s Personal Information Protection Act to notify persons of a privacy breach,” Crumpton says. Nonetheless, he adds, “We decided it was important to provide notification in those rare cases when we make a mistake. Our approach of breach notification has been well received by our members and stakeholders.”

Going forward, as the amount of data PBC collects and the number of ways the organization uses it both continue to grow, Crumpton is committed to finding new and better methods for protecting member privacy and reducing data risk. “We’re currently exploring the possibility of creating a privacy [and] information-security steering group to provide advice and to help control and manage the personal and confidential information we collect,” Crumpton says. He and his team can only rest knowing the data’s as safe as it can be.