ERRORS & OMISSIONS DATA BREACH LIABILITY: IT’S SERIOUS BUSINESS
WISCONSIN INDEPENDENT AGENT
NOVEMBER 2012

Will Your Agency Information Security Procedures Allow You Coverage Benefits?

Liability from cyber attacks is on the rise, and the media is constantly reporting on companies being hacked, exposing protected personal information. What’s an agency to do to protect its clients’ information? This article will shed some light on this topic.

Why should my agency care about protecting personal data?

As an insurance agent you collect, use, and store what is likely considered personally identifiable information on a daily basis, and in doing so you have an obligation to secure this information whether it is in electronic or paper form. Both state and federal privacy laws require businesses to implement and maintain reasonable procedures to protect personal data. Not doing so creates an exposure to financial loss in the way of fines and penalties, the cost of handling a data breach including notification, third-party liability for damages caused by the data breach, and the potential cost of replacing computer equipment. In addition, a data breach can have a devastating effect on the trust and loyalty of customers and can quickly ruin the reputation of the agency. Also keep in mind that the cost of implementing a security plan can be much less than the total cost of handling a data breach.

So what’s at stake for your agency? The exposure is staggering. For an average size agency the potential cost of a data breach per agency is about $255,000. See the sidebar below for how that figure is determined. Unfortunately, the common reaction when numbers of that size are tossed out there is that IT COULDN’T HAPPEN TO ME!

Sidebar: What is the potential cost of a data breach to the average agency?

Civil penalties can be substantial for breaches of data, with penalties up to $150,000 per breach as an example in one state. Keep in mind that these are just penalties and don’t include the actual costs of handling a data breach, including notifying those parties affected, or the indirect costs the breach will have on the business in terms of loss of the trust of customers. A 2011 study by Symantec showed an average cost per compromised record of $214. The factors in their estimation included legal fees, disclosure expense to contact affected parties, consulting help, and implementing new technology and training. The Future One 2010 Agency Universe Study done by the Big “I” reveals that on average agencies have 1,188 personal lines customers, including standard and non-standard auto, homeowners and specialty lines. Let’s say a producer lost a laptop that had customer information on it or a server was hacked. For the average agency that could translate into an expense of about $255,000 (1,188 customers x $214 cost per record).

Is my agency legally required to protect personal information?

There are a number of federal laws that apply to protecting personal information, and as of today 46 states have laws on the books as well. Understanding how both state and federal laws apply to your information security procedures is important because the fines for not complying can cripple your business. A few of the federal laws that may apply are below, and you can also learn more by visiting the Legal Advocacy section of IIABA’s national Website at www.iiaba.net:

• Fair Credit Reporting Act requires that information generated in consumers’ credit reports is kept secure.
• Gramm-Leach-Bliley Act applies to “financial institutions” and requires businesses to have reasonable procedures in place to ensure the security and confidentiality of customer information.
• Health Insurance Portability and Accountability Act (HIPAA) requires the security of health data.

In the past several years many states have passed laws or regulations to protect the consumer’s personal information, so you need to be familiar with the requirements these impose on your operation. Understanding state and federal requirements is a daunting task. Here are some of the basic questions that you should consider when reviewing both federal and state laws:

• Do I collect the types of personal information that are required to be protected? Specifically, what information needs to be protected?
• What procedures need to be in place to protect personal information based on the nature and size of my
• Are there different security requirements for personal data stored internally and data transferred outside of the
• Are there differing definitions and requirements for protecting general personal information versus personal
• What is considered up-to-date encryption methods?
• How is a data breach defined?
• What are my notification responsibilities should a breach occur?

The National Conference of State Legislatures Website (ncsl.org) offers links to state legislation involving security breaches of personal information.

What is considered private personal information that needs to be protected?

This may vary by state, but in general it is a first and last name in combination with other data elements. These may include:

• Social security number.
• Driver’s license number.
• Financial account numbers or credit/debit card numbers along with security access codes or passwords.
• Health records.
• Policy numbers.

What personal information do you have in your files?

The first step to protecting personal information is assessing what personal information you have in your files and who has access. Remember it’s not only data but all personal information, whether electronic, paper, or voice. Take the time to do an assessment looking at the flow of information both into and out of the agency. This includes archived data, data in transit over your system, mobile devices that may leave the office, and of course the paper files. Meet with all agency staff (sales, accounting, and HR) to get a better feel for their access, including finding out if any outside contractors store customer information. When inventorying customer information, keep in mind that information can be stored in or accessible through a number of different places both internally and externally, including in file cabinets, on PC hard drives and servers, laptops, cell phones, CDs, flash drives, carriers’ Websites, call centers, and agency management system providers. Let the following help guide your discussion:

• Who sends personal information to your business? Customers, carriers, or credit agencies?
• How do you receive personal information? This can include e-mail, Website, fax, social media, or by mail.
• What kind of personal information do you collect? Credit/debit cards, social security information, driver’s IDs? Who is using that information and has access? Employees, carriers, customers, vendors?
• Where is that information stored? Branch offices, file cabinets, files at home, servers, database, disk tapes, laptops, desktops, cell phones?
• Is information accessible from outside the agency or on devices used in the field?

A key risk management measure to limit your exposure from data breaches is to keep only the data you need, and only for the length of time that you need it. Exercise care and implement a procedure for disposing of sensitive information. Currently, 29 states (including Wisconsin) have laws governing the disposal of personal data. Wisc. Stat. §134.97 specifies how an agency should dispose of personal information. Remember, if it’s not in your system, it can’t be stolen.

What are some of the exposures agencies are facing in the protection of personal information?

Exposure to a breach of data is posed by both internal and external threats. They can also be considered both physical and virtual exposures. Internal protections start with the physical security of the data contained in the office. This includes access to the premises and work areas, including security of computers, servers, and the network. While computer hacking is on the rise, the majority of breaches occur from stolen or lost equipment. Here are some risk management considerations to combat physical threats:

• Secure the building with a security system for authorized access only.
• File cabinets should be locked and work stations clear of hard copy personal information.
• Appropriately screen cleaning crews providing service.
• Secure the area containing network servers and limit access.
• When employees leave the agency, make sure that all agency-owned security equipment (all keys) and computers are returned, and system access terminated.
• All agency computers and mobile devices should require passwords that must be changed every 90 days, and employees should log off or lock their computers when left unattended. Staff should not share passwords.
• Implement encryption software on all laptops and mobile devices, along with the ability to wipe them clean if lost.
• Don’t keep personal information on the hard drives of desktops, laptops, and mobile devices.
• Do not leave portable devices unattended while out of the office, especially in cars.

Protecting data transmitted over the agency network and computers, portable devices, Websites, and home computers is critical. There is exposure to data loss from viruses, hackers, spam, and malware. Specific attention needs to be paid to securing e-mails

CONTINUED ON NEXT PAGE