Those in the insurance industry have another errors and omissions (E&O) risk to consider these days, and they have technology to thank for it. Anyone in the insurance industry who possesses, stores, transmits or disposes of customers’ personal information has a duty to protect that personal information. Failure to do so opens up agencies to E&O exposures.
“When you think about the typical information you give an insurance agent – name, date of birth, health insurance information, social security numbers – they do have a significant amount of personal data,” says Sabrena Sally, senior vice president and head of agent and broker business for Swiss Re Corporate Solutions in the U.S. “With each state having regulations that address that data and federal regulations also out there, there are third and first party exposures that agencies face.”
It would be tough to find anyone in the industry that isn’t holding personal data of some kind. Even commercial lines agencies have their own employees’ personal data on hand and often the data of their clients’ employees as well. Commercial lines agencies also typically sell personal lines products as well as employee benefit services, says Sally.
In addition, the increased use of Internet sales portals gives agents the ability to expand into other regions, but it also increases an agent’s vulnerability and liability, which many still don’t realize.
“If agencies are doing business in multiple states they must be aware of what their obligations are in the different states to protect personal data and they need to stay abreast of the different regulations,” says Sally.
Failing to follow these regulations and requirements could be costly and devastating to any size agency, with penalties, fines and the costs of customer notification and credit monitoring if a breach occurs.
The real problem isn’t the fact that the industry has this personal information but how aware insurance professionals are of their vulnerabilities and how vigilant they are in protecting sensitive customer information, says Josh Schmidt, vice president and chief information security officer for Vertafore.
“There was a perception [in the insurance industry] that they weren’t as much of a target as banks because they don’t take large deposits and carry cash,” says Schmidt. “Now, it doesn’t matter. If you have consumer personal information, you are just as much of a target.”
Vertafore is a software service provider that works with the insurance industry to protect sensitive information. It also works as a cloud service provider for the industry to store important data. While industry awareness of data security exposures may not have been stellar in the past, Schmidt says there has been a shift occurring lately.
Instead of just asking questions about software and cloud security, Vertafore’s clients have become better at overseeing third party data management, including vetting security measures of third party providers and incorporating security requirements into contracts with these entities, he says. All of which Vertafore welcomes.
“I take that as a good sign that the insurance industry as a whole is realizing that there is risk in data and they need to take precautions in managing those risks,” he says.
Sally says Swiss Re Corporate Solutions has also seen improvement in industry awareness, but there is still a learning curve, particularly with smaller agencies. Sally says this learning curve became especially apparent in 2011 when the company introduced an insurance agents E&O policy that included a low limit of $10,000/$25,000 for first party data breach exposures and a $1 million limit for third party claims. The coverage is automatically built into a policy, but to qualify, agents had to comply with relevant state and federal regulations, and many agencies were not on top of these. Since then, demand and education levels have improved.
“We never intended to replace a standard cyber liability policy and we are hearing more frequently that agencies are seeking that out in the market,” says Sally.
The company is also a partner of the Big “I”’s Agents Council for Technology (ACT), which helps agencies identify the most effective business processes, practices and technologies.
Vertafore’s Schmidt says agencies should be mindful of the fact that using a third party provider like a cloud service to manage personal data does not take them off the hook if a privacy breach occurs.
“You, as the organization who collects the data from the consumer, are still ultimately responsible,” he says. “You can never hand off all your liability to a third party because they are not the ones soliciting the data from the end consumer.”
Schmidt says there are multiple steps agencies should take to make sure their data is safe, including: properly vetting service providers; identifying and addressing security risks; and implementing multiple layers of protection of data through passwords and encryption. He says it’s important that agencies stay data focused.
“Understand the data you have, where it is located, your compliance obligations and how you are protecting that data where it is,” he says. “These days, you can’t just put up a firewall and have some antivirus software on work stations and assume you are protected because you aren’t.”
Sally recommends that agencies incorporate standard written procedures about data security so that every employee is aware of how the agency collects, handles and stores personal data. Procedures could include:
- Only allowing authorized individuals in the agency to access personal data;
- Outlining how data can be used within a business;
- Addressing whether employees can put customer personal data on their individual devices and take it out of the office, and if so what is the protocol for that;
- Putting in place proper physical security procedures for data servers or personal files.
Agents should also update their own E&O checklists to include addressing their clients’ procedures and protections for personal data and whether they are properly insuring that data.
“If you are having a robust discussion with your customer about protecting their assets and business, you need to address if they have an exposure to a breach of personal data as well,” she says.