
Critical Action Item – Agency Cyber Guide 1.0

Complying with State and Federal Privacy Regulations is Mandatory for every Agent and Broker

Authors: Bill Larson and Ron Berg

Fall 2017



Keeping customer data protected is the highest priority for every agent and broker in our distribution channel. Having to communicate to your customers that their private information has been breached can cripple a business, and such a breach can cost thousands of dollars in rectification and penalties and lead to possible loss of company contracts.
 

To fully address this, the ACT Security Issues Work Group has created the Agency Cyber Guide 1.0, which can be accessed at: www.independentagent.com/ACTCyberGuide. This guide addresses most cyber-security requirements and provides compliance resources for each and every requirement.

We are providing this Agency Cyber Guide 1.0 at no cost to Big "I" members.  Some individual regulatory resources listed are also free, such as an updated Agency Cybersecurity Policy template, which Big "I" member agencies can download and brand. Use of this policy puts agencies in compliance with the requirement for having a written security policy.


Federal acts such as the Gramm-Leach-Bliley Act, and state laws such as those from the New York Department of Financial Services and other specific state data privacy laws, are just some of the requirements with which agents must comply.


The ACT Agency Cyber Guide 1.0 is divided into three clear sections: Compliance and Protection Roadmap; Costs and Penalties for Noncompliance; and Regulations, Descriptions, Resources.

 

Compliance and Protection Roadmap

The burden is placed upon the agent to properly collect and protect customer information, which means complying with all state and federal laws regarding this subject. Federal acts such as the Gramm-Leach-Bliley Act (GLBA), and state actions such as the regulations from the New York Department of Financial Services (NY DFS), are addressed in the guide. The 10 major regulations under the GLBA are discussed so the agent can clearly understand the process of compliance.

 

Costs and Penalties for Noncompliance

Costs are not limited to lost business. Noncompliance with the required regulations may carry a substantial penalty. Penalties vary by state, as do the data breach notification requirements.

Penalties can be assessed as civil penalties per resident affected and/or per breach, and additional penalties for actual economic damages can be assessed. Noncompliance is also punishable under state-specific deceptive trade practices laws or as prescribed by the state attorney general.

 

Regulations, Descriptions, Resources

All regulations listed in this section are required for compliance with the GLBA and other emerging regulations, such as those from the NY DFS. The ACT Agency Cyber Guide 1.0 discusses these in greater depth:

  • Risk Assessment
  • Written Security Policy
  • Incident Response Plan
  • Staff Training & Monitoring
  • Penetration Testing and Vulnerability Assessment
  • Access Control Protocol
  • Written Security Policy for Third-Party Service Providers
  • Encryption of Non-Public Information
  • Designation of Chief Information Officer
  • Audit Trail
  • Implementing Multi-Factor Authentication
  • Procedure for Disposal of Non-Public Information

ACT will monitor the changing cyber-security regulatory environment and update this guide as needed. We urge you to access the ACT Agency Cyber Guide 1.0 at www.independentagent.com/ACTCyberGuide and work to ensure your agency and your customers' data are protected as you begin your road to mandatory compliance with these data privacy regulations.

