On this Web page you will find three major sections:
(1) Agency Information Security Planning: Includes a prototype agency information security plan, webinars on creating an agency security program and on complying with HIPAA, and sample agency website disclaimers to manage E&O exposures.
(2) Implementing Secure Email (with TLS): Articles, FAQs and a webinar to assist agencies in implementing TLS secure email. Also includes a list of known carriers that have TLS available for their agencies.
(3) Information Security Articles: to raise agency awareness of important security risks and to provide guidance on managing these risks.
(1) Agency Information Security Planning
ACT Prototype Agency Information Security Plan & Companion Article
ACT developed this prototype security plan for agencies to use in developing their own written security plans customized to their own operations. This prototype plan also serves as a great checklist for agents to use in formulating their security program.
In addition to the plan itself, you will find an article discussing the importance of agencies' having a written security plan and how to use ACT's prototype security plan most effectively. The article also provides agencies with a series of steps to take to put a strong security program in place.
Click here for the ACT article, "ACT Releases Prototype Agency Information Security Plan"
Click here for the PDF version of the ACT Prototype Agency Information Security Plan
Click here for the Word version of the ACT Prototype Agency Information Security Plan (Best to "save" this Word document to your desktop to avoid the prompt for a password. If you "open" the document, click "cancel" when you get the password prompt to open it.)
Implementing an Effective Information Security Program in your Agency
Recorded webinar (Jan 13, 2011)
This webinar highlighted the major security risks independent agencies face and the practical steps they should take to protect the privacy of their private client & employee personal information, whether in paper or electronic form. The session outlined how federal and state law, as well as good risk management practice, have made it mandatory for agencies to implement an information security program that is anchored by a written security plan. The program also covered the numerous free tools and articles that ACT has produced to assist agencies with their security program, including a prototype agency information security plan. Steve Aronson, Aronson Insurance, Ted Joyce, N B Independent Brokerage, and Jeff Yates, ACT Executive Director, were the presenters.
To view the recorded webinar, click here
To view PDF of the presentation slides, click here
HIPAA-HITECH Requirements for Independent Agent "Business Associates"
Recorded webinar (May 11, 2012)
This recorded webinar and the accompanying slides provide a great roadmap for independent agents as to how to comply with HIPAA & HITECH, if they are acting as "business associates" under HIPAA, handling individually identifiable "Protected Health Information" while producing and servicing life or health insurance. This briefing was provided to ACT's HIPAA Work Group by Bob Chaput of Clearwater Compliance.
Click here for webinar recording
Click here for PDF of presentation slides
Sample Agency Website Disclaimers
Protect your agency from E&O exposure by including a Privacy Statement & Disclaimers on your agency websites and social media sites. These sample disclaimers can be used as a starting point. For sample Privacy Statements, please review the Privacy Statement on the IIABA website as well as that used by other independent agencies and organizations. For more details on the E&O risks arising from agency websites and the use of social media, please see the ACT articles "Don't Get Caught on the Web" and "Agency E&O Considerations when using Social Networking" found below on this web page.
See also Articles below for information on E&O considerations relating to agency websites and use of social media.
In addition, on the "Websites & Social Media" page, you will find ACT's guide, Creating a Social Web Policy for Your Agency, along with links to sample agency social media policies.
(2) Implementing Secure Email with TLS
Protect Your Clients with Secure Email Using TLS
Agencies and carriers are encouraged to implement an efficient and cost-effective approach to secure email by enabling their email servers for TLS (Transport Layer Security) email encryption. This article explains how TLS works. Click here.
TLS Email Encryption-- Agents' Frequently Asked Questions
This document builds upon ACT's article, "Protect Your Clients with Secure Email Using TLS," and provides answers to agents' most frequently asked questions, including giving examples of carriers that are enabled for TLS for their agents. Click here.
Insurance Carriers Enabled for TLS Email Encryption for their Agencies
Several insurance carriers have reported to ACT that they support TLS email encryption for their agencies, provided the agency has also enabled TLS on its in-house or hosted mail servers. With some of these carriers, once the agency enables TLS, it is automatically enabled with the carrier. With other carriers, the TLS-enabled agency must specifically request the carrier to turn on TLS with the agency. For further information regarding which carriers are enabled for TLS with their agents and whether this is automatic or requires the agent to request TLS from the carrier, please click here.
ACT Recorded Webinar: Protecting Independent Agent Clients with Secure Email Using TLS
Recorded May 13, 2010 (Demo in last 15 minutes puts more focus on implementation on Microsoft 2007 Exchange Server). Features Jim Rogers (The Hartford) & Tim Woodcock (Courtesy Computers)
PowerPoints (including screen-shots of TLS implementation and detailed notes; and selected regulatory information):
May 13, 2010 session (focusing on Microsoft 2007 Exchange Server in last 15 minutes) click here
Aug 18, 2009 session (focusing on Microsoft 2003 Exchange Server in 2nd half) click here
* When you download the PowerPoint, it is best to save it to your desktop, so you are not prompted for a password.
(3) Security-related Articles
Agency Strategies to Send & Receive Personal Data Securely
This article recommends ways agencies can secure their email and their websites when their clients' personal data is being transmitted. It defines the major types of “personal data” that should be "encrypted" when traveling over the Internet, as well as outlines the resources that are available from ACT to assist agencies in protecting their clients' and employees' personal data.
Free, Public Wi-Fi Can Be Dangerous to Your Health
(From Steve Anderson's "techtips", linked to with permission)
Steve Anderson provides a great overview of the risks when connecting at public Wi-Fi sites and then outlines steps you can take to protect your computer. This article appeared in his weekly "techtips" blog, which is free and well worth subscribing to.
“Bring Your Own Device” (BYOD) Opportunities & Risks
This ACT article by Danielle Johnson of InsurBanc discusses the risks involved when employees access the agency's systems with their personal smart phones, tablets and PCs, and it then provides practical guidance to help businesses formulate their policies and security strategies when they authorize employees to use their own devices to access company systems.
Combat Cybercrime and Protect Your Agency with Simple Security Steps
Keyloggers secretly installed on your computer can steal your agency's passwords and wipe out your bank account. This article recommends several steps for agencies to take to protect themselves by keeping a wary eye and practicing proactive online security techniques and policies. InsurBanc's Danielle Johnson takes the agency through a series of questions in order to evaluate its online security practices and then recommends the steps it should take if it becomes a victim of Cybercrime.
Independent Agents Fined For Not Having Written Security Plans
This article discusses the importance of agencies having and implementing a written security plan in order to protect their clients’ personal information and to meet increasingly specific state privacy requirements. The article then provides links to information and resources that will assist agencies in building a viable security strategy and plan to protect their clients and their business.
Don't Get Caught in the Web!
Managing Agency Website E&O Exposures
Sabrena Sally identifies major agency website E&O exposures and provides several tips, along with sample website disclaimers, to help agents manage those risks.
Agency E&O Considerations When Using Social Media
A lot has been written about how agencies can use social networking tools to enhance their online marketing and market reach. This article explores how the use of social media can impact the E&O risks agencies face and recommends specific steps agencies can take to mitigate those risks, so that the agency can get the full benefit out of these new tools.
ACT's Webinar "Agency E&O Considerations when Social Networking"
This webinar explores the major agency E&O risks involved with social networking and provides specific guidance on how agencies can manage those risks. Presenters were Sabrena Sally (Westport Insurance/Swiss Re), Colleen Murphy (Goldberg Segalla), David Hulcher (IIABA) and Rick Morgan (ACT Social Web Work Group Chair).
Click here for the PowerPoint (Best to "save" document to desktop to view it.)
Click here for Webinar recording. (We apologize for some audio drop-outs that occur about 35 minutes into the recording.)
Improving the Handling of Passwords in the Real-Time Environment
At its February 2009 meeting, ACT approved this major business case to encourage carriers and vendors to improve the way passwords are handled in the real-time environment. The problem today is that real-time transactions frequently error out because the user’s password has expired. It then takes the agent 5-10 minutes to update the password on the carrier Web site and in the agency system real-time tool, and to begin the transaction all over again. The Business Case outlines the pros and cons of the current real-time environment and then provides carriers with several recommendations to improve their real-time password workflow, most of which are in practice today with some carriers. The recommendations include giving agents advance notice before passwords expire; considering non-expiring, more complex passwords for real-time transactions or at least passwords of a longer duration (such as annual); implementing password synchronization with the vendor systems so agents can make password changes in the midst of real-time transactions; and working with vendors to develop a delete user real-time transaction.
Security Alert: Time to Move from Internet Explorer 6 to a Newer Version
For more details, click here
Information Security Concerns in Hotels and Hotspots
This article outlines the major security risks facing computer users in hotels and wireless hotspots and outlines practical steps you can take to protect yourself in these environments. Full story
Ongoing Security Risk Monitoring for Agency Owners and Security Managers
The reports and guides below give the agency a good picture of the major security issues they should be covering in their procedures and audits. However, specific security risks are continually arising, so it is important for agencies to monitor sites and receive regular updates on the specific new security risks that arise and may affect them.
Protecting Agency Customer Information from Identity Theft
This report discusses key issues agencies must tackle to safeguard private customer information, prevent identity theft, implement an effective security policy, and protect agency data both while at rest in the agency's systems as well as in transit to and from the agency. Click Here
Managing the Security Risks of Portable Devices
This article focuses on the special security risks presented by laptops and other portable devices and the specific steps agencies can take to manage these risks. It also discusses the importance of agencies taking proactive steps on the security issue overall to safeguard their core data and the confidentiality of their customers' information, as well as to fulfill their legal obligations. Click here.
The Independent Agent's Guide to Systems Security
This guide lays out the risks and steps to take, and includes a self assessment tool and sample security policy. It is written for the agency business leader. Download Here
Note: Use this older report for further information on security risks, doing security assessments, etc., but please note it has not been updated since its 2005 publication. See ACT's Prototype Agency Information Security Plan & Companion article at the top of the page for ACT's latest information on agency security policies.
Protecting Agency Security Takes Center Stage
This article discusses the lessons to be taken from the recent high-profile identity theft cases, the importance of effective agency password management, and the availability for download of a comprehensive agency security guide from ACT. Click here
Take Charge of Your Agency's Digital Security
Alvito Vaz, Progressive Insurance, provides agency principals with a clear and succinct overview of the security issues they should be thinking about. click here
ACT Guidelines for Multiple Passwords
ACT has approved recommended password formatting guidelines for companies and vendors and urges companies and vendors to adopt them. These guidelines, when adopted, will permit agents to use a common password for several company and vendor systems, alleviating the current password nightmare that agency employees are experiencing. At the same time, the adoption of the guidelines will enhance security at the agency level because agency employees will no longer have to maintain lists of passwords. These guidelines were revised by the ACT Governing Council on September 21, 2003.
Protecting Your Client's Most Private Information