Guidance for insurance brokers for ensuring your company and customer data is secure.
Security of physical records: Although much of our work is now based electronically, it is important that any physical trace of customer data (for example hard copy files or data stored on backup media and old IT equipment) is properly transported, archived and disposed of accordingly and in a timely manner.
Security of electronic data: All computer records come under the DPA, which includes any reference to customers, such as emails, database records and spreadsheets. Technology is constantly evolving, therefore, your security measures must also be reviewed and updated regularly. Operating systems (e.g. Windows 7) and browser software (such as Internet Explorer) must be kept up to date with the latest security updates at all times as new viruses can exploit vulnerabilities in your network.
Be aware that Microsoft will no longer support or update the popular Windows XP operating system and Office 2003 productivity software from April 8 2014. If you still use either of these products you will be putting customer data at risk as security fixes, known as “patches”, will no longer be available and hackers will inevitably take advantage of unprotected computers.
Remember that your network is only as secure as the weakest link, so make arrangements to upgrade to more secure products now.
For more information on dealing with the XP/Office 2003 support deadline, click here
Insurance brokers should implement an email security filter to block or quarantines potentially harmful emails. This would allow users to check the sender before opening and clicking on links within the email. Recent threats include emails that launch “kidnap and ransom” attacks where the threat of irreversible data theft is used to blackmail businesses. Consequently, as well as keeping their security software up to date, businesses need to be vigilant for fake emails (known as “phishing” attacks) that often look like they are from legitimate sources such as HMRC.
The best advice is:
Never respond to emails that request personal financial information
Never click on emails that you are not expecting or from unknown senders. If in doubt – delete it.
For more guidance on computer security and avoiding phishing attacks see the advice given here.
When sending customer data via email, for example as an attachment, it is vital that it is encrypted and that the encryption password is given verbally. Standard Word and
Excel password protection, especially of older versions of the software, is not adequate as it can easily be “cracked” by free online tools and should not be used.
Be aware that your staff are on the “front line” of data security, so their awareness of the risks and how to mitigate them will be key in protecting your business. Huge fines and reputational damage are common in the event of data loss, so data security the procedures should become a natural part of the working day for those in the insurance industry. Therefore, it is important to offer regular training on security procedures for physical, verbal and electronic data. Staff should also understand how to handle requests to access personal data, for example by phone, by verifying the identity of the caller and confirming the consent of the data subject.
For more information on fines levied by the Information Commissioner’s Office click here
Sharing and transferring data
Information is often transferred between insurance brokers, insurers and other business partners such as comparison websites, so it is prudent to check that the security provisions in place of any business partner is of a similar level to your own, or higher.
Prioritising data security and implementing best practice throughout the business will not only ensure you are compliant but also give the business the credibility and security to continue trading.