Articles Posted in Insurance

There was an interesting article in Wired.com, the magazine, recently that put a new twist on an old topic: What’s the best way to make sure the internet, and all of the information that travels on it every day, is safe? How do you really make cybersecurity secure? After all, the safer the information, the more secure people will feel, and the use of the web, for everything from e-commerce to portable electronic healthcare records, will grow. The flip-side is just as true: the more hacks, hackers and data-breaches, the slower the pace of progress. The good will be harder to come by if the bad is hard to avoid.

Peter W. Singer, who wrote the article, entitled, “How to Save the Net: A CDC for Cybercrime,” which was posted on 08.19.14, 6:30 a.m., proposes an interesting idea.

The CDC, otherwise known as the Centers for Disease Control, is much in the news recently. Chances are, if you’ve seen news stories about the Ebola outbreak in West Africa, or the MERS outbreak earlier this year, the CDC has come up in more than just passing. It’s the clearinghouse for health related information, combating communicable diseases, the world over. There was just an article, by Betsy McKay, Nicholas Bariyo, and Drew Hinshaw, that appeared in the August 23-24, 2014 Weekend Edition of the Wall Street Journal in the Review Section, which talks about the invaluable help the CDC gave to another country that used to be at risk of virulent Ebola outbreaks. Uganda used to send blood samples to the CDC’s facilities in Atlanta, to be screened for Ebola. Now, thanks to technology and training the CDC provided, Ugandans do the same for themselves, in country, which lets them detect outbreaks of the deadly virus sooner, respond to them quicker, and stop them before they do large scale damage.

A central clearinghouse for ideas, both proven and proposed, to safeguard digital information seems like a good idea. Having a one size fits all approach, in which the government entity is the one upon whom everyone fighting the problem relies, may not be. That’s not really even the job the CDC is doing with Ebola.

Look at how the Federal Trade Commission is policing cybersecurity: the whole point of its Reasonable Precautions cybersecurity standard, and its enforcement, and codification, on a case by case basis, is that “Reasonable Precautions” become reasonable, or not, based on the particular facts of a given situation. What might be the right protection for digital information exchanged between wholesale distributors and retailers, might not be sufficient to protect information between retailers and consumers, and that in turn might not be enough to safeguard patients’ healthcare histories when they are exchanged among medical providers. What might be a commercially reasonable effort to safeguard information in one industry, might not be in another.

The FTC encourages individual companies, and the industries in which they compete, to voluntarily join together to ensure data security. By making the terms Industry Standard Practices and Commercially Reasonable Efforts mean something substantive, companies can protect themselves against FTC enforcement actions for lax data security, as we’ve previously noted. Look no further than the April 7, 2014 decision of U.S.D.J. Esther Salas, in The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants, Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey, to see why. If a company can’t figure out what the FTC wants it to do to protect its customers’ data, then it should create, and live by, Industry Standard Practices which will become Commercially Reasonable Efforts if all the major companies in the industry implement them. Many companies already say they do this anyway, right in their privacy policies. Instead of meaningless legal verbiage, make the terms mean something concrete; show they can work, and the FTC will have little to complain about, even if those efforts occasionally fail. Some of the most vulnerable industries, including retail, are banding together to do just that.

The Retail Industries Leaders Association, or RILA, as we previously noted, formed a voluntary clearinghouse, known as the Retail Cyber Intelligence Sharing Center, or R-CISC, to develop and share industry leading practices in cybersecurity, by communicating amongst themselves information they learn regarding threats and defenses. The reported backers of the initiative have put in a lot of effort: they’ve conferred with cybersecurity experts and involved interested government agencies. They also have a lot at stake: credit cards and financial information are common targets; just ask the RILA members.

One main benefit of a CDC for the wired world, according to Peter W. Singer, is the trust and confidence it will bring to all those who rely on it. By bringing the best and brightest together under one centralized government-funded roof, it would allow users to know that independent experts, with their best interests in mind, were on the job, fighting off the bad guys. That’s a good thing; but is that the only way to achieve it?

What if the businesses which hold their customers’ information on line were held accountable for not doing enough to protect that data? What if they faced the loss of business, and profits, as well as a government enforcement action, if they didn’t do enough? What lengths would they go to in order to keep their customers’ trust?

If you look at some quotes in the RILA press release, from the people involved in forming the R-CISC, you’ll see that trust is a recurring theme there, too:

There are a few recent news stories that business owners, fraud investigators, and consumers should be aware of. Though not necessarily related, they point out the ever-growing need to protect digital information and the consequences for those who do not. Cybersecurity, it seems, is something that will affect everyone, eventually.

The topic of the first story, unfortunately, is common; the numbers, thankfully, are not, though we should all hope they stay that way. According to an article by Danny Yidron in the Wall Street Journal, which was last updated at 2043 hrs Eastern Time on August 5, 2014, a gang of Russian hackers has amassed 1.2 billion stolen user names and passwords from approximately 500 million unsuspecting people. According to the private security firm that discovered the theft, Hold Security in Milwaukee, the hackers obtained the information from 420,000 websites, allegedly ranging from leaders in major industries to small businesses and personal websites. No measurable harm evidently has come from the theft, at least not yet. The hackers reportedly so far are using the data only to send spam messages on social media accounts. That doesn’t mean the people whose information was stolen are free and clear: There is a growing trend in recent years, according to the report, where cybercriminals amass online credentials for later use. While that later use isn’t specified, it shouldn’t be all that hard to determine. Consumers, according to the report, often use the same user names and passwords across various websites. If a hacker learns a user name and password for one account, it’s not that hard to imagine that the hacker also could gain access to the consumer’s other accounts, including on websites that store, or have access to, the consumers’ financial information, including credit card numbers.

In order to see the harm that was done already, merely because the hackers have the user names and passwords, you have to remember that just exposing your customers’ confidential information sometimes is enough to trigger an enforcement action by the Federal Trade Commission to force businesses to take reasonable precautions to protect their customers’ digital information. If you remember the LabMD case, which we already spent some time discussing, the FTC’s claims of unfair or deceptive acts or practices in, or affecting, commerce, were directed against LabMD for allegedly inadvertently posting the confidential information of less than 10,000 individuals on a file sharing platform that was intended to share music files instead. During the FTC’s administrative law trial against LabMD, it reportedly did not even plan to present any witnesses who were the victims of the alleged ID theft; exposing the information, allegedly, was enough.

We’re not comparing the theft of user names and passwords to exposing confidential health information, which allegedly is what occurred in the LabMD case. Allowing the theft of user names and passwords could lead to some real trouble, though, especially if it leads to the theft of user financial information, such as credit card numbers. That leads straight to the second news story.

What does investigating Insurance Fraud have in common with the FIFA World Cup currently taking place in Brazil? More than you might think, especially if you’re a world-class goalie trying to stop a penalty kick.

The hardest job in all of soccer, or football as the rest of the world calls it, arguably is that of the goalkeeper on a penalty kick. Think of how big that goal really is. Now think of how small that keeper actually is. There is no comparison between the two. Add in the fact that tied games are decided on penalty kicks, and you’ll understand the pressure involved, especially when you’re playing for the World Cup and know that two World Cup Finals have been decided on penalty shootouts. Many people complain about how unfair it is to decide a game that way, especially when, as they see it, a goalie has to get lucky to stop a penalty kick. Just yesterday, Sunday June 29, 2014, an article in the New York Times by Rob Hughes lamented the fact that Brazil just beat Chile on penalty kicks, especially because Chile’s last one didn’t go in because it hit the goalpost.

How does a keeper have any chance at all to stop the open, unimpeded shot, from 12 yards away, when the penalty-taker has all that room to kick at? As it turns out, he does it in much the same way a fraud investigator detects a lie: He does his homework, knows what to look for, and then goes on instinct. Unlike a fraud investigator, though, not many people expect the keeper to get it right.

A study recently was conducted to see if there was any way to help the goalkeepers with their nearly impossible task. It came up with a few answers, which also, though inadvertently, may give some pointers on how to conduct a fraud investigation. Entitled “The development of a method for identifying penalty kick strategies in association football”, it is authored by Benjamin Noël, Philip Furley, John van der Kamp, Matt Dicks and Daniel Memmert, and is published in the Journal of Sports Sciences.

Figuring out whether someone is lying or telling the truth isn’t easy, as we’ve previously written.

Investigating Insurance Fraud isn’t easy, either. Just ask anyone who works in SIU, and they’ll tell you about the legwork involved: the interviews to take; the documents to get and go over; the data to analyze. And it all comes down to one thing: Is the person who’s making the claim, telling the truth or lying? That, as we’ve previously written, probably is the hardest question for the fraud investigator to answer.

If the insured is lying about something important, something material and relevant to the investigation of the claim, chances are here in New York he won’t recover anything. If the insured claims he had a lot of expensive, scheduled, jewelry stolen, but it wasn’t, chances are he’s not going to recover anything under his policy. If the insured claims that, when his house burned down, he had a lot of costly new electronics and clothes destroyed, and he’s telling the truth, he’ll get what he’s entitled to under his homeowner’s policy. If he’s lying, though, chances are he won’t get a dime, even for the house.

It’s not always easy, though, to know when somebody’s lying. We’ve all heard the classic telltale signs: A person is lying when he blinks rapidly; looks away; looks up and to the side; has dry mouth. The only problem is, so has the liar. Ask yourself: is someone who is basically trying to steal money, and has to lie to get away with it, going to advertise that he’s lying?

As we just talked about in our last article, in order for an insurance company to deny a first-party property claim in New York because of arson, and make that denial stand up in court, it has to prove that the insured intentionally caused the fire, and it has to do so by clear and convincing evidence. That is not always an easy burden of proof to meet. There reportedly is an exciting new tool being developed that might make proving arson, i.e., that a fire was intentionally set, easier and help arson investigators become even more effective in determining who caused the fire.

Researchers from the University of Alberta and the Royal Canadian Mounted Police, working in tandem, have developed a new computer program that can pinpoint the presence of gasoline in debris taken from a fire scene. What makes this so important is that gasoline, according to the researchers, is the most common accelerant found in arson fires; evidently preferred by arsonists everywhere. By making it easier to detect, and confirm, the presence of gasoline, you stand a good chance of making arson easier to prove and less profitable to attempt.

What makes the new tool so helpful, is that it often is difficult to confirm the presence of an accelerant in debris taken from a fire scene. No two houses, buildings, or fire scenes, are exactly alike; they contain different mixes of materials. Different materials leave behind different chemical compounds when burned, and these can mask the presence of an accelerant such as gasoline. The researchers, in effect, developed a computer filter that can by-pass the background noise to pinpoint the tell-tale signs of gasoline. They developed their tool by examining data from 232 samples taken from fires across Canada; by using real-life debris rather than merely relying on simulations, the researchers say their tool is dependably accurate.

Currently, determining whether there are traces of an accelerant left behind at a fire scene is time-consuming work. According to the researchers, the Royal Canadian Mounted Police have two separate forensic scientists examine each sample to see if their findings agree; this can take several hours for each sample, and there normally are three to four samples per fire. The newly developed computer program shrinks this time substantially. The first scientist still will have to analyze the debris herself, but will be able to confirm her findings in seconds, rather than hours, by using the computer program. A second forensic scientist will not have to analyze the debris unless the computer program’s findings disagree with those of the first scientist.

It takes a lot to deny a first-party property claim in New York because of arson. It is not much easier to make that denial hold up in court. As we’ve previously mentioned, when an insured seeks to recover for fire damage under his own policy of insurance, i.e., when he makes a first-party property claim, the burden of proof is on the insurer to establish the affirmative defense of arson, and it has to do so by clear and convincing evidence. Perhaps the best way to understand what that abstract legal rule means, though, is to see how it is applied to actual, real-life claims. There is a case, from not that long ago, Maier v. Allstate Ins. Co., 41 A.D.3d 1098, 838 N.Y.S.2d 715 (3rd Dept. 2007), that does a good job of showing just what type of evidence you need in order to establish an arson defense in a civil case.

The Plaintiff in Maier v Allstate, supra, owned a home in the Town of Sand Lake in Rensselaer County, in upstate New York. For a long time he lived half of the year in Sand Lake and the other half of the year he rented a home in Florida. The same day he was going to move to Florida permanently, a fire completely destroyed his Sand Lake house. The Insured tried to recover for the property damage under his homeowner’s policy of insurance with Allstate; he submitted a sworn statement in proof of loss, making claim to recover a total of $240,000.00 for damage to the house, personal property, and debris removal. The insurance carrier paid off the $92,000.00 remaining on his mortgage, pursuant to the standard mortgagee clause in the policy, but denied the Insured’s claim. When the Insured sued to recover under his policy, the insurance carrier asserted arson as an affirmative defense. After a bench trial, the carrier won and the complaint was dismissed. Not liking the verdict, the Insured appealed. The Appellate Division, Third Department, upheld the verdict. In other words, the carrier met its burden of establishing, by clear and convincing evidence, that the Insured intentionally caused the fire. The evidence the insurance company used, and the trial and appellate court relied on, shows how arson sometimes can be established through even conflicting, circumstantial evidence.

Arson means that the fire was intentionally set. One thing you normally look for to establish arson is the presence of an accelerant, which is a combustible material used to help start, or spread, the fire; think of a flammable liquid such as gasoline. If you find evidence that an accelerant was used, chances are the fire did not start accidentally. Here, there was conflicting evidence about whether or not an accelerant was used:

  • The County’s fire investigator used a specially trained dog to determine that traces of accelerant were found near the entrance to a bedroom that had a burnt-out mattress. The Insured argued the dog’s actions did not clearly confirm the presence of an accelerant; the court disagreed.
  • The insurance company’s origin and cause investigator, based on his own inspection, determined that the fire began in the same location, on the burnt-out mattress. Presumably he determined this from the burn patterns on the mattress.
  • The lab analysis of the mattress, however, found no traces of an accelerant.


Most people by now have heard of the Heartbleed bug. It’s the programming flaw in one of the most widely used pieces of encryption software on the internet: OpenSSL. It makes what should be secure websites, and the personal information they contain, vulnerable to hackers. It is more important, though, than just another internet threat. Every business should consider whether it can be liable for depending on the vulnerable encryption software in the first place. This is especially important in light of the Federal Trade Commission’s efforts to ensure that businesses take reasonable precautions to protect their customers’ digital data.

The same day the Heartbleed bug was announced, April 7, 2014, Federal District Court Judge Esther Salas upheld the Federal Trade Commission’s right to police corporate cybersecurity practices. As we previously mentioned, the court denied Wyndham Worldwide Corp.’s motion to dismiss a suit the FTC brought against it which arose out of three separate alleged hacking incidents that occurred over a two year period.

According to a story by Matt Egan published on April 8, 2014 in Fox Business.com, the FTC sued Wyndham Worldwide Corp. and three subsidiaries, alleging that Wyndham, unreasonably and unnecessarily, exposed consumers’ personal data to unauthorized access and theft that resulted in hundreds of thousands of customers having their payment card account information exported to a domain registered in Russia and a fraud loss of more than $10 million. The suit reportedly alleged that, among other things, Wyndham:

  • Failed to use readily available security measures like firewalls;
  • Allowed software to be configured inappropriately;
  • Failed to ensure hotels implemented adequate information security policies;
  • Failed to remedy known security vulnerabilities.

[Emphasis supplied]

What makes the ruling especially relevant to the Heartbleed bug is the way that the encryption software the bug affects is developed and maintained.

Just in case anyone thinks that cybersecurity is nothing more than an esoteric exercise for computer geeks and technicians, of no importance to the average person or business, the Heartbleed bug has come along to show us all how wrong that is. It was only just discovered two weeks ago and its impact was felt around the world almost immediately.

According to an article in the April 9, 2014 Daily Mail, the Heartbleed bug bypasses the normal safety features of websites. It can affect many of those sites that you might have noticed, which begin with an “https://” in front of their internet address, and which often appear with the symbol of a lock, both of which are supposed to mean they are safe. The bug, though, makes them vulnerable. It reportedly could affect more than 500,000 websites.

The bug reportedly allows hackers to bypass normal encryption safety measures to get at encrypted information, including the most profitable types such as credit card numbers, user names, and passwords. The unauthorized user can even obtain the digital keys to impersonate other servers or users and eavesdrop on communications.

It’s not considered malicious software or malware because it is more of a programming flaw; but that really is not important. What is important is that the flaw, and the vulnerability, went undetected for more than two years until it recently was discovered, independently, by researchers at Google and the Finnish company Codenomicon. A fix is possible, and reportedly fairly easily applied. The problem seems to be that the fix has to be manually applied by the people who run each individual site. That, unfortunately, will take time.

There are a few recent developments in the field of cybersecurity that businesses, individuals, and fraud investigators alike should take note of. One is a recent case which, if followed, could expand a business’ liability for security breaches and the others are new tools businesses possibly could use to protect against that same liability.

Digital information, including how to protect it and prevent fraud, is always a fascinating topic. New advances in digital security go hand in hand with ingenious ways to steal digital information. It is fun to follow, in the same way it is fun to watch Wile E. Coyote chase the Roadrunner: the chase never really ends, they always come back for more, and they use bigger and better gadgets every time.

Cybersecurity, though, is more than just a fun read. It has real-world implications. According to a report published in the Wall Street Journal, Federal District Court Judge Esther Salas, on Monday, April 7, 2014, upheld the Federal Trade Commission’s right to police corporate cybersecurity practices to ensure businesses take reasonable precautions to safeguard their customers’ data. The FTC reportedly sued Wyndham Worldwide Corp. and three subsidiaries, in 2012, after hackers broke into the company’s corporate computer system and the systems at several individual hotels, between 2008 and early 2010, and allegedly stole credit and debit card information from hundreds of thousands of customers. The FTC alleged that Wyndham did not take reasonable measures to protect its customers’ information from theft. It cited what it alleged were wrongly configured software, weak passwords and insecure computer servers. Wyndham argued that the FTC did not have the statutory authority to police corporate cybersecurity. The FTC argued that its authority came from its 100-year-old statutory power to protect consumers from businesses that engage in unfair or deceptive trade practices. There was no finding of liability, but the court reportedly upheld the FTC’s right to bring the suit. The lawsuit reportedly seeks to have the court order Wyndham to improve its security measures and fix whatever harm its customers suffered.

With the possibility of federal enforcement of what amounts to a “reasonable-precautions” cybersecurity standard, businesses, not just fraud investigators, should pay attention to the potential tools at their disposal to protect their clients’ information.

The technological advances in keeping things secret are ingenious. Much like the mythical jackalope, or my favorite, the basselope, they use things that do not seem to have anything to do with each other, to come up with something better: A more effective lock and key to turn away prying eyes from private information they should not see.

Insurance fraud, how it’s committed and how it’s solved, always is an interesting topic. It’s like a crime drama. Whether it’s Castle, The Mentalist, or NCIS, you get to see the end result and then figure out how it happened; and you inevitably learn about a couple of mistakes that help it along and a few more that eventually bring it to an end. Real-life examples are not always as compelling as highly-rated TV shows but they do illustrate the problem and show what investigators should, and should not, do to bring it to an end. The ones we will be talking about in this post are Rental Car Fraud, a smart-phone app, and, once again, the Target Data Breach. They have a lot more in common than you might think.

Rental Car Fraud, a subset of the ever-popular Auto Fraud, is growing at an alarming rate, according to an article in the March 12, 2014 edition of the Claims Journal by Denise Johnson. The concept is simple: rent a series of cars; use them to commit crimes and then dump, and maybe even burn, them when you’re done; and conceal your identity by using fake or stolen ID. The cars are hard to trace and the connections between them even more difficult to figure out. According to Kraig Palmer, an investigator with the California Highway Patrol who recently spoke at the Combined Claims Conference in Orange County, Calif., stolen ID’s are not hard to come by and can be relatively cheap at about $50 each. The fraud is not easy to solve. According to the article, Palmer said he worked on one case that involved 103 vehicles, which resulted in 72 arrests. Another involved 3 main suspects who rented 42 cars from 2 different rental agencies. One of the suspects was a preferred customer, which evidently made it easier for him to rent the cars and harder for the companies to trace him. Those incentive programs reportedly often allow a customer to register on-line without even having to set foot in the rental agency.

There are certain things a claims adjuster or SIU rep should look for when faced with an auto claim for property damage or bodily injury that involves a rental car. Kraig Palmer, according to the Claims Journal story, suggested they look for unusual patterns, such as whether one person rented more than one vehicle involved in the occurrence. Howard J. Hirsch added a few more, which appeared in the January/February 2011 edition of Auto Rental News; though he referred the tips to auto rental counter agents, fraud investigators might be able to use them as well:

  • The customer owned a vehicle, but it is not being serviced or repaired [at the time he rents the car].
  • The customer inquires about extra insurance before it is offered.
  • The customer is a walk-in and does not own a vehicle.
  • The customer has a local address and an out of state license.
  • The customer only requests a one-day rental.
  • The customer pays in cash.
  • The customer pays for the rental with someone else’s credit card.
  • The customer presents a foreign driver’s license with no passport.
