Tag Archives: tcpa

The Bad Actors Among Lead Sellers

In today’s online shopping environment, lead sellers and lead-buying marketers alike work well together toward the same goal of delivering a great customer experience; however, they often struggle with an array of challenges along the way.

The Evolution of the Lead Seller-Lead Buyer Relationship

The relationship between online lead sellers and lead buyers began as a very simple one, in the late ’90s. The lead seller was also the lead generator—who dealt directly with the lead buyers.

But it wasn’t long before small- and medium-sized publishers realized they could make money by generating leads that they would then sell to the large lead generators that had direct relationships with the lead buyers.

This resulted in lead generators that would also aggregate leads generated by smaller publishers. By the mid-2000s, the large generators and aggregators began to monetize individual leads further by sharing them with other large generators and aggregators that had unique end-buyer relationships.

Initially, this transpired in a private, trusted transaction environment with strict rules in place that were easily enforced. Two companies worked together to maximize the monetization of each other’s leads. Collectively, they made more money, and the consumer had more options available. It was a win-win-win for everyone in the ecosystem.

As more of these private sharing arrangements developed (driven by the additional monetization opportunity), the technology evolved to support it. Hence the ping post ecosystem, which publishers, aggregators and generators leverage to best monetize leads. Much like in a stock exchange, sellers and buyers come together to create an efficient market with a variety of options for the consumer, and the highest bidders are typically the entities with the best consumer offer.

The Present State of the Lead Seller-Lead Buyer Relationship

In insurance, the relationship between sellers and buyers is generally strong, as long as the publishers, aggregators and generators play by the rules.

For example, leads should only get sold to a certain number of buyers in a shared-lead world, and exclusive leads should only be sold to one buyer. Other examples of rules include:

  • No manipulation of the consumer data
  • No recycling of leads later
  • No fake leads
  • No non-TCPA-compliant leads
  • No incentive-driven leads
  • No unauthorized sales to stated end-buyers

It is the “bad actors” that don’t play by these rules in the ping post ecosystem that can cause significant problems. We can look to the evolution of the mortgage and education verticals to learn how to solve these problems.

Solutions for Today’s Lead Seller Challenges

TCPA Compliance. One of the most stressful challenges that lead sellers face today is TCPA compliance. Given that TCPA case filings increased more than 940% between 2010 and 2015, coupled with the fact that consumers are being encouraged to file suits by some law firms, the TCPA has become a huge hurdle for sellers to overcome.

Both lead sellers and buyers must avoid exchanging non-TCPA-compliant leads and make sure they have persuasive evidence of consent in the event they, or end-buyers, face a complaint or lawsuit.

Measuring Consumer Intent. Another challenge sellers face is gaining the ability to measure the intent of each consumer.

With insights into the individual consumer journey, you gain the ability to measure the intent—and therefore the value—of each lead. There are technology solutions available that enable you to measure consumer intent.

Those Bad Actors Not Playing by the Rules. Many lead buyers are actively leveraging technology to validate consumer data as “good data,” and some are using de-duping solutions to minimize buying the same lead twice.

In the ping post ecosystem, much of the data on the origin and history of a lead is “contributed data.” The challenge of eliminating old or recycled leads, dupes, fake and no-intent leads stems from a lack of ability to verify that “contributed data” as fact. For example, an insurance lead aggregator buys a lead from another aggregator or from a generator and agrees to only sell the lead once and only to one, specific insurance provider. This is contributed data, but there is no way to validate it as fact. What sometimes happens is a bad actor will sell that lead to other insurance providers or hold it for a week or so then sell it again—a recycled lead. There is no transparency and little accountability.

To validate contributed data as factual, you have to establish a “chain of custody” to verify that each lead seller participating in the ping post system is playing by the rules. Then, if there is ever a problem or complaint, you have data to help the lead generator or buyer that is experiencing a problem identify where in the chain the problem occurred and expose the bad actor.

The Most Crucial Area for Improvement

Improving Lead Value – To continually improve relations with their buyers, sellers always seek ways to cultivate greater value in their leads.

The simplest solution is for sellers to distribute the highest-intent leads possible and do everything possible to eliminate selling “no intent” leads to their clients.

To best accomplish this, sellers must require any upstream publishers and generators to adhere to the simple rules that sellers and buyers have established and have a mechanism in place to verify any contributed data surrounding exchanged leads. If anyone is still following the antiquated practices of a bad actor, it’s going to catch up to them eventually.

Bad actors are bad news for the entire ecosystem, leaving a bad taste in the mouths of buyers that can cloud relationships with reputable sellers and result in a deterioration of value to all participants. By exposing the bad actors, sellers can avoid a race to the bottom, ensure they deliver a great consumer experience and deliver high-intent leads—and the resulting growth opportunities—to buyers.

Technology is available to the lead-gen industry today to enable the chain of custody and associated data trail. We encourage everyone to join this insurance industry initiative.

Telemarketing: Why You Could Get Sued

The Telephone Consumer Protection Act (TCPA) requires prior written consent for calls and texts to consumers’ mobile phones and for prerecorded telemarketing calls to residential landline numbers.

TCPA lawsuits filed by consumers are on the rise — growing by a factor of 12 from 2010 to last year — and a number of large insurance brands have been part of multimillion-dollar TCPA settlements.

To mitigate TCPA risk, Jornaya works with brands that are dialing out on third-party leads and leads generated from their own websites. The process begins with ensuring that the websites where consumers are interacting display TCPA-compliant consent language and that consent to be contacted was given by the consumer.

After a consumer agrees, and when a brand leverages a call center to get consumers on the phone and deliver warm transfers, how does the brand know that the consumer gave consent to be called and that there is proof of it?

How the Lead Form to Warm Transfer Practice Works

Consumers fill out lead forms, and the publisher’s call center (or separate entity that acquired the lead in the ping/post ecosystem) dials the consumer to make contact, qualifies the consumer’s intent to get an insurance quote, receives the consumer’s agreement to speak with an insurance agent and warm transfers the call to the brand.

Typically, when the live call is transferred, the consumer’s Caller ID is what the brand sees; therefore, it appears that the consumer is calling the brand directly.

In actuality, the call was transferred via the third-party call center. If the publisher of the lead being called was not the same company that is placing the calls, then that publisher has sold the lead to another entity that is dialing/transferring the lead to your brand.

This puts your brand two steps away from the lead form being filled out, making it difficult—if not impossible—to ensure that the consumer was exposed to TCPA-compliant language and gave the appropriate consent to be contacted.

Without a way to ensure that consent was provided, and without persuasive proof of that consent, the brand is taking on the risk of being sued for violating TCPA law simply by answering the inbound phone call. With an increase in these kinds of call marketing practices, we’ve seen a parallel increase in these lawsuits.

An insurance carrier or agent has no idea whether there was consent because he doesn’t know the origin of the phone call. If it’s an actual consumer calling directly, you’re fine. If it’s a warm transfer from a call center that dialed a consumer that filled out a lead form, it may not be possible to get that proof of consent. At a minimum, it will require a significant amount of effort to piece together all the steps the call went through.

Some brands still aren’t concerned about the TCPA exposure with regard to warm transfers, because they assume the burden lies only with the company that is actually dialing the phone–in this case, the call center.

But the fact that you’re not the one making the outbound call does not necessarily absolve you of the responsibility nor dissuade attorneys from dragging you into the lawsuit, costing time, money and damage to your brand. Recently, lawsuits have popped up from this practice, where all parties involved are named in the lawsuit, including the brand buying the warm transfers.

What You Can Do to Protect Your Brand

  1. The first step is to work with your call sources/partners to understand how they are driving calls to you. Explicitly ask them if they are driving calls via warm transfers.
  2. If they are, ask them if they are dialing out to consumers who have filled out an online or mobile lead form.
  3. If they are, it is critical that you have a way to trace the call data to the original lead form.
  4. You then need to know definitively that the consumer consented to be contacted on the lead form and have persuasive proof the appropriate consent took place.

How Bad Leads Are Like Fake News

“Fake news” is a hot topic in the wake of the 2016 election. We’ve found ourselves questioning articles we read before we share them on our Facebook page or tweet them out to our followers. The internet is littered with stuff like the “Pope Francis shocks world, endorses Donald Trump for president” story, and it can be frustrating and time-consuming trying to determine if the news you’re reading is fake.

Similarly, many insurance marketers are challenged each day with the frustrating and time-consuming task of separating “fake leads” from legitimate leads.

Agents refer to low-quality leads as aged leads, fraudulent leads, manufactured leads, manipulated leads. Whatever you call them, they are leads sold to you that should not be sold at all. Those who are not following through on promises made or adhering to the directives in the ping post ecosystem are perpetuating this problem.

Nothing diminishes agent morale more than when customers say they never filled out a form or they filled it out two months ago. Our recent work with insurance providers in examining the origin and history of leads purchased has revealed that as many as one out of every three leads is from a consumer having no, or very low, intent.

Without clarity into the lead generation process and where consumers are in their purchasing journey, agents and carriers are often subject to fake leads, aged leads, a negative customer experience and ultimately, wasted spend and wasted effort.

Additionally, if a consumer never filled out a form (or did so months ago) and receives calls, insurance marketers are ripe targets for TCPA lawsuits.

As Jornaya clients have found, including one auto and home insurance company that shared its experiences in a recent case study, two key metrics that are especially effective in gauging consumer intent are lead duration and lead age.

Lead duration is the amount of time it takes a consumer to fill out a lead form, from the moment the first form field is filled out to the moment the form is submitted. A lead form that was filled out in less than five seconds was probably not completed by a real person and is likely the work of a bot, or automated program.

For recent aggregated data from insurance clients, we found that 17% of leads had a duration of under five seconds!

Generally, our clients have found that consumers who took two to 60 minutes to fill out the lead form had a much higher likelihood to convert.

Lead age is the actual, measurable time from the instant a consumer submits an online lead form — i.e., when the lead was born — to when the agent receives it.

Many leads that carriers and agents buy are actually much older than advertised. For recently aggregated data from insurance clients, we found that 13% of leads were more than one week old! Typically, leads that were more than an hour old had a much lower propensity to convert.

Armed with new consumer journey intelligence, insurance marketers can work more confidently with lead providers to improve these metrics or take action on the data to only buy leads that fall within the ideal duration and age parameters and then reinvest those dollars in better leads.

So, what now?

We have partnered with lead generators and aggregators to lead the charge in minimizing the bad leads, and we are working to recruit additional partners to the effort. We’re also partnering with a growing number of insurance carriers and agents to initiate actions that will expose and minimize the impact of bad actors in the insurance lead gen space.

This will have a positive impact on the ecosystem in a variety of ways:

  1. It will help lead buyers spend less time and money on no-intent leads. This will foster higher performance because those brands can spend more on leads feeling confident that they are higher-quality. This also means that they can scale their lead programs confidently without worrying about strong starts that go awry once they start to scale.
  2. Lead sellers will be confident that everything will become more efficient and effective for every lead they exchange with the ping post ecosystem. They will have fewer returned leads from buyers, which will allow them to accurately forecast monetization and improve their matching decisions. Not to mention that their lead buyers will be more satisfied with their service and increase demand for more leads. New insurance providers will initiate lead-buying programs, and carriers and agents that stopped buying leads will jump back onboard.
  3. There will be less TCPA exposure for all the players in the ecosystem.
  4. The fake leads will not survive – they will be flushed out, exposed and eliminated.

We’ve already seen first-hand how knowing where consumers are in their shopping journey can help brands drastically improve their lead programs and results. We look forward to expanding partnerships on both the lead seller and buyer sides and returning to the original promise of a great experience for the consumer and insurance provider.

For more information on improving lead quality in your insurance marketing lead generation programs, read our white paper How Insurers Can Hit a Lead Gen Home Run.

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 million.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

  • costs associated with post-data breach notification
  • credit-monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types of coverage, as well, including media liability coverage (for claims alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.