Because of the products and services that Allstate provides to empower and protect consumers, we are often entrusted with their data. Consumers and regulators have expectations of privacy and security with that data, creating both business opportunities and constraints as we work to respect and protect consumer data while striking the right balance between enabling data use and managing it responsibly. Allstate is an industry leader in this area, with Allstate executives highly sought after as speakers and thought leaders in Privacy by Design, an approach that embeds privacy into our day-to-day business activities and makes it a key part of everything we do at the early stages of design. We value data privacy and identity protection so highly that we are offering new, related products and services. Learn more in our Customer-Centric and Responsible Products topic section.
Our privacy and information security teams collaborate closely but operate independently. Information security is concerned with securing all of the company’s data, including personal information, trade secrets and material nonpublic information, while privacy is focused on ensuring that an individual’s personal information is kept private and used appropriately across the information life cycle, including data disposal.
The Allstate Information Security team, under the direction of the chief information security officer and the Information Security Council (ISC), oversees and manages the information security program. This includes our information security policies and standards.
The ISC consists of cross-functional senior leaders from across Allstate and is chaired by the chief information security officer and senior vice president of Information Security. It comprises officers from data privacy, technology, risk, information security, legal and other areas of responsibility. The ISC monitors risk, makes decisions on mitigation strategies and escalates identified risks as part of Allstate’s formal governance structure.
The Allstate privacy team is led by the chief privacy officer, who is also the chief ethics and compliance officer. The enterprise privacy team governs personal information throughout the data life cycle, from collection to disposal. It also champions our efforts to enhance privacy awareness throughout the workforce. Additionally, the team conducts risk assessments to determine privacy impact across the enterprise and to our consumers.
Policies and practices
We take employees’ and consumers’ privacy and security seriously.
Our privacy policies and procedures are designed not only to ensure compliance with all applicable privacy laws, but also to build for strategically sustainable compliance in the future as technology and legislation evolve. In addition, in 2021 we will launch an enterprisewide data ethics framework to ensure we consider not only what “can” we do with consumer and employee data, but what “should” we do.
Our information security program aligns with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. This is a collection of standards, guidelines and practices to promote the protection of critical infrastructure. Allstate’s information security strategy and the NIST Cybersecurity Framework guide the decisions and actions of the ISC. Allstate uses a risk-based approach to establish our information security program. It maps to the NIST Cybersecurity Framework and ISO 27001, with support from other standards and best practices, and is designed to ensure compliance with cybersecurity laws and regulations, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies. ISO 27001 is an information security standard developed by the International Organization for Standardization; the most recent version was released in 2013.
Our information security practices and privacy practices are subject to internal and external audits, which help us evaluate the effectiveness of our information security program. We conduct daily vulnerability analyses across the enterprise using an automated process. We also perform ongoing, rigorous tests and exercises to identify and resolve vulnerabilities.
Our privacy and information security programs, policies and practices are regularly assessed. When nearly all of our workforce transitioned to remote work virtually overnight, Allstate was prepared. Our transition to working from home was seamless. We maintained the information security controls and protections we experienced in the office, as well as continued connectivity to internal Allstate resources. Through our commitment to privacy and information security, we can build for a more flexible future workplace.
Security and privacy in product design
As we expand the circle of protection using innovative digital technologies, we’re building in security from the ground up. We use internal privacy standards, aligned with the NIST guidelines and Privacy by Design, which minimize risk to personal information during development. We ensure product development teams have the training to create products that adhere to Allstate’s security standards, and we ensure all systems are secure before production. Our training plans are continuously updated, including a new training module for developers rolling out this year. Allstate’s Enterprise Business Conduct team has created a “strategic resource group” to ensure new products, programs and services are built with privacy, ethics and compliance in mind throughout development.
Allstate Identity Protection
Allstate Identity Protection is reinventing privacy and identity protection by giving consumers the tools to see, control and protect their digital lives. In 2020, as everyone’s lives became more digital, Allstate offered free identity protection to all U.S. residents, not just Allstate consumers, starting in April and extending through the end of the year. We helped over 200,000 Americans protect their identity online in 2020. Read more about this in our Customer-Centric and Responsible Products section.
All employees receive regular training on Allstate’s privacy and information security policies. We have an annual compliance confirmation process that requires every employee to complete training courses and agree to follow appropriate company policies. One of the courses, Living Our Shared Purpose, includes information security and privacy topics. As part of the training, all employees must acknowledge and agree to comply with the following:
- Our updated Global Code of Business Conduct, which contains specific sections and examples of protecting restricted or confidential information, including personal information.
- Our Enterprise Information Security Policy, Information Technology Usage Policy or the appropriate subsidiary information security policies and standards. These documents govern our operations and help ensure company data is not inappropriately shared or altered.
The compliance confirmation and associated training for the above policies are required annually for our global employees.
The training provides further detail about company-specific risks and trends identified over the last 12 months. Allstate agency owners are under contractual obligations to maintain their own information security policies and controls. Allstate also provides specific privacy and information security training for new agency staff and communicates key information security responsibilities for all agency users annually.
- We respect and protect the privacy of every individual’s personal information.
- We request and retain only the personal information that is needed.
- We communicate clearly how personal information is used, retained and disclosed.
- We embed strong privacy protection practices in all business processes and systems.
Please see our Online Privacy Statement for more on Allstate’s practices related to collection, use and sharing of consumers’ personal information. Other entities within the Allstate family provide separate privacy statements; see The Allstate Foundation, Arity, Allstate Protection Plans and Allstate Identity Protection for information about their respective privacy practices.
Privacy or security incidents
If employees have a privacy or security concern to bring to the attention of senior leadership, they are expected to alert members of the Information Security team and the Privacy team via the Allstate Global Security Fusion Center hotline and accompanying email addresses. The Global Code of Business Conduct also includes phone numbers and email addresses for reporting an incident.
If Allstate suspects or receives a report that personal information may have been compromised, the privacy team launches an incident response that includes investigation, notification and corrective action in partnership with the information security team, when needed. If necessary, the incident and response may be escalated to the Operational Risk Council and the Board of Directors. The Privacy team and other leaders help make sure that Allstate complies with the growing body of regulation that applies to the personal information for which Allstate is responsible.
Programs and initiatives
Cybersecurity and privacy programs are a priority at Allstate and get reported to the Board of Directors. Additionally, both programs regularly undergo benchmarking by outside professional groups, with positive results.
Our information security program continuously undergoes independent assessments to evaluate its maturity. The assessment captured the current state of our information security maturity and targeted a maturity range that we plan to reach by focusing on our strategic objectives. We identified key aspects that will drive the success of our Transformative Growth strategy and implemented aggressive targets to achieve them.
Also in 2020, we completed a thorough independent privacy program maturity assessment, which concluded that the privacy program was well defined and continues to mature year-over-year. The assessment was designed to evaluate current state maturity and progress against 2019 recommended program enhancements. During this assessment, the Privacy Program was also evaluated and assessed relative to trends in the insurance and technology industries. To complete the 2020 assessment, a fact-finding exercise analyzed, evaluated and verified Privacy Program progress across privacy components through interviews with the privacy team and other enterprise stakeholders.
Under the broad program headings, both the information security and privacy programs continue to drive several key enterprise initiatives. For example, in 2020, we strengthened our Step Change Program, a prioritization and execution mechanism that builds on our information security program. It is aligned with directives from the Board of Directors, supporting the evolving business environment while managing a dynamic threat and regulatory landscape. The program addresses the following priorities:
- Access Control: Limits access to systems across the enterprise through strengthened authentication, network segmentation, and identity and access management.
- Detect and Respond: Enhances monitoring of critical systems and extends the Global Security Fusion Center (GSFC) services to effectively monitor, detect and respond to threats.
- Protect Data: Manages data consistent with Allstate’s risk strategy to protect the confidentiality, integrity and availability of information and to comply with laws and regulations.
- Security Governance: Defines, consumes and monitors assets and security controls to meet Allstate and regulatory requirements.
In 2020, we also continued to advance the State Privacy Laws program, a framework used to ensure that we have a strategic way of approaching consumer expectations of privacy and the dynamic regulatory environment. Our approach prioritizes scalability, repeatability and strategic technology deployment to ensure flexibility as the landscape of State Privacy Laws continues to change.
We also created the Enterprise Data Acceleration Program, a new enterprise-wide cross-functional initiative to reduce the personal information footprint across the company. This thoughtful approach to data demonstrates our values around protecting and securing personal information while still providing services that matter to consumers.
Investing in a strong Integrated Digital Enterprise system with appropriate security controls is just one way we protect Allstate data. Our policies are only effective when we clearly communicate these controls to our team.
Our security education and security awareness teams lead extensive employee awareness campaigns, including phishing simulations with real-time feedback and training for employees who fail the simulation. As part of the training, relevant leadership is notified when an employee fails the test multiple times. Since beginning this program, we have seen significant improvements in employees’ ability to recognize threats. By utilizing the Gartner Employee Awareness Service, we better understand the way we communicate about information security. For the third year in a row, Allstate outperformed industry peers and other Fortune 500 companies in all categories of secure behaviors and decision-making.
We provide on-demand and topic-specific training, allowing us to customize programs based on current issues. We offer more advanced and specialized role-based training to employees in higher-risk roles. For example, employees who may access HIPAA-protected health information or work with payment card information receive additional training on secure practices. We evaluate our training results using four levels:
- Metrics across survey responses
- Test and assessment results
- Performance trends
- Impact on the business or return on investment
In 2020, Allstate’s Business Information Security Officers group delivered 135 training sessions tailored to their specific areas of responsibility, with a total audience of 12,353 employees. But beyond our formalized training programs, our awareness activities continue all year long. Allstate’s internal information security site provides important resources, such as how to report incidents, alerts of ongoing threats, resources for pro bono training and computer donations, and guidance on using information security services and processes to keep data secure. In October 2020, we celebrated the Department of Homeland Security’s Cybersecurity Awareness Month and saw a 181% increase in traffic to the new internal site.
Training accountability goes beyond the security education team; it’s underscored by education from the Privacy team, the Information Security team, annual compliance and other groups, where the messaging is carefully coordinated to reinforce the importance of information security policy.
Security in our supply chain
Our security and privacy requirements extend to suppliers who have access to, store or use Allstate data. Allstate emphasizes the importance of consumer privacy and data security with suppliers through our procurement standards, practices and contracts. We established a security assessment program for suppliers that evaluates the privacy impacts of proposed process changes. Privacy issues are tracked through remediation. We also require all contingent workers who have access to our network to complete a training course on Allstate’s security policies.
Our expectations for privacy protection are outlined in our Supplier Code of Business Conduct.