Posts tagged ‘breach disclosure’

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It’s not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else, but it is a disturbing trend.

Laptop computers represent one of the most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don’t think you’ve ever saved a confidential document onto your computer, the computer will almost certainly have the credentials needed to reach information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee’s practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don’t give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet – out of sight, out of mind. Don’t assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don’t just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for English speakers, and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.
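To put some numbers behind the advice above, here is a small Python password-policy check written for this page (it is not code from the original post). It flags the "capitalized word plus trailing digits" shape and gives a rough guess-space estimate so you can see why a whole sentence holds up better. The 100,000-word dictionary size, the 60-bit acceptance floor, and the sample passwords are illustrative assumptions, not measured values.

```python
import math
import re

# Pattern the post warns about: a dictionary word, first letter capitalized,
# digits tacked on the end (e.g. "Summer2019").
WORD_PLUS_DIGITS = re.compile(r"^([A-Z][a-z]+)(\d+)$")

# Assumed size of the word list a pattern-aware cracking tool would pair with
# digit suffixes; 100,000 is an illustrative figure, not a measured one.
DICTIONARY_SIZE = 100_000


def matches_word_digit_pattern(password: str) -> bool:
    """True if the password has the Word+digits shape the post warns against."""
    return WORD_PLUS_DIGITS.match(password) is not None


def guess_space_bits(password: str, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Rough log2 of the number of candidates a guesser must try.

    Three cases:
      * Word+digits: dictionary_size words times every digit suffix up to the
        given length (10 + 100 + ...), which is why it falls in minutes.
      * A sentence of three or more words: each word treated as one pick from
        the dictionary, so the space grows by log2(dictionary_size) per word.
      * Anything else: plain brute force over the character classes present.
    This is a crude teaching model; a production checker would use something
    like zxcvbn plus a breached-password list.
    """
    if not password:
        return 0.0
    m = WORD_PLUS_DIGITS.match(password)
    if m:
        digit_len = len(m.group(2))
        suffixes = sum(10 ** n for n in range(1, digit_len + 1))
        return math.log2(dictionary_size * suffixes)
    words = re.findall(r"[A-Za-z']+", password)
    if len(words) >= 3:
        return len(words) * math.log2(dictionary_size)
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet)


def check_policy(password: str, min_bits: float = 60.0):
    """Return (accepted, reason). The 60-bit floor is an assumed policy value."""
    if matches_word_digit_pattern(password):
        return False, "capitalized word plus trailing digits; cracked quickly by pattern-aware tools"
    bits = guess_space_bits(password)
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits of guess space, policy minimum is {min_bits:.0f}"
    return True, f"estimated {bits:.1f} bits of guess space"


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for candidate in ["Summer2019", "Welcome1!", "My dog ate the homework again."]:
        ok, reason = check_policy(candidate)
        print(f"{'ACCEPT' if ok else 'REJECT'} {candidate!r}: {reason}")
```

Under these assumptions "Summer2019" comes out at roughly 30 bits (100,000 words times 11,110 possible digit endings), while a six-word sentence lands near 100 bits because every added word multiplies the search space by the whole dictionary again. The estimator is deliberately simple; its job is to make the pattern visible, not to replace a proper strength meter.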

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You’d never be that careless at home. Don’t let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it’s time to ask for your free copy of your credit report from the next agency.

This article was originally published in the Jul/Aug 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

State Laws Require Notification of Security Breach

States are aggressively requiring companies to tell consumers if there is a security breach affecting the consumers’ personal information. As of May 8, 2006, 28 states have enacted laws and another 17 have legislation pending. There are also several competing federal bills that require breach disclosure. You need to know how to keep your agency compliant with these new laws.

The Security Breach laws require notification anytime there is reasonable belief that a person’s private information is at risk of identity theft or fraud. Most of these laws are very similar to each other, though there are some state-to-state differences. Contact your local legal counsel for specifics.

What is a "security breach"?
The laws generally define a "security breach" as the unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information. In most states, laws do not apply to employees or agents using personal information in good faith for a business purpose, as long as the information is not later used for an unlawful purpose or subject to unauthorized disclosure.

What is included in personal information?
Personal information includes an individual’s name (first name or initial plus last name) in combination with at least one of the following:

  • Social security number
  • Driver’s license number or state identification number
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
    Note: In general, if the data elements are encrypted, or otherwise made unreadable, that would not constitute a breach.

What to do if your agency has a breach
Notify the people who may be affected as soon as possible. Some states, such as Ohio, require notification no later than 45 days after you discover or find out about the breach. Some specific exceptions to the 45-day requirement apply, such as a request by law enforcement.

You can provide notification in writing or by other means as specifically allowed in the law. The notification must include a description of the information which was potentially compromised and an explanation of the consumer’s rights. Most states also require you to provide a toll-free contact number for consumers to call for more details.

Working with Westfield

When you own and process all customer information yourself, this law is fairly straightforward. If you share information with a business partner or vendor, the responsibilities are more complicated. This has led to some misunderstandings. At least one news bulletin claimed that agents have no obligations under this law if the information systems of an insurance carrier are breached. In fact, the law requires that the company processing the data notify the company which "owns or licenses" the consumer information and that the "owning" company must notify the consumer. According to the Westfield Agency Agreement, the Independent Agency owns the relationship with the consumer and the consumer’s information.

This approach to notification is a result of lessons learned in the CardSystems breach. (CardSystems was a credit card processor for MasterCard, Visa, etc.) When CardSystems attempted to notify consumers, many threw the notice away unopened because they did not recognize the company and assumed it to be junk mail. Many legislators concluded that the notice must come from the company with which the consumer has the relationship in order to be effective.

If your agency has a breach, Westfield will work with you to determine who should notify the customer – the company or your agency. Often, it may make more sense for Westfield to notify the customer, and we will work with your agency to find the solution that is in the best interests of the customer if this situation arises. Westfield stands ready to assist in the notification to any Westfield consumers in the event of a breach either to Westfield’s systems or to your agency’s systems.

Westfield has also taken aggressive steps to safeguard all customer data. These days, an ounce of prevention is worth far more than a pound of cure.