Brian Duperreault, CEO of Hamilton Insurance Group, delivered these remarks to the recent Global Insurance Forum, held by the International Insurance Society (IIS) in New York City. It’s a real pleasure to be with you at what is arguably one of the most important annual events in our industry. I was just 18 years old when the International Insurance Society had its first global meeting in Austin, Texas. I entered the industry in my 20s and joined the IIS in my 30s. Since then, I’ve benefitted professionally and personally from the knowledge I’ve gained and the friends I’ve made at these annual meetings. Today, I’m going to talk about an issue that represents a distinct threat to our industry. I might even go so far as to call it an existential threat. But, like all threats, it also represents a great opportunity. In it could lie the seeds of a legacy of meaningful change for each of us charged with leading our industry. So I’m going to address the question: Can we disrupt ourselves? I’m going to start by saying a few words about Twitter. Bear with me. I do have a point to make that’s relevant to insurance. Twitter has one billion registered users so far... about one human out of every seven on Earth. Only 6% of Twitter users are over the age of 45. More than 300 million active users—most of them under 45—join Twitter each month. Twitter started as a platform for sharing personal moments. It’s morphed into an information delivery system that plays a major role in distributing news, marketing products and affecting the outcome of political and social developments. And this instant, real-time communication comes with the restriction that you can only use 140 characters to get your message across. Twitter’s simple idea completely disrupted the way we communicate. I used Twitter as an example of disruption last week when I spoke at the Young Professionals Global Forum in London. I called that speech "Risk in 140 Characters." Since then, the CEO of Twitter has stepped down amid charges that the platform isn’t evolving as quickly as it should, and there’s been a lot of soul searching about how this disruptive form of social media can keep current in this ever-changing, ever-evolving age of disruption. In spite of Twitter’s challenges, I believe the metaphor is a good one. It’s time to select, analyze and price risk, faster and more efficiently – the equivalent of risk in 140 characters. The young professionals I spoke to last week are all digital natives. As Don Tapscott, who studies the digital economy, says: They’ve been bathed in bits since they were born. They embrace technology and use it to navigate their world, their relationships and their work swiftly and creatively. These digital natives are mobile, wireless and connected with their peers all over the globe. Meanwhile, in the other corner, I—and most of my friends here in this room—are digital immigrants. We’ve had to make a deliberate and conscious choice to adapt to digital ways of doing what we used to do on paper, over the telephone, or through other physical or, at best, analog, means. Even though it was our generation who invented the Internet, many of us have the feeling of being strangers in a strange land. Using search engines and apps to navigate life and work doesn’t come naturally to us. We digital immigrants tend to shun social media or dabble around the edges, still thinking Facebook, Twitter, SnapChat and Instagram are trendy chat rooms where younger people tell everybody what they’re up to a thousand times a day. But the truth is that social media, which erupted onto the scene as a means of personal contact, has quickly morphed into a powerful engine of collaboration with profound ramifications for business development. Digital natives know that. And because they know it, and use that knowledge to great effect, they are leaping ahead of the digital immigrants in our generation. There’s a term for this: digital lapping. And this lapping of one generation by another is the basis for the disruption that’s blowing apart traditional business models. For digital natives, disruption is the new normal. You know what I’m talking about. How many music stores saw iTunes coming? How many taxi dispatchers saw Uber coming? How many hotel chains saw Airbnb coming? How many Blackberry execs even saw the iPhone coming? Well, maybe they saw the iPhone coming, but it’s an understatement to say their reaction was too little, too late. Pick any industry, and you can see the pattern emerging. The automotive industry is a telling example. Sergio Marchionne, CEO of Fiat Chrysler, recently said he’s “more determined than ever to pursue industry consolidation lest technology disrupters beat the auto industry at its own game.” Marchionne’s warning came after a meeting at Google and Tesla, and after spending almost an hour in a driverless car. “The agenda needs to be moved,” he said, “or all these technology disrupters will come in and make our life incredibly uncomfortable.” Clearly, all industries are facing massive disruptions because of technology. With new models of service delivery, new categories of products and restructured value chains, society and the customer expect far more than traditional businesses can offer. These expectations represent a potentially bleak scenario for the insurance industry, because in many respects we are way behind the curve as far as technology is concerned. And we are groping in the dark for an effective solution to attract digital natives to the industry. Digital natives are the much-discussed, much-researched Millennials. Born in the eighties and nineties, they’re the offspring of the Baby Boomers. They’re sometimes known as Echo Boomers or the App Generation. Millennials are the most diverse generation we’ve ever had. In the US, 35% are non-white, and researchers who study generational differences say they are the most tolerant generation yet, believing everyone should be part of the community. We’ve been studying Millennials for quite a while, so we know a lot about them:

• They want to be team players.
• They want their careers to have purpose.
• They want to build new things that matter.
• They use social media to collaborate. They crowd-source everything from fundraising to business capital.
• They fight for worthy causes by alerting each other to things that distress them.
• They don’t see much difference between work and leisure, and don’t see the point of rigid work schedules and being tied to an office.
• They see hierarchy as an obsolete impediment to team progress. They need to get things done, and waiting for permission doesn’t strike them as sensible.

Now, does that list describe how the typical insurance company operates? I don’t think so.That’s a red flag that we need to pay attention to. Consider this:

• Almost half of insurance professionals in the U.S. are over the age of 45.
• 25% of all the people working in our industry will be eligible to retire in just three years.
• That means that, in just five years, there will be 400,000 open positions in the U.S. alone.

Five years ago, Accenture warned that it’s hard to attract Millennials to a career in insurance. Accenture noted that “the industry’s apprentice structure—with its long learning curve and slow promotions—in no way suits a Millennial’s expectation of getting rapid feedback, or working in a flat organization that offers dynamic career development.” Since then, more alarm bells have been rung. Recently, a report found that only 5% of high school and college graduates thought a career in insurance was worth looking at. When asked why, they said they thought the industry was dull and conservative and doesn’t offer much of a chance to make a difference. For someone whose whole career has been dedicated to an industry that promises to protect, that really hurts. At the very least, we’ve done a terrible job in helping people to understand the value in what we do. With hundreds of thousands approaching retirement in an industry that’s dismissed as boring and static, and with disruption looming on the horizon, I believe we’re staring into the jaws of a crisis. Millennials are not only our future workforce, they’re our future customer base. And our industry, quite simply, is not prepared to attract the numbers we need, with the skills we need, to take charge of the disruption we know is coming. The men and women in this room have presided over some of the great developments in our industry: Catastrophe modeling, deregulation and globalization all happened on our watch. We’re not strangers to bold moves. Innovation isn’t a foreign concept. But collectively we don’t seem to know how to crack this nut: How do we attract hyper-connected, entrepreneurial digital natives into the generally old-school world that so desperately needs them? I know there are pockets of energy devoted to finding a solution to this problem. MyPath has been established by the Institutes and affiliates as an industry-led effort to raise awareness of insurance as a career, and to provide information about the industry as well as job opportunities. Hamilton USA, the US operations of Hamilton Insurance Group, is one of the industry partners participating in MyPath. And there’s Tomorrow’s Talent Challenge, an awareness campaign established by Valen, which provides predictive analytic and modeling capabilities to the industry. Valen is so concerned about the lack of interest the digital generation is showing in insurance that it created Tomorrow’s Talent Challenge “as a rallying cry for the insurance industry to band together to sell exciting, innovative careers in insurance to Millennials.” These are laudable efforts – driven by the same sense of urgency that I’m outlining here. But they’re not enough. We need a focused, coordinated strategy embraced by some of the major players in our industry. We need a collaborative commitment like the one announced a few months ago. In January, as many of you know, a consortium of eight companies from our sector announced a far-reaching initiative to provide insurance to the underserved. My company is proud to be one of the partner companies. We referred to the new entity as the Microinsurance Venture Incubator - or MVI. Quite a mouthful. This morning, we announced that the venture has a much better name. After inviting more than 100,000 employees in our partner companies to help us name the MVI, we chose Blue Marble Microinsurance. This is a great name. It really captures the spirit of our venture. It reminds us of how connected we all are – ever more so in this digital age. Blue Marble Microinsurance takes a holistic view of our world, planning to extend protection to a broader portion of the population by providing insurance in a socially responsible and sustainable way. It offers people on the wrong side of the digital divide the stability and potential for growth that insurance makes possible. Blue Marble Microinsurance’s company partners know that the ability to manage and finance risk is critical to the development of society – any society, but most urgently to those struggling to gain a stable toehold in their pursuit of education, jobs and a prosperous future. Research and development enabled by Blue Marble Microinsurance will bring affordable insurance products to the developing world. Technology is at the base of this global project, using innovative apps to connect consumers and products on a micro level – but what drives it is our industry’s collaboration, our sense of purpose and our focus on the future. What we learn from Blue Marble Microinsurance could truly shift the insurance paradigm. Yes, it has the potential to reduce the cost of risk analysis and product distribution and delivery. And, through reverse innovation, the application of that knowledge in the developed world could be one of the most enduring legacies of this project. I have to admit to a huge sense of satisfaction at watching this concept unfold. It was three years ago – almost to the day - that I addressed the annual IIS meeting in Rio and outlined a plan for a coordinated industry effort focused on microinsurance. At the time, I said that this wasn’t the sort of project that could be tackled by one company. Many had tried, but none had succeeded. I’m delighted that Joan Lamm-Tennant is now leading the development of Blue Marble Microinsurance. Joan poured her heart and soul into taking an idea outlined in Rio in 2012 and making it a reality three years later. This initiative is a shining, innovative example of what happens when we work together to find creative risk solutions. So if we can find a way to offer coverage to literally billions in developing markets around the world, I know we can figure out how to redefine our work environments, our human resources policies and our recruiting programs in such a way that digital natives will be beating down the doors to join us. Last week, I challenged the leaders of tomorrow to take charge of their destiny and find ways to attract Millennials into the insurance industry. Today, I’m inviting you, as today’s leaders, to work together to develop a strategy for our disruption, leveraging the talent and skills of the digital generation. As I said last week, insurance should be catnip to a Millennial looking for a purpose-driven career. Let’s invite these digital natives in, make them feel welcome and give them the benefit of our considerable experience and expertise. Then, let’s step aside and let them lead the way. We have one of those rare opportunities to leave a lasting, collective legacy – one that ensures the insurance industry stays relevant and innovative and becomes the No. 1 career choice for any young person who wants to make a difference, be part of a team, keep the world working – for generations and generations to come. Blue Marble Microinsurance is proof that, when we collaborate, exciting things happen. Let’s take a disruptive step to the future – together.

Most of us don’t think twice about opening and maintaining multiple free email accounts where we live out our digital lives. And we’re getting more and more comfortable by the day at downloading and using mobile apps. Yet those behaviors can harm us. ThirdCertainty sat down with David Duncan, chief marketing officer for threat intelligence and security company Webroot, to discuss how cyber criminals are hustling to take advantage of our love of free Web mail services and nifty mobile apps. Infographic: Where malicious phishers lurk 3C: Phishing attacks leveraging our love of Google, Apple, Yahoo, Facebook and Dropbox are skyrocketing. How come? David Duncan, Webroot chief marketing officer Duncan: There are 10 times more phishing attacks based on emulating tech companies than financial firms. You’d think it would be the other way around, but it’s not. The focus is on stealing information from your various email accounts because it’s easier to spoof people into acting on something that appears to come from Google or Apple than from Bank of America or Citibank. Free resource: Stay informed with a free subscription to SPWNR 3C: Because we’re less suspicious of Google and Apple than big banks? Duncan: Yes. Phishers prey on the fact that we see those brands as trustworthy brands. 3C: What ruses should folks watch out for? Duncan: It’s the typical ones. You’ll get something advising you of the need to change your password or share your contacts. They’ll send you a link to click. A certain percentage of gullible users will click on the link and follow instructions to give up their credentials. I can’t say I know of any specific new strategies other than the fact that the focus is on impersonating big domains like Google and Yahoo because people don’t think too much about something that appears to be coming from those trusted sources. 3C: Is there really a one-in-three chance the average person will fall for a phishing scam? Duncan: Yes, there is a 30% chance of Internet users falling for a zero-day phishing attack over the course of the year. It used to be about one out of every seven phishing emails actually got through. But we’re human beings, which means we’re gullible. 3C: What about mobile apps? What’s the risk there? Duncan: A year ago, we tracked about 8 million mobile apps, and around 75% were trustworthy and 10% were benign. So 15% were malicious or suspicious. Now we’re classifying 15 million mobile apps, and we’re finding 35% to 40% are suspicious or malicious in character. 3C: That’s a pretty significant change. Duncan: People don’t think of installing an app on their mobile device as installing a potentially unwanted application that’s being delivered from an untrustworthy app store. 3C: So is this mostly an Android exposure? Duncan: Probably 90% is Android, maybe 10% is iOS. Apple has a more secured kind of walled guard for verifying and authenticating the source of applications. But it also depends on what users are accustomed to. If you go over to certain geographies in the world, people may not necessarily always go to the iTunes store. There are a lot of third-party websites where even iOS apps are cheaper or they’re free.

The well-trailed difficulties in recruiting data scientists or other analytical roles, followed by the equivalent challenge in retaining them long enough to recoup your investment, have been likened to "talent wars." There are hotspots around the UK, but it seems all areas to some extent share this experience. London is perhaps the most challenging place to retain your talent. In my own experience, it has been easier to recruit in South Wales and Bristol (the latter being particularly good for having a pool of analytical talent), while much harder in Bournemouth and Edinburgh, for example. Several factors can improve your odds, including how you advertise, whether or not you use an agency and especially how clearly you explain the role. Here are six tips: Role description Providing clarity on the role and what you expect from candidates is harder than it sounds in this sector. So many terms that you might use (like "analysis," "insight," "intelligence," "data," "modeling," "reports," "presentation," etc) are open to interpretation, and some very poorly skilled candidates use this language to describe what they can do. For this reason, I recommend avoiding technical jargon as much as possible (apart from specifying any exact software in which you require expertise). Seek to describe the role in terms of the outputs you require the person to be capable of delivering. For example, do you want a candidate who can produce analytical reports or someone who can influence marketing leaders and present information that is sufficiently persuasive to change strategy or guide design of a new campaign or product. Advertising and Agencies Advertising your role is another conundrum for the would-be hiring manager. Given the high fees charged by some recruitment agencies, for little visible effort, it's not surprising to see the growth of companies investing in their own recruitment portals and greater use of LinkedIn by recruiting managers. The latter approach has the advantage, for well-connected professionals, of both tapping into their existing networks and approaching those who both understand the language they use and may be best placed to know analysts ready for a move. However, the novelty factor has now worn off, and with so many recruitment consultants also bombarding LinkedIn users it is harder and harder to get your message across. I would certainly encourage use of your own company advertising (to tap into fans of your brand) and LinkedIn as a first step. However, despite all the charlatans in the industry, I have still seen real benefit from specialist agencies that genuinely know this market. Having recruited analysts for more than a decade now, I’ve found these informed specialist recruitment agencies few and far between and those I trust to be even rarer. However, among this rare breed, I am happy to recommend MBN recruitment. The firm always understood my brief and provided viable appropriate candidates as well as pragmatic advice on salary and approach to wooing the undecided. Motivating and Retaining As all insight leaders will be only too well aware, even though finding the right analytical talent in the first place is challenging, it can be even harder to keep them motivated, engaged and ultimately retain them long enough to see their potential realized and value added to the business. Every journey starts with a single step, as the Chinese proverb goes, and it is really important to start well. For anyone who has not yet read it, taking the approach recommended in “The First 90 Days” can be a recipe for any new hire (especially at a more senior level) to hit the ground running and make the right first impression. On-Boarding Coaching I’m also conscious that leaders of insight teams are even harder to find, so many organizations are needing to appoint, to the growing number of these roles, candidates with strong generic competencies but little or no experience of customer insight. Coaching at Work magazine recently published an article on on-boarding coaching and its growing popularity. Laughlin Consultancy can see a need for trained executive coaches with a background in customer insight leadership to help support this population to be as effective as possible through their first 90 days and so are providing that service. Performance Management Continuing motivation and engagement of analysts could be a blog post topic (if not a book) in its own right, but for now suffice to say that there is a natural tendency for this population to be more cynical. Marshall Goldsmith described most performance management systems as an occupational hazard at best, and there is a need to flex the company policy to better work for these skilled people. I was struck when reading “Punished by Rewards” as to the importance of not relying on bonuses or internal recognition systems to bribe them to work hard or give a high score in the next engagement survey - rather being genuinely interested in the work that they do and reclaiming the essential importance and nobility of that craft. For performance reviews, I would also recommend taking the approach recommended by Nancy Kline. Competencies and Career Paths One final recommendation, to achieve motivated and retained capable analysts, is to invest in a clear career path for them. People, especially analytical people, want to understand clearly how their skills match up to the ideals for each role and potential routes for their development if they can improve and "up-skill." I have seen skilled analysts become very motivated by simply having clearly documented competencies for different technical roles and seniority within them. When you add to this clarity as to potential career routes through that matrix, it can lead to conversations and planning that result in those analysts staying for many years not just months. I hope those tips are helpful to you. Please do share what has worked for you, too.

Dov Michael wrote an informative article on the relationship between optimism and longevity. (Hats off to The Doctor Weighs In.) Optimism provides a mortality advantage. Optimists live longer than pessimists, it seems. Michael writes, “There is real scientific evidence, accruing at an accelerating rate, that optimistic disposition leads to better health; the converse is true for pessimism. “Optimists are twice as likely to be in ideal cardiovascular health, according to a new study led by Rosalba Hernandez, a professor of social work at the University of Illinois.” In recent posts, we’ve explored how loneliness is a killer, as is anger. Resilience is important to longevity, too. The problem is that your doctor can’t do much to make you more optimistic. In fact, sometimes doctors inadvertently do the opposite. They can’t make you a less angry person or a less lonely person. In many ways, your health too important to trust to a doctor.

On May 29, 2015, the Montana Supreme Court affirmed the application of the notice-prejudice rule in cases of third-party claims for damages. Atlantic Casualty Ins. Co. v. Greytak, 2015 MT 149, OP 14-0412 (Mt. 2015). The rule requires the insurer to establish prejudice as a condition to denying coverage when an insured fails to provide timely notice of a claim. Background This case arose from a lawsuit initiated by GTL Inc. against John P. Greytak and Tanglewood Investors Limited Partnership (collectively, Greytak), based on Greytak’s failure to pay GTL for obligations arising from a construction project. In response, Greytak filed construction defect counterclaims against GTL. Greytak and GTL later entered into a settlement whereby GTL would notify its insurer, Atlantic Casualty Insurance Co. (Atlantic), of Greytak’s claims. According to the agreement, if Atlantic did not defend GTL or initiate a declaratory judgment action regarding coverage, then GTL would allow a $624,685.14 judgment to be entered against it and Greytak would pursue Atlantic only for recovery of the judgment. GTL notified Atlantic of Greytak’s counterclaims approximately one month after the agreement with Greytak and approximately one year after GTL first received notice of Greytak’s potential counterclaims. Atlantic initiated an action in the U.S. District Court for the District of Montana seeking a declaration as to whether it was required to defend or indemnify GTL. The District Court granted Atlantic’s motion for summary judgment and found that (a) Atlantic did not receive timely notice of Greytak’s claims against GTL and that (b) Montana law did not mandate Atlantic to demonstrate prejudice from GTL’s untimely notice. Greytak subsequently appealed to the U.S. Court of Appeals for the Ninth Circuit, which certified the question regarding the application of the notice-prejudice rule in the third-party liability context to the Montana Supreme Court. Montana Supreme Court Decision The Supreme Court followed the majority of jurisdictions, and its own ruling issued a week earlier when it adopted the notice-prejudice rule in the first-party context, and held that prejudice must be demonstrated to deny coverage when an insured provides untimely notice of a claim. The court reasoned that the purpose of the notification requirement was to provide the insurer with the opportunity to “defend its interest and to prevent or mitigate adverse judgments.” Additionally, the court noted that Montana public policy required a narrow and strict interpretation of insurance coverage exclusions to accomplish the “fundamental protective purpose” of insurance. Despite discussing the rationale of the rule, which includes mitigating adverse judgments, the court declined to address the merits of the insurer’s claims of prejudice, reasoning that such determination was outside the scope of the certified question. Significantly, however, two justices issued separate specially concurring opinions, which effectively concluded that when an insurer receives notice of a claim almost a year after the insured engaged in litigation, executed a settlement agreement without the insurer’s knowledge and deprived the insurer of any opportunity to defend its interest and to prevent or mitigate adverse judgments, prejudice is presumed as a matter of law. Moreover, in her special concurrence, Justice Laurie McKinnon proposed a limited exception to the notice-prejudice rule to provide that prejudice to the insurer would be presumed as a matter of law when an insured failed to notify the insurer of a pending lawsuit until after judgment has been entered.  Implications of the Decision As a result of the Montana Supreme Court’s holding, Montana courts affirmatively join the majority of jurisdictions that similarly hold that the notice provision of an insurance policy is essentially ineffective to deny coverage for late notice of a claim, unless the insurer can demonstrate that it was prejudiced by the untimely notice. Notwithstanding and based on the Supreme Court’s analysis, if the insurer can establish that it was deprived of the opportunity to defend its interest and to prevent or mitigate adverse judgments or that the delay was not merely technical, then there is sufficient basis to deny coverage. The court did not specifically state whether its holding was limited to occurrence-based policies, but quoted the “as soon as practicable” notice language from the typical commercial general liability policy, and footnoted that this language did not impose a specific time within which the insured must provide notice. Thus, whether the court would impose the notice-prejudice rule to claims made and reported policies is an open question under Montana law, but given the court’s footnote, it appears it would likely join the majority of jurisdictions that do not require an insurer to demonstrate prejudice resulting from late notice under a claims made and reported policy.

Some thought that my previous article, "How to Vastly Improve Catastrophe Modeling," advocating an "open-source" approach to cat models that would aggregate all human knowledge at any point in time, was  anarchist and pacifist in the tradition represented by beauty-contest participant Gracie Lou Freebush of the movie "Miss Congeniality" in her pursuit of "world peace" and sundry such altruistic ends. Some felt I was preaching from the pulpit, asking sinners to atone. Others praised the article. Some people challenged the article by saying cat models platforms from private providers were important for insurers building entry barriers and maximizing profits. Surely, maximizing profits is a fair goal. But let us examine the issues here. Just because a particular private provider has better models than others today for specific regions and perils, does that mean that it will remain better than other models from newer providers over time? At the least, just as with the "iPhone, Apple-app and app-store" ecosystem and "android-phone, android-app and app-store," there need to be multiple options to ensure that we stay on the cutting edge of innovation. The insurance industry needs to see competition between competing innovation ecosystems, so that newer and better model-providers have multiple options to fairly make more money from their innovations, thereby improving the fidelity of models used by insurers at all points of time. Essentially, a simple choice of allying with one platform vendor for all time is not a good choice for any insurer, and insurers need to "follow the models" to make their money. So encouraging platform providers that might be more attractive for the newer and better model providers is in the best interest of all insurers. Other choices are not as enlightened as they might seem. Some insurers are paying and supporting a particular private provider to construct a platform owned and operated by that provider in exchange for joint competitive advantage. The OASIS approach I recommend, on the other hand, is an attempt by a group of insurers (with some overlap to the other group) to construct a platform owned mutually by these insurers (and available to new joiners). Perhaps there is space for even more types of ecosystems so that there is competition to draw in the best models as well as to fit the "empire-building" objectives of some insurers. The competitive advantages to insurers could come from being part of a closed/semi-open group owning the platform or getting competitive advantage through it in some way. But competitive advantage could also come through innovative relationships between insurers and model providers (dis-intermediating the platforms in some sense), just like the Internet-applications industry does not care about the telecommunications industry that provides the channel to market. That is the most likely outcome when the dust eventually settles. After all, while the laws of majority do not work in the matters of the truth (fidelity of models to underlying reality), no one person/provider has a monopoly over the truth (of models), and in the end it is the truth (of the models) that matters (in conferring lasting competitive advantage). Insurers tend to spend upward of 20% of their IT budget on catastrophe modelling. This expenditure is expected to rise rather than fall. OASIS is an strategic catastrophe modelling option for insurer looking to reduce this expenditure. One of the strategies is to use OASIS for development, testing and usage of their own models (i.e. in their own infrastructure) rather than risk placing these into the cloud provided by a private platform provider. Used this way, OASIS can help reduce the cost of development and testing and usage of internal models. Also, insurers need to create and maintain their own applications for multi-model comparison and blending if they want to use OASIS along with private platforms. These kinds of strategies will drive down the average cost of catastrophe modeling in the enterprise and the industry, thereby improving the transformative business case for various uses that currently are not cost-effective. Insurers that start on the OASIS journey will reach these transformative business cases before than others.

With each passing brand name mega-breach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers. Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. The Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land. The Data Security and Breach Notification Act of 2015 says it “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was written by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.” I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing…if it’s done right. The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be preempted were the bill to pass. If that weren’t bad enough, the proposed bill could also supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information. The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security. In a widely publicized survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but as I argued in my op-ed about the Data Breach Disclosure Box, any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation. Why It’s an Issue Senior Policy Counsel at New America’s Open Technology Institute Laura Moy eloquently outlined the problems this bill could create in her testimony before the House of Representatives. In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be preempted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number was also named. Both state laws represent solid advances in the realm of data security, and both might be preempted were the bill moving through Congress to succeed. And here’s the really bad news: they would be two of the less alarming casualties. The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information – like your email address, for one — that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much. As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief. To give an example of the kinds of preemption that are possible here, Florida’s privacy law includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts. Eight other states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia and, as of July 1, Hawaii and Wyoming. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit. In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinge on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) – that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call and the location of all your network-connected devices. All this information could be breached, and this proposed law in Congress says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on pay-per-view. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited on line. Every call. Every text. And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of non-comprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPPA/HITECH Act — with a few notable preemptions of existing state law affecting over-the-counter purchases and other health-related items. Defining Harm According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain. A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public. For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better. What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a Breach Tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by non-state agencies. There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way that data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.

Are you and your Customer Insight team too often frustrated that you're not making a difference in your business? Do your internal customers ever criticize what they receive from your team, asking, "Where's the insight?" Sometimes this is because of technical skills or barriers that need to be addressed, but very often it's because of poor communication. Do you need to get a better brief? What I mean is this: Marketers or other stakeholders within your business can come to Customer Insight and ask for a piece of data/analysis/research. If the analyst just gives them what they asked for (or a version of that based on their understanding of what they heard), it's often a recipe for disappointment. Analysts can feel limited by work that's not creative or using their technical skills. Your internal customers can be disappointed, to receive something other than what they meant, and that doesn't meet their real need. This communication challenge is of, course, well-known in the field of project management. This tree swing example normally helps to illustrate this dilemma. But there is more, beyond the challenge of documenting requirements clearly, in a good brief. Have you also found that what your internal customers doesn't ask for is what they really need? Is what they want not what they need? That's my experience, too. So, to help analysts improve their questioning skills in this area, I've been borrowing a technique from the world of leadership coaching. Trained coaches will likely have come across Socratic questioning. It is a style of inquiry, aimed at helping the one being questioned to critique his own thinking, assumptions and viewpoint. Working with both experienced and junior analysts, I've found that the principles of Socratic questioning can help them in questioning what they are asked to provide, to get to the real need. Here's a very brief intro to this style of questioning, as proposed by the great Socrates himself: Conceptual clarification questions: "What exactly does this mean?"; "Can you rephrase that, please?"; "Can you give me an example?" Probing assumptions: "You seem to be assuming...?"; "Please explain why/how...?"; "How can you verify or disprove that assumption?" Probing rationale, reasons and evidence: "Why is this happening?"; "Would it stand up in court?"; "How can I be sure?" Questioning viewpoints and perspectives: "Another way of looking at this is..., does this seem reasonable?"; "What would... say about it?"; Probing implications and consequences: "Then what would happen?"; "Why is... important?"; "How does... fit with what we learned before?" Given previous advice on being action-oriented throughout any customer insight work, I find it helps to add another line of questioning to this model. That is to explicitly ask what action is going to be taken as a result of this request. This is important, to avoid precious analyst time being taken up with questions that are just out of curiosity. You need to know what action is planned. None of the above is intended to be used word for word, or imposed without intelligent interpretation, in the language and culture of your organization. However, applied sensibly, I've seen that it can help empower analysts to question more and to improve their skills in eliciting real business needs. When the real need is understood and captured in a clear brief, then you stand a much better chance of getting real insight. What have you found works? How do you get a better brief?

Self-driving cars will transform personal travel and, in doing so, will pose some interesting questions for insurers. One question that insurers seem not to have addressed so far involves the ethical issues raised by self-driving cars. And there's one particular issue of ethics that could have a significant influence on the liability exposures presented by self-driving cars.

Picture yourself relaxing back in a self-driving car. You've just dropped off your son, who has run off along the pavement ahead of you. Your car pulls out and accelerates, but suddenly six cyclists swerve into its path. A collision is imminent, and your self-driving car's computer has to make a split-second decision. Should the car swerve out of the way of the cyclists, saving their lives, but in doing so mount the pavement and kill your son? Or should it carry on and plow into the cyclists, saving your son's life?

Remember that the decision isn't yours: It's to be taken by your self-driving car's computer. Should the computer be programmed to reduce the overall number of casualties (and so avoid the cyclists but kill your son), or should it be programmed to put your interests first (and so collide with the cyclists)?

Classic ethical scenario

Some of you will recognize this as one of the classic scenarios used to stir debate in philosophy and ethics. It illustrates two ethical positions: utilitarianism and deontology. The former would say to swerve, for six lives are saved at the cost of one. The latter would say "carry on," for your interests are being put first.

The purely financial implications for insurers are clear: A self-driving car programmed according to utilitarian ethics will carry a lower liability exposure than one programmed according to deontological ethics.  Will we see insurers turning to philosophers for help in deciding which car models fall into which rating categories?

Programmed by humans

The key point here, though, is not the employment prospects of philosophers but the recognition that all those algorithms underpinning the decisions made by self-driving cars will be programmed by human beings. Just like you and me, they'll be full of opinions and preconceptions, which will in turn influence the preferences coded into the decisions your self-driving car will take.

And as the big data supporting those decisions builds, so will the complexities that those algorithms have to handle. For example, if the six cyclists were wearing health tracking devices that told your self-driving car's computer that they were all octogenarians, should it still swerve into the path of your only child?

Embedding choices

The permutations are endless, but one dimension is fixed. It is that insurers using big data for underwriting and claims decisions need to recognize that choices are going to be embedded into those algorithms, and those choices often have an ethical dimension that needs to reflect the values of that insurer and the needs of the regulatory framework it operates within. Simply saying, as some insurers now do, that "it was the data that made the decision" will not hold water.

The U.S. Court of Appeals for the 9th Circuit has issued its long-awaited decision in the Angelotti Chiropractic Inc. v Baker case. In what can only be considered a resounding win for both the legislature’s power to create the workers' compensation system and the Department of Industrial Relation's authority to enforce the provisions of SB 863, the appeals court has, in its 32-page decision, upheld the portions of the lower court's decision that were favorable to the DIR and reversed the portion that had challenged the validity of the statutory scheme. The result is a knockout, but not necessarily final, victory for the legislature and employer community's efforts to rein in lien litigation madness.

One of the hallmarks of the most recent reforms to the worker's compensation system in SB 863 was the adoption of both lien filing and lien activation fees. The intent of the fees was to filter out some of the less valid liens, encourage realistic settlement of liens before litigation and ultimately reduce the backlog of pending liens. Under the structure legislatively created, liens filed before Jan. 1, 2013, (the effective date of the statute) would be subject to an "activation fee" of $100 to actively pursue the lien before the W.C.A.B. Additionally, all pending liens as of Jan. 1, 2013, were required to have paid an activation fee by Jan. 1, 2014, or else be dismissed by operation of law. The second prong of the effort to reduce the backlog was to require lien claimants filing after Jan. 1, 2013, to pay a $150 filing fee. The challenge in this case was to the lien activation fee only, but the case has been watched carefully as similar arguments have been made in opposition to the lien filing fee. For many, Angelotti was considered a bellwether case on the lien fee validity.

Not surprising, shortly after its passage, the issue of the validity of the lien fee provisions in SB 863 was attacked in court with various challenges. In a ruling with what appeared to have the most potential for the challengers, a lower court had previously ruled that the plaintiffs in the Angelotti litigation had demonstrated a substantial likelihood of prevailing in their efforts to have the lien activation fee provisions declared unconstitutional. While by no means final, the resulting decision was accompanied by a temporary restraining order prohibiting the DIR from enforcing the lien activation fee provision. In its decision, the lower court rejected some of the plaintiff's arguments that the lien activation fee violated constitutional prohibitions under the takings clause and the due process clauses of the U.S. Constitution. That part of the claim was dismissed. The lower court, however, was much more impressed with the equal protection arguments advanced by the plaintiffs, finding that the different treatment of institutional lien claimants vs. direct medical providers did not constitute a rational distinction. As a result of the temporary injunction, the DWC suspended its enforcement of the lien activation fee provisions but appealed the ruling.

In its decision, the appeals court upheld the district court's rulings dismissing the plaintiff's causes of action based on the takings and due process arguments, finding that the lower court's rationale was well-founded. (The dismissal of those issues had been sought by the Angelotti plaintiffs.) However, in response to the defendant’s appeal of the restraining order and the failure to dismiss the equal protection claim, the court soundly rejected the lower court’s ruling that plaintiffs had established a probability of prevailing on an equal protection argument, reversing that holding and vacating the existing restraining order prohibiting the DIR from enforcing the lien activation fee provisions. That argument was based on the different treatment between institutional lien claimants (such as insurance companies) and private lien claimants (such as individual practitioners).

In reversing the lower court, the circuit court found the distinctions created by the legislature were both rational and within the wide latitude of the legislature to create:

"The legislature's approach also is consistent with the principle that 'the legislature must be allowed leeway to approach a perceived problem incrementally.' Beach Commc'ns, 508 U.S. at 316; see also Silver v. Silver, 280 U.S. 117, 124 (1929) (stating that '[i]t is enough that the present statute strikes at the evil where it is felt and reaches the class of cases where it most frequently occurs.'). Targeting the biggest contributors to the backlog-an approach that is both incremental, see Beach Commc'ns, 508 U.S. at 316, and focused on the group that “most frequently” files liens, see Silver, 280 U.S. at 124,-is certainly rationally related to a legitimate policy goal. Therefore, on this record, 'the relationship of the classification to [the Legislature's] goal is not so attenuated as to render the distinction arbitrary or irrational.'"

The appellate court further noted it was the plaintiff's burden to negate "every conceivable basis" that might have supported the distinction between exempt and non-exempt entities. The circuit (appellate) court said the district court did not put the plaintiffs to the proper test in this regard, instead rejecting the argument made by the defendants (DIR) that the activation fee was aimed at clearing up a backlog of liens. The circuit court found multiple flaws with the lower court’s analysis on this argument, including that it failed to give proper deference to the legislature's fact finding. Instead, the court held the proper application of correct legal principles demonstrated the plaintiffs, rather than showing a likelihood of success, actually showed no chance of success:

"...that plaintiffs have no chance of success on the merits because, regardless of what facts plaintiffs might prove during the course of litigation, 'a legislative choice is not subject to courtroom fact-finding and may be based on rational speculation unsupported by evidence or empirical data.' See Beach Commc'ns, 508 U.S. at 315. Thus, the presence in the commission report of evidence suggesting that non-exempt entities are the biggest contributors to the backlog is sufficient to eliminate any chance of plaintiffs succeeding on the merits."

While the plaintiffs in this matter have further appeal rights, it does not appear that under this decision the plaintiffs will be entitled to a trial at the lower court. The court not only vacated the injunction but took the unusual step of reversing the trial court's denial of defendant's petition to dismiss the equal protection cause of action. As noted in the above quote, the legislative authority to fashion a remedy effectively eliminated any chance of plaintiff's prevailing.

Comments and Conclusions:

While the decision in this appeal took some time to come, the finality of the decision, and the tenor of the court's ruling, will undoubtedly be considered well worth the wait. By reversing the lower court's failure to dismiss the equal protection clause, the appellate court left very little opening for preservation of this lawsuit. While the plaintiffs can both ask for a rehearing and appeal to the U.S. Supreme Court, those levels of appeal come with rapidly diminishing probability of success.

With the DIR no longer hamstrung by the restraining order, we can anticipate a rapid enforcement of the lien regulations requiring activation fees. What will be a fascinating sideshow to this will be what happens to the provisions of Labor Code § 4903.06(a)(5), the requirement to pay the activation fee on any pre-1/1/13 lien claim on or before 1/1/14, a date long since passed. The DWC stopped collecting activation fees pursuant to the now vacated restraining order shortly after the TRO issued. Interestingly the language on the W.C.A.B.’s website indicated lien claimants were not obligated to pay the activation fee to appear at a hearing or file a DOR. However, it makes no mention of the dismissal language in 4903.06.

It is highly likely that few if any lien claimants paid activation fees by 1/1/14. It also seems unlikely, though not necessarily impossible, that the DIR or W.C.A.B. will be able to enforce the dismissal by operation by law provisions without allowing some kind of grace period for lien claimants to comply with the activation fee requirement before lowering the boom on liens without such fees. Lien claimants are now in something of a no man's land with the faint hope that a further appeal may save them from the lien activation cost, but the compliance clock will probably be ticking, and once it stops the jig will be up on their liens.

It would certainly make sense for any current lien claimants, especially those who are set for hearings, to start looking into complying with the activation fee requirements. Showing up at the W.C.A.B. on a pre- 1/1/13 lien claim without having paid the activation fee may very well result in dismissal in the very near future. For defendants, with the TRO no longer in force, it is game on as far as activation fees are concerned. I intend to start raising the issue tomorrow…(or at least at my next hearing with a pre-1/1/13 lien claim).

On a side note, a similar case in state court, Chorn v Brown, was also recently decided in an unpublished decision. In that case, a lien claimant had challenged the lien statutes on both activation and lien filing fees. The case has been dismissed for lack of subject matter jurisdiction in the superior court. As a practical matter, the dismissal is really more of a procedural issue than a substantive one. The court of appeal noted the proper remedy for Chorn was to pursue a petition for writ of mandamus in the court of appeal, a step Chorn has actually initiated. However, a petition for writ of mandamus requires an appellate court to decide the issue has merit, a rather dubious proposition at this point. However, it is one more step to finally clearing up the DIR/DWC/W.C.A.B.'s authority to deal with the lien morass that, while somewhat abated in the past couple of years, continues to plague the system.