E&O Risk Management: Meeting the Challenge of Change
Limiting Exposures to Data Breaches

INTRODUCTION

Insurance agents collect, use, and store personally identifiable information on a daily basis.
Agents face exposure to both regulatory penalties and potential first- and third-party liability for data breaches.
Liability from cyber-attacks is on the rise, and the media constantly reports on companies being hacked and exposing protected personal information.
Risks include physical risks, such as:
- Paper files in cabinets and on desks on the premises
- Archived files (paper and electronic) outside the premises
- Computer hard drives, laptops, cell phones, CDs, USB drives, agency management system providers, carriers, call centers, etc.
The majority of breaches occur through stolen or lost devices.

Perhaps the largest security risk arises from employee mistakes, which often result from a failure to properly train employees on agency procedures for protecting the privacy of protected personal information.

Agencies have an obligation to secure protected personal information, whether in electronic or paper form, and to dispose of it appropriately. Applicable laws include:
- Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Various state laws (at least 29 states) that require reporting of security breaches; see the "Security Breach Notification Chart" at http://www.perkinscoie.com/statebreachchart/
These laws effectively require agencies to implement security plans, conduct training, and perform security audits.

The average cost of a breach is estimated at $214 per record, or about $250K for the average agency.

Recommended safeguards:
- Secure the building, server room, and file cabinets
- Screen cleaning crews
- Immediately remove employees' access to data when they leave
- Practice sound password security
- Limit personal information on mobile devices
- Secure WiFi connections
- Use virus and malware protection
- Secure data backups and archived files
- Connect remotely via SSL/VPN connections
- Use secure SSL connections (https) to collect data
- Secure email with Transport Layer Security (TLS)
- Only keep the data you need, and only for as long as you need it
- Have written guidelines and training regarding employee use of all protected consumer information
- Have written mandatory procedures in place for the proper disposal of sensitive information