For Agents Facing Evil Internet Wizards, Security is a Matter of Liability as Well as Downtime
In 2001, Boston-area independent agent Peter Anderson noticed that his agency’s network server was dramatically losing hard disk space. The last time he’d checked it, there were 16 gigabytes available. Two weeks later, he had barely more than a gigabyte free.
His agency, Marshfield, Mass.-based Anderson Insurance Services Inc., had been the victim of an anonymous miscreant who had buried a hidden folder deep within his hard drive and was using all that space to share out movies over the Internet. It took Anderson, a past-president of the Applied Systems Client Network, and a part-time technical support staffer, a full workday to find the buried file and resolve the issue.
Luckily for Anderson, the attack was not disruptive. It merely dragged down the server’s response time for the agency’s normal operations.
“My only regret is I never watched any of the movies,” Anderson told Insurance Journal.
On another occasion, Anderson gave a rating vendor, one that is now different in structure and strategy, permission to activate its Internet rating service on his agency’s server. The vendor installed it without a password, and the agency suffered denial-of-service attacks that crippled operations for nearly three days and took a combined 25 hours of Anderson’s and a technician’s time to repair.
As much as these experiences taught Anderson to redouble his agency’s information security efforts, including a more robust firewall and automatically updated anti-virus and spyware applications, he was relatively lucky. A survey of 62 high-tech agencies conducted by insurance industry software and networking provider IVANS Inc. and released in March showed that viruses, worms and hackers are the major concerns agents have about the Internet today.
Eighty percent said viruses and worms were the top concern, while 42 percent said hackers came next in their hierarchy of Internet worries. Blocking pop-ups, Web sites and regulatory compliance all trailed badly.
While agents are right to fear the costs associated with any downtime or data loss their networks might suffer thanks to Internet evildoers, these pale in comparison with the potential costs of having their clients’ information stolen and used in identity-theft schemes.
According to Marcia Jenson, assistant vice president of marketing at Kansas City-based Internet liability managing general agency Euclid Managers, the potential exposures are mind-boggling.
“If agencies keep their clients’ information on a database that is accessible via the Internet or hackers find some way to break into it and steal, use or disclose that information, then they have exposures for lawsuits from their clients,” Jenson told
Agency held liable
“An employee or someone outside the company could steal that personal information and sell it to someone else for use in a crime or use it themselves to steal the clients’ identity. Further, the personal information could just accidentally be made public. In both instances, the insurance agency would be liable for failure to prevent unauthorized access, identity theft and invasion of privacy.
“It’s possible,” Jenson added, “that a virus could get into a system and spread to their customers. If one of their customers, let’s say, is a larger commercial company and the virus goes to all of their customers, the chain of financial loss could come back to them.”
These risks are multiplied by the recent privacy mandates inherent in federal statutes such as Gramm-Leach-Bliley, Sarbanes-Oxley and the Health Insurance Privacy and Portability Act.
Check E&O policies
Jenson said she knows of no insurance coverages geared specifically toward the Internet risks faced by insurance agencies, but urged agencies to check their general liability and E&O policies for Internet liability coverage. The field of Internet liability law is developing quickly, but there’s no reason for agents to dawdle when it comes to protecting their clients’ data.
Hackers will continue to target data-rich sources such as ChoicePoint and Lexis/Nexis, but as the big fish invest more in security, soft targets in the financial services arena, such as insurance agencies, could be the next targets, according to Andrea Banyas, director of marketing and communications for IVANS.
Carriers have already begun to demand tougher security policies from their agency partners, and the trend will only grow, noted T.C. Kaiser, IVANS’ vice president of offering management and development.
“With the insurance industry’s distribution model,” Kaiser said, “everybody who has an agency management system has that data right there. Insurers are trying to figure out how to keep that secure without mandating to agents, ‘Here’s what you have to do.’
“As more and more people are leveraging transactions over the Internet, carriers ask: ‘Do I know that everybody who has credentials to use my Web site is still a valid employee? Who’s that end-user base? Who’s making sure those IDs and passwords are up to speed?’”
Michael Foy, chief financial officer for the Exeter, N.H.-based Foy Insurance Group, said some of his carriers have asked his agency to guarantee in writing that its end of the information chain is secure.
“We’re supposed to notify the insurer of any employee convicted of a felony,” Foy said. “We’re supposed to notify the insurer of any breach of data. But we can’t sign anything yet, because our comment back to them is, ‘What are we going to have our employees sign? The beginning of this issue is how do we bring the knowledge of not disclosing this personal client information right to lowest common denominator, which would probably be that clerical person who answers the phone?’”
IVANS’ Kaiser said that small- to medium-sized agencies face an uphill battle in that it’s often a challenge just to get their information systems up and running properly from an efficiency perspective, leaving aside the security concerns. He said IVANS is working on a “security in a box” product that would package together all the essential elements agencies need to protect them from Internet miscreants.
Anderson, meanwhile, suggested that agents who really think they’re out of their depth when it comes to securing their network ought to consider an application service provider, or ASP, to host their data. Software providers such as XDimensional, AfW Online and TAM Online allow agencies to outsource data-hosting and security so they can focus on selling insurance.
“I think ASPs are a very good solution,” Anderson said. “It’s something less sophisticated agencies should consider. Even with the security challenges we have today, I don’t think we’ve seen the beginning of it yet. I think we’ll soon be facing challenges we couldn’t even dream of yet at the moment.”
Source: “Technology and the Independent Agent: A Survey Conducted by IVANS, March 2005.”