Small Business Owners Dismiss Risk of Data Breach

As the number of data breaches involving smaller businesses continues to grow, a new survey by The Hartford finds 85% of small business owners believe a data breach is unlikely, and many are not implementing simple security measures to help protect their customer or employee data.


“Most of the business owners surveyed believe they are not at risk, when in fact smaller businesses are increasingly being targeted,” said Lynn LaGram, assistant vice president of small commercial underwriting at The Hartford. “As cyber criminals set their sights on smaller firms, it is important for business owners to take proactive measures to protect data and minimize the likelihood of a breach.”

The Hartford Small Business Data Protection Survey found that business owners varied in their adoption of eight data protection “best practices” to help reduce a business’s risk of a breach:

  • Lock and secure sensitive customer, patient or employee data—48%
  • Restrict employee access to sensitive data—79%
  • Shred and securely dispose of customer, patient or employee data—53%
  • Use password protection and data encryption—48%
  • Have a privacy policy—44%
  • Update systems and software on a regular basis—47%
  • Use firewalls to control access and lock out hackers—48%
  • Ensure that remote access to their company’s network is secure—41%

The Hartford survey also found that nearly two-thirds of business owners believe a data breach violates trust and would jeopardize their relationships with customers, patients, and employees. More than a third say they have a more negative opinion of companies that have recently experienced a breach, based on the companies’ handling of the breach.

About a third of business owners say they would have difficulty complying with government notification requirements, and nearly half acknowledge it would be impossible for a small business to completely safeguard customer, patient or employee data.

“Given the potential business and reputational costs of a data breach, it’s also important for business owners to have insurance in place to help them respond and recover quickly and effectively in the event of a breach,” said LaGram.

The Hartford Small Business Data Protection Survey of 501 U.S. small business owners with fewer than 50 employees was developed by The Hartford and fielded by the Pert Group in January 2012. Margin of error is +/- 4%.

ID Federation Takes Shape

It is no secret that one of the greatest headaches for independent agencies is the need to deal with creating and maintaining passwords for each insurance company and other business partners. One large bank agency manager recently said that she and her staff have to manage 5,500 different IDs and passwords for the bank’s agency employees.

An exciting development that will hopefully help is the creation of ID Federation, Inc. This industry organization released the first public version of a Trust Framework that will enable agency employees (and carrier employees) to create federated, digital identities that would be trusted by multiple carriers and other business partners.

Here is how it would work. The typical agency (called a “user authority”) would contract with a vendor (“identity provider”), which would create digital identities for each of the agency’s employees (“users”). These digital identities (SAML tokens) would be passed to carriers (“relying parties”) that have established a trust relationship with the agency’s identity provider, pursuant to the Trust Framework that both the vendor (identity provider) and carrier (the relying party) have agreed to. The agency employee (user) would only have to log on to the identity creation and management tool (identity provider) that the agency has selected and then would be able to conduct business with his or her multiple carriers, whether using Real Time or logging on to the carrier’s website, without entering carrier-specific passwords. The agency and carrier, of course, would continue to be governed by the business agreement that runs between them. Some very large agencies might become trusted identity providers directly (rather than using a vendor), and one large bank agency has already done so.
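The carrier's side of this exchange can be sketched as follows. This is an added example, not code from ID Federation or any vendor: it shows the checks a relying party applies to a SAML 2.0 assertion (trusted issuer, validity window, audience). The entity IDs, user name and sample assertion are constructed, and XML signature verification against the identity provider's key, which must pass before any of these checks, is assumed to be done by a separate XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical entity IDs: identity providers this carrier has a trust relationship with.
TRUSTED_IDPS = {"https://idp.vendor.example/saml"}
CARRIER_ENTITY_ID = "https://carrier.example/sp"

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2012-05-01T12:00:00Z">
  <saml:Issuer>https://idp.vendor.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@agency.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-05-01T12:00:00Z" NotOnOrAfter="2012-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://carrier.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # Parses whole-second UTC timestamps; anything else raises and is rejected by the caller.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, trusted=TRUSTED_IDPS, audience=CARRIER_ENTITY_ID):
    """Return (user, None) if the assertion is accepted, else (None, reason)."""
    # Assumption: the XML signature was already verified against the IdP's key.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, "not a SAML assertion"
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted:
        return None, "issuer is not a trusted identity provider"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing conditions"
    try:
        start, end = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    except (TypeError, ValueError):
        return None, "missing or malformed validity window"
    if not (start <= now < end):
        return None, "outside validity window"
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return None, "assertion not addressed to this relying party"
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        return None, "missing subject"
    return name_id, None
```

The audience check is what stops an assertion issued for one carrier from being replayed to another that trusts the same identity provider.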

You will find an excellent overview about the ID Federation in this PowerPoint presented at the Feb. ACT meeting. The next steps are for vendors to build the identity creation and management tools for agencies to use; for these identity providers to establish trust relationships with the carriers; and for carriers to be able to accept digital identities (SAML tokens) to authenticate their agency users in place of passwords.

Federated, digital identities would greatly reduce this enormous pain point for agencies today. Providing them to their agents would be a significant step forward for carriers.

Electronic Proof of Insurance—The Time Has Come

How many times have your clients received a traffic ticket because they couldn’t find their insurance card in the glove compartment? Or if they did find the card and give it to the police officer, did the officer hand it back, saying it had expired? In this scenario, the client now has to take time off of work to show up for a court appearance with a little piece of paper in hand to prove that they did, in fact, have insurance in force at the time they were pulled over.

The digital consumer—your client—is not going to stand for this antiquated and paper-based process much longer. If they can use their smart phone to get through TSA airport security and board an airplane, why can’t they use that same phone to prove they have auto insurance in force when asked by a police officer?

In a small but growing number of states they can.

Electronic ID cards

State legislators and regulators are beginning to update laws to recognize the increasing use of paperless technology by allowing insurance companies to provide policyholders with electronic ID cards. Converting from the antiquated paper-based system to an electronic display of proof of insurance will save insurance companies the cost of printing and mailing ID cards to all policyholders. It will also save law enforcement and court personnel time and money because they will no longer need to process tickets written for drivers who have coverage but forgot to put proof of insurance in the car.

This is a dynamic issue with state legislatures. Here is a short list of the states that have already made (or are making) this change:

  • Alabama—Alabama will soon publish a first‐of‐its‐kind regulation allowing motorists to electronically display proof both at registration and during traffic stops starting January 1, 2013.
  • Arizona—Gov. Brewer signed HB 2677, authored by Representative Dial, on March 27.
  • California—Assemblyman Gatto introduced AB 1708, legislation allowing insurers to provide proof of insurance to a mobile electronic device.
  • Colorado—An existing Colorado regulation allows motorists to show proof of coverage electronically when they register their vehicles, and the state will consider legislation to expand it to traffic stops.
  • Idaho—Gov. Otter signed SB 1319 into law on March 27, 2012.
  • Louisiana—In April, HB 1130 by Rep. Greg Cromer was unanimously approved by representatives and was sent to the Senate. The original ID card or photocopies of it are currently the only proof of insurance state law permits.
  • Minnesota—Minnesota made the change to e-Card in 2012.
  • Mississippi and Maryland may also consider legislation to allow electronic proof of coverage in 2012.
  • [Update] Seventeen states that approved electronic proof of coverage laws in 2013 are: Alaska, Arkansas, Colorado, Georgia, Indiana, Iowa, Kansas, Kentucky, Maine, Mississippi, North Dakota, Oregon, Tennessee, Texas, Utah, Washington and Wyoming. This list is likely to grow even longer in 2013 as legislation is awaiting signature by governors in Illinois, Missouri and Wisconsin.
  • In total as of June 18, 2013: The states that allow electronic proof of insurance coverage are: Alaska, Alabama, Arizona, Arkansas, California, Colorado, Florida, Georgia, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Mississippi, North Dakota, Oregon, Tennessee, Texas, Utah, Virginia, Washington and Wyoming.

State insurance agent associations across the United States have always prided themselves on their lobbying ability and efforts. I can’t think of a better use of those relationships and resources than to encourage every state to submit legislation to allow electronic proof of coverage.

I encourage every agent to approach their state association and ask them to add this lobbying effort to their legislative agenda. Supporting this change will make the lives of every agency client better.

Will We Ever Go Paperless?

A national scientific telephone survey conducted by Poll Position found that 56% of Americans said they don’t think the United States would ever be a paperless society, while 20% said yes, one day we’ll all go paperless. Twenty-four percent of Americans were undecided or had no opinion on the question.


The 18-29 age group had the strongest opinion: 63% said the United States would never be a paperless society and 23% said we could be a paperless society. Results from men and women were similar, with 56% of men and women both saying we could never be a paperless society.

Poll Position’s scientific telephone survey of 1,142 registered voters nationwide was conducted December 6, 2011, and has a margin of error of ±3%. Poll results are weighted to be a representative sampling of all American adults.

Poll Position is a unique non-partisan news, polling, and social media company founded and led by two award-winning CNN news and polling veterans. More information is available at

When Does Consumer Profiling Go Too Far?

The New York Times recently published an article titled How Companies Learn Your Secrets. The article, authored by Charles Duhigg, is a fascinating case study of what is possible when you track and then analyze the buying habits of your customers. It also looks at how to alter those buying habits for the company’s benefit.

The article details how Target learns about customers’ buying habits and then sends targeted coupons based on a customer’s current “life stage.” It started in 2002 when two colleagues from the marketing department stopped by the desk of Andrew Pole, a statistician, and asked an odd question: “If we wanted to figure out if a customer is pregnant, even if she didn’t want us to know, can you do that?” The story details how Pole has been able to answer that question, and others, simply by data mining individual customer purchase information and habits.

Target has effectively invested in research about how to use this data to accurately discern what life events are taking place in their customers’ lives. Then they experimented to determine which life events provide the best opportunities to alter a consumer’s habits. They have exploited those habits to the tune of tens of billions of dollars in increased revenue.

For example, Target can predict about as well as any over-the-counter pregnancy test which customers are pregnant and when their babies are due, completely based upon when and how much of which seemingly unrelated products they are buying. There is an interesting anecdote in the article about how one incredulous father found out his teenage daughter was pregnant by opening junk mail coupon offers from Target.

Target has also learned that revealing how much they know about a customer’s personal life can really creep customers out. The company has developed strategies to be more subtle with its offers so that they meet needs with perfectly matched offers that are mixed with intentionally irrelevant offers. This way, prospects think of serendipity instead of Big Brother. Target found, through testing, that as long as prospects don’t feel like they are being spied on, they will take advantage of offers that are specifically tailored to them based on things other people aren’t supposed to know.

The insurance industry gathers a tremendous amount of information about consumers. Until recently the tools that analyze this data have been expensive and complicated. That is starting to change as technology costs continue to drop. Being able to accurately profile prospects and customers will allow you to target your messages more specifically. Getting the right marketing message to the right person at the right time is key to building long-term profitability.

But how much profiling is too much? Just because you can do it doesn’t mean you should. Unfortunately, there is no easy answer to this question. Businesses of all types will want to take advantage of these new data mining tools, but should keep consumer perception in mind at the same time.