Saturday, April 21, 2007

Insurance Industry Apathy

So I attended and exhibited at I-Day this week. Buffalo, NY! Woo-hoo! Over 1,500 members of the insurance industry from upstate NY, northern Ohio and western Pennsylvania. And do you know what I came away with? The biggest lesson I learned was that the average insurance agent isn't the slightest bit concerned with the privacy and security of their clients' information. These were agents and brokers of MAJOR insurance companies - and they were neither aware of requirements like GLBA and breach notification laws, nor were they interested in learning about them.

As a consumer of both business and individual insurance policies of all sorts, I was mortified that there was such apathy concerning whether my personal information was safe.

I suppose it shouldn't be that surprising. Agents are sales people and they have one thing in mind. But they make most of their money from recurring revenue - policies that continue to renew without the agent lifting a finger. If that's the case, you would think (or at least, I would think) that the privacy of their clients' information would be important to them. Well, at least on that day, it wasn't as important to them as the bloody mary station down the hall.

During the event, I have to admit, I was more than a little annoyed by these people who seemed to care so little about their clients. But a day removed from it now, my frustration has moved from the individual agents to the companies and brokerages that they work for. It is the employer who has the responsibility to build this awareness and concern into their employees. Yes, I want my sales people spending their time selling. But there is no excuse for a large insurance company who doesn't regularly address security and compliance issues with their employees, brokers and agents.

So I petition all of you, whether you're Allstate, Farmers, Liberty Mutual, AIG, Progressive, State Farm, Nationwide, The Hartford or Geico - PLEASE take awareness more seriously. Your agents have NO IDEA what their responsibilities are. Shoot, they don't even know what threats are out there and what regulatory requirements apply to them. PLEASE help them to protect our data. PLEASE help them to CARE about protecting our data. And PLEASE do it soon. Because right now, they are prime targets for security breaches. After what I saw this week, if I was a social engineering criminal, your agents would be my first stop.


Friday, April 13, 2007

You've been breached!

My last post described the typical requirements of the various breach notification acts that your business is likely subject to, and some of the steps you should take to avoid a breach. But what if you've already had a breach? Perhaps you're reading this today and tomorrow you'll get a call from your IT director with some bad news. What are you going to do?

Your first reaction is probably to call your lawyer. And I certainly can't argue against that. However, I do want to caution you - legal counsel is important in these situations - but if they are allowed to drive your response to the breach, it will almost certainly be at the cost of customer relationships.

Your lawyers will be able to advise you on your responsibilities and liabilities. But they will likely advise you in ways meant to protect your company from any possible legal ramifications. They probably won't try to view the breach from your customers' eyes, with consideration for how you can best save those relationships.

If my company suffered a breach, my first call would be to the team at Identity Safeguards. Identity Safeguards was founded by John Davidson & Rick Kam. John experienced ID theft first hand some years ago. It was such a terrible experience that he decided to build a company that would be dedicated to helping individuals recover from such situations.

The company has evolved over the years and now spends most of their time helping companies and institutions deal with data breaches. They help your management team establish a comprehensive plan for assessing the breach, alerting your customers and helping the impacted individuals protect themselves. Their work is conducted from your customers' point of view - and as a result, they help you to tell your clients about the breach without losing their confidence in you. If you have had a breach, I strongly recommend that you contact them immediately.

Once you have a trusted advisor on your side who can help you address the breach without losing your customers, the rest of your work is relatively elementary. You'll need to take active steps to make sure that such a breach can't happen again. You'll need to be sure your responses are in compliance with all applicable legislation (this is really where your legal team can be helpful) and you'll need to engage the authorities to see if they can identify and prosecute the criminals (don't get your hopes up - less than 10% of these types of cases are ever prosecuted).

But saving those client relationships is absolutely job #1. And for that, hiring an expert like Identity Safeguards is worth every penny.


Friday, April 6, 2007

What you Need to Know about Breach Notification and Privacy Laws

Have you ever heard of California law SB 1386? Chances are good that if you do business in the United States, whether you have heard of it or not - and even if you're not in California - this law impacts you.

SB 1386 was a groundbreaking statute that first took effect July 1, 2003. You can find the actual bill here, but boiled down, it exists to protect the personal privacy information of all California residents. If your business has acquired such personal information (which includes SSN, driver's license number, account or credit card numbers, etc.), and you realize that at some point, you did not have complete control over that data, you must alert each individual in writing of the potential breach of their information.

The law also establishes provisions for civil suits by impacted residents, creating a basis for class action suits against your company should such a breach occur.

To date, well over 50 companies and institutions have been required to alert individuals of the risk of identity theft due to this law.

"So what?", you say, "I don't do business in California". Since SB 1386 took effect, 33 other states have approved similar legislation and several others are considering it - as is the Federal Government. The University of Georgia has put together some great resources, including a map of the states with approved legislation.

What are the REAL Impacts of Breach Notification Acts?
So chances are pretty good that at least one of these laws impacts your business. But what are the real impacts? Let's look at an example. A financial services firm with 3,000 clients obviously stores protected data. One day, they realize that a laptop with client records was stolen from the back seat of a car. The likely impacts of this event include:
  • Written notification to each client at a cost of approximately $3,000.
  • To try to maintain their clients' confidence, they elect to provide 1 year of credit reporting services for each of their clients (this is becoming the norm). At a cost of $50 per client, that will run them $150,000.
  • Depending on their state, they may be subject to fines reaching as high as $150,000.

So that creates the potential for over $300K of hard costs. But what about the soft costs? How many clients are going to leave because of this event? How many clients are going to file suit? If this company only lost $300K, it would be a miracle. In reality, an event like this could cripple a small company.

Now, what happens if you're a local or regional retailer? Do you know whether your systems record the credit card numbers that you take? Do they store them unencrypted? You might easily have 100,000 consumers' information. Can you imagine the cost should you be breached?
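One practical way to answer the question "do my systems store card numbers or SSNs in the clear?" is to scan exports, logs and backups for the patterns such data takes. The script below is an added example, not code from this post or from Pervasive Solutions; the records it scans are constructed for illustration, and the Luhn check is the standard card-number checksum used to weed out look-alike digit strings. It reports only masked values so the scan itself does not become another copy of the data.

```python
import re

# Constructed sample records, standing in for a database export or log file
# that a retailer may not realise holds protected data.
SAMPLE_RECORDS = [
    "id=1 name=Jane Doe card=4111111111111111 exp=0909",
    "id=2 name=John Roe ssn=123-45-6789",
    "id=3 name=Acme Corp phone=716-555-0199 order=1234567890123",
    "id=4 name=Pat Lee card=4111 1111 1111 1112",
]

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common NNN-NN-NNNN form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask(value):
    """Keep only the last four characters so findings are safe to report."""
    return "*" * (len(value) - 4) + value[-4:]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_protected_data(lines):
    """Scan text lines and return (line_no, kind, masked_value) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Order numbers and phone numbers rarely pass Luhn; real PANs do.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((n, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append((n, "ssn", mask(m.group())))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in find_protected_data(SAMPLE_RECORDS):
        print(f"line {line_no}: unencrypted {kind} {value}")
```

Run against the sample, only the valid card on line 1 and the SSN on line 2 are reported; the order number on line 3 and the mistyped card on line 4 fail the checksum and are ignored. In practice the input would be a real export or log, and any hit means the data is stored in a form a stolen laptop or tape would expose.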

What Should You Do?
So clearly, the impacts of these laws are real and they are significant. The question then becomes, what do you need to do to protect your company?

For starters, you need to take data security seriously. This starts with security policies and procedures. For example, you probably have back-up tapes of servers and databases. What is your policy for handling and storage of those tapes? Is that policy followed by your IT organization? What about password management? Do you have employees that share passwords? Or do you have systems whose administrative password is left blank? These are common issues for SMBs but it is precisely these issues that could result in a breach of your data. Establishing a thorough set of information security policies and then training your team to follow them is a critical step in protecting your data and your company.

In addition, you do need to make sure your networks, servers, workstations, desktops, mobile devices, etc. are all protected from breach and inappropriate access. If you're a mid-size company with just a handful (or less) of IT people, you probably don't have the security expertise needed to evaluate and implement a sufficient level of security around your technology. Bringing on a consultant to help this process will be money well spent. However, be warned - if the consultant you hire works for a company that sells security appliances or other network devices, they may have an agenda when they walk in the door (to sell you expensive technology).

Ideally, you'll find a security consultancy that is vendor-neutral. Ask them if they resell hardware and whether the company receives any income from such sales. If they do, my advice is to keep looking. This is exactly why my company doesn't resell hardware at all. We want to be completely neutral and be able to advise our clients strictly based on what is in their best interest. I don't want this to be a commercial about Pervasive Solutions - I just want to underscore that if you bring in a hardware reseller to audit your security, don't be surprised when their recommendations come back with six figures worth of equipment that is "mandatory".

Admittedly, this is a really high-level glance at this subject. The implications of the various Breach Notification Acts and Privacy Laws vary by state. But in the end, the message is clear - if you have a breach, you must publicly disclose it. Regardless of the hows and the direct costs, that type of disclosure can have such a detrimental impact on customer confidence that you really need to do everything you can to protect yourself. Get serious about security NOW.

If you have questions or would like my help, please feel free to give me a call or shoot me an email. I look forward to hearing from you.


Sorry for the silence...

I can't believe it has been almost two weeks since my last post. I need to apologize to those of you who keep tabs on this blog. The last two weeks have been great for business, but it has kept me running nearly non-stop. Some highlights:
  • We have added clients in three more states, bringing our total coverage to 21 states.
  • We have solidified designs for a new product/service offering that will significantly improve the security of SMBs at a very low cost to them. Stay tuned for more on that...
  • I have been selected to write a monthly column for Business Strategies magazine. My section will be titled, "Risk Management".
  • We were featured in the Rochester Democrat & Chronicle's business section. You can see the article here.

There are a few other highlights, but I think you get the gist. Anyway, no excuses. I do apologize and will work to ensure these hiatuses don't happen in the future.

Thank you for your patience.