What is your agency’s data protection strategy?

Data is being bounced around very quickly in agencies today. Unless you have a strategy for how your agency will manage the data you collect, it will probably bounce right out of your control. This article will give you a simple framework for creating a data protection strategy for your agency and provide some helpful tips along the way. 


In 2021, it is especially important to spend time thinking about the data you collect and how you store and manage it. There are several reasons for this, but the most pressing are the legal and regulatory requirements being placed on businesses and cyber crime concerns. 


Legal and Regulatory Requirements:

There are many new laws that have been put in place to help protect consumers from the devastating effects of a theft of their personal information. They include:


  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • New York Department of Financial Services Cybersecurity Regulation 


There are other laws as well, but these have been talked about the most because they provide significant protections for consumers and introduce hefty fines for lack of compliance. 


Cyber Crime Concerns:

Cyber crime, which includes ransomware, electronic transfer fraud, identity theft, social engineering, and other schemes, uses stolen data to perpetrate significant heists or achieve nefarious goals. These types of crimes are increasing rapidly all over the world and everyone is at risk. 


Understanding the law and cyber crime may seem like a daunting task, especially if you are unfamiliar or uncomfortable with these areas. However, once you take a little time to understand these “threats” and develop a strategy to protect your agency, the task will be more manageable. 


Step 1: Identify the data you need to protect.

In order for you to protect anything, you must first understand what it is you are protecting. When you buy a house, it is simple. You want to protect the house, so you buy insurance. With data, it is a little less straightforward, but it is the same concept. 


In today’s world, agencies need to protect personally identifiable information, or PII, first and foremost. PII is any information that can be used to identify an individual. Some examples of PII are listed below. (This is not an exhaustive list.)


  • Full name
  • Date of birth
  • Home address
  • Social security number
  • Driver’s license number
  • Email address
  • Phone number
  • Employer identification number


Step 2: Map out the different data flows in your agency

Now that you know what data you need to protect, you need to understand how and where it is flowing within your agency. Here is a quick example of a data flow that may be present in your agency. 


Producer New Prospect Data Flow Components:

  • Data collection system (Online data collection/Paper/Computer document)
  • Agency computer (Producer email program, documents, etc.)
  • Account manager email system
  • New business analyst email system
  • Agency management system
  • Carrier rating system
  • Carrier underwriter email
  • Multiple carrier rating software
  • Customer relationship management (CRM) software
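
One way to see which components of a flow actually carry PII is to scan a sample export from each one. The following is an added example, not part of the original article: the sample text is constructed, the component names are taken from the list above, and the patterns cover only a few US-format PII types from Step 1.

```python
import re

# Regexes for a few PII types from the Step 1 list (US formats, illustrative only).
PII_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}

# Constructed sample content, one entry per data flow component.
SAMPLES = {
    "Producer email program": (
        "New prospect Jane Sample, DOB: 04/12/1980, SSN 123-45-6789, "
        "jane.sample@example.com, (203) 555-0142"),
    "Agency management system": (
        "Insured contact: jane.sample@example.com phone 203-555-0142"),
    "Carrier rating system": "Quote ref Q-1001, territory 12, coverage A 450000",
}


def mask(value):
    """Hide all but the last two characters so the report is not a new copy of the PII."""
    return "*" * (len(value) - 2) + value[-2:]


def scan_component(text):
    """Return {pii_type: [masked matches]} for one component's sample content."""
    found = {}
    for kind, pattern in PII_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[kind] = [mask(m) for m in matches]
    return found


def map_flow(samples):
    """Rank components by how many distinct PII types they carry, most first."""
    results = [(name, scan_component(text)) for name, text in samples.items()]
    return sorted(results, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    for name, found in map_flow(SAMPLES):
        print(f"{name}: {sorted(found) or 'no PII patterns found'}")
```

Components at the top of the ranking are the ones to examine first in Step 3. A clean result only means none of these patterns matched, not that the component holds no PII.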


Step 3: Understand the options available to protect your sensitive data:

Once the data flows are mapped out, every component of each data flow should be analyzed to understand the level of protection needed to secure the data. Some components will have a higher sensitivity level than others and should be given more stringent security protocols, while other components may not carry as much risk and can get by with a lower level of security. These are decisions you will need to make based on legal requirements and data security best practices. Here are some data security best practices to look for in each of your data flow components. 


  • Secure document shredding
  • Utilize password managers across agency personnel
  • Transport Layer Security (TLS/SSL) on the vendor websites you are using. You can tell when this security protocol is in place because “https://” will be at the beginning of the URL. 
  • Website enforcement of strong passwords for its users (i.e., 8 or more characters with upper, lower, numbers and special characters).
  • Two-factor authentication offered by website vendors


As you proceed through this process, you may identify vulnerabilities in your agency’s data flows. The good news is once they are identified they can be mitigated. 


Step 4: Implement smart security solutions at your agency

There are many ways to improve data security at an agency, but it is important to recognize that not every security solution needs to be implemented in order to keep data secure. The process of securing data is just that, a process. It is an ongoing effort that involves everyone in the agency. There are definitely some basic components of data security that must be adhered to, but each additional layer of security will only serve to help make your agency more secure in the long run. Once you identify the options that are available to you to improve your data security, the next step is to prioritize and implement them at your agency. Here is a sample implementation plan an agency could use to improve data security with its production team. 


  • Ensure all producers are using a secure data collection method for their sales efforts. 
  • Require producers to have strong passwords for all the systems they enter personally identifiable information into.
  • Provide password management tools to producers


These three solutions can add a significant amount of protection to an agency. This additional protection will help your agency comply with legal requirements, ward off cyber criminals and ultimately protect your agency’s customers. 


Data protection is the most important part of your agency’s data strategy, but there are several other aspects of a data strategy that can be developed. Once you have your data protection strategy figured out, you can move on to other exciting areas of data strategy, such as agency automation and integrations. 


Kurt Thoennessen

CEO of RiskRevu and Personal Risk Advisor at Ericson Insurance Advisors