
Five tech pet peeves that can dog your agency

By Mele Fuller, from IIABA's ACT newsletter

Do you realize that every one of the individuals whose personal data was accessed on the Anthem site will have to spend the rest of their lives watching their backs? With name, address, date of birth and Social Security number, anyone can have access to your birth certificate and thereby steal your identity. Yes, addresses change over the years, but current addresses can be found easily using hundreds of different websites. The only thing that can’t be duplicated is a Social Security card. Yours should be in a safe deposit box.

This just drives me to the more general “things that bug me” about careless use of industry technology. Let’s look at my top five.

  1. The ACORD AL3 standards (used for policy download) still include fields for credit card name, number, expiration date and the security verification code as well as all the customer and bank information to set up Electronic Funds Transfer (EFT). With the security issues that we are dealing with today, there is no reason to send this data in download. No carrier should be doing this. Why don’t we delete the fields from download? By the way, the same can be said for Social Security numbers.

  2. So, why does an agency want to store a customer’s Social Security number? I’m sorry, but if you remarket a product, you should ask the customer for the information again. You can improve customer relations by saying you don’t store sensitive personal data. Going a step further, how are you protecting your insured’s name/address/driver’s license? If someone gets that information, they can go to the department of motor vehicles and get a license in that name and be your “customer” in many ways.

  3. How many agencies operating with in-house automation (versus a cloud-based system) have not encrypted their databases? These systems include enough information to steal identities. An encrypted database is a major part of breach regulations, and it helps protect an agency against lawsuits if their system and/or data is hacked. Did any of these agencies read the comment a couple years ago that when a small business’s data is compromised 40 percent of those businesses fail within a year? That’s scary. [Editor's note: Another 40 percent fail after that. Get cyberliability coverage for your agency!!!!]

  4. How many agencies have put a paper shredder at every desk in the office? Everything with a name, address or any personal information should be shredded. One central shredder is too easy to forget as you leave work in a hurry. Trash cans at desks should be very small. Anything to encourage the destruction of paper. And there are very reasonably priced shredders available today.

  5. Maybe what is most frightening is the number of agencies that use one password for their systems and/or their carriers’ sites because it’s too much work to maintain more than one. This is the old story of the staff member who leaves the agency in less than the best of circumstances and uses that password to steal or damage the agency’s data. I heard an agency say, in the last couple months, that individual passwords are too much trouble. And why aren’t we using two-level security? Particularly if you have off-site workers, shouldn’t you be certain it is the right person logging into your system? Whether you ask a “secret question,” return a second security code or recognize incoming IP addresses, do something to protect your agency and your customers’ data.


While I think most agencies are very conscious of the need to protect their customers’ data and many have security procedures, there are quite a few that don’t. Even if only 10 percent are careless, it reflects on all independent agents, and it can hurt a lot of people. A breach can potentially put an agency out of business. For those who still have no security procedures, get a copy of ACT’s “The Independent Agent’s Guide to Systems Security”. That’s a start. Who knows—you may find yourself motivated to take cyber security to the next level, and that’s an important step up for all of us.


Mele Fuller heads MLF Data Services and is a consultant to IIABA's Agents Council for Technology (ACT). ACT's mission is to bring the stakeholders in the independent insurance agency distribution system together to advance the use of the most effective business processes, practices and technologies, in order to enhance productivity, service, marketing, sales and security. A key focus for ACT is to keep informed on the strategic trends that will drive future consumer expectations and business opportunities.

Don't let your agency get dogged by a data security breach caused by not being careful enough with client information.