Governance

Privacy and information security

Overview

By carefully and responsibly handling data, Allstate maintains a strong reputation, fosters positive business relationships and creates shared value. We provide identity protection products to millions of customers and help empower people with more control over their personal data. Our goals are to demonstrate transparency, offer solutions and lead others to do the same through four key avenues: policy and legislation, governance, products and services, and partnerships.

Because of the products and services we provide, customers entrust Allstate with their data. Consumers have an expectation of privacy and security around that data. This creates both business opportunities and constraints as we work to safeguard consumer data while using that data to better serve our customers.

We are an industry leader on privacy and information security. Allstate executives are influential speakers and thought leaders on privacy and security by design. This concept embeds privacy in our day-to-day business activities and makes it a key part of everything we do at the early stages of product design. We continually offer new related products and services that can better protect and empower customers. Learn more in our Customer-centric and responsible products topic section.

Accountability

Our privacy and information security teams collaborate closely but operate independently. Information security is concerned with the confidentiality, integrity and availability of data, including personal information, trade secrets and material nonpublic information, while privacy is focused on ensuring that an individual’s personal information is kept private and used appropriately across the information life cycle, including data disposal.

Information security

The Allstate Information Security team, under the direction of the chief information security officer and the Information Security Council (ISC), oversees and manages the information security program. This includes our information security policies and standards. The ISC consists of cross-functional senior leaders from across Allstate and is chaired by the chief information security officer and senior vice president of Information Security. It comprises officers from data privacy, technology, risk, information security, legal and other areas of responsibility. The ISC monitors risk, makes decisions on mitigation strategies and escalates identified risks as part of Allstate’s formal governance structure.

Privacy

The Allstate privacy team is led by the chief privacy officer, who is also the chief ethics and compliance officer and a senior vice president within Allstate. The enterprise privacy team governs personal information throughout the data life cycle, from collection to disposal. It also promotes our efforts to enhance privacy awareness throughout the workforce. The team conducts risk assessments to determine privacy impact across the enterprise and to our consumers.

Policies and practices

Our privacy policies and procedures support compliance with privacy laws, provide the foundation for compliance with future laws and support our efforts to be more privacy-forward.

Our information security program aligns with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and With support from , our program is designed to compliance with cybersecurity laws and regulations, such as the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies. Our information security policies and standards guide the decisions and actions of the Information Security Council.

Internal and external audits help us evaluate the effectiveness of our information security and privacy practices. We are continuously looking for vulnerabilities across the enterprise. We also perform ongoing rigorous tests and exercises to identify and resolve vulnerabilities. 

Privacy impact assessment process

The Allstate Privacy Impact Assessment Process applies to that involve the collection or new use of personal information. Our privacy professionals assess risks before new projects are delivered, which allows for proactive risk mitigation.

Security and privacy in product design

As we expand the circle of protection using innovative digital technologies, we’re building in security from the start. We ensure product development teams have the training to create products that adhere to Allstate’s security standards and help ensure applications are secure before production. Allstate’s Enterprise Business Conduct team has created a group that supports the development of new products, programs and services to ensure they are built with privacy, ethics and compliance in mind, and risks are mitigated before launch. 

Allstate Identity Protection

Allstate Identity Protection is reinventing privacy and identity protection by giving consumers the tools to see, control and protect their digital identities. It helps us maintain our privacy posture and has grown exponentially over the last few years with 4500 current clients and over 5.2 million In 2020, Allstate’s Identity Protection services were offered for free to all US residents including existing Allstate customers, helping over 200,000 Americans protect their identity.

Product offerings include identity protection and privacy management, as well as Allstate Digital FootprintTM on Allstate Mobile. We recently added a cyber product offering mobile device protection, anti-phishing, Wi-Fi scan and limited cyber-expense coverage. Read more about Allstate Identity Protection and Allstate Digital Footprint product in out Customer-Centric and Resposible Products section.

Anonymization

One of the best ways to protect a person’s privacy is to anonymize their data. Allstate’s Personal Information Anonymization Framework provides a mechanism to confirm that data has been properly anonymized, which allows the company to more freely use data with valuable data insights remaining intact. Anonymizing data virtually removes the privacy risk without compromising the value of the data.

Training

All Allstate employees receive regular training on Allstate’s privacy and information security policies. Our annual compliance confirmation process requires every global employee to complete courses and agree to follow appropriate company policies, with employees of National General, a recent acquisition, undertaking a separate training process. All employees must acknowledge and agree to comply with:

  • Our updated Global Code of Business Conduct, which contains specific sections and examples of protecting restricted or confidential information, including personal information.
  • Our Enterprise Information Security Policy, Information Technology Usage Policy or the appropriate subsidiary information security policies and standards. These documents govern our operations and help ensure company data is not inappropriately shared or altered.

The training covers company-specific risks and trends identified over the last 12 months. Allstate agency owners are under contractual obligations to maintain their own information security policies and controls. Allstate also provides privacy and information security training for new agency staff and communicates key information security responsibilities for all agency users annually.

Allstate employees are required to protect consumers’ personal information and keep it confidential. Our consumer privacy principles are detailed in the Privacy Policy, which applies to all employees:

  • We respect and protect the privacy of every individual’s personal information.
  • We request and retain only the personal information that is needed.
  • We communicate clearly how personal information is used, retained and disclosed.
  • We embed strong privacy protection practices in all business processes and systems.

Our Online Privacy Statement has more on Allstate’s practices related to collection, use and sharing of consumers’ personal information. Other entities within the Allstate family provide separate privacy statements; for selected examples of our range of privacy statements see The Allstate Foundation, Arity, Allstate Protection Plans, National General and Allstate Identity Protection website for information about their respective privacy practices.

Ethics, compliance and privacy assessments

We host Ethics, Compliance and Privacy Assessments to identify on a detailed level how each business area meets the required elements to maintain a mature and well-functioning privacy program. These assessments occur as needed based on identified risks, with at least one assessment for each business area every three years.

Privacy or security incidents

If employees have a privacy or security concern to bring to the attention of senior leadership, they are expected to report to the i-Report Line. The Global Code of Business Conduct also includes phone numbers and email addresses for reporting an incident.

If Allstate suspects or receives a report that personal information may have been compromised, the privacy team launches an incident response that includes investigation, notification and corrective action in partnership with the Information Security team and other areas, when needed. Senior leaders and the Board of Directors are kept appraised of privacy incidents as needed. The privacy team and other leaders help make sure that Allstate complies with the growing body of regulation that applies to the personal information.

Programs and initiatives

Cybersecurity and privacy programs are a priority at Allstate and are reported to the Board of Directors. The Board and Audit Committee oversee cybersecurity and by reviewing risk at multiple meetings. Outside professional groups benchmark both programs regularly, with positive results Our information security, cybersecurity and privacy continuously undergo independent assessments to evaluate their maturity.

 In 2020 and 2021, we completed thorough independent privacy program maturity assessments, which concluded that the privacy program was well defined and continues to mature year-over-year. During these assessments, the privacy program was evaluated and assessed relative to trends in the insurance and technology industries. In 2021, Allstate was noted as a leader of the insurance industry. Both the 2020 and 2021 assessments involved a fact-finding exercise that analyzed, evaluated and verified privacy program progress across privacy components through interviews with the privacy team and other enterprise stakeholders and reviews of relevant documents.

The information security and privacy programs support several key enterprise initiatives. Our cybersecurity program, aligned with directives from the Board of Directors, supports the evolving business environment while managing a dynamic threat and regulatory landscape. It addresses these priorities:

  • Access Control: Limits access to systems across the enterprise through strengthened authentication, network segmentation, and identity and access management.
  • Detect and Respond: Enhances monitoring of critical systems and extends the Global Security Fusion Center (GSFC) services to effectively monitor, detect and respond to threats.
  • Protect Data: Manages data consistent with Allstate’s risk strategy to protect the confidentiality, integrity and availability of information and to comply with laws and regulations.
  • Security Governance: Defines, consumes and monitors assets and security controls to meet Allstate and regulatory requirements.

We advanced our State Privacy Laws program to strategically approach consumer expectations of privacy and the dynamic regulatory environment, and we are identifying lawmakers, think tanks, policy institutes, thought leaders and journalists aligned with increased consumer control of data. We also focused on reducing the personal information footprint across Allstate in an effort to clean up the data landscape by removing extra copies of data. Our approach prioritizes scalability, repeatability and strategic technology deployment to ensure flexibility as state privacy laws change.

Employee awareness and training

Investing in a strong Integrated Digital Enterprise system with appropriate security controls is just one way we protect Allstate data. Our policies can only be effective when we effectively communicate these controls to our team.

Our security education and awareness teams lead extensive employee communication campaigns to reduce cyber risk from human error. They include phishing simulations with real-time feedback and training for employees who fail the simulation. Since beginning this program, we have seen significant improvement employees’ ability to recognize threats. For example, Allstaters have increasingly demonstrated their ability to identify a phishing email as evidenced by the low click rate on phishing simulations emails of 7% compared with the industry average of 12%. The awareness program is also assessed by Gartner Employee Awareness Survey which measures employee secure behaviors and decision making. For the fourth year in a row, Allstate outperformed industry peers and other Fortune 500 companies in all 33 categories with a Secure Behavior score of 93/100.

We provide on-demand and topic-specific training customized for current issues. We offer more advanced and specialized role-based training to employees in higher-risk roles. For example, employees who may access HIPAA-protected health information or work with payment card information receive additional training on secure practices. We evaluate our training results using:

  • Metrics across survey responses
  • Test and assessment results
  • Performance trends
  • Impact on the business or return on investment

In 2021, Allstate’s Business Information Security Officers group delivered 133 training sessions tailored to their specific areas of responsibility, with a total audience of 8,860 employees.

Beyond formal training programs, we have yearlong awareness activities. Allstate’s internal information security site has guidance on how to report incidents, alerts of ongoing threats, resources for pro bono training and computer donations, and how to use information security services and processes to keep data secure. In October 2021, we aligned our security messages with the Department of Homeland Security’s Cybersecurity Awareness Month and saw record-breaking participation in our events. At our keynote, employee attendance increased by 15% over 2020, our highest ever, and 96% of survey respondents said they learned something new about cybersecurity.

Security and privacy in our supply chain

Our security and privacy requirements extend to suppliers who . Allstate emphasizes the importance of privacy and data security with suppliers through our procurement standards, practices and contracts. We established a security assessment program for suppliers that evaluates the privacy impacts of proposed process changes. We also require all contingent workers who have access to our network to complete training on Allstate’s security policies and to adhere to the privacy expectations described in our Supplier Code of Business Conduct.

TOP