Data risk management--Do no harm
How agents can protect client data
By Matt Cullina
When physicians begin practicing medicine, they vow not to harm their patients.
Insurance agents have the same professional responsibility to their clients, especially after collecting personal identity information. Agents need to steadfastly protect client data from identity thieves.
Ironically, even as increasing numbers of agents sell insurance products that provide data theft coverage and identity resolution services, many agents themselves are data security risks.
Solid foundational practices for securing data aren't difficult to implement. They don't have to be expensive or time-consuming. And they can reduce risk exposure. However, agencies and agents must adopt a different mindset if they are to become true stewards of client data.
The true cost of lax security
Like most small businesses, many agencies and agents focus on little other than straight-through processing. For agents, that's getting a policy issued as easily as possible. Data security isn't necessarily a priority. However, agencies should treat data as carefully as cash receipts, because losing data could result in hefty response costs. Proactive security measures reduce the risk of a breach; provide staff with a basic understanding of data systems, inventory and backup processes; and are significantly less expensive than reactive costs.
For small to medium-sized firms, proactive steps may run between $2,500 and $10,000. When done reactively, costs could run anywhere from $15,000 to more than $50,000 depending on the extent of the breach.
Forty-six states and the District of Columbia have enacted laws that mandate how companies must respond to a data breach. Those requirements can lead to significant costs in the event of a large data theft.
The main intent of the laws is to ensure that companies notify their customers and clients about a breach. A notification letter can be drafted in-house. But a legal review of the document to ensure that it complies with state notification requirements could run between $1,500 and $2,500. And printing and mailing costs range between $1 and $2 per letter. If 10,000 policyholders are affected, that adds up to $10,000 to $20,000.
The type of data stolen could drive up response costs even more. Identity thieves armed with stolen Social Security numbers can open new lines of credit and wreak havoc on victims' credit records. Under those circumstances, victims would benefit from credit monitoring, which runs between $25 and $100 per victim who signs up for it. Not all will. But if only 10% of 10,000 customers affected by a data breach opt for the service, an agency would incur $25,000 to $100,000 in credit monitoring costs.
Technically, state data breach notification laws don't require companies to offer credit monitoring, and state attorneys general have no authority to mandate it. But they could pressure companies, which have their reputations to consider, to offer the service.
Perhaps the greatest cost may be to the agent's reputation. Agents have a responsibility to protect their customers' data. Failure to do so could lead to a loss in business and leave them exposed to lawsuits.
State insurance regulators could review agents' and insurers' licenses in light of how they respond to a data breach.
Best practices to secure data
Agents and agencies lose customers' private data in different ways, and most of them are avoidable. Whether it's a misplaced box of paper files, a stolen laptop or a missing BlackBerry, the loss usually traces back to a basic control that was never put in place. Agents should follow best practices to secure information.
The first step for agents and agencies to take is to outline the process for receiving and handling sensitive data. What information do they have? Who has access to it? How is it stored, protected and destroyed?
This assessment may be done internally or by a contractor that has expertise in data risk management. Typically, outside firms are more familiar with the threat environment, risks, policies and procedures, as well as best practices associated with different business segments. They can also create a data risk management plan, which can reduce exposure to sanctions and litigation.
Here are five basic security measures to better protect customer data:
1. Shred it. Identity thieves get birth dates, driver's license numbers, Social Security numbers and other data by dumpster-diving or going through recycling bins. Use a crosscut shredder to destroy paper files containing customer data.
2. Lock it up. File storage cabinets, file rooms or other areas that store documents containing private data about customers and employees should be locked.
3. Use password protection and encryption. A login password by itself does not protect the data on a lost or stolen laptop or phone; the drive can be removed and read without it. Turn on full-disk or device encryption on every laptop and smartphone that holds client data, and encrypt sensitive files and backups wherever they are stored. Inexpensive or even free encryption tools are readily available. Create strong, unique passwords for smartphones and laptops; change them quarterly.
4. Properly dispose of electronic devices and tools. Implement policies on how to destroy old computers, disks, tapes, CDs, memory devices and any other equipment that may contain sensitive data. Deleting files or reformatting a drive does not remove the data; it can be recovered with freely available tools. Either wipe the media with an overwriting tool or, often the better choice, physically destroy the devices when they are no longer needed.
5. Screen all employees. Implement hiring practices for all employees, especially those with access to sensitive information. Use criminal and background screening companies. All employees who have access to sensitive information—including cleaning crews, technicians, administrative assistants, temporary employees—should sign a confidentiality and security document.
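As a worked illustration of measure 3, the following script encrypts a file of client records at rest with a passphrase using the free OpenSSL command-line tool, then checks both that the records come back intact with the right passphrase and that a wrong passphrase does not yield them. This is an added example written for this page, not code from the article or from Identity Theft 911; it assumes the `openssl` command (version 1.1.1 or newer) is installed, and the file names, passphrase and sample record are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: protect a file of client records at rest
# with passphrase-based encryption using the OpenSSL command-line tool.
# Assumptions: `openssl` 1.1.1 or newer is on PATH; the file names, passphrase
# and the sample record below are constructed for the demonstration.
set -eu

WORKDIR=$(mktemp -d)
PLAIN="$WORKDIR/clients.csv"
CIPHER="$WORKDIR/clients.csv.enc"
PASSPHRASE='correct horse battery staple'   # stand-in; use a long, unique one

# Constructed sample record (fictional policyholder).
printf 'name,dob,ssn_last4,policy\nJane Example,1970-01-01,1234,POL-0001\n' > "$PLAIN"

# Encrypt with AES-256-CBC. -pbkdf2/-iter derive the key from the passphrase
# slowly, so a thief who steals the file cannot test passphrases quickly;
# -salt makes each encryption differ even for identical input.
encrypt_file() {  # $1 plaintext path, $2 ciphertext path, $3 passphrase
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "pass:$3"
}

decrypt_file() {  # $1 ciphertext path, $2 output path, $3 passphrase
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Round trip: the ciphertext must not contain the plaintext, and decrypting
# with the right passphrase must give back exactly the original file.
round_trip() {
    encrypt_file "$PLAIN" "$CIPHER" "$PASSPHRASE"
    if grep -q 'Jane Example' "$CIPHER"; then
        echo "plaintext leaked"
        return 1
    fi
    decrypt_file "$CIPHER" "$WORKDIR/restored.csv" "$PASSPHRASE"
    cmp -s "$PLAIN" "$WORKDIR/restored.csv" && echo "ok"
}

# Failure mode: a wrong passphrase must not yield the records. OpenSSL normally
# reports "bad decrypt"; on a rare padding coincidence it emits garbage instead,
# so check the output as well as the exit status.
wrong_passphrase_rejected() {
    if decrypt_file "$CIPHER" "$WORKDIR/bogus.csv" 'wrong passphrase' 2>/dev/null; then
        ! cmp -s "$PLAIN" "$WORKDIR/bogus.csv"
    else
        return 0
    fi
}

round_trip
wrong_passphrase_rejected && echo "wrong passphrase rejected"
```

Once the encrypted copy has been verified, the plaintext file should be removed (and, per measure 4, not simply deleted but overwritten or kept only on encrypted media), and the passphrase should be stored separately from the file, not in the same folder or e-mail.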
Insurance for agents
Even if agents do everything right to secure their clients' data, something could still go wrong—as it has recently for Sony Corp. and Citigroup Inc. So insurance is an important line of defense.
During the past 15 years, insurers have sold cyber insurance mainly to large companies with significant data exposure. Now they're developing products for small business policyholders. More than 50 carriers offer cyber risk insurance programs.
Some errors and omissions policies cover the costs of breach notification, credit monitoring, forensic investigations and claims filed by data theft victims. The coverage also might be available under the agency's general liability or businessowners policy.
Insurers, however, want to cover good risks. To that end, some insurers are going beyond their normal underwriting protocols when determining whether to provide agents with a data breach coverage endorsement to their E&O policies.
Agencies should check with their E&O provider to see if it is offering premium credits for completion of a voluntary online data security training program.
Protecting client data is critical for agents who can't conduct business without clients' personal information. If agents don't manage that data well, the resulting reputational damage could leave them without much, if any, business.
Matt Cullina is chief executive officer of Identity Theft 911, a provider of identity management, identity protection services, data security training programs, and data risk management solutions for businesses. Matt has 15 years of insurance industry management, claims, and product development experience. He spearheaded MetLife Auto & Home Insurance Co.'s personal product development initiatives, managed complex claims litigation, and served as a corporate witness for Travelers Insurance and the Fireman's Fund Insurance Co.