Tag Archives: Barnes & Noble

How Tech Is Eating the Insurance World

Amazons and Apples and Googles. Oh my…

What do these companies have in common? Devout brand loyalty from the modern consumer coupled with world-leading technology. This poses a massive threat to insurance companies that value ownership of the customer above all else and are seriously lagging on tech. In a post-financial crisis world where financial brands are reflexively distrusted by modern consumers that have incredibly high digital UX standards, technology brands and emerging insurtech startups have a considerable advantage in winning future insurance business.

Amazon, Apple, Google and other tech giants don’t do anything small. It would be foolish for insurers to think that these disruptors will enter the industry to play nice and simply serve as their brokers or lead generators. They have capital in spades, massive captive audiences, piles of valuable data and are perfectly comfortable navigating complicated regulatory landscapes. Insurers like to hide behind this regulatory complexity as a reason to dismiss new market entrants, but this is simply a speed bump for those who want to make insurance a point of focus – not an insurmountable barrier to entry.

The Google Experience

Google dipped its toe in the industry in 2015 with Google Compare and then quickly withdrew in 2016. Insurers like to point to this as the shining example of how technology companies “don’t understand insurance” or how they “underestimate the complexity of the industry.” What they forget (or simply don’t mention) is Google’s core business model – advertising. What is the sixth most expensive word on Google AdWords? Insurance ($48.41 per CLICK!). Who buys that word and drives significant revenue to Google? Insurers. Google’s exit was not the result of execution failure or naivete; it was a consequence of rocking the boat with some of their highest-value advertising customers. The rest of the companies listed above, among countless other tech giants and well-funded startups, do not have that same conflict. Insurers are not immune to disruption from them.

Shifting Consumer Behavior

The modern consumer is a digital native and does not want to speak to people on the phone or fill out piles of paperwork. Consumers want to be offered insurance when it’s top of mind – how they want it, when they want it, from brands they trust, instantly.

One of the biggest problems we see with tech-insurance partnerships is insurers’ insistence on controlling the underwriting and sales process, which creates massive friction with technology companies that offer far superior digital experiences. Consumers don’t want to leave Amazon to start a separate purchasing process on an insurer’s website, and Amazon doesn’t want them to leave its site, either. This is something that is easily solved through API-driven technology systems and programmatic underwriting – words that often give insurers heart palpitations.

See also: What if Amazon Entered Insurance?  

Consumers don’t want to shop around for insurance on quote comparison sites. They don’t want to engage with insurance companies more than necessary or share troves of personal data through an insurance app. They want to purchase insurance when they need it, pay for what they use and never think about it again. Insurance incumbents have responded by building their own apps, offering discounts for more shared data and doubling down on advertisement spending.

Insurance in the Background

Insurance is an important feature, but not always the star product. It’s sold well to the modern consumer either purely digitally or as part of a broader offering – typically at the point of purchase for a non-insurance product or service. That’s an unpleasant thought for insurers that take a tremendous amount of pride in their history, processes and brands. However, letting pride and status quo dictate your business strategy is a good way to get your business killed.

Why not offer homeowners insurance in 15 seconds (not minutes) through fully digital workflow like Kin does? Why not combine cyber protection software and cyber insurance like Paladin Cyber does, so risk is reduced even further in the event of a cyber incident? Why not offer white-labeled SMB insurance to the millions of third-party retailers currently selling on Amazon? Or episodic renter’s coverage directly through Airbnb at the point of booking?

Here are a few reasons why insurers aren’t being more innovative:

  • insurers’ technology simply can’t support seamless distribution through digital platforms
  • insurers/agents/brokers insist on owning the customer
  • insurers don’t want to alienate their traditional distribution network of brokers and agents
  • insurers want full underwriting control through traditional, and often analog, methods
  • insurers don’t want to share data with tech companies but expect tech companies to open their proprietary analytics models to insurers.

This simply will not work.

The Everything Store

Apple already disrupted the warranty space by owning the whole AppleCare stack for themselves. Google has the conflicts discussed earlier. Facebook has the same. As a result, I believe Amazon is the most likely tech giant to make a big splash in the insurance industry as they continue to build their “Everything Store.”

We already see what they’re doing in healthcare, their investment in Acko in India, and rumors about an imminent play in banking. They recently acquired Ring, which has obvious insurance applications, for a reported $1 billion. The writing is on the wall. While I’m not entirely convinced that consumers will search Amazon.com for auto or home insurance, having millions of third-party seller merchants, adding 300,000 in the U.S. in 2017 alone, is a good starting point as far as addressable commercial insurance markets are concerned.

See also: 11 Ways Amazon Could Transform Care  

I am a huge admirer of what Jeff Bezos has built at Amazon, and I’m modeling Boost after what they did in the data storage and hosting space with AWS. It would be foolish for anyone to underestimate the impact a company like Amazon can have on any industry – no matter how old, established or huge the insurance incumbents’ businesses may be. Just ask Barnes & Noble, Walmart, media companies or any grocery store right now.

Will Insurers Ever Learn From Amazon?

You may (or may not) remember that when Amazon.com began in the late 1990s, the single focus of the company was selling books online. One product category, one type of manufacturer, one market focus — people who buy books. At the time, virtually everyone in the publishing industry scoffed at the idea that anyone would want to buy a book they couldn’t first touch. Today, Amazon.com sells all types of products from all types of manufacturers to all types of individuals and businesses every day of the year. No one is scoffing any more — except perhaps the insurance industry.

Just like the publishing industry two decades ago, the insurance industry in facing a once-in-a-generation digital disruption and transformation, and I’m not sure the industry knows it. Let’s look at the distribution of insurance through the lens of an Amazon.com-like buying experience.

Most insurers and distributors automatically start with the typical objections: “Insurance is complex,” they say; or, “What about the regulatory restrictions?”; or, “My agents have to explain the product benefits to the customer.” The knee-jerk reactions make sense in an industry that is mostly agent-centric and that seemingly treats customers with at least some contempt.

We have, after all, built rules around every aspect of insurance: who can buy, what they can buy, when and how they can buy, who they are, where they are located, what they want to insure, how much insurance they need, how much it costs. There are licensing and appointment rules, compliance and regulatory issues, insurance company underwriting requirements, rating rules, policy issue guidelines, premium remittance standards and distributor channel conflict rules, and these may all be different depending on the kind of product – life, accident and health, property and casualty, individual, group, association, employer and so forth. While many of these rules make sense, many others are simply vestiges of “the way things have always been done.” That is a problem for our industry.

The reality is that a consumer doesn’t care about most of the nitty-gritty, inside baseball, that affects all of the above. The consumer cares about being in control of the insurance purchase experience like he is in control of every other shopping experience. That’s not to say the consumer wants to go it alone without an agent necessarily. But it does mean the consumer wants to be able to make that choice — and, today, she can’t. Increasingly, consumers are being schooled on how to buy everything through the convenience of a digital market; why not all of their insurance?

It won’t be long before insurance consumers will expect to access products from multiple carriers, shop, compare, buy their policy with the credit card they pull from their wallet and have their policies, ID cards, welcome letters, privacy notices, etc. instantly delivered to their own online account (not through a carrier). How about the convenience of going to a digital marketplace that remembers each consumer for subsequent transactions? Maybe like Amazon Prime?

I’ve always wondered what the executives at Barnes & Noble, Borders, Simon & Schuster, HarperCollins and Penguin (not to mention Circuit City and J.C. Penney and Sears) were thinking back in the 1990s as Amazon.com started to gain traction. I wonder the same thing now about some insurance executives.

Savvy insurers and distributors will meet consumers where they want to be met and transact business in the digital marketplace. Or they won’t. But if the industry doesn’t go there quickly, someone else will – of that, I’m sure.

Does CGL Cover for Data Breach?

In a highly anticipated May 26 decision, the Connecticut Supreme Court ruled that two commercial general liability (CGL) insurers, Federal Insurance and Scottsdale Insurance, are not required to cover losses in connection with the mysterious disappearance of computer tapes containing employment-related data, including the Social Security numbers, of approximately 500,000 current and former IBM employees in Recall Total Information Management, Inc. v. Federal Ins. Co.[1] Although the insurers in Recall Total won this particular battle, Recall Total’s value as precedent value as insurer-ammunition in their war against data breach coverage under CGL policies is severely limited by a highly unusual fact pattern. Recall Total can reasonably be read to assist insureds facing more typical kinds of data breaches, like the Target breach and many others.

Below is a brief summary of the facts, the key coverage issue, the ruling and five takeaways.

The Facts

The facts of Recall Total are unusual, to say the least: The computer tapes at issue, which belonged to IBM, fell off the back of a transportation subcontractor’s van near a highway exit ramp.[2] About 130 of the tapes were then removed from the roadside by an unknown person and never recovered.[3]

In the wake of this highway misadventure, IBM incurred more than $6 million in expenses to address the incident, including notification, call center services and credit monitoring.[4] IBM sought indemnification from its vendor, Recall Total Information Management (Recall), which had contracted with IBM to transport off-site and store the computer tapes at issue.[5] Recall settled with IBM and, in turn, sought indemnification from its transportation subcontractor, Executive Logistics (Ex Log), which lost the tapes after they fell off its van during transit. Ex Log agreed to pay more than $6.4 million to Recall and assigned to Recall its rights under a $2 million primary CGL policy and a $5 million umbrella policy following a coverage tender and denial.[6] Ex Log and Recall then initiated coverage litigation.[7]

Key Coverage Issue: Was There a “Publication”?

ExLog’s CGL policy at issue, similar to the current ISO standard form CGL policy,[8] states in relevant part that the insurer “will pay damages that the insured becomes legally obligated to pay … for … personal injury.”[9] The policy defines the key term “personal injury” to include “injury … caused by an offense of … electronic, oral, written or other publication of material that … violates a person’s right to privacy.”[10]

The Ruling

The intermediate appellate court, in a decision adopted by the Connecticut Supreme Court, appeared ready to find, or at least was not averse to finding, “publication” satisfied if there was any evidence of access to the data. Based upon the unique facts, however, the intermediate appellate court determined that the “publication” requirement was not satisfied because there was no evidence that the data on the tapes, which could not be read by a personal computer, “was ever accessed by anyone”[11] — let alone used it for “any improper purpose.”[12]

As the intermediate appellate court stated, there was not even any evidence that the party who took the tapes “even recognized that the tapes contained personal information.”[13] Under these unique facts, and the fact that no IBM employee had suffered any injury, the court determined that it was “unable to infer that there has been a publication” and concluded that “[a]s the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.”[14]

In a brief per curiam opinion, the Connecticut Supreme Court affirmed on the basis that there was no “publication,” noting that “[t]here is no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.”[15]

Takeaways

  1. The “Access” Lacking in Recall Total Is Present in Many Data Breach Cases

Recall Total is of limited utility to insurers seeking to avoid CGL coverage for data breaches given its peculiar factual setting. As the decision makes abundantly clear, it hinged on the fact that there was no evidence of access to the sensitive data. In fact, there was no evidence that the data could be accessed — or even that the party who took the tapes was aware that they contained sensitive data. This is in stark contrast to a typical data breach fact pattern, in which there is no question that sensitive information was accessed. In breaches like Target, and innumerable others, information is specifically identified and targeted by the actors taking it, and then used for criminal activity. In those cases, there is abundant evidence that the data in question was accessed.

  1. Other Courts Have Found the CGL “Publication” Requirement Satisfied Without Proof of “Access” in the Data Breach Context

Although “access” to data may be required under Connecticut law, courts in other jurisdictions have appropriately determined that the CGL “publication” requirement can be satisfied without proof that data was accessed. In one recent case involving the alleged posting of confidential medical records on the Internet, for example, the Eastern District of Virginia determined that “publication” does not require proof of “access”: [T]he issue is not whether a third party accessed the information because the definition of “publication” does not hinge on third-party access. Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it. By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.[16]

The bottom line: access to data storage devices alone, including laptops, may suffice to satisfy the “publication” requirement in other jurisdictions — and even in Connecticut under a different set of facts.

  1. Insureds Must Be Prepared to Fight to Secure CGL Coverage

The insurance industry has made it abundantly clear that it does not want to cover “cyber” and data privacy related exposures under CGL policies. Although there is potential valuable coverage under CGL policies, insureds should expect that they will need to fight to secure it. Insurers routinely assert, among other things, that there has been no “publication” of data. The good news is that if insureds decide to fight for coverage, they may well prevail. Many courts have upheld coverage for data breaches and other claims alleging violations of privacy rights in a variety of settings.[17]

  1. Insureds Should Be Aware of New CGL “Data Breach” Exclusions

Insurance Services Office (ISO), the insurance organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[18]   The exclusions became effective in most states in May 2014 and began appearing on new placements and renewals, in various forms, almost immediately.[19] Although it is important to be aware of new, potentially limiting, coverage terms, it also is important to recognize that the applicable policy in a data breach situation — where breaches often are discovered long after the “occurrence” that triggers coverage — may predate the newer exclusions. Where policies do contain the newer exclusions, insureds should not assume that they necessarily void coverage. Coverage will depend on myriad factors, including the particular facts of the case, specific policy language and applicable law.

The very existence of the exclusions, moreover, illustrates the insurance industry’s awareness that there is valuable potential data breach coverage under CGL policies. Indeed, when ISO filed the newer exclusions, it acknowledged that there currently may be data breach coverage for data breaches under CGL policies and advised that the new exclusions may be a “reduction in personal and advertising injury coverage”: “At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent, and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information. . . . To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[20] 

The implication is that the insurance industry understood there was CGL data breach coverage in the absence of the new exclusions.

  1. Organizations Are Advised to Consider Cyber Insurance

Given the insurance industry’s clear indication that it does not want to cover data breaches under CGL policies, organizations are advised to consider purchasing cyber insurance. In addition to providing defense and indemnity coverage in connection with claims arising out of a data breach, among many other types of cybersecurity and data privacy-related exposures, cyber policies generally cover a range of “crisis management” expenses, such as attorney “breach coach” fees, notification to potentially affected individuals, forensics, credit monitoring, call centers, ID theft protection and public relations efforts, which often are required after a breach of any consequence.

Cyber insurance coverage can be extremely valuable, but choosing the right insurance policy presents a real and significant challenge. There is a diverse and growing array of cyber products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Because of the nature of the cyber insurance and the risks that it is intended to cover, a placement should include the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel, information technology professionals and compliance personnel, among other key internal players — and insurance coverage counsel well-versed in this challenging and dynamic line of coverage.

[1] — A.3d —-, 2015 WL 2371957 (Conn. May 26, 2015), aff’g 83 A.3d 664 (Conn. App. Ct. 2014).

[2] Recall Total, 83 A.3d at 667.

[3] Id.

[4] Id. at 668.

[5] Id.

[6] Id.

[7] Id.

[8] The current standard industry form states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a., §14.e.

[9] Recall Total, 83 A.3d at 672.

[10] Id.

[11] Id. at 673.

[12] Id.

[13] Id. at n.9 (emphasis added).

[14] Id. at 672 (emphasis added).

[15] Recall Total, 2015 WL 2371957, at *1.

[16] Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 35 F.Supp.3d 765, 771 (2014).

[17] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1,000 per person under the CMIA and statutory damages of as much as $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of … electronic publication of material that violates a person’s right of privacy”).

[18] One of the exclusionary endorsements, entitled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form CGL primary policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.

CG 21 08 05 14 (2013).

[19] See Roberta Anderson, “Coming To A CGL Policy Near You: Data Breach Exclusions,” Law360, April 23, 2014.

[20] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).