Protecting customer information from identity theft
It seems that hardly a day goes by when the term "identity theft" is not mentioned in national news headlines. The issue goes far beyond just threats to individual consumers. Third parties, such as insurance agencies that handle customers’ sensitive personal information, also need to educate themselves about the issue and take all possible steps to prevent becoming a victim of this growing problem.
The following report was prepared by the ACT Emerging Security Issues Work Group, which includes agent, carrier and vendor volunteers working to enhance the security of independent agencies and carriers. It contains some valuable information and advice on this timely topic.
Highlights of the report
- The federal Gramm-Leach-Bliley Act (GLBA) requires independent agencies and brokers to proactively implement administrative, technical and physical safeguards to protect customer non-public personal information. See “Key Considerations in Setting Up & Implementing an Agency Security Policy” below for practical guidance.
- Many agencies are also now covered by a state identity theft law which may require an agency to notify a customer and take other remedial steps (such as procuring credit reports for the customer) if the agency is involved in the customer’s non-public personal information being lost, stolen, misdirected or otherwise the subject of a security breach. Many of these laws, however, provide a safe harbor if the affected data is encrypted.
- Beyond the legal requirements, being proactive about securing customer personal information is just good business, given the devastating impact of having to notify customers that their most sensitive information may have been compromised. In addition, taking proactive steps to prevent a security breach is very likely to be less costly than cleaning up the mess that typically occurs after a breach has occurred.
- Many agencies are surprised to learn that the most significant security threats they face are not posed by external parties hacking into their systems. See “The Three Biggest Security Threats Most Agencies Face” for more information.
- Backups represent a major security risk. The work group recommends that backups be encrypted and kept in a secure place. Many of the identity theft cases involve backups.
- There has been a proliferation of PCs, portable devices and removable media (Zip drives, memory sticks, CDs) taken outside of agencies, potentially creating a major new security risk for agencies. Agencies are encouraged to have their security policy address each of these items specifically. Agents should not store customer and policy information on them, if at all possible. Rather, it is preferable that this sensitive information be accessed from the agency’s system through a password-protected Virtual Private Network when needed. If there is a possibility customer and policy data will be kept on these devices, then the work group recommends that the data be encrypted. Many of the identity theft cases involve lost or stolen PCs and other types of portable devices.
- Agencies should avoid sending customer non-public personal information by unsecured e-mail, because regular e-mail is like sending an open postcard through the mail. The report presents several additional recommendations to help protect data while in transit to and from the agency.
If an agency handles individually identifiable health information for clients or employees, then it also may be subject to the federal HIPAA law. (For more on HIPAA, see www.independentagent.com/act, “Agency Improvement Tools.”)
Key considerations in setting up and implementing an agency security policy
A successful security strategy requires that an agency take proactive steps and implement multiple layers of protection. No single security measure is adequate by itself. Some of the major steps for an agency to consider taking include:
- Thinking through and then implementing a security policy based upon an assessment of the specific risks your agency faces.
- Developing and implementing written security procedures.
- Employee education and training on all of the security risks, the security policy and the procedures.
- Conducting security audits by outside experts periodically to identify security “holes.”
- Taking specific steps to secure the physical perimeter of the agency, escorting any guests in the office and prohibiting guests from accessing agency systems while in the office.
- Implementing password-protected firewalls that protect the perimeter of your systems from intrusion by unauthorized persons and viruses.
- Diligently managing passwords so that only authorized persons gain access to your system, their identity is authenticated, and terminated employees’ access is immediately cut off.
- Limiting employee access so that employees only view the information they need to see.
- Implementing the latest versions of anti-virus, anti-spam and intrusion-detection software on desktops, servers, PCs and other portable devices, continuously updating them and activating automatic updates wherever possible.
- Auditing employee activity regularly for compliance with the security policy and procedures.
- Monitoring systems traffic continuously for unusual activity that indicates a breach may have occurred.
- Implementing specific procedures for backups, PCs, home computers, portable devices and removable media. Keep non-public customer and policy information off of these devices wherever possible and encrypt them when they contain such sensitive data.
The three biggest security threats most agencies face
While a security threat can come at an agency from many directions, the following threats are probably most likely to cause the typical agency to experience a security breach:
- An employee theft or inadvertent mistake that exposes customers’ personal information to unauthorized parties. (An example of an inadvertent mistake would be opening an e-mail attachment from an unknown source that contains a virus.)
- Physical loss or theft of a computer, portable device, back-up tape or other removable media – all containing customers’ non-public personal information. As these devices have become more portable and they are regularly taken outside the agency premises, this security risk has multiplied significantly. Also, the substantial risk of a break-in to the agency’s offices and the theft of its computers is often overlooked when an agency develops its security policy.
- Loss or theft of a password permitting unauthorized individuals to gain access to customers’ personal information.
Some common sense precautions to consider to mitigate these security threats
- No more passwords on sticky notes. Passwords should be kept hidden and private. Agents should note that their carrier agreements are likely to make them responsible if an unauthorized party gains access to the carrier’s systems using an agency password.
- Escort your visitors throughout the office. Know your night-time cleaning crew.
- Desktops should be password protected, and employees should log off of their system when they go to lunch, attend a meeting or leave in the evening.
- How secure is your physical office when you leave in the evening?
- Keep non-public customer and policy information off of PCs, portable devices and removable media. Encrypt any of this non-public electronic information that leaves the agency office, whenever possible.
- Encrypt backups and keep them in a secure place.
- Ask yourself: Do I even need to be keeping particular types of sensitive personal information in my system, or can I just pull it from a third party source when I need it?
- Would I be better off housing my systems and/or my backups in a hosted data center employing 24 hour security, the latest security technologies, procedures and data traffic monitoring, and perhaps even an armed guard?
Protecting agency data while in transit
Some of the important steps and approaches for an agency to consider to protect data in transit include:
- When agency employees seek to access customer and policy data remotely from the agency’s system using a PC, home computer or other portable device, the entry of an individual password should be required to access the agency system and that transmission should be secured and encrypted, wherever possible.
- Unsecured e-mail – including unencrypted insurance applications and other attachments – is analogous to sending an open postcard through the mail. Agencies should be mindful of this when they need to transmit customer non-public personal information to carriers and customers. Real-time interfaces, in contrast, enable the agency to send policy data to carriers in a secured and encrypted manner. If real-time is not available, then the agency should consider using desktop faxing to transmit application information to carriers. The industry is actively working on recommendations to enable agencies and carriers to send secure e-mail to each other using a consistent and efficient workflow.
- When interacting with your agency system remotely using a wireless connection, it is important to connect through your agency’s virtual private network (VPN). The WEP encryption protocol provided with the wireless connection can be easily broken by a determined hacker. (The WPA encryption protocol is much more secure than WEP.)
- When you deploy wireless access points, understand that you run the risk of extending your network outside of your building. This technology raises a number of specific security issues that are best handled by a technology professional.
To drill down into these issues more deeply, go to www.independentagent.com/ACT, “Agency Improvement Tools” for the full electronic version of this report (with additional details), as well as for ACT’s other reports on agency security. For more information about the ACT Emerging Security Issues Work Group, or ACT (Agents Council for Technology), please contact Jeff Yates, ACT’s Executive Director, at jeff.yates@iiaba.net.
This article reflects the views of the author and should not be construed as an official statement by ACT.