Employers Navigate Risks of Unconventional Medicine
Nearly two years ago, a demolition project in downtown Philadelphia ended in tragedy when a heavy machine operator accidentally caused the collapse of an adjoining Salvation Army store, killing six people and injuring at least 14 others.
The excavator operator on the project was high as a kite, according to allegations.
Fear of that kind of tragedy has been gnawing at risk managers as medical marijuana legalization has spread in states across the country.
“The deadly impact is the same, no matter what the industry is,” said Sandy Little, risk manager for the Bar-S Food Company, at a presentation at RIMS 2015 in New Orleans.
Even in workplaces with a low risk of fatalities, mistakes made by impaired workers can cost employers dearly and even jeopardize reputations.
Little, along with attorney Bob Balkenbush of Thorndal Armstrong Delk Balkenbush & Eisinger, stressed that the current federal law remains clear, and employers should look at it as a resource.
Even in cities or states where medical or recreational marijuana is legal, the substance is still a Schedule I illegal drug at the federal level, and employers have no obligation to bend on policies prohibiting its use.
So far, said Balkenbush, most challenges brought by medical marijuana users have been shot down in the courts.
In James v. City of Costa Mesa (2012), a group of disabled individuals filed an ADA claim against the city for trying to shut down a collective that legally dispensed medical marijuana. The court ruled that under federal law, the group was illegally using marijuana; therefore the claim against the federal ADA was invalid.
In Ross v. RagingWire Telecommunications (2008), an employee was fired after his pre-employment drug test came back positive for marijuana. He sued the employer, claiming the company failed to accommodate him under the state’s Compassionate Use Act.
The court ruled in favor of the employer, indicating that the Compassionate Use Act was not intended to interfere with the right of employers to require pre-employment drug testing or to take drug use into consideration when making employment decisions.
Balkenbush cited several other cases where courts came down firmly on the side of employers, including cases where employers denied unemployment benefits to terminated marijuana users.
Most states, he said, are not allowing unemployment benefits for employees fired for violation of zero tolerance policies.
“Employers, for the time being, are protected,” he said.
Regardless of how many states eventually decriminalize marijuana, the law does not say that employers cannot have zero tolerance policies or fire individuals who test positive.
Of course, there are exceptions, Balkenbush and Little said. In a recent New Mexico case, the court required an employer to cover the cost of medical marijuana for the treatment of a work-related injury.
There’s also a possibility that the federal law could change within the next few years, Balkenbush cautioned, depending upon changes in the political climate.
For the time being, a well-written drug policy, frequently updated and consistently applied is key for all employers, said presenters. But it’s important to keep in mind that drug testing doesn’t always cast a wide enough net to detect whether an employee is a problem user.
It’s up to managers to be observant, Little said, and to pay attention to employees’ interactions with co-workers and customers.
She also stressed the importance of keeping the lines of communication open with employees regarding such substances. Make sure they’re aware of resources available to help, such as an employee assistance program.
Corporate Privacy: Nowhere to Hide
SCENARIO: In a small apartment in Atlanta, Pete scanned the hardware in front of him. His fingers flew as he deftly navigated multiple windows. A former defense contractor employee, Pete possessed a highly specialized set of skills.
He knew how to hack into almost anything, from network servers and credit card databases, to VoIP phone systems and video conferencing systems. An encryption expert, he knew how to exploit every weakness and sniff out every back door. Pete never met a digital lock he couldn’t pick.
Pete’s talents — and his reputation for discretion — kept him in demand, especially in certain circles.
His latest gig was gathering intel on Odyssey International for one of Odysseys’ top competitors, especially an inside track on any mergers or acquisitions Odyssey might have up its sleeve.
Pete pulled up his files for several key Odyssey execs and smiled smugly. People like Garry Buchanan made Pete’s job way too easy.
An encryption expert, he knew how to exploit every weakness and sniff out every back door. Pete never met a digital lock he couldn’t pick.
Odyssey’s U.S. head of new business development, Buchanan was tech-obsessed. From the moment Buchanan hopped into his Tesla Model S and engaged the autopilot until he arrived at work, Pete could peek at every email, calendar entry and company report. Buchanan’s smartphone let Pete keep track of him out of the car too, whether he was picking up a latte or checking in for a flight.
Accessing Odyssey’s network was a little tougher than Pete expected — its security was more sophisticated than most. But, like most companies, it spent more time protecting its customer and finance data. Its email server was far less secure. Its phone system was barely protected at all.
Around 8:15 a.m., Pete’s system alert let him know that Buchanan was on the phone. It sounded like Odyssey was researching a potential acquisition.
Pete tapped the screen to record the call and sent an encrypted file to the man who’d hired him.
Buchanan’s flight to London arrived on time. He’d checked into his hotel and stayed there all night. But Pete was drumming his fingers on his desk, aggravated. There were meetings on Buchanan’s calendar. But with whom? There was no data.
There had been a few vague email references, but nothing that had given Pete a clear picture of what was up. Buchanan seemed to be deliberately keeping the details under wraps.
“We’ll see about that,” said Pete, firing up more hardware. He checked the time and calculated the time difference. Buchanan would probably be leaving the hotel soon.
He’d found Buchanan’s Uber account the day before and guessed he’d be using the service. Sure enough, he’d already been picked up. “Gotcha,” said Pete, gaining unauthorized access to Uber’s “God View” and tracking the car’s route.
Ten minutes later, Buchanan walked into a café and was seated at a table out front. Pete watched in real time as Buchanan took a moment to take in the London scenery while waiting for his breakfast companions.
“Bless those Brits,” thought Pete. “And their millions upon millions of CCTVs.”
Buchanan’s two guests arrived a few minutes later. Pete was pleased to have a good angle on both of them. He locked on their faces and dragged the images into his facial recognition program. He got a match on both and searched their records. One was a visiting fellow at the University of Cambridge in the department of engineering. Interesting.
Pete kept digging. An hour later, Pete had enough data on both of them to get a picture of what Buchanan was up to and why Odyssey wanted this little excursion to be kept under wraps.
Time for another file upload to his new corporate benefactor. This info was hot.
“I should’ve charged him twice as much,” Pete thought ruefully as he sent his customer the information on his competitor’s latest move.
ANALYSIS: There are no more secrets. The lesson brought home by WikiLeaks and later by Edward Snowden is that privacy is a quaint notion of a bygone era. We are in, as it has been dubbed, the “Golden Age of Spying.”
Everyone now knows that the U.S. National Security Agency (NSA) has access — on a massive scale — to chat logs, stored data, voice traffic, file transfers, phone records, email and social networking data. It can also access web chats, Internet searches, text messages … the list goes on.
The agency has long had a certain amount of cooperation from major technology companies including Microsoft, Yahoo, Google, Facebook and Apple. Unbeknownst to some, it also engineered a weakness in an encryption standard, allowing back-door access to those companies, and their data.
Problem is, if you leave the back door open, you can’t guarantee that others won’t find their way in.
Now factor in the Internet of Things. Estimates suggest there could be up to 80 billion connected devices in use five years from now — devices that can monitor anything from the climate quality in your delivery trucks to whether the plant in your window needs more sun.
From your digital world to your physical world, everything will be hackable, trackable, visible. Everything will have the potential to be seen by someone you never intended to share it with.
That’s happy news for those set on malfeasance, either to steal corporate secrets or engage in disruption for fun or profit. But it’s troubling for businesses of all sizes as they face the challenge of protecting what they can and managing the rest.
“What you’re going to see is a more formalized way of communicating sensitive information and housing sensitive information,” said Randy Nornes, executive vice president with Aon Risk Solutions.
“So if you have key data that creates value for your firm, I think you’re going to see that the fundamental technology architecture that people use to store the really important stuff will be remote and distant, and it won’t be readily accessible through the Internet.”
But it’s the day-to-day actions of conducting business that organizations will have more trouble keeping behind locked doors.
“In a fully transparent world … companies will have to behave as if every action will be reported on the front page of their local paper,” said Nornes’ colleague Paul Kim, co-CBO of Aon Risk Solutions U.S. Retail operations.
Futurist and author David Brin said in a recent interview with “Variety,” that organizations can’t “count on anything staying secret for more than 10 years, that’s delusional on the border of psychosis.
“Get used to the notion that some day, someone is going to hear this conversation or read this document. And live and work as if anybody might be watching now,” Brin added.
Along with those inevitable leaks come serious risks to brand and reputation, which is why reputation risk management will need to develop at least as fast as privacy erodes.
That means using an extremely thorough process of scenario planning, and understanding exactly how any kind of breach, leak or competitive attack could affect the company’s value and its ability to conduct business.
“It’s not something that’s limited to the public relations team; it’s not something that’s limited to a chief communications officer,” said Chris Lukach, president of Anne Klein Communications Group, LLC.
“It’s something that needs to be shared among risk management, legal, HR, operations … . That to me is what makes companies prepared.”
There are multiple points at which hyper-transparency can result in a business loss, and insurance products will no doubt keep evolving to meet those needs. In a case where a release of confidential information might damage a company’s image, for instance, Tokio Marine Kiln is already underwriting a product that goes beyond traditional cyber insurance and helps companies insure against that spectrum of losses.
Explained Tom Hoad, underwriter at Tokio Marine Kiln, a Lloyd’s syndicate, risk managers have become increasingly sophisticated in the way they think about their exposures.
“[They’re asking], ‘Where are the key performance indicators for the company and what sorts of things can affect our ability to deliver on those things?’ … The preservation of brand equity, is very much at the forefront of that process.”
Complete coverage of 2015’s Most Dangerous Emerging Risks:
Corporate Privacy: Nowhere to Hide. Rapid advances in technology are ushering in an era of hyper-transparency.
Implantable Devices: Medical Devices Open to Cyber Threats. The threat of hacking implantable defibrillators and other devices is growing.
Athletic Head Injuries: An Increasing Liability. Liability for brain injury and disease isn’t limited to professional sports organizations.
Vaping: Smoking Gun. As e-cigarette usage rises, danger lies in the lack of regulations and unknown long-term health effects.
Aquifer: Nothing in the Bank. Once we deplete our aquifers, there is nothing helping us get through extended droughts.
Most Dangerous Emerging Risks: A Look Back. Each year since 2011, we identified and reported on the Most Dangerous Emerging Risks. Here’s how we did on some of them.
It was like something out of a Hollywood crime drama. The gang’s operations were meticulously planned and ran like clockwork. The cartel was managed by a team of shady Russian characters. Money flowed like a river.
But it wasn’t drug money. And it wasn’t from gun running or human trafficking. It was the spoils of ill-gotten insurance money from staged car crashes throughout New York City.
In 2013, an extended sting operation — involving the NYPD, the FBI, and the National Insurance Crime Bureau (NICB) — uncovered more than $400 million in fake injury claims from both real and set-up crashes in NYC.
The sting revealed dozens of key players, including doctors and lawyers on the take, a supporting cast of thousands of fake patients and patient recruiters, 100 phony medical clinics, and numerous crooked testing labs, medical-supply firms, and billing firms.
While most organized crime rings aren’t quite as ambitious as this one, they’re typically just as complex and also just as lucrative for the players involved.
Sophisticated professional fraud rings are actively bilking insurance companies of billions in no-fault auto/PIP, health care coverage, and workers’ comp claims fraud. Most operate using multiple false identities, targeting multiple organizations. They often recruit or “groom” insiders to assist in their schemes.
“These large rings, they’re highly adaptive,” said Tom Mulvey, assistant vice president, claim and SIU services, for ISO, an operating unit of Verisk. “It’s aggressive and it’s well camouflaged. These are dedicated perpetrators. They cross state lines and they spread their habit across a multitude of carriers. They’re not one-stop shopping — they make sure that everyone’s in play.
“Some of the camouflage they use is using numerous business names and locations,” he continued.
“They really work to cover their tracks; they artificially disburse their identities, they segment their volume. So rather than doing business with a carrier as a B2B, they [manipulate] their profile by operating as multiple businesses behind many identities.”
They’re also incredibly expensive to fight. But the cost of ignoring them is even higher.
According to information compiled by organizations such as the Insurance Information Institute (III) and the Coalition Against Insurance Fraud, property and casualty insurance fraud costs insurers approximately $33 billion a year — at least 10 percent of all losses, according to NICB.
But other organizations, including the FBI, place that number even higher, upwards of $40 billion.
Far from being a victimless crime, every policyholder foots the bill for this robust criminal activity, which continues to grow. NICB reports that the number of questionable insurance claims rose by 16 percent from 2011 to 2012.
The old wisdom was that a certain amount of fraud was simply a cost of doing business, and many insurers felt that a more proactive approach ran the risk of alienating good policyholders by investigating and delaying legitimate claims.
That strategy backfired, and fraudsters grew bolder and greedier. At some point, though, the costs rose so high that insurers realized they had to fight back.
Most insurance companies now employ special investigative units (SIUs), which utilize a variety of strategies and tools to detect and prevent fraud, with technology at the core of those tools.
A 2012 survey by the Coalition Against Insurance Fraud indicated that 95 percent of insurance companies are now using some form of anti-fraud technology. But this development is still fairly new — only half of survey respondents said they have been using this technology for more than five years, many had only been using it for two years at the time of the survey.
As insurers work to establish and improve their anti-fraud programs, they face questions about which technologies to invest in. There’s no single magic-bullet tool that will cover every base.
Experts say that a multi-layered program must be in place in order to make any kind of substantive difference.
The most common form of anti-fraud technology involves the use of business rules, or red flags. These systems test each transaction against a predefined set of algorithms or business rules to detect known types of fraud based on specific patterns of activity.
A rule might flag a claim for further investigation if it exceeds a certain dollar amount, occurs too soon after a policy is written, involves no witnesses, or if the claimant has submitted a high number of claims in the past year, for example.
The downside is that professional fraudsters are well aware of the various rules and thresholds typically used, and are skilled at flying just below the radar. They also know that flagged claims are likely to be subject to a database search such as ISO’s ClaimSearch, so they’ve even developed strategies to hoodwink the search engines.
“For every new technology, the thieves or fraudsters are going to be enthusiastically looking for ways to defeat the technologies,” said Jim Schweitzer, senior vice president and COO of NICB.
“The key is to find out who they are and what they’re doing before they get really good and begin to cause real harm to the industry and the general public.” — Tom Mulvey, assistant vice president, claim and SIU services, ISO
One attempt to get ahead of the thieves involves new software solutions called link analysis systems. These systems allow for a broader view than a straight database search, and can help identify the connections between players in a fraud ring, even when efforts have been made to blur those connections.
“Let’s say two vehicles have an accident,” said Stuart Rose, global insurance marketing director for SAS, a technology company involved in this area.
“You may have three or four different passengers involved. Two get injured and they go off to one medical provider. In six months’ time another accident occurs.
“It’s completely separate when looked at in isolation, but when you start to look at them combined, you start to see that the same insured was involved in both accidents. It may have been different vehicles.
“He may have been a passenger in both of them. But he’s going to the same medical provider. Another six months and the same thing happens.”
You start to see the same key person involved in all of these claims, said Rose.
“It’s a little like how LinkedIn or Facebook works. You start seeing all of those connections and how many degrees of separation there are from the insured.”
There are several key advantages to link analysis software. It can spot easily missed connections, such as multiple claim payments going to the same bank account, even when they’re all under different names. It can also catch the minor detail variations that fraud rings use to avoid detection.
“The payee, instead of Stuart Rose, may be Stuart Ross, or maybe even Steve Rose. They manipulate the ID just a little bit,” Rose said.
The Power of Volume
The more data that could be shared across the industry, the easier it would be for insurers to connect the dots. But insurers have been resistant to engage in any type of substantive data sharing due to privacy concerns.
Emerging tools on the market are a step in the right direction. ISO has been developing ClaimSearch DNA, an advanced link analysis program that works in conjunction with its existing ClaimSearch database. That allows users the benefits of link analysis beyond their own organizations’ data.
“It’s been built to uncover the camouflage and graphically demonstrate connections of entities through an ISO visual analysis tool called NetMap,” said ISO’s Mulvey. “It really unravels the cover-up that conspirators work so hard to develop.”
The DNA system works on top of the ClaimSearch database, which contains nearly a billion loss records. It is designed to search constantly for anomalies and associations in the database.
“The proactive nature of this approach really lends itself to operate as an early warning system using the broad scale of industry loss data,” said Mulvey. “So rather than waiting for an individual carrier to recognize suspicious activity, this will speed things up and recognize the emerging group very early in its development. That time to detection is very important.”
“Once you put those safeguards in place, it’s amazing how quickly those fraudsters disappear. It’s not always about catching them,” said Rose. “It’s more about deterring them or deflecting them.” — Stuart Rose, global insurance marketing director, SAS
Professional fraud rings are a lot like any other business, in that they need to go through a development stage, getting the right people and resources in place. In the meantime, these startup rings will be orchestrating claims to produce cash flow.
“The key is to find out who they are and what they’re doing before they get really good and begin to cause real harm to the industry and the general public,” said Mulvey.
To that end, some insurers have begun using predictive modeling to shorten that time to detection. Chubb reports a high degree of success using predictive models on its casualty claims for the past eight years.
Chubb’s Don Siegrist, vice president, home office SIU and recovery manager, said that the company has built models based on the attributes of its successfully closed SIU cases.
The models have yielded a high success rate in identifying the claims that should be referred to the SIU, and are able to do so weeks or sometimes months before adjusters might have been able to flag them — sometimes in a matter of days.
“What it does is, it changes the tone of the investigation,” said Siegrist.
“The evidence is fresher. People’s minds are fresher; they still remember what occurred in the incident. The evidence that’s there is more available and nothing’s been changed. It makes for a much more powerful investigation.”
Text mining is another technology that should be a key part of a fraud-fighting program. Much of what fraud investigators have to work with is unstructured data — the information that doesn’t fit into neat little boxes on a form or in a database field, such as doctors’ notes, police reports or adjusters’ notes.
“You’ll start to see things like maybe the same phrase is being used by multiple different claimants,” said Rose of SAS.
“That’s because they’ve been taught by these fraud rings to know exactly what to say to the insurance companies.”
“For every new technology, the thieves or fraudsters are going to be enthusiastically looking for ways to defeat the technologies,” — Jim Schweitzer, senior vice president and COO, NICB.
Social media analysis is sometimes part of the mix, although its use may be more limited in its effectiveness against professional fraud. Still, in a case like the NYC ring with thousands of minor players, it could have been used to investigate the many “patients” involved, some of whom undoubtedly failed to keep up the pretense of their injuries. Some may have even boasted about the scam.
“It’s amazing what people are willing to brag about,” said NICB’s Schweitzer.
“Law enforcement every day are solving cases where the individuals involved talked about [their crimes] with friends on Facebook or Twitter or some other social media. There is that human need for attention … letting people know, ‘Hey, I got away with this.’ It’s crazy but it’s true.”
Of course, none of these tools can wholly prevent fraud, Rose cautioned. But they can help insurers spot trends sooner, develop strategies based on those trends and get critical information to adjusters early on.
“Once you put those safeguards in place, it’s amazing how quickly those fraudsters disappear. It’s not always about catching them,” said Rose. “It’s more about deterring them or deflecting them.”