Security and Privacy

Updated March 1, 2021

This section of the ACT website includes articles on agency information security, implementing secure email with TLS, and general information security articles.

New Cybersecurity Resource for Independent Agents: Agency Cyber Guide 3.0

How do you best protect your agency from cyber threats and prepare your agency to recover should disaster strike? The ACT Security Issues Work Group has collected the following resources to help you protect your agency against tomorrow's threats. Understand risks, discover solutions, and check out the wealth of resources available.
In recent years, text messaging has moved quickly into the professional setting, providing independent agents with a quick and simple way to communicate with clients. The expansion of text messages to and from independent agents brings challenges along with the opportunities: developing proper workflows and policies for text messaging, properly preserving text messages in the agency’s management system, and potential E&O exposures related to text messaging. This downloadable memorandum focuses on just one of these challenges – i.e., how to meet the legal requirements for text messaging.
The ACT Security Issues Work Group, in conjunction with IIABA, created this sample cybersecurity policy to help agencies easily comply with the requirement to have a cybersecurity policy in place. This policy is directed toward 'employees' throughout. If the Agency uses independent contractors as well as employees, the Agency will need to broaden the policy to cover this group, such as by substituting 'Agency Users' for 'employees' wherever the term appears and defining 'Agency Users' to include all categories of the Agency's workers.
Did you know that GLBA and NAIC regulations require you to have a Privacy Policy listed on your agency website? Check out our new IIABA & ACT free template you can download and use for your agency.
In 2016, Big I General Counsel did an in-depth review of the GLB Act and provided significant insights on the data security, carrier contract, and overall information security implications of this mandatory federal act.
Every small business owner should prioritize using effective software to prevent virus infection. Here's a succinct article on how to ensure you're protected.
All the firewalls, operating system patches, and defenses are for naught if your agency staff is not properly trained. One errant click or opened file can leave your data vulnerable. Find out the clear steps to train agency staff.
Password creation is becoming something of an art for most insurance agents. With the ever-increasing need to update passwords for carrier websites, management systems, rating vendors, banks, and other entities, secure passwords are mandatory. This posting helps agents determine how to develop a strong and secure password.
With the continued usage of wireless technology, most independent agencies have incorporated wireless routers within their agency. Wireless routers allow computers to connect to the agency network to access information on the system and the internet. Potential hackers can have a field day gaining access to your agency data if the router is not re-configured from the factory settings. In this agency security briefing, we will focus on what agency owners need to know about their wireless routers and how to resolve potential threats to your network.
Insurance company agency agreement wording for both Property Casualty agents and Group Health agents requires unequivocal compliance with all current state and federal privacy and data breach response laws. Failure to do so puts the agency in potential breach of contract and liable for all claims incurred by the insurance company under the indemnification clause in their agreement. This could cause serious financial harm for most agencies and agency owners.
Agents beware - If you’re running unsupported software on your computer to access the Internet, process emails, or receive files via USB devices, you could be putting your data at risk and opening yourself up to a cyber breach.
In this June 2014 ACT article, the authors Teresa Addy and Jim Rogers share more background on SignOn Once as an industry standard, its benefits, and guidance for carrier and vendor participation. SignOn Once is a collaborative industry effort to create a safe and standard way to secure ID/password authentication. This solution is not specific to any individual carrier or vendor; the aim is to get as many parties participating as possible so that independent agents reap the benefits of one potential single ID and password set.
The final HIPAA Omnibus Rule, which goes into effect on September 23, 2013, impacts all independent agencies which sell health insurance and which are “Business Associates” under HIPAA. ACT’s HIPAA Work Group prepared the attached article to raise agent awareness about the final HIPAA Omnibus Rule, provide guidance on the key compliance measures they should take and reference a number of resources agencies can use to help them comply. This final rule will now require HHS to conduct periodic audits of Business Associates as well as Covered Entities for compliance with HIPAA and authorizes HHS, as well as state attorneys general, to impose significant fines directly on Business Associates which are not in compliance. This article is relevant to all agencies – even if they do not sell health insurance – because it provides security measures they should take and references resources they can use to formulate their general security plans and procedures, in order to be compliant with the federal and state privacy and data breach notification laws that do apply to them (because of the PII (personally identifiable information) that they do handle).
The authors provide nine great tips for agencies to follow to protect against data breaches, which can destroy an agency’s reputation and cost a lot of money to remedy. The article also points to resources the agency can access to get further information and to implement the recommendations. The authors seek to simplify an increasingly complex subject – laying out a series of manageable steps – in the hope that agencies will take action now to bolster their current agency security procedures where needed.
This article recommends ways agencies can secure their email and their websites when their clients' personal data is being transmitted. It defines the major types of “personal data” that should be 'encrypted' when traveling over the Internet, and outlines the resources that are available from ACT to assist agencies in protecting their clients' and employees' personal data.
The mingling of personal devices into the business environment is now commonplace. Technologists are concerned about how the “bring your own device” (BYOD) trend influences the security of the employer’s network, applications, and data. This article gives an overview of the trend and provides some practical guidance independent agencies can use to manage the BYOD phenomenon. It discusses opportunities and risks presented by BYOD practices, which are driven by the outflanking of business technology by personal technology.
Like traditional crime, cybercrime covers a broad scope of criminal activity and can occur anytime and anyplace. What makes it different is that the crime is committed using a computer and the Internet. You may recognize some of its most common forms such as identity theft, computer viruses and phishing, and at a corporate level, computer hacking of customer databases.
This article outlines the major security risks facing computer users in hotels and wireless hotspots and outlines practical steps you can take to protect yourself in these environments.
This report discusses key issues agencies must tackle to safeguard private customer information, prevent identity theft, implement an effective security policy, and protect agency data both while at rest in the agency's systems as well as in transit to and from the agency.
The following insurance carriers have reported to ACT that they support TLS email encryption for their agencies provided the agency has also enabled TLS on their mail servers.
This article discusses the importance of agencies having and implementing a written security plan in order to protect their clients’ personal information and to meet increasingly specific state privacy requirements. The article then provides links to information and resources that will assist agencies in building a viable security strategy and plan to protect their clients and their business.
Agency websites have become a core component of the marketing strategy for many independent agencies, but they also may present errors & omissions exposures that must be managed. This article explores some of the major E&O exposures that may arise and provides several E&O tips for mitigating those risks, as well as sample website disclaimers.
A lot has been written about how agencies can use social networking tools to enhance their online marketing and market reach. This article explores how the use of social media can impact the E&O risks agencies face and recommends specific steps agencies can take to mitigate those risks, so that the agency can get the full benefit out of these new tools.
Protect your agency from E&O exposure by including a Privacy Statement & Disclaimers on your agency websites and social media sites. These sample disclaimers can be used as a starting point. For sample Privacy Statements, please review the Privacy Statement on the IIABA website as well as that used by other independent agencies and organizations. For more details on the E&O risks arising from agency websites and the use of social media, please see the ACT articles 'Don't Get Caught on the Web' and 'Agency E&O Considerations when using Social Networking' found below on this web page.
TLS Email Encryption-- Agents' Frequently Asked Questions
The world has changed for independent agents and brokers. In the past, agencies primarily had to protect the paper within the physical perimeter of their agencies. Today, most of the information an agency relies upon has been digitized; most of the work is done on computer; and the agency is connected to the outside world through the Internet. These changes have been very beneficial, but they have greatly complicated the job of protecting the security of the agency’s systems and data.
Over the past year, ACT’s Agency Security Work Group has been working to develop a business tool designed specifically to assist independent agency business leaders and their employees in understanding and protecting against the security issues they face. This new ACT Guide—“The Independent Agent’s Guide to Systems Security; What Every Agency Principal Needs to Know”—is now available for download from ACT’s website. The report also includes guidance on securing outside security help, an Agency Security Risk Self-Assessment Tool, a sample Agency Information Security Policy, and steps to consider should a security breach occur.
This Plan for Agency is intended to create effective administrative, technical, electronic and physical protections to safeguard the personal information of the Agency’s Clients and employees, the Agency’s proprietary and confidential information, the physical security of our premises, and the integrity of our electronic systems so that they are best positioned to function smoothly without interruption.
While using Real Time is the best option for moving sensitive client data between agents and carriers, independent agencies and carriers still must use email in certain circumstances and are in need of workflow-friendly secure email solutions. Proprietary email solutions create inefficient agency workflows, require the retention of additional passwords, and require agents to go to the carrier Web site to retrieve email. Agencies and carriers are encouraged to implement a much more efficient and cost-effective approach to secure email by enabling their email servers for TLS (Transport Layer Security) email encryption. This article explains how TLS works.
Laptops, Windows-based portables, and smart phones allow agents and brokers to stay in touch with their customers and offices and to have access to their agency systems from anywhere at any time. These portable devices will continue to get better and better, offering larger disk storage, very convenient user interfaces, fully functional Office suites, as well as wireless Internet access, email, and Internet browsing. We expect use of these devices by agency principals and producers in the field to continue to increase dramatically.
American citizens are becoming increasingly concerned with the privacy of their health and other personal information. Clients want to know that their agents and brokers have taken the steps necessary to safeguard the private information that they obtain on them and that this information is only used for permitted business purposes.
The current disparity of carrier handling of passwords within the real-time environment is reducing the benefits of real-time workflows and is discouraging some agency employees from using Real Time. In this report, the ACT Real-Time Management Work Group makes the business case for changes in carrier and vendor password handling in the real-time environment based upon new password workflows that some carriers and vendors have already started to implement.
The purpose of this ACT report is to heighten agencies’ awareness about the importance of taking steps within their businesses to safeguard the privacy of non-public personal information about their clients and prospective clients, whether it be the individually identifiable medical information that is governed by HIPAA or other non-public personal information that is impacted by other federal and state laws.