Insurer Adds Encryption to Prevent Data Leaks

American National Insurance Company (ANICO) encrypts the desktop, disk, and sensitive email traffic

American National Insurance Company (ANICO) had a potential data leakage problem a couple of years ago, prompting the insurer early last year to start encrypting desktops, laptops, disks, and sensitive email messages.

The $17.6 billion ANICO, which has 60,000 agents, 5 million policyholders, and three locations, previously had confidential information flowing freely among its employees, agents, and policyholders. “We knew we had a data leakage problem but were not sure how significant it was,” recalls Ken Juneau, assistant vice president and director of enterprise architecture systems for ANICO, which offers life insurance, annuities, health insurance, credit insurance, pension plan services, and property and casualty insurance for personal lines, agribusiness, and commercial risks.

So the insurer first installed a content-monitoring tool, which discovered that 30 percent to 35 percent of its traffic flowing beyond its network perimeter included unprotected personal data, such as account information, medical data, or Social Security numbers. Not only was this sensitive data susceptible to eavesdropping, but it also was not properly secured on employees’ and agents’ laptops and PCs.
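The content-monitoring step described above boils down to scanning outbound messages for patterns that look like regulated personal data and measuring how much of the traffic carries them. The following is an added illustration of that kind of check, not ANICO's tool or any PGP product: it flags U.S. Social Security numbers (rejecting structurally impossible ones such as an area of 000), account numbers that pass a Luhn check, and a small list of medical terms, then reports what share of a constructed batch of sample messages was flagged. The sample messages, the term list and the function names are all assumptions made for the example.

```python
import re

# Example DLP-style scanner (not the insurer's or PGP's code). Sample messages
# below are constructed for illustration; the card-like number is a standard
# Luhn-valid test value, not a real account.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
ACCOUNT_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
MEDICAL_TERMS = ("diagnosis", "prescription", "treatment plan", "patient")

SAMPLE_MESSAGES = [
    "Quarterly agent newsletter: new annuity rates effective March.",
    "Policyholder update: SSN 123-45-6789 attached for underwriting.",
    "Claim notes: patient diagnosis code and treatment plan enclosed.",
    "Reminder: team meeting moved to 3pm.",
    "Payment received on account 4539 1488 0343 6467.",
    "Reference ticket 000-12-3456 is closed.",
    "Please confirm the agent conference venue.",
]


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This cuts false positives from ticket IDs
    and similar nnn-nn-nnnn strings."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by most payment and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return the list of sensitive-data categories found in one message."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append("ssn")
    for m in ACCOUNT_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("account")
    lowered = text.lower()
    if any(term in lowered for term in MEDICAL_TERMS):
        findings.append("medical")
    return findings


def scan_outbound(messages):
    """Classify every message; return (per-message report, flagged count, total)."""
    report = [(i, classify(msg)) for i, msg in enumerate(messages)]
    flagged = sum(1 for _, found in report if found)
    return report, flagged, len(messages)


if __name__ == "__main__":
    report, flagged, total = scan_outbound(SAMPLE_MESSAGES)
    for idx, found in report:
        if found:
            print(f"message {idx}: {', '.join(found)}")
    print(f"{flagged}/{total} messages carried unprotected personal data")
```

On the constructed batch this flags three of seven messages; a real deployment would run the same logic at the mail gateway and either block, quarantine or force encryption of the flagged message, which is the "identify and stop" behaviour the article describes.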

With the pressures of federal and state government mandates for protecting such information, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and California Senate Bill 1386, ANICO found itself in the precarious position of possibly incurring catastrophic problems and fines from potential information breaches.

ANICO had to do something to plug up the leaks. The first step was determining what additional security products it needed. The conclusion: desktop encryption so employees and agents could exchange information securely; disk encryption in case a laptop or agent’s office machine was stolen; and automated encryption of sensitive email messages.

The insurer eventually pared its vendor selection down to Voltage Security and PGP Corp. The former had strong email encryption but nothing for disk encryption, so ANICO ended up choosing PGP. “To simplify our maintenance requirements, we wanted to minimize the number of vendors that we work with,” Juneau notes.

And by January of last year, the insurer had installed PGP Desktop Email, PGP Whole Disk Encryption, and PGP Universal Gateway. A big plus was that it was an appliance-based approach versus installing software on each user's desktop. “Because we deployed a security appliance [model] that resided on our network rather than software on all users’ PCs, our ongoing maintenance requirements [are] minimal,” Juneau says.

ANICO also needed a way to communicate with its customers who don't run encryption software, so it deployed PGP's Web Messenger feature, which sends those customers a message with a link to the insurance company’s Website, which then establishes a secure connection between them and ANICO's data center.

But the encryption implementation wasn't exactly plug-and-play: ANICO's three sites each run different email systems, so the deployment was a custom job at each of the sites. And there were some incompatibilities in how ANICO’s ISPs and PGP each handled email encryption, but eventually those problems were resolved.

One issue that's still outstanding, however, is user friendliness, Juneau says. The PGP user interface is not very intuitive, so when users move to new laptops or other devices, migrating the encryption functions can be cumbersome.

Still, Juneau says ANICO is comfortable with its decision to go with the PGP encryption solution. “Because we now identify and stop sensitive information from moving beyond users’ desktops, we have lowered the likelihood of litigation, additional expenses, and damage to our brand stemming from data leakages,” he says.
