PGP INSIGHT
American National Insurance Company (ANICO): Securing customer data on laptops & in email

- Customer Profile: Insurance; 60,000 agents; $17.6 billion in assets; 5 million policy holders
- Goals: Protection of customer data; regulatory compliance
- Solution: PGP Universal™ Gateway Email; PGP® Desktop Email; PGP® Whole Disk Encryption
- Deployment: 10 clustered servers in 3 locations; integration with a content filter; diverse environments
- Benefits: Security; customer privacy; regulatory compliance
American National Insurance Company chose the PGP® Encryption Platform to protect sensitive information on laptops and in communication with insurance agents and policyholders.
The American National family of companies offers a broad line of products and services, including life insurance, annuities, health insurance, credit insurance, pension plan services, and property and casualty insurance for personal lines, agribusiness, and commercial risks. American National Insurance Company (ANICO) is headquartered in Galveston, Texas, and has more than $17.5 billion in assets.
The Challenge
ANICO has thousands of agents who have sold insurance policies to millions of individuals and businesses throughout the United States. The company's many divisions and marketing systems all have different needs and demands, making the introduction of new technology at ANICO a challenge.
Compliance requirements. ANICO must comply with regulatory legislation that includes the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and California Senate Bill 1386 as well as more than two dozen similar state laws related to privacy and security breaches. HIPAA requires organizations that handle personal health records to protect the privacy of individually identifiable health information. GLBA includes requirements for the financial services industry to protect personal financial information. Breach notification laws such as California Senate Bill 1386 require organizations to notify consumers if their personally identifiable information has been subject to a security breach.
"We have a very complex environment, so when I received the assignment to implement measures for compliance at ANICO, I knew it would be a tough job," says Ken Juneau, AVP and Director of Distributed Systems at ANICO. To help identify and implement a data protection solution, Juneau worked with a core team consisting of the Chief Compliance Officer, who initiated the project; the Chief Risk Officer; and the HIPAA Compliance Officer.
Privacy policy enforcement. Aside from government-mandated privacy regulations, ANICO also needed to ensure customer privacy because doing so was simply good business. "As an insurance company, we promise our customers that we'll keep their information private. We need to make sure we keep this vow because otherwise, we risk losing the customer's trust," Juneau says.
Securing large amounts of data. ANICO's insurance agents and business partners need access to large amounts of very sensitive data. The agents access confidential information through a Web-based portal. "We were concerned about cached pages and downloaded data on their laptops," Juneau says. "Securing this vast amount of information was a little like boiling the ocean."
Laptop encryption. ANICO also must protect data at rest. Juneau and his team discussed what would happen if a laptop or agent's office machine were stolen. "This equipment usually contains not only our own, but also our customers' data," he says. "We decided that full disk encryption was the only way to effectively protect these machines."
Need to protect communication. Locally stored information was not the only security risk. "Email has become a mission-critical application," says Juneau. "Our organization cannot operate without it, but electronic messaging is also a potential security risk." Juneau and his team wanted a scalable way to protect sensitive emails, preferably a cost-effective application with no desktop footprint that is integrated into the mail flow. Low administrative overhead and compatibility with Lotus® Notes Domino and Microsoft® Exchange were additional requirements.
Automated email classification. Before Juneau could secure the information, he needed a way to identify it. "Because the volume of email is so large, we licensed an intelligent content-filtering system," he explains. When choosing a vendor for filtering email, ANICO needed technology that would not only monitor and record emails, but also block or route them.
Encrypt only sensitive email. The project team knew intuitively that only a portion of ANICO's emails contained sensitive data. Rather than encrypt all communication, the solution needed to be intelligent enough to recognize and encrypt only the messages that did.
Ease of doing business. ANICO's primary requirement was the ease of doing business. The company's agents are both its customers and its sales force. "Our goal is to be the easiest insurer to work with, so the solution had to be seamless and operate smoothly," Juneau says. "Most agents are not technologists. The solution would have to work in the background."
Looking for proof. Although the need for data protection was clear to Juneau, he found it difficult to substantiate the case. "We had to prove there was a problem, but we couldn't find any usable results. Even though we're in the risk-quantification business, we had a hard time calculating the risk because we had no data on the cost and frequency of data loss," Juneau explains. "Since that time, The Ponemon Institute has conducted an independent study that shows the cost of actual security breaches, which would have been extremely useful to us." (A copy of the study can be obtained from http://www.pgp.com/insight/research_reports/index.html [registration required].)
Juneau needed to demonstrate a return on investment (ROI) from the proposed data security technology. He talked to other insurance companies, looked at reports in the media, and asked ANICO's attorneys about pending security-breach lawsuits, but the evidence was inconclusive. In the end, the project team found proof in its own network. "We sampled some email from our Exchange server, went through it page by page, and saw red flags everywhere," Juneau says. "Inclusion of Social Security numbers was the most common problem, followed by various HIPAA and GLBA issues. This was the proof we needed to convince our executive council that we had a compliance issue."
The Solution
The team approached several security vendors to see which could provide solutions capable of meeting ANICO's data security needs.
One-vendor solution. "We decided not to pick and mix components but to buy a platform because we had many issues to fix. We wanted to use a single vendor for encrypting data at rest and in transit so we could avoid competing technologies on our laptops and finger-pointing between vendors if a problem occurred. The PGP Encryption Platform offered a single solution to address all our problems."
Laptop encryption. Juneau chose PGP Whole Disk Encryption because the technology provides a quick, easy, and reliable way to protect data on agents' laptops from security breaches through loss or theft. "One of our concerns was that agents might forget their password and hence lose all the data on their laptop, so the software's recovery token feature was very important to us," Juneau says. The whole disk recovery token is a one-time-use passphrase users can request from the ANICO help desk when they've forgotten their password.
Flexible email encryption. "We really needed a flexible email encryption solution to accommodate all our internal and external communication partners," Juneau explains.
The bulk of the company's internal email users secure their mail using PGP Universal™ Gateway Email, which is installed as a secure mail gateway at the server level. To ensure email is encrypted in both directions with ANICO's business partners, the company uses PGP Universal™ Satellite, a small program that runs in the background on their desktops and laptops and automatically encrypts and decrypts email according to corporate policy. For other email recipients, the PGP Universal™ Web Messenger service provides access to encrypted messages via a secure website. Finally, because the company had already deployed PGP Whole Disk Encryption to the agents' laptops, the agents use PGP® Desktop to transparently encrypt their email.
"The PGP Encryption Platform was the only solution to provide this level of flexibility for email and to cover full disk encryption as well," Juneau adds.
The Results
The content filter was inserted into the primary mail flow, where it checks each email for sensitive content. Sensitive emails are then routed to PGP Universal Gateway Email, a server-based email encryption gateway that automatically ensures the content is delivered securely to the recipient. "I especially like that we have not had to install anything on the desktop of the average user," Juneau notes.
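The check the content filter performs in the mail flow above, and the kind of scan the project team ran over its Exchange sample to find Social Security numbers, can be illustrated with a small classifier. The code below is an added example, not PGP's or ANICO's code and not the product's actual filter: it parses each message, looks for plausible U.S. Social Security numbers, and tags the message for the encryption gateway or for normal delivery. The X-Policy-Route header, the context keywords and the sample messages are assumptions constructed for this example.

```python
"""Minimal content-classification step of the kind that sits in front of an
encryption gateway.  Added example; header name, keyword list and sample
messages are constructed for illustration."""
import re
from email import message_from_string
from email.message import Message

# Formatted (123-45-6789 / 123 45 6789) or bare 9-digit candidates.  The
# backreference \2 forces a consistent separator, so "123-45 6789" and the
# tail of a phone number such as 555-123-4567 are not matched.
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Words that make a bare 9-digit run likely to be an SSN rather than a
# policy or account number (assumed list).
CONTEXT_WORDS = re.compile(r"\b(ssn|social security|soc(?:ial)? sec)\b", re.I)
POLICY_HEADER = "X-Policy-Route"  # hypothetical header the gateway would act on


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999,
    group 00 and serial 0000 are never issued."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def find_ssns(text: str) -> list:
    """Return plausible SSNs found in text.  Bare 9-digit runs count only
    when the text also talks about SSNs; dashed or spaced forms always do."""
    has_context = bool(CONTEXT_WORDS.search(text))
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, sep, group, serial = m.groups()
        if not ssn_is_plausible(area, group, serial):
            continue
        if sep == "" and not has_context:
            continue
        hits.append(m.group(0))
    return hits


def message_text(msg: Message) -> str:
    """Concatenate the subject and every text/* part of a parsed message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def classify(raw: str) -> dict:
    """Classify one RFC 822 message and tag it with the routing decision."""
    msg = message_from_string(raw)
    findings = find_ssns(message_text(msg))
    route = "encrypt" if findings else "deliver"
    msg[POLICY_HEADER] = route
    return {"subject": msg.get("Subject", ""), "route": route,
            "ssn_count": len(findings), "tagged": msg.as_string()}


# Constructed sample messages (not real customer data).
SAMPLE_MESSAGES = [
    "Subject: Application for J. Doe\nContent-Type: text/plain\n\n"
    "Applicant SSN: 219-09-9999\nPlease process today.\n",
    "Subject: Lunch Thursday?\nContent-Type: text/plain\n\n"
    "Call me at 555-123-4567. Policy 123456789 renews soon.\n",
    "Subject: Re: claim 4471\nContent-Type: text/plain\n\n"
    "Claimant social security number on file: 123456789\n",
    "Subject: Form check\nContent-Type: text/plain\n\n"
    "Typo in the form: 000-12-3456 is not a valid number.\n",
]


def route_all(raw_messages) -> list:
    """Classify a batch of messages, e.g. a mailbox sample."""
    return [classify(raw) for raw in raw_messages]


if __name__ == "__main__":
    for r in route_all(SAMPLE_MESSAGES):
        print(f'{r["route"]:8} ssn={r["ssn_count"]}  {r["subject"]}')
```

A pattern match like this is a weak signal on its own: it misses numbers split across lines or carried in attachments and images, and it will still flag some nine-digit identifiers that are not SSNs. A production filter layers further detectors (health and financial terms, account numbers) and inspects attachments before deciding whether the message goes to the gateway.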
Fast deployment. Juneau's team performed 10 clean installs of clustered PGP Universal™ Servers: three in Missouri, three in New York state, and four in Texas. "It was easy," Juneau says. "We flicked a switch, and the gateways started encrypting email." The same servers are also used to manage the client-based PGP products.
Professional field engineers. Setting up the server clusters took less than a week per location. "The on-site support we received from PGP® field engineers was great," Juneau says.
Responsive to diverse environments. "The PGP® sales representative and the field engineering and support teams really know their business," Juneau says. "ANICO has very diverse environments. We like to say that we're one enterprise, but for each location, the firewall configurations and hardware are different. The PGP® engineers reacted very dynamically to the various situations. PGP Corporation managed its side of the project extremely well."
Summary
Juneau's high level of satisfaction with the project motivated him to speak publicly about it at a recent industry conference. "ANICO doesn't usually provide case studies," he says. "The only reason we agreed this time was because of the great support we received from PGP Corporation, which made the entire project much easier for us."
Successful project completion. ANICO completed the project in early 2006. The solution works as expected, the number of help desk calls has been minimal, and there are no outstanding software issues. "Best of all, we've had no administrative overhead," Juneau says. "All in all, this has been a very successful project."
The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.