Forcing Agencies to Protect Their Clients' Personal Data

(December 4, 2009)

All businesses with customers in the Commonwealth of Massachusetts will have to comply with this legislation by March 1, 2010.  Here is a unique look at regulation from the standpoint of effective agency operations. 

I am not a lawyer, so what follows is not legal opinion.  I am approaching this regulation from the standpoint of effective agency operations.  From that perspective, some general and valuable issues are clear to me.  The next two paragraphs are what I would say as an agency owner or manager.

Were I an agency owner or manager, I would say, "I want to thank the legislators for enacting this regulation and allowing me the opportunity to improve my processes and implement some best practices at my agency.  I will become more efficient and more productive because of it.  I would also like to thank my fellow agency owners and principals who do not take this opportunity to make improvements at their agencies.  I will now have an even greater competitive edge once I have taken a good, hard look at how I operate and made some improvements to my operations as I prepare to comply with this regulation."

Or, I could take a hasty view — "Here’s another regulation the state is forcing us to comply with … How much is this going to cost me and how much time will it take?" 

I would tell the agency owner, and any other business owner, to approach this from the standpoint of the customers.  Put yourself in their shoes.  (Or think of your favorite bank, store, or credit card company.)  How would you feel if the company (or insurance agency) felt it a nuisance that it had to protect your personal information and in so doing, minimize your risk of identity theft?  I would be willing to bet that most of us would take our business elsewhere, especially if a loss of personal information were to occur and the company had done nothing to prevent it.

On the other hand, how would you feel about a company that took the protection of your personal information seriously?  Better yet, how would their reputation, and the trust you had in them, improve if you knew that they were making a few changes to better protect your information, comply with the law, oh, and incidentally, provide you with better service along the way?

If you (in your customers’ shoes) would have a better view of and more trust in ― and thus a stronger relationship with ― that company, why would your customers not have the same reaction?

Most agencies can say that they have lost customers over the past 12 months to another agency or even to direct writers.  Is the reason for the switch mostly price-related?  In the majority of cases, it probably was a factor.  So how do we counteract the price factor?

Think of a time when you knowingly paid more for something than you had to ― a new car, clothes, or even a dinner out.  Why did you do it?  Was it because of the reputation of the product?  Its reliability and quality?  Or was it because of the service available from the vendor?  One effective way an insurance agency can convince clients to stay, even when its insurance product costs more, is to demonstrate these same intangible values of reputation, reliability, quality, and service ― and to inspire a level of trust that produces strong (and justified) loyalty because clients know they are being treated right.  That brings us back to the protection of your clients’ personal information.

Oh, and there is nothing in this law that says you cannot tell your existing customers that you are taking measures to comply with it and that you do take the protection of their personal information seriously. 

In fact, I dare you to be the agency that tells them the opposite ― that you do not take the protection of their personal information seriously.  What effect will that have on your customer base?  Well, by not taking a good, hard look at your operations and identifying where there may be gaps, this is exactly what you are doing.  Don’t be that agency!

Ok, so we all can see, I hope, the opportunity that we have in front of us.  Now what do we do?

Here are the basics of the law:

  • All entities that own or license personal information (names connected to Social Security numbers or driver’s license numbers) of a resident of Massachusetts must comply with this law by March 1, 2010.
  • Every agency must have a designated Security Officer and a written information security program (WISP) in place.
  • All employees must be trained on the WISP.
  • The safeguarding of personal information applies to physical security as well as electronic security (paper and computer files).
  • If a breach occurs, it must be reported and corrective actions must be taken.

What does this mean for insurance agencies?  A few examples:

  • Network security and password policies must be up to date and enforced.  No more yellow sticky notes with passwords!
  • Emails that contain personal information (PI) must be encrypted as much as is technically feasible and reasonable.
  • Any portable devices (e.g., laptops, thumb drives) that store PI (even in a copy of an email or other document) must be encrypted.
  • Wireless networks must be encrypted.
  • Paper records must be stored in a secure, locked area and accessible only to those employees who need access. Ideally, no files (even management system screens) should ever be visible to customers or other people who do not work for the agency.

Ok, so now what do we have to do?  Here is a list of steps to take in preparing for (and complying with) the law:

  1. Read the law.
  2. Designate a Security Officer/Manager.
  3. Have the Security Officer read the law.
  4. Conduct a security assessment based on the requirements of the law.  (This can be a self-assessment or, better yet, an assessment by an outside consultant with experience and an understanding of the law who will give you a truly objective review of your agency’s security.)
  5. With the gaps identified, create an action plan to close the compliance issues.
  6. Using the results of these steps, write your security program (WISP).
  7. Train all employees on the WISP.
  8. Monitor the items outlined on your WISP.
  9. Review and update your plan at least yearly.

In summary, it is much better for you as a business owner, not just an agency owner or principal, to look at this new law as an opportunity to strengthen the relationships you have with your insureds, improve your productivity and efficiency, and give your agency operations a thorough review.  If you come out on the other side of March 1, 2010, without both the reassurance that you have all your bases covered and positive, lasting improvements in your agency’s operations, you’ll find that you missed more than just the compliance deadline.

Jason Hoeppner