Welcome to Encryption Nation

May 4, 2009

Stop putting passwords on sticky notes, require passwords for desktops and encrypt all backups.

Technology is enabling independent insurance agencies to conduct business faster than ever. With the press of the return button on a computer, agencies can launch a targeted e-mail marketing campaign to a specific customer niche in seconds.

While technology is well and good, agents who haven’t done so already need to get smart about encryption. With electronic insurance transactions and correspondence, agents and customers transfer a lot of confidential information. Moreover, insurance agencies and other businesses are fast approaching a legal mandate that they encrypt any customer information that they transmit through the Internet or store on their laptops, flash drives, backup tapes and any other devices that may contain digital records of their customers’ personal information.

Encryption — for those who have never heard of it — refers to a relatively simple process of rendering data so that only persons with a key can understand it. Without this so-called key, any information stored on a computer, tape drive or elsewhere is effectively useless. It’s simple, and relatively cheap to do. And given the extent of high-profile data breaches in the past several years, it’s a process that probably should have become routine in any insurance setting years ago.

Nevada was the first state in the nation to require businesses to encrypt any personal information that gets transmitted electronically.

Personal information includes things like names, social security numbers, credit card numbers and any other data that leaves consumers open to identity theft if that information were to fall into the wrong hands. Although the Nevada law is fairly toothless — it doesn’t spell out fines or penalties for businesses that fail to comply — it shows the direction that state governments are moving with respect to becoming proactive about protecting citizens’ personal information.

Massachusetts enacted a similar law this year that goes a step further by requiring businesses to encrypt data that is either transmitted or stored. It also mandates that businesses formalize their written computer security procedures for anyone who has access to customers’ personal information. The law carries pretty significant fines — $5,000 and up — for businesses that ignore it. The deadline for complying with some parts of the law in the Bay State is May 1, 2009, and Jan. 1, 2010 for other parts of the law.

Whether other states will follow Nevada’s and Massachusetts’ lead is anyone’s guess. But it’s fair to say that with two states’ encryption laws on the books, plus 44 states with data breach notification laws in place, the momentum is building.

The Independent Insurance Agents & Brokers of America’s ACT Working Group, which is a partnership of independent agents, companies, technology vendors, user groups and associations dedicated to enhancing the use of technology and improved work flows within the independent agency system, maintains an ongoing report about data security in independent agencies. Most of it is pretty common sense stuff.

Among the procedures recommended: Stop putting passwords on sticky notes, require passwords for desktops and encrypt all backups. For agents looking to outsource that responsibility, the report recommends considering an outside data center, some of which even employ armed guards.