How Secure is your data?

1/21/2009 9:52:00 AM


Of course it's secure!  Why do "I" need to worry about it?  What information that I maintain could possibly interest anyone?  I have "IT" people that handle IT.  Do you?  How secure is your data...really?

 

Look at the newspapers, listen to the radio, watch the nightly news, read blogs...all talking about national & international theft rings illegally stealing computer data.  Have you checked your PC's temperature lately?  How's that virus coming along for you?  I swear I thought it was a legitimate attachment!  Why are those hackers trying to get at me?  Because it means $.  Those credit card, bank account & other financial account #'s, e-mail addresses, passwords, etc. that you store on your PC or network all mean $ for the hacker.  Why else would they bother?

 

Lots of good questions & assumptions about who the potential targets are.  Bottom line, all of us (kids, students, parents, businesses, government...roaming gnomes, you & me) are targets.  What about the anti-virus software I have?  I can only guess that the software was effective for the viruses that are known about.  The hackers are releasing a new version today to attack us again.  It's not their (anti-virus fixing folks) fault; I can't plow the road tonight for the storm coming in this weekend & how can they?

 

What role do we play in the Property & Casualty insurance marketplace to protect our customers' data...personal data on individuals, business owners, their families, their employees, prospects, & anyone else they collect data on?

 

I suppose the question to ask is what is our responsibility?  Plenty!  And it's not just conjecture; HIPAA requirements have been in place for years.  No, HIPAA is not a character on Sesame Street or Barney.  Are we adhering to those standards in the P&C industry?

 

From a data security standpoint, any business, including insurance agents & brokers, that stores, maintains or transmits "Personal Information" has a duty to protect that information from unauthorized access.  Without getting into specific local, state & federal legalities, there are a number of steps that need to be taken to ensure the protection of your clients or prospective clients from data compromise.

 

  • 1) Establishment of User Identification Numbers ("UIDs"). Assigning UIDs that cannot be specifically associated with the individual being granted access to personal information is paramount. The UID should be assigned by the Security Administrator, rather than by the individual being granted access. Suggestions:
      • a. Name of favorite restaurant, i.e. McDonalds, JimmysPizza, ChezPierre
      • b. Name of favorite sports team, i.e. Redsox (with apologies), Yankees (with apologies), Cardinals, JoesBowlingLeague
      • c. Name of favorite vacation destination, i.e. Nantucket, France, BVI's
      • d. Never...never use vendor-supplied (management system, comparative rating, carrier, other) "generic" UIDs or passwords. That's an open invitation to a potential hacker!

 

  • 2) User Passwords. Passwords of not less than 7 (seven) characters, including at least 1 (one) ALPHA character and 2 (two) numeric characters, should be required. The passwords should be "diaried" to expire & reset not less than every 30 days. Following 3 unsuccessful attempts to log into your network, users must be denied access & referred to the Data Security Administrator.
      • a. Examples include
          • i. SanFrancisco001
          • ii. JoesPizza2
          • iii. LeesMarket03
          • iv. Other?

 

  • 3) Alternative data access methods:
      • a. Biometric access devices
          • i. Optical identification
          • ii. Fingerprint identification
      • b. Dongle keys
      • c. Next month's new technology

 

  • 4) Control, maintenance & administration of data security UIDs & passwords. This applies not only to the equipment used to access your "systems" in your office(s), but also to any remote equipment used, i.e. laptops, BlackBerrys, other electronic devices. If "personal information" can be transmitted by you or your employees by any means, you need to control it.
      • a. A "Security Administrator" should be assigned to establish & maintain the assignment, maintenance & overall security of your data. Their responsibility is to assign, maintain & remove individuals authorized to access your data.
      • b. A "Back-up" to the primary Security Administrator should be limited to 1 (one) other individual, preferably a "principal" owner of the business.
      • c. Monitoring of & access to your "systems" should be performed by your "Security Administrator", but definitely also consider an outside, disinterested 3rd party vendor in order to optimize data security.
      • d. Data access by employees should be limited to the scope of their jobs. What is their "need to know" or need to retain such data?
      • e. Employees leaving the firm should have their UIDs & passwords disabled prior to or immediately in conjunction with termination.
  • 5) Data Encryption: Whose responsibility is it? Yours! How do you protect yourself? Consider what medium is being used & how you're transmitting the data.
      • a. Request written verification from the companies with whom you write business that the "Personal Information" you're required to transmit to "their" proprietary web-sites is encrypted.
      • b. What 3rd party software do you use (comparative rating, state motor vehicle departments, personal or business credit rating, other)? What data does it contain & do you maintain or store it? Is it transmitted elsewhere electronically? Is it secure? Obtain written verification from any 3rd party software providers that you use that it is secure.
      • c. Unless you maintain a secure, encrypted web-site, don't solicit information containing Personal Information. Most sites I've seen are not!
  • 6) Data Retention: How long do I keep it & what do I keep? Purging of data - if you purge it...they can't get it! Is it 7 Years???
      • a. Without question, you'll choose to retain data on a customer depending upon the line(s) of business you write for that customer. But don't maintain it when/if your customer gets divorced, a child moves out of the house, the business doesn't retain that employee, you don't write the prospect, etc.
      • b. Purge data on customers you haven't provided coverage for following their expiration.
      • c. Purge any data pertaining to an individual that you can't associate with a customer written or serviced by your agency.
      • d. Other???
  • 7) How do you monitor your systems, for security or otherwise?
      • a. The responsibility falls upon you, the business owner/principal
      • b. Delegate the responsibility to:
          • i. An internal "Security Administrator".
          • ii. A qualified networking services provider who can provide overall systems access & security to your network on your behalf.
          • iii. Your brother-in-law?

 

  • 8) Protection
      • a. Ensure that all of your network equipment contains & employs the latest updates of firewall or anti-virus protection software available. Examples include but are not limited to Norton Anti-Virus & McAfee. Your network should also consist of current computer hardware & software to ensure that the protection you hope to employ will operate appropriately.
          • i. Have automatic electronic updates scheduled daily.
          • ii. Don't open attachments (e-mail) unless the recipient knows who the sender is.
          • iii. Web-sites - access business related sites only.
          • iv. Limit the people allowed to utilize or access your network only to those who have a "need to know" personal information in order to conduct business.
      • b. Education & training of employees.
          • i. Employees should be formally trained on data security due to the sensitive nature of the information they utilize in the performance of their jobs.
          • ii. An annual review of your data security policy should be conducted with all employees to ensure that they're aware of any changes that may have been made & implemented.
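
The password rules from item 2 and the vendor-default warning from item 1(d), expressed as a checker with expiry and lockout. This is an added example, not code from the original article: the `Account` class, the status strings and the `VENDOR_DEFAULTS` entries are constructed for illustration, and salted PBKDF2 storage is an added assumption.

```python
import hashlib
import hmac
import os
from datetime import timedelta

MIN_LENGTH, MIN_ALPHA, MIN_DIGITS = 7, 1, 2  # item 2: composition rule
MAX_AGE = timedelta(days=30)                  # item 2: expiry
MAX_FAILURES = 3                              # item 2: lockout
# Constructed stand-ins for vendor-supplied "generic" passwords (item 1d).
VENDOR_DEFAULTS = {"admin123", "password01", "agency2009"}
LOCKED = "locked: see Security Administrator"

def policy_violations(password):
    """Return the list of rules a candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(c.isalpha() for c in password) < MIN_ALPHA:
        problems.append("needs a letter")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("needs two digits")
    if password.lower() in VENDOR_DEFAULTS:
        problems.append("vendor default")
    return problems

class Account:
    def __init__(self, uid, password, now):
        self.uid, self.failures, self.locked = uid, 0, False
        self.set_password(password, now)

    def _hash(self, password):  # salted PBKDF2, never store the plaintext
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password, now):
        problems = policy_violations(password)
        if problems:
            raise ValueError(", ".join(problems))
        self.salt = os.urandom(16)
        self.digest, self.changed = self._hash(password), now

    def login(self, password, now):
        if self.locked:  # no self-service unlock: refer to the administrator
            return LOCKED
        if not hmac.compare_digest(self._hash(password), self.digest):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return LOCKED if self.locked else "denied"
        self.failures = 0
        return "expired: reset required" if now - self.changed > MAX_AGE else "ok"
```

Run against the sample passwords listed under item 2, `SanFrancisco001` and `LeesMarket03` pass, while `JoesPizza2` is rejected because it contains only one numeric character.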

 

Data security is the responsibility of everyone in your office who is granted access to Personal Information.  Hopefully this document will provide you with some insight into how to go about establishing a formal Data Security Policy for your computer systems & the steps necessary to maintain security within your office's systems.
Copyright © 2008 Computer Rescue, Inc. All Rights Reserved.