A Summary of Allstate's Approach to keeping customer data and company technology safe and secure

Privacy & Information Security

In today’s world of hyper-connectivity and big data, customer privacy and data security has been thrust into the collective conscience. We recognize how the quality of Allstate’s security program impacts our company’s reputation and our customers’ trust in us.

We sell a promise to help our customers live a good life even in times of uncertainty. Customers experience the integrity and value of this promise, in part, through our ability to protect their information. By carefully and responsibly handling their information, we can advance our reputation among consumers, driving strong business relationships and creating shared value.

Definition

Ensuring customer privacy and preventing loss of customer data.

Protect

Investing in a strong, integrated digital enterprise system with appropriate security controls is just one way we protect our customers’ data. We understand it comes down to people.

HIGHLIGHT STORY

Our Security Operations Center (SOC) investigates suspicious network security-related events, from virus-infected computers to external attacks against Allstate servers. Think of it as guarding the front door to your house: when the SOC sees suspicious behavior, it makes sure the door is secure and lets only invited guests come inside.


Governance

The Information Security Council (ISC), which consists of leaders from across Allstate, reviews and ensures the alignment of information security program initiatives (including, but not limited to, cybersecurity-related initiatives), changing regulatory and industry requirements, and other information security-related matters brought to the attention of the ISC.

The Executive Vice President of Allstate Technology and Strategic Ventures has executive oversight of the ISC.

If employees have a security incident to bring to the attention of senior leadership, the Global Code of Business Conduct (formerly the Code of Ethics) lists phone numbers and email addresses where they can make a report. Additionally, they can alert their managers or members of the Privacy or Information Security teams.

Policies

Allstate has clear customer privacy requirements as detailed in our Privacy Policy Statement (for Allstate insurance companies):

  • We do not sell our customers’ personal or medical information to anyone.
  • We do not share our customers’ information with nonaffiliate companies that could use it to contact our customers about their own products and services, unless permitted pursuant to a joint marketing agreement.
  • We require persons or organizations that represent or assist us in servicing our customers’ policies and claims to keep their information confidential.
  • We require our employees to protect our customers’ personal information and keep it confidential.

Please see our Privacy Policy Statement for more on how Allstate protects our customers’ personal information.

In addition to our Privacy Policy, Allstate has implemented Annual Compliance Confirmation, meaning every employee must annually review and agree to the terms of the following as a condition of employment:

  • Our updated Global Code of Business Conduct, with specific sections and examples for protecting personal data and confidential information.
  • Our Enterprise Information Security Policy or applicable subsidiary information security policy. The EISP references our Information Technology Usage Policies, the Enterprise Security Standards, and supporting documentation which all govern our operations and help ensure customer data is not shared or altered inappropriately.

Because Allstate agency owners and their staff are not Allstate employees, they are not covered in the Annual Compliance Confirmation process. Instead, we provide specific cybersecurity training for new agency staff as well as key cybersecurity responsibilities for all agency users on an annual basis.  

Risk Assessment

Allstate uses a risk-based approach in establishing our information security program, which maps to both the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO 27001, with support from other standards and best practices.

Our information security practices have been and continue to be subject to audits by internal and external auditors.

Training

Training our employees to maximize the value of our security controls is a critical and complementary part of our cybersecurity management.

Our Annual Compliance Confirmation provides foundational education for all employees regarding their responsibilities and basic policies and must be renewed annually as a condition of employment. Each year, employees review that training and go further into details about specific risks relevant over the last 12 months in the company or worldwide. We offer many more advanced training opportunities to employees identified as being in higher-risk roles. Additionally, we provide on-demand and topic-specific trainings, allowing us to customize training programs to current issues.

Our dedicated security team operates phishing simulations with real-time feedback and training for the employees who fall for the attempt.

We evaluate our training results using four different levels, tracking metrics across survey responses, test and assessment results, performance trends and impact on the business or return on investment.

Engage

We use a personal approach to engage employees, with an internal campaign to convey messages about good password practices and traveling safely.

Supply Chain Data Security

Allstate emphasizes the importance of customer privacy and data security with suppliers through our procurement standards, practices and contracts. We have established a security assessment program for our suppliers, which could result in on-site assessments for critical suppliers. We also require all contingent workers who have access to our network to take a training course on Allstate’s security policies.

See Sustainable Procurement for more information.