Insurance Industry

The Government Beckons

Insurance carriers can create the best defenses in the world to protect customer data. But the government may ask them to give it up regardless.
By: Susannah Levine | August 31, 2016 • 7 min read

Like Apple, insurance carriers and brokers hold an enormous amount of sensitive client information.

Unlike Apple, they are unlikely to find themselves in a highly public battle with the FBI should they resist demands for that data, as the tech giant did last spring in a dispute with the agency over the information in a terrorist’s locked iPhone.


But in the future, companies in the insurance space should be on the lookout for requests from regulators in other circumstances. Not necessarily in the wake of a mass shooting, but in the aftermath of any number of cyber hacks, the course of investigating a car crash or as part of the effort to secure crucial energy infrastructure.

And according to at least one expert, they should consider dumping the use of smartphones for conducting any kind of company business.

Investigators may request insurance company client data collected or transmitted through smartphones, said Theodore P. Augustinos, a partner with Locke Lord LLP. For now, though, he said, the dilemma is more theoretical than actual.

“The government could subpoena geolocation data collected through a fitness app,” he said, and that data could come into play if the insurance company received it.

Theodore P. Augustinos, partner, Locke Lord LLP

Investigators could also be interested in insurer-collected behavioral data, such as drinking and driving habits recorded by one or more apps that measure telematics and geolocation, said Hart Brown, vice president, organizational resilience, HUB International.

“That real-time data could be very powerful in a crime or accident investigation,” Brown said.

The crucial difference between the insurance community and Apple is that “Apple’s technology prevented access to the data,” Augustinos said.

In contrast, the insurance industry erects no technology barriers to the data it collects for its own use.

After 2015’s spate of cyber attacks that compromised 100 million records in health care — now the top industry for cyber attacks, according to recent IBM research — insurers should be “concerned” about federal investigators possibly seeking information, said Adam Cottini, a managing director in the cyber-liability practice with Arthur J. Gallagher & Co.

He predicts more and varied attacks, and more investigations, in industries involved in national security and critical infrastructure.

“We’ll see a level of investigative activity that rivals what we saw with the iPhone. Marine, utilities, water companies, the power grid — insurers house information from these industries, and the information they provide may rise to the level of national security and critical infrastructure.”

For now, those records don’t usually involve locked technology such as smartphones. As they have historically, investigators such as the FBI may request or subpoena that data as they see fit, Augustinos said, and “companies will continue to release client data as they see fit.”

Investigators fish for data wherever they can, and insurers may be the source of last resort for that kind of information.

“If they meet resistance from the telecom providers and device manufacturers, they may go to the carrier next,” Brown said.

Whether investigators request information from insurers, and whether insurers release it, will play out on a case-by-case basis, Brown said.

“Information has value, and protecting it creates brand value. Insurers want to be good citizens and will cooperate with an investigation of an identified threat, but we won’t see companies sharing information in a blanket manner.”

Hackers Know: To Err Is Human

Human behavior that leaves data and networks vulnerable to hackers is a bigger and more immediate problem than government intrusion, said Michael Nash, president, Privacy Research, Inc.


He is unequivocal about the dangers that the widespread use of smartphones poses for all companies, not just insurance carriers.

“Smartphones are not appropriate for business use. People don’t understand that their trusted personal devices are computers — computers unprotected by effective antivirus software and firewalls, which makes them inherently untrustworthy.”


Smartphones can be compromised over the cellular network, he said, and also through Wi-Fi, Bluetooth, and NFC (Near Field Communication, the technology that allows transferring photos between phones by tapping their backs together).

“Your phone can be compromised anywhere — your home, the train, a coffee shop.” Some countries, especially China and Turkey, are notorious for attacks on travelers’ phones, he said.

Even locked networks, such as those in hotels, can be “spoofed” by opportunistic hackers waiting to prey on gullible users. Once the device is brought back to the office and joins the company’s network, it can be used as an entry point for network penetration.

“All an attacker needs is a cell phone number,” Nash said in an interview conducted on his own cell phone, which rang through a landline number, sparing him the necessity of divulging his cell phone number.

He recommends omitting cell phone numbers from business cards.

“Your cell phone number is an address for the device. An attacker who has your business card knows who you are, your employer, your position and the address to the device in your pocket during meetings and conversations.”

Not only can hackers access data on the phone, they can turn on the camera and microphone remotely without the owner’s knowledge — a great espionage tool in corporate meetings and secured areas. And turning the phone off provides no protection, Nash said.

Cottini sees risks when employees use the same device for business and personal use.

“Employees can slip up and send business emails from their Gmail accounts,” he said.

“Then the confidential business information is stored on the device, which isn’t secure, and the provider’s cloud system, which may have fallible security.”

Adam Cottini, managing director, cyber-liability practice, Arthur J. Gallagher & Co.

Whether or not the information has value to an intruder, Cottini said, the corporation’s intellectual property is vulnerable. Despite the high financial or reputational cost to corporations of smartphone-related losses, he doesn’t see corporations abandoning smartphones or returning to the outdated two-device model, one for personal use and one for business.

The solution, he said, and an imperfect one because it depends on human behavior, resides in training and technology.

“Ideally, you want a culture of security and awareness built into training programs that would check an employee’s habits of using a Gmail account,” Cottini said.

Employees can also use encryption apps, “but they’re useless — not if, but when — people use traditional cloud email to transmit corporate messages.”

Although it isn’t yet commonplace, Cottini said, virtualization technology exists now to separate employees’ personal assets on their phones from corporate assets, which, when used correctly, prevents corporate assets from residing on the phone.

Companies would have to approach those solutions delicately so employees don’t feel bullied, Cottini said.

“Employees will ask, ‘Why am I being told what to do with my own device?’”

No Fix in Encryption Alone

Long before the Israeli company Cellebrite Mobile Synchronization broke into the San Bernardino terrorist’s encrypted iPhone, a YouTube search for “how to break into iPhone” produced more than 6 million results, confirming what hackers and risk managers already knew: any encryption can be broken. That has invited speculation that the iPhone-breaking incident may have been political theater to create a legal precedent for investigations involving locked technology.

“If you can make the technology, someone with enough resolve can break into it,” said Cottini.

Breaches of encrypted data are so routine that states are toughening their data breach laws; in July, Tennessee will become the first state to remove its encryption safe harbor.


This game of whack-a-mole calls for vigilance.

“You need multiple rings of security,” Cottini said, not just encryption.

“If hackers get to the other side of your firewall, you need to change all the failed protections that let them in. You need access controls, so only highly vetted people have access to sensitive data.”

“Companies run the risk of complacency around their data,” said Kristen Gaebel, director, financial services regulatory practice, PricewaterhouseCoopers. Take a long, hard look at privacy and data protections, she advised.

“Perps are getting more sophisticated, and companies need to constantly evolve training, governance and risk assessment to identify susceptibilities.”

“Catch the bad guys by surprise,” Cottini said. “Rotate your defenses to be random. If they’re static, the bad guys will catch you.”

Susannah Levine writes about health care, education and technology. She can be reached at [email protected]

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: Michelle Kerr | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]