Archive for the ‘ID Theft’ Category

If your wallet is ever lost or stolen, you need to immediately contact the issuers of all the credit cards and identity documents and begin the process of getting new cards.

About once a year, lay out the contents of your wallet on a photocopier. Copy both the front and back so you have a record of all the card numbers and phone numbers.

Be sure to keep the copy in a very safe place. When you make a new sheet, be sure to shred the old one so it cannot be misused.

File a police report immediately in the jurisdiction where your credit cards or wallet were stolen. Do not wait until you return home. Promptly calling the police shows the credit providers that you were diligent and will be the first step toward their investigation.

Consider calling the three national credit-reporting agencies to place a fraud alert on your name and social security number. That will make it a bit harder for the thief to open new accounts in your name.

If you are traveling, keep your identity document (passport or driver’s license) separate from your wallet. You should also carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

This article was originally published in the Oct/Nov 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

We all know about the rising threat of identity theft, and hear how it can affect a person’s life. Along with businesses, legislatures around the country are also under a lot of pressure to do something about identity theft. Here are some tips to help you keep your customers’ Social Security Numbers (SSNs) and your agency safe. It’s not just a good practice – in almost all states, it’s the law.

  • If you don’t absolutely need the SSN, don’t ask for it. Take the field off forms unless it is absolutely necessary.
  • If you only need the SSN once, use it and destroy it. Don’t record a copy or make a note "just in case."
  • If you must ask for the SSN, protect it carefully:
    • Watch records that get posted on a web site. Be cautious of spreadsheets with SSNs, which can get found via a search engine. Keep documents with SSNs in secured folders.
    • For log-ons to web sites, don’t use the SSN unless the web site also requires a password or PIN for access.
    • Several states explicitly ban the selling, renting, trading, etc. of any list containing the consumer’s SSN, so don’t give out a consumer’s SSN to anyone.
    • Only print or show the last four characters from the SSN.
    • SSNs may not be printed on any ID card required for the individual to receive products or services. That means that SSNs generally may not be printed on the proof-of-insurance card. This includes embedding the SSN using a barcode, smart chip or magnetic strip.
    • Unless the message is encrypted, don’t request or send SSNs via e-mail.
  • When sending mail, do not print the SSN on anything mailed to the individual unless required by law. The news tends to highlight the technology-based hacks and compromises but research continues to show that most identity theft is committed based on paper records and the largest single source of stolen SSNs is still physical mail theft. (The second source is trash.)
    • If you do send a document with an SSN in the mail, be sure the SSN is not visible through the envelope. Also watch postcards, top-sealed mailers with open sides or envelope window openings.
    • The "required by law" exception applies primarily to certain HR records like your W-2. There may be a few state laws requiring us to send SSNs by mail either to a state agency or to the individual but as a general rule, avoid putting any document with the consumer’s SSN in the mail unless it is strictly required.
  • Destroy everything when it is no longer necessary. As soon as the retention period runs out and the record is no longer necessary, make sure that it is properly destroyed.
    • Paper documents should generally be destroyed by shredding. While the FACTA Disposal regulation allows other means of destroying paper documents, shredding is almost always the most reliable and cost-effective way.
    • Make sure that all electronic media (hard drives, floppy disks, thumb drives, CD-ROMs) get sent back to your IT department to be wiped. Make sure that the data has been irrecoverably destroyed before donating or throwing away the media.

The average cell phone has a life expectancy of 18 months. What happens to all your personal information when you upgrade your phone? In too many cases, that personal information gets passed along to the next user.

Personal information can include:

  • stored phone numbers and addresses: usually not much of a worry
  • records of calls made or received: not a problem unless you’ve been talking to someone that you wouldn’t want your spouse or employer to know about
  • pictures: again, may not be a problem depending on what kind of pictures you took
  • copies of text messages sent and received: often a serious privacy issue
  • the speed-dial setting for your voicemail with both the access number and password: potentially very serious

This is not an all-inclusive list. Modern phones also include calendars, memo pads, to-do lists and other applications, all of which you might have used and which might have personal or business information that should be kept private.

Most phones include a delete function, but independent reviews of those delete functions show them to be mostly pretty poor. Good hackers can undelete the information on most common cell phones with only a little specialized equipment and knowledge. To protect your privacy:

  • Treat a phone’s text message service with the same caution that you use for unsecured email. Be especially professional in your use of text messaging.
  • Make sure that your old information is really gone before giving the phone to a friend, family member or charity, or trying to sell it online. (If all else fails, a 2½ lb sledge hammer does a very reliable job of making the data unreadable – but it won’t be worth much when you’re done.)

For additional information and a real-life scenario, read this recent story from CNN.com.

This article was originally published in the Jul/Aug 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

State Laws Require Notification of Security Breach

States are aggressively requiring companies to tell consumers if there is a security breach affecting the consumers’ personal information. As of May 8, 2006, 28 states have enacted laws and another 17 have legislation pending. There are also several competing federal bills that require breach disclosure. You need to know how to keep your agency compliant with these new laws.

The Security Breach laws require notification anytime there is reasonable belief that a person’s private information is at risk of identity theft or fraud. Most of these laws are very similar to each other, though there are some state-to-state differences. Contact your local legal counsel for specifics.

What is a "security breach?"
The laws generally define a "security breach" as the unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information. In most states, the laws do not apply to employees or agents using personal information in good faith for a business purpose, as long as the information is not later used for an unlawful purpose or subject to unauthorized disclosure.

What is included in personal information?
Personal information includes an individual’s name (first name or initial plus last name) in combination with at least one of the following:

  • Social security number
  • Driver’s license number or state identification number
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
    Note: In general, if the data elements are encrypted, or otherwise made unreadable, that would not constitute a breach.

What to do if your agency has a breach
Notify the people who may be affected as soon as possible. Some states, such as Ohio, require notification no later than 45 days after you discover or find out about the breach. Some specific exceptions to the 45-day requirement apply, such as a request by law enforcement.

You can provide notification in writing or by other means as specifically allowed in the law. The notification must include a description of the information which was potentially compromised and an explanation of the consumer’s rights. Most states also require you to provide a toll-free contact number for consumers to call for more details.

Working with Westfield

When you own and process all customer information yourself, this law is fairly straightforward. If you share information with a business partner or vendor, the responsibilities are more complicated. This has led to some misunderstandings. At least one news bulletin claimed that agents have no obligations under this law if the information systems of an insurance carrier are breached. In fact, the law requires that the company processing the data notify the company which "owns or licenses" the consumer information and that the "owning" company must notify the consumer. According to the Westfield Agency Agreement, the Independent Agency owns the relationship with the consumer and the consumer’s information.

This approach to notification is a result of lessons learned in the CardSystems breach. (CardSystems was a credit card processor for MasterCard, Visa, etc.) When CardSystems attempted to notify consumers, many threw the notice away unopened because they did not recognize the company and assumed it to be junk mail. Many legislators concluded that the notice must come from the company with which the consumer has the relationship in order to be effective.

If your agency has a breach, Westfield will work with you to determine who should notify the customer – the company or your agency. Often, it may make more sense for Westfield to notify the customer, and we will work with your agency to find the solution that is in the best interests of the customer if this situation arises. Westfield stands ready to assist in the notification to any Westfield consumers in the event of a breach either to Westfield’s systems or to your agency’s systems.

Westfield has also taken aggressive steps to safeguard all customer data. These days, an ounce of prevention is worth far more than a pound of cure.

Identity theft is the deliberate assumption of another person’s identity, usually to gain access to their credit. Identity theft is the fastest-growing crime in North America and is estimated at over $5 billion per year in the US alone. To protect yourself from identity theft:

  • Limit your credit card use. Keep your account information in a safe place that lets you immediately cancel all your credit cards if your wallet is lost or stolen.
  • Check your accounts each week online. You can catch unusual activity more quickly than if you wait for monthly statements.
  • Shred credit-card receipts, pre-screened credit-card offers and other such documents because they contain private information.
  • Mail letters from the post office. Install a lock on your home mailbox.
  • Don’t order checks preprinted with your driver’s license number or SSN. If you can keep your address off the checks, do so.
  • Don’t carry your social security card. Don’t give out the number unless it is absolutely necessary or legally required (employers, landlords etc.). If you have your SSN on your driver’s license, be equally careful about who sees your license.
  • Don’t give out personal information to telemarketers who initiated the call to you. Get a phone number to call marketers back if it is an offer you’d like to pursue. Get a company name and web URL and check them out with the Better Business Bureau.
  • Never speak to anyone claiming to be from a collection agency about anything regarding a third party – and make clear to others that you expect the same protection.
  • When shopping online, make sure the company is reputable and displays an approved security symbol. Also, make sure you log out of the site when finished.
  • Request your own credit report each year and check the reports for inaccuracies. If you’ve been the target of identity fraud, check the data every six months.
  • If you believe that you have been a victim of identity fraud, keep copies of police reports and records of who you talked to and when, so that you can back up the claim of fraud with skeptical lenders.