July 18, 2013 by Pranab Pandey
The moment a user presses the send button on an email, vital data—such as the identity of both sender and recipient, the date and time that the message was sent, and the contents of the message itself—are completely exposed to anyone looking to intercept an email and steal valuable personal information. Indeed, standard email transactions are not able to verify the integrity of email messages. End users have no way of determining whether an email was tampered with during transfer or even if its purported sender wrote it. The information sent across this extremely vulnerable channel is often quite sensitive. Credit card numbers, addresses and legal contracts are just a few examples of the personal information that is routinely emailed in the insurance industry with little thought to the fact that hostile third parties could easily intercept it.
The fallout of a data theft incident can be very serious for any brokerage or insurer. You could get a call from an upset customer informing you of an unauthorized transaction on their credit card that occurred because of an intercepted email between your brokerage and an insurer. When a broker faces a security breach such as this, they can experience significant harm to their brokerage’s reputation and, possibly, an E&O claim. (Ed. note: See also “The Price of Privacy” in the May 2013 issue of Canadian Insurance Top Broker.) As a broker, you can significantly decrease your chances of experiencing such an unpleasant event by implementing Transport Layer Security, better known as TLS.
What is TLS?
TLS is recognized across multiple industries as the best low-cost email security solution for businesses such as brokerages and insurance companies. It is a cryptographic protocol that uses digital certificates to verify email servers. For an analogy, think of the codes that the military uses to scramble messages, making them unintelligible to the enemy. Similarly, TLS protects the emails (and attachments) you send over the Internet by encrypting them, making them very difficult to intercept and decode. TLS is an open standard, meaning that it is publicly available, unlike some proprietary solutions. Once implemented between a broker and an insurer (both parties must have TLS enabled), all emails between the partners are transmitted securely.
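The both-parties requirement can be checked on delivered mail, because each server that accepts a message records in a Received header how that hop was transmitted. The Python sketch below is an added example, not part of the original article or of CSIO's guide; it reads those headers and lists any hop with no sign of TLS. The message, hostnames and IDs are constructed, and the patterns assume the RFC 3848 protocol keywords and the TLS annotations that common mail servers write.

```python
import re
from email import message_from_string

# Constructed sample: hostnames, IDs and addresses are made up for illustration.
SAMPLE = """\
Received: from gateway.example.net (gateway.example.net [198.51.100.7])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.brokerage.example (Postfix) with ESMTPS id 4F1A2B3C
    for <broker@brokerage.example>; Thu, 18 Jul 2013 10:02:11 -0400
Received: from mail.insurer.example (mail.insurer.example [192.0.2.10])
    by gateway.example.net (Postfix) with ESMTP id 9D8E7F6A
    for <broker@brokerage.example>; Thu, 18 Jul 2013 10:02:09 -0400
Received: from desktop17 (unknown [10.0.0.17])
    by mail.insurer.example with ESMTPSA id 1122AABB
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 18 Jul 2013 10:02:07 -0400
From: underwriter@insurer.example
Subject: Policy renewal
"""

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
TLS_NOTE_RE = re.compile(r"\b(?:using\s+|version=)(TLS[\w.]*)", re.I)
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def audit_hops(raw_message):
    """Return one record per Received header, oldest hop first."""
    hops = []
    msg = message_from_string(raw_message)
    # Servers prepend Received headers, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        sender, receiver = FROM_RE.search(flat), BY_RE.search(flat)
        note = TLS_NOTE_RE.search(flat)
        keywords = {k.upper() for k in WITH_RE.findall(flat)}
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "tls": bool(keywords & TLS_PROTOCOLS) or note is not None,
            "version": note.group(1) if note else None,
        })
    return hops

def cleartext_hops(raw_message):
    """Hops with no TLS evidence. Headers added upstream can be forged,
    so trust only the ones written by servers you control."""
    return [h for h in audit_hops(raw_message) if not h["tls"]]
```

In the constructed message, the middle hop from mail.insurer.example to gateway.example.net is the one reported, because the receiving server logged plain ESMTP for it.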
There are many benefits to implementing TLS, including ensuring that your brokerage complies with privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA). Principle 7 of PIPEDA, for example, states, “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” TLS can certainly be considered one of these safeguards and will therefore help brokerages that implement it comply. More and more brokers are adopting TLS because they have recognized its importance in keeping client data secure. “We heard about the benefits of TLS and at the low price of installing it, it was an easy decision for our office,” says Rick Orr, principal of Orr Insurance in Stratford, Ont. and a director with the Centre for Study of Insurance Operations (CSIO). “The obvious benefit is the encryption, which allows us to feel more confident about the security behind the emails that we’re constantly sending.”
Many insurers have already implemented TLS. The Dominion, for example, recently increased its commitment to security by deploying TLS across its organization. Ben Sapiro, manager of security and contingency at The Dominion, says, “TLS provides an envelope, a tunnel that makes sure that information that travels across the Internet is safe. The good news is that there’s absolutely no change in the user experience. When you send an email, you type it in exactly the same way and you press the send button. Your mail server deals with all of the activity to set up that tunnel and deliver the email across it.” TLS email encryption is transparent to both the sender and the receiver. Your customers will have no idea that TLS has added an extra layer of security to their personal information unless you tell them. In April, Sapiro delivered an informative webinar on safeguarding network data and email with TLS that can be found on the CSIO website.
Costs and Benefits
There is a very low implementation cost associated with TLS. Brokerages need only purchase digital certificates, which tend to range in cost from $45 to $200 per year. “For us, it was $150 for a certificate installed on our server and suddenly there was a whole lot more ‘warm and fuzzy’ feeling about what everyone was sending over email,” says Orr. Implementation can be done quickly because only servers need to be modified rather than the brokerage’s computers. It is important to note, however, that TLS cannot be enabled on most web-based email services, such as Yahoo! Mail and Hotmail, so brokers should consider using a professional email server such as Microsoft Exchange Online or “Gmail for business.” Once given the project, your IT team can have TLS fully implemented on your email server within just a few days. Should they require assistance in setting it up, they can consult the step-by-step procedures in the TLS Implementation Guide that is available free of charge to brokers on the CSIO website.
TLS can even be used as a marketing tool for brokerages. Once implemented, brokers can promote TLS during their sales process to communicate that they have secure email and take data security very seriously. And in a world where identity theft is now common, conscientious customers will be particularly interested in brokers who assure them that appropriate technology solutions have been implemented to protect their personal information. TLS implementation can also help strengthen business-to-business relationships. More and more businesses are becoming aware of the risks associated with sending unencrypted email and many of them now collaborate only with like-minded partners who also take email security seriously.
Perhaps more brokers will be convinced of the benefits of TLS by thinking about it this way: not adopting TLS is tantamount to sending an open postcard in the mail. Enabling TLS is simply good business practice because it will protect client data from personal identity thieves who mine email traffic for this information. TLS is an inexpensive technology solution that will also help you comply with privacy legislation, avoid potential E&O lawsuits and stay within your own BMS workflows when serving customers. Your IT service provider can answer questions about implementing TLS in your organization. Additionally, CSIO offers more information on the benefits of TLS and technical advice on implementation on its website (www.csio.com).
Pranab Pandey is manager, standards and business process improvements. He can be reached at firstname.lastname@example.org
Copyright 2013 Rogers Publishing Ltd. This article first appeared in the June 2013 edition of Canadian Insurance Top Broker magazine