Tag Archives: federal law

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.


Distinctive technique: The funds initially get routed to another law firm in the Southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.


Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.


Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of commingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman: Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.

Key Misunderstanding on Oklahoma Option

Most critics and supporters of the Oklahoma option (OKO) have one thing in common: a misunderstanding about the applicability of the Employee Retirement Income Security Act (ERISA). In part, this misunderstanding is widespread because it hasn’t yet garnered the attention of tax authorities and attorneys, and those of us who aren’t tax attorneys are reluctant to engage this subject because we fear we will be misinterpreted as giving tax advice.

Let me be absolutely clear—nothing in this article should be construed as tax advice, as I am not qualified to offer such advice.

But the ProPublica and NPR journalists who assume ERISA must govern the taxation of OKO benefits simply because it governs the taxation of Texas nonsubscription (TXNS) benefits[1] aren’t qualified, either.

Put simply, ERISA’s governance of OKO workplace injury claims has yet to be demonstrated in any way, and it was certainly not confirmed by rulings in 2015 by two federal judges for the Western District of Oklahoma who considered the jurisdiction of federal courts over OKO-based claims and appeals processes.

There was never any intent in the Oklahoma legislation to have ERISA govern the OKO, and the term “ERISA” never appears—not once!—in the language of the Oklahoma law. Even more importantly, two-and-a-half years after passage, there is zero case law to support any claim that ERISA applies to OKO.

These revelations may be counterintuitive for industry insiders and regulators, but what should be intuitive is that state and federal court systems are in charge of ruling on state and federal laws. Consultants, employers, employees, investigative journalists, insurance carriers, brokers, attorneys, ivory tower experts, doctors and conference debaters don’t get to make such calls. The only ones whose opinions matter are the judges in a position to make these determinations, and the only two judges known to have had the opportunity to consider any issue concerning the relationship between the OKO and ERISA concluded that the judges did not have jurisdiction over cases where the employer sought to have ERISA govern employee appeals of decisions regarding occupational OKO claims.

In April 2015, Judge Joe Heaton of the U.S. District Court for the Western District of Oklahoma issued an order regarding ERISA’s applicability to the occupational accident components of OKO plans in the case of Cavazos v. Harrah Nursing Center (aka Marsh Pointe) that, in part, reads:

“Marsh Pointe alleges … that, pursuant to the Oklahoma [Employee] Injury Benefit Act, it has elected to be exempt from the Administrative Workers’ Compensation Act and become a ‘qualified employer’ by meeting certain requirements including the adoption of a written benefit plan. That well may be. Nonetheless, the case [filed by the plaintiff] arose ‘under the workmen’s compensation laws’ of the State of Oklahoma. As such, it may not be removed to any district court of the United States.”

Judge Heaton’s ruling was a narrow one, aimed only at determining whether the federal court could exercise jurisdiction over the case before it. That case had been removed by the employer to federal court from the Oklahoma Workers’ Compensation Commission (OWCC), based on the assertion that ERISA ought to govern the employee’s pursuit of a claim against her employer’s OKO plan. The court held that, regardless of whether ERISA applied to certain aspects of the OKO plan, the employee’s claim arose under Oklahoma’s WC laws and, therefore, a specific federal jurisdictional statute (28 USC §1445(c)) prevented removal of the case to federal court. Judge Heaton sent the matter back to the OWCC, and his order made it crystal clear that such cases cannot be removed to the federal court system.[2] In other words, ERISA (a federal law) does not give federal courts jurisdiction over the occupational accident claims of employees whose injury benefit plans are governed by the OKO (a state law)—no matter how frequently ERISA is referred to in an employer’s benefit plan and regardless of whether ERISA applies to other aspects of that benefit plan.

The Cavazos case was the first real opportunity we had to see whether removal of such claims to the federal courts was possible. Then, in September, Judge Stephen Friot (from the same Western District Court of Oklahoma) followed Heaton’s logic in Vasquez v. Dillards, our second opportunity to see whether federal court involvement in the OKO claims process was available. The decision read:

“The court concludes that the [Oklahoma Employee Injury Benefit Act] is part of Oklahoma’s statutory scheme governing occupational injuries and workplace liability; in other words, the OEIBA is part of Oklahoma’s statutory scheme governing workmen’s compensation.”

The case before Judge Friot was a bit different procedurally, but it came to the same result. In the Vasquez case, the employee received an adverse decision from her employer regarding her claim for benefits under the employer’s OKO plan. She then sought review by the OWCC as provided for in the Oklahoma statute. The employer removed the case to federal court, contending that the company’s plan was governed by ERISA and, therefore, that ERISA pre-empted state law on the issue and that the federal court had exclusive jurisdiction. The employee moved to remand the case to the OWCC. Judge Friot sided with the employee and remanded the case, which was to be expected post-Cavazos. The ruling in Vasquez (which features a more detailed discussion than the one provided by Judge Heaton in Cavazos) concludes that 28 USC §1445(c) (the same jurisdictional statute relied upon by Judge Heaton) barred removal of the case to the federal court, even if, as Judge Friot specifically presumed for purposes of his ruling, the “plan under which [the employee files] claims may be … an ERISA plan.”

The explicit—and antiquated—language from the 1974 ERISA law indicates that ERISA doesn’t apply to “workmen’s compensation.” ERISA’s authors recognized a long tradition of federal deference to individual states on workers’ compensation issues. While the OKO is different from traditional workers’ compensation, in the only cases known to address the issue thus far, the federal court system has concluded that it cannot exercise jurisdiction over the on-the-job injury claims of OKO employees.

Die-hard ERISA champions, as it turns out, can cling just as stubbornly to obsolete ideas as can workers’ compensation stakeholders. But OKO supporters don’t need to win such folks over; the law is already on the side of progress. The OKO clearly seeks to stand on its own, and it doesn’t want ERISA as a crutch. Being free from ERISA has advantages beyond tax implications. The OKO clearly sits much closer to traditional workers’ compensation than does TXNS—and, as such, OKO may be regularly accepted as a replacement in the state’s important oil and gas industry. In both Texas and Oklahoma, the larger energy companies almost always require traditional workers’ comp to be held by contracted companies. That won’t change in Texas, but it very well could in Oklahoma. Moreover, these federal court orders should provide solace to the Sooner State because they suggest the oversight and development of this new creation will be the responsibility of Oklahomans.[3]

[1] See “Inside Corporate America’s Campaign to Ditch Workers’ Comp,” an installment in the Insult to Injury series.

[2] The court remanded the case just two days after it was removed without seeking briefs from either party.

[3] To date, all three branches of the Oklahoma state government have actively or tacitly supported the OKO. At worst, the state has adopted a wait-and-see approach to this new alternative. At best, Oklahomans—sans attorneys—are eager to discover whether the incredibly promising early gains made possible through the OKO are sustainable over the long term.

At WorkersCompensationOptions.com, we’re convinced the gains are sustainable. There’s nothing theoretical about our promise of delivering superior care to employees at reduced costs to employers. We’re already doing it in Oklahoma, and we at WCO are proud to be part of this long overdue transformation.

LiveMed Brings Digital Human Touch

Many tasks and actions have been replaced by digital solutions. This is nothing new. However, sometimes nothing beats a face-to-face with a customer. Now, using a VideoTech platform, Silicon Valley start-up LiveMed replicates the physical face-to-face with a digital one.

I’ll start with an event that happened to me last year. I’ll skip the details, other than to say I was required to confirm my identity and sign a document by a department in a financial institution.

With my passport and utility bill in hand, I went in search of a branch (which isn’t as easy as it used to be, even in Central London). It didn’t help that the fax machine at the first branch I found was out of order, so I had to find another one, which I did! After much back-and-forth on the phone between the department, the branch and me, we completed the process, and I was on my way.

What struck me at the time was how out-of-date this financial institution was. Not just technically or digitally but also in terms of customer experience. And it was completely unnecessary.

Digital FinTechs and InsurTechs have been onboarding new clients in less than 10 minutes, without any physical interaction. Identities can be proven and verified in a matter of minutes with background checks, a photo of your passport and a selfie.

The use of eSignatures is widespread. In the U.S., the Electronic Signatures in Global and National Commerce Act is a federal law put in place to facilitate the use of electronic signatures in commerce (long-form definition on Wikipedia, here). In the European Union, the equivalent regulation is the Electronic Signature Directive (see Wikipedia reference here) that defines the use of eSignatures in electronic contracts within the E.U.

Both these legislative frameworks require the same thing, which is that electronic signatures are regarded as equivalent to written signatures.

Given all this, was it really necessary for me to spend several hours inconvenienced and, frankly, wasting time?

Last month, I wrote about the use of VideoTech in the claims handling process. In that piece, I talked to InsurTech startup Vis.io about its use of video technology to both reduce cost for insurers and improve the customer experience for claimants.

This week, I move to the front end of the insurance process—client onboarding and policy administration—and talk to LiveMed. To tell me how their solution brings together the use of video, customer identification and eSignatures, I Skyped with Silicon Valley-based co-founder and CEO Yair Ravid.

Ravid explained to me, “LiveMed is a platform that allows financial institutions to confirm customer identity remotely, collect signatures remotely and provide a video record of the customer engagement.”

The way it works is simple.

When a face-to-face discussion is required, the insurer emails a link to the customer. This can be for events such as confirming a customer’s understanding of the insurance policy conditions or witnessing the signing of all parts of the policy agreement.

The customer activates the link and is connected via a live video to an insurance agent. The agent uses the LiveMed platform to conduct a secure, face-to-face discussion with the client. The platform allows documents to be shared between the two parties, which they can both review and amend in real time, before both parties sign electronically and the document is locked down.

The whole session is recorded and kept for several years in case a customer disputes the policy conditions or that he even signed the policy in the first place. (If you are interested in an example of a policyholder disputing an electronic signature, read this article in the Insurance Journal about Bonck v White.)

Knowing whom you’re talking to

While digital facial recognition technology (and other biometric measures) are advanced and sophisticated, humans remain better at visual identification. In some jurisdictions, that remains the only option because biometrics are not yet permitted for identity verification.

“Humans understand the face holistically,” according to the study “The Limits of Facial Recognition” by Tim De Chant. And visual identification still carries great weight in the process of verifying a customer’s identity and in fraud detection. Humans are better at assessing if we are who we say we are or if our claim is suspect.

There will always be occasions when a face-to-face meeting is required to complete a transaction. LiveMed enables this human interaction without requiring the customer to go to a branch or an insurance agent to visit the customer’s home.

More than a VideoTech platform

Behind the video interaction, LiveMed’s algorithms verify the authenticity of documents supplied by the customer. Ravid told me, “When a customer brings in a fake document, we have a high success rate at identifying if it is a fake. We’ve developed a solution that takes real IDs, studies different parameters against them and then compares these with the documents being presented. The institution still relies on human judgment, but LiveMed gives the agent a reliable tool to help with the decision.”

The LiveMed platform uses webRTC, an open-source platform that provides browsers and mobile applications with real-time communications (RTC) capabilities via simple APIs. It also runs as a cloud or an on-premise solution to cater to an institution’s specific requirements and policies on security, data and technology.

It is a device-independent platform that delivers both mobile and web. Ravid explained, “We’ve worked hard to make this very easy to use for the customer. Simply click on the link, go online with the agent, finalize or review the document, open the signature box and then sign with their finger. Simple!

“We take any format document or webpage, whatever, and turn them into a series of pictures. This allows changes, sketches and amendments on the screen by both parties, [in] real time. Then these pictures, or pages, are locked and put together and sent to both parties as a record. We are patenting the technology because we believe it to be unique.”

The old-fashioned ways are no longer viable

Asking a customer to come into a branch carrying paper documents just isn’t going to cut it any more. Nor is the cost of sending a representative to meet the customer. In this digital, mobile age, time is precious, and money is tight.

We are also in the consumer protection age of regulation. Financial institutions need to be able to prove beyond doubt that their conduct is acceptable and that customers fully understand the financial decisions they are making.

This requires evidence both parties can rely on should there be a dispute. (See my previous research notes on RecordSure and its use of AI for compliance monitoring.)

With LiveMed, the finance institution “sees” the person in real time without the inconvenience or cost of a physical, in-person meeting. And because the transaction is completed there and then, the insurer doesn’t have to wait for documents to be sent and processed. And both parties can be certain there are no mistakes (that it’s right the first time) because everything is checked and verified on the video call.

What next for LiveMed?

Ravid is one of three co-founders who bootstrapped LiveMed and took the start-up through the UpWest Labs accelerator in Palo Alto. LiveMed has now raised its first $400,000 from seed funding on its way to raising $1.5 million in a Series A. The minimally viable product (MVP) is built and in pilot with several financial institutions, and the new funding will enable LiveMed to launch the platform into the U.S. financial services market.

This article was first published at www.dailyfintech.com 

Obamacare Expands Into Workers’ Comp

The Affordable Care Act (ACA) was created to expand healthcare coverage. Unfortunately, the act has overstepped its bounds and will dip into the workers’ compensation coffers by requiring mandatory reporting for Medicaid beneficiaries.

Medicaid originated in 1965 to cover low-income people with children who had disabilities. State and federal governments fund Medicaid, with the state being the primary administrator. Each state receives direction for the program from the federal government, but eligibility for the program is based on income and assets.

Now the new twist. As of Oct. 1, 2016, state Medicaid programs will be able to recover all of the proceeds from a settlement that were expended on a beneficiary’s behalf. Medicaid will be able to attach a beneficiary’s third-party liability settlement (including workers’ compensation) for the entire amount of the beneficiary’s award – not just the amount allocated to medical expenses. This means funds intended to compensate beneficiaries for pain and suffering, lost wages or any damages other than medical expenses could be subject to the reach of state Medicaid agencies seeking recovery.

This will affect many employers because adoption of ACA has afforded broader coverage under state Medicaid programs, which now include individuals within 133% of the federal poverty level (roughly $32,252.50 for a family of four in 2015) and under the age of 65 years. Medicaid now covers a greater percentage of the workforce.

Since the inception of the Medicare Secondary Payer Act (MSP), the primary focus for the Centers for Medicare and Medicaid Services (CMS) has been on Medicare reimbursement, primarily because there was a lack of federal direction to the states to recognize Medicaid’s rights and because, before ACA, the majority of Medicaid recipients were unemployed. The lack of a recovery process has placed a tremendous burden on state Medicaid programs, because many of them are paying for treatment for individuals who are now covered by workers’ compensation. Medicaid needs to be reimbursed for these expenditures, because voluntary reimbursement has not been successful, resulting in many state programs experiencing insolvency.

The federal laws regarding the rights and responsibilities of recovery from parties in injury cases such as workers’ compensation had to change. These changes translate into digging deeper into an employer’s pockets and taking away more control from the employer.

The National Conference of Insurance Legislators (NCOIL) is developing a model for legislation to assist in recovery efforts. If adopted, this legislation would apply to all workers’ compensation and personal injury claims for medical payments coverage and third party payments for bodily injury from insurers and self-funded primary plans. Rhode Island, West Virginia, Vermont and Kentucky are already exploring “intercept” programs to help comply with the mandatory reporting requirements. Employers that operate in many jurisdictions may have to navigate many different programs as each has distinct reporting and repayment provisions.

Workers’ compensation was never intended to be part of Medicaid. It is only because of the expanded benefit rights from ACA that more employed individuals are Medicaid recipients. Now, not only do employers have to be concerned with MSP rights for Medicare, but they also have to be concerned with Medicaid. While Medicare is a standard set of federal rules, Medicaid will vary from state to state, so compliance is not consistent.

Employees and carriers alike have to be concerned that any settlement arising out of a work-related injury could be subject to “interception” on behalf of the state Medicaid program. No winners here.

While there is no escaping the law, employers can minimize problems by ensuring that they only accept claims that arise out of the course and scope of employment (AOECOE). If an injury did not occur at work or if work did not exacerbate a condition, then it is not a work-related injury and is outside the scope of the Medicare and Medicaid Secondary Payer Acts.

The EFA-STM Program, a book-end solution for the diagnosis and management of soft tissue injuries, has proven effective in helping all stakeholders – employers, physicians and employees – by helping deliver better care for the work-related injury and identifying whether there is a change in condition; i.e. is it work related or not? The program not only is of benefit for the reduction of workers’ compensation claims, it is instrumental in helping all stakeholders navigate the Secondary Payer Acts.


Fraud: the Cost You Will Never See

Do you know one of the large drivers of your insurance costs may be something you will never see listed as a line item by your agent or insurer? This is not a hidden fee the industry masks. It is not one you could ever find or have disclosed. It is the cost we all share for insurance fraud, which is the second largest financial crime in America (behind tax evasion).

In Iowa, the crime of insurance fraud happens when a person or business provides false information to an insurance company in a claim for benefits or in an application for insurance, with the intent to defraud the insurance company. Federal laws also contain provisions related to insurance fraud.

Before being appointed insurance commissioner, I do not recall thinking about insurance fraud much. Because of my experience in the insurance industry, I certainly knew that there was insurance fraud. I recall stories I heard second- and third-hand of people who filed claims on boats that became ruined and then were insured after the fact, or of healthcare providers that billed health plans for procedures that never occurred. But I admittedly did not think about insurance fraud much.

People often think of these types of acts as victimless crimes, because no one is hurt except big insurance companies. However, we are all victims of these acts because fraud affects how much we pay for our insurance.

Insurance regulators see all types of fraud and know the cost is great. According to the Coalition Against Insurance Fraud, nearly $80 billion in fraudulent claims are made annually in the U.S. This figure encompasses all lines of insurance. The Federal Bureau of Investigation estimates that fraud costs each insurance consumer in the U.S. between $400 and $700 annually in increased premiums. These are calculable costs, which probably are far less than the total cost we all pay as insurance consumers, because a lot of fraud is not reported.

In Iowa, we would like to think that there is no insurance fraud. However, the statistics demonstrate a much different picture. On average, the Iowa Insurance Division receives 1.97 referrals each day of potential insurance fraud. From Jan. 1 to Sept. 17, 2015, my team processed 532 referrals with a reported financial impact of $3.7 million. However, only about one quarter of the 532 referrals reported what the financial impact was. Therefore, the $3.7 million is far less than the total financial impact.

Fraud prevention and elimination is a major effort for insurance regulators and insurance companies. It is an area where regulators and companies collaborate. In 42 states and the District of Columbia, fraud bureaus receive and review potentially fraudulent insurance claims. States have robust laws in place to protect consumers and the insurance marketplace from insurance fraud. Companies are required by state statutes to report insurance fraud.

Although these reporting requirements and laws help protect our markets and mitigate the cost of insurance fraud, it is far from eliminated. The need to mitigate or eliminate fraud presents huge opportunities for insurance companies and entrepreneurs to develop innovative tools to combat insurance fraud.

As we all now recognize, insurance companies are big data companies. They possess vast data on their policyholders. This puts insurance carriers in an evolving position to better help deter and eliminate fraud. With advancing data analytics, predictive modeling and simply more data, catching and possibly preventing fraud should become easier.

State insurance departments operate within tight budget constraints. In Iowa, we see innovation and technological developments as very helpful in aggregating data and identifying trends and issues. We are looking to these developments to help us increase efficiency in our investigations so we can combat insurance fraud and protect our consumers.

However, I have no false hope that all fraud will be eliminated. I have every belief that those who want to continue to do damage by committing insurance fraud will also be innovative and adapt to change. In other words, while technology and innovation will help find fraud, the scammers will soon figure out how to get around the new detection methods, too.

Fraud is a fact in every industry, and insurance is no different. However, I believe in the insurance industry there is more opportunity and incentive to commit fraud because of the value of the items insured and the amount of money in play. In addition, because insurance fraud is seen as a victimless crime, it may even be viewed as justifiable. Insurance regulators and companies are improving the capabilities to combat fraud using more technological tools. Credit card companies made tremendous strides in cutting down fraud, and insurance is working toward that goal, too. Innovators and companies that figure out how to succeed in this area will have lower prices and increased market share, and in the end that rewards consumers.