
Secure Personal Data


The Internet and mobile technology revolutions have enabled agents to communicate with clients from anywhere, creating opportunities to reach out to new consumers and provide enhanced services and responsiveness.

But these developments have also multiplied the security risks that agencies must manage in order to protect clients’ personal data.

It is no wonder, then, that errors and omissions (E&O) underwriters offering data breach coverage to agencies are increasingly asking whether they encrypt or use other protective measures to safeguard client personal data when it is transmitted.

Agencies should know which types of personal information they collect, where it is retained and who has access to it. They also need to decide whether they need to keep this sensitive data at all.

If an agency decides it must keep personal information, it should limit access only to employees who need to see it. This is especially true for protected health information under the Health Insurance Portability and Accountability Act, or HIPAA.

There are several ways to protect personal data transmitted to agencies and their employees. Below are some recommended practices:

Remove Personal Data from Personal Devices
Ensure that personal data is kept off personal computers, mobile devices and thumb drives, which carry a significant risk of loss or theft. Train employees who use personal computers and mobile devices to delete any emails containing personal data as soon as they are read.

In addition, consider conducting an audit to make sure any computers and mobile devices accessing agency applications are password-protected. Also use software that can delete all data from personal devices if they are lost or stolen—thereby restoring them to their original manufacturer’s state.

Secure Email
Email is one of the most significant forms of communication to encrypt when sending messages with personal data to carriers and clients. Some prominent examples of emails containing personal data include sending insurance applications to carriers for a quote or to clients to complete or to sign, and sending insurance policies to clients.

When emailing carriers and general agents, the Agents Council for Technology recommends using Transport Layer Security (TLS) secure email.

TLS is an open standard that must be implemented by both the agency and the carrier. Once this is done, all emails between them are sent securely in a manner that is transparent to the end users. In other words, an agent or carrier underwriter can avoid going to a proprietary website to pick up each email, a practice that many underwriters refuse to follow and that is inefficient for agency employees.

But TLS is not a solution for communicating with clients because many of them lack TLS capability. Instead, an agency can use proprietary email.
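As an added illustration that is not part of the original article: the transparent encryption described above only holds when both mail servers actually negotiate TLS, so the agency's side should require STARTTLS rather than fall back to cleartext when a peer does not offer it. The Python below (standard library only) parses a captured EHLO reply to confirm that a carrier's mail server advertises STARTTLS, and delivers only over a verified TLS session; the host names and the EHLO transcripts are constructed examples, not real carriers.

```python
import smtplib
import ssl

def starttls_offered(ehlo_reply: bytes) -> bool:
    """True if a raw multi-line EHLO reply (as captured on the wire) advertises STARTTLS.
    After the first line (the server's domain), each line is b'250-KEYWORD ...' or b'250 KEYWORD'."""
    for line in ehlo_reply.splitlines()[1:]:
        words = line[4:].split()
        if line[:3] == b"250" and words and words[0].upper() == b"STARTTLS":
            return True
    return False

def send_with_mandatory_tls(host, port, msg, min_version=ssl.TLSVersion.TLSv1_2):
    """Deliver msg only after STARTTLS succeeds with a certificate valid for host.
    Opportunistic TLS would silently send in cleartext if the peer lacks STARTTLS;
    here that case raises instead, which is what 'both sides must implement TLS' requires."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname against the CA store
    ctx.minimum_version = min_version   # refuse legacy protocol versions
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):  # same check as starttls_offered, on the live reply
            raise RuntimeError(f"{host} does not advertise STARTTLS; refusing cleartext delivery")
        smtp.starttls(context=ctx)        # handshake failure or a bad certificate raises here
        smtp.ehlo()                       # capabilities must be re-read after the upgrade
        return smtp.send_message(msg)     # {} means every recipient was accepted

# Constructed EHLO replies (not from any real carrier), as one might capture when testing a peer's MX
CARRIER_EHLO = (b"250-mx.example-carrier.test Hello agency.example.test\r\n"
                b"250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n")
LEGACY_EHLO = b"250-mx.legacy-carrier.test Hello agency.example.test\r\n250 SIZE 52428800\r\n"
```

A carrier whose reply looks like LEGACY_EHLO has not implemented its side of the standard, and mail to it should be routed through another secure channel rather than sent in the clear.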

When an agent sends a secure email to a client using a proprietary solution, the client accesses it on the email vendor’s secure website. The secure email tool also enables a client to send a secure email back to an agent.

There are a number of vendors, such as AppRiver and RPost, which can help agencies with TLS-hosted emails, proprietary emails and other useful tools.

Employ Real Time
Email is often used to share applications and other information between agencies and carriers and general agents, especially in commercial lines. But real time offers a more efficient and secure method to handle these communications: it automatically encrypts the information and keeps it within the agency and carrier management systems.

The industry also has potential to use activity notifications to communicate other types of messages directly between agency and carrier systems—such as additional underwriting information—without having to manage a morass of emails in employees’ mailboxes.

Protect Agency Websites
It is critical to provide secure website connections for consumers when asking them to provide personal data on a website for functions such as receiving a quote.

Use a secure HTTPS connection before a consumer can fill out any form requiring personal data, just as shopping and bank websites typically do. Whether or not a form is protected, there is always a risk that a consumer will enter private and personal data into it.

Otherwise, consider limiting forms to specified fields that only ask for basic contact information, such as name, phone number, email or address, and noting on the page with the free-form text field that it is unsecure and should not be used to provide any private and personal data.

Similarly, when providing clients with the capability to access insurance information or documents online, create an HTTPS connection before any information can be accessed. It is best to work with a website provider that can help with the technical aspects of creating a secure website capability.
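One way to check an agency site against the advice above, as an added example that is not part of the original article: walk each form on a page, flag fields that look like the sensitive data types this article lists, and report any such form (or any free-form text field) that is not protected by HTTPS on both the page and its submission target. The field-name hints, the agency host names and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Token prefixes matching the data types the article lists as sensitive
SENSITIVE_HINTS = ("ssn", "social", "birth", "dob", "license", "card", "cvv",
                   "account", "routing", "pin", "health", "medical")

class FormCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a relative action inherits the page's scheme, so resolve it first
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "fields": [], "free_text": False}
            self.forms.append(self._form)
        elif self._form is not None and tag in ("input", "textarea"):
            self._form["free_text"] |= tag == "textarea"
            hints = (a.get("name"), a.get("id"), a.get("placeholder"), a.get("autocomplete"))
            self._form["fields"].append(" ".join(h for h in hints if h).lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_forms(page_url, html):
    """One finding per form collecting sensitive or free-form data without HTTPS end to end."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # Prefix-match on word tokens so that e.g. 'shipping' does not trip the 'pin' hint
        sensitive = sorted(f for f in form["fields"]
                           if any(t.startswith(h) for t in re.findall(r"[a-z]+", f) for h in SENSITIVE_HINTS))
        if not sensitive and not form["free_text"]:
            continue  # basic contact fields only (name, phone, email): lower risk per the article
        checks = ((urlsplit(form["action"]).scheme == "https", "submits over cleartext HTTP"),
                  (urlsplit(page_url).scheme == "https", "form page itself is served over HTTP"))
        issues = [msg for ok, msg in checks if not ok]
        if issues:
            findings.append({"action": form["action"], "sensitive": sensitive, "issues": issues})
    return findings

# Constructed sample page (not a real site): a legacy quote form still posting in the clear
SAMPLE_URL = "https://www.example-agency.test/quote.html"
SAMPLE_HTML = """<form action="http://legacy.example-agency.test/quote" method="post"><input name="full_name"> <input name="phone"> <input name="ssn" placeholder="Social Security Number"></form>
<form action="/contact" method="post"><input name="email"> <textarea name="comments"></textarea></form>"""
```

Run against SAMPLE_URL the quote form is reported for posting in the clear while the HTTPS contact form passes; run against the same page served over plain http, both forms are reported.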

Meanwhile, some agency E&O providers require agencies to post a privacy statement on their website if it provides an option for consumers to submit personal data.

It is important to customize a website privacy statement so that it accurately reflects the agency’s own data collection, usage, sharing and protection practices. Honda’s financial services website privacy statement provides a good example of the types of information typically included in such statements.

Jeff Yates (jeff.yates@iiaba.net) is executive director of the Agents Council for Technology. The full-length version of this story is available on ACT’s website.

ACT has developed several resources for agencies establishing and implementing their comprehensive information security program. These resources are included on the Security & Privacy page of the ACT website.

Defining Personal Data
What are the types of personal data that are most sensitive and need to be encrypted when transmitted?

The definition of personal data can vary by state and is contained in state data breach notification and privacy laws. The applicable state law is based upon the residency of the individual whose personal data is being protected, not the location of the agency. This is an important consideration for both agencies writing business in multiple states and agencies writing policies that cover individuals who reside in multiple states.

In addition, personal data is included in various federal laws, such as protected health information under HIPAA. And insurers too may employ different definitions of personal data in their policies, so it is incumbent upon an agency to be familiar with laws and coverage definitions that apply to the agency.

With all of these caveats, the most common types of non-public, individually identifiable personal data covered by law include:

  • Social security numbers;
  • Driver’s license numbers and those for other government-issued IDs;
  • Debit and credit card numbers and PINs;
  • Bank and financial account numbers; and
  • Protected health information under HIPAA.

While often not mentioned in state laws, other personal data that should be protected includes information commonly used for security verification, such as mother’s maiden name or date and place of birth, and sensitive insurance information, such as jewelry schedules.

—J.Y.