The Chain of Consumer Data Security

One of the hottest topics these days is data security. Target, Home Depot, Sony, Ashley Madison, eBay, and the federal government’s Office of Personnel Management are just a few of the entities that have had data breaches in the public eye. Financial services, including insurance companies, haven’t been immune either. Anthem, JPMorgan Chase, Premera Blue Cross Blue Shield, and others have fallen victim to data breaches. As a result, we are witnessing a torrent of activity from lawmakers and regulators as they seek to require entities to take adequate precautions to safeguard consumer data.

An example of this regulatory action occurred in April of last year. The NAIC Cybersecurity Task Force adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance. Twelve principles were enumerated and provided expectations for insurance regulators, insurance carriers, producers, and other regulated entities. This same task force, in October of last year, adopted the Cybersecurity Bill of Rights, which laid out the rights of insurance consumers. Beyond insurance regulatory actions, cybersecurity bills have been introduced in Congress and states have been passing additional laws or enhancing existing laws pertaining to data security.

Protecting consumer information is clearly a priority for insurance carriers these days. Beyond the regulatory environment, the potential costs of a data breach are substantial, to say the least. The 2015 Cost of Data Breach Study conducted by Ponemon Institute showed that the average consolidated total cost of a data breach is $3.8 million. Larger breaches, however, can obviously cost much more. For example, the Anthem data breach is estimated to cost the insurer well over $100 million. The JPMorgan Chase data breach is estimated to cost $1 billion (according to Protection Group International) despite the bank spending $250 million annually on cybersecurity.

While insurance carriers (and often IMOs) have IT and compliance professionals to assist them with data security, agents typically don’t have the same resources available. As a result, agents can be a weak link in the chain of consumer data security. It therefore makes sense for insurance carriers and IMOs to offer guidance and support to their agents in an effort to help protect consumers, agents, and ultimately those same IMOs and insurance carriers.

Here is an example of the type of information that insurance carriers and IMOs can share with agents:

Five Easy Ways that Agents Can Create a More Secure Agent Office Environment:
  1. Data Security Policy
    • Establish a policy for safeguarding your client data. It is critical that you and your employees know what should be done to protect client data. Having a written policy could also help demonstrate that you are conscientious about protecting client data, which could help reduce your exposure in the case of a regulatory investigation or litigation.
    • Provide regular training to your employees on the policy. The 2015 Data Breach Investigations Report by Verizon (“The Verizon Report”) showed that the top four attack patterns that accounted for nearly 90% of all incidents involved people. Regular training helps reinforce the importance of the policy and improves consistency in employee performance.
    • Periodically test for compliance with the policy (e.g., conduct a mini “audit” over the lunch hour or after employees have left in the evening). You will learn who may need additional training.
  2. Systems and Software
    • Have a firewall to prevent unauthorized access to your systems.
    • Utilize good anti-virus software and keep it up-to-date.
    • Install software security patches when they become available – especially those designed to fix security vulnerabilities.
    • Require strong passwords for all system access (including email) and on computers, laptops, tablets, phones, routers, etc. Microsoft offers tips for creating a strong password. In addition, passwords should be changed regularly, and all computers and devices should be secured (require the password to be entered) when not in use. This will help prevent unauthorized access to or viewing of confidential information by clients, the office cleaning service, family members, guests, FedEx delivery personnel, etc. Passwords should not be written down and left where someone could find them (e.g., on a sticky note under a keyboard).
  3. Email
    • Encrypted email should be utilized whenever any confidential information will be sent or received via email. A wide selection of email encryption software is available to meet the needs of businesses of all sizes.
    • Train employees how to identify suspicious emails and not to open the emails or attachments. The Verizon Report showed that 23% of people who received phishing messages opened them and 11% opened the attachments.
  4. Physical Security
    • Ensure the office is secure after hours. This seems obvious, but consider the following examples:
      • The cleaning service may leave the door(s) unlocked while they are working, which could allow someone to enter the office undetected. The cleaning service may also forget to secure the office once they are done cleaning.
      • If a home office is utilized, other family members or guests may have access to confidential information.
      • Others may have access to the office after hours (property management, maintenance personnel, other service providers, etc.).
    • Ensure consumer data isn’t available to unauthorized individuals. Examples include, but are not limited to:
      • Lock up all confidential information before leaving each day and during the day when others (e.g., clients, guests, service providers) are present. In other words, don’t leave client files, notes, statements, illustrations, applications, flash drives, etc. out for anyone to see or take. Don’t forget to lock any file cabinets or storage areas that have this type of information as well.
      • Confidential information should not be left on copiers, fax machines, printers, etc.
      • Unneeded documents should be shredded or placed into a secure bin for shredding at a later time or by a shredding service.
    • Keep laptops, tablets, phones and other devices secure at all times. Many electronics with confidential information are stolen from cars, restaurants, etc. Keep these items with you or at least secure them out of sight (e.g., in the trunk of a locked car).
    • Electronic equipment such as printers, copy machines, scanners, and fax machines often use digital technology and may retain a copy of everything that passes through them on a hard drive. Before disposing of any equipment, ensure that the hard drive is erased to prevent someone from accessing confidential information later. This obviously applies to computers and other devices as well. Microsoft offers guidance on disposal of computers and other devices. In addition, you can always contact the manufacturer of the equipment or the company from whom you leased the equipment for guidance, or hire a data security specialist to assist you with erasing hard drives.
  5. Breach Response Plan
    • Have a plan in the event there is a data breach. Knowing what to do and who to contact ahead of time will make the process easier and ensure nothing gets overlooked.
    • Know insurance carrier requirements. Insurance carriers typically require agents to provide them with prompt notification of a data breach, cooperate in determining which consumers are affected, and assist with remediation efforts.
    • As with any plan, practice is recommended. Practicing will help identify missing steps and allow a chance to update anything that has changed since the plan was developed.

Data security requirements will likely continue to grow over time. Only by enhancing measures along the entire chain of consumer data security can the risk be effectively managed. Take the time to provide guidance and insights to agents with whom you work. After all, working to prevent a data breach is still the most prudent strategy for managing this risk and could save everyone’s time, money, and reputation.

Roger Hayashi, CLU®, ChFC®, Co-Director: Compliance and Risk Mitigation Assistance Program, brings over 25 years of experience in the insurance and financial services industry. He has held compliance management roles in a number of large insurance companies and broker-dealers and leverages this experience to assist clients with their unique compliance needs, including risk assessment and remediation, sales practice issues, policy and procedure development and/or enhancement, training, and other consulting services as requested by our clients.