Client Information Security Helping Organizations Protect Private Client Data


Kentucky Becomes 47th state with Data Breach Notification Law

Kentucky Governor Steve Beshear signed H.R. 232 into law in April 2014, making Kentucky the 47th state to enact a data breach notification law. The law also restricts cloud service providers' use of student records and information.

The Kentucky Data Breach Notification Law follows the same general structure as many of the data breach notification laws in other states:

A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, and/or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

The law refers only to acquisition, not “access”, and appears to have a risk-of-harm trigger.

“Personally Identifiable Information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number, (ii) driver’s license number, (iii) account number or (iv) credit/debit card number, in combination with any required security code, access code or password that permits access to an individual’s financial account.

The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.

The notification required by the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met.

For larger breaches, the law also contains substitute notice provisions similar to those in other states.

If a notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices.

However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire and New York.

The law excludes people and organizations that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Covered entities, business associates and certain vendors have their own breach notification requirements.

Safeguards for Student Records in the Cloud:

The law helps protect student records and information held by educational institutions, public or private, including any administrative units that serve students in kindergarten through twelfth grade, when that information is stored in the “Cloud”. We may see more laws of this kind, particularly in light of the Fordham Law School Study on the topic.

For purposes of this law, “student data/record” means –

Any data/material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of Cloud Computing Services or by an agent or employee of the educational institution in connection with the Cloud Computing Services.

Student information includes that student’s name, postal address, email address and messages, phone number, documents, photos or unique identifiers.

Cloud Providers serving these institutions in Kentucky need to be aware of this law not only so they can take the necessary steps to comply, but because it requires the Providers to confirm in their service agreements with the educational institutions that the Providers will comply with this law.

Specifically, the law forbids Cloud Computing Service Providers from –

“Processing student information for any purpose other than providing, improving, developing or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.”

The word ‘Processing’ is defined broadly: it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate or dispose of student data.”

While the provider may support an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974 (FERPA), it may not use the information to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.”

Providers may not sell, reveal or process student information.


Protect Client Data – Properly Dispose of Old Computer Equipment

I recently received this question from an agency:

“Our agency does not have written guidelines for the preparation or disposal of used PC’s. I think we should have one, and it seems to me all agencies would have this same issue but I’ve not heard anything about this topic. Have you looked into this or written about it that I could reference? If not, do you know of suggested guidelines and software we could use?”

With today’s legal requirements it is prudent to make sure you destroy any private client data on all storage devices prior to disposing of the item. This will help prevent an unintended client data breach. Following are some suggestions on how best to prevent client data from getting into the wrong hands:

Computer hard drives: How you wipe data off of a hard drive so you can give the computer away will depend on what information you want to preserve. Your options are:


If you are giving the computer to someone else you may not want to eliminate all the valuable software along with your private information. However, just deleting your personal files does not make them unrecoverable. To completely destroy a file, you must use a data-shredding program. It takes a conventional “erase” a step further by actually writing over the file.


Completely reformatting your drive may seem like a good option, but this method doesn't eliminate data either -- the information can easily be restored using off-the-shelf data-recovery software. Many of the best data-erasing programs come from the same companies that produce data-recovery software. Set aside some time: This can take hours on large hard drives.
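As an added illustration (not from the original article or from any product it refers to), the Python sketch below shows what a data-shredding program does differently from a plain delete: it overwrites the file's bytes in place and forces them to the drive before removing the file name. The names `overwrite_in_place` and `shred_file`, the pass count and the sample record are assumptions, and in-place overwriting is only meaningful on conventional hard drives, because flash media and copy-on-write file systems may keep old copies elsewhere.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files do not exhaust memory


def overwrite_in_place(path, passes=1):
    """Replace every byte of the file with random data; return the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:              # r+b: rewrite existing blocks, no truncation
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())              # push this pass out of the OS cache to the drive
    return size


def shred_file(path, passes=1):
    """Overwrite, rename to a random name (hides the original file name), then delete."""
    written = overwrite_in_place(path, passes)
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    return written


def demo():
    """Constructed sample: a fake client record written to a temporary directory."""
    secret = b"CLIENT: Jane Sample, SSN 000-00-0000 (constructed test data)\n" * 100
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client_record.txt")
        with open(path, "wb") as fh:
            fh.write(secret)
        overwrite_in_place(path)
        with open(path, "rb") as fh:
            after = fh.read()
        survived = b"Jane Sample" in after     # old contents no longer readable from the file
        same_size = len(after) == len(secret)  # overwritten in place, not truncated
        shred_file(path, passes=2)
        return survived, same_size, os.path.exists(path), os.listdir(tmp)


if __name__ == "__main__":
    print(demo())
```

A plain delete or a quick format only removes the directory entry and leaves the data blocks untouched, which is why recovery software can bring the files back.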

Power Tools

There is no better way to completely annihilate your data than to physically destroy the device that stores it. We still suggest a software shredder first, but if your personal data security justifies the extra effort, put on protective eyewear and gloves, then break out the power tools. Drilling four holes through the platters will ensure that they never spin properly again. Better yet, unscrew and remove the top lid of the drive, and go at the platters with a sander or angle grinder. Scuff the surface of the platters until all the shine is gone.

Flash Drives: Flash drives are different than hard drives. It has been found that various methods to “wipe” data off of a flash drive are unreliable. I recommend that you take a hammer to the drive. You want to make sure you smash the circuit board and chips.

Cell Phones: Modern cell phones are like computers: deleting data using menus may not truly delete it from the hardware. Always wipe your phone by deleting the data using menu settings and then performing a factory reset. Every phone has a different process, so check the phone's manual to restore the phone to its factory settings, or search YouTube for an instructional video. According to PCWorld, no wipe solution is perfect. The only way to totally guarantee old cell phone data is gone for good is to take the phone apart and physically destroy the memory chip.

Physical Disposal:

Non-Profit: After you make sure you have wiped all sensitive information from the device, you may want to consider giving it to a local non-profit organization. Be aware, though, that many organizations have become more selective about what devices they will accept.


Check with your local city or county. Many have computer recycling programs. In my county all you need to do is take your equipment to a special recycling center.

Following are some additional resources:

Environmental Protection Agency

TechSoup - Ten Tips for Donating a Computer

Apple Product Recycling information

Dell Product Recycling information

HP Product Recycling information

Best Buy


The Number-One Way Criminals Steal Your Identity

Identity fraud increased substantially in 2008, reversing a four-year trend of decreasing incidents. Researchers say identity fraud increased by 22% last year and they anticipate another 22% jump in 2009, attributing the increases to crimes of opportunity driven by the economic downturn. What’s more, despite recent headlines and growing fears about online security and data breaches, old-fashioned theft is the most popular way thieves steal identities and perpetrate identity fraud.

According to 2008 claim data compiled by Travelers, burglary and theft of wallets, purses, and personal computers provide thieves the best opportunity to gain access to personal information. In instances where the victim knew their identity had been stolen, it was the result of personal property being stolen nearly 78% of the time. Travelers identifies the following as the top known causes of identity fraud:

  • 78%—burglary and theft of wallet/purse/personal identification/computer
  • 14%—online or data breach
  • >5%—change of address/postal fraud
  • 3%—lost credit card and other miscellaneous causes

More than 75% of the time, criminals use stolen information to open new credit card accounts or use the existing credit cards to make charges. Twenty percent of identity thieves will withdraw money from existing checking, savings, and online accounts and 16% open utility accounts in the victim’s name.

Steps you can take to protect your identity include guarding Social Security numbers and financial information and shredding documents such as receipts, credit/insurance applications, and bank statements.

Travelers Identity Fraud Expense Coverage is available as an endorsement on their homeowner’s policy for $25 annually and offers protection up to $25,000 with no deductible. Check with the companies you represent to see what coverage is available. This coverage is a great opportunity to educate your clients and offer them broader coverage for a small premium.


Protect Client Information

On September 1, 2009, Portland insurance agent Robert Spruill of Brooke Auto Insurance consented to a Cease and Desist order from the Oregon Department of Insurance. Spruill had not properly disposed of business records that contained sensitive client information.

According to the order, “On or before April 28, 2009, Spruill discarded over 1,000 insurance business records and/or other documents related to insurance transactions of Brooke Auto and Brooke Corporation into an unlocked garbage dumpster.”

“At the time he discarded the documents, Spruill had not developed reasonable safeguards to protect the security, confidentiality, and integrity of the personal information or data collected or acquired in the course of conducting his business, including disposal of that data.”

In his defense Spruill said that when he inquired of local police and the state of Oregon insurance division back in the fall of 2008, no one told him that discarding these records was wrong. Spruill was hit with an $11,000 fine. Fortunately for Spruill, $8,500 of that fine was suspended as long as he complied with the requirement of creating and implementing a client security policy for his agency.

It may seem obvious that you should never discard unshredded documents into an open and unlocked dumpster at the back of your office. Still, don’t be too smug. Do your producers have unencrypted laptops that are left in locked cars that could be stolen? Could employees take home files with sensitive client information in them even though doing so is against company policy?

Sensitive client information is the most radioactive element in today’s agencies. If leaked, it can cause serious repercussions to an agency’s reputation and brand, loss of revenues, loss of customers, regulatory or legal action, and damage to employee relationships. In the last 10 years, the need for client information security to be integrated into the overall risk management of every organization across the globe has increased tremendously.

The insurance industry deals with sensitive and personal client information. Client records contain data that include financial information, medical histories, birth dates, driver’s license numbers, and Social Security numbers. Such confidential data has to be protected at all times—during storage, access, transmission, and destruction—or the organization risks serious losses.

More than 88% of all data breach cases involve employee negligence. In 2008, data breach and information breach incidents cost U.S. companies $202 per compromised customer record. These costs include civil and regulatory penalties, administrative expenses, legal liability, defense costs, and cost of future business due to loss of customer confidence. Not only that, according to Factiva, a Dow Jones company, media coverage of companies that suffered an information security breach accounted for more than half the stories written about those companies.

Seventy percent of customers state they would consider moving their business if they became victims of a data breach. Clients today expect strong security practices from all companies they do business with. The way a business copes with these expectations decides whether the company survives or not.

Client information security should be a concern for every agency, regardless of size. Check out The Anderson Report on Client Data Security for some tools to help you start or enhance your security process.