Email Encryption Policy
In an effort to protect the Personal Information of
applicants and insureds, RPS started encrypting Email. The
following sections attempt to explain parts of our process so that
our business partners (Retail Agencies and our Markets) can
understand our process.
What is Email Encryption Anyway?
A method that converts ordinary Email into a format that cannot be
read without some type of key, password, or secure site.
Why is Email "at risk" in the first place?
When we send you an Email, it travels various places along the
Internet before reaching you. Our concern is not inside our
RPSins.com domain, nor once inside your domain, but that it could
be intercepted along the way. If it is not encrypted, then anyone
intercepting that Email could read both the content and any
attachments, such as schedules, driver lists, or other materials
that contain the Personal Information of our applicants or
insureds. By encrypting the Email with our SecureMail service, we
require a password to open either the body of the Email or those
attachments, keeping our clients' material safe.
Are there laws that require Email
Encryption?
Yes. Some states have passed laws that mandate that any Personal
Information about their residents be encrypted. There are rules
about sending Email, notebook computers in the field, mobile
storage devices (flash drives, hard drives and CD/DVD), and how we
safely store data on our servers. In addition, there are Federal
standards as well, which you have probably encountered simply from a
visit to your doctor's office. We aim both to comply with the
various laws and court cases and to be sensitive to the trust you
and our clients have placed in us about keeping Personal Information
private.
Is there another way to do Email Encryption?
Yes. There is the possibility of our IT people and your IT people
working together to create encryption between our domains
(RPSins.com is our domain). This process takes time and resources
from both our IT departments. While this may become a future
solution, it was important for us to get started, so we selected
the current method of encrypting the Email on our end using our
tools. As these tools become more common, we expect the domain to
domain method to become more viable.
Can I ask that you NOT encrypt the Emails you send to
me?
Sorry, but we cannot do that. We're aware that reading an encrypted
Email does take an extra step, but we've done our best to deploy
something as simple as possible. We need to be in compliance with
the laws, and protect our client data, so please do not ask any of
our staff to remove encryption for you or your office, as they
cannot do so.
What if I cannot GET the Email you sent me on your
Encryption Service?
Of course we don't want encryption to stop the business process!
Our staff will be happy to help you, or resend the Email if needed.
The Email you receive should tell you both who in our office sent
it and the Subject of the Email. Rather than give you
a bunch of instructions to follow, we'd prefer that you call our
staff member, and let them walk you through the process. Besides,
that helps us learn how we can better describe the process for the
future.
Why is some Email encrypted, while other items are
not?
Not all Emails contain Personal Information. When our staff can
send Email without encryption we realize it's easier for you to
receive, read, and process, so we try to use the encryption only
when necessary. If the item does not contain the Personal Information
components, and is not subject to state or federal requirements to
be encrypted, our staff will send it via regular Email. These laws
change regularly, and it is our attempt to keep our people informed
and audited to remain in compliance. When we can send you Email
that does not need to be encrypted, we will do so.
What is this enrollment process?
Our IT staff designed an internal service, rather than sending you
to a vendor service. As such, we need to "know it's you" when you
pick up the Email. We ask you to create a password so that you're
the only one that can read the Email that we protected. We've tried
to make getting registered as easy as possible, and if you forget
your password we have a button to click to help you.
Does everyone at my office need their own password
credentials?
Yes. While there may be teams at your office that share Email
regularly, we need to assign each distinct Email address their own
password. Inside our company, sharing passwords is not allowed,
but those decisions are up to you inside your company. We
realize that Producer/CSR or perhaps Underwriter/Assistant may very
well share passwords, but we will still require one per address,
and we cannot share them with anyone else.
I have all kinds of these services popping up. How am I to
keep track of all these passwords?
This is up to the security policies inside your own company, but
we are aware that users who have many of these types of encryption
services often use a common password for many of them. We do
not select the password you choose, so if you use the same one for
our service that you've used for other services, we cannot detect
that strategy. Your company needs to measure the risk of reusing
passwords in this manner versus tracking unique passwords for each
encryption process.
Why doesn't RPS use my encryption solution?
We realize that many of our business partners will have to create
their own methods of Email encryption, and when you send us
encrypted Email using your own tools, we will take the extra step
to open it, just as we are asking you to use our tool when we send
it. Until these processes become more streamlined, we'll use ours
when we start a conversation, and you'll use yours when you start
one. We'll all get past this just as we have when other technology has
changed. For the moment, when we send one, we have to use the
security tools connected to our systems.
Can I forward an encrypted Email to my assistant to
open?
No. The message will require your password credentials, and they
cannot reach that Email from their credentials. To do so would
violate the purposes of encryption. Once you retrieve the Email, if
it is appropriate for you to share it with your assistant inside
your office domain, that is fine.
Can I Reply from your Encryption Service Engine?
Yes. There is an option to Reply from inside our service, which
means that your reply is also protected without you having to use
any other process or tool.
I don't have an Encryption Service Tool. May I use
yours?
No. Our tool is designed to require one of our staff to be involved
in the process. So unless the Email you want to send should be read
by one of our staff members, you should not send it from inside our
service tool.
Sometimes I see "Secure Mail" and sometimes I see "Web
Secure". What is the difference?
We most commonly use the Secure Mail method, except when our target
recipient does not have the ability to receive using that tool, or
the attachments make the Email too large. Those larger Emails are
handled by our Web Secure process, but because of their size they
expire 60 days after sending, while the Secure Mail ones don't
expire. We're hopeful that if we've sent you a larger sized Email
(using Web Secure) that you will pick it up well before the
expiration date. But as you can imagine, storage for very large
Emails becomes difficult, so we had to create some threshold for
size and storage timing.
What is Personal Information anyway?
This varies between state and federal laws, so rather than
interpret each of those for you, let's address the RPS description
we've told our staff, realizing that as these laws change we must
update their process. If the Email body or attachments contain a
personal name together with any of the following components, then,
depending on the state or federal requirement, we may need to
encrypt that Email:
- Complete personal address of the resident of the state in
question;
- Driver's License number and date of birth (like might be on
driver schedules);
- Social Security Number (common for personal lines
accounts);
- Credit Card number (possible on personal lines accounts for
billing / invoice issues);
- Banking or Financial Account Numbers, or passwords
thereto.
As you can see, there are many potentials that push things into a
"need to encrypt" status. Many applications for insurance contain
combinations of this information. It is also possible that the
original application contents forced encryption, while subsequent
parts of the Email conversation do not. Our staff will attempt to
NOT encrypt those Emails that are merely clerical, commentary, etc.,
when they do not contain the information we need to protect.
However, they are trained to err on the side of caution, so they may
have encrypted an Email on the principle of "better safe than
sorry."
Who do I contact if the RPS employee I talk to cannot
answer my questions?
We prefer you start with the local person you work with and let
them help you. But if you still have concerns, please contact one
of these officers, depending on the area of your question:
Compliance Officer: Bob Markham
Operational Issues: Scott Anderson
IT / Technical: Mike Roy.