• Licensed insurance entities are required to develop a comprehensive written customer information security program pursuant to Sections 501, 505(b), and 507 of the federal Gramm-Leach-Bliley Act and corresponding sections of State regulation (when applicable).
  We believe that the administrative, physical, and technical safeguards outlined below are appropriate to the size and complexity of our operation and the nature and scope of our activities. This program is designed to describe how we:

  1. ensure the security and confidentiality of customer information;
  2. protect against any anticipated threats or hazards to the security or integrity of the information; and protect against any unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

Staff Training and Awareness

• We have designated an individual or committee to oversee our information security program.
• We have a policy requiring employees to verify the identity of persons requesting customer information.
• Employees are instructed to keep customer information confidential when outside of the professional setting (such as where conversations could be overheard).

Service Provider/Other Provider(s) Oversight

• We have designated an individual or committee to oversee our information security program
• The agency exercises due diligence in selecting its service providers (such as checking references prior to retaining).
• The agency requires all service providers to execute a service provider agreement.

Disposal of Information

• Documents containing customer information are shredded or otherwise destroyed before disposal.
• Electronic files or media containing customer/consumer information are destroyed or 'wiped' prior to disposal.

Maintenance and Review of Program

• We monitor, evaluate and adjust our information security program, as appropriate.

Physical Safeguards: Security of Agency Office Premises

General Office Security

• All access points to the premises are adequately secured by locks or locking devices.
• Our internal policy outlines which individuals have keys to the premises.
• We have a policy against the duplication of keys.
• We have a policy to secure keys immediately from terminated employees.
• Our premises is sufficiently lit at night.

Visitor Policy and Reception Area

• Visitors are greeted immediately upon entry to the premises.

Access to Agency Files and Hardware

• Our internal policy requires employees not to leave consumer/customer information open to public view.

Technical Safeguards: System Security

Anti-Virus Software

• Anti-virus protection software is installed on the network.
• Anti-virus protection software is installed on all office computers.
• Office computers are scanned for viruses on a regular basis.
• Our policy prohibits our employees from disabling anti-virus software.
• We have activated the automatic update feature for virus definitions.
• We have activated the automatic update feature for the antivirus program.
• We have a procedure in place to deal with a virus infection.

Anti-Spyware Software

• Anti-spyware software is installed on all office computers.
• Office computers and servers are scanned with anti-spyware on a regular basis.
• Our policy prohibits employees from disabling anti-spyware software.
• The automatic update features for anti-spyware definitions have been activated.
• We have activated the automatic update feature for the anti-spyware program.

Firewalls

• Our office is equipped with a network firewall.
• Our office computers are equipped with individual firewalls.
• Our Internet Service Provider (ISP) uses filters to help prevent access to unauthorized users.
• Our workstations' file-sharing capability has been shut off or disabled.
• We have a procedure in place to update the firewall software.
• We have a policy in place to test the integrity of our firewall and other intrusion protection systems.

Network and Program Password Protection

• Access will be denied if the correct password is not entered after a certain number of attempts.
• Employees are instructed not to share their passwords.
• Employees are instructed not to leave their passwords in a visible location.
• We have a procedure for removing individuals from system access immediately upon termination.

Data Backup

• The agency backs up network data on external media (tapes, CD's and/or DVD's) at least weekly.
• Back-ups are stored safely in a secure offsite location.
• Backups are tested at least quarterly. These tests should be done as a restore from the backup tapes to a separate location (test environment), not just a validation that the backup ran successfully.

Laptops

• Our internal policy prohibits staff/guests from using personal laptops and hardware on our computers and network without permission.
• Access control software is installed on all employee laptops that contain agency information or that have access to agency systems.
• Laptops are patched with the latest operating system patches.
• Laptops are equipped with up-to-date firewall and virus protection software.

Email Policy

• We have a policy relative to the monitoring of employee emails.
• Employees are instructed not to open and to delete emails from unknown sources or with unusual captions.

System User Instructions

• Our internal policy prohibits employees from downloading or installing software on the agency’s computer system without prior approval.
• Employees are instructed not to download files from unknown sources.
• Our internal policy prohibits our employees from using instant-messaging software.

User Monitoring

• Our agency monitors network traffic to detect any unusual activities.
• Our agency actively manages the logs produced by the security components available on our system (firewall, wireless router, proxy server, fax server, etc.).