Rossander’s Security Reader

Halloween is a time for scary stories – tales of vampires and ghouls rising from the dead to terrify innocents – a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

The problem is that we have a bad habit of treating email as a very casual form of communication. We think of it as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the recipient understands the context and correctly interprets our tone. When third parties read your message, however, they assume that you spent as much time crafting and wordsmithing your message as you would have in the days of typewritten memoranda. They may or may not understand (or care about) the context of the message and they will interpret the tone according to their own preconceptions.

Legally, email is a type of formal business communication. The contents of the message are not protected. You have no right of privacy in your email, either sent or received. Any email can be subpoenaed and forced into the public record. Or it could be saved, forwarded or posted to the internet by one of the recipients. When you write your emails, you must assume that it will be read by an unknown and unforeseen audience. Assume that anything you write will come out at the worst possible time and in the worst possible light.

Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow’s newspaper. Remember, email can come back to haunt you.

This article was originally published in the Oct/Nov 2005 edition of The Agent Newsline, a publication of Westfield Insurance.

Based on recent identity theft events, it is clear that U.S. businesses are operating in an increasingly hostile environment. Identity theft remains the fastest growing category of crime in the U.S. Criminals are getting more creative and more technologically adept every day. In this age of rapidly rising threats, every company needs to take serious steps to ensure the security of the private information in their custody.

What does Westfield do to keep your information safe?
Westfield holds private infromation in trust for you and our policy holders. Rest assured, we take our responsibilities seriously. We have never suffered a serious compromise of our data or systems and work hard to keep it that way. Here’s how:

• Dedicated security team. In early 2005, Westfield created and filled new roles dedicated specifically to information security. These people are charged with the coordination and continuous improvement of information security. We also formed a corporate security response cabinet with responsibility for all security-related issues. This group was formed in recognition of the increasingly blurry distinction between the physical and the electronic perimeters.
• Password protection. Westfield has password complexity standards and requires our employees to change passwords every 60 days. We continuously upgrade hardware and software in order to make sure our systems are patched for security vulnerabilities.
• External defense. We also commission external vulnerability scans and penetration tests. With your interests in mind, we regularly conduct internal scans of our systems and defenses and use that information to improve our systems.
• Disaster plan. Westfield also has moved aggressively to guarantee our ability to operate even after a potential physical disaster. Mainframe data is mirrored real-time to an off-site facility. In addition, we conduct semi-annual tests of our business continuity plans.
• Mandatory shredding policy. All office paper must be shredded. Even in this electronic age, most identity theft occurs as a result of access to physical copies of the information.

We want you to know that we take precautions to protect the private informaiton you’ve entrusted to us.

Shredding… It’s now the law

The Federal Trade Commission’s regulation on the disposal of information went into effect on June 1, 2005. According to the regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. Much of the information routinely used in insurance operations has some connection to a consumer report and is covered under this regulation.

Failure to comply with the regulation could result in fines and/or in lawsuits if the information is misused to commit identity theft. This law implements the "disposal provision" of the Fair and Accurate Credit Transaction Act of 2003 (FACTA).

For more information on the FTC regulation, visit www.ftc.gov and search on "disposal".

The regulation includes several examples of ways to comply and to ensure that the consumer’s private information remains protected during the disposal process. Westfield requires that all papers be secured until they are ready for disposal and has contracted with an accredited shredding company to make sure that the papers are thoroughly and properly destroyed.