Corporate Privacy: Nowhere to Hide
SCENARIO: In a small apartment in Atlanta, Pete scanned the hardware in front of him. His fingers flew as he deftly navigated multiple windows. A former defense contractor employee, Pete possessed a highly specialized set of skills.
He knew how to hack into almost anything, from network servers and credit card databases, to VoIP phone systems and video conferencing systems. An encryption expert, he knew how to exploit every weakness and sniff out every back door. Pete never met a digital lock he couldn’t pick.
Pete’s talents — and his reputation for discretion — kept him in demand, especially in certain circles.
His latest gig was gathering intel on Odyssey International for one of Odyssey’s top competitors, especially an inside track on any mergers or acquisitions Odyssey might have up its sleeve.
Pete pulled up his files for several key Odyssey execs and smiled smugly. People like Garry Buchanan made Pete’s job way too easy.
Odyssey’s U.S. head of new business development, Buchanan was tech-obsessed. From the moment Buchanan hopped into his Tesla Model S and engaged the autopilot until he arrived at work, Pete could peek at every email, calendar entry and company report. Buchanan’s smartphone let Pete keep track of him out of the car too, whether he was picking up a latte or checking in for a flight.
Accessing Odyssey’s network was a little tougher than Pete expected — its security was more sophisticated than most. But, like most companies, it spent more time protecting its customer and finance data. Its email server was far less secure. Its phone system was barely protected at all.
Around 8:15 a.m., Pete’s system alert let him know that Buchanan was on the phone. It sounded like Odyssey was researching a potential acquisition.
Pete tapped the screen to record the call and sent an encrypted file to the man who’d hired him.
Buchanan’s flight to London arrived on time. He’d checked into his hotel and stayed there all night. But Pete was drumming his fingers on his desk, aggravated. There were meetings on Buchanan’s calendar. But with whom? There was no data.
There had been a few vague email references, but nothing that had given Pete a clear picture of what was up. Buchanan seemed to be deliberately keeping the details under wraps.
“We’ll see about that,” said Pete, firing up more hardware. He checked the time and calculated the time difference. Buchanan would probably be leaving the hotel soon.
He’d found Buchanan’s Uber account the day before and guessed he’d be using the service. Sure enough, he’d already been picked up. “Gotcha,” said Pete, gaining unauthorized access to Uber’s “God View” and tracking the car’s route.
Ten minutes later, Buchanan walked into a café and was seated at a table out front. Pete watched in real time as Buchanan took a moment to take in the London scenery while waiting for his breakfast companions.
“Bless those Brits,” thought Pete. “And their millions upon millions of CCTVs.”
Buchanan’s two guests arrived a few minutes later. Pete was pleased to have a good angle on both of them. He locked on their faces and dragged the images into his facial recognition program. He got a match on both and searched their records. One was a visiting fellow at the University of Cambridge in the department of engineering. Interesting.
Pete kept digging. An hour later, Pete had enough data on both of them to get a picture of what Buchanan was up to and why Odyssey wanted this little excursion to be kept under wraps.
Time for another file upload to his new corporate benefactor. This info was hot.
“I should’ve charged him twice as much,” Pete thought ruefully as he sent his customer the information on his competitor’s latest move.
ANALYSIS: There are no more secrets. The lesson brought home by WikiLeaks and later by Edward Snowden is that privacy is a quaint notion of a bygone era. We are in, as it has been dubbed, the “Golden Age of Spying.”
Everyone now knows that the U.S. National Security Agency (NSA) has access — on a massive scale — to chat logs, stored data, voice traffic, file transfers, phone records, email and social networking data. It can also access web chats, Internet searches, text messages … the list goes on.
The agency has long had a certain amount of cooperation from major technology companies including Microsoft, Yahoo, Google, Facebook and Apple. Unbeknownst to some, it also engineered a weakness in an encryption standard, allowing back-door access to those companies, and their data.
Problem is, if you leave the back door open, you can’t guarantee that others won’t find their way in.
Now factor in the Internet of Things. Estimates suggest there could be up to 80 billion connected devices in use five years from now — devices that can monitor anything from the climate quality in your delivery trucks to whether the plant in your window needs more sun.
From your digital world to your physical world, everything will be hackable, trackable, visible. Everything will have the potential to be seen by someone you never intended to share it with.
That’s happy news for those set on malfeasance, either to steal corporate secrets or engage in disruption for fun or profit. But it’s troubling for businesses of all sizes as they face the challenge of protecting what they can and managing the rest.
“What you’re going to see is a more formalized way of communicating sensitive information and housing sensitive information,” said Randy Nornes, executive vice president with Aon Risk Solutions.
“So if you have key data that creates value for your firm, I think you’re going to see that the fundamental technology architecture that people use to store the really important stuff will be remote and distant, and it won’t be readily accessible through the Internet.”
But it’s the day-to-day actions of conducting business that organizations will have more trouble keeping behind locked doors.
“In a fully transparent world … companies will have to behave as if every action will be reported on the front page of their local paper,” said Nornes’ colleague Paul Kim, co-CBO of Aon Risk Solutions U.S. Retail operations.
Futurist and author David Brin said in a recent interview with “Variety” that organizations can’t “count on anything staying secret for more than 10 years, that’s delusional on the border of psychosis.
“Get used to the notion that some day, someone is going to hear this conversation or read this document. And live and work as if anybody might be watching now,” Brin added.
Along with those inevitable leaks come serious risks to brand and reputation, which is why reputation risk management will need to develop at least as fast as privacy erodes.
That means using an extremely thorough process of scenario planning, and understanding exactly how any kind of breach, leak or competitive attack could affect the company’s value and its ability to conduct business.
“It’s not something that’s limited to the public relations team; it’s not something that’s limited to a chief communications officer,” said Chris Lukach, president of Anne Klein Communications Group, LLC.
“It’s something that needs to be shared among risk management, legal, HR, operations … . That to me is what makes companies prepared.”
There are multiple points at which hyper-transparency can result in a business loss, and insurance products will no doubt keep evolving to meet those needs. In a case where a release of confidential information might damage a company’s image, for instance, Tokio Marine Kiln is already underwriting a product that goes beyond traditional cyber insurance and helps companies insure against that spectrum of losses.
Tom Hoad, underwriter at Tokio Marine Kiln, a Lloyd’s syndicate, explained that risk managers have become increasingly sophisticated in the way they think about their exposures.
“[They’re asking], ‘Where are the key performance indicators for the company and what sorts of things can affect our ability to deliver on those things?’ … The preservation of brand equity is very much at the forefront of that process.”
Complete coverage of 2015’s Most Dangerous Emerging Risks:
Corporate Privacy: Nowhere to Hide. Rapid advances in technology are ushering in an era of hyper-transparency.
Implantable Devices: Medical Devices Open to Cyber Threats. The threat of hacking implantable defibrillators and other devices is growing.
Athletic Head Injuries: An Increasing Liability. Liability for brain injury and disease isn’t limited to professional sports organizations.
Vaping: Smoking Gun. As e-cigarette usage rises, danger lies in the lack of regulations and unknown long-term health effects.
Aquifer: Nothing in the Bank. Once we deplete our aquifers, there is nothing helping us get through extended droughts.
Most Dangerous Emerging Risks: A Look Back. Each year since 2011, we identified and reported on the Most Dangerous Emerging Risks. Here’s how we did on some of them.
It was like something out of a Hollywood crime drama. The gang’s operations were meticulously planned and ran like clockwork. The cartel was managed by a team of shady Russian characters. Money flowed like a river.
But it wasn’t drug money. And it wasn’t from gun running or human trafficking. It was the spoils of ill-gotten insurance money from staged car crashes throughout New York City.
In 2013, an extended sting operation — involving the NYPD, the FBI, and the National Insurance Crime Bureau (NICB) — uncovered more than $400 million in fake injury claims from both real and set-up crashes in NYC.
The sting revealed dozens of key players, including doctors and lawyers on the take, a supporting cast of thousands of fake patients and patient recruiters, 100 phony medical clinics, and numerous crooked testing labs, medical-supply firms, and billing firms.
While most organized crime rings aren’t quite as ambitious as this one, they’re typically just as complex and also just as lucrative for the players involved.
Sophisticated professional fraud rings are actively bilking insurance companies of billions in no-fault auto/PIP, health care coverage, and workers’ comp claims fraud. Most operate using multiple false identities, targeting multiple organizations. They often recruit or “groom” insiders to assist in their schemes.
“These large rings, they’re highly adaptive,” said Tom Mulvey, assistant vice president, claim and SIU services, for ISO, an operating unit of Verisk. “It’s aggressive and it’s well camouflaged. These are dedicated perpetrators. They cross state lines and they spread their habit across a multitude of carriers. They’re not one-stop shopping — they make sure that everyone’s in play.
“Some of the camouflage they use is using numerous business names and locations,” he continued.
“They really work to cover their tracks; they artificially disperse their identities, they segment their volume. So rather than doing business with a carrier as a B2B, they [manipulate] their profile by operating as multiple businesses behind many identities.”
They’re also incredibly expensive to fight. But the cost of ignoring them is even higher.
According to information compiled by organizations such as the Insurance Information Institute (III) and the Coalition Against Insurance Fraud, property and casualty insurance fraud costs insurers approximately $33 billion a year — at least 10 percent of all losses, according to NICB.
But other organizations, including the FBI, place that number even higher, upwards of $40 billion.
Far from being a victimless crime, every policyholder foots the bill for this robust criminal activity, which continues to grow. NICB reports that the number of questionable insurance claims rose by 16 percent from 2011 to 2012.
The old wisdom was that a certain amount of fraud was simply a cost of doing business, and many insurers felt that a more proactive approach ran the risk of alienating good policyholders by investigating and delaying legitimate claims.
That strategy backfired, and fraudsters grew bolder and greedier. At some point, though, the costs rose so high that insurers realized they had to fight back.
Most insurance companies now employ special investigative units (SIUs), which utilize a variety of strategies and tools to detect and prevent fraud, with technology at the core of those tools.
A 2012 survey by the Coalition Against Insurance Fraud indicated that 95 percent of insurance companies are now using some form of anti-fraud technology. But this development is still fairly new — only half of survey respondents said they have been using this technology for more than five years, and many had only been using it for two years at the time of the survey.
As insurers work to establish and improve their anti-fraud programs, they face questions about which technologies to invest in. There’s no single magic-bullet tool that will cover every base.
Experts say that a multi-layered program must be in place in order to make any kind of substantive difference.
The most common form of anti-fraud technology involves the use of business rules, or red flags. These systems test each transaction against a predefined set of algorithms or business rules to detect known types of fraud based on specific patterns of activity.
A rule might flag a claim for further investigation if it exceeds a certain dollar amount, occurs too soon after a policy is written, involves no witnesses, or if the claimant has submitted a high number of claims in the past year, for example.
The downside is that professional fraudsters are well aware of the various rules and thresholds typically used, and are skilled at flying just below the radar. They also know that flagged claims are likely to be subject to a database search such as ISO’s ClaimSearch, so they’ve even developed strategies to hoodwink the search engines.
“For every new technology, the thieves or fraudsters are going to be enthusiastically looking for ways to defeat the technologies,” said Jim Schweitzer, senior vice president and COO of NICB.
One attempt to get ahead of the thieves involves new software solutions called link analysis systems. These systems allow for a broader view than a straight database search, and can help identify the connections between players in a fraud ring, even when efforts have been made to blur those connections.
“Let’s say two vehicles have an accident,” said Stuart Rose, global insurance marketing director for SAS, a technology company involved in this area.
“You may have three or four different passengers involved. Two get injured and they go off to one medical provider. In six months’ time another accident occurs.
“It’s completely separate when looked at in isolation, but when you start to look at them combined, you start to see that the same insured was involved in both accidents. It may have been different vehicles.
“He may have been a passenger in both of them. But he’s going to the same medical provider. Another six months and the same thing happens.”
You start to see the same key person involved in all of these claims, said Rose.
“It’s a little like how LinkedIn or Facebook works. You start seeing all of those connections and how many degrees of separation there are from the insured.”
There are several key advantages to link analysis software. It can spot easily missed connections, such as multiple claim payments going to the same bank account, even when they’re all under different names. It can also catch the minor detail variations that fraud rings use to avoid detection.
“The payee, instead of Stuart Rose, may be Stuart Ross, or maybe even Steve Rose. They manipulate the ID just a little bit,” Rose said.
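The link analysis described above can be sketched as a small graph problem. This is an added example, not code from the article or from any vendor it names: the claim records, the names in them, the 0.85 similarity threshold and all function names are constructed assumptions.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Assumed cut-off for "the same name, manipulated just a little bit".
NAME_THRESHOLD = 0.85

# Constructed sample claims: (claim id, payee name, bank account, provider).
CLAIMS = [
    ("C1", "Dana Whitfield", "ACCT-1001", "Northside Rehab"),
    ("C2", "Dana Whitfeld", "ACCT-1002", "Northside Rehab"),
    ("C3", "Steven Whitfield", "ACCT-1002", "Harbor Imaging"),
    ("C4", "Priya Raman", "ACCT-2001", "Lakeview Clinic"),
    ("C5", "Tomas Okafor", "ACCT-3001", "Northside Rehab"),
]


def name_similarity(a, b):
    """Similarity in [0, 1] between two payee names, ignoring case and spacing."""
    def norm(s):
        return " ".join(s.lower().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()


def find_links(claims):
    """Return (id_a, id_b, reason) for each pair of claims that share evidence.

    A shared provider alone is deliberately not a link: legitimate claimants
    use the same clinics, so it would connect almost everything.
    """
    links = []
    for (id_a, name_a, acct_a, _), (id_b, name_b, acct_b, _) in combinations(claims, 2):
        if acct_a == acct_b:
            links.append((id_a, id_b, "same bank account"))
        elif name_similarity(name_a, name_b) >= NAME_THRESHOLD:
            links.append((id_a, id_b, "similar payee name"))
    return links


def cluster(claims, links):
    """Group claims into connected components (union-find); drop singletons."""
    parent = {claim[0]: claim[0] for claim in claims}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in links:
        parent[find(a)] = find(b)

    groups = {}
    for claim_id in parent:
        groups.setdefault(find(claim_id), []).append(claim_id)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    links = find_links(CLAIMS)
    for a, b, reason in links:
        print(f"{a} <-> {b}: {reason}")
    print("linked groups:", cluster(CLAIMS, links))
```

C1 and C3 are never directly linked: the names differ too much and the accounts differ. They end up in the same group only through C2, which is the "degrees of separation" effect a straight database search on one field would miss.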
The Power of Volume
The more data that could be shared across the industry, the easier it would be for insurers to connect the dots. But insurers have been resistant to engage in any type of substantive data sharing due to privacy concerns.
Emerging tools on the market are a step in the right direction. ISO has been developing ClaimSearch DNA, an advanced link analysis program that works in conjunction with its existing ClaimSearch database. That allows users the benefits of link analysis beyond their own organizations’ data.
“It’s been built to uncover the camouflage and graphically demonstrate connections of entities through an ISO visual analysis tool called NetMap,” said ISO’s Mulvey. “It really unravels the cover-up that conspirators work so hard to develop.”
The DNA system works on top of the ClaimSearch database, which contains nearly a billion loss records. It is designed to search constantly for anomalies and associations in the database.
“The proactive nature of this approach really lends itself to operate as an early warning system using the broad scale of industry loss data,” said Mulvey. “So rather than waiting for an individual carrier to recognize suspicious activity, this will speed things up and recognize the emerging group very early in its development. That time to detection is very important.”
Professional fraud rings are a lot like any other business, in that they need to go through a development stage, getting the right people and resources in place. In the meantime, these startup rings will be orchestrating claims to produce cash flow.
“The key is to find out who they are and what they’re doing before they get really good and begin to cause real harm to the industry and the general public,” said Mulvey.
To that end, some insurers have begun using predictive modeling to shorten that time to detection. Chubb reports a high degree of success using predictive models on its casualty claims for the past eight years.
Chubb’s Don Siegrist, vice president, home office SIU and recovery manager, said that the company has built models based on the attributes of its successfully closed SIU cases.
The models have yielded a high success rate in identifying the claims that should be referred to the SIU, and are able to do so weeks or sometimes months before adjusters might have been able to flag them — sometimes in a matter of days.
“What it does is, it changes the tone of the investigation,” said Siegrist.
“The evidence is fresher. People’s minds are fresher; they still remember what occurred in the incident. The evidence that’s there is more available and nothing’s been changed. It makes for a much more powerful investigation.”
Text mining is another technology that should be a key part of a fraud-fighting program. Much of what fraud investigators have to work with is unstructured data — the information that doesn’t fit into neat little boxes on a form or in a database field, such as doctors’ notes, police reports or adjusters’ notes.
“You’ll start to see things like maybe the same phrase is being used by multiple different claimants,” said Rose of SAS.
“That’s because they’ve been taught by these fraud rings to know exactly what to say to the insurance companies.”
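One way to surface the repeated wording described above is to compare word sequences across statements from different claimants. This is an added example, not code from the article or from any product it names: the statements, claimant ids, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpts from adjusters' notes: (claimant id, statement).
STATEMENTS = [
    ("P1", "I felt a sharp pain in my neck and lower back right after the impact."),
    ("P2", "After we were hit I felt a sharp pain in my neck and lower back, then went home."),
    ("P3", "My shoulder hurt the next morning so I called my doctor."),
    ("P4", "There was a sharp pain in my neck and lower back and I could not sleep."),
]


def shingles(text, n):
    """Return the set of n-word sequences in text, lowercased, punctuation removed."""
    words = re.findall(r"[a-z']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def shared_phrases(statements, n, min_claimants):
    """Map each n-word phrase to the claimants using it, if enough of them do."""
    seen = defaultdict(set)
    for claimant, text in statements:
        for phrase in shingles(text, n):
            seen[phrase].add(claimant)
    return {p: sorted(c) for p, c in seen.items() if len(c) >= min_claimants}


def longest_shared_phrases(statements, min_words=5, min_claimants=3):
    """Grow the phrase length until no phrase is shared by enough claimants.

    Returns only the phrases found at the longest length that still qualifies,
    so overlapping fragments of one scripted sentence collapse into one hit.
    """
    best = {}
    n = min_words
    while True:
        found = shared_phrases(statements, n, min_claimants)
        if not found:
            return best
        best = found
        n += 1


if __name__ == "__main__":
    for phrase, claimants in longest_shared_phrases(STATEMENTS).items():
        print(f"{claimants}: \"{phrase}\"")
```

Requiring several distinct claimants and a minimum phrase length keeps ordinary wording ("my neck") from being flagged; both thresholds would need tuning against real notes.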
Social media analysis is sometimes part of the mix, although its use may be more limited in its effectiveness against professional fraud. Still, in a case like the NYC ring with thousands of minor players, it could have been used to investigate the many “patients” involved, some of whom undoubtedly failed to keep up the pretense of their injuries. Some may have even boasted about the scam.
“It’s amazing what people are willing to brag about,” said NICB’s Schweitzer.
“Law enforcement every day are solving cases where the individuals involved talked about [their crimes] with friends on Facebook or Twitter or some other social media. There is that human need for attention … letting people know, ‘Hey, I got away with this.’ It’s crazy but it’s true.”
Of course, none of these tools can wholly prevent fraud, Rose cautioned. But they can help insurers spot trends sooner, develop strategies based on those trends and get critical information to adjusters early on.
“Once you put those safeguards in place, it’s amazing how quickly those fraudsters disappear. It’s not always about catching them,” said Rose. “It’s more about deterring them or deflecting them.”
No Humbug on Safety for This Workplace
If you were to study some of the safest and most successful organizations, you’d see that many of them share a common philosophy: When the CEO takes ownership of the safety program, it sends a message to the entire company that safety is top priority. That universal truth is evident at organizations around the world — including the North Pole.
North Pole CEO Santa Claus is a stickler for safety, and he knows how to drive results. For the 2014 holiday season, there were only 15 OSHA recordable elf injuries, down 15 percent from last year. There were only two serious lost-time injuries in 2014, both Fleet Management employees, related to a trampling incident involving Donner and Blitzen. (Both reindeer have since received anger management counseling through the organization’s employee assistance program.)
Those injury statistics are quite remarkable, when you consider that the North Pole workforce is more than 10,000 strong, with 80 percent of elves involved in high-hazard work in toy manufacturing, product testing and quality assurance, packaging and warehouse operations.
Always New Challenges
Claus personally chairs the organization’s safety committee, which includes representatives from departments such as Toy Operations, Reindeer Fleet Management, Wish List Fulfillment, Sled Logistics and Sweets Services. Committee members take ownership of safety for their departments, leading weekly training sessions for their teams on job-specific issues such as avoiding slips and falls from spilled hot cocoa, wearing safety goggles while product testing Nerf guns, and using cut-resistant gloves to reduce the paper-cut risk for staff members tasked with opening and filing letters to Santa.
Santa faces unique risk management challenges every year. In the 1960s, a change to the Silly Putty formula caused widespread cases of chemical sensitivity among handlers. In 1996, a dozen product testers working on Tickle Me Elmo had to be treated for Raynaud’s Syndrome. “We should’ve seen that one coming,” said Claus ruefully, as he explained how stricter vibration protocols were put in place after that season.
The increasing trend toward electronic toys has brought its own set of challenges to Claus’ team. Many of the North Pole’s aging elves have been assigned to circuit board assembly because it is less physically demanding work than Big Wheel assembly or operating the Lego molding machines. However, the fine-detail nature of the work has led to complaints of eyestrain, leading Claus to invest heavily in magnifiers to accommodate his elder elves.
Claus is extremely proud of his return to work/stay at work program. Even elves with mobility issues can pitch in, delivering tools and parts anywhere they’re needed on the factory floor, via R/C Air Hog transport helicopters. Others conduct regular safety inspections enterprise-wide, using small camera-equipped hobby drones. When the two workers involved in the reindeer trampling incident were suffering from PTSD, they were assigned to light-duty, low-stress tasks to aid in their recovery, including candy cane testing and topping coworkers’ cocoa with whipped cream. “They were kept at full salary,” explained Claus, “and we were able to put them in jobs that made them smile and made everyone around them smile. Surrounding them in happiness helped them heal from the trauma of that frightening incident.”
The most recent additions to the North Pole safety and workers’ comp program were championed by Claus’ wife, Jessica, who has taken on the role of Executive Vice President for Wellness and Ergonomics for the entire organization. Mrs. Claus has organized a required daily stretching program for the beginning of each work day. Everyone participates, even the Jolly old Elf himself. She also leads wildly popular Twister Yoga classes to keep workers limber and alert, and to help manage seasonal stress. Claus is an avid health advocate, sending out newsletters full of healthy holiday tips, including recipes for stevia-sweetened sugar cookies, reminders to replace a few servings of fruitcake with fresh fruit, and warnings about the dangers of excessive eggnog abuse.
Mrs. Claus, who is even more tireless than her globe-trotting husband, also oversees the in-house claims management team, and the on-site nursing staff. Simple injuries such as candy cane splinters are treated right away and elves are back on the job in mere minutes. Nurse case managers fulfil other roles as well, such as suggesting temporary reassignment for elves suffering from tinnitus from high-decibel jingle bells.
In 2015, Claus is planning on adding new elements to the program. A voluntary biometric testing program is in the works. A spare storage room is being refashioned into a fitness “PlayZone” equipped with two dozen large screen TVs connected to Xbox One and PlayStation Move, and fully stocked with high-action movement games and fitness programs. Mrs. Claus is also working with the in-house design and fabrication teams to develop a new line of elf shoes with fitness-tracker bells to help motivate workers to move more. “Elves thrive on friendly competition,” said the EVP. “I hope to tap into that by developing an app with a leaderboard showing everyone’s steps. Toy-making is all about teamwork and cooperation. This will give each elf a chance to show off and be a star.”
Santa Claus told Risk & Insurance® that while he couldn’t share the actual numbers, the ROI on the North Pole’s safety and workers’ comp investments is off the charts. But Claus said that he and Mrs. Claus are more focused on the real spirit of safety. “Safe and happy elves make safer games and toys,” said Claus. “That means safer kids all over the world. There’s a lot more riding on our safety program than cost control,” he added with a wink of his eye and a twist of his head.
Wishing you a safe and Happy Holiday season from WorkersComp Forum!