Allstate’s promise to help customers live a good life includes our commitment to protect personal information. We take careful and vigorous measures to help ensure everything we share, acquire, collect, retain, store and process is protected and private. We safeguard personal information and protect it from unauthorized or accidental access, disclosure or misuse.
ALLSTATE PRIVACY AND SECURITY PROGRAMS
We have robust teams and programs to manage our privacy and information security risks.
Information security protects all information, including personal and nonpersonal information — such as trade secrets and material nonpublic information — while privacy is focused on the personal information of individuals. Privacy and information security are governed separately within Allstate, though the two teams work closely together. Privacy has been identified as an area of operational risk and falls under the oversight of the Operational Risk Council, formed in 2017. The Operational Risk Council is overseen by the Enterprise Risk and Return Council.
Allstate’s information security program, including our policies and standards, is developed, monitored, managed and updated by the Allstate Information Security team under the direction of the Allstate Chief Information Security Officer and the Information Security Council (ISC).
The ISC is led by the Chief Information Security Officer, who is also the Senior Vice President of Information Security. The ISC comprises cross-functional, high-level leaders from across Allstate, including the Chief Privacy Officer. As a decision-based forum within Allstate's formal governance structure, the ISC monitors information security risk, directs mitigation and escalates risks that fall outside established tolerances. The Operating Committee has directed that the ISC hold delegated authority from the Enterprise Risk and Return Council (ERRC) for information security risk oversight.
The decisions and escalations of the ISC are guided by the Allstate Information Security Strategy and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Allstate takes a risk-based approach to establishing its information security program, which maps to both the NIST Cybersecurity Framework and ISO 27001, with support from other standards and best practices.
Our information security practices have been and continue to be subject to both internal and external audits.
Privacy at Allstate
The privacy team also works to ensure that third-party risk assessments are done for entities or applications that store or capture personal information and that privacy impacts of proposed process changes are evaluated.
If Allstate suspects that personally identifiable information may have been compromised, the privacy team is responsible for the incident response: the investigation, notification, response and corrective action. If necessary, the incident and response may be escalated to the Operational Risk Council and the Board of Directors. The privacy team and other leaders help make sure that Allstate remains in compliance with the growing body of regulation that applies to the personal information for which Allstate is responsible.
Employees are trained on Allstate policies, and our external privacy statements are transparent and accessible for stakeholders.
Allstate has implemented an Annual Compliance Confirmation: every employee must complete two mandatory training courses a year, which educate employees on the security and privacy policies, standards and processes, and agree to follow the appropriate company policies. All employees must agree to the following:
- Our updated Global Code of Business Conduct, with specific sections and examples for protecting restricted or confidential information, including personal information.
- Our Enterprise Information Security Policy, Information Technology Usage Policy, Enterprise Security Standards or the appropriate subsidiary information security policies and standards. These documents govern our operations and help ensure company data is not shared or altered inappropriately.
Because Allstate agency owners and their staff are not Allstate employees, they are not covered in the Annual Compliance Confirmation process. We provide specific cybersecurity training for new agency staff as well as key cybersecurity responsibilities for all agency users every year. Agents are also required to maintain a written information security policy for each agency.
- We do not sell our customers’ personal or medical information to anyone.
- We do not share our customers’ information with nonaffiliate companies that could use it to contact our customers about their own products and services, unless permitted pursuant to a joint marketing agreement.
- We require persons or organizations that represent or assist us in servicing our customers’ policies and claims to keep their information confidential.
- We require our employees to protect our customers’ personal information and keep it confidential.
Training employees to maximize the value of these controls is a critical and complementary part of our cybersecurity management.
Investing in a strong, integrated digital enterprise system with appropriate security controls is just one way we protect Allstate data. We understand that our policies can only be effective when we communicate these controls to our team. Our Annual Compliance Confirmation provides foundational education for all employees regarding their responsibilities and basic policies; 100% of our global employees complete mandatory compliance confirmation and the associated training annually. The training also provides further detail about risks identified over the last 12 months as specifically relevant to the company or worldwide.

We use a personal approach to engage employees. Our dedicated security marketing communications and security education teams collaborate on a year-round internal campaign to convey messages about strong security practices, such as password security and traveling safely. Our dedicated security education team also operates phishing simulations with real-time feedback and training for the employees who fall for the attempt, and notifies leadership when an employee falls for the attempt multiple times.

Additionally, we provide on-demand and topic-specific training, allowing us to customize programs to current issues. We offer more advanced and specialized training to employees in higher-risk roles. For example, users who may access HIPAA-protected health information or developers working with payment card information receive additional training on secure practices.
We evaluate our training results using four levels, tracking metrics across survey responses, test and assessment results, performance trends and impact on the business or return on investment.
If employees have a privacy or security incident to bring to the attention of senior leadership, they can alert members of the Information Security team via the new CyberSOC hotline and email addresses. Additionally, the Global Code of Business Conduct lists phone numbers and email addresses where they can make a report.
SECURITY IN OUR SUPPLY CHAIN
Our security and privacy requirements extend to suppliers who have access to, store or use Allstate data.
Allstate emphasizes the importance of customer privacy and data security with suppliers through our procurement standards, practices and contracts. We have established a security assessment program for our suppliers, which could result in on-site assessments for critical suppliers. We also require all contingent workers who have access to our network to take a training course on Allstate’s security policies.