Brian Bartosh, chair of the ACT Agency Security Issues Work Group and president of the Top O'Michigan Insurance Agency in Alpena, Mich., warned that, "A virus that spreads throughout an agency's systems can bring our work to a standstill and take considerable time and money to fix.

"A security breach exposing our customers' personal information could expose an agency to significant potential liability and severely damage the agency's reputation in its community?a reputation that the agency has spent years building."

Jeff Yates, ACT executive director, said, "ACT felt it was extremely important to develop a guide specifically focused on the security risks facing agents and brokers and to present the recommendations in non-technical language that would be readily understood by agency business leaders."

The ACT guide takes the reader through "A Day in the Life of an Independent Agent" to provide a context for the security risks agencies are likely to face.

The report also includes a security self-assessment tool, a sample agency security policy, and guidance on choosing an outside security consultant if desired.

ACT said the last section of the tool provides recommendations to assist an agency to prepare in advance should a security breach occur, so that the agency does not have to resort to "ad hoc" action after the fact.

Mr. Yates added that, "The report also drives home that managing security risk is an ongoing and never-ending process.

"New employees need to be trained on the policy; compliance must be monitored and traffic ?logged' for any unusual activity; security should be brought up periodically in staff meetings to keep the issues front and center for the staff; and just as one security ?hole' is plugged, an agency must be prepared for another one to emerge."

The report says agencies should:

? Have an individual login and password for each employee and understand the need to keep this information strictly confidential.

It noted that Logins and passwords determine who has access to your systems, your data and your customer's confidential information. It cautioned that the agency's procedures should assure that an employee's access to the agency's and carrier's systems is terminated immediately when the employee is no longer employed the agency.

? Activate the access controls on the agency management system and restrict access to confidential customer and employee information to only those employees who have a business need to access that information.

? Have employees sign a confidentiality agreement acknowledging and protecting the agency's ownership of all of its data and policyholder information and agreeing not to copy, transmit it or post it to a Web site except as authorized by the agency.

? Have a security policy covering incoming and outgoing emails; prohibitions on opening attachments in emails from unknown sources, downloading music or video files, and accessing non-business websites.

Also, have restrictions on downloading applications without permission and prohibitions on family member use of agency computers. Each of these activities carries the risk of infecting the agency's systems with a virus or other "malware."

? Have firewalls as well as protection from viruses and other types of "malware" at both the network level and on the agency's desktops and laptops.

This protection software should be updated with new virus definitions on a daily or other regular, scheduled basis. Operating system security updates should also be made on a timely basis after assuring that the "bugs" have been worked out of these updates.

? Take special care to keep the firewall and virus protection within laptops up-to-date, because of the likelihood laptops will be used in public locations having wireless connections, where the agency's network level firewall and virus protection are not available.

? Determine what types of agency data may be kept on PDAs and laptops, because of the risk that these items can be lost. If confidential agency data needs to be kept on the laptop, then this data should be encrypted, if possible.

? Activate security features and change default settings when wireless networks are used.

? Actively manage the logs generated by its systems for any unusual activity that suggests Spyware or some other unauthorized use of the agency's systems.

The report can be downloaded at www.independentagent.com/act.