Taking work home from the office has a whole different connotation when the data being worked on after hours contains the personal, financial, or medical information of customers. This often unsecured data gets left in taxicabs, in hotel rooms, and on park benches, and stolen from homes and parked cars. News reports over the past few months have brought to light several potentially devastating incidents of huge databases of personal information being stolen when laptops were lifted, or during office break-ins.
A frequently run TV commercial shows an automobile agent working on his laptop on the hood of his car at the scene of a wreck. He talks of “instantly downloading the customer information” and handling the claim. Is that really a good idea?
To gauge how high a priority the safety of insurance consumers' data appears to be, we spoke with four individuals in the industry and found a mix of perspectives on the safekeeping of records. (They also offer safety suggestions in the accompanying sidebar.)
Sharing their thoughts and experience below are Paul Peeples, vice president of Information and Technology for the Florida Association of Insurance Agents (FAIA); James Farmer, senior information architect, Florida Surplus Lines Service Office (FSLSO); James Tillman, president of Seva Technology, a Tallahassee encryption/technology firm; and Ronald N. Silverman, CIC, trainer, consultant, and owner of the Silverman Insurance Agency in Deltona.
Q. With so much focus on the safeguarding of data and computers as part of hurricane preparation, what is your sense of the focus on privacy protection of this data among insurance offices in our state?
Silverman: Privacy in insurance offices around the state ranges from “very secure” to “downright scary.”
Peeples: Some are highly concerned, others are not.
Farmer: In the case of FSLSO and it being a public entity, we fall under Florida's Sunshine Law. However, in the case of “information specific to any particular policy or policyholder,” Florida statutes exempt this data from the Sunshine Law.
Q. How well taught are insurance professionals? Is vocabulary an issue? For example, if someone says their computer is “safe” because they use a password to get into a program, would they assume the data is “encrypted”? How careful do you find most people are with these repositories of critical information?
Silverman: “Safe and encrypted” is relative to the agency and the companies they use. Most are. Our non-laptop home computers are “safe and encrypted,” based on the access protocols – even if a home antenna is used.
Peeples: They study Rules and Regulations on Security (three hours) as part of licensing.
Farmer: In our organization, personnel who take or access confidential information off the premises are aware of the confidentiality or privacy of said information. In general, security awareness training is a “must,” and can assist users in understanding how to properly protect data, as well as the terminology behind various protection mechanisms.
Q. What about connecting with the office computer from home? Is that pathway really secure?
Tillman: The connection between a worker's office and their home computer or laptop is almost always sufficiently secure because the communications are encrypted. The problem with that, however, can be that the worker's home computer is on a network that is not secure – most are not and some are even open to the Internet without protection. Without policies from the employer to require that home networks be secure, there is the possibility of someone compromising a telecommuter's home network and infiltrating the office network through a remote connection. Plus, a large percentage of home networks that use wireless systems do not secure them at all . . . making it possible for a hacker to infiltrate an organization's network without ever coming into the worker's yard. Access can be obtained from a car parked in the street.
Farmer: Part of an organization's security policy should be a remote-access policy. (See “Tips” in sidebar.)
Q. The recent headlined thefts also included office break-ins where computers were stolen – possibly for the hardware – and private information went out the office door. What do you suggest is the best way to protect this data at all times?
Silverman: A break-in of any kind is a crime. The essence of this question is the root of the entire subject. No matter how many protocols are used anywhere (paper or electronic), crime cannot be totally protected against or controlled at any level in any business. This is not an insurance agency problem alone – it is a societal problem.
Farmer: Physical security controls (i.e., locked entryways, alarm systems) in a facility are, of course, the first step in deterring/preventing this type of incident. In addition to general office security, it is recommended that an organization's server room or data center be under even stricter access control, whereby only authorized persons have physical access to the room. It is also recommended that users either log off or shut down their PCs when away from them for any extended period of time.
Tillman: The key is to make it as difficult as possible to get at the data, even if the hardware is stolen. This requires making it hard to gain access to the files on the file system, and ensuring that the files are encrypted if the thief does gain access.
Q. For the “sort of tech-savvy” agent or staff person, how much more difficult is it to maintain these records as safely as possible?
Peeples: You have to build the security; you're only as strong as your weakest link. And, most problems come from an “inside” person. Many are only techie enough to function – they're not highly technical. They understand the risks, but I don't think they realize how at risk and responsible they are.
Silverman: A “sort of a tech-savvy” insurance staff person can be of great assistance. Most agencies have a tech person in the office who is the unofficial “fixer.” When that person cannot fix it, the vendor is called.
Q. Peeples and Farmer, in their relationships with state agent associations, were asked if they get a lot of inquiries regarding the best way to safeguard information within a given office's technology setting.
Peeples: The requests are growing – usually in reaction to a system break-in. More articles about data theft are causing interest. Agents requesting help with data importability and encryption came out of this discussion. But let's say they encrypt their data – what if you want to switch systems? How do you get data into the new system? That may be an expensive proposition. It's coming more often on the national radar; expect more encryption and proprietary programs.
Farmer: We do not receive many inquiries from external outlets, per se, but in speaking with our customer base, if we find that a user's information may not be quite as secure as it should be in their own organizations, we may occasionally make recommendations regarding enhancing the protection of that data.
Q. What is the main thing a producer needs to be able to tell a customer about the protection of their personal information?
Farmer: Customers need to be aware that their confidential information will not be provided to unauthorized entities without their authorization, or unless it must be disclosed as applicable by law.
In any cases where a business or company is asking for confidential information from customers, those customers have the right to ask how their information will be used, and why it is needed.
Silverman: Security is a very important subject in our agency, to the point of making sure that one client does not see another client's name. However, security inquiries exist, but are not prevalent. The real issue for people today is about their ability to get insurance altogether at an affordable price.
Q. While individual members of an office staff could be appropriately careful, someone at a home office with access to data could just as easily compromise the security of the information, correct?
Tillman: Yes, even more easily. Without control over their telecommuter's home network security, organizations set themselves up to have all of their sophisticated network security systems completely bypassed.
Silverman: Absolutely. We are not the end-users. There is a chain of information that could be compromised. In fact, agencies are middlemen, so to speak. We would like to be able to tell clients that their information is safe with us, but we cannot guarantee it. The reason for this is that our office is as safeguarded as we can make it, but we just do not know who has access to what at the companies. All in all, we have not had any problems with security in 35 years in the business. And that says a lot.
Farmer: This is correct. But again, if proper controls are in place which limit authorized users to access of authorized information in a secure manner, companies can lessen the risks involved in providing this type of convenience to employees.
Q. Any other comments on this topic?
Peeples: Go look at it from 30,000 feet. Go through your processes and see what could happen. If you're working from home, how secure is the setting, how is the connection? If you don't feel knowledgeable enough, hire someone to evaluate your off-site operations. Are your papers locked up? It doesn't have to be just the computers. What about all the D&O, E&O, credit reports, and umbrella policy information?
The industry needs to be more proactive before this [mandated data security] gets done for it. At this point, it's not a big issue on Capitol Hill.
Silverman: The double-edged blessing and curse of the tech age is the fact that anything can happen. One client refused to give us his Social Security Number. I did not have a policy that was preferred that did not require it. He would not comply. I praised him for his tenacity. I wish I was more vigilant for myself and I truly wish that the delicate information that the companies need to underwrite was not necessary.
Farmer: I can't stress enough the importance of awareness training for all employees regarding the sensitive/confidential nature of information they may deal with.
Additionally, with the focus lately placed so much on laptops and remote access, removable media such as floppy disks, CD-ROMs, and the now-popular thumb drives make it just as easy to take information out of the office, and subsequently lose or misuse it.
Tillman: Fortunately, most organizations have begun requiring minimal security measures for their telecommuters' home computers. Even so, the policy and procedures required to truly secure a system are difficult to develop and implement, and even more difficult to enforce.