Allstate Negotiating With California DMV Over Data-Security Flap

Allstate Insurance Co. is in the process of negotiating a settlement with the California Department of Motor Vehicles to restore the carrier's access to electronic driving records in the state.

In January, California DMV officials indefinitely suspended the Northbrook, Ill.-based carrier's access to electronic driving records.

The suspension followed an investigation into what the state believed were negligent data-privacy practices by Allstate involving auto insurance claims processing.

The suspension of record access also comes months after Allstate had begun to implement vastly improved internal data security standards and procedures that would either meet or exceed requirements mandated by the state.

"The DMV suspended our privileges to access electronic records and did so without evidence of further breaches of driving record confidentiality," states Emily Daly, an Allstate spokesperson.

Allstate's security troubles in California trace back to August 2001, when the company received its first audit report from the DMV. California DMV officials reportedly discovered an inordinately high number of instances where the computer passwords of Allstate claims agents had been used in public view, enabling unauthorized access to state DMV databases.

Daly did not elaborate on the meaning of "public view" in the context of unauthorized password access.

Officials also said they uncovered cases of Allstate employees seeking driving records of relatives and friends, says Bill Branch, an official with the California DMV. Since the initial violation, Allstate had been given numerous warnings about the misuse of computer passwords, Branch notes.

Allstate has admitted that its security and customer confidence procedures had been lax in California claims offices, Daly states.

When the first audit occurred in 2001, Allstate pledged to take "decisive action" to meet California's tough privacy restrictions on DMV records.

"Allstate takes its obligation to safeguard the confidentiality of consumer information very seriously. We regret that the company's security and confidentiality procedures were not followed in some cases," Daly explains.

Steps taken

Among the steps that Allstate has taken is the appointment of what the company calls a "security administrator" in every California claims office. To ensure accountability, Allstate requires that administrators be part of Allstate's senior management team.

Allstate has 14 claims offices in nine different locations throughout the state.

Allstate has also promised to limit the number of employees that can access customer data to between two and six people per office. Determining this number depends on the volume and type of claims each office receives, Daly says. Previously, many of the adjusters in each claim office who handled auto claims had access to DMV information.

The carrier says it will beef up training for those who continue to have access to data. Training will be designed specifically to improve data-handling procedures. The company also has instituted a policy that will mandate that user IDs and passwords be changed every 60 days, says Daly.

Allstate also has begun to keep a more detailed log of DMV record requests and will conduct a greater degree of internal reviews for accountability. Each office is required to keep a detailed log of DMV record requests and maintain supporting documentation in each claim file for a minimum of two years.

"Allstate has cooperated with the DMV in addressing these issues, up to and including reimbursing the Department for the costs of the audits," Daly says. "We will continue to cooperate and look forward to working with the Department to ensure that confidential information is protected and that California drivers have access to insurance coverage and timely claim handling."
