Sector Under Siege
The Target data breach of 2013, in which hackers accessed 40 million credit and debit card accounts and the personal data of up to 70 million people, will likely go down as the event that piqued public awareness of just how vulnerable their personal information is in the hands of retail organizations.
Legislation addressing how companies handle personal data goes back decades — the Song-Beverly Credit Card Act of 1971 (a California statute), for example, was amended in 1990 specifically to address the misuse of personal information by retailers for marketing purposes. Since then, the world has changed. Cyber risk touches every business sector to varying degrees, and with cyber crime an increasingly lucrative activity, data breaches are — according to media column inches at least — bigger and more common than ever.
Since the Target breach, Verizon has identified two more U.S. retailers that it said had been hacked; and in the ensuing media storm, lawmakers are scrambling to protect consumers. In March, Congress rallied retailers to support a nationwide standard for retail companies to quickly notify customers in the event of data theft in order to increase accountability in the sector.
The push for tighter laws is being played out not just in the United States but across many global economies. In this country, however, the state system means that retailers must navigate a rapidly and constantly evolving patchwork of privacy rules and regulations. Last year, the California Supreme Court ruled that the Song-Beverly Act’s privacy protections do not apply to online transactions. But in late January 2014, S.B. 383 was passed to amend the Act to fill the perceived gap in consumer identity protection.
Many retailer clients of insurance recovery lawyer Linda Kornfeld, a partner at Kasowitz Benson Torres & Friedman, would argue that traditional general liability coverages do not cut it when it comes to data privacy law violations. In 2011, many of those that operated in California faced litigation for collecting ZIP codes from credit card transactions. The state Supreme Court ruled that — despite several California court decisions to the contrary — ZIP codes counted as personally identifiable information (PII), therefore the retailers had violated the Song-Beverly Act.
Around 150 class action lawsuits were filed, and retailers got burned by their general liability insurers, who refused to pay out on the grounds that they had triggered exclusions by violating a privacy statute in the state. “This then prompted coverage litigation,” Kornfeld said.
Other Courts Follow Suit
Kornfeld said some retailers are still relying on general liability coverage rather than specialist privacy and data breach products, and may be exposed in a similar way — particularly as the California situation was mirrored in Massachusetts in March 2013. More recently, similar court rulings have been handed down in Wisconsin and Washington, D.C.
“Since the ruling last year, there has been a flurry of class action litigation being filed in Massachusetts,” she said, noting that Apple was sued there as recently as January.
“Retailers must be in strict compliance with these statutes, because the courts don’t seem to be interpreting them very favorably for the retailers.”
Kornfeld added: “Retailers that don’t have privacy and data breach cover in their insurance portfolio already should seriously consider buying it. They need to look at whether the coverage matches their risks and if the premiums match their concerns about exposure.”
If they take the decision not to buy specialist cover, she said, retailers should study the language of their traditional liability coverages to ensure it is flexible enough to cover them against privacy violation issues — both under existing law and in the instance that new legislation creates an exposure during the policy period. She also recommended working with counsel who is up to date on the various legislative changes taking place across the United States.
“If a retailer is sued with respect to the ZIP code issue, then they need to be aggressive in pursuing coverage, because insurers are taking very strong positions against coverage and I don’t agree that those positions are meritorious,” she said.
Paul Bantick, underwriter for technology, media and business at Beazley, which has insured six of the 10 largest data breaches in the world, said most retailers are up-to-speed on ZIP code collection laws and are also well protected against fines and penalties stemming from privacy violations.
“I haven’t seen any significant cases related to this for a while,” he said. “Most companies have changed their business practices — once you stop collecting the ZIP codes the exposure goes away. If a retailer is violating privacy laws and collecting ZIP codes when they shouldn’t be, that is covered by the cyber policy, which covers cyber liability and third-party claims arising from privacy violations.”
However, Kornfeld argued that while retailers adapted their business practices in California after the class action lawsuits of 2011, they may not necessarily have done the same in other states.
According to Bob Parisi, leader of the network security and privacy practice at Marsh, ZIP code collection is “the least of retailers’ worries.” He said a more relevant concern is keeping up with state and federal privacy regulations including mandatory incident response plans that first emerged on the East Coast and are now working their way west across the country. “Now if retailers hold personally identifiable information and are operating in various states, they have to have an incident response plan in place that meets a certain minimum level of efficacy,” he said.
“Retailers are also subject to nongovernmental regulations in the form of payment card industry (PCI) regulations set by card companies that require companies holding credit card information to comply with their standards,” Parisi said.
Data Breach Protection
Concerns over data privacy are intrinsically linked to the risk of data breach — after all, it is highly unlikely consumers would be aware of any violations of privacy law by a retailer or pursue litigation against them unless they were made aware that their personal information had been lost or stolen. The response required by Target to deal with the fallout from its data breach cost the company $61 million — half of its quarterly profits — in Q4 alone. And there is no indication yet of the value of class action suits the company may face when it comes to cyber liability.
Retailers are right on the front line of this evolving threat. According to Cisco Systems, the retail sector had 60 percent more malware encounters than the cross-industry median in 2013, but it was by no means the most attacked sector. By comparison, the agriculture and mining, electronics and pharmaceutical/chemical sectors all registered more than 600 percent above the median, while energy, oil and gas was 430 percent higher.
Yet, there is no denying that when it comes to personal data, retail companies offer some of the most attractive targets due to the huge number of records they possess. “The retail sector is just as exposed as banks, health care, airlines or hotels. All these companies hold the same type of information. However, retailers have a severity to them right now,” said Bantick.
“Are retailers becoming a greater risk, or is it just that some hackers have found a way to get through security and have been able to replicate that on several retailers? I don’t know yet if there is some kind of ‘worst class’ developing,” he said. “Clearly, it’s a bad patch for retailers. Maybe it’s another industry’s turn soon.”
Notwithstanding the coverage litigation controversies seen in California, Parisi said, the insurance market has done a decent job keeping up with the threats retailers face and continuing to provide appropriate coverage. “The market has been behaving fairly well in terms of responding to losses, and offering broad, flexible coverage,” he said.
However, he added, recent high-profile losses have put some carriers off the class. “In the last couple of months, we have seen some carriers search their souls as to whether they want to continue to insure retailers, but that’s hardly surprising,” Parisi said.
“Some carriers are aggressively pursuing the risk and asking tough questions, but when they get their answers they are more than willing to put up their capital to insure the companies. Others want nothing to do with retailers whatsoever.”
Meanwhile, Bantick said, it is naïve to think any company can completely eliminate the threat of data breach, warning retailers that it is a case of when, and not if, they will be attacked. However, with retailers accounting for about 25 percent of its cyber portfolio, it is little surprise Beazley is one of the carriers happy to provide coverage against the risk. “It’s what we do,” he said.
Target Breach a Threat to All
Computer security breaches that enable the theft of confidential financial information are no laughing matter. Just ask the 110 million or so people who have been affected by the infamous hack into Target’s customer-facing systems. So why should we in the insurance industry be sitting up and taking notice?
Internet sources report that this particular break-in used a form of memory-scraping malware technology that captures information as it is being input at the point of sale, but before it can be encrypted in the retailer’s systems.
We in the seemingly safe insurance sector may feel bad for our friends in retail, but before we get to feeling too comfy, it would be wise to consider that retail isn’t the only industry using point-of-sale (POS) devices. In fact, such input devices are used in lots of industries — retail, hospitality and health care among them.
It is that final class of users that should give us pause in the insurance sector. In case you weren’t paying attention, the Affordable Care Act requires electronic record-keeping. This naturally involves uncountable points of sale in doctors’ offices, clinics, and hospitals, not to mention places like Wal-Mart that are beginning to offer insured health care services.
In the Target heist, an executive reported that someone had actually installed the malware on its POS systems. How that was done is a mystery at this writing, but one has to assume that these systems were connected to the Internet — which would allow the thieves to then retrieve the stolen data remotely. So, it seems likely that the malware was also remotely introduced into Target’s systems, as well as those of Neiman Marcus and other affected retailers.
These kinds of attacks are not exactly on the cutting edge of technology, however. According to InformationWeek, “Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet.” So, it won’t just be the most advanced thieves who pull off these kinds of crimes. The less-sophisticated, whether here or abroad, will likely be able to do the same.
Personal financial information is an extremely valuable commodity on the black market, and if you’re a criminal, it seems surprisingly easy to steal. Hackers can sell the credit card numbers for $35 to $100 each, while gold or platinum credit cards go for $60 each, business credit cards for $80 and some platinum cards for $100, said Cisco security researcher Levi Gundert in a blog posting. Interestingly, the information stolen in the Target incident includes names, addresses, credit card numbers, PINs and other data that enable thieves to assume an individual’s identity — which could lead to far bigger losses for those who are victimized.
Here’s the bottom line. Many of the individuals affected by the Target, et al., breach are promising never to do business with the involved retailers again. But what if the breached party was a major broker or insurer? Can insurance companies and brokers — already involved in a dog-eat-dog competition for insureds — afford to have that kind of backlash aimed at them?
The answers remain to be seen, but it is clear that with cyber crime escalating and becoming easier to perpetrate, our industry cannot stand back and hope the boogeyman goes away.
Achieving More Fluid Case Management
Risk management practitioners point to a number of factors that influence the outcome of workers’ compensation claims. But readily identifiable factors shouldn’t necessarily be managed in a box.
To identify and discuss the changing issues influencing workers’ compensation claim outcomes, Risk & Insurance®, in partnership with Duluth, Ga.-based Healthcare Solutions, convened an April roundtable discussion in Philadelphia.
The discussion, moderated by Dan Reynolds, editor-in-chief of Risk & Insurance®, featured participation from four tenured claims management professionals.
This roundtable was ruled by a pragmatic tone, characterized by declarations on solutions that are finding traction on many current workers’ compensation challenges.
The advantages of face-to-face case management visits with injured workers got some of the strongest support at the roundtable.
“What you can assess from somebody’s home environment, their motivation, their attitude, their desire to get well or not get well is easy to do when you are looking at somebody and sitting in their home,” said participant Barb Ritz, a workers’ compensation manager in the office of risk services at the Temple University Health System in Philadelphia.
Telephonic case management gradually replaced face-to-face visits in many organizations, but participants said the pendulum has swung back and face-to-face visits are again more widely valued.
In-person visits are beneficial not only in assessing the claimant’s condition and attitude, but also in providing an objective ear to annotate the dialogue between doctors and patients.
“Oftentimes, injured workers who go to physician appointments only retain about 20 percent of what the doctor is telling them,” said Jean Chambers, a Lakeland, Fla.-based vice president of clinical services for Bunch CareSolutions. “When you have a nurse accompanying the claimant, the nurse can help educate the injured worker following the appointment and also provide an objective update to the employer on the injured worker’s condition related to the claim.”
“The relationship that the nurse develops with the claimant is very important,” added Christine Curtis, a manager of medical services in the workers’ compensation division of New Cumberland, Pa.-based School Claims Services.
“It’s also great for fraud detection. During a visit the nurse can see symptoms that don’t necessarily match actions, and oftentimes claimants will tell nurses things they shouldn’t if they want their claim to be accepted,” Curtis said.
For these reasons and others, Curtis said that she uses onsite nursing.
Roundtable participant Susan LaBar, a Yardley, Pa.-based risk manager for transportation company Coach USA, said when she first started her job there, she insisted that nurses be placed on all lost-time cases. But that didn’t happen until she convinced management that it would work.
“We did it and the indemnity dollars went down and it more than paid for the nurses,” she said. “That became our model. You have to prove that it works and that takes time, but it does come out at the end of the day.”
The ultimate outcome
Reducing costs is reason enough for implementing nurse case management, but many say safe return-to-work is the ultimate measure of a good outcome. An aging, heavier worker population plagued by diabetes, hypertension, and orthopedic problems and, in many cases, painkiller abuse is changing the very definition of safe return-to-work.
Roundtable members were unanimous in their belief that offering even the most undemanding forms of modified duty is preferable to having workers at home for extended periods of time.
“Return-to-work is the only way to control the workers’ comp cost. It’s the only way,” said Coach USA’s Susan LaBar.
Unhealthy households, family cultures in which workers’ compensation fraud can be a way of life and physical and mental atrophy are just some of the pitfalls that modified duty and return-to-work in general can help stave off.
“I take employees back in any capacity. So long as they can stand or sit or do something,” Ritz said. “The longer you’re sitting at home, the longer you’re disconnected. The next thing you know you’re isolated and angry with your employer.”
Whose story is it?
Managing return-to-work and nurse supervision of workers’ compensation cases also play important roles in controlling communication around the case. Return-to-work and modified duty can more quickly break that negative communication chain, roundtable participants said.
There was some disagreement among participants in the area of fraud. Some felt that workers’ compensation fraud is not as prevalent as commonly believed.
On the other hand, Coach USA’s Susan LaBar said that many cases start out with a legitimate injury but become fraudulent through extension.
“I’m talking about a process where claimants drag out the claim, treatment continues and they never come back to work,” she said.
Social media, as in all aspects of insurance fraud, is also playing an important role. Roundtable participants said Facebook is the first place they visit when they get a claim. Unbridled posts of personal information have become a rich library for case managers looking for indications of fraud.
As daunting as co-morbidities have become, roundtable participants said that data has become a useful tool. Information about tobacco use, weight, diabetes and other complicating factors is now being used by physicians and managed care vendors to educate patients and better manage treatment.
“Education is important after an injury occurs,” said Rich Leonardo, chief sales officer for Healthcare Solutions, who also sat in on the roundtable. “The nurse is not always delivering news the patient wants to hear, so providing education on how the process is going to work is helpful.”
“We’re trying to get people to ‘Know your number’, such as to know what your blood pressure and glucose levels are,” said SCS’s Christine Curtis. “If you have somebody who’s diabetic, hypertensive and overweight, that nurse can talk directly to the injured worker and say, ‘Look, I know this is a sensitive issue, but we want you to get better and we’ll work with you because improving your overall health is important to helping you recover.’”
The costs of co-morbidities are pushing case managers to be more frank in patient dialogue. Information about smoking cessation programs and weight loss approaches is now more freely offered.
Managing constant change
Anyone responsible for workers’ compensation knows that medical costs have been rising for years. But medical cost is not the only factor in the case management equation that is in motion.
The pendulum swing between technology and the human touch in treating injured workers is ever in flux. Even within a single program, the decision on when it is best to apply nurse case management varies.
“It used to be that every claim went to a nurse and now the industry is more selective,” said Bunch CareSolutions’ Jean Chambers. “However, you have to be careful because sometimes it’s the ones that seem to be a simple injury that can end up being a million-dollar claim.”
“Predictive analytics can be used to help organizations flag claims for case management, but the human element will never be replaced,” Leonardo concluded.