• The federal Gramm-Leach-Bliley Act requires independent agencies and brokers to proactively implement administrative, technical, and physical safeguards to protect customer non-public personal information.  See “Key Considerations in Setting Up & Implementing an Agency Security Policy” below for practical guidance on setting up and implementing an agency security policy.
• Many agencies are also now covered by a state identity theft law which may require an agency to notify a customer and take other remedial steps (such as procuring credit reports for the customer) if the agency is involved in the customer’s non-public personal information being lost, stolen, misdirected, or otherwise the subject of a security breach.  Many of these laws, however, provide a safe harbor if the affected data is encrypted.
• Beyond the legal requirements, being proactive about securing customer personal information is just good business, given the devastating impact of having to notify customers that their most sensitive information may have been compromised.  In addition, taking proactive steps to prevent a security breach is very likely to be less costly than cleaning up the mess that typically occurs after a breach has occurred.
• Many agencies are surprised to learn that the most significant security threats they face are not posed by external parties hacking into their systems.  See “The Three Biggest Security Threats Most Agencies Face” for what the biggest threats are.
• Back ups represent a major security risk.  The work group recommends that back ups be encrypted and kept in a secure place.  Many of the identity theft cases involve back ups.
• There has been a proliferation of PCs, portable devices, and removable media (zip drives, memory sticks, CDs,) taken outside of agencies potentially creating a major new security risk for agencies.  Agencies are encouraged to have their security policy address each of these items specifically.  Agents should not store customer and policy information on them, if at all possible.  Rather, it is preferable that this sensitive information be accessed from the agency’s system through a password protected Virtual Private Network when needed.   If there is a possibility customer and policy data will be kept on these devices, then the work group recommends that the data be encrypted.  Many of the identity theft cases involve lost or stolen PCs and other types of portable devices.
• Agencies should avoid sending customer non-public personal information by unsecured email, because regular email is like sending an open postcard through the mail.  The report presents several additional recommendations to help protect data while in transit to and from the agency.
• If an agency handles individually identifiable health information for clients or employees, then it also may be subject to the federal HIPAA law.  Click here for ACT’s report discussing HIPAA.

1. An employee theft or inadvertent mistake that exposes customers’ personal information to unauthorized parties.  (An example of an inadvertent mistake would be opening an email attachment containing a virus from an unknown source.)
2. Physical loss or theft of a computer, portable device, back up tape or other removable media—all containing customers’ non-public personal information.  As these devices have become more portable, and they are regularly taken outside the agency premises, this security risk has multiplied significantly.  Also, the substantial risk of a break-in to the agency’s offices and the theft of its computers is often overlooked when an agency develops its security policy.
3. Loss or theft of a password permitting unauthorized individuals to gain access to customers’ personal information.

• No more passwords on sticky notes.  Passwords should be kept hidden and private.  Agents should note that their carrier agreements are likely to make them responsible if an unauthorized party gains access to the carrier’s systems using an agency password.
• Escort your visitors throughout the office.  Know your night-time cleaning crew.
• Desktops should be password protected, and employees should log off of their system when they go to lunch, attend a meeting, or leave in the evening.
• How secure is your physical office when you leave in the evening?
• Keep non-public customer and policy information off of PCs, portable devices, and removable media.  Encrypt any of this non-public electronic information that leaves the agency office, whenever possible.  See sections below for more details.
• Encrypt back upsand keep them in a secure place.
• Also be thinking, do I even need to be keeping particular types of sensitive personal information in my system, or can I just pull it from a third party source when I need it?
• Would I be better off housing my systems and/or my back ups in a hosted data center employing 24 hour security, the latest security technologies, procedures, and data traffic monitoring, and perhaps even an armed guard?

• Thinking through and then implementing a security policy based upon an assessment of the specific risks your agency faces.
• Developing and implementing written security procedures.
• Employee education and training on all of the security risks, the security policy and the procedures.
• Conducting security audits by outside experts periodically to identify security “holes.”
• Taking specific steps to secure the physical perimeter of the agency, escorting any guests in the office, and prohibiting guests from accessing agency systems while in the office.
• Implementing password protected firewalls that protect the perimeter of your systems from intrusion by unauthorized persons and viruses.
• Diligently managing passwords, so that only authorized persons gain access to your system, their identity is authenticated, and terminated employees’ access is immediately cut off.
• Limiting employee access so that they only view the information they need to see.
• Implementing the latest versions of anti-virus, anti-SPAM and intrusion software on desktops, servers, PCs and other portable devices, continuously updating them, and activating automatic updates wherever possible.
• Auditing employee activity regularly for compliance with the security policy and procedures.
• Monitoring systems traffic continuously for unusual activity that indicates a breach may have occurred.
• Implementing specific procedures for back ups, PCs, home computers, portable devices, and removable media.  Keep non-public customer and policy information off of these devices wherever possible and encrypt them when they contain such sensitive data.
  

IMPORTANT RESOURCE:
CLICK HERE to access ACT’s “Agency Cyber Guide 1.0” for more details and a sample written agency security policy template - These have been updated as of January, 2018.

• When agency employees seek to access customer and policy data remotely from the agency’s system using a PC, home computer or other portable device, the entry of an individual password should be required to access the agency system and that transmission should be secured and encrypted, wherever possible.
• Unsecured email—including unencrypted insurance applications and other attachments—is analogous to sending an open postcard through the mail.  Agencies should be mindful of this when they need to transmit customer non-public personal information to carriers and customers.  Real-time interfaces, in contrast, enable the agency to send policy data to carriers in a secured and encrypted manner.  If real-time is not available, then the agency should consider using desk-top faxing to transmit application information to carriers.  The industry is actively working on recommendations to enable agencies and carriers to send secure email to each other using a consistent and efficient workflow.
• When interacting with your agency system remotely using a wireless connection, it is important to connect through your agency’s virtual private network (VPN).  The WEP encryption protocol provided with the wireless connection can be easily broken by a determined hacker.  (The WPA encryption protocol is much more secure than WEP.)
• When you deploy wireless access points, understand that you run the risk of extending your network outside of your building.  This technology raises a number of specific security issues that are best handled by a technology professional.

• For a definition of encryption and for more details on encrypting back-ups, click here.
• Click here for more detailed treatment of the specific security precautions agencies should consider for laptops, PDAs, smart phones, and removable media (zip drives, CDs, memory sticks, etc.) and the importance of keeping non-public customer and policy information off of them whenever possible.  If there is the possibility that this type of non-public information might be put on these devices, then they should be encrypted.  This includes specific security precautions to consider for home-based computers and 'BYOD' devices. 
• Agency management system vendors are also tightening the security features of their systems.  Some are starting to look at data encryption, because of the safe harbor encrypted data is given under some state identity theft laws.  In addition to considering encryption, some businesses would like to limit the display of and mask sensitive information, such as social security numbers, from all of the system’s users except essential users of the information.  The work group urges agents to discuss their security needs with their vendors, so that vendors can plan for additional needed capabilities.  Please refer to the ACT 'Independent Agent's Guide to Systems Security' for additional discussion.
• The work group also identified some of the most sensitive data elements for which encryption should be considered, in those cases where it is not feasible to encrypt the entire database.  Many of these specific elements are referenced in the various state identity theft laws.  For additional background, please check out the ACT article "Keeping Agency Data Secure".
• For more information on the Gramm-Leach-Bliley Act and Identity Theft laws, click here. 
• For a state-by-state breakdown on Data Breach reporting requirements, go to the Mintz-Levin website.