INFORMATION SECURITY PLAN

Plan Terms

Please carefully review the definitions of these terms, because they are used frequently in this plan:

  • Plan refers to the Information Security Plan.
  • Agency refers to TRICOR Insurance.
  • Clients refers to the Agency’s clients, former and prospective clients.
  • Encrypted refers to the use of a program to put computer data into a coded format that cannot be read by anyone who does not hold the corresponding decryption key.
  • Password refers to a string of characters that, wherever the system allows, is at least 8 characters long and contains at least one upper case letter, one lower case letter and one number.
  • Private Information refers to non-public personal, proprietary and confidential information, of Clients, the Agency and/or Agency employees.
  • Systems refers to all agency computers, networks, copiers, scanners, FAX machines, voice mail/phone systems, and other storage devices (e.g. back-up tapes, USB and other portable drives, CDs, etc.) where Agency Private Information might be found (whether maintained on Agency equipment/servers or on equipment/servers managed by third parties or employees, wherever located).

Scope and Objective

This Plan for Agency is intended to create effective administrative, technical, electronic and physical protections to safeguard the personal information of the Agency’s Clients and employees, the Agency’s proprietary and confidential information, the physical security of our premises, and the integrity of our electronic systems so that they are best positioned to function smoothly without interruption.

This Plan sets forth the Agency’s procedures for electronic and physical methods of accessing, collecting, storing, using, transmitting, destroying, and protecting Private Information of Clients, the Agency and/or Agency employees and also the use of the Agency’s Systems by Agency employees and any authorized third parties, as deemed appropriate and/or required by applicable laws and regulations.

In formulating and implementing this Plan, we have:

  1. identified reasonably foreseeable internal and external risks to Agency’s security, confidentiality and/or integrity of electronic, paper or other records containing Private Information;
  2. assessed the likelihood and potential danger of these threats, taking into consideration the sensitivity of the Private Information;
  3. evaluated the sufficiency of existing Agency policies, procedures, and other safeguards in place to minimize those risks;
  4. designed and implemented an approach that puts safeguards in place to minimize those risks, consistent with the requirements of applicable laws/regulations; and
  5. included regular monitoring of the effectiveness of those safeguards.

All security measures contained in this Plan shall be reviewed and re-evaluated annually or when there is a change in applicable laws or regulations or in the business activities of Agency. The Agency reserves the right to modify this Plan at any time, with or without prior notice.

Employee Responsibility

It shall be the responsibility of each Agency employee to carefully read, understand and adhere to this Plan. Each employee with access to Private Information shall receive training as necessary on this Plan and confirm in writing that he or she understands the requirements and will adhere to it as a continuing condition of his or her employment. Failure to adhere to the requirements of this Plan shall subject the employee to disciplinary action by Agency, up to and including termination.

Ownership of Agency Information

The Agency regards all information contained, sent or received on the Agency’s Systems and/or Agency equipment (e.g., Agency computers and mobile electronic devices, email, text and instant messaging systems, social networks and message boards, whether maintained on Agency equipment/servers or on equipment/servers managed by others) as well as information contained in, sent or received by Agency employees about the Agency or relating to its business on non-Agency equipment, as the property of the Agency, and the Agency reserves the right to access, review, use and disclose any such information at any time, with or without notice to employee, in Agency’s sole discretion. Employees have no right to or expectation of privacy with respect to any such information (except for the Private Information relating specifically to them), and shall acquire no ownership or control rights over such information.

Information Security Coordinator

The Agency has designated the Network Administrator and the Vice President of Systems and Technology as the “Information Security Coordinators” to oversee implementation of this Plan.

The Information Security Coordinators will be responsible for:

  1. Initial implementation of this Plan;
  2. Training existing and new employees;
  3. Appropriate testing and evaluation of this Plan’s safeguards;
  4. Evaluating the ability of service providers to comply with this Plan and applicable laws and regulations;
  5. Reviewing the security measures in this Plan annually or when there is a change in applicable laws or regulations or in business activities of Agency; and
  6. Conducting training as necessary for all Agency employees with access to Private Information.

Special Protection for Private Information

Private Information is to be accorded the highest level of confidentiality by the Agency and employees.

Examples of Private Information include, but are not limited to:

  1. First name and last name, or first initial and last name, and any one or more of the following:
  2. Social Security number;
  3. driver’s license number, passport number, or state-issued identification card number;
  4. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password; and/or
  5. personal or protected health information.

The information listed in 2-5 above should be treated as Private Information even when it is not connected with a name, because possession of the number or information alone can be enough to commit identity theft.

Where Private Information is Stored

The Agency and its employees recognize that the Agency possesses Private Information in the following places, whether in the Agency’s premises or off site, and whether created or maintained by Agency or third parties on behalf of Agency:

  • hard copy and electronic files on Clients and employees, located at desks, in file drawers, storage areas and on the Agency’s Systems;
  • personnel files, Form I-9s, benefits information, payroll information, and direct deposit information for employees wherever located, including but not limited to hard copies at desks, in file drawers and other storage areas, and in electronic form on the Agency’s Systems;
  • off-site back-ups, in any form; and
  • third-party vendors entrusted with Private Information from the Agency.

This Plan is intended to protect Private Information possessed by the Agency from unauthorized access, dissemination and/or use. Private Information may not be disseminated, communicated or stored on or through any social media websites or services, at any time or for any reason.

Internal Risks to Private Information and Agency Security

To combat internal risks to the security, confidentiality and/or integrity of records containing Private Information, the following measures will be taken:

  1. Agency employees will access Private Information only for appropriate business purposes, as necessary, within their job duties.
  2. The Agency will encrypt and password-protect Private Information in its Systems to the extent reasonably practical, as determined by Agency management. Network and Agency Manager software will require a password change every 6 months.
  3. The Agency will retain only the last four digits of credit card numbers and will not retain bank routing numbers, personal bank account numbers or checks; all credit- and banking-related information that is not retained will be destroyed in accordance with applicable law and Agency-designated business practices.
  4. Paper files containing Private Information will be locked when not in use so that Private Information is not accessible to others, and electronic files containing Private Information will not be left accessible to others on computers or portable storage devices (e.g. the screen must be locked whenever an employee using such files leaves his or her computer, even briefly). Paper and electronic files must not be removed from the Agency premises or accessed remotely unless specific authorization has been provided in advance, and then the security of that Private Information must be maintained.
  5. Employees are expected to log off or lock their computers when they leave them unattended (such as when on breaks, at lunch, in a meeting or out of the office). The Agency will implement controls to terminate computer sessions and/or lock computers after a predetermined time of inactivity (e.g. 15 minutes).
    1. Agency computers will require a user ID and password and Agency mobile devices will require a password. Employee log-ins and passwords will be appropriately strong (with the minimum number of characters and other elements required by the Agency’s Systems). Electronic access to Private Information will be blocked after multiple unsuccessful attempts to log in.
    2. Employees will keep mobile electronic communications devices (such as PDAs, BlackBerries, smart phones, etc.) with access to Private Information in their possession or in a secured location at all times, and Employees will not share passwords or other access information with others. If such a device is lost or missing, it will be reported to Technical Support immediately and a remote wipe will be initiated.
    3. Employees will not put any Agency data on thumb drives, laptops or other portable media, drives and devices unless authorized by the Agency. If so authorized, the thumb drives, laptops, portable media, drives and mobile electronic communications devices must be password-protected and encrypted.
  6. Employees will adhere to the Agency document retention schedule and requirements. When it is appropriate to destroy Agency records, paper and electronic records containing Private Information must be destroyed in a manner in which Private Information cannot be read or reconstructed. Unless otherwise directed by the Information Security Coordinator, a commercial shredding company will be used to destroy paper documents. When computers, digital copiers, scanners and/or printers with electronic storage capacity, or portable electronic devices and media are discarded, such disposal should be coordinated with the Information Security Coordinator, and care needs to be taken to ensure that the hard drives or other storage media are destroyed in a manner that renders all data unreadable.
  7. Employees are required to maintain carrier and other passwords in a password-protected and encrypted electronic folder that is also accessible by the Information Security Coordinator. The Information Security Coordinator shall be notified immediately of any employee ceasing to work for the Agency, so that he or she can take immediate action to deactivate the former employee’s accounts and change any shared passwords (such as carrier passwords) to which the former employee had access.
  8. Employees that no longer work for the Agency must: (1) return to Agency all Agency information (including, but not limited to, any Private Information) in any form, whether stored on computers, laptops, portable devices, electronic media, or in files, records, work papers, etc.; (2) return all keys, IDs, access codes and/or badges; and (3) not access non-public Agency information (including, but not limited to, any Private Information).
  9. In accordance with the Agency’s human resources manual, access by the former employee to Agency email and voice mail accounts can be immediately disabled and access transferred to other Agency staff to assure a continuity of work, and inactivated when determined appropriate by Agency.
  10. Employees are required to report all actual or potential unauthorized access to, use of or disclosure of Private Information to the Information Security Coordinator.

External Risks to Private Information and Agency Security

In addition to the measures taken to combat internal risks, the following measures will be taken to minimize external risks to the security, confidentiality and/or integrity of records containing Private Information:

  1. Visitors to the Agency will be escorted within the office and will not have access to Agency computers or property that may contain Private Information.
  2. The Agency will maintain security measures so that its wireless networks cannot be accessed by the public or by unauthorized devices.
  3. During non-office hours, the Agency will be locked and have a central station-reporting security system activated.
  4. Cleaning crews and other vendors providing maintenance and repair services to the Agency’s premises will be appropriately screened, and no Private Information will be left out or accessible to such workers.
  5. Servers and other equipment at the Agency’s premises containing Private Information will be maintained in a secure location. This location will be kept locked, and non-IT personnel will be given access only when necessary.
  6. Employees should not open any email attachment, link, or application unless they reasonably believe it comes from a trustworthy source. Employees will not use Agency equipment to access any application or software not approved by the Agency.
  7. The Agency will employ an email filter (hardware, software, or third-party provided) that works to restrict and eliminate viruses, spyware and other malware before they reach Agency desktop and portable computers. IT personnel will have the ability to override the filter and release a legitimate email that has been quarantined.
  8. The Agency will maintain up-to-date network and firewall protection and operating system security patches on its Systems, servers and desktop and laptop computers, as well as other security measures deemed appropriate. The Agency will maintain security software, which includes malware protection with up-to-date patches and virus definitions, on its Systems and its servers, desktop and laptop computers, and this software will be updated daily. Virus scans will be run monthly on user workstations and servers and documented. If a system is believed to be infected with a virus or malware, the system will be removed from service and cleaned to the satisfaction of IT personnel, and the cleaning will be documented. If the system cannot be cleaned, it will be wiped and rebuilt before being put back into service.
  9. All back-ups will be password-protected and encrypted and kept in a secured location off site. Critical system disaster recovery will be documented and tested annually.
  10. Agency employees should use care in communications (e.g., outgoing email and attachments) to ensure, first, that the Private Information actually needs to be sent by email and, if so, that it is transmitted using secure email in accordance with Agency policy. The Agency will provide a means to send encrypted email through a third-party service.
  11. The Agency’s website will establish an encrypted SSL/TLS connection with the consumer before allowing the consumer to enter any Private Information or to enter a password.
  12. When an employee accesses Agency Systems and/or Private Information from a remote location, the Agency’s secure SSL/TLS VPN connection must be used. Private Information transmitted across public networks or wirelessly should always be encrypted.
  13. Employees should not access Agency Systems or Private Information using non-Agency equipment (e.g., a home computer) unless authorized by the Agency and provided with appropriate firewalls and virus protection, and then only through the Agency’s secure SSL/TLS connection. Employees will not store any Private Information on any non-Agency equipment.
  14. The Agency may monitor its Systems and equipment for unauthorized use, including but not limited to implementing hardware, software and/or procedural mechanisms to record and report activity for the Systems and equipment, without further notice to employees.
  15. The Agency will exercise due diligence in making sure third-party vendors that are provided Private Information have the requisite security controls and written plan in place, provide the Agency a written commitment to safeguard and store Private Information with at least the same level of security controls as the Agency maintains (as outlined in this Plan), and advise the Agency as to any actual, suspected or potential breaches of Private Information.
  16. The Agency will document all outside vendor contact with sensitive equipment or systems.

If a Breach of Private Information Occurs or is Suspected

A security breach occurs when there is an unauthorized acquisition, dissemination, use or loss of Private Information. Each employee shall be responsible for notifying the Information Security Coordinator whenever he or she learns that there has been or may have been a security breach that may have compromised Private Information or other Agency information about Clients, employees or Agency business.

The Agency will take the following actions in the event of a security breach:

  1. assess the security breach;
  2. consult counsel;
  3. review the requirements of the applicable state laws and regulations;
  4. notify the carriers whose policyholders insured through the Agency may have been affected by the event;
  5. notify individuals, regulatory and law enforcement authorities (if and as required and further as deemed appropriate by Agency management);
  6. take and document corrective actions to contain and control the problem;
  7. identify who will address any media inquiries; and
  8. draft the content of all communications regarding the event for potentially affected individuals and, if appropriate, the public.

Contact TRICOR for help in assessing your liability risk and the management of Data Security within your business. 877-468-7426
