Factor Compliance into Wearable Tech Plans
More employers are considering whether to encourage or even require employees to use wearables to reduce workplace injuries, lower workers’ comp claims and even lower health care benefit costs. But they should take note: any potential exposure to workers’ private health information could subject employers to rules under the Health Insurance Portability and Accountability Act (HIPAA).
Wearables such as Google Glass, smart safety helmets and any number of sensor-enabled devices can identify hazardous conditions on worksites such as toxic chemical fumes or equipment under excessive pressure. Employers are also looking into clothing that carries embedded biosensors, actuators and gyroscopes to follow movement, heart rate, stress level, fatigue and countless other metrics … all of it connected wirelessly to mobile devices and computers.
But can the use of such devices expose employers to claims of HIPAA violations? What kind of due diligence will they need to do in order to ensure that their use of wearables can’t come back to haunt them later?
Julie Anderson, a principal at AG Strategy Group in Washington, D.C., said this is a murky area because policy always lags behind the development and use of technology. HIPAA was passed in 1996, and nine years later, in 2005, its first privacy rule relating to health care data was released. Those rules were updated in 2013.
“It’s a complex set of issues, and it can take that long for policymakers to react to what’s happening in the marketplace, particularly regarding how health care entities are using technology and handling the data they collect,” Anderson said.
The first category of those required to comply with HIPAA is individuals or entities that come into contact with personal health care data that could be sensitive, she said. The second category is business associates, such as an accounting firm that audits claims data containing personal care diagnostic codes for a health insurance company. That accounting firm must enter into a business associate agreement with the insurance company, a contract mandated by the federal government and enforced by the Department of Health and Human Services.
In 2013 the regulation changed, and the business associate definition was broadened to include technology and manufacturing companies that receive, transmit or store personal health care data, Anderson said.
“It is possible that all technology providers in the chain of custody of personal health care data from the wearable manufacturer to the Internet service provider to the cloud provider could someday be subject to HIPAA,” she said. “But for employers who urge their workers to use wearables, this is a murky area of law not established in case law, so it’s unclear whether they would be held liable.”
If employers are outsourcing the management and storage of their employees’ data collected from the wearables, as well as the decision-making based on that data, then every single entity that touches that data in theory needs to be HIPAA compliant, Anderson said. That could also mean the employer has potential exposure, if employees view their data on the third-party website using the employer’s computer.
“Plaintiff attorneys may want to sue as many parties as possible,” she said.
Employers considering the use of wearables first should make sure their third-party providers are covered by a business associate agreement that they have entered into with a HIPAA-covered entity such as a health care clearinghouse, Anderson said. Employers should also make sure these parties are HIPAA compliant where applicable, if they are handling personal health information.
“If it’s a situation where an employer is mandating the use of wearables which can interact with personal and private activities, and employees are not involved in policymaking, that could be inviting a world of hurt in terms of legal action,” she said. While the law is not yet settled in this area, “if they have employee participation in the development of those policies governing voluntary participation, it becomes harder for a plaintiff attorney to say the employer did this to an employee.”
David Gibson, vice president at Varonis Systems Inc., a New York City-based software vendor for the management and protection of unstructured data, said the first question employers should ask themselves is whether they are storing any health or patient-related data as a result of wearables, which would then make the company itself a business associate to a HIPAA-covered entity.
Employers also have to know exactly where that data is warehoused, he said.
“You might be surprised, but a lot of companies lose track of where their sensitive data is stored,” Gibson said. “Furthermore, the data they store — particularly in file shares and Intranets — is often not very restricted. A lot of organizations are turning to automation to find health-related data that they have lost track of, and to make sure only the right people have access to it and are using it correctly.”
Another key component is figuring out when employers no longer need to keep the data, he said. A lot of organizations are determining what data should be kept for regulatory compliance or to protect themselves if they find themselves in court, and what data can and should be deleted.
To minimize risks, employers should also consider trimming their collection wishlists at the outset.
“It used to be easy to believe that more data is better, even if you weren’t sure if or how you would use it all,” Gibson said. “But organizations really need to start limiting what they collect to what they really need.”
Michael H. Cohen, founder of the Michael H. Cohen Law Group in Beverly Hills, Calif., said that even if HIPAA does not technically apply, because no insurance claims are being submitted electronically with respect to the information, mirror-HIPAA privacy and security provisions in state law could create liabilities for companies.
“HIPAA compliance is therefore best industry practice,” Cohen said.
At a minimum, compliance obligations include appointing a privacy and security official; conducting HIPAA privacy and security training for employees; putting in place a robust set of privacy and security policies and procedures, including provisions for employee discipline when negligence leads to a data breach; and conducting a risk management analysis.
“Because wearables are a relatively new technology, we are likely to see data breaches and reports of penalties in the news long before we see regulation specifically targeted to company use of wearables,” he said. “An ounce of legal prevention is more cost-effective than responding to a pound of regulatory penalties or lawsuits.”
The Weakest Link
It’s not easy being responsible for fraud prevention at a major corporation. The methods of attack are multiplying, the tactics ever more sophisticated and Machiavellian. It’s hard to keep up with all the new monikers for these techniques, let alone ensure your organization is impenetrable.
The infection of systems with malware through spam-like phishing attacks evolved some years back into “spear phishing” of specific individuals, using gathered personal information about them to make the attacks seem more believable. “Whale phishing” or “whaling” is spear phishing but for bigger fish — in other words, CEOs, CFOs and other senior executives with the power to authorize major money transfers or release sensitive data.
One recent scheme attacked the CEOs of 20,000 organizations and succeeded in implanting malware in the systems of 2,000 of them.
Most organizations have caught on to malware-based attacks, and have various layers of software protection in place to identify and block any suspicious activity. But wise to the fact that malware alone might not be good enough, fraudsters are increasingly using human interaction, simulating situations and impersonating individuals, organizations and authorities to get what they want.
IBM researchers have reportedly uncovered a new type of attack they are dubbing “Dyre Wolf,” whereby malware delivered in an attachment sits dormant within an organization’s network until it detects a user navigating to a bank website. It then creates a fake pop-up frame telling the user the website is having problems and to call a number for help with their banking needs.
At the end of the phone is an English-speaking operator who asks for confidential login details — as soon as this information is given the fraudsters immediately access the user’s bank account and instruct a large wire transfer.
Scams involving thorough background research to inform the invention of false scenarios, websites and companies are known in some quarters as “pretexting.”
Richard Thomas, principal of Ernst & Young’s fraud investigation and dispute services practice, refers to the tailoring of these attacks to individual targets as “speartexting.” Don’t be surprised if that term is the next to enter the lexicon.
One of the most prevalent “speartexting” scams (see — it’s catching on) is for an individual in the finance department of a company to be sent an email purportedly from the CEO, CFO or senior executive informing them the company is involved in a highly confidential acquisition and the individual will shortly receive communication from a major law firm sending wire transfer instructions — and due to the sensitive nature of the deal, this must be kept secret.
Thanks to the mining of information from personal emails, private servers and publicly available sources, the hackers are able to convincingly portray the executive’s tone and may, for example, know he or she is on first name terms with the finance person — who is likely flattered the CEO has chosen them for this task. The target then receives a call or email from a fake lawyer, providing wire instructions and reiterating the importance of confidentiality. You know the rest.
“These fraudsters prey on human nature — the desire to help clients, solve problems right away and frankly to protect their own jobs. That’s a very effective play,” said Greg Bangs, chief underwriting officer of global crime at XL Catlin.
The scale of this kind of crime, and its cost to corporate America is unfathomable — literally. There is no reliable data on the monetary value of losses associated with this new wave of sophisticated spearing scams but it undoubtedly runs into billions of dollars. According to sources, individual losses so far have ranged from tens of thousands to, staggeringly, tens of millions.
It’s safe to assume the gangs perpetrating these crimes — believed primarily to operate in Eastern Europe, Russia, China and other parts of Asia — are now extremely wealthy.
“It’s incredibly lucrative for the fraudsters,” said EY’s Thomas. “The more clients I speak to about this issue, the more I hear of it being successful. And it’s costing companies more than just the loss — there is then the cost associated with investigating the issue and increasing controls to prevent it happening again. Billions of dollars are being spent annually on protecting companies in the U.S.”
The cost of these so-called “socially engineered” schemes is particularly difficult to gauge, not only because the practice is relatively new but also because so many instances go unreported.
“Many organizations don’t want their customers thinking there is a failure in their systems or a weakness in their controls so they brush it under the carpet,” said XL Catlin’s Bangs.
“We strongly recommend all attacks be reported to the police. The only way we are going to stop these people is by providing law enforcement with enough information about ongoing scams to help them prevent them before they get worse.”
“Companies need to decide whether they want to stop the fraud and keep it internal or try to control the fraud, get law enforcement involved and hope they’ll be able to one day catch the criminals and possibly recover their money or other people’s lost money,” said Chris Giovino, director of forensic investigation, crime and cyber evaluation risk quantification at Aon Global Risk Consulting, adding, “If you’ve already sent a wire transfer within the last 24 hours, the bank has a strong chance of freezing the account and having the money returned before it washes out to another account.”
The latest scams have primarily been aimed at large organizations due to their attractive bounties and array of executives to target. However, anyone can become a victim and the attackers are moving down the food chain.
“Perhaps not ‘mom and pop shops,’ but smaller private companies and nonprofits will be as vulnerable to this as larger organizations going forward,” said Bangs.
Michael Peters, himself a certified hacker (one of the good ones), computer forensic examiner, and IT director for the Risk and Insurance Management Society (RIMS), believes Wi-Fi is the weak spot most likely to be exploited in the next generation of scams.
“The more our world advances towards wireless technology, the more people trust entering their private details over wireless connections. Cars and planes now offer wireless technology, which is going to open up a plethora of vulnerability for hackers to target,” he said.
This is bad news, considering the chances of recouping money or catching the criminals in the wake of a successful scam are low, and most traditional insurance policies still don’t cover this kind of loss, as it falls in the gap between conventional crime and cyber policies.
“We are not having a lot of success in recovery through crime policies when it comes to social engineering losses,” Giovino said. “It’s a very gray area, but I do know that brokers, on behalf of policyholders, are working with carriers to address this and some carriers are rewriting policies to be more inclusive and bring them up to date.”
Response and Prevention
EY’s Thomas said it is vital companies put response plans in place so they can react quickly if they fall victim to an attack.
“The first priority for businesses is to recover lost data or money — call the bank; stop the payment,” he said, noting that it is not uncommon for companies to get so caught up in establishing how they were duped that they neglect to take this fundamental step.
Companies should immediately change their banking passwords, obtain a list of pending transactions and recent wire transfers, and inform law enforcement, he added.
“You then need to understand what has happened — the goal of the perpetrator; whether there is an insider threat, either deliberately or inadvertently, from someone in the organization; and whether there are any ‘sleeper mechanisms’ within the network that could be deployed against you at a later date,” Thomas explained. This, of course, requires the expertise of internal or third-party IT experts.
Next, companies need to establish how they can control their environment to ensure they don’t become victims again.
“Companies can fight back from a pre-loss position, as this is preventable,” said Giovino, placing the risk manager at the heart of the process.
“The risk manager is pivotal. Although this sounds like a security or finance problem, the risk manager is the person in the company who owns the problem because the loss is potentially insurable and restitution or recovery can only come from insurance.”
The first line of defense is the best and latest software to filter out as much suspicious activity as possible. RIMS’ Peters is responsible for protecting not only his organization but the data of 11,000 member companies, and employs four layers — or “sentries” — of protection and redundancies, from anti-spam and anti-malware programs to desktop client protection.
But the biggest challenge with social engineering is that it preys more on human behavior than system flaws.
“You are only as strong as your weakest link, which is your end user,” admitted Peters. That’s why organizations must implement written protocols and procedures, backed up with staff training to instill awareness — as well as giving staff the confidence to question their superiors if they smell a rat.
Indeed, Bangs added, that training must include senior executives too as they are primary targets.
“If a company [mandates that] anyone initiating a wire transfer must have secondary approval, it must be inculcated into the mindset of everybody that this policy cannot be overridden — even by the CEO or president.”
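The secondary-approval rule Bangs describes is easier to hold to when the payment system itself refuses a single-person path, rather than relying on the clerk to resist a convincing "CEO". The following Python model is an added example, not code from the article or from XL Catlin or any vendor; the users, amounts and beneficiary are constructed. It enforces separation of duties on a wire request: the initiator can never be the approver, seniority grants no bypass (there is deliberately no override argument), an "urgent" flag is recorded but never shortens the path, and the release step re-checks the rule independently of the approval step.

```python
"""Two-person control for outbound wire transfers (illustrative model, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Status(Enum):
    PENDING = auto()
    APPROVED = auto()
    RELEASED = auto()
    REJECTED = auto()


class PolicyViolation(Exception):
    """Raised when an action would bypass the two-person rule."""


@dataclass(frozen=True)
class User:
    name: str
    title: str          # informational only: a title such as "CEO" grants no bypass
    can_approve: bool   # membership in the approver group, assigned by role


@dataclass
class WireRequest:
    request_id: str
    amount: float
    beneficiary: str
    initiated_by: User
    urgent: bool = False            # recorded for the audit trail; never changes the checks
    status: Status = Status.PENDING
    approved_by: Optional[User] = None
    audit_log: list[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        self.audit_log.append(f"{self.request_id}: {event}")


def approve(req: WireRequest, approver: User) -> WireRequest:
    """Second-person approval. There is intentionally no 'override' parameter."""
    if req.status is not Status.PENDING:
        raise PolicyViolation(f"{req.request_id} is {req.status.name}, not PENDING")
    if not approver.can_approve:
        raise PolicyViolation(f"{approver.name} ({approver.title}) is not an approver")
    if approver == req.initiated_by:
        raise PolicyViolation(f"{approver.name} initiated this transfer and cannot approve it")
    req.approved_by = approver
    req.status = Status.APPROVED
    req.log(f"approved by {approver.name}; urgent={req.urgent}")
    return req


def release(req: WireRequest, operator: User) -> WireRequest:
    """Hand the transfer to the bank. Re-checks the rule even though approve() already did."""
    if req.status is not Status.APPROVED or req.approved_by is None:
        raise PolicyViolation(f"{req.request_id} has no recorded second approval")
    if req.approved_by == req.initiated_by:
        raise PolicyViolation("initiator and approver are the same person")
    req.status = Status.RELEASED
    req.log(f"released by {operator.name}")
    return req


def reject(req: WireRequest, user: User, reason: str) -> WireRequest:
    """Anyone in the workflow may stop a transfer; only a second person may advance it."""
    req.status = Status.REJECTED
    req.log(f"rejected by {user.name}: {reason}")
    return req


def demo() -> dict[str, str]:
    """Constructed scenario mirroring the scam: the 'CEO' initiates a confidential, urgent wire."""
    clerk = User("Pat", "AP clerk", can_approve=False)
    controller = User("Sam", "Controller", can_approve=True)
    ceo = User("Alex", "CEO", can_approve=True)
    req = WireRequest("WR-1001", 250_000.00, "Constructed Escrow LLC",
                      initiated_by=ceo, urgent=True)
    outcomes: dict[str, str] = {}
    for label, action in [
        ("release_before_approval", lambda: release(req, clerk)),
        ("ceo_self_approval", lambda: approve(req, ceo)),
        ("clerk_approval", lambda: approve(req, clerk)),
    ]:
        try:
            action()
        except PolicyViolation as exc:
            outcomes[label] = str(exc)
    approve(req, controller)   # a different, authorised person
    release(req, clerk)        # only now can the clerk send it
    outcomes["final_status"] = req.status.name
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the duplicated check in `release()` is defense in depth: if a future change to `approve()` introduced a bypass, the release path would still refuse a transfer whose initiator and approver coincide.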
“I do believe that with a combination of training and a hard look at technology and processes, companies can mitigate most of this risk,” added Thomas.
Once software, protocols and training have been implemented, the system should then be tested with fake scams to root out potential weaknesses.
The final defense against social engineering is insurance — although not everyone can access it yet.
“The insurance industry has not kept up with the exposure or developed response policies,” said Peters. And that, broadly speaking, is true — traditional commercial crime, funds transfer fraud or computer fraud policies are unlikely to provide cover because these crimes involve individuals or organizations being coerced to act of their own accord; the criminal does not actually steal the property themselves, nor do they use the target company’s computers to do it.
AXIS is one of only a handful of insurers to have already developed a social engineering fraud coverage endorsement as part of its commercial crime insurance product, addressing the risks organizations face when cyber criminals pose as senior executives to manipulate employees into transferring funds.
“Our decision was to be more proactive rather than reactive to this evolving need for coverage,” said Lisa Block, vice president and commercial crime product manager at AXIS. “Social engineering is a hot topic of discussion in the crime insurance sector right now. Instead of remaining silent on this issue as some carriers have, we decided to offer an affirmative statement of coverage for this specific type of loss.”
And it appears the tide is turning. “The insurance industry is very focused on this,” Thomas said. “Companies are concerned. As dialogue continues, we continue to see changes in the way companies address this risk through insurance and how insurers address this risk in their policies.”
“We feel that crimes of this nature that result in a financial loss for insureds should be legitimately covered going forward,” added Bangs, revealing that XL Catlin will also roll out a product extension later this year covering social engineering fraud, also known as fraudulent impersonation.
But carriers won’t issue coverage without carefully assessing an insured’s ability to protect itself.
Yet more reason to ensure the culture of caution and awareness seeps through every pore of every organization. The cyber criminals are, as ever, one step ahead of corporate America.
Only education, and a willingness by victim organizations to come forward when attacked, can erode their advantage.
Detention Risks Grow for Traveling Employees
It used to be that most kidnapping events were driven by economic motives. The bad guys kidnapped corporate employees and then demanded a ransom.
These situations are always very dangerous and serious. But the bad guys’ profit motive helps ensure the safety of their hostages in order to collect a ransom.
Recently, an even more dangerous trend has emerged. Governments, insurgents and terrorist organizations are abducting employees not to make money, but to gain notoriety or for political reasons.
Without a ransom demand, an involuntarily confined person is referred to as ‘detained.’ Each detention event requires a specialized approach to try to negotiate the safe return of the hostage, depending on the ideology or motivation of the abductors.
And the risk is not just faced by global corporations but by companies of all sizes.
“Practically any company with employees traveling abroad or operations overseas can be a target for a detention risk,” said Tom Dunlap, assistant vice president at Liberty International Underwriters (LIU). “Whether you are setting up a foreign operation, sourcing raw materials or equipment overseas, or trying to establish an overseas sales contract, people are traveling everywhere today for so many reasons.”
Emerging Threats Driven By New Groups Using New Tools
Many of the groups who pose the most dangerous detention threats are well versed in how to use the Internet and social media for PR, recruiting and communication. ISIS, for example, generates worldwide publicity with their gruesome videos that are distributed through multiple electronic channels.
Bad guys leverage their digital skills to identify companies and their employees who conduct business overseas. Corporate websites and personal social media often provide enough information to target employees who are working abroad.
And if executives are too well protected to abduct, these tools can also be used to identify and target family members who may be less well protected.
The new groups that pose the most dangerous risks are generally classified into three categories:
Insurgents – Detentions by these groups are most often intended to keep a government or humanitarian group from delivering services or aid to certain populations, usually in a specific territory, for political reasons. They also take hostages to make a political statement and, on occasion, will ask for a ransom.
In other cases, insurgent groups detain aid workers in order to provide the aid themselves (to win over locals to their cause). They also attempt prisoner swaps by offering to trade their hostages for prisoners held by the government.
The most dangerous groups include FARC (Colombia), ISIS (Syria and Iraq), Boko Haram (Nigeria), Taliban (Pakistan and Afghanistan) and Al Shabab (Somalia).
Governments – Often use detention as a way to hide illegal or suspect activities. In Iran, an American woman was working with Iranian professors to organize a cultural exchange program for Iranian students. Without notice, she was arrested and accused of subversion to overthrow the government. In a separate incident, a journalist was thrown in jail for not presenting proper credentials when he entered the country.
“Government allegations against detainees vary but in most cases are unfounded or untrue,” said Dunlap. “Often these detentions are attempts to prevent the monitoring of elections or conducting inspections.”
Even local city and town governments present an increased detention risk. In one recent case, a local manager of a foreign company was arrested in an attempt to force a favorable settlement in a commercial dispute.
Ideology-driven terrorists – Extremist groups such as Boko Haram and ISIS are grabbing most of today’s headlines with their public displays of ultra-violence and unwillingness to compromise. The threat from these groups is particularly dangerous because their motives are based on pure ideology and, at the same time, they seek media exposure as a recruiting tool.
These groups don’t care who they abduct — journalist, aid worker, student or private employee – they just need hostages.
“The main idea here is to shock people and show how governments and businesses are powerless to protect their citizens and employees,” observed Dunlap.
Mitigating the Risks
Even if no ransom demands are made, an LIU kidnap and ransom policy will deliver benefits to employers and their employees encountering a detention scenario.
For instance, the policy provides a hostage’s family with salary continuation for the duration of their captivity. For a family who’s already dealing with the terror of abduction, ensuring financial stability is an important benefit.
In addition, coverage provides for security for the family if they, too, may be at risk. It also pays for travel and accommodations if the family, employees or consultants need to travel to the detention location. Then there are potential medical and psychological care costs for the employee when they are released as well as litigation defense costs for the company.
LIU coverage also includes expert consultant and response services from red24, a leading global crisis management assistance firm. Even without a ransom negotiation to manage, the services of expert consultants are vital.
“We have witnessed a marked increase in wrongful detentions involving the business traveler. In some regions of the world wrongful detentions are referred to as ‘business kidnappings.’ The victim is often held against their will because of a business dispute. Assisting a client who falls victim to such a scheme requires an experienced crisis management consultant,” said Jack Cloonan, head of special risks for red24.
Without coverage, the fees for experienced consultants can run as high as $3,000 per day.
Given the growing threat, it is more important than ever to be well versed about the country your company is working in. Threats vary by region and country. For example, in some locales safety dictates to always call for a cab instead of hailing one off the street. And in other countries it is never safe to use public transportation.
LIU’s coverage includes thorough pre-travel services, which are free of charge. As part of that effort, LIU makes its crisis consultants available to collaborate with insureds on potential exposures ahead of time.
Every insured employee traveling or working overseas can access vital information from the red24 website. The site contains information on individual countries or regions and what a traveler needs to know in terms of security/safety threats, documents to help avoid detention, and even medical information about risks such as pandemics, etc.
“Anyone who is a risk manager, security director, CFO or an HR leader has to think about the detention issue when they are about to send people abroad or establish operations overseas,” Dunlap said. “The world is changing. We see many more occasions where governments are getting involved in detentions and insurgent/terrorist groups are growing in size and scope. It’s the right time for a discussion about detention risks.”
For more information about the benefits LIU kidnap and ransom policies offer, please visit the website or contact your broker.
Liberty International Underwriters is the marketing name for the broker-distributed specialty lines business operations of Liberty Mutual Insurance. Certain coverage may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. This literature is a summary only and does not include all terms, conditions, or exclusions of the coverage described. Please refer to the actual policy issued for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.