Allstate has assembled robust teams and implemented programs to manage our privacy and information security risks. Information security covers personal and non-personal information, including trade secrets and material nonpublic information, while privacy is focused on the collection, use and disclosure of an individual’s personal information. Privacy and information security operate separately within Allstate, although the two teams work closely together.
Allstate’s information security program, including our policies and standards, is developed, monitored, managed and updated by the Allstate Information Security team under the direction of the Allstate chief information security officer and the Information Security Council (ISC).
The ISC consists of cross-functional senior leaders from across Allstate, including the chief privacy officer and senior vice president of information security. The ISC monitors risk, makes decisions on mitigation strategies and escalates identified risks as part of Allstate’s formal governance structure.
At Allstate, privacy is the responsibility of the Allstate privacy team, which, along with its policies and programs, is led by the chief privacy officer, who is also the chief ethics and compliance officer. The enterprise privacy team governs personal information throughout the data lifecycle, from collection to disposal. The privacy team also works with liaisons and experts across the enterprise to engage with and educate employees on our privacy practices. The privacy team conducts risk assessments across the enterprise to determine impact to the overall Privacy Program. The Privacy Program factors reputation, compliance with laws and regulations, PI lifecycle process effectiveness, privacy incident levels and overall governance practices across the enterprise to determine the Program's risk level.
Policies and Procedures
Created through collaboration between industry and government, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. At Allstate, we use the NIST Framework as the basis for our strategy and program to better manage and reduce cybersecurity and privacy risk.
Allstate’s information security strategy and the NIST cybersecurity framework guide the decisions and actions of the ISC. Allstate uses a risk-based approach to establish our information security program, which maps to both the NIST cybersecurity framework and ISO 27001, with support from other standards and best practices. ISO 27001 is an information security standard developed by the International Organization for Standardization; the most recent version was released in 2013.
Our information security practices are subject to internal and external audits, which help us evaluate the effectiveness of our cybersecurity program. We conduct daily vulnerability analyses across the enterprise using an automated process. We also perform tests and exercises to identify and resolve vulnerabilities.
In early 2019, we created internal privacy standards to align with the NIST guidelines and Privacy by Design, a design approach that minimizes risk to personal information during the development phase of a technological tool or process by ensuring privacy risks are evaluated and addressed prior to product implementation. As of 2020, our California operations comply with the new California Consumer Privacy Act.
If employees have a privacy or security incident to bring to the attention of senior leadership, they can alert members of the Information Security team via the Allstate Global Security Fusion Center hotline and accompanying email addresses. Additionally, there are phone numbers and email addresses in the Global Code of Business Conduct that can be used to report an incident.
If Allstate suspects or receives a report that personal information may have been compromised, the privacy team launches an incident response that includes investigation, notification and corrective action in partnership with our cybersecurity teams when needed. If necessary, the incident and response may be escalated to the Operational Risk Council and the Board of Directors. The privacy team and other leaders help make sure that Allstate complies with the growing body of regulation that applies to the personal information for which Allstate is responsible.
All employees receive training on Allstate’s privacy and information security policies, and our external privacy statements are publicly available. Additionally, Allstate implemented an annual compliance confirmation process that requires every employee to complete annual mandatory training courses and agree to follow appropriate company policies. One of the courses, Living our Shared Purpose, includes information security and privacy topics. As part of the training course, all employees must acknowledge and agree to comply with the following:
- Our updated Global Code of Business Conduct, which contains specific sections and examples of protecting restricted or confidential information, including personal information.
- Our Enterprise Information Security Policy, Information Technology Usage Policy and the applicable standards contained within them, or the appropriate subsidiary information security policies and standards. These documents govern our operations and help ensure company data is not inappropriately shared or altered.
100% of our global employees complete mandatory compliance confirmation and the associated training annually.
Additionally, the training provides further detail about company-specific risks as well as outside examples identified over the last 12 months. Allstate also provides specific privacy and cybersecurity training for new agency staff and communicates key cybersecurity responsibilities for all agency users annually. Agency owners are also required to maintain their own written information security policy.
- We do not sell our customers’ personal or medical information to anyone.
- We do not share our customers’ information with nonaffiliate companies that could use it to contact our customers about their own products and services, unless permitted pursuant to a joint marketing agreement.
- We require persons or organizations that represent or assist us in servicing our customers’ policies and claims to keep their information confidential.
Please see our Privacy Statement for more on Allstate’s collection, usage, disclosure and security practices for consumers’ personal information. Other entities within the Allstate family also publish privacy statements; please see The Allstate Foundation, Arity, SquareTrade, and Allstate Identity Protection for more information about their respective privacy practices.
Programs and Performance
Investing in a strong Integrated Digital Enterprise system with appropriate security controls is just one way we protect Allstate data. We understand that our policies can only be effective when we effectively communicate these controls to our team.
Allstate uses a personal approach to engage employees on data privacy and security. Our dedicated security marketing communications and security education teams collaborate on a year-round internal campaign to convey messages about strong security practices such as password security and travel safety. Our security education team also operates phishing simulations with real-time feedback and training for employees who fail the simulation. As part of the training, relevant leadership is notified when an employee fails the test multiple times.
Additionally, we provide on-demand and topic-specific training, allowing us to customize programs based on current issues. We offer more advanced and specialized role-based training to employees in higher-risk roles. For example, employees who may access HIPAA-protected health information or work with payment card information receive additional training on secure practices. We evaluate our training results using four levels:
- tracking metrics across survey responses
- test and assessment results
- performance trends
- impact on the business or return on investment
Security in Our Supply Chain
Our security and privacy requirements extend to suppliers who have access to, store or use Allstate data. Allstate emphasizes the importance of customer privacy and data security with suppliers through our procurement standards, practices and contracts. We have established a security assessment program for our suppliers, which includes on-site assessments for critical suppliers. During those assessments, privacy impacts of proposed process changes are evaluated, and privacy issues are opened and tracked through remediation. We also require all contingent workers who have access to our network to complete a training course on Allstate’s security policies.
Our expectations for privacy protection are outlined in our Supplier Code of Business Conduct.