Data Security Nightmares
By: Russ Banham
The inordinate time, money and effort it takes for independent agents to secure their firms’ IT systems and customer personal information could better be spent elsewhere—like sales. While systems and data security will never disappear as a major agency concern, there are ways to spend less energy addressing the threats, preserving more time to compete for business and serve client needs.

Innovative technologies are available to combat viruses, spam and data breaches; efficient methods are accessible to secure emails and attachments that are routinely exchanged among agents, carriers and other partners; and initiatives are underway to pare down or eliminate the vast array of user names and passwords required to transact business.

As Jeff Yates, longtime executive director of the Agents Council for Technology, puts it, “Dramatic advances in security have come to the forefront.”

Just in time, too. A hodgepodge of complex and oft-confusing laws requires more focus on data security issues involving customer and employee personally identifiable information. The cost of failing to comply with these regulations is significant, not to mention the reputational repercussions of a publicized data breach. As society and the business world become more mobile, these risks proliferate. Lost smartphones, tablets and laptops create serious exposures, but so do unsecured websites, content and emails. One problem is that sometimes the cure can be worse than the ailment—as is the case with multiple user IDs and passwords to secure transactions.

Awareness Grows

The biennial Agency Universe survey recently published by Future One, a cooperative effort of the Big “I” and more than 16 leading independent insurance agency companies, asked respondents what they considered to be the most important technology challenge confronting agencies today.
The top two responses were “protecting the security of agency systems and confidential information” (44%) and “ensuring confidentiality of data transmitted” (40%). Both issues jumped ahead of the top challenge cited two years ago—creating an effective Internet marketing presence.

Yates chalks up the heightened concerns around security to the stringent laws governing data breaches involving personally identifiable information. These run the gamut from the Gramm-Leach-Bliley Act and HIPAA at the federal level to varying rules now on the books in 46 states—and counting. Once a breach occurs, agencies are required to discern the cause, nature and extent of the breach; identify potentially affected parties; and comply with legal requirements to ensure victims are immediately notified of the possible theft of their personally identifiable information. Litigation and regulatory penalties are possible.

Agents are acutely cognizant of the risks posed by systems and data security. So are errors & omissions liability insurers. “E&O carriers want to know what protections we have in place with respect to our clients’ personal and business data,” explains Armond Schwing, principal at third-generation Schwing Insurance Agency, Inc., in New Iberia, La. “We make a commitment to our clients when we protect them and their businesses through the sale of insurance products, but we also must make a commitment to protect their data.”

When these efforts to protect data are subpar, the result can be financially catastrophic, says Lisa Parry-Becker, vice president at Langhorne, Pa.-based agency William B. Parry & Sons. “I met a fellow agent who told me he had recently experienced the theft of a new workstation from the office,” she explains. “He wasn’t sure how much data was on the workstation, but he complied with the regulations and notified clients and monitored their credit situations for one year. When all was said and done, it cost him $75,000.” Ouch!

Proactive Steps Become Standard

Agents are not taking systems and data security for granted. Many agencies like Dean & Draper Insurance Agency in Houston have implemented what IT Manager George Douty calls the “standard stuff.” He elaborates, “We’ve set up firewalls at each of our locations that filter incoming emails, helping us block literally several million invalid emails per month. We also educate users on emails that might be phishing schemes or have an embedded virus. We’ve seen very convincing phishing scams that look like an email from the postal service or LinkedIn. Each time we get one, we send a print screen of it to users, along with a description of why it is invalid. We’re very proactive here.”

So is Eustis Insurance and Benefits, Inc. Keith Oufnac, vice president of IT, touts the Metairie, La.-based agency’s intrusion detection system. “It’s simple, inexpensive and keeps an eye on who is trying to attack our website—putting in the wrong password or attempting a SQL injection, for instance,” Oufnac says. “It happens all the time.”

Other agents tell similar tales. “I’ve sat down with my tech guy and looked at the log-in on my firewalls, and there are these robotic systems that are programmed to go out and randomly break into every IP address they can find,” says Steven Aronson, president of Aronson Insurance in Newton and Needham, Mass. “There are hackers spending 24 hours a day at this for the simple reason that there is a pot of gold there. When I saw that, I put a much higher level of firewall in place. For me, No. 1 is to keep the bad guys out.”

Email Freedom and Faults

When it comes to customer personally identifiable information, email is particularly vulnerable. Most agencies encrypt their communications to carriers and clients when personal data is included. Others like Burnette Insurance Agency have gone a step further, securing their email traffic in the cloud.
“We have a significant benefits practice involving customer health information like Social Security numbers, so we made the decision to convert everything digitally and contracted with a cloud provider to secure the data on its servers,” says Stan Burnette, president of the Suwanee, Ga.-based agency.

There are other ways to secure emails among agencies, carriers and general agents. ACT recommends the implementation of transport layer security (TLS) secure email, in which emails among the parties flow securely in a transparent manner.

Unfortunately, not all agency clients will have TLS capability, Yates notes. “In such cases, the agency would need to implement a proprietary email solution; this way when the agent sends a secure email to the client, the client would access it on the email vendor’s secure website, and vice versa,” he explains. He cited a number of vendors that can help agencies with both TLS hosted emails and proprietary emails, such as AppRiver and RPost.

Burnette recently purchased AppRiver. “Our biggest fear is that a customer sends an email to us with personally identifiable information in it, and then we send it to the carrier,” he says. “That used to get us really nervous. No longer.”

Mike Harris, chief information officer at MHBT Inc., a Dallas-based agency, had similar concerns about his customers emailing census data and other private information. “What we’ve done is invest in a cloud-based system called box.com that allows us to share and store files and other content online in a secure environment,” Harris explains.

The Glatfelter Agency in York, Pa., leverages software from Zywave for a comparable purpose. “When my staff needs to send HIPAA-protected information back and forth with clients, the data is automatically encrypted,” says Ken Mazzie, the agency’s vice president of employee benefits.
“We also have a dropdown box on Outlook so when I need to send an email that has confidential information inside it, such as an attachment with personally identifiable data, the box automatically encrypts it. Then, when the customer replies to the email it also comes back to me encrypted.”

Combatting Mobile Mayhem

Many agents expressed significant concerns over the security of data that travels along with their employees’ mobile devices. “One thing that scares the hell out of me is USB drives that are taken home and lost,” says Oufnac. “We have protocols here about the data that can reside on these devices, but one never knows. So we’ve password protected the drives and all our other mobile tools.”

“We encrypt every portable device that might leave this office,” Aronson chimes in. “While we don’t permit employees to have any personally identifiable information on their iPads, thumb drives or laptops, I can tell you that my iPad has emails on it. Consequently, we now require an eight-digit password instead of the usual four digits, and we’ve set up a secure [virtual private network] between the office and my home.”

Laptops and other mobile devices connected to the servers at Burnette Insurance Agency require dual authentication—user name and password—plus a token with a one-time password. “The log-in password on the system changes every 30 seconds—if you don’t sign in fast you have to start all over,” Burnette says. (Yates offers another smart tip—a remote “wiping” device so if a laptop or other mobile tool is lost or stolen, the content can be remotely erased.)

Tech-savvy agents not only secure their agency—they also share what they are doing. “We have an obligation to tell clients what we are doing ourselves about IT security—it would be foolish not to share it,” says Aronson. “That’s what it really means to be a ‘trusted advisor.’”

Russ Banham is an IA senior contributing writer.

ID Federation Tackles Password Problem

The business of insurance requires numerous interactions among independent agencies, insurance carriers, vendors and customers, resulting in an extraordinary array of user IDs and passwords to complete electronic business transactions—the bane of agents everywhere.

“One of the major headaches for agents is managing passwords and keeping them secure,” says Jeff Yates, ACT executive director. “It takes inordinate time that could be better invested in sales and customer retention strategies.”

Jim Armitage, vice president of Arroyo Insurance Services in Arcadia, Calif., agrees. “We’ve got to have multiple passwords to get into information on carrier sites and even to get into our own system,” Armitage says. “When you log into your email and your workstation, you have to remember a whole bunch of passwords. It’s like that cartoon of a workstation with a hundred post-it notes containing different passwords on it.”

Help at last is on the way, and its name is ID Federation. The nonprofit industry organization’s mission is to eradicate the need for multiple IDs and passwords, while increasing the security and the ease of conducting business across numerous parties.

ID Federation is in its infancy, but Yates and others are bullish on its prospects. “What ID Federation is trying to do is set up a federated identity approach, whereby the agency would use an identity provider of some sort, such as a vendor, to create a digital identity for each of the agency’s employees,” Yates explains. “Pursuant to a mutual trust agreement with each carrier, the provider would then be trusted by the carriers for handling all authentication in the background. Agents are very excited about this.”

Among them is Armitage. “It’s such a great idea,” he says. “If we can get more carriers and vendors involved in this effort, it would be a tremendous benefit to the industry, and agents in particular.
ID Federation is working really hard to bring this about, dealing with the legal departments of carriers and with regulators in different states to make this a reality.

“If everyone signs onto this,” he adds, “passwords will soon pass on.”

—R.B.

Real Time for Real Time

Real Time is more than just instantaneous communications and transactions—it’s also the name of a major industry initiative supported by the Big “I” and ACT. The Real Time download campaign provides the ability for agents to click on a button from a client file in the agency management system to immediately access carrier information on that client, whether it’s a quote, billing inquiry, claim inquiry or a simple request for information.

The process allows for more secure, efficient password handling. For instance, agents no longer would have to re-enter passwords during real time transactions. And the password can be updated within the workflow of the real time request without the transaction erroring out.

“Real Time is a major advance in agency workflow, but the disparities in carrier handling of passwords within the real time environment have discouraged some agency employees from using it,” says Jeff Yates, executive director of ACT, which has sponsored a Real Time Management Working Group to solve this dilemma.

Judith Dzwigal, automation coordinator at Lutgert Insurance in Naples, Fla., extols the promise of Real Time. “One log-in, one password is the solution,” she says. “If every carrier participated in Real Time, we would have just that.”

Yates concurs. “We urge agencies and carriers to continue to push the use of Real Time within their organizations and with their business partners,” he says. “It is the workflow of the future.”

—R.B.










