With the use of e-mail by insurance agents and brokers to transact routine business proliferating, tech security experts warn that a growing body of regulation, state law and litigation concerns will require greater attention to encryption and storage of communications.

The Agents Council for Technology, a technology association of agents, vendors and carriers, recently hosted two Web seminars dealing with the subject of how to make e-mail secure using Transport Layer Security (TLS).

Hosted by ACT Executive Director Jeff Yates, and available at the Web site of the Independent Insurance Agents and Brokers of America (www.iiaba.net) under ACT, the seminars review why agents need to encrypt e-mail and how they can go about doing it using TLS.

Mr. Yates and Jim Rogers, director of distribution technology at The Hartford, explained that ACT recommends agents and brokers use TLS because it is the most widely available form of encryption and is easily translated between users. It does not require creation of additional passwords or setting up an account on another server on the Internet.

The most popular forms of e-mail used routinely (Hotmail, Yahoo and Gmail) are not encrypted, noted Mr. Rogers. Sensitive personal information must be protected under the federal Gramm-Leach-Bliley Act (GLB) of 1999, but cannot be when using those three e-mail systems.

By activating TLS software, users can transmit encrypted e-mails to a recipient with the same program and allow them to view the e-mail in real time. The encryption protects the data from personal identity thieves who mine e-mail traffic for this information.

Its ease of use is the major benefit and avoids having to create a separate identification and password to open e-mails, noted Mr. Jones. “We have enough passwords,” he remarked.

Mr. Yates pointed to another advantage to using TLS–the fact that many insurance carriers already use the system. “It is up to the agent to use it,” he said.

Besides GLB requirements, Mr. Rogers explained that a number of states are tightening up their regulation of electronic transmission of sensitive data and the definition of what such data entails.

In Nevada, for instance, a law enacted last year makes it necessary for all firms doing business in the state to encrypt the electronic sharing of information, he said.

Massachusetts is working on a bill, expected to be passed early next year, which requires all sensitive data on the state's residents to be encrypted and sets fines for not doing so. Ohio requires reporting of security breaches of sensitive data within 15 days of the discovery of the act, he added.

Touching on how an agency goes about activating TLS, Tim Woodcock, president of Courtesy Computer, said there are a number of server providers that furnish TLS certificates to encrypt e-mail transmissions.

Implementation of the TLS certification should be done by the agency's chief technology officer or the agency's outside vendor, he advised.

After reviewing the technical aspects of turning TLS on, Mr. Woodcock noted agencies that purchase the programs now can enjoy tax advantages under the current federal economic stimulus program. Microsoft is also offering savings on the purchase of its program, he advised in the May seminar.

The increased use of e-mail raises not only security concerns but the need to archive data should an agent or broker be subject to a legal action.

Keith Crosley, director of market development at Sunnyvale, Calif.-based Proofpoint, said not only must data be secure, but the litigiousness of our society requires agents and brokers, if they are ever engaged in a civil or criminal action, to secure all e-mail records related to that legal request.

Securing and archiving all that e-mail data requires an enormous amount of storage space–much more than a typical insurance agency can handle, he said.

A data storage company such as Proofpoint offers two advantages over keeping the data in-house, Mr. Crosley pointed out.

• First, the capacity to securely store e-mails and support TLS encryption at a reasonable rate. Proofpoint offers such a system for less than $100 per user per year, he said.

• Second, no additional hardware is needed, he explained, and should there be any litigation, the cost and time of sifting through all that data is substantially reduced using their technology.

Rick Dales, vice president of product marketing at Proofpoint, noted that while 80 percent of all litigation is settled in two years, there are cases where a court action can drag on for five to seven years. Data relating to that action must be found, segregated and stored until the action is resolved.

He added that developing an in-house answer to holding and securing that data can prove to be an expensive proposition–all the more reason for agents and brokers to consider offsite solutions.

Rami Habal, director of product marketing at Proofpoint, noted that a major issue for in-house servers is data loss prevention. Using what is sometimes referred to as “cloud technology,” where information is stored off-site on another provider's server, is one answer to this issue.

Loss of data, he advised, is not limited to what is stored on a server–it also applies to the theft or loss of a desktop or laptop computer where that information could be stored.

Securing that data elsewhere, and then accessing it when needed through cloud technology, offers another layer of security to personal data for both the business and the customer, he said.
