One of the hottest topics these days is data security. Target, Home Depot, Sony, Ashley Madison, eBay, and the federal government’s Office of Personnel Management are just a few of the entities that have had data breaches in the public eye. Financial services, including insurance companies, haven’t been immune either. Anthem, JPMorgan Chase, Premera Blue Cross Blue Shield, and others have fallen victim to data breaches. As a result, we are witnessing a torrent of activity from lawmakers and regulators as they seek to require entities to take adequate precautions to safeguard consumer data.
An example of this regulatory action occurred in April of last year. The NAIC Cybersecurity Task Force adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance. Twelve principles were enumerated and provided expectations for insurance regulators, insurance carriers, producers, and other regulated entities. This same task force, in October of last year, adopted the Cybersecurity Bill of Rights, which lay out the rights of insurance consumers. Beyond insurance regulatory actions, cybersecurity bills have been introduced in Congress and states have been passing additional laws or enhancing existing laws pertaining to data security.
It makes sense that smaller organizations are often targets for those seeking to steal data. Smaller organizations typically don’t have IT departments, Compliance personnel, Internal Auditors, and huge budgets to protect consumer information. As a result, it may be easier for thieves to steal from these smaller organizations.
Protecting consumer information should clearly be a priority for agents. If an agent has consumer information become lost or stolen, that could quickly cause a dramatic loss of reputation and business for that agent.
Here are five easy steps for agents to take:
- Data Security Policy
- Establish a policy for safeguarding your client data. It is critical that you and your employees know what should be done to protect client data. Having a written policy could also help demonstrate that you are conscientious about protecting client data which could help reduce your exposure in the case of a regulatory investigation or litigation.
- Provide regular training to your employees on the policy. The 2015 Data Breach Investigations Report by Verizon (“The Verizon Report”) showed that the top four attack patterns that accounted for nearly 90% of all incidents involved people. Regular training helps reinforce the importance of the policy and improves consistency in employee performance.
- Periodically test for compliance with the policy (e.g., conduct a mini “audit” over the lunch hour or after employees have left in the evening). You will learn who may need additional training.
- Systems and Software
- Have a firewall to prevent unauthorized access to your systems.
- Utilize good anti-virus software and keep it up to date.
- Install software security patches when they become available – especially those designed to fix security vulnerabilities.
- Require strong passwords to be utilized for all system access (including email) and on computers, laptops, tablets, phones, routers, etc. Microsoft offers tips for creating a strong password (https://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password). In addition, passwords should be changed regularly and all computers and devices should be secured (require the password to be entered) when not in use. This will help prevent unauthorized access or viewing of confidential information by clients, the office cleaning service, family members, guests, FedEx delivery personnel, etc. Passwords should not be written down and left where someone could find them (e.g., on a sticky note under a keyboard).
- Encrypted email should be utilized whenever any confidential information will be sent or received via email. A wide selection of email encryption software is available to meet the needs of businesses of all sizes.
- Train employees how to identify suspicious emails and not to open the emails or attachments. The Verizon Report showed that 23% of people who received phishing messages opened them and 11% opened the attachments.
- Physical Security
- Ensure the office is secure after hours. This seems obvious, but consider the following examples:
- The cleaning service may leave the door(s) unlocked while they are working which could allow someone to enter the office undetected. The cleaning service may also forget to secure the office once they are done cleaning.
- If a home office is utilized, other family members or guests may have access to confidential information.
- Others may have access to the office after hours (property management, maintenance personnel, other service providers, etc.).
- Ensure consumer data isn’t available to unauthorized individuals. Examples include, but are not limited to:
- Lock up all confidential information before leaving each day and during the day when others (e.g., clients, guests, service providers) are present. In other words, don’t leave client files, notes, statements, illustrations, applications, flash drives, etc. out for anyone to see or take. Don’t forget to lock any file cabinets or storage areas that have this type of information as well.
- Confidential information should not be left on copiers, fax machines, printers, etc.
- Unneeded documents should be shredded or placed into a secure bin for shredding at a later time or by a shredding service.
- Keep laptops, tablets, phones and other devices secure at all times. Many electronics with confidential information are stolen from cars, restaurants, etc. Keep these items with you or at least secure them out of sight (e.g., in the trunk of a locked car).
- Electronic equipment such as printers, copy machines, scanners, and fax machines often use digital technology and may retain a copy of everything that passes through them on a hard drive. Before disposing of any equipment, ensure that the hard drive is erased to prevent someone from accessing confidential information later. This obviously applies to computers and other devices as well. Microsoft offers guidance on disposal of computers and other devices (https://www.microsoft.com/security/online-privacy/safely-dispose-computers-and-devices.aspx). In addition, you can always contact the manufacturer of the equipment for guidance, the company from whom you leased the equipment, or hire a data security specialist to assist you with erasing hard drives.
- Breach Response Plan
- Have a plan in the event there is a data breach. Knowing what to do and who to contact ahead of time will make the process easier and ensure nothing gets overlooked.
- Know insurance carrier requirements. Insurance carriers typically require agents to provide them with prompt notification of a data breach, cooperate in determining which consumers are affected, and assist with remediation efforts.
- As with any plan, practice is recommended. Practicing will help identify missing steps and allow a chance to update anything that has changed since the plan was developed.
Data security requirements will likely continue to grow over time. Take the time to protect your practice by protecting consumer information. After all, working to prevent a data breach is still the most prudent strategy for managing this risk and could save everyone’s time, money, and reputation.