There’s a tempest amid the recent spring shower of cyber insurance cases. It isn’t the Recall Total case,^[1] or the Travelers v. Federal Recovery Services case reported the week before.^[2] Although those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant. The tempest case is Columbia Casualty Company v. Cottage Health System.[3] In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty, seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation. Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyber insurance coverage. Although this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully. Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices and (2) the misrepresentation defense. The Facts Underlying Data Breach Litigation and Regulatory Investigation Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained or used by the insured, Cottage Health System (Cottage).[4] In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.”[5] The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.[6] The lawsuit settled in April 2015 for $4.1 million.[7] Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.[8] Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”[9] and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”[10] The Cyber Insurance Policy CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.[11] The policy provides coverage for, among other things, “privacy injury claims.”[12]   Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise. The Coverage Issues CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn. Exclusion for “Failure to Follow Minimum Required Practices” CNA relies upon an exclusion in the NetProtect360 policy, titled “Failure to Follow Minimum Required Practices,” which states: Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

• Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving:
• Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…[13]

Citing this exclusion, CNA alleges that coverage is precluded because its insured purported to do certain things relating to various aspects of network and computer security. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things”:

41. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol[14] settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
42. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things.
43. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
44. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s Failure to Follow Minimum Required Practices” exclusion.[15]

CNA does not allege that its insured acted willfully, that it acted recklessly or even that it was grossly negligent. The Misrepresentation Defense In support of its misrepresentation defense, CNA relies principally upon the policy “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

1. Application

• The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.

• This Policy shall be null and void if the Application contains any misrepresentation or omission:

• made with the intent to deceive, or

• which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.[16]

Citing this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

51. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”
52. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”
53. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.
54. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.
55. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.[17]

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.” The Takeaway Tips

1. Beware Of Broadly Worded Cybersecurity/Data Protection Exclusions

The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,[18] and broad exclusions that would render coverage illusory are not permitted in California[19] or elsewhere.[20] Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,[21] which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”: Cyber Liability and CNA NetProtect Products CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.[22] To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing cyber liability coverage. Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 is regrettably common, and, as the Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage. The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them, or to entirely eliminate them -- and often this does not cost additional premium.

2. Guard Against a Misrepresentation Defense

We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists, moreover, that may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.[23]  So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.   [1] Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., --- A.3d ----, 2015 WL 2371957 (Conn. May 26, 2015). [2] Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., No. 2:14-CV-170 TS (D. Utah May 11, 2015)). [3] No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015). [4] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶2-3. Cottage operates a network of hospitals located in Southern California. See id. [5] Kenneth Rice, et al. v. INSYNC, Cottage Health Sys., et al., Case No. 30-2014-00701147-CU-NP-CJC (Ca. Super. Ct. Jan. 27, 2014), ¶1. [6] Id. ¶¶68, 80. According to CNA’s complaint, Cottage also faces an ongoing investigation by the California Department of Justice regarding potential HIPAA violations. See Complaint For Declaratory Judgment And Reimbursement, ¶¶6, 22. In its declaratory judgment action, CNA also disclaims coverage for this proceeding. See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶46-49. [7] See Order Granting Final Approval of Proposed Class Action Settlement and Judgment (Apr. 15, 2015), Findings in Support of Final Settlement Approval ¶2.B.; see also Class Action Settlement And Release Agreement, § 3.1. [8] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶5. [9] Id. ¶8. [10] Id. ¶9. [11] Id. ¶22-23. [12] Id. ¶25. [13] Id. ¶26. A separate policy “condition” states as follows:

1. Minimum Required Practices

The Insured warrants, as a condition precedent to coverage under this Policy, that is shall:

1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and
2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.

Id. ¶27. [14] This is used to transfer files between computers on a network. [15] Id. ¶¶41-44 (footnote reference and emphasis added). [16] Id. ¶27. CNA also cites to a “Warranty” provision in the insurance application, stating as follows: Applicant hereby declares after inquiry, that the information contained herein and in any supplemental applications or forms required hereby, are true, accurate and complete, and that no material facts have been suppressed or misstated. Applicant acknowledges a continuing obligation to report to the CNA Company to whom this Application is made (“the Company”) as soon as practicable any material changes…all such information, after signing the application and prior to issuance of this policy, and acknowledges that the Company shall have the right to withdraw or modify any outstanding quotations and/or authorization or agreement to bind the insurance based upon such changes. Further, Applicant understands and acknowledges that: 2) If a policy is issued, the Company will have relied upon, as representations, this application, any supplemental applications and any other statements furnished to this Company in conjunction with this application. 3) All supplemental applications, statements and other materials furnished to the Company in conjunction with this application are hereby incorporated by reference into this application and made a part thereof. 4) This application will be the basis of the contract and will be incorporated by referenced into and made a part of such policy. Id. ¶31. [17] Id. ¶¶51-55 (emphasis added). [18] See, e.g.,. 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”); see also 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses.”). [19] See, e.g., Armstrong World Indus., Inc. v. Aetna Cas. & Sur. Co., 52 Cal. Rptr. 2d 690, 705 (Cal. Ct. App. 1996) (rejecting the insurers’ approach where “the insurers’ approach would essentially render the asbestos manufacturers’ insurance coverage illusory”). [20] See, e.g., Allan D. Windt, 2 Insurance Claims and Disputes § 6:2 (6th ed. updated Mar. 2015) (“a court will not allow an exclusion to eliminate coverage that is expressly and specifically provided for in the same policy form. More generally stated, a policy will not be interpreted to create illusory coverage. For example, in the context of analyzing the absolute pollution exclusion, discussed in § 11:11, some courts have refused to apply the exclusion as written based upon what was, in effect, the conclusion that the exclusion would cause the coverage to be illusory.”). [21] See, e.g., 2 Couch on Insurance § 22:11 (“the rule is that the objectively reasonable expectations of applicants and intended beneficiaries regarding the terms of insurance contracts will be honored even though a painstaking study of the insurance provisions would have negated those expectations”). [22] https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html [23]See, e.g., Rafi v. Rutgers Cas. Ins. Co., 872 N.Y.S.2d 799 (N.Y. App. Div. 2009) (“although misrepresentations made by an insured must be material, they may be innocently or unintentionally made”).

In 2013, Amazon CEO Jeff Bezos announced to the world that the online retailer would begin to develop a "drone-to-door" delivery service for its loyal customers. Dubbed Amazon Prime Air, the system would deliver packages directly to your doorstep in just 30 minutes after an order is placed, setting a new and higher bar for "fast delivery."

However, after a variety of issues and concerns were addressed by increasing regulations added by the Federal Aviation Administration (FAA), it  appeared that Bezos' announcement would never get off the ground. But after two years of waiting for the FAA, Amazon will finally get to test these drones on U.S. soil -- or, should I say U.S. air? -- bringing customers one step closer to having their Tide detergent refilled by a delivery drone.

Despite the U.S. government dragging behind on approvals, for retail and civilian use, sales for drones aren't expected to slow any time soon. Companies like Teal Group, an aerospace research firm, estimates that sales of both military and civilian drones will total more than $89 billion by 2023.

Other big companies, such as State Farm and AIG, are also getting into the drone business. In fact, State Farm is the first insurance company in the U.S. to receive regulatory approval to test drones for commercial use. With drones popping up in so many different industries, it makes me wonder, what impact will drones have on companies' customer experience -- good and bad?

The Good

State Farm plans on changing the insurance industry for the better, using drones to aid in natural disaster relief. For instance, instead of State Farm spending the money (and time) to ship hundreds of claims adjusters out to natural disaster sites to assess damages, the company will send only a handful of agents equipped with a drone partner to more efficiently survey damaged property.

Jason Wolf, a property defense attorney and shareholder at the Florida-based firm, Koch Parafinczuck & Wolf, stated in an interview to ClaimsJournal.com: "I envision a time when, after a catastrophe, an adjuster pulls up to a neighborhood and opens the trunk of his car and presses a few buttons on his tablet device, and the drone does an immediate survey of everything and streams it all right to his tablet device, and he knows exactly where to go first and what's most significant within minutes. Costing very little money, the insurance company has a sense of everything that needs to be done in a very short amount of time."

Imagine all the headaches this could mitigate for customers and employees after the chaos caused by unfortunate losses created by natural disasters.

It's interesting, too, how this type of surveying will require additional training, but training we might be familiar with. Much like a police officer who trains alongside his dog in a K-9 unit, insurance adjusters will train alongside their partner – only, in this industry, it would be a drone.

While there is debate in the insurance world about how drones will operate, one thing is for sure - they will be operated and used to speed up services and save on cost, making customers' lives a little easier. As such, claims assessment aided by a drone will yield quick turnarounds and an even quicker payout to the insured.

Additionally, insurance companies will start offering drone insurance to owners of unmanned aircraft systems (UAS). RiskandInsurance.com noted that the general types of coverage that will be required for the use of UAS and ancillary business activities will include liability, personal injury, invasion of privacy, property and workers' compensation. The publication also mentioned that, given the conservative nature of the insurance industry, carriers could place stricter guidelines on drone coverage than the FAA does.

Once regulated and insured, drones will be sent out into the community to collect data. For example, what if someone's home flooded? Well, insurance companies could send their drone to the flooded house and survey the area for all damages, speeding up the process for families affected.

There is also the use of drones for the collection of data by third parties. Imagine that Ford is looking to target advertisements for a new truck to areas where the road conditions would demand the use of four-wheel drive. Ford hires an agency to send out drones to specific cities where it is looking to advertise.

This drone will collect data on road conditions and take images of cars on the road to make sure a majority of drivers are in trucks, and will then report back on economic conditions. Ford doesn't want to be advertising where citizens can't or won't pay for the product.

In a world becoming more drone-centric, these types of background checks and data collections via UAS will become increasingly more frequent.

The Bad

The government review process for a drone is 120 days, but, by the end of the process, Amazon says the technology of the drone submitted for regulation is outdated. Therefore, Amazon must update its filing and submit to the FAA for regulation, starting the 120-day review process all over again.

The other concern of the FAA is air traffic. Coming down with a few regulations on drone flight, the FAA is requiring that drone controllers have sight of the drone at all times and that they must operate under 400 feet.

Exelis, a global aerospace, defense, information and services company, was featured in an article on Engadget recently, discussing its development of an air traffic control system for drones. Nearly ready for testing at the FAA approved drone-testing sites, the low-altitude monitoring system would keep tabs on compact aircrafts flying at or under the mandated 400 feet.

It'll be interesting to see how industry giants, such as Amazon, overcome these obstacles to create a non-invasive customer experience with drone technology.

Once regulated, the next issue is invasion of civilian privacy. Private and civil liberties advocates have raised doubts about the legitimacy of facial recognition cameras, thermal imaging cameras, open Wi-Fi sniffers, license plate scanners and other sensors commonly used by drones in the civilian sphere.

Civilian uses of drones for hobby are already causing issues, most notably at the White House, but across the country, as well. The LA Times reported last June that while LA Kings hockey fans were celebrating their Stanley Cup victory, a group noticed a drone flying over their heads filming the scene. Angry at the invasion of privacy, the crowd knocked the drone out of the sky using a T-shirt and then smashed it to bits with a skateboard.

In Los Angeles, flying a drone in public is not illegal, but LAPD Cmdr. Andrew Smith commented that, "It was kind of an eye-opener for us, that this something we really need to pay attention to." While the Kings fans reactions may seem a little over the top, the general population seems to feel the same way when they see a drone overhead.

With no official laws on the books regarding the use of domestic drones, the right to privacy becomes a large topic of concern for many citizens. The American Civil Liberties Union states on its website, "Congress has ordered the Federal Aviation Administration to change airspace rules to make it much easier for police nationwide to use domestic drones, but the law does not include badly needed privacy protections."

It will be interesting to see how industries promote drone use to their customers, without raising fears about a threat to privacy. After all, customers may not always be right, but they are always the customers.

Drones will also need to be protected from cyber attacks.

"Cyberattacks on your PC - they can steal information, and they can steal money, but they don't cause physical damage, whereas cyber-attacks in a UAV or a car can cause physical damage, and we really don't want to open that can of worms," said Kathleen Fisher, the previous program manager of the DARPA project in a statement to NextGov.com

The Pentagon is currently working on developing code that will protect a Boeing Little Bird unmanned aircraft from being hacked. Defense industry programmers are rewriting software to safeguard the computer onboard the helicopter drone and aim to have the project completed by 2017.

The Future

It's exciting to think about what drone technology will bring to companies and their customers - and to people everywhere. Let's face it, if we think we have seen the complete potential of what customer experience has to offer, then, well, we're being naive. The new drone technology will reinvent customer experience once again. And the best part? We all get to see how it unfolds.

The future seems endless for drones. Whether you feel they are an invasion of privacy, or they will begin to make our lives easier and aid society in ways that haven't even been thought of yet, drones aren't going anywhere any time soon. If you need to put it in perspective, a white paper featured on Cognizant.com notes that 40,000 drones are expected to deploy in 2015, and this is a number that will continue to increase each year. This industry is ready for take-off.

If you haven't come face-to-face with a drone yet, don't worry, you will.

One of the most telling episodes of Kodak’s slide into bankruptcy was how it incorporated digital capabilities into its Advantix camera system. Kodak spent more than $500 million to develop and launch the Advantix in 1996. The system capitalized on emerging digital capabilities— especially the digital sensors that Kodak engineers had invented two decades earlier—to capture date, time, shutter speed and lighting conditions to produce better pictures. The strategy culminated in the Advantix Preview camera, which allowed photographers to preview shots and mark how many prints they wanted. Kodak gave users no ability to save the digital images, however. The Advantix required traditional silver halide film and prints. Advantix flopped. Why buy a digital camera and still pay for film and prints? Kodak wrote off almost the entire cost of development. Kodak’s strategic blunder was not because of a lack of technological prowess; it was because of an inability to embrace business model innovation. Kodak was the market-leading photo film, chemical and paper business. It bet its future on “the hope that demand for digital images would sell more film.” As a result, Kodak protected its traditional business to the bitter end—until others leveraged digital to make film irrelevant. Judging from recent comments by Carlos Ghosn, Nissan’s chief executive, we might one day read about how Nissan repeated the pattern of Kodak’s decades-long blunder and demonstrated the dangers of standing still during a period of industry innovation (like what's happening in insurance). Ghosn has championed his company’s efforts to develop autonomous driving technologies to allow cars to operate without human intervention. And, unlike some other large automakers (such as Toyota), Ghosn does not dispute the technical feasibility of driverless cars. But Ghosn views the choice of semi-autonomous vs. driverless as a strategic decision—and he is clear that his choice is to use autonomous technologies as incremental enhancements to cars with drivers. As reported by the Associated Press via the New York Times: Ghosn said Nissan sees autonomous vehicles as adding to driving pleasure, and a totally driverless car is not at the center of the automaker’s plans. The autonomous driving Nissan foresees will assist or enhance driving. Nissan may end up with a driverless car, but that was not the automaker’s goal, he said. "That is the car of the future. But the consumer is more conservative. That makes us cautious." In other words, Ghosn’s strategy is to hope that the demand for autonomous technologies will sell more cars. Like Kodak, he is aiming to reinforce Nissan’s current business model rather than embrace business model innovation. By being cautious, however, Ghosn risks emulating Kodak’s failure by waiting for others to leverage driverless technologies to make traditional cars irrelevant. He also risks ceding emerging business innovations to Google, Uber and others willing to make driverless cars their explicit primary goal. The unanswered question is whether Ghosn, behind the scenes, is parlaying his technological forward-mindedness into strategic preparedness. Carlos Ghosn need not shed his caution. But, as I previously argued, trillions hang in the balance. Given those stakes, has Ghosn hedged Nissan’s strategic bets in case the driverless “car of the future” comes more quickly than he expects? Some argue that, of course, Nissan won’t be caught flat-footed even if driverless cars come sooner than expected. Look, for example, at its research partnership with NASA. But research is not enough. A trap that market-leading companies fall into is believing that they can catch up if their initially cautious strategies turn out to be wrong. One lesson that Paul Carroll and I found in our study of thousands of large company failures is that it is very hard to excise denial from multiple layers of the organization—even after objective evidence argues for doing so. Another lesson is that, while it is possible to catch up on raw technical expertise, it is hard to catch up after yielding multiple product-oriented learning cycles to competitors. Take electric hybrid cars. A former senior technologist of one of the big automakers told me his company considered but rejected hybrid electric cars before Toyota launched the Prius. The automaker was at first dismissive of the Prius and then surprised by its market success. It did jump into the market with its own offering. But, the technologist bemoaned, it has not been able to catch up. With each model, Toyota gets further ahead. The company ceded too many learning cycles to Toyota. The same could be happening with driverless cars. Nissan espouses caution about driverless cars. Whatever research is going on in its labs is mostly hidden from the public (perhaps to not confuse the market or provide succor to competing strategies). Google, on the other hand, will soon release 25 prototype driverless cars onto the streets of Mountain View, with plans to launch 75 more. Google’s self-driving cars have logged a collective 1.7 million miles and are adding about 10,000 miles per week, mostly on city streets. Google has not cracked all the issues involved with driverless cars. It has, however, created the ability to learn faster. Kodak, as evidenced by its own tongue-in-cheek marketing video, ended up play “grab ass” for years with digital photography. Late attempts to “get serious” were too late. Even now, 40 years after Kodak engineer Steven Sasson invented the digital still camera, Kodak still struggles to realize the potential of its IP portfolio. Likewise, every market-leading department retailer of the 1950s and '60s, such as Macy’s, Woolworth’s and Ames, thought it could contend with discount retailers like Wal-Mart if the need arose. Only Dayton Hudson took the discounting business model seriously. Rather than watch and wait, Dayton Hudson formed a discounting business unit and unleashed that subsidiary to compete as hard as possible against the traditional business. That discount subsidiary was named Target. Of the more than 300 department-store chains in the U.S. in the late 1950s, only Dayton Hudson/Target successfully moved into discount retailing. Most of the others preceded Kodak on the path to bankruptcy. Rather than following in the footsteps of Kodak and all those defunct department stores, Nissan should be more like Dayton Hudson. Instead of just betting on caution, Nissan should also unleash innovators to create its own driverless offering and charge them with competing as hard as possible against its traditional business.

Although some improvements in workers' compensation claim results require large investments, resources and complex implementation phases, others require more commitment than dollar investment and are simple in execution yet sublime in positive impact. The seven suggestions that follow are field-tested and proven effective. These seven will not only improve the results of your work comp program but will enhance workers’ respect for their jobs and increase cooperative attitudes. Best of all, these seven can be initiated quickly and with moderate to low effort: Quick-Tip: Seven Suggestions + Negligible Resources = Zero Excuses 1) Before and after each shift, supervisors can ask if anyone is hurt. This is easy to implement where crews already have before and after meetings. By asking the question, supervisors remind employees that proper work comp reporting is a job requirement. The question also discourages workers who arrive with an existing problem from making it worse on the job or blaming it on the job. This can also reduce late reports. If any injury or illness is identified, then it can be managed immediately. 2) Provide injured employees with a “rights and responsibilities” manual that is branded with the company logo. Many state WC offices provide adequate templates for this purpose. The manual serves as a reminder to employees that the WC process is connected to their employer and their job. 3) Devise a simple monthly WC/safety summary report that goes to executive management. Place a copy on public bulletin boards so staff is aware that executives monitor the related programs. This promotes the seriousness of WC and safety. 4) Work with your third-party administrator (TPA) or insurer to institute a “no fill” list of dangerous narcotic prescriptions that will automatically trigger a refusal and review by appropriate medical resources. Most claim organizations have such lists already. It is a matter of demanding this level of service from your claims or managed care vendor. 5) Require supervisors to make weekly calls to employees out on temporary total disability (TTD) and have weekly chats with employees on modified duty. This would be a simple general talk to ask how they are doing and if they need anything. This is a powerful motivator and reminder of the employee’s value and the fact that a return to their regular job is anticipated. It can also identify problems in the claim that need to be addressed. 6) Write a simple standard “Return to Work (RTW) Expectation” letter that will immediately be given to every claimant’s treating doctor. This will cause doctors to recognize your transitional duty program, understand their expected role and enhance cooperation. The letter will reduce the likelihood of a claimant’s refusal to participate in early RTW and reduce the reliance of doctors on a claimant’s version of RTW opportunities. 7) Make employees aware of WC costs in personal terms. “Dollars” are not as meaningful as referring to units produced or operating time. For example, if employees are aware they work the first 45 minutes of every shift or produce a certain number of pieces per shift, week or month just to cover WC costs they will relate to the problem. Track costs creatively to have impact. Give these a try. Commit to changing the WC perspective in your organization. My experience says it will pay off.

There is one element of human behavior that is not very well appreciated by most people -- for the most part, socialized humans follow the law. However, people acting completely rationally will also take advantage of the law. They will not break the law, but nearly all of us will push the boundaries to accomplish our missions. We do this every day driving our cars. We exceed the speed limit all over the place -- maybe not by much; as we know, police officers are rather tolerant of someone going five miles per hour over the limit and much less tolerant of someone going ten over. Part of this behavior stems from the fact that, with very little exception, laws, rules and regulations are restrictive -- they tell us what we can't do but don't tell us what we can do. For the most part, this is because it is really very hard to determine what will be allowed -- it's much easier to describe what won't be allowed. When we combine law-abiding people who want to get their job done along with restrictive laws, we end up with what are commonly known as loopholes. Loopholes exist because someone who needs to get something accomplished found a way to do so regardless of some proscription. Take California's independent medical review (IMR). IMR was conceived to expedite medical decisions outside of the court system. (Whether this mission is accomplished is the subject of much debate -- and is not the subject of this post.) But IMR has produced an unintended consequence that arises from people doing their jobs, and doing the job well, within the constricts of the law. There is a faction of the workers' compensation industry whose job is to minimize ultimate claims costs. These are good, law-abiding, citizens. They follow the law ... carefully and considerately. What they have discovered is that an IMR denial of treatment is a final determination, and a final denial of treatment within the workers' compensation context means that item can be removed from consideration when establishing a Medicare Set-Aside trust. In other words, something that a workers' compensation payer would have been liable for before IMR is no longer a continuing liability to either the injured worker or to the federal government. This also means that the cost of treatment is shifted from worker's comp to Medicare. Although this may be perfectly legal, and certainly even prudent from the workers' compensation payer's viewpoint, my bet is that this was not intended by the authors of SB 863, nor any other medical treatment limitation law in any other state. The unintended consequence challenges the future of workers' compensation. The purpose of workers' compensation, as we have said time and time again, is to make it affordable for an employer to take care of injured workers. We all get that. But I think we forget a fundamental concept: The obligation is the employer's. We don't fulfill this mission when we shift the responsibility to someone else, such as the federal government via Medicare or Social Security. Doing so, regardless of legality, invites scrutiny. And when there's enough scrutiny there's inquisition. And when there's enough inquisition, there's interference. We're on the cusp of that now. The public image of workers' compensation couldn't be lower. There are many talking about skimpy benefits, of wrongfully denied medical treatment, of passing the buck and of otherwise shirking responsibility. These are acts that are, for the most part, the product of people working within the law to accomplish their missions and jobs without regard or even an idea of negative consequences. This is now playing out with California IMR. California IMR has been under attack since inception. The California Third District Court of Appeals, in Ramirez v. WCAB (SCIF), No. C078440, has granted review to test its constitutionality. Ramirez joins a case already pending at the 1st DCA, Stevens v. WCAB (Outspoken Entertainment), No. A143043, which also seeks to have IMR declared invalid. The basis of these cases is that fundamental rights of due process are violated because there is no legal review process. Perhaps those challenging IMR have an argument. And just because someone is acting within the bounds of the law doesn't make that action right, correct or good policy. When OSHA released its recapitulation of prior research on the adequacy of workers' compensation, it was seen by many as overreaching based on faulty research. Maybe, but this industry should be fearful, because OSHA's report is, in reality, the dog barking because someone is intruding on its property and territory. It may not be trespassing, and there may be invitation, but the dog doesn't know that and doesn't care. Eventually, the dog will bite. The states won't like that at all.

Earlier this year, a group of eight leading insurers and brokers established a consortium to promote microinsurance ventures in developing countries, unsurprisingly called Microinsurance Venture Incubator (MVI). Together, AIG, Aspen Insurance, XL Catlin, Guy Carpenter, Marsh & McLennan, Hamilton Insurance, Transatlantic Reinsurance and Zurich plan to launch 10 microinsurance ventures over the next 10 years. While conventional insurance targets middle to high-income urban dwellers, microinsurance targets rural residents living on the edge of poverty. Most popular are microinsurance products that offer life, health, accident or property insurance. However, to really be the "can-do" coverage for the poor, it is not enough for microinsurance to be affordable and accessible; it also has to be tailored to the unique environment in which it is being offered. After all, context is king. So with the context of "poor people deserve innovation too," here are five examples of innovative microinsurance schemes that target different risk pools: 1. The Use of Technology to Combat Fraud Insurers providing livestock insurance in India have been struggling with high claims ratios, mostly because of fraud. Typically, to get coverage, a veterinarian would place an external plastic tag on the animal's ear as an indication that that specific animal is insured. However, this produced zero controls in place, and insurers learned that these plastic tags somehow made their way to dead cattle, way too frequently. Nowadays, India’s IFFCO-Tokio (ITGI) insurance company is using radio frequency identification (RFID) chips that are injected under the skin of the animal (which is less painful than tagging!). These chips are accessible through a reader, which allows an insurance official to easily verify that the RFID reading coincides with the identification number on the policy, when a farmer reports a claim. This results in fewer fraudulent cases and faster claim processing. Almost a fairy tale ending if it wasn't for the high price of these microchips. Nonetheless ITGI is using a combination of external plastic tags and RFID chips to control their costs yet still prevent excessive fraud. It's working. 2. Forming Index-Based Insurance to Build Trust Another promising innovation is index-based insurance, where an external indicator triggers payments to clients rather than the traditional "I'm calling to report a claim." Kilimo Salama, AKA Safe Farming, combines mobile phone payment system with solar powered weather stations to offer farmers in Kenya "pay as you plant" insurance. Here's how it works:

• A farmer goes to an approved dealer and buys a bag of fertilizer, which he pays 5% extra for to get climate coverage.
• The dealer scans a special bar code, which immediately registers the policy with the insurance provider and sends a text message confirming the insurance policy to the farmer's mobile phone.
• When data transmitted from a particular weather station indicates drought or other extreme condition is taking place, the farmer registered with that station automatically receives payouts via a mobile money transfer service.
• Similarly, a more recent entrant called ClimateSecure says it will “work hand-in-hand with [its] clients, meteorologists, financial experts and other brokers in order to build indexes that most accurately reflect [their] clients’ risk."

3. Targeting the Cash Poor by Relaxing Liquidity Constraints In China, pork composes roughly 48% of livestock production, with most pigs generally raised in small numbers by rural families in their backyards, forcing Chinese hog farmers to face the risk of hog diseases. Yet, despite the obvious benefits of microinsurance products, the demand is still low because of cash constraints and a lack of trust in insurance providers. Yet a pig insurance scheme, which offered credit vouchers that allowed farmers to take up insurance while delaying the premium payment until the end of the insured period, coinciding with when pigs are sold, saw their insurance premiums go up by 11%. By the same token, telecommunications companies embed insurance premiums in their service contracts, with the advantage of offering (oftentimes free) coverage as part of a pre-existing plan. In Africa, for instance, free insurance is linked to phone data usage; the more airtime one buys, the more coverage he/she gets. 4. Product Bundling to Attract Customers The 2014 winner of the prestigious Hult Prize, NanoHealth, is a social enterprise that not only offers microinsurance but also tackles chronic diseases by providing door-to-door diagnostics via its network of community health workers, which it equips with a low-cost point-of-care device called Doc-in-a-Bag. This startup is slowly but surely creating India's largest slum-based electronic medical record system and disease landscape map. 5. Coverage Within Reach via Garbage in, Coverage out Forget bitcoin, garbage is the new currency with this Indonesian startup called Garbage Clinical Insurance (GCI), which was founded by a 26 year-old doctor named Gamal Albinsaid. Through GCI, community residents are encouraged to recycle and get healthcare coverage at the same time because trash is translated to funds that can later be used to pay for medical insurance. In sum, in this micro world of microinsurance, where only 260 million of the world's low-income citizens are covered, words like big data and claim history could not matter less. What matters is how quickly an insurer can scale, how low can its margins go and how clearly can it communicate its offering to the low-income farmer all in the name of for-profit social enterprise. Expect more entrants.

CareFirst BlueCross BlueShield stepped forward on Wednesday to disclose yet another major breach of a health care insurer, this one affecting 1.1 million people. Hackers accessed a database to steal the names, user names, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former CareFirst customers and business partners. The company said that no passwords were taken because those are encrypted and stored in a separate system, and that no Social Security numbers, medical claims or credit cards appeared to be compromised. But Richard Blech, CEO of encryption company Secure Channels, was critical of CareFirst, saying the company trivialized what was hacked in the data breach. “The data stolen is enough to ruin someone’s life,” Blech says. “Trying to mitigate the damage should not be the goal. Heath insurance firms cannot ignore the responsibility to protect their customers.” Dave Frymier, chief information security officer at Unisys, concurs. “Breaches like this can literally create life-or-death issues for consumers,” Frymier says. “If stolen health records are used to obtain care by a criminal, fraudulently purchased medical procedures are listed on the records of people who did not have the procedures. That can create critical medical issues in the future. Organizations seem to only invest in cybersecurity after they are attacked. Few seem willing to invest to prevent the attacks in the first place.” Baltimore-based CareFirst is the third health care insurer to disclose a major data breach this year, following Anthem, which had the records of 80 million people compromised, and Premera Blue Cross, which saw data for 11 million people exposed. Why is the healthcare industry being targeted by data thieves? The basic explanation is two-fold: The type of data that health care organizations amass – ranging from research work to patient records – has high value in the cyber underground; and the industry currently exhibits uniformly poor security policies and practices. ​“Healthcare companies are prime targets for hackers,” says Greg Kazmierczak, CTO of data security vendor Wave Systems. “Not only should the database have been encrypted, but access to the database should have been protected by two-factor authentication. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked.” The question of the moment: How many more major data breaches will have to be disclosed before healthcare organizations move assertively to shore up security? “It’s time for the healthcare entities to shift gears to modern data-security defenses and join their peers in other industries who’ve already learned how to mitigate these threats,” says Mark Bower, global product management director at HP Security Voltage. The data breach was discovered after CareFirst retained forensics firm Mandiant to audit its security systems. Mandiant found evidence of access to a single database containing data originating from CareFirst’s websites and online services. Anyone who created profiles on the insurer’s website before June 20, 2014, was affected. Other healthcare organizations are likely to conduct similar audits. Security experts predict that disclosure of other major hacks will be forthcoming, for some time to come. “The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection,” says Gavin Reid, vice president of threat intelligence at network security firm Lancope. Ken Westin, senior security analyst at Tripwire, adds: “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that are coming at them. As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry.” In the meantime, the burden rests with the individual consumer to limit dissemination of personal data in the health care field. “Share only with trusted providers that have a need to know,” Lancope’s Reid advises. “Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.” Meanwhile, healthcare organizations need to embrace a security mindset from the board room to the patient room. Until that happens, data thieves will continue to plunder their employee, patient and partner data. “Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization,” says Jay Schulman,  managing principal at Cigital. ‘It’s not only about building effective software that adhere to compliance standards, but healthcare  organizations also need to build security in so that applications and software can tell you when something is going wrong.”

News outlets around the country are broadcasting the horrible scenes from Northern Mexico, Texas and Oklahoma of devastating floods that have killed many. Once tallies are completed, property damage will likely be in the billions of dollars. Once again, a disaster raises interest not only in the insidious nature of catastrophic flooding, but in how the insurance industry, in concert with the federal government, more specifically the National Flood Insurance Program (NFIP), tackles – or sidesteps – the vexing problems associated with this peril. Stories abound of the heart-breaking losses as a result of flooding; homes are whisked away downstream, people’s prized possessions are destroyed and, most importantly, lives are lost. Amid the recent rampant devastation brought on by the Texas floods, what struck us was one simple statement by a local news correspondent on the scene, who described the victims’ plight: “Some residents are lucky; they have flood insurance.” “Lucky” hardly describes the harsh reality these flood victims are experiencing. Having flood insurance with the NFIP is akin to having jumbo shrimp, in the infamous description of the oxymoron by comedian George Carlin. To understand why, consider that property damage to a house comes in three varieties: (1) damage to the actual structure, (2) damage to the contents within the structure or (3) expenses associated with not being able to live in the structure as a direct result of a flood claim and having to live elsewhere. The standard HO3 policy form has all three of those potential loss sources adequately covered. That raises the question: What does the NFIP flood policy cover?

Your Building

The maximum the NFIP will pay for the dwelling structure, referred to as Coverage A, is $250,000, even if the dwelling is worth more. There is no amount of additional premium one can pay to get more coverage for this policy. If the dwelling is worth more, the homeowner is forced to purchase another flood insurance policy to cover an amount over and above $250,000.

Your Contents

The maximum the NFIP will pay for losses to contents, referred to as Coverage C, is $100,000, again, even if the homeowner owns more than that amount. The homeowner is still out of luck even if he acquires a second flood policy to cover excess losses to the dwelling, as those types of policies do not generally cover contents. To make matters even worse, if the homeowner is “lucky” enough to have a flood insurance policy through the NFIP and should suffer a flood loss to contents, the content valuation reimbursement will be depreciated. The homeowner will NOT be reimbursed for a new carpet when forced to rip up that damaged 20-year-old carpet and will receive just enough funds from the claim to buy another 20-year-old carpet. In other words, the claim’s valuation basis via the NFIP is the actual cash value (ACV) of the damaged item, not the current replacement cost value (RCV) after applying the policy deductible. Worse, the homeowner is forced to fill out mountains of paperwork to detail what was damaged and account for when the item was purchased and the cost. Then there are the contents in basements, which can represent a whole separate problem. Try filling out the paperwork a few hundred times over for all a household’s valuables, knowing that, regardless of whether those items are meticulously itemized, the homeowner STILL will not be paid the cost to replace them.

Loss of Use

Should a homeowner have a flood loss and need to live elsewhere while the damage is being repaired, expenses for the Loss of Use, Coverage D, is entirely borne by the homeowner. It doesn’t matter if it’s a small amount of damage requiring a one-day stay at a hotel or extensive damage requiring a new home; the homeowner is responsible to pay for all living expenses out of pocket. If the NFIP policyholder doesn’t already feel lucky enough, then there are the lingering questions surrounding the NFIP’s solvency.  Both Hurricane Katrina and Superstorm Sandy left the NFIP with few funds to pay claims, and if the homeowner is lucky enough to have flood insurance through the NFIP she will have to wait – oftentimes months! By now, you get the point. Flood insurance through the NFIP really is not insurance; it’s something else altogether. For starters:

1. The NFIP is not risk-based. Two homes with very dissimilar flood exposure could pay the exact same rate.
2. The NFIP has done little to discourage risk-taking, by subsidizing low rates for homes that have had multiple claims payments.
3. The policies do not meet homeowners’ needs. The coverage gaps are large and the headaches dealing with getting paid are quasi-medieval – certainly not consumer-friendly.

The industry can and must do better. All the tools and resources needed to adequately price and manage risk are present. New models and maps stand ready to evaluate risk, estimate loss costs and aggregate exposure. Abundant excess capital is available, and in many cases is standing on the sidelines looking to jump in the game. What better source of risk-based premium is there than the inland flood exposures now monopolized by the NFIP and, ultimately, the taxpayers? This is the opportunity for growth, innovation and applying commonsense risk management thinking that the industry not only is starving for, but has been praying for the past 30-plus years. The industry must now ask itself: Does it want to sustain its legacy groupthink by maintaining the status quo, or does it want to remain relevant, now and in the future, and be a part of the solution?

This article might seem out of place coming from a policyholder advocate who is often at odds with property adjusters. However, I feel for them. Their job is not easy and is further complicated by the system that has evolved. Having prepared property claims for more than 20 years, I have seen the process change into what it is today -- and the change is not favorable to the policyholder. Historically, the adjuster was the point person for the insured to interact with. The adjuster was given authority to make judgments as to coverage and measurement of property and business interruption claims, often relying heavily on their expert accountants and engineers to form their opinions. Today, the adjuster is still the point person, but there is a group in the shadows that makes most of the decisions. Much of the authority has been taken away from adjusters, oftentimes putting them in the middle between the ultimate decision makers and the insured. This leads to confusion, delay and frustration by all parties involved. I liken it to the “Telephone Game” -- where you get a group together in a circle and whisper something to the person next to you; by the time the message makes it around the circle, whatever you said has been distorted into something completely different. Just like the game, the insurance process suffers from a communication breakdown that confuses issues and delays resolution. Some would say this evolved out of necessity for the insurance companies. They do need to be on alert for fraud, so close management of the process by those paying the bills is reasonable. However, the point of assigning an adjuster is to avoid micromanaging the process and to delegate some of that authority. Additionally, the adjusters are the closest to the loss and need to be able to make decisions on ambiguous issues. Having them go back to their superiors to clear every agreement defeats the purpose of having an experienced adjuster. There are better ways to prepare for the challenge of claims than pointing fingers: 1. Adjuster Selection - the policyholder may be able to specify certain adjusters and even have them written into the policy. Even though they are subject to the same system, experienced adjusters are more likely to have clout with the insurance company. This may allow them to have more freedom than those adjusters who are less experienced. Additionally, the adjuster will appreciate being a part of your program and will be less likely to create problems. 2. Leverage Underwriters - the insurance business has two sides: sales and claims. These sides do not necessarily communicate. Often, the policyholder can feel that one thing was sold and another is being adjusted. Make sure that the claims side knows that you are willing to involve the sales side if differences arise. While this is not something you want to do on every claim, it can be an effective way to correct the claim adjustment team on issues you feel strongly about. 3. Policy Acumen - Do not assume the adjuster knows how your policy should respond better than you do. Involve your broker and coverage counsel when facing interpretation issues. Often, we see an adjuster make claims of fact about adjustment methods that conflict with our experience with several previous claims. 4. Claim Stance - It is the duty of the policyholder to prepare the claim. Prepare your claim as you see it and be prepared to defend it. Do not leave it up to the adjuster and his team to tell you the number. Understand the areas of your claim that might be subject to debate and prepare your best arguments. Recognize the strengths and weaknesses of your claim and anticipate adjustment attempts. 5. Empathize - It is common to think that the adjuster is out to get you and just wants to minimize your claim. Though it does happen, for the most part, the adjuster is just doing his job. If there are unreasonable positions coming from the adjuster, he is likely just the messenger. Working with the adjuster instead of against him, showing empathy, may just get him to empathize with you and your position. Help him help you! Like with anything, preparation is the key to success. Add a dose of a positive attitude, and you might even enjoy the process. It’s a better approach than the blame game. When you are faced with an insurance claim, having the right perspective, a little understanding and being prepared will make a huge difference. Incorporating these steps will improve your claim outcomes and will help make the most out of any claim situation.

I am a senior citizen. While this distinction entitles me to a variety of perks like discounted movies and bus fare – as well as the occasional free doughnut (seriously) — it’s also a ticket to the identity theft lottery. Turning 50 gets you an invitation to AARP, and turning 65 gets you a Medicare card. What’s this have to do with identity theft? Take a close look at a Medicare card. The identification number? It’s a combination of the cardholder’s Social Security number and one or two letters. Health insurers no longer include Social Security numbers on the cards they issue to people. The concern was that using SSNs needlessly increased the risk of identity theft, which was, and continues to be, rising exponentially. When health insurers made the change, they stopped being co-conspirators in what has become a national epidemic. According an article by reporter Robert Pear in the New York Times, private insurers under contract with Medicare are not permitted to use SSNs on insurance cards when providing medical or prescription drug benefits. But in a serious case of “Do as I say, not as I do,” Medicare has used Social Security numbers on more than 50 million benefit cards, heedless of the warnings of privacy advocates, consumer protection officials, federal auditors and investigators working on identity theft cases. Section 501 of the Medicare Access and CHIP Reauthorization Act of 2015, a bipartisan provision written by Rep. Sam Johnson (R-TX) and Rep. Lloyd Doggett (D-TX), signed into law recently by President Obama, finally mandates the removal of Social Security numbers from our Medicare cards. (Well, let’s just say it begins the process — and, like all processes in Washington, let’s hope it actually gets done before my toddler is eligible for Medicare.) The new law is clear: Social Security numbers must not be “displayed, coded or embedded on the Medicare card.” More than 4,500 of my fellow seniors enroll in Medicare every day. It is estimated that over the next 10 years, some 18 million more of us are projected to qualify, which will bring the total Medicare enrollment to 74 million by 2025. What Lit the Fire? After years of begging, cajoling and warning to no avail, what finally forced both parties in Washington to get off their butts and get it right? Pear speculates that is wasn’t one thing but a set of circumstances starting with the nearly universal digitization of medical records and, of course, ending with a culture plagued by highly effective hackers. Consider that in just the first quarter of 2015 more than 91 million Social Security numbers were exposed to unauthorized persons in just two data compromises: Anthem and Premera. What the new system will look like is still anyone’s guess. Here’s what we know, according to the New York Times article: SSNs will be replaced by a “randomly generated Medicare beneficiary identifier.” Additionally, Medicare officials have eight years to get the new system completely up and running—four years to issue cards to new beneficiaries and four more years to reissue cards to existing beneficiaries. It was unclear whether those two four-year items were to happen simultaneously, but since we’re talking about a government timeline there is an argument for erring on the side of forever. Like all major government initiatives, this will be no small feat. But it is a critical one if we are to stop hearing the pitter-patter of scammer feet tap dancing on the finances of senior citizens. Why did it take so long? Why does the IRS still require SSNs? Because we’re talking about the government. The record speaks for itself:

• 2004 – The Government Accountability Office warns we must reduce our dependence on Social Security numbers as individual identifiers.
• 2007 – The White House Office of Management and Budget directs federal agencies to “eliminate the unnecessary collection and use of Social Security numbers” within two years.
• 2008 – The inspector general of Social Security calls for the immediate removal of Social Security numbers from Medicare cards. The departments of Defense and Veterans Affairs launch major initiatives to delete Social Security numbers from their identification cards.

How about the Department of Health and Human Services, which supervises the Medicare program? Well, let’s just say that according to the Times, the GAO felt that HHS was moving—shall we say—glacially and that it really was all about money. (Forget the fact that identity theft costs America and Americans billions annually.) The Medicare agency is no small operation. It pays close to 1 billion claims from 1.5 million healthcare providers every year. While I understand that the HHS has considerable budgetary and logistical issues when dealing with the identification quagmire, it is nothing compared with the expense and uproar caused by identity theft in the lives of the people HHS serves. That’s a long way of saying that this identification card “modification” is long overdue. In the meantime, what can you do if you’re concerned that your Social Security number is in the wrong hands? Because the number can be used to perpetrate many types of crimes, not just credit-related, the problem can be difficult to track. But it’s still important to check your credit reports regularly for signs of fraud — like new accounts you didn’t authorize. You can get your free annual credit reports from AnnualCreditReport.com, and you can get a free credit report summary, updated every month on Credit.com, to watch for changes. That said, we are not living in a “So it is written, so it is done” age. Congress has to sit on the HHS to get 100% compliance with the law as it was passed. And we have to sit on Congress. And while we are sitting on our favorite 535 federal lawmakers, perhaps they can ask the IRS what’s taking it so long to make some changes — including killing the SSN as identifier — so Americans can stop being such sitting ducks in the sights of miscreants.