Encrypting Back-ups

Most locally-run back-up systems do provide options for encryption of the data, and using this capability is highly important given the great exposure of these back-ups.  Several of the recent identity theft incidents have involved back-up information that was outside the business location.  If the data on the back up media is encrypted, and it is somehow lost, misplaced, or stolen, then the agency may fall within the safe harbor provided within applicable state identity theft laws.

Laptops, PDAs, Smart Phones, and Removable Media (Zip Drives, CDs, Memory Sticks, etc.)
 
 Below are the work group’s recommendations relating to protection of data on portable devices:

 These devices represent a high risk area for loss or theft, because they are highly portable and often are used outside of the premises of the agency.  The following examples provide a good measure of the level of risk presented by these devices.  In a recent six month period in London, 63,135 mobile phones (an average of three phones per taxi), 5,838 PDAs and 4,973 laptops have been left in licensed taxi cabs.  In Chicago, taxi drivers recently reported that during a six-month period, 21,460 PDAs and Pocket PCs were accidentally left behind in their cabs. 

 Agencies should consider implementing very specific procedures, training, and device monitoring with respect to PCs, portable devices and all forms of removable media.  These procedures can spell out which types of data will be permitted on these devices and/or removable media, which specific individuals are authorized to have them, and at what point each type of data should be removed from them.  These devices and removable media can be regularly checked to make sure the agency’s procedures are being followed.

 As a threshold question, the agency should decide whether it is going to permit customer non-public personal information or policy data to be put on any of these devices.

 Rather than storing customer and policy data on laptops and portable devices, it should be accessed directly from the agency system through a secured and encrypted transmission, whenever possible.  Access to the agency network should require the entry of a password to get beyond the agency’s firewall.

  If there is the possibility that customer non-public personal information or policy data will be kept on laptops or portable devices, the agency should consider encrypting the entire hard drives of these devices and employing the software that can send a “poison pill” to these portable devices to destroy the data in the event they are lost or stolen.  Once again, many of the identity theft cases involve these types of devices, and encrypted databases might enable the agency to come within the safe harbor of its state identity theft law.

 Entry of individual passwords also should be required to access the PC, portable device, or removable media, wherever possible. 

 Change the default password and password reset capability that often comes with these devices.

 Agencies may also want to provide users with physical security protections for their laptops, such as privacy screens (to prevent “shoulder surfing” by third parties) and anti-theft cable locks.

Home Based Computers

Agency security policies and employee training can specify that employees not store any customer or policy data on home computers, or other hardware that is not managed by the agency’s security systems.  The agency policy can require employees to access this data directly from the agency system through a secured and encrypted transmission.  Access to the agency network can require the entry of a password to get beyond the agency’s firewall.

Agency System Database Security Issues, Including Encryption

 Many agency system vendors are working to enhance the security safeguards provided by their systems in many ways.  These include providing hosted solutions where the agency’s systems are housed in a data center with 24 hour security, providing remote encrypted back ups, implementing new access controls that can restrict access to customer sensitive information to only authorized employees, etc. 

 Many agency system vendors have started to think about encrypting sensitive data elements within their systems, but these plans are still in the formative stage. Encryption of sensitive customer data within the agency system would provide an additional layer of protection, should the agency’s other security measures be breached and data becomes exposed to an unauthorized party.  The encryption of sensitive data elements may provide the agency a safe harbor under some state identity theft laws should there be a security breach relating to these systems. 

 The work group expects identity theft laws to continue to evolve, and several federal identity theft bills are pending, some of which treat required security breach notifications differently if specified data elements are encrypted.  Also, it would not be surprising to see more regulators start to expect that businesses employ some level of data encryption to comply with customer privacy laws, as database encryption technologies become more commonly used.

 Looking beyond the legal requirements, consumers certainly have the expectation that trusted business partners will keep their non-public personal information confidential.  For example, many consumers would be greatly upset if their itemized personal property schedules were improperly accessed.

 For all of these reasons, the work group recommends that agencies provide their agency system vendors with the information they need to continue to explore encryption as an important security protection layer, including the types of data encryption they would like to see in their systems.

Specific Sensitive Non-Public Consumer Data Elements for Possible Encryption

The work group identified some of the most sensitive data elements for which encryption should be considered.  Many of these specific elements are referenced in the various state identity theft laws.  Of course, it remains important for all parties to continue to monitor the evolution of the identity theft and privacy laws for changes in any requirements and specified data elements that would need to be encrypted to receive safe harbor protection.  Some of the most sensitive data elements that should be considered for encryption are:

 Date of birth

 Any personal information used to authenticate individual (mother’s maiden    name, place of birth, etc.)

 User name and password data

 Social Security number, driver’s license number, state identification card number

 Account number, internal agency customer number, employee identifier number, and any security code, access code or password used in conjunction with these numbers 

 Credit card or debit card number, and any security code, access code or password used in conjunction with these numbers.  (See the Payment Card Industry (PCI) Data Security Standard for more details on the security requirements for credit cards.  Sensitive authentication data for credit cards should not be stored, even if encrypted.  https://sdp.mastercardintl.com/pdf/pcd_manual.pdf )

 Any personally identifiable medical information

 Credit scores and other personal financial or underwriting information

 Claims financial and medical information

 Policy numbers tied to financial account type products, such as annuities and cash value life policies.

 “Sticky Notes” and other generic note taking and comments fields where employees may park sensitive consumer information “temporarily.”  Agency management systems, Outlook, and other software tools provide these fields.  (Employees can be trained not to park sensitive consumer information in these note taking/comments fields even temporarily, unless they are properly encrypted.)

 Name & address.  Whereas this is typically public information, when these data elements are coupled with the above data elements, the risk of compromising sensitive non-public consumer information rises significantly.  The encryption of name and address greatly reduces this risk and may provide greater protection from having to make security breach notifications.

The Gramm-Leach-Bliley Act (GLBA) requires independent agencies and brokers, along with insurance carriers and other financial institutions, to proactively implement administrative, technical, and physical safeguards to ensure the security and confidentiality of their customers’ non-public personal information.  GLBA does not specify the specific security safeguards that must be implemented, but the FTC has expressed its expectations that certain levels of security safeguards be provided, and we expect insurance regulators to follow a similar approach.

An excerpt from the law:

15 USC, Subchapter 1, Sec. 6801. Protection of nonpublic personal information

 (a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

(Please check statute for any changes since October 25, 2006)

California’s Identity Theft Law
California’s law (Civil Code Section 1798.82) defines a “breach of the security of the system” as the “…unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”  The law triggers when the person or business discovers or is notified that unencrypted “personal information” “…was, or is reasonably believed to have been, acquired by an unauthorized person.”  See http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.pdf.

Other States’ Identity Theft Laws

These sites have state by state listings of identity theft legislation: http://www.ncsl.org/programs/lis/CIP/priv/breach.htm; http://www.pirg.org/consumer/credit/statelaws.htm

The members of the ACT Emerging Security Issues Work Group are:
Mele Fuller, Safeco, Chair
Cindy Adams, Holmes Murphy
Donna Barr, Marsh, Inc.
Toby Emden, Travelers
Ed Higgins, Thousand Islands Agency
Chris Kinsman, Vertafore
Rick LaCafta, Travelers
Gray Nester, BB&T Insurance
Sean Pelletier, EMC Insurance
Jim Rogers, The Hartford
Bob Slocum, The Slocum Agency
Jill Spranzo, The Hartford
Steve Tetzloff, EMC Insurance
Angelyn Treutel, Treutel Insurance Agency
Terra Trogstad, MetLife Auto & Home
Paul Tuten, IVANS
Tony Vallone, Cincinnati Insurance Company
Alvito Vaz, Drive Insurance
Tim Woodcock, Courtesy Computers
Jeff Yates, ACT Executive Director