Privacy and information security
By carefully and responsibly handling data, Allstate maintains a strong reputation, fosters positive business relationships and creates shared value. We provide identity protection products to millions of customers and help empower people with more control over their personal data, which builds trust.
We are an industry leader on data privacy and information security. Allstate executives are influential speakers and thought leaders on privacy and security by design. Privacy is embedded in our day-to-day business activities and is a key part of everything we do at every stage of product design through delivery. Our privacy and security requirements extend to suppliers who have access to, store or use Allstate data, and we emphasize the importance of consumer privacy and data security with suppliers through our procurement standards, practices and contracts. We continually offer new products and services that can better protect and empower customers. Learn more in our Products and technology topic section.
The Board prioritizes its responsibility to oversee data protection efforts, including policies and systems designed to prevent and, if necessary, respond to cyber threats. The Board and Audit Committee provide oversight of our privacy and cybersecurity programs, which are designed to protect and preserve the confidentiality, integrity and continued availability of all information maintained by or in the care of Allstate. Our privacy and information security teams collaborate closely but operate independently. Internal and external privacy and information security audits help evaluate our programs' effectiveness. We are continuously looking for vulnerabilities across the enterprise, performing ongoing rigorous tests and exercises to identify and resolve vulnerabilities.
As the first line of defense, Allstate Information Security (AIS) has Risk and Governance teams that monitor adherence to Information Security policies and standards as well as the personal information privacy standard.
The Allstate Information Security team and the Information Security Council (ISC) are under the direction of the chief information security officer, who oversees the information security programs, including policies and standards. The ISC consists of senior leaders from across Allstate, including privacy, technology, risk, information security, legal and other areas of responsibility. The ISC monitors risk, decides on mitigation strategies and escalates identified risks as part of Allstate's formal governance structure.
Privacy and cybersecurity
The Allstate privacy team is led by the chief privacy officer, who is also the chief ethics and compliance officer and a senior vice president at Allstate. The enterprise privacy team governs personal information throughout the data life cycle, from collection to disposal. It also promotes privacy awareness throughout the workforce. The team conducts risk assessments to determine privacy impact across the enterprise and to our consumers. The cybersecurity program is regularly reviewed and tested by Allstate's internal audit function, with quarterly status reports provided to the audit committee and the full Board. The audit committee receives semiannual reports from its independent cybersecurity advisor.
Policies and practices
- We respect and protect the privacy of every individual's personal information.
- We request and retain only the personal information that is needed.
- We communicate clearly how personal information is used, retained and disclosed.
- We embed strong privacy protection practices in business processes and systems.
Our Online Privacy Statement has more on Allstate's practices related to collection, use and sharing of consumers' personal information. Other entities within the Allstate family provide separate privacy statements; see The Allstate Foundation, Arity, Allstate Protection Plans, National General and Allstate Identity Protection websites for information about their privacy practices.
Our information security program aligns with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and ISO 27001. With support from other industry standards and best practices, our program is designed to support compliance with cybersecurity laws and regulations, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies. Our information security policies and standards guide the decisions and actions of the Information Security Council.
Privacy impact assessment process
The Allstate Privacy Impact Assessment (PIA) Process applies to projects that involve the collection or new use of personal information. Our privacy professionals assess risks before new projects are delivered, which allows for proactive risk mitigation. PIAs are reviewed and approved by Allstate's Enterprise Business Conduct team.
Security and privacy in product design
We ensure product development teams have the training to create products that adhere to Allstate's security standards and help ensure applications are secure before production. Allstate's Enterprise Business Conduct team has created a group that supports the development of new products, programs and services to ensure they are built with privacy, ethics and compliance in mind, and risks are mitigated before launch.
Allstate Identity Protection
Allstate Identity Protection (AIP) is reinventing privacy and identity protection by giving consumers the tools to see, control and protect their digital identities. These tools have allowed AIP to grow exponentially, with over 4,734 current business clients. As of year-end 2022, over 3 million identities were being protected through AIP.
AIP product offerings include identity protection and privacy management (Allstate Digital Footprint™ on Allstate Mobile), and a cyber product offering with mobile device protection, anti-phishing, Wi-Fi scan and limited cyber-expense coverage. Read more about Allstate Identity Protection and Allstate Digital Footprint in our Customer-centric and responsible products section.
One of the best ways to protect a person's privacy is to anonymize their data. Allstate's Personal Information Anonymization Framework determines when data can be fully anonymized as well as when data can be transformed in less stringent ways while still reducing privacy risks. When data is properly anonymized, privacy concerns can be eliminated and data can be safely shared and used. It allows the company to more freely use data without losing the integrity of data or data insights.
Allstate employees receive regular training on Allstate's privacy and information security policies. Our annual compliance confirmation process requires every global employee to complete courses and agree to follow appropriate company policies. All employees must acknowledge and agree to comply with:
- Our Global Code of Business Conduct, which contains specific sections and examples of protecting restricted or confidential information, including personal information.
- Our Enterprise Information Security Policy, Information Technology Usage Policy or the appropriate subsidiary information security policies and standards. These documents govern our operations and help ensure company data is not inappropriately shared or altered.
The training covers company-specific risks and trends identified over the last 12 months. Allstate agency owners are under contractual obligations to maintain their own information security policies and controls. Allstate also provides privacy and information security training for new agency staff and communicates key information security responsibilities for all agency users annually.
Ethics, compliance and privacy assessments
We conduct Ethics, Compliance and Privacy Assessments to identify on a detailed level how each business area meets the required elements to maintain a mature and well-functioning program. These assessments occur as needed based on identified risks, with at least one assessment for each business area every three years.
Privacy or security incidents
Employees are directed to immediately report any suspected privacy or security incident to Allstate Information Security or to Enterprise Business Conduct. The Global Code of Business Conduct provides phone numbers and email addresses for reporting a suspected incident.
If Allstate suspects or receives a report that personal information may have been compromised, the privacy incident team launches an incident response that includes investigation, notification and corrective action in partnership with the Information Security team and other areas, when needed. Senior leaders and the Board of Directors are kept apprised of privacy incidents as needed. The privacy team and other leaders help ensure that Allstate complies with the growing body of regulation that applies to personal information.
Programs and performance
Allstate periodically conducts an independent privacy program maturity assessment. We evaluate the privacy program and compare it to trends in the insurance and technology industries. In our most recent maturity assessment, we analyzed, evaluated and verified progress across privacy components through interviews with the privacy team and other enterprise stakeholders and reviews of relevant documents. In 2021, an independent assessment concluded that our privacy program was well defined, matured year-over-year and was a leader in the insurance industry.
The privacy and information security programs support several key enterprise initiatives and address these priorities:
Our State Privacy Laws program helps us strategically approach consumer expectations of privacy and the dynamic regulatory environment. We created an Enterprise Data Initiative that reduced the personal information footprint across Allstate, which better protects and secures personal information while still providing services that matter to consumers. Our approach prioritizes scalability, repeatability and strategic technology deployment to ensure flexibility as state privacy laws change.
Employee awareness and training
Our security education and awareness teams lead extensive employee communication campaigns to reduce cyber risk from human error. We run phishing simulations with real-time feedback and training for employees who fail the simulation. Since beginning this program, we have seen significant improvement in employees' ability to recognize and report threats. The awareness program is assessed by the Gartner Employee Awareness Survey, which measures employee security behaviors and decision-making. Allstate outperforms industry peers and other Fortune 500 companies in all 33 categories, with a Secure Behavior score of 94%.
We provide on-demand and topic-specific training customized for current issues. We offer more advanced and specialized role-based training to employees in higher-risk roles. For example, employees who may access Health Insurance Portability and Accountability Act (HIPAA) protected health information or work with payment card information receive additional training on secure practices. We evaluate our training results using:
- Metrics across survey responses
- Test and assessment results
- Performance trends
- Impact on the business or return on investment
Allstate's Business Information Security Officers (BISO) group delivers training and year-long awareness activities. In 2022, 199 BISO training sessions were conducted with a total audience of 14,184 employees, with sessions tailored to their specific areas of responsibility.
In 2022, 97% of more than 2,000 survey respondents said they had learned something new about cybersecurity after attending Allstate events during the Department of Homeland Security's Cybersecurity Awareness Month.
Security and privacy in our supply chain
Our security and privacy requirements extend to suppliers who have access to, store or use Allstate data, as well as open source and licensed software and purchased hardware. Allstate emphasizes the importance of privacy and data security with suppliers through our procurement standards, practices and contracts. We established a security assessment program for suppliers that evaluates both privacy and security impacts of proposed process changes. We also require all contingent workers who have access to our network to complete training on Allstate's security policies and to adhere to the privacy expectations described in our Supplier Code of Business Conduct.
We partner with organizations such as The Atlantic and the Aspen Institute to share perspectives on enhancing data privacy protections. In 2022, we celebrated the 18th year of supporting the Aspen Institute at its Aspen Ideas Festival, where Allstate's CEO talked about the cost of privacy in the digital age. The discussion sparked thought leadership about what privacy means today and how consumers can take control of their privacy and know when it has been lost. As the event sponsor, we discussed our role in protecting digital privacy and ways to empower customers with more control over their personal data through our products, championing consumer data privacy rights.