The Future One 2010 Agency Universe Study done by the Big “I” reveals that on the average agencies have 1,188 personal lines customers including standard and non-standard auto, homeowners and specialty lines. Let’s say a producer lost a laptop that had customer information on it or a server was hacked. For the average agency that could translate into an expense of about $255,000 (1,188 customers X $214 cost per record).
Liability from cyber-attacks is on the rise and the media is constantly reporting on companies being hacked, exposing protected personal information. As an insurance agent you collect, use, and store personally identifiable information on a daily basis and in doing so have exposure to both regulatory penalties and potential first and third party liability. Included in Swiss Re Corporate Solutions' new policy form is coverage for 1st and 3rd party breach of personal data. The Personal Data Protection coverage, which is automatically afforded, provides limits of $10,000 per incident/$25,000 per policy period for a breach of the agency’s network security. Eligibility for 3rd party breach of personal data coverage, provided with a $1M policy sub-limit, is NOT automatic and is contingent upon the agency having security procedures in place to protect personal data and comply with various state and federal privacy laws.
Below are some things that every agency should be aware of when it comes to protecting your customers’ personal information. We will explore the agency’s general regulatory responsibilities for protecting personal data, the exposures faced by agencies, and provide some risk management guidance to help protect your operation and the data you keep. This information will provide you with a baseline understanding of what to consider in developing procedures to protect customer information and will help you take the necessary actions to position yourself to qualify for the 3rd party breach of personal data coverage under the Swiss Re E&O policy. You may also consider exploring the marketplace for a stand-alone policy offering increased limits and expanded coverage.
Things to Know About Data Breach Liability:
Why should my agency care about protecting personal data?
As an insurance agent you collect, use, and store what is likely considered personally identifiable information on a daily basis and in doing so you have an obligation to secure this information whether it is in electronic or paper form. Both state and federal privacy laws require businesses to implement and maintain reasonable procedures to protect personal data. Not doing so creates an exposure to financial loss in the way of fines and penalties, the cost of handling a data breach including the notification, third party liability for damages caused by the data breach, and the potential cost of replacing computer equipment. In addition, a data breach can have a devastating effect on the trust and loyalty of customers and can quickly ruin the reputation of the agency. Also keep in mind that the cost of implementing a security plan can be much less than the total cost of handling a data breach.
Is my agency legally required to protect personal information?
There are a number of federal laws that apply to protecting personal information, and as of today 46 states have laws on the books as well. Understanding how both state and federal laws apply to your information security procedures is important because the fines for not complying can cripple your business. A few of the federal laws that may apply are below, and you can also learn more by visiting the Legal Advocacy section of IIABA’s national website at www.iiaba.net:
· Fair Credit Reporting Act requires that information generated in consumers’ credit reports is kept secure.
· Gramm-Leach-Bliley Act applies to “financial institutions” and requires businesses to have reasonable procedures in place to ensure the security and confidentiality of customer information.
· Health Insurance Portability and Accountability Act (HIPAA) requires the security of health data.
In the past several years, many states have passed laws or regulations to protect the consumer’s personal information, so you need to be familiar with the requirements these impose on your operation. Understanding state and federal requirements is a daunting task. Here are some of the basic questions that you should consider when reviewing both federal and state laws:
a. Do I collect the types of personal information that are required to be protected?
b. Specifically, what information needs to be protected?
c. Are there differing definitions and requirements for protecting general personal information versus personal medical information?
d. What procedures need to be in place to protect personal information based on the nature and size of my business? What does my state consider reasonable procedures?
e. Are there different security requirements for personal data stored internally and data transferred outside of the business’ secure network?
f. What are considered up-to-date encryption methods?
g. How is a data breach defined?
h. What are my notification responsibilities should a breach occur?
The National Conference of State Legislatures website offers links to state legislation involving security breaches of personal information. Use it to familiarize yourself with the legislation in the states where you have customers.
What is the potential cost of a data breach to the average agency?
Civil penalties can be substantial for breaches of data, with penalties up to $150,000 per breach as an example in one state. Keep in mind that these are just penalties and don’t include the actual costs of handling a data breach, including notifying those parties affected, or the indirect costs the breach will have on the business in terms of loss of the trust of customers. A 2011 study by Symantec showed an average cost per compromised record of $214. The factors in their estimation included legal fees, disclosure expense to contact affected parties, consulting help, and implementing new technology and training. So what’s at stake for your agency? The exposure is staggering. For an average size agency the potential cost of a data breach is about $255,000. See the sidebar above for how that figure is determined. Unfortunately, the common reaction when numbers of that size are tossed out there is that IT COULDN’T HAPPEN TO ME!
What is considered private personal information that needs to be protected?
This may vary by state, but in general it is a first and last name in combination with other data elements. These may include:
· social security number
· driver’s license number
· financial account numbers or credit/debit card numbers along with security access codes or passwords
· health records
· policy numbers
What personal information do you have in your files?
The first step to protecting personal information is assessing what personal information you have in your files and who has access. Remember it’s not only data but all personal information, whether electronic, paper, or voice. Take the time to do an assessment looking at the flow of information both into and out of the agency. This includes archived data, data in transit over your system, mobile devices that may leave the office, and of course the paper files. Meet with all agency staff (sales, accounting, and HR) to get a better feel for their access, including finding out if any outside contractors store customer information. When inventorying customer information, keep in mind that information can be stored in or accessible through a number of different places both internally and externally, including file cabinets, PC hard drives and servers, laptops, cell phones, CDs, flash drives, carriers’ websites, call centers, and agency management system providers. Let the following help guide your discussion:
1. Who sends personal information to your business? Customers, carriers, or credit agencies?
2. How do you receive personal information? This can include email, website, fax, social media, or by mail.
3. What kind of personal information do you collect? Credit/debit cards, social security information, driver’s IDs?
4. Who is using that information and has access? Employees, carriers, customers, vendors.
5. Where is that information stored? Branch offices, file cabinets, files at home, servers, databases, disks, tapes, laptops, desktops, cell phones.
6. Is information accessible from outside the agency or on devices used in the field?
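One way to start the inventory above is to scan exported notes, e-mails or spreadsheets for the combination the article describes (a name together with a listed data element). The script below is an added example, not from the article or any Big “I” material; the POL- policy-number format and the “First Last” name heuristic are assumptions, driver’s license numbers are left out because formats vary by state, and the records it scans are constructed.

```python
import re

# Added example, not from the article: flag text records that meet the article's
# working definition of protected personal information, i.e. a first and last
# name together with at least one of the listed data elements. Driver's license
# formats vary by state and are left out; the policy-number pattern is assumed.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")   # crude "First Last" heuristic
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # 123-45-6789 form
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")        # card-number candidates
POLICY_RE = re.compile(r"\bPOL-\d{6,10}\b")            # assumed agency format

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so phone numbers and other digit runs are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_elements(text: str) -> set:
    """Set of listed data elements present in the text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if POLICY_RE.search(text):
        found.add("policy_number")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.add("card")
            break
    return found

def classify(text: str) -> list:
    """Elements found, but only when a name is also present (else [])."""
    elements = find_elements(text)
    return sorted(elements) if NAME_RE.search(text) and elements else []

def scan(records: dict) -> dict:
    """Map record id -> data elements for every record that needs protection."""
    return {rid: hits for rid, text in records.items() if (hits := classify(text))}

# Constructed sample records standing in for exported notes or e-mails.
SAMPLE = {
    "note-1": "Jane Doe called re SSN 123-45-6789 on her auto app",
    "note-2": "Renewal reminder, no customer details, call 555-0100",
    "note-3": "John Smith paid with 4111 1111 1111 1111, policy POL-0012345",
    "note-4": "Card 4111 1111 1111 1112 quoted without a name",
}
```

Records that carry a data element without a name, or a digit run that fails the Luhn check, are not flagged, which keeps the output focused on what the article says actually needs protecting.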
A key risk management measure to limit your exposure from data breaches is to keep only the data you need, and for only the length of time that you need it. Exercise care and implement a procedure for disposing of sensitive information. At least 29 states have laws governing the disposal of personal data. Federal and state guidelines may require the agency to dispose of personal information in specified ways, so familiarize yourself with the legislation in the states where you have customers. Remember, if it’s not in your system, it can’t be stolen.
What are some of the exposures agencies are facing in the protection of personal information?
Exposure to a breach of data is posed by both internal and external threats. They can also be considered both physical and virtual exposures. Internal protections start with the physical security of the data contained in the office. This includes the access to the premises and work areas including security of computers, servers, and the network. While computer hacking is on the rise, the majority of breaches occur from stolen or lost equipment. Here are some risk management considerations to combat physical threats:
· Secure the building with a security system for authorized access only.
· File cabinets should be locked and work stations clear of hard copy personal information.
· Secure the area containing network servers and limit access.
· Appropriately screen cleaning crews providing service.
· When employees leave the agency make sure that all agency owned security equipment (all keys) and computers are returned, and system access terminated.
· All agency computers and mobile devices should require passwords that must be changed every 90 days, and employees should log off or lock their computers when left unattended. Staff should not share passwords.
· Implement encryption software on all laptops and mobile devices, along with the ability to wipe them clean if lost.
· Don’t keep personal information on hard drives of desktops, laptops, and mobile devices.
· Do not leave portable devices unattended while out of the office, especially in cars.
Protecting data transmitted over the agency network and computers, portable devices, websites, and home computers is critical. There is exposure to data loss from viruses, hackers, spam, and malware. Specific attention needs to be paid to securing emails and personal information that is collected from the agency website. Agencies handle insureds’ applications on a daily basis, where information is transmitted to the agency and then to carriers. Here are some things you can do to protect against external threats:
· Use a network professional to ensure that all exposures are identified and addressed.
· Install strong firewall protection that is kept up-to-date to protect the agency network.
· Password-protect all agency WiFi connections.
· Implement virus and malware protection on servers, desktops, and portable devices and periodically update.
· All data back-ups should be password-protected and encrypted.
· Employees should always connect to the office through an SSL/VPN connection.
· If collecting personal information through your website or providing insureds access to policy information, be sure you are using an SSL connection (https).
· Check with carriers to verify data transmitted to them, including emails, is secure.
· Implement a solution to secure emails with both carriers and customers. Transport Layer Security (TLS) is a possible solution.
You may not be able to control what unsolicited information is transmitted to the agency or how, but once you have it in your possession it is your responsibility to protect it. We encourage you to make the investment to proactively work with an IT solutions provider to secure data, as opposed to incurring the costs after a data breach has occurred.
What resources are available to Big “I” members to help them address agency information security?
IIABA’s Agents Council for Technology (“ACT”) has developed information on protecting client information, which is available on the Big “I” Risk Management Website – E&O Happens under the "Publications and Media" tab and the menu item titled "Agents Council for Technology". A sample agency security plan is available as a starting point for the agency. The “Podcast” section also includes an excellent webinar recording entitled “Implementing an Effective Information Security Program in your Agency” and the most recent webinar, “Managing Agency E&O Exposure to Data Breaches and Cyber Liability”. To learn more about securing email using TLS encryption, the website also has several articles and a recorded webinar. These materials can also be found at www.iiaba.net/ACT.