WE ARE THE GOOD HANDS
PRIVACY & INFORMATION SECURITY
In today’s world of hyperconnectivity and big data, customer privacy and data security have been thrust into the collective conscience. We recognize how the quality of Allstate’s security program impacts our reputation and customers’ trust in us. We sell a promise to help customers live a good life even in times of uncertainty, which includes protecting their information. By carefully and responsibly handling their data, we can advance our reputation among consumers, driving strong business relationships and creating shared value.

What Privacy & Information Security Mean at Allstate

Allstate’s promise to help customers live a good life includes our commitment to protect personal information. We take careful and vigorous measures to help ensure everything we share, acquire, collect, retain, store and process is protected and private. We safeguard personal information and protect it from unauthorized or accidental access, disclosure or misuse.

ALLSTATE PRIVACY AND SECURITY PROGRAMS

We have robust teams and programs to manage our privacy and information security risks.

Information security protects all information, including personal and nonpersonal information — such as trade secrets and material nonpublic information — while privacy is focused on the personal information of individuals. Privacy and information security are governed separately within Allstate, though the two teams work closely together. Privacy has been identified as an area of operational risk and falls under the oversight of the Operational Risk Council, formed in 2017. The Operational Risk Council is overseen by the Enterprise Risk and Return Council.
Allstate’s information security program, including our policies and standards, is developed, monitored, managed and updated by the Allstate Information Security team under the direction of the Allstate Chief Information Security Officer and the Information Security Council (ISC).
The ISC is led by the Chief Information Security Officer, who is also the Senior Vice President of Information Security. The ISC is composed of cross-functional, high-level leaders from across Allstate — including the Chief Privacy Officer. The ISC is charged with monitoring information security risk, making mitigation decisions and escalating risk as part of Allstate’s formal governance structure. As a decision-based forum, it has the authority to direct mitigation or to escalate risks that fall outside established tolerances. The Operating Committee has directed that the ISC will have delegated authority from the Enterprise Risk and Return Council (ERRC) for information security risk oversight.
The decisions and escalations of the ISC are guided by the Allstate Information Security Strategy and the National Institute of Standards and Technology Cybersecurity framework. Allstate leverages a risk-based approach in establishing our information security program, which maps to both the NIST Cybersecurity Framework as well as ISO 27001, with support from other standards and best practices.
Our information security practices have been and continue to be subject to both internal and external audits.

Privacy at Allstate

The Allstate privacy team, along with its policies and programs, is managed by the Chief Privacy Officer, who is also the Chief Ethics and Compliance Officer. The privacy team works with liaisons and experts across the enterprise to communicate with and educate employees on our privacy practices, and acts as our front line for privacy. In 2017, Allstate updated our internal privacy policy to better align with the standards and supporting documents from the Allstate Information Security department. In 2018 and looking into 2019, Allstate is working to develop stand-alone guidelines, specific to privacy, aligned to standards from the NIST framework and Privacy by Design. Privacy by Design is an approach to design that builds trust and minimizes risk to personal information during the development phase of a technological tool or process.

The privacy team also works to ensure that third-party risk assessments are done for entities or applications that store or capture personal information and that privacy impacts of proposed process changes are evaluated.

If Allstate suspects that personal identifiable information may have been compromised, the privacy team is responsible for the incident response: the investigation, notification, response and corrective action. If necessary, the incident and response may be escalated up to the Operational Risk Council and the Board of Directors. The privacy team and other leaders help make sure that Allstate remains in compliance with the growing body of regulation that applies to the personal information for which Allstate is responsible.

POLICIES

Employees are trained on Allstate policies, and our external privacy statements are transparent and accessible for stakeholders.

Allstate has implemented an Annual Compliance Confirmation, which educates employees on the security and privacy policies, standards and processes: every employee must complete two mandatory training courses a year and agree to follow the appropriate company policies. All employees must agree to the following:

  • Our updated Global Code of Business Conduct, with specific sections and examples for protecting restricted or confidential information, including personal information.
  • Our Enterprise Information Security Policy, Information Technology Usage Policy, Enterprise Security Standards or the appropriate subsidiary information security policies and standards. These documents govern our operations and help ensure company data is not shared or altered inappropriately.

Because Allstate agency owners and their staff are not Allstate employees, they are not covered by the Annual Compliance Confirmation process. We provide specific cybersecurity training for new agency staff, and every year we communicate key cybersecurity responsibilities to all agency users. Agents are also required to maintain a written information security policy for each agency.

Allstate has clear customer privacy requirements as detailed in our Privacy Policy Statement (for Allstate insurance companies):

  • We do not sell our customers’ personal or medical information to anyone.
  • We do not share our customers’ information with nonaffiliate companies that could use it to contact our customers about their own products and services, unless permitted pursuant to a joint marketing agreement.
  • We require persons or organizations that represent or assist us in servicing our customers’ policies and claims to keep their information confidential.
  • We require our employees to protect our customers’ personal information and keep it confidential.
Please see our Privacy Policy Statement for more on how Allstate protects customers’ personal information.

TRAINING

Training employees to maximize the value of these controls is a critical and complementary part of our cybersecurity management.

Investing in a strong, integrated digital enterprise system with appropriate security controls is just one way we protect Allstate data. We understand that our policies can only be effective when we communicate these controls to our team. Our Annual Compliance Confirmation provides foundational education for all employees regarding their responsibilities and basic policies; 100% of our global employees complete mandatory compliance confirmation and the associated training annually. The training also provides further detail about risks identified over the last 12 months as specifically relevant to the company or worldwide. We use a personal approach to engage employees. Our dedicated security marketing communications and security education teams collaborate on a year-round internal campaign to convey messages about strong security practices, such as password security and traveling safely. Our dedicated security education team also operates phishing simulations with real-time feedback and training for employees who fall for the attempt, and notifies leadership when an employee falls for the attempt multiple times. Additionally, we provide on-demand and topic-specific training, allowing us to customize programs to current issues. We offer more advanced and specialized training to employees in higher-risk roles. For example, users who may access HIPAA-protected health information or developers working with payment card information receive additional training on secure practices.
We evaluate our training results using four levels, tracking metrics across survey responses, test and assessment results, performance trends and impact on the business or return on investment.
If employees have a privacy or security incident to bring to the attention of senior leadership, they can alert members of the Information Security team via the new CyberSOC hotline and email addresses. Additionally, there are phone numbers and email addresses in the Global Code of Business Conduct where they can make a report.

SECURITY IN OUR SUPPLY CHAIN

Our security and privacy requirements extend to suppliers who have access to, store or use Allstate data.

Allstate emphasizes the importance of customer privacy and data security with suppliers through our procurement standards, practices and contracts. We have established a security assessment program for our suppliers, which could result in on-site assessments for critical suppliers. We also require all contingent workers who have access to our network to take a training course on Allstate’s security policies.