Does My Agency Need a Security Plan?

Over the past decade, our industry has focused on disaster, perpetuation, workflow, and operational plans. Each of these serves a purpose and is crucial to agency operations. Security planning is no different. As insurance agents, it is our responsibility to protect our client information to the best of our ability. Advancements in technology have not only helped our agencies perform more efficiently, but have also given potential cyber criminals the ability to gain access to our most valuable asset: our client data.

  • Federal Laws – On September 23, 2013, the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule went into effect. Independent agencies that focus on health insurance products are likely to be considered "business associates" under this rule. Business associates are now required to comply with portions of the HIPAA Privacy and Security Rules. Also under this rule, the Department of Health and Human Services (HHS) is now required to perform periodic audits of business associates to determine compliance with HIPAA. Penalties for non-compliance can range from $100 to $1.5 million. Securing Protected Health Information (PHI) from an administrative, physical, and technical perspective is a major portion of the HIPAA Security Rule.
  • State Laws – Currently, 47 of the 50 states have data breach laws in effect. These laws vary on what constitutes a data breach, along with the definition of Personally Identifiable Information. Penalties vary among states, but Florida just enacted a law that gives a business 30 days to notify its clients once a data breach is discovered. Failure to provide notice of a data breach within 30 days will result in a $1,000 per day fine per breach, then up to $50,000 for each 30-day period up to 180 days, then an amount not to exceed $500,000. (Penalties apply per breach, not per individual.)

North Carolina legislation requires the business to notify "without unreasonable delay". This term is used in most of the state laws, which leaves room for interpretation about the timing of the notification. To prevent any potential penalties, agencies should have a plan in place that lets them move as quickly as possible.

Virginia has a regulation that states that all insurance agents/agencies must have a security plan. If your agency is doing business in the state of Virginia, you need to have a written security plan. Otherwise, you could be fined by the state for non-compliance.

  • Cyber Liability – Underwriting requirements for cyber liability policies now ask specific questions about the way we protect client information. Does your agency have firewalls? Do you enforce and use malware protection, spyware protection, and virus protection software? Establishing a written security plan helps document these security controls and prevent potential exposures.
  • Common Sense – This is probably the most important aspect. Our client data is extremely valuable to our agencies, and protecting it is essential to our business. Failing to protect this information could create monetary penalties, reputational risks, and even criminal penalties.

So, does your agency need a security plan? Well, the simple answer is "yes".

To learn more about the importance of having a security plan and what should be included, join us for a free IIANC member webinar on January 27 at 2pm.

Also, you can contact me to learn more about developing a customized security plan for your agency – grobertson@iianc.com or 336-253-3618.