Tag Archives: phone

The Mystery of the Millennial Buyer

For several years, I’ve heard clamor from the agency world about how Millennials’ demands are so different from previous insurance buyers. Well, as a Millennial insurance buyer, I’m here to say… we still have some work to do. We still have a lot of work to do.

According to “Accenture Outlook: Who are the Millennial shoppers? And what do they really want?”, Millennials are exceptionally loyal… if they feel they’ve been treated right. And, we all know it’s cheaper to keep a customer than it is to get a new one.

“Right” is an incredibly subjective term and can certainly get lost in translation in the insurance world. “Right,” in the insurance world, typically means paying exactly what is fair for losses. No more, no less. That’s understandable, and, as someone in the insurance world, I understand the sentiment.

But I’d like to help you to understand how I define “right” as a Millennial insurance buyer.

Educate, don’t sell

The days of the uninformed insurance buyer are long gone. The added value of the agent is around education. Take a step back and help the Millennial customer understand the fundamentals of risk management and see that insurance is one of many tools used to manage risk. Millennials will identify the value that you bring to the purchasing transaction and remain loyal customers rather than commodity-buyers.

Empower them to make good financial choices

You empower Millennials to make smart financial decisions through education. This also means explaining the upsides and downsides of different policy options. For example, explaining how deductibles and premiums correlate, rather than trying to get them to take the lowest deductible. Millennials expect that, when they come to you asking for help in the realm of personal finance, you’ll be looking out for their best financial interests, rather than your commission check. As soon as a Millennial believes you’re NOT looking out for her best interest and are more interested in the sale, you have just made yourself the commodity.

No more fancy terminology

We have an epidemic of insurance buyers who have no clue what they’re buying. “Limit,” “peril,” “liability,” “occurrence” – these are not words the Average Joe and Average Jane have any practical reason to know, outside of purchasing insurance. Millennials won’t settle for someone who isn’t able (or willing) to give the layman’s definition of these terms. This requires you to have a real command of the fundamentals of risk and insurance, rather than a command of policy forms and exclusions.

Embrace technology to increase service

Sure you have a Facebook and a Twitter, maybe you even post regularly, but that’s not what will retain Millennials. Make yourself and your agency available to them on their terms: phone, email, text or social media. Encourage them to take pictures and videos of all their belongings if they don’t want to make an inventory list. Send periodic, non-marketing text messages to encourage safety. (Example: “With the coming cold weather, be sure you clean off your furnace and think about getting it inspected. Build-up can reduce efficiency, which costs you more money and might even cause a fire.”) These are the types of things that will differentiate you and your team from every other agent out there.

As an aside: If you want to serve Millennials, you must make online payments easy. Most Millennials don’t own stamps and are using the same checkbook they got when they were 16 and opened their first checking account.

Humanize them at claim time

Millennials want to be treated like the humans they are when claims hit, which, in all reality, isn’t asking much. Instead of aiming for that minimum threshold, exceed expectations by doing the following when you are notified of their claim: 1) Make sure they’re okay, 2) Check in and see how they’re doing and if they’re worried about anything (lawsuits, another loss, further injury, claim not getting paid, etc.), 3) Make sure you’re communicating with them, in addition to the adjuster, 4) Explain to them how this might affect future premiums. Claims are your time to shine, and, if treated well, Millennials can be some of the most loyal customers you’ll have.

In closing …

Insurance is a paper and a promise

Without anything more tangible than that, it’s not too much to ask to be treated well, as a smart and autonomous human being. If you can show that to your Millennial customers and follow it up at claims time, you’ll crack the nut that is the Millennial insurance-buyer.

The views expressed by the author are the author’s alone and do not necessarily represent the views of Aon or its affiliates. The standard information provided in this blog is for general purposes only and should not be construed as, or used as a substitute for, financial or other professional advice.

Connected Humans, Version 3.0

Whether you commute to work on public transport or fly between busy airports to serve your clients, wherever you go you will see people glued to their phones, tablets or e-readers. More than likely, all these devices are connected to the Internet in real time over a mobile network or capable of connecting via Wi-Fi.

There is so much written on the connected car and the connected (“smart”) home, but we also need to open a discussion about connected humans.

Let me clarify: I have no interest in talking about social networking. I’m more interested in connections from the perspective of tracking health and biometric data to be used by the healthcare and insurance industries for pricing.

A decade ago, we were limited by the technology and the computing power of hand-held devices. Wearables and ingestible devices were nowhere in the ecosystem. It made perfect sense to use historical data to price and sell products based on stale census information.

Technology drivers

Fast forward to the current time. Computing power has scaled exponentially over the last decade. We have devices that can track, store and filter essential lifestyle and health data, and we have predictive analytic capabilities that would make historic rating methods look like the Stone Age.

Market demographics

The growth rate of Millennials earning paychecks is not keeping pace with the growth in the aging population living off savings. If that was not bad enough, buying behaviors of Millennials indicate that insurance is not one of their top priorities. There are numerous surveys you can find online that point to this problem.

We have heard of “gamification” and customer engagement in the context of banking and financial services, to attract Millennials, but insurance and healthcare companies have barely touched the tip of the iceberg on this. The amount of biometric data that can be harvested and used for predictive analytics could include a host of items, including blood pressure, heart rate, vitamin count, sleep patterns, activity metrics and blood sugar, just to name a few. All this information, harvested and analyzed to price and sell a host of new products to new market segments with lifestyle diseases like diabetes or obesity, opens the route to gamification of healthcare apps and much better life insurance pricing. Providers today stop at just providing discounts on the fringes as I see it, not truly revisiting pricing.

With technology evolving at the pace it is and with our ability to get more out of the data through predictive analysis, the healthcare and insurance segment could look very different 10 years from now.

There is a school of thought that says privacy issues will limit the use of biometric data, but, if there is a business model that works for weight watchers and diabetic forums, there is a business case and a market segment to change the way insurance and healthcare products are priced and sold.

Hertz has begun to pitch itself as a used-car sales channel, allowing the consumer to test drive a car for an extended renting period and then buy or not buy the car. In the insurance or healthcare context, if pricing were driven by behavioral patterns and biometric statistics, you could offer an extended free look or evaluation period allowing a skeptical diabetic or obese customer to try devices, see the effects on their health and the corresponding premium discounts and then make a decision on locking into the product.

Insurance and healthcare have not truly embraced the technology and buying behavioral shift of customers. What remains to be seen is who leads the charge. Will it be insurance and healthcare companies? Will it be technology giants like Google, which are already tracking a lot of what people do? Or will it be a company like Tesla or Uber, which has disrupted traditional industry segments where it was never the incumbent?

‘Phone Spoofing’ – Yes, It Can Happen to You

Not so long ago, a senior executive at Insurance Thought Leadership received a phone call on his smartphone in which the caller claimed to be returning a call.  The ITL executive politely let the caller know that he hadn’t called. Then came another “returned” call… and another. Each caller said he had received a call from the ITL executive’s mobile number and that the caller hadn’t left a message. All told, the ITL executive received about a call a day for about a week.

Naturally, he called his mobile provider to find out what was going on. The provider said it sounded like “phone spoofing.”

How It Works

Spoofing is effectively falsifying a piece of identifying information, like a return email address. “Phone spoofing” relates to the number that shows up on caller ID — someone appears to be calling from that number but doesn’t own that number and is really calling from somewhere else. Spoofing is used to trick people into picking up calls they otherwise wouldn’t (and to get around the National Do Not Call Registry). For a shady caller from outside the area – and often the country – a local number is less likely to raise suspicion.

The real target of the scam is the person on the receiving end of the spoofed call. In the past year, attorneys general in Arkansas, Ohio, Pennsylvania and Rhode Island (among others) have all issued warnings related to phone spoofing scams.

If the recipients do answer the calls, they’re treated to a lovely conversation with ethically challenged telemarketers, debt collectors or scammers. And, as with most sketchy callers, they don’t leave a message if the target doesn’t answer. If the recipients are curious about who called, all they have to go on is the spoofed (false) number that appeared in their caller ID. The result: numerous angry “return” calls to the wrong person. In effect, the real owner of the spoofed number is collateral damage.

Spoofing technology is unfortunately cheap and widely available. As a result, anyone with a smartphone can be a victim — though the scam works just as well on landlines.

What to Do to Protect Yourself

The Truth in Caller ID Act of 2009 prohibits anyone in the U.S. from “knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm or wrongfully obtain anything of value….” The act also includes penalties of as much as $10,000 per violation, and related FCC rules note that telemarketers are supposed to display an accurate phone number that can be called during regular business hours.

That all sounds good, but… there are a couple of problems with this scenario as it plays out in the real world. The nature of phone spoofing can make it tricky to figure out who actually made the call in the first place. Moreover, many of the perpetrators are based outside the U.S., effectively placing them beyond the reach of the law. While there has been an attempt to enact an updated version that expands the law’s reach to include calls made to recipients in the U.S. from outside the U.S., it’s naturally moving at the speed of Congress. And, of course, enforcement of that law against telemarketers, etc. based overseas will present an additional hurdle.

Another issue to consider: The FCC tends to view the recipient of the call as the primary victim of a phone spoofing scam. Consequently, “the intent to defraud, cause harm, or wrongfully obtain anything of value” noted in the Truth in Caller ID Act focuses on actions taken against the recipient of the call (as opposed to the real owner of the number in question).

In a somewhat related matter, in late 2013 the Federal Trade Commission (FTC) decided not to amend its Telemarketing Sales Rule to address caller ID spoofing because it didn’t believe that the proposed changes would have any effect on the problem.

As you may have guessed by now, stopping this isn’t easy. It’s fairly difficult – if not impossible – to completely eliminate the risk of having your number used in a caller ID spoofing scam. One step you can take to decrease the likelihood is to reduce the number of places in which your phone number can be found online. In effect, don’t give out your number unless you have to. This includes web contests and other online forms. And if it is required for an online purchase, don’t save that information for next time. That way it – and your credit card details – won’t be there to steal if an intruder subsequently breaks into the retailer’s network.

What to Do if It Does Happen to You?

For starters, you can file a complaint with the FCC.

But, although it’s unlikely that the information on your smartphone itself has been compromised (unless there is an additional, unrelated intrusion), your realistic options are unfortunately somewhat limited once your number is used as part of a spoofing scam.

1) You can block incoming calls, leave a message explaining what happened and, in effect, hope it stops before too long; or

2) You can change your number. Of course, that also means notifying friends, family and professional contacts (and perhaps changing your business cards, too).

If you don’t feel safe, you can also take the extra step of changing your passwords (which is never a bad idea).

And if you would like more information, you can check out the FCC’s Caller ID and Spoofing page.

The silver lining here is that phone spoofing doesn’t equate to your phone – or the data on it – being accessed by someone else. Of course, that doesn’t make it any less annoying or disconcerting if it happens to you.

Happy Ending

In the case of the spoofing against the ITL executive, the system worked as well as possible. The authorities, working with the carrier, tracked the spoofing back to a scam artist in Germany, and an arrest was made.

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protect electronic protected health information (ePHI) on laptops and in other mediums!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI

Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA to, among other things, tighten certain HIPAA requirements, expand its provisions to apply directly to business associates as well as covered entities, and impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement

On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems have been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement adds to the mounting evidence of the growing exposures facing health care providers, health plans, health care clearinghouses and their business associates, and of their need to manage their HIPAA encryption and other Privacy and Security responsibilities carefully and appropriately. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool

While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.
