interFIRE Home interFIRE Home interFIRE VR Support Training Calendar Training Center Resource Center Message Board Insurance Info
 
PRIVACY AND CONFIDENTIALITY ISSUES - LIMITS ON ACCESS AND USE OF INFORMATION
By:
W. Lane Neilson
Neilson and Associates
1332 West Colonial Drive
Orlando, Florida 32854
407-843-6514
Fax: 407-843-0427
E-MAIL: LNEILSON@NTLAW.COM
WEB SITE: http://www.ntlaw.com/
W. Lane Neilson - March, 2000

Special thanks in the preparation of this paper are extended to Aimee Nocero, attorney at the firm of Neilson and Associates.
 


Table of Contents

Preface 1

 
I. THE INSURANCE COMPANY'S DUTY TO INVESTIGATE
A. Statutory Requirements
B. Case Law Requirements
C. Contractual Obligations
D. Other Reasons for Investigating
1
1
1
2
2

II. INVESTGATIVE RISKS TO AVOID

A. Invasion Of Privacy
1. Unreasonable Intrusion Upon The Seclusion Of Another
2. Publicity Given To Private Life
3. Publicity Placing A Person In A False Light
4. Appropriation Of Name Or Likeness
B. Trespass
C. Defamation
D. Breach of Contract
E. Bad Faith
F. Infliction of Emotional Distress
G. Interference with Business Relationship
H. Class Action Litigation

2
2
3
3
4
4
6
6
6
6
7
7
7

III. PROFESSIONAL INVESTIGATORS
A. Private Investigators
1. Licensing requirements
2. Surveillance/Investigation by Audio, Video, and Electronic Means
3. Insurer Liability for Private Investigators
B. Special Investigative Units (SIUs)
C. Public Sector Investigators and Public Information
1. Public Investigators
2. Public Records
a. Public Records Defined
b. Generally Available Public Records
c. Criminal History on Adults and Juveniles

3. Cooperation with Public Officials/Immunity Statutes,

8
8
8
8
11
12
13
13
13
13
14
15
17

IV. SOME LONGSTANDING CONCERNS IN REQUESTING INFORMATION

A. Constitutional Privacy Issues
1. Federal Constitutional Provisions
2. State Constitutions
B. Internal Revenue Code
C. The Freedom of Information Act, as amended
D. The Fair Credit Reporting Act, as amended
1. What is the Fair Credit Reporting Act?
2. What relevance does the FCRA have for insurance companies investigating claims?


18
18
18
19
20
21
21
21

22


V. THE PROLIFERATION OF FEDERAL "PRIVACY" LEGISLATION
A. Electronic Communications
1. Federal Wiretapping Act, as amended by the Electronic Communications Privacy Act
2. Computer Fraud and Abuse Act (CFAA)
3. Computer Matching & Privacy Protection Act of 1988
4. Telephone Consumer Protection Act of 1991
5. Cable Communications Policy Act
6. Children's Online Privacy Protection Act of 1998 (COPPA)
7. Gramm-Leach-Bliley Act of 1999
B. Other Federal "Privacy" Legislation
1. The Privacy Act of 1974
2. Privacy Protection Act of 1980
3. Federal Records Act
4. Right to Financial Privacy Act
5. Family Educational Rights and Privacy Act of 1974
6. Video Privacy Protection Act
7. Driver's Privacy Protection Act (DPPA)


24
24

24
26
27
27
27
27
28
28
28
29

29
29
29

29
29


VI. PROPOSED FEDERAL LEGISLATION
A. Electronic Communications
1. Consumer Internet Privacy Protection Act of 1999
2. Online Privacy Protection Act of 1999
B. Other Federal "Privacy" Legislation
1. Personal Information Privacy Act of 1999
2. Personal Privacy Protection Act of 1999
3. Freedom and Privacy Restoration Act of 1999
4. Financial Information Privacy Act of 1999
5. Children's Privacy Protection and Parental Empowerment Act of 1999
6. Social Security On-Line Privacy Protection Act
7. Genetic Privacy and Non-Discrimination Act of 1999
8. Medical Information Privacy and Security Act of 1999
9. Medical Privacy in the Age of New Technologies Act of 1999
10. Patients' Bill of Rights Acts
11. Depository Institution Customers Financial Privacy Enhancement Act of 1999
12. Standards for Privacy of Individually Identifiable Health Information

30
30
30
30
31
31
31
31
31
32
32
32
32
33
33
33
33
33

VII. THE EXCHANGE AND DISCLOSURE OF INFORMATION BY INSURERS

A. State Legislation Allowing Exchanges Between Insurers
B. State Legislation (Immunity Statutes) Allowing or Requiring Insurers to Provide Information to Public Officials
C. Data Bases Available
1. The All Claims Data Base
2. Property Insurance Loss Register (PILR)
3. Medical Index Bureau (MIB)
4. Database Technologies, Inc. (DBT)
5. Others
D. IRSG Principles
E. Sunshine in Litigation and Confidential Settlement Agreements
F. Internal and External Securitization of Data

33
34

35
35
35
36
36
37
37
37
38
39

VIII. OBTAINING INFORMATION FROM "PRIVATE" SOURCES OTHER THAN INSURERS
A. Banks and Financial Institutions
B. Employers
1. The Employee Polygraph Protection Act
2. Other Employment "Privacy" Statutes
C. Medical Providers
1. Confidentiality Statutes
2. Health Insurance Portability and Accountability Act of 1996 (HIPPA)
3. Federal Drug Abuse Office and Treatment Act
D. Authorization and Release Forms in the Electronic Age

IX. UTILIZING THE INTERNET

 


41
41
41
42
42
43
43
43
44
44

45

 

PRIVACY AND CONFIDENTIALITY ISSUES - LIMITS ON
ACCESS AND USE OF INFORMATION

PREFACE

The ideas expressed in this paper should not be considered as legal advice that might apply in any particular jurisdiction, claim situation, or lawsuit.

I.         THE INSURANCE COMPANY'S DUTY TO INVESTIGATE

A.        Statutory Requirements

Many states have statutes which require insurers to investigate claims.  For example, under Florida Statutes, 626.9541(l)(i)(3), it is an unfair claim practice for an insurer to fail to adopt and implement standards for the proper investigation of claims.  Also, under 626.9541(l)(i)(3)(d), it is an unfair claim practice for an insurer in Florida to deny claims “without conducting reasonable investigations based upon available information...”  That duty is also made apparent by Florida's reservation of rights statute, 627.426(1)(c), which states that the insurer does not waive any policy provision or defense by “...investigating any loss or claim under any policy...”  Another example of the insurer's duty to investigate can be found in California's Insurance Code 790.03(h)(3), which requires an insurer to adopt and implement standards for the prompt investigation and processing of claims.  See also, Pennsylvania Statutes 40 P.S. 1171.5(a)(10)(iii) and Texas Statues, V.A.T.S., Insurance Code, Art. 21.21-2 Section 2(B)(3).

With the proliferation of fraudulent claims and the desire of legislatures to curb premium increases needed to pay exaggerated and fraudulent claims, many states have also mandated the creation of anti-fraud units within insurance companies.  Typically, such units are statutorily required to investigate suspicious claims of all types.  For example, Florida Statutes, 626.9891(l), requires insurers with a certain premium volume to  “(a) establish and maintain a unit or division within the company to investigate possible fraudulent claims by insureds or by persons making claims for services or repairs against policies held by insureds; or (b) contract with others to investigate possible fraudulent claims for services or repairs against policies held by insureds.”

B.        Case Law Requirements

In addition to the statutory duty to investigate claims, the case law in many states indicates that an insurer who fails to promptly and thoroughly investigate a claim may be charged with bad faith.  See, for example: Beckman v. Safeco Ins. Co., 691 F.2d 898 (insurer has duty to conduct a reasonable investigation); Davy v. Public National Ins. Co., 5 Cal. Rptr. 488 (failure to investigate may evidence bad faith); American Fidelity & Casualty Co. v. Greyhound Corp., 258 F.2d 709 (5th Cir. (Fla.) 1958)(insurance company's negligence in handling claim, by not investigating and evaluating it, rendered company liable for excess judgment); Kohlstedt v. Farm Bureau Mutual Ins. Co. 139 N.W. 2d 184 (Iowa 1965)(insurer has duty to conduct good faith investigation of all aspects of case); Commercial Union Ins. Co. v. Liberty Mutual Ins. Co., 357 N.W. 2d 861 (Mich. Ct. App. 1984) (definition of bad faith includes insurer's failure to properly investigate claim); and Radio Taxi Service, Inc. v. Lincoln Mutual Ins. Co., 157 A.2d 319 (N.J. 1960)(reasonably diligent effort must be made to ascertain facts upon which good faith judgment as to settlement can be formulated).

C.        Contractual Obligations

The contractual rights and duties of the insurer and its insured are specified in the policy language.  Generally, policies require an insured to cooperate with the insurer's efforts to investigate any first-party claim, but do not specifically require the insurer to investigate that claim.  That is, the insurer may waive its right to investigate and simply pay the insured's claim. 

However, for third-party liability claims, the insurer typically has a duty to defend its insured, which generally requires the insurer to investigate the claim made against its insured.  An insurer's failure to reasonably investigate and timely pay or settle such a claim may give rise to an excess or bad faith judgment against the liability insurer.

D.        Other Reasons for Investigating

According to the most recent report published by Conning & Company, a Hartford, Connecticut insurance research company, fraud cost the entire insurance industry about $120 billion in 1995.  That same research company indicated that the extent of property and casualty insurance fraud alone reached $21 billion in 1996.  Such alarmingly high losses due to insurance fraud have prompted insurance companies to more vigorously investigate this growing burden on the industry and society as a whole.

Since insurance fraud costs the industry billions of dollars every year, the failure to thoroughly investigate claims can facilitate even greater amounts of fraud and, ultimately, threaten a company's viability.  The diligent investigation of claims should be undertaken to protect the company's viability as well as its insureds.  Furthermore, society as a whole should  benefit from the reduction in fraud that can be brought about by thoroughly and properly investigating suspicious claims.

II.        INVESTIGATIVE RISKS TO AVOID

Whenever an insurance company executes a plan of action for the investigation of a claim, the company must operate within the legal environment in which that claim is pending.  In today's legal environment, an insurance company and its representatives should consider and typically balance their right and duty to investigate against the insured's or third-party's right to privacy.

One way an insurance company can balance these two competing interests is by ensuring that its investigations of claims involve only the discovery of “material” facts and circumstances.  For an excellent discussion of what a “material” fact is, see Application Misrepresentation and Concealment in the Property Insurance Policy . . . The Elusive Elements of the Defense, by Clayton H. Farnham, THE FORUM, Vol. XX, Number 2, Winter 1985.  Otherwise, a suit for invasion of privacy and a variety of other causes of action may be asserted against the insurer.

 


A.        Invasion Of Privacy

Courts generally recognize a cause of action for invasion of privacy.  Mark v. Seattle Times, 635 P.2d 1081 (Wash. 1981).  The common law tort of invasion of privacy actually consists of four distinct kinds of actions:  (1) Unreasonable intrusion upon the plaintiff's seclusion or solitude or into his private affairs; (2) Public disclosure of private facts about the plaintiff; (3) Publicity which places the plaintiff in a false light in the public eye; (4) Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.   See Industrial Found. of the S. v. Texas Indus. Accident Board., 540 S.W.2d 668, 682 (Tex.1976), cert. denied, 430 U.S. 931, 97 S.Ct. 1550, 51 L.Ed.2d 774 (1977). See also, Mark v. King Broadcasting Co., 27 Wash.App. 344, 618 P.2d 512 (1980).

1.         Unreasonable Intrusion Upon The Seclusion Of Another

This tort occurs when one person intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns. The person who engages in the intrusive behavior is subject to liability to the other for invasion of his privacy if the intrusion would be highly offensive to a reasonable person. Restatement of Torts, 2nd, 652A.

Unlike other privacy torts, this cause of action does not require disclosure of the private information to third parties. However, there is no liability if the information in question is a public record or if the activity occurred in a public place where there is no reasonable expectation of privacy.  Forster v. Manchester, 189 A.2d 147 (Pa. 1963).

Some courts have required that the intrusion be “substantial” in order for the conduct to be actionable. In Chicarella v. Passant, 494 A.2d 1109 (Pa. Super.1985), an accident victim alleged that an insurance company and its employees intentionally and substantially intruded upon his private affairs by obtaining hospital records of his injuries.  Rejecting this argument, the court held that a description of the plaintiff's medical treatment did not constitute a substantial intrusion and that the information in the medical records would not cause mental suffering, shame, or humiliation to a person of ordinary sensibilities.

Regardless of the nature of the information collected, the insurance company should also make sure that it collects information by lawful means. For example, unauthorized wiretaps, in addition to being illegal under the Electronic Communications Privacy Act, will support a cause of action for unreasonable intrusion. See Rhodes v. Graham, 37 S.W. 2d 46 (Ky. 1931).

2.         Publicity Given To Private Life

A cause of action for invasion of privacy may be pursued where one publicizes a matter about the private life of another if the matter publicized is one that:  (a) would be highly offensive to a reasonable person; and (b) is not of legitimate concern to the public. Restatement of Torts, 2nd, 652D.  Case law generally holds that it is not enough that the information is communicated to one or even several people to support this cause of action. Instead, the matter in question must be communicated to enough persons so that it “ ...must be regarded as substantially certain to become one of public knowledge.” Tureen v. Equifax, 571 F.2d 411 (8th Cir. 1978).

In that case, Equifax supplied a life and health underwriting history report to the plaintiff's health insurer, at the insurer's request. The court held that Equifax's disclosure to the insurer, without further disclosure, was not sufficient publication to support a cause of action for invasion of privacy.

This cause of action will also not be viable where the matter disclosed is one of legitimate public interest. In Cox Broadcasting Corp. v. Cohn, 420 U.S. 469, 95 S.Ct. 1029 (1975), the United States Supreme Court held that disclosure of the identity of a rape victim did not support a common law claim for publicity given to the private life of another, because news relating to crime is a matter of legitimate public interest. However, most states now have “rape shield” laws, which prohibit the disclosure of the identity of rape victims.

3.         Publicity Placing A Person In A False Light

Publicizing a matter about another person that places that person before the public in a false light is actionable if: (a) the false light in which the plaintiff is placed would be highly offensive to a reasonable person; and (b) the actor had knowledge of or acted in reckless disregard of the falsity of the publicized matter and the false light in which the other would be placed. Restatement of Torts, 2nd 652E.  See also, Larsen v. Philadelphia Newspapers, Inc., 543 A.2nd 1181 (Pa.Super 1988) quoting 652E as authority.

This theory has been used to sue information providers who supply erroneous information.  For example, in Dun & Bradstreet v. Greenmoss Bldrs., 472 U.S. 749,105 S.Ct. 2939 (1985), D&B disclosed a credit report with inaccurate information in it, which placed Greenmoss, the subject of the report, in a false light.  D&B defended the invasion of privacy claim by arguing that the credit report was a matter of public importance and that the plaintiff should, therefore, be required to show “actual malice” in order to prevail.  The Court rejected that argument and Mr. Greenmoss prevailed in the case.

It should also be noted that this cause of action is against the provider of the information, not the recipient.  Therefore, it is incumbent upon the information service provider to take reasonable steps to make sure that information supplied is accurate.  That is, an insurance company should take reasonable steps to avoid providing inaccurate information to others.

4.         Appropriation Of Name Or Likeness

Under this theory, one who appropriates the name or likeness of another to his own use or benefit is subject to liability to the other for invasion of his privacy.  Restatement of Torts, 2nd 652C.  This tort action is typically asserted in cases involving the use of photographs and audio of celebrities for product endorsements without their knowledge or consent.  More egregious examples include posting nude photos of people or models on the Internet.

Because this tort is frequently used by celebrities who are “public figures”, the plaintiff often has a high burden to meet.  That is, much of what “public figures” do and say is considered to be a matter of legitimate public interest.  A claim for invasion of privacy will not succeed if the disclosure involves a matter of legitimate public interest.  Carson v. Baskin, 30 So.2d 635 (Fla. 1947).

A few years ago, radio host Howard Stern ran for governor of New York.  An Internet provider, Delphi, used Stern's photograph in an advertisement without his permission, and Stern sued.  However, Delphi had used Stern's photograph specifically to advertise an online bulletin board which was established to debate Stern's candidacy. The court found that although Delphi had used Stern's likeness without his permission, the use was permissible because  his candidacy was a matter of public interest.  Stern v. Delphi Internet Services Corp., 626 N.Y.S.2d 694 (Sup. Ct. 1995).

For all types of invasion of privacy, it should be noted that the elements and exact requirements for bringing this suit vary among the states.  For example, in Florida, a cause of action for invasion of privacy will normally only lie if the information at issue is published to the world at large.  Publication to one or a few people will generally not support this cause of action in Florida.  See Santiesteban v. Goodyear Tire, Inc., 306 F.2d 9 (5th Cir. 1962).  Other states are less restrictive than Florida.

In Borquez v. Ozer, 423 P.2d 166 (Colo. Ct. App. Div. I 1995),  the plaintiff, Mr. Borquez, was a lawyer in the Ozer firm.  Mr. Borquez was gay, and when he learned that his companion was HIV positive, disclosed both his homosexuality and his need for testing to a partner in the firm.  Mr. Borquez asked that law partner to keep the information confidential, but the partner made no promise to do so.  Within a few days, Borquez's situation became common knowledge throughout the firm.

Mr. Borquez sued for invasion of privacy, and won a jury verdict which the Court of Appeals affirmed.  The Colorado Court of Appeals held that the disclosure of this “private matter” would be highly objectionable to a reasonable person because a strong stigma still attaches to both homosexuality and AIDS.  The court also held that the scope of the disclosure or publication has to be measured by the sensitive nature of the information and the relationship of the parties.  Unlike the case law in Florida, the Colorado court held that publication to the world at large is not required where the information is of a highly personal nature.  In Borquez's case, the information was found to be so personal that dissemination to his co-workers, who did not have a need to know, was held to be sufficient publication for the invasion of privacy claim.

Courts have required greater degrees of publication to support a claim for invasion of privacy where the information is of a less personal nature.  For example, a court has held that the disclosure to a small group of co-workers that a dismissed worker had been to a “career counselor” prior to discharge is not a sufficient publication to support a claim for invasion of privacy.  Croston v. Kamauf, 932 F.Supp. 676 (D. Md. 1996).  Also, a hospital counseling center's disclosure that one of the hospital's employees had been in counseling did not violate that employee's right to privacy.  Hanson v. Hancock County Mem. Hosp., 938 F.Supp. 1419 (N.D. Iowa 1996).

These cases indicate that the degree of publication necessary to constitute an invasion of privacy is a function of the nature of the information disclosed.  Therefore, insurance companies, like others, should consider exercising additional caution when handling claims that involve highly personal information, such as medical and mental health information.

Another growing problem is “Identity Theft.”  Identity theft occurs when someone acquires key pieces of someone's identifying information and impersonates that person when committing various crimes in that person's name.  The basic information sought by identity thieves  is a person's name, address, phone number, social security number, driver's license number, and credit card numbers.  These thieves also seek telephone calling card numbers, birth certificates and passports.  By obtaining this type of information, the identity thief is able to commit various types of fraud; such as going on spending sprees using the victims name, opening new financial accounts, taking over existing accounts, diverting mail, and applying for loans, credit cards, social benefits, etc.

Identity theft can leave the victim with a poor credit rating or bad reputation that may take years to correct.  With the increased use of the internet, more information than ever is available to the savvy identity thief.  In order to protect electronic transactions, more consumers are using various types of digital signature protection and other encryption methods.  Congress has passed the Identity Theft and Assumption Deterrence Act, codified at 18 U.S.C. 1028.  This act makes it a felony to knowingly use the identification of another person with the intention of committing any unlawful activity under federal or state law.

B.        Trespass

Trespass is the entering onto the property of another without permission or legal authority.  Prosser on Torts, 4th Ed 13.  To avoid potential liability for trespass, insurers and their representatives may include policy language to allow inspections of any insured's property, and obtain written permission or consent forms from the property owners prior to entry onto the property.  Also, when surveillance activity is undertaken, it should be conducted from public places to avoid claims of trespass.

C.        Defamation

Defamation is any written or oral communication about another which would expose the subject of those statements to hatred, contempt, ridicule, or which causes or tends to cause any person to be shunned or avoided.  See, for example, Layne v. Tribune Co., 146 So. 234 (Fla. 1933).  When conducting interviews during an investigation, insurance company representatives should take care to avoid making statements that could be considered as derogatory remarks about the insured or any other person.  In Nebraska, in order to have a cause of action for defamation, there must be: (1) a false and defamatory statement concerning the plaintiff; (2) an unprivileged publication to a third party; (3) fault amounting to at least negligence on the part of the publisher; and (4) either actionability of the statement irrespective of special harm or the existence of special harm caused by the publication. Norris v. Hathaway, 5 Neb.App. 544, 547‑48, 561 N.W.2d 583, 585 (1997). Accord, 50 Am.Jur.2d Libel and Slander 21 (1995); Restatement (Second) of Torts 558 (1977).

D.        Breach of Contract

Where the insurer has a duty to defend or investigate a claim  under its policy, and fails to do so in a reasonable manner, its insured may bring a breach of contract action against it.  Similarly, a lienholder or mortgagee may assert such an action against the insurer.  A failure to pay because of the lack of an appropriate investigation by the insurer is a claim many plaintiffs have alleged.  An arguable basis for that inappropriate investigation may be the insurer's invasion of the insured's or third-party claimant's privacy.

E.         Bad Faith

Creative counsel for claimants look for additional grounds for asserting “bad faith” claims.  In many states, bad faith claims can arise from a first-party claim or a third-party liability claim.  A typical allegation is that the insurer did not act fairly towards its insured.  The creative claimant's attorney will argue that any invasion of privacy amounts to a failure to act fairly towards its insured or is an unfair claims settlement practice that amounts to “bad faith”.

F.         Infliction of Emotional Distress

Although frequently pled, this cause of action rarely succeeds.  In order to prevail on a claim for infliction of emotional distress, the plaintiff must typically show that the defendant engaged in conduct so extreme and outrageous as to go beyond all bounds of decency, and which is regarded as atrocious and utterly intolerable in a civilized society.  Mere rudeness or lack of courtesy will not support a cause of action for emotional distress.  Mundy v. Southern Bell Tel. & Tel. Co., 676 F.2d 503 (11th Cir. 1982).  Also, many cases require that the plaintiff sustain some actual physical impact or bodily injury from the alleged tortious conduct. 

The Florida Supreme Court, in Time Ins. Co. v. Burger, 712 So.2d 389, 393 (Fla. 1998), held that in order to recover damages for emotional distress, the plaintiff must prove: (1) that the bad-faith conduct resulted in the insured's failure to receive necessary or timely health care;  (2) that, based upon a reasonable medical probability, this failure caused or aggravated the insured's medical or psychiatric condition;  and (3) that the insured suffered mental distress related to the condition or the aggravation of the condition.  In order for the insured to recover, these allegations must be substantiated by the testimony of a qualified health care provider.  Prior to Burger and the enactment of F.S.A. 624.155, emotional distress damages were generally unavailable absent physical contact arising out of the conduct of an insurer.

G.        Interference with Business Relationship

To sustain a cause of action for interference with a business relationship, the plaintiff must establish (1) the existence of a business relationship, which need not be evidenced by an enforceable contract; (2) knowledge of the relationship on the part of the defendant; (3) intentional and unjustified interference with the relationship by the defendant; and (4) damage to the plaintiff as a result of the breach of the relationship. G.M. Brod & Co. v. U.S. Home Corp., 757 F.2d 1526 (11th Cir. 1985).  This cause of action may arise where an investigator or adjuster inappropriately interviews a claimant's business associates, customers, or clients.

H.        Class Action Litigation

Class action suits are governed by Rule 23 of the Federal Rules of Civil Procedure.  A class action suit can be maintained if the following conditions are met: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims and defenses of the class; and (4) the representative parties will fairly and adequately protect the interest of the class.  There has been a tremendous growth in class action lawsuits in recent years, due in part to the potential for large judgments.

For example, in Avery v. State Farm Mutual Automobile Ins. Co., 1999 WL 955543 (Ill.Cir. 1999) , the jury awarded the class of plaintiffs $243,740,000.00 for class-wide specification/direct damages, $212,440,000.00 for class-wide installation damages plus interest of $456,180.00.  These large sums were only for Count 1 of the complaint.  Counts II and II were questions of law decided by the judge.  The court awarded an additional $130,000,000.00  for violating the Consumer Fraud Act of Illinois, and also awarded punitive damages in the amount of $600,000,000.00.  The total damages awarded came to $1,186,636,180.00.  The case involved State Farm's requiring the use of non-OEM parts.

An example of an activity that may lead to class action type liability is the routine obtaining of credit reports without first getting a release.  If an insurance company engages in the repeated or regular practice of conducting improper investigations, including, for example, the invasion of persons' privacy, the insurance company could become the target of a class action suit, which could be extremely expensive to defend and settle.  Therefore, it is important that an insurance company conduct investigations with an awareness of this risk.

III.      PROFESSIONAL INVESTIGATORS

A.        Private Investigators

1.         Licensing requirements

An insurer's hiring of a private investigator is not prohibited by state insurance codes.   However, state statutes do establish regulations for the licensing of private investigators.  See, for example, Florida Statutes, 493.6100; Nebraska Statutes, 71-3202; Pennsylvania Statutes, 22 P.S. 13; and Texas Statutes, Vernon's Ann.Civ.St. Art. 4413(29bb) Sec. 13(a).  When hiring private investigators, insurance companies should determine that the private investigators retained are properly licensed in each jurisdiction where they will be working.  It could happen that a private investigator licensed in one state may cross over state lines and operate illegally.

2.         Surveillance/Investigation by Audio, Video, and Electronic Means

In an effort to detect and defend against the increasing volume of fraudulent claims, insurance companies frequently investigate suspicious claims by having investigators engage in video, audio, and electronic surveillance of claimants.  Employers, banks, merchants and even amusement companies have similarly responded to their losses from external and internal fraud and theft.

Despite the need to vigorously pursue investigations of suspicious claims, investigators must limit themselves to “reasonable” means of surveillance, or be subject to liability for the invasion of an individual claimant's right to privacy.  That usually involves the balancing of the insurer's right and duty to investigate the validity of claims filed against the claimant's right to privacy.

In the context of claim investigations involving surveillance, claimants may assert a claim or cause of action against the insurance company and its private investigator for unreasonably intruding upon their solitude or seclusion.  In determining whether to sustain such a claim for wrongful intrusion, the courts question:  (1) whether there was a legitimate purpose for the investigation that led to the intrusion; and  (2) whether the means employed in conducting the investigation were reasonable.

Courts have uniformly held that an individual who files a personal or bodily injury claim should expect that the insurance company will conduct a reasonable inquiry and investigation to determine the validity of the claim.  Pinkerton Nat'l. Detective Agency, Inc. v. Stevens, 132 S.E.2d 119 (Ga. 1963).  Therefore, when a claimant files a personal or bodily injury claim, that claimant's interest in privacy is sacrificed to the extent of a “reasonable” investigation. However, if the insurance company conducts the investigation in an offensive, objectionable, or unreasonable manner, it will be liable for wrongful intrusion even if it had a legitimate purpose for the investigation.

With regard to the means employed in conducting the investigation, the insurance company will not incur liability for invasion of privacy based on wrongful intrusion if the company conducted the surveillance in a “reasonable” manner.  As a general rule, surveillance of a claimant in a public place and from a public vantage point in which a passerby could have made the same observations does not constitute an invasion of privacy if conducted in a reasonable and non-obtrusive manner.  In Forster v. Manchester, 189 A.2d 147 (Pa. 1963) (1963), a private investigator took motion pictures of the plaintiff driving her car on public thoroughfares.  The court held that the motion pictures were a reasonable means of procuring evidence and did not constitute an invasion of privacy because the plaintiff was exposed to public observation.  Id. at 197.

In McLain v. Boise Cascade Corp., 533 P.2d 343 (Or. 1975), an investigator trespassed upon the border of the claimant's property to obtain a better position to videotape the claimant during day light hours.  In affirming the dismissal of the claim, the Oregon Supreme Court overlooked the trespass because the claimant was unaware that he was being videotaped and conceded that the activities filmed could have been observed by his neighbors or a passenger watching from an adjacent road.  Therefore, the Court found that the investigator's conduct could not constitute an unreasonable surveillance highly offensive to a reasonable person.  But see Alabama Electric Cooperative, Inc. v. Partridge, 225 So.2d 848 (Ala. 1969), where the jury found that hiding in an abandoned house near the claimant's home and using high-powered binoculars to videotape the claimant's family moving about their home was unreasonable.

In Unrah v. Truck Insurance Exchange, 498 P.2d 1063 (Cal. 1972), the California Supreme Court determined that the insurer's investigators went too far and held the insurer liable for “additional injuries” caused by the investigation.  In Unrah, the plaintiff was being investigated for workers' compensation fraud.  The investigator befriended the plaintiff, took her to Disneyland, and engaged in physically demanding activities while at the park.  A second investigator videotaped the events.  When the videotape was shown to the plaintiff, she suffered a mental breakdown.  This type of activity was held to go beyond the bounds of a reasonable investigation.

In addition, an action for invasion of privacy or wrongful intrusion does not result when an investigator obtains information about the claimant from public records or interviews acquaintances or friends of the claimant.  To the extent that third parties are willing to talk to investigators, the courts will not find a violation because the claimant made the information public when he/she voluntarily revealed it to others and assumed the risk that a friend or acquaintance in whom the claimant confided might breach the confidence.  Schupmann v. Empire Fire & Marine Ins., 689 S.W.2d 101 (Mo. App. 1985).

However, the revelation of too much information, especially unsupported allegations or innuendo, can lead to the imposition of liability on both the insurer and its investigator for invasion of privacy.  For example, in Republic Ins. Co. v. Hires, 810 P.2d 790 (Nev. 1991), the insurer's investigator conducted an intense investigation of a burglary loss claimant's neighbors, asking if they had any information that the claimant staged the burglary and if they were aware that the claimant's wife was involved in an affair with the neighbor who discovered the burglary.

If an insurer or its private investigator conducts an investigation in a malicious manner that is not reasonably limited to obtaining information needed for analyzing or defending a claim, or deliberately conducts an investigation so as to intentionally torment or frighten the subject of the investigation, the investigator and the insurer may be liable for wrongful intrusion.  In this area, insurance companies should be aware of two types of investigations that generally give rise to a sustainable cause of action for wrongful intrusion, namely:  (a) listening to or viewing, with or without the assistance of electronic devices, the purely private affairs of the claimant that could not be readily ascertained by the casual observer; and (b) obtrusive surveillance designed to make the claimant and the public aware of the surveillance, commonly referred to as “rough shadowing”.

With regard to electronic surveillance, insurance companies and investigators must be aware of federal and state wiretapping statutes that apply to all kinds of recording of the voice, such as tape-recording, videotaping, and using sound on video.  The Electronic Communications Privacy Act, 18 U.S.C. 2511(1), also known as the federal wiretapping statute, prohibits warrant-less wiretapping unless one of the parties to the conversation consents and the recording is not being made for the purpose of committing any criminal act in violation of the Constitution or laws of the United States or any state.  See United States v. Wright, 573 F.2d 681 (1978).

In addition, most states have statutes restricting the interception of “wire communications”.  For example, the California Privacy Act makes it unlawful to eavesdrop or record a confidential communication “intentionally or without the consent of all parties by means of any electronic amplifying or recording device”.  West's Ann.Cal.Penal Code 15 631 - 632.  See also, Coulter v. Bank of America Nat'l. Trust & Sav. Assoc., 33 Cal. Rptr. 2d 766 (1994).

In that case, Christopher G. Coulter sued Bank of America, where he worked as an automatic teller machine mechanic.  Anticipating litigation for sexual harassment that he would later file, Mr. Coulter secretly recorded more than 160 face-to-face and telephone conversations with various bank employees, supervisors, and officers.  When Mr. Coulter filed his suit for sexual harassment, the bank and eleven of its employees initiated a cross-complaint against Mr. Coulter for invasion of privacy and for violation of the California Privacy Act.  In dismissing Mr. Coulter's lawsuit, the trial court found in favor of the bank and the employees on their privacy act claim.  Rejecting Mr. Coulter's argument that he never disclosed the tapes to any third party, the California Appeals Court affirmed the trial court and held that “the statute is violated simply by the recording of confidential communications without the consent of all parties; violation does not require disclosure to a third party”.  Id. at 771.

Like California, Florida has a state statute that limits the scope of surveillance by wiretapping.  Florida Statutes, 934.03, applies to any person, and prohibits the intentional interception or the intentional use or disclosure of wire, oral, or electronic communications.

Effective October 1, 1974, the Florida Security of Communications Act was amended to prohibit a party to a conversation from recording that conversation without the consent of all parties to the conversation, provided that the conversation is not public or the intercept is not conducted for the purpose of obtaining evidence of a criminal act.  Florida v. News-Press Publishing Co., 338 So.2d 1313 (2d DCA 1976).  In that case, the 2d DCA held that tape recordings of conversations obtained without the knowledge and permission of all parties involved in those conversations were illegal intercepts because the Florida legislature intended to allow each party to a conversation an expectation of privacy from interception by the other party.

Similarly, Pennsylvania requires consent of all parties to the communication (See 18 Pa.C.S.A. 5704(4)); while in Texas, when one party consents to the recording of the communication, the recording is permissible. (See V.T.C.A., Penal Code 16.02(c)(4).)  In both Texas and Pennsylvania, not only is the person who improperly makes a recording subject to criminal penalties, but if anyone uses the information gained, with the knowledge it was illegally obtained, that person can also be subject to criminal sanctions.  Pa.C.S.A. 5703(3) and  V.T.C.A. Penal Code 16.02(b)(3).  Therefore, if an investigator illegally tapes a conversation and the insurance company is aware (or even suspects) that the tape was made illegally, the insurance company representative may be subjected to criminal sanctions.

With regard to what is known as “rough shadowing”, the  seminal case on point is Pinkerton National Detective Agency, Inc. v. Stevens, 132 S.E.2d 119 (Ga.App. 1963).  In that case, investigators, hired by an insurance company to determine the extent of injuries suffered by a bodily injury claimant, shadowed the claimant almost continuously for nearly four months, peeped and eavesdropped through her windows, and gave the claimant's neighbors the impression that the claimant was involved in some wrongful activity.  The court held that such behavior was unreasonable and invaded the claimant's right to privacy because the surveillance was not intended to acquire information but to intentionally and maliciously disturb, harass, and injure the claimant.

3.         Insurer Liability for Private Investigators

Whenever an insurance company retains a private investigator to assist with the investigation of a claim, the insurance company may become liable for the torts of the private investigator.  Noble v. Sears, Roebuck & Co., 33 Cal.App.3d 654 (1979).  In order to determine if liability attaches to an insurer for the tort committed by its private investigator upon the investigation's subject, one must first determine if the investigator is an agent of the  insurer, or an independent contractor.

Generally, an insurer who entrusts work to an independent contractor is not liable for the tortious acts or omissions of that contractor.  On the other hand, an insurer who entrusts work to an agent will be liable for the agent's conduct.  See Mahon v. City of Bethlehem, 898 F.Supp. 310 (E.D.Pa. 1995); and Baldassarre v. Butler, 625 A.2d 458 (N.J. 1993).

In determining whether a private investigator is the agent of an insurance company, courts will consider whether the insurer had the right to control the performance of the private investigator's work.  King v. Loessin, 572 S.W.2d 87 (Tex, Civ. App. 1978).  If the insurer exercised control over the manner in which the investigator went about his/her investigation, then the “independence” of the independent contractor relationship will fall away.   For example, see Pinkerton Nat'l. Detective Agency, Inc. v. Stevens, 132 S.E.2d 119 (1963), where the court held that the subject of the investigation had an action for invasion of privacy against both the detective agency and the insurance company.

If, on the other hand, control over the manner of the investigation remains with the private investigator, the independent relationship will remain in tact.  For “[I]f the employer is interested only in the results, and there is left to the party performing such services complete control over the details as to the method and manner of such performance, then the relationship of independent contractor exists.”  King v. Loessin, 572 S.W.2d 87, 89 (Tex. Civ. App. 1978); see also, AT&T v. Winback & Conserve Program, Inc., 42 F.3d 1421 (3d Cir. 1994).

In dealing with privacy concerns and the hiring of private investigators, insurance companies will want to make certain that the private investigator's conduct will not be deemed to establish an agency relationship if, in fact, the private investigator is acting as an independent contractor.  Likewise, the insurance company will usually want to make certain that its private investigators comply with appropriate general guidelines in undertaking their work, while not specifically directing the manner in which that work is undertaken.  By doing so, the prudent insurer can minimize the chance that it will be held liable for the misconduct of a private investigator.

B.        Special Investigative Units (SIUs)

Insurance companies have responded to the increased volume of fraudulent insurance claims by creating in-house special investigative units (SIUs) as part of their fraud control programs.  Additionally, an ever increasing number of states have legislatively mandated anti-fraud investigative units.  For example, Florida Statutes, 626.9891, requires that every insurer admitted to do business in Florida who in the previous calendar year had $10 million or more in direct premiums shall establish and maintain a division, either within or outside the company, to investigate possibly fraudulent claims.

Under the Pennsylvania Insurance Fraud Prevention Act, 40 P.S. 3701-101 et seq.,  the legislature established a seven member board comprised of the Attorney General, a representative of the Philadelphia Federal Insurance Fraud Task Force, four representatives of insurers and one representative of the average insurance purchaser. This board is responsible for overseeing all insurance fraud programs throughout the state. 

Texas has created a separate Insurance Fraud Unit within the Texas Department of Insurance to investigate and manage fraudulent insurance practices.  See V.T.C.A., Insurance Code, Art. 1.10D.  Similarly, in Nebraska, the Director of the Department of Insurance appoints people to serve in the Insurance Fraud Prevention Division.  44-6606

State requirements vary when mandating SIUs.  Some states require that the insurance company be accountable for staffing, for what the SIUs do, and the level of expertise of SIU personnel. Typically, the personnel in SIU units are experienced in the investigation of suspicious claims and may have substantial law enforcement backgrounds.

To protect insurance companies from potential tort liability for invasion of privacy claims that can arise from SIU investigations, SIU personnel must take the same precautions that private investigators and claims personnel do when handling suspicious claims.  That includes conducting a reasonable investigation in a timely, objective, and open-minded approach.  In addition, insurers may reduce their exposure to claims arising from SIU investigations by monitoring SIU compliance with company procedures and claim handling guidelines.

C.        Public Sector Investigators and Public Information

1.         Public Investigators

Conducting a reasonable and thorough investigation frequently requires that contact be made with public officials, including police investigators who work for the public good.  However, insurance companies must be careful not to violate a third-party claimant or insured's right to privacy when seeking information from public sector investigators.

Regardless of whether the public sector investigator is a federal, state, county, or municipal official, there will usually be a restriction upon the public investigator's ability to assist or cooperate with investigators who are not employed in the public sector. It may even be a crime for a public investigator to release certain information, such as that pertaining to an active or on-going criminal investigation.  See, for example, Florida Statutes, 119.07(3)(b), permitting law enforcement agencies to withhold information regarding an active criminal investigation, and 18 U.S.C. 1905, making it a crime for an officer or employee of any federal agency to release financial information or trade secrets without authorization.  However, once reports become public, public officials are often a valuable source of information in the investigation of claims to which their reports pertain.

2.         Public Records 

a.         Public Records Defined

Most states have statutorily defined what public records are.  For example, California's definition is as follows:

“Public records” includes any writing containing information relating to the conduct of the public's business prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.  “Public records” in the custody of, or maintained by, the governor's office means any writing prepared on or after January 6, 1975.  California Public Records Act 6252.

Florida, on the other hand, has a more explicit definition.  Florida's statute states:

“Public records” means all documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software, or other material regardless of the physical form, characteristics, or means of transmission, made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency.  F.S.A. 119.011.

Moreover, Florida's legislature has expanded the above definition with the following statuatory language:

If public funds are expended by an agency defined in 119.011(2) in payment of dues or membership contributions to any person, corporation, foundation, trust, association, group, or other organization, then all the financial, business, and membership records pertaining to the public agency from which or on whose behalf the payments are made, of the person, corporation, foundation, trust, association, group, or organization to whom such payments are made shall be public records and subject to the provisions of 119.07.  F.S.A. 119.012.

For a state-by-state listing of public records Web sites, go to www.ntlaw.com/ state_public_records.htm.

b.         Generally Available Public Records

(1)  Electronic Data Base Information

Currently, personal information about an individual that is within public records can be legally collected without notice to or input by an individual insured or claimant.  Examples of public records that are now or soon may be available from your state, online, include the following: appellate court records; arrest records; articles of incorporation; bankruptcy records; civil court indices to lawsuits; corporate status reports; criminal records; death records; divorce records; FAA records; fictitious names; hospital liens; judgments; limited partnership records; mechanic's liens; motor vehicle and driving records; OSHA reports; probate records; police reports; professional licenses; real estate ownership; SEC reports; tax liens; UCC indices; voter registration records; watercraft ownership records; and workers compensation records.  As more government entities maintain public records electronically, and as more public records are marketed electronically by data base vendors, such information will become more readily available online.

Those who gather and use electronic data base information should recognize and respect the privacy interest that individual insureds and claimants have in personal information by (1) assessing the impact on the subject's privacy, in deciding whether to obtain or use personal information; and (2) obtaining and using only information that could be reasonably expected to support current or planned activities pertaining to the investigation or analysis of a pending claim.

(2)  Hard-copy Public Records

Records accessible to the general public are often an invaluable source of background information on both claimants and potential witnesses.  Furthermore, it is not necessary for the insurer to obtain an authorization to conduct a search of public records.  Frequently examined public records are those pertaining to litigation, driving history, and police reports.

Most trial level courts maintain Plaintiff and Defendant indices which an insurance company can access to determine whether the claimants have been involved in prior litigation.  These indices can lead to court files containing information concerning a claimant's past injuries, medical treatment, financial situation, and other prior losses.

In many states, the Office of the Secretary of State, Department of Transportation, or Department of Motor Vehicles will provide a written abstract of prior motor vehicle convictions, suspensions, and license revocations for any licensed driver in that state.  Those reports provide invaluable information concerning the claimant's prior driving record.

Police reports also represent an invaluable source of information.  However, sensitive data is frequently redacted from police reports when they are made public.  Also, care should be taken to follow the proper procedure for obtaining police reports where there are local requirements for that.

There are many other forms of “hard copy” public records available for inspection, ranging from real property ownership to handicapped parking permits, some or all of which may be needed to investigate a particular claim.  And, if such records are “public” records, there can be no invasion of privacy claim for the insurer's review of them.  As long as the insurance company uses the public information to assist it in the analysis or defense of a pending claim, obtaining such information will usually not result in an allegation of invasion of privacy claims.  However, a more delicate situation arises when an insurance company investigates the criminal history of an individual.

c.         Criminal History on Adults and Juveniles

(1)  An Adult's Criminal Record

There is no prohibition against an insurer conducting a courthouse search to obtain public records of criminal acts by an adult.  Most states provide that felony and misdemeanor convictions which result in a sentence other than supervision (i.e., probation or incarceration) are available as public record.  There are services available in most states which, for a minimal fee, will obtain an abstract of prior criminal convictions and certified copies of the conviction records.  Also, there are private data base companies that collect criminal records that are public record, and make that information available for a nominal fee.

However, in Westbrook v. County of Los Angeles, 27 Cal.App. 4th 157 (Cal.App.2 Dist. 1994), a private company that sold criminal background information was restricted by the court.  The company  asked the municipal courts of Los Angeles County to provide a monthly list of every person against whom criminal charges were pending in the 46 municipal courts.  Even though the information sought was public, the court denied the company's request on the basis that “while there is no question the court proceedings should not be conducted in secrecy, the public's right to information of record is not absolute.  Where that right conflicts with the right of privacy, the justification supporting the requested disclosure must be balanced against the risk of harm posed by disclosure.” Id.

Developed by the Federal Bureau of Investigation, the National Crime Information Center (NCIC) has a computerized, national law enforcement system that links more than 4,000 police agencies through the use of over 100 terminals in the 50 states, Washington D.C., and Canada.  The nine basic record files in the NCIC computer system consist of stolen motor vehicles, stolen articles, stolen, missing or recovered guns, stolen license plates, wanted persons, stolen securities, stolen boats, computerized criminal history, and missing persons.  The computerized criminal history file consists of arrest records going into the F.B.I. primarily from state and local agencies.  Those records contain the complete criminal history of each individual from arrest through the criminal justice system process, including court decisions, probation, and incarceration.  The NCIC prohibits use of its data base to non law enforcement personnel who seek to obtain the criminal history of an individual.  Therefore, if an insurance company seeks information from this data base, directly or indirectly, to obtain a criminal history on an individual, without authorization to do so, the insurer may be exposed to liability under a claim for invasion of privacy.

(2)  Juvenile Criminal Records

In general, juvenile records information from either law enforcement agencies or court records is not available to governmental non-criminal justice agencies, private organizations,  the media, or the public.  Federal law flatly prohibits the disclosure of juvenile records held by federal courts to non-criminal and non-juvenile justice agencies, private employers, the press, or the public.  Department of Justice Regulations prohibit state and local criminal justice agencies which are covered by their Regulations from disclosing juvenile record information to any non-criminal justice agency unless a statute, court order, rule or court decision specifically authorizes dissemination of the juvenile records.

Not one juvenile code authorizes the dissemination of juvenile record information to private employers, the media, or any other private group.  For example, Florida Statutes, 39.411 of the Florida Rules of Juvenile Procedure, provides in pertinent part as follows: “(3)...All court records required by this part shall not be open to inspection by the public.  All records shall be inspected only upon order of the court by persons deemed by the court to have a proper interest therein ...” However, such statutes generally give juvenile courts the discretion to release information to any party with a legitimate interest.  Thus, such records may be obtained with an appropriate Court Order.

Courts have analyzed whether insurance companies have a legitimate interest in obtaining juvenile records in the investigation of claims.  In People v. John F. & Steven H., 665 N.Y.S.2d 822 (1997), the defendants were charged with criminal offenses relating to an incident that occurred on July 2, 1994, allegedly causing injury to the complainant.  The criminal actions were disposed of by Youthful Offender findings pursuant to Criminal Procedure Law 720.20(3).  The court clerk duly sealed the court file pursuant to Criminal Procedure Law 720.35(2), which states in pertinent part as follows: “1.  A youthful offender adjudication is not a judgment of conviction for a crime or any other offense.  2.  Except where specifically required or permitted by statute or upon specific authorization of the court, all official records and papers, whether on file with the court, a police agency or the division of criminal juvenile services, relating to a case involving a youth who has been adjudicated a youthful offender, are confidential and may not be available to any person or public or private agency, other than an institution to which such youth has been committed, or a probation department of this state that requires such official records and papers for the purpose of carrying out duties specifically authorized by law ...”.

State Farm Fire and Casualty Insurance Company issued a homeowners insurance policy and an umbrella policy, which included John and Steven as covered persons.  In a civil lawsuit against John and Steven, Joseph Pierse alleged that on July 2, 1994, John and Steven negligently or willfully assaulted him about his face and head.  In providing a defense to John and Steven, State Farm desired to unseal the two criminal court files of John and Steven to obtain copies of the Certificates of Dispositions and plea allocution minutes, in the event that they entered guilty pleas.

In reviewing the Youthful Offender Law, the court stated that the primary purpose of the youthful offender process is avoidance of the stigma and practical consequences of a conviction for a crime.   In denying State Farm's motions to have access to the sealed files of the criminal proceedings against Youthful Offenders John and Steven, the court stated that the social policy goal of restoring a youth to the status that he or she previously held, after a successful termination of a criminal proceeding or after being adjudicated a youthful offender, far outweighed any pecuniary or economic reason of the homeowners' insurer in seeking to unseal the youthful offender records and disclaim coverage in the alleged battery victim's tort action against the juveniles.

High-profile crimes involving minors have contributed to changes in public attitudes about the juvenile justice system and a youthful offender's right to privacy.  More states are opening up their juvenile courts to some degree.  For example, court records and proceedings involving youths charged with offenses that would be considered felonies if committed by adults are public in Maryland and West Virginia.  In addition, Oklahoma and Arizona have passed laws creating a presumption of openness for all juvenile records.  Nevertheless, in order to prevent a claim for invasion of privacy in obtaining juvenile information, insurance companies should seek legal advice regarding the juvenile laws in the state where they want to obtain the juvenile information, before proceeding with the investigation of a juvenile's criminal history.

3.         Cooperation with Public Officials/Immunity Statutes

In Vogel v. Gruaz, 110 U.S. 311, 316, 4 S.Ct. 12, 15 (1884), the United States Supreme Court held that “it is the duty of every citizen to communicate to [the] government any information which [they have] of the commission of an offense against its laws.”  That would include corporate citizens such as insurance companies.  However, due to insureds and third-party claimants readily pursuing tort liability against insurance companies based upon allegations of defamation, bad faith, and invasion of privacy, insurance companies are often reluctant to disclose its suspicions about possible fraud or to disclose incriminating information about insureds and claimants.

In an effort to address those concerns, Ohio became the first state to enact “arson reporting immunity” legislation that was intended to assist insurers and law enforcement agencies in their respective efforts to combat insurance fraud, by providing limited immunity to insurers.  Since then, each of the 50 states and Washington D.C. have enacted various statutes to protect those who disclose information to law enforcement or governmental agencies in the fight against insurance fraud.

For example, Florida Statutes, 626.989(4)(c), provides qualified civil immunity to those providing information on suspected insurance fraud to state law enforcement officials as well as to the State's Division of Insurance Fraud.  See Pearce v. United States Fidelity & Guaranty Co., 476 So.2d 750 (Fla. 4th DCA 1985).  In addition, Pennsylvania has a comprehensive statute (Pennsylvania Statutes Annotated, 40 P.S. 474.1) which broadly immunizes good faith efforts to investigate fraud; as does Illinois in its Insurance Information and Privacy Protection Act, 215 ILCS 5/1014.

Some states, like Virginia, make reporting information on an insured to a law-enforcement agency or other government authority confidential by statute.  For example, Virginia Code Annotated 38.2-613(A) provides that an insurance institution shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is:  (6) to a law-enforcement or other government authority:  (a)  to protect the interests of the insurance company in preventing fraud upon it; or (b) if the insurance company reasonably believes that illegal activities have been conducted by the individual; or (c) upon written request of any law-enforcement agency, for all insured or claimant information in the possession of an insurance company or agent which relates to an ongoing criminal investigation.  In that situation, any information released to a law-enforcement agency pursuant to such a request shall be treated as confidential criminal investigation information and not be disclosed further except as provided by law.

Because immunity statutes vary from state to state, insurance companies must be familiar with the reporting/immunity statutes in its respective states.  That is particularly important since some immunity statutes only provide qualified immunity based upon the absence of malice or wilful intent.  Therefore, insurers should  exercise caution in their cooperative efforts with law enforcement officials, by insuring that all materials reflect a good faith, careful investigation that is coupled with objectivity and fairness.  Also, the insurer's letter transmitting information on file materials should document the absence of malice or adverse wilful intent.

IV. SOME LONGSTANDING CONCERNS IN REQUESTING INFORMATION

A.        Constitutional Privacy Issues

1.         Federal Constitutional Provisions

The Federal Constitution does not specifically mention privacy. However, the Fourth Amendment, which prohibits unreasonable searches and seizures, has been interpreted to imply a right of privacy. Beginning in the early 1960s, the United States Supreme Court decided a line of cases which held that privacy is an implied right under the Fourth and Fourteenth Amendments.  For example, in Roe v. Wade, 410 U.S. 113, 93 S.Ct. 705 (1973), the Court addressed the right to privacy in the area of birth control and abortion.

In Katz v. United States, 389 U.S. 347, 88 S.Ct. 507 (1967), the United States Supreme Court recognized a reasonable expectation of privacy for telephone conversations.  The Court in that Fourth Amendment case indicated that the attorney-client privilege turns on whether the communication enjoys a “reasonable expectation of privacy.”

Lower courts vary in the tests they apply to determine if there is a reasonable expectation of privacy.  Some courts hold that any disclosure, even inadvertent, will waive the privilege.  See, In Re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989).  Other courts have held that there must be a knowing relinquishment of the privilege.  See, Underwater Storage, Inc., 314 F.Supp. 546, 549 (D.D.C. 1970).

A “balancing test” is used to determine whether the attorney-client privilege has been waived.  This test is case specific and evaluates (1) the reasonableness of the precautions taken to prevent disclosure; (2) the amount of time taken to remedy the error; (3) the scope of the disclosure; (4) the extent of the disclosure; and (5) the overriding issue of fairness.  Alldread v. City of Grenada, 988 F.2d 1425, 1433 (5th Cir. 1993).

Although the Federal Constitution's privacy protections limit the power of the government because they apply to “state action” i.e., acts taken by the government, insurance companies should be aware of these safeguards whenever dealing with public officials.  For example, when there is an ongoing investigation by both public officials and insurers, the insurance company could be deemed an agent of the state, and would then be subject to constitutional provisions that would limit the government in its ability to gather evidence.  See Coolidge v. New Hampshire, 403 U.S. 443, 487, 91 S.Ct. 2022, 2049 (1971).  Thus, if an insurance company acts as an agent of the state, and fails to comply with Fourth Amendment requirements, evidence the company acquires may be inadmissible in court.

A court will likely deem the company a state agent if three conditions are met: (1) there is a manifestation by the principal that a person is acting for that principal; (2) there is acceptance by an agent of the relationship; and (3) there is an understanding that the principal is in control of the acts of the agent.  See, State v. Smith, 673 A.2d 1149 (Conn. App. 1995).  To avoid being classified as a state agent, an insurance company should neither give directions to, nor take directions from, any state agency, including law enforcement agencies.  See also, State of Utah v. Brenda Ellingsworth N0. 971456-CA (Utah. App. 1998), where a workers compensation claimant was found not to have been entitled to Fourth Amendment protections because the investigating employer, although a state entity itself,  had a purpose for investigating that was completely independent of law enforcement.

Similarly, in United States v Howard, 752 F.2d 220, 227 (6th Cir. 1985), and United States v Pervaz 118 F.3d 1, 5-6 (1st Cir 1997), the courts held that private investigations were not “state actions” because the parties' intent was “primarily to benefit private interest and not law enforcement.” Under this analysis, an investigation undertaken primarily to analyze or defend against a claim would not constitute state action.  However, until more courts adopt this analysis, the more cautious approach is for insurers to keep their investigations separate and independent from the investigations of public officials.

2.         State Constitutions

Some states have constitutional provisions which expressly provide citizens with a right of privacy. For example, 23 of Florida's Constitution guarantees each citizen a right of privacy, pursuant to the following language: "Every natural person has the right to be let alone and free from governmental intrusion into his private life except as otherwise provided herein. This section shall not be construed to limit the public's right of access to public records and meetings as provided by law."

By its terms, 23 only applies to governmental action.  Consequently, insurers in Florida should not be subject to a claim pursuant to this language, unless the insurer becomes too closely allied with law enforcement or some other agency of the state, in which case the company may be deemed an agent of the state.  As such, an aggrieved claimant may allege a violation of his state constitutional right to privacy due to the insurer's conduct as an agent of the government.

Also, a few states provide a constitutional right of access to public records.  For example, in Florida's Constitution, Art I, Section 24 provides access to any non-exempt public record made or received in connection with the official business of any public body, officer, or employee of the state of Florida, or persons acting on their behalf.  Prior to performing a public records search, a quick review of the specific state's constitution may reveal broader avenues for access to public records.

B.        Internal Revenue Code

Under 26 U.S.C. 6103, taxpayer records are deemed confidential, and may only be produced with the taxpayer's consent or pursuant to a subpoena.  Other provisions of the Internal Revenue Code provide for the confidentiality of IRS investigations and records maintained by the IRS.  For example, under 26 U.S.C.  7431, a taxpayer may bring a civil action against any person who willfully or negligently discloses any tax return information in violation of 26 U.S.C. 6103.

C.        The Freedom of Information Act, as amended

Passed in 1966, the Freedom of Information Act, 5 U.S.C. 552 (hereinafter FOIA), was originally designed to allow citizens access to government records and to prevent secret governmental activities.  Amended in 1996 to expand the definition of records to include electronically stored information, the FOIA now requires that records created after November 1, 1996 must be available on line.  In addition, the FOIA has been interpreted to cover records in a broad range of media forms, including audio recordings (Mobil Oil Corp. v. FTC, 406 F. Supp. 305 (S.D.N.Y. 1976)); videotapes (Murphy v. FBI, 490 F. Supp. 1138 (D.D.C. 1980)); and motion pictures (Save the Dolphins v. Dept. of Commerce, 404 F. Supp. 407 (N.D. Cal. 1975)).

The FOIA creates the presumption that the records of all federal agencies are open to the public.  However, given the explosion of information readily available on the Internet and computer data bases, the state and federal courts now appear to be favoring privacy interests over openness to justify sealing information that  once was considered public.

 Under the FOIA, the government is required to give individuals the records they request  unless the government asserts one of nine exemptions permitted by the FOIA.  Of those exemptions, the FOIA contains two exemptions that allow an agency to withhold information if it concludes that release would invade the privacy of individuals.  Exemption (b)(6) protects “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy”.  5 U.S.C. 552(b)(6).  In addition, exemption (b)(7)(C) applies to “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information ... could reasonably be expected to constitute an unwarranted invasion of personal privacy”.  5 U.S.C. 552(b)(7)(C).

The FOIA also provides that a federal agency may delete from its published rulings and opinions identifying details, if necessary to prevent an unwarranted invasion of privacy.  However, the opinion must explain the justification for the deletion.  For all its promise, the FOIA appears to have fallen short of its original goal of providing full disclosure.  The courts, including the United States Supreme Court, have given the FOIA a narrow construction and have given the exceptions to disclosure a fairly broad construction. 

For example, in the Dept. of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749, 109 S.Ct. 1468 (1989), the United States Supreme Court, relying on the personal privacy exemption, held that the disclosure of “rap sheets” (compilations of arrests, indictments, convictions, or acquittals) maintained on a centralized computer at the Department of Justice constituted an unwarranted invasion of privacy, even though the same information was publically available on paper from the original sources, such as local police departments.  Finding that there was a stronger personal privacy interest implicated by the disclosure of a rap sheet generated by a computer than by scattered records found from a diligent search of courthouse files, county archives, and local police stations, the Supreme Court narrowly interpreted “public interest” and held that those seeking personally identifiable information from government records must show an intent to use the information to examine the workings of the government.

Thereafter, the Supreme Court continued to permit federal agencies to withhold personally identifiable information on privacy grounds. For example, the Supreme Court in Dept. of Defense v. Federal Labor Relations Authority, 510 U.S. 487, 114 S.Ct. 1006 (1994),  held that the home addresses of government employees should not be disclosed to union organizers because the addresses did not relate to government operations and their release would not serve the public interest.

Other governmental agencies have also relied on the personal privacy exemption.  For example, in New York Times v. NASA, 920 F.2d 1002 (D.C. Cir. 1990), NASA cited the personal privacy exemption to justify withholding the cockpit tape from the Challenger disaster.  In addition, the Department of Education in Garnett Satellite Information Network, Inc. v. Dept. of Education, No. 90-1392 (D.D.C. 1990), relied on the personal privacy exemption to justify its refusal to release the names of persons who had defaulted on their student loans.  Furthermore,  the FBI in Schmerler v. Federal Bureau of Investigation, 900 F.2d 333 (D.C. Cir. 1990), invoked the privacy exemption to justify its refusal to disclose sixty-year-old records.

This trend towards relying on the exemptions of the FOIA has demonstrated how the presumption favoring disclosure originally embodied in the FOIA is becoming subservient to privacy interests.  In reshaping the boundaries established by Congress, courts have restricted access to information that could shed light on  government activities.

D.        The Fair Credit Reporting Act, as amended

Checking an insured's credit history can result in vital clues for insurance companies in unveiling fraud.  A consumer credit report typically includes employment history, income, current indebtedness, payment history on credit accounts and loans, bankruptcies, lawsuits or judgments against the subject, and tax and other liens against the subject's property.  Much of that information, however, is protected by the Fair Credit Reporting Act.

1.         What is the Fair Credit Reporting Act?

In 1970, Congress enacted the Fair Credit Reporting Act (hereinafter the Act), 15 U.S.C. 1681, to ensure that consumer  reporting agencies utilize reliable and accurate credit reporting practices while simultaneously maintaining the confidentiality of the consumer reports the consumer reporting agencies generate, by limiting access to those with a specific, limited, and legitimate interest in obtaining the information.  Essentially, the Act limits access to personal credit information.  St. Paul Guardian Ins. Co. v.   Johnson, 884 F.2d 881 (5th Cir. 1989); Hovater v. Equifax, Inc., 823 F.2d 413 (11th Cir. 1987).  The Act was designed to focus on the rights of consumers by promoting accuracy, fairness, and privacy in the files of every credit bureau or consumer reporting agency that regularly assembles consumer information for the purpose of furnishing consumer reports to third parties.  15 U.S.C. 1681(a).

In order to achieve its objectives, the Act restricts the circumstances under which a consumer reporting agency can properly disclose consumer reports, and the recipients of those reports.  Hovater, 823 F.2d at 417.  Two kinds of reports exist under the Act; a consumer report and an investigative consumer report.  A consumer report is defined as any communication of any information by a consumer reporting agency that is expected to be used in whole or in part to serve as a factor in establishing the consumer's eligibility for “credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; or any other purpose authorized under 1681(b)”.  An investigative consumer report is defined as a report which delves into the consumer's character, general reputation, personal characteristics, and mode of living; which is obtained through personal interviews. 15 U.S.C.  1681(d).

The Act only permits disclosure of consumer reports to persons who intend to use the information for credit-granting, employment, insurance underwriting, governmental license or benefit eligibility, or in connection with a business transaction involving the subject of the report.  15 U.S.C. 1681(b).  The recipient of the consumer report is required to notify the consumer that it has obtained a report in two instances.

First, the recipient's duty to notify a consumer that it has obtained a consumer report is triggered only when a consumer's application for credit, insurance, or employment is denied based, in whole or in part, on the information contained in the report.  Unless adverse action is taken, users of the information obtained from a consumer reporting agency have no duty to notify the consumer that it reviewed such a report in making its determination.  In those cases, the Act affords protection through 15 U.S.C. 1681(g), which requires consumer reporting agencies to disclose information in their files to the consumer upon request only.

Second, the recipient's duty to notify is triggered when the recipient has ordered a consumer investigative report.  In that case, the recipient must notify the consumer within three (3) days of requesting such a report and disclose same upon request.  15 U.S.C. 1681(d).  See also Houghton v. New Jersey Mfr. Ins. Co., 795 F.2d 1144 (3rd Cir. 1986).

2.         What relevance does the FCRA have for insurance companies investigating claims?

In processing claims, insurance companies may seek information from consumer reporting agencies in the form of a consumer report or a consumer investigative report.  Currently, the three national credit agencies in the United States  are Equifax, TransUnion, and Experian (formerly TRW). 

In Houghton v. New Jersey  Mfr. Ins. Co., 795 F.2d 1144 (3rd Cir. 1986), the 3rd Circuit Court of Appeals addressed the issue of when a communication between a consumer reporting agency and an insurance company investigating a claim is subject to the Act.  In that case, Houghton filed suit against Bernice Rosenfeld, the insured of New Jersey Manufacturer Insurance Company  (NJMI), for bodily injuries resulting from an automobile collision.  NJMI requested that Equifax Services, Inc. conduct an investigation of Houghton and prepare a written report to assist in evaluating Houghton's claim.

Equifax submitted a report to NJMI that included information based on interviews with neighbors, an examination of Houghton's available credit files, and other relevant information.  After the case was settled, Houghton learned of the Equifax report and requested that NJMI disclose its substance to her.  After NJMI refused, Houghton filed suit against NJMI claiming that NJMI had violated her right to privacy under the United States and Pennsylvania constitutions when it violated the notice and disclosure requirements of the Fair Credit Reporting Act.

Stating that the communication between Equifax, the consumer reporting agency, and NJMI qualified as an investigative consumer report, the district court held that NJMI had violated the Act by not providing Houghton notice and disclosure of the report.  The court considered the report to be an investigative consumer report because portions of the report were obtained through interviews, a method specifically referred to in the Act's definition of a consumer investigative report.

In reversing the district court's holding, the 3rd Circuit held that the insurance company's request concerned only the genuineness of Houghton's bodily injury claim and not her eligibility for credit, insurance, or employment.  The appellate court in Houghton determined that the inclusion of insurance in the definition of a consumer report in the Act related exclusively to the underwriting of insurance and not the investigation of a claim for benefits under an existing policy.  Consequently, the court found no violation of the Act.

In Hovater v. Equifax, Inc., 823 F.2d 413 (11th Cir. 1987), cert. denied, 484 U.S. 977, 108 S.Ct. 490 (1987), the 11th Circuit followed the 3rd Circuit's Houghton opinion.  In Hovater, the insured filed a first party property claim for loss of his residence by fire.  After determining that arson caused the fire, the insurance company retained Equifax to obtain background information about Hovater in order to evaluate his claim.  After learning of the report, Hovater sued Equifax for negligently releasing a consumer report for a purpose not authorized under the Act.  The court held that a report, which an insurer procures from a credit reporting agency solely for use in evaluating the insured's claim for benefits under an existing policy of insurance, is not a consumer report that is governed by the Act.  See also, Cochran v. Metropolitan Life Ins. Co., 472 F.Supp. 827 (N.D.Ga. 1979); Kiblen v. Pickle, 33 Wash. App. 387, 653 P.2d 1338 (1982).

However, in St. Paul Guardian Ins. Co. v. Johnson, 884 F.2d 881 (5th Cir. 1989), the 5th Circuit held differently than the 3rd and 11th Circuits.  In this case, a homeowner's insurer, suspicious of a theft loss, obtained a copy of the insured's pre-existing credit report for the purpose of obtaining information as to whether the insured owned the property claimed as stolen.  In analyzing whether the credit report fell within the statutory definition of a consumer report and invoked the Act, the 5th Circuit held that the purpose for which the information contained in a credit report was collected governs whether that report is a consumer report under the Act.  Because the insurance company had obtained a copy of a pre-existing credit report which had been collected for purposes under the Act, the court held that the insurance company had violated the Act, even though the insurance company did not intend to use the report for a purpose under the Act.  See also Ippolito v. WNS, Inc., 864 F.2d 440 (7th Cir. 1988), and Beresh v. Retail Credit Co. Inc., 358 F.Supp. 260 (C.D. Cal. 1973) (holding that an insurer obtaining a credit report for purposes of evaluating the claim under an existing insurance policy was within the catch all provisions of the Act).

Therefore, as a general rule, the specific requirements of the Act always apply if an insurance company is obtaining a consumer credit report or consumer investigative report for purposes of making an underwriting decision.  If an insurance company is obtaining a consumer report for purposes of evaluating insurance claims under existing insurance policies, the insurance company should first make certain that the consumer report does not contain information that had previously been collected for one of the purposes under the Act such as determining an individual's eligibility for insurance.  And to avoid litigation regarding the appropriateness of obtaining a consumer credit report during the investigation of a claim, a written consent or authorization from the subject of the report should be obtained before the request for such a report is made to any consumer credit reporting agency.

In addition to the Federal Fair Credit Reporting Act, insurance companies need to be aware that many states have enacted statutes or rules which codify all or substantial portions of the Fair Credit Reporting Act.  For example, as of September 24, 1996, the Florida Insurance Commissioner approved a rule requiring insurers to disclose their use of credit checks to consumers and to keep records of such checks for state regulators to monitor.  In addition, California has passed the Consumer Credit Reporting Agencies Act, Cal. Civ. Code 1785.1, which indicates that a credit report issued to an insurance company for the purpose of investigating a claim is a consumer credit report and consumer credit reporting agencies are explicitly authorized to furnish credit reports for such purpose (unlike the Fair Credit Reporting Act).  Cal. Civ. Code 1785.11(a)(3)(C).

In order to assure compliance with the Federal Fair Credit Reporting Act and state statutes in obtaining consumer credit reports, the more cautious approach is for insurers to obtain the insured's authorization or written consent for the release of a credit report pursuant to the cooperation clause in the insurance policy.  See 15 U.S.C. 1681(b)(2) that authorizes the release of credit reports in accordance with the written instructions of the consumer to whom it relates.

V. THE PROLIFERATION OF FEDERAL “PRIVACY” LEGISLATION

A.  Electronic Communications

1.         Federal Wiretapping Act, as amended by the Electronic Communications Privacy Act

As an amendment to the 1968 Federal Wiretap Statute, the Electronic Communications Privacy Act, 18 U.S.C. 2510 (hereinafter ECPA), codified the common law tort of invasion of privacy as it relates to electronic communications.  Whereas the Federal Wiretap Statute made it unlawful for one to eavesdrop on or intercept another person's oral and wire (telephone) communications, the ECPA broadened that statute's scope to protect all forms of electronic/digital communications, such as data transmissions between computers, paging devices, e-mails, video transmissions, and telephone voice communications.

Generally, the ECPA prohibits any person (not just the government) from intentionally intercepting an electronic communication, or from disclosing the contents of any intercepted electronic communication.  18 U.S.C. 2511(1).  This prohibition applies not only to those who seek to break into an electronic communications system (such as hackers) but also to those who own and operate such systems (such as Internet access/service providers and private network operators).

However, this prohibition does not prevent an employer or agent of a provider of an electronic communication service from intercepting, disclosing, or using the communication in the normal course of his or her employment while engaged in any activity that is necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service.  18 U.S.C. 2511(2)(a)(i).  Cases interpreting this “ordinary course of business” exception have involved telephone monitoring, and the courts have generally held that an employer may monitor an employee for as long as the communication is business-related.  See Epps v. St. Mary's Hospital of Athens, Inc., 802 F.2d 412 (11th Cir. 1986), (finding that the employer monitoring of a conversation between two employees, during which one employee criticized supervisors, was in the ordinary course of business because the call took place during work hours, and it concerned supervisory employees and the work environment); and Briggs v. American Air Filter Co., 630 F.2d 414 (5th Cir. 1980), (determining that an employer's monitoring of a business call, in which the employee revealed trade secrets to a business competitor, was within the ordinary course of business because the employer had suspicions that trade secrets were being revealed and listened only long enough to confirm that fact).

The ECPA provides various levels of privacy protection depending on: (1) the type of system (public or private) where the communication is found; and (2) whether the communication is in storage or in transit.  Typically, there are three main types of systems: a private network; a semi-public network or commercial services; and the Internet.

Private networks are essentially closed systems that operate within the same office.  E-mail communications on a private network raise a reasonable expectation of privacy (See, for example, United States v. Keystone Sanitation Company, 903 F.Supp. 803 (M.D.Pa. 1995), because the e-mail messages travel directly from one computer to another within the same office without any stops in between.

Semi-public networks or commercial services provide e-mail services to individuals or entities for a subscription fee.  Typically, access to those networks is password-protected.  Computers send messages over a reserved telephone network to the commercial network.  Stored on the commercial network, those messages are accessed via password by another member of the commercial service.  Such transmissions are subject to a reasonable expectation of privacy.  See United States v. Maxwell, 42 M.J. 568 (1995).

E-mail provided through the Internet typically uses ordinary telephone lines and intermediate computers to transfer information.  Operated by Internet service providers, Internet e-mail may be stored temporarily in one or more computers.  The Internet service providers assist in distributing electronic mail over the Internet and placing it into the recipient's computer or “mail boxes”, which may exist on the recipient's computer or on the host computer used by the recipient to access the Internet.  Since individuals can access e-mail through any device that provides web access, use of the web-based e-mail system reduces the insulation between stored messages and unauthorized access.  Although the ECPA provides internet users certain rights and safeguards, users and service providers of a web-based system must continue to ensure that effective security measures are developed and diligently applied and that all involved parties recognize the potential privacy risks with use of the web-based system. 

With regard to stored communications, the ECPA prohibits any person from unlawfully and intentionally accessing a stored electronic communication without authorization.  18 U.S.C. 2702.  Stored messages include those in the addressee's mailbox waiting to be picked up by the addressee, and records of private discussions between users.  Thus, stored e-mail messages can be obtained only pursuant to a search warrant.  For e-mail messages that have been in electronic storage for more than 180 days, the government need only obtain “an administrative subpoena authorized by a Federal or State Statute or a Federal or State Grand Jury or Trial Subpoena.”  18 U.S.C. 2703(b)(B)(I).

However, the ECPA does not provide users of a system with a right of privacy against the operator of the system, at least with respect to stored messages.  Since a system can be configured to store all messages that pass through it, the system operator effectively has the ability to review all messages that pass through the system.  It is illegal, however, for a system operator to divulge the contents of any communication stored on the system (other than to the intended addressee and other limited exceptions).

Other concerns regarding access to stored messages have generally arisen in the context of an employer reading an employee's e-mail sent from or received at an employer's address.  Employers can read messages sent or received via their companies' computer systems without violating employees' privacy rights.  Although the degree of protection under the privacy laws vary from state to state, cases addressing the privacy of business e-mails, thus far, have not found those communications to be protected.  See U.S. v. Maxwell, 42 M.J. 568 (1995); Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D. Pa. 1996); Flanagan v. Epson America, No. BC007036 (Cal. Super. Ct. Jan 4, 1991); and Bourke v. Nissan Motor Corp., No. BO68705 (Cal. Ct. App. July 26, 1993) (holding that the employees did not have a reasonable expectation of privacy with regard to their e-mail messages on the employer's system and that the provisions of the relevant California statute protecting private communications did not apply to e-mail messages in the workplace).

With regard to the transmission of any voice or electronic communications, the ECPA prohibits unauthorized interception, use, or disclosure of such communications in transit.  Therefore, the interception of private e-mail and other communications in transit requires a wiretap authorization.  Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994).  However, there are a limited number of exceptions.   For example, no protection exists for communications that are “readily accessible to the general public” such as those in public chat rooms.  18 U.S.C. 2511(2)(g)(I).  Also, an Internet service provider may intercept an injurious message if necessary to protect “the rights of property” of the Internet service provider.  18 U.S.C. 2511(2)(a)(I).

Finally, the ECPA provides for both criminal and civil remedies in the event of a violation.  Appropriate relief in a civil action may include actual damages suffered by the plaintiff, profits made by the violator, and attorney's fees and costs.  U.S.C. 2511(5)(a)(ii).

As on-line electronic communications like e-mail become more commonly used in our society, both privately and in the work place, insurance companies must remain aware of the Electronic Communications Privacy Act and its effect on using and obtaining electronic communications.  For example,  Internet service providers can reveal the contents of an OnLine communication or identifying subscriber information only pursuant to a search warrant or subpoena. 18 U.S.C. 2703.  Because the case law is still developing in this area and the criminal and civil penalties for violating the ECPA are strong, it remains a good practice for insurance companies to obtain an insured's authorization or release before attempting to obtain any information related to an insureds' electronic communications.

2.         Computer Fraud and Abuse Act (CFAA)

Another federal statute enacted to address data and communications privacy concerns is the Computer Fraud and Abuse Act.  Codified at 18 U.S.C 1030 (1994), the Computer Fraud and Abuse Act (CFAA) was designed to protect information in computer data banks, including information held by financial institutions, a consumer reporting agency, or a credit card issuer.  In addition, the CFAA prohibits certain actions when computers used by, or for the benefit of the U.S. Government or financial institutions (known as “federal interest computers”) are involved, or when there is interstate computer access.  Id. 1030(e).  The CFAA also prohibits intentional access to a federal interest computer which affects the ability of the government to operate that computer. 

Intended primarily to prevent unauthorized access to computer networks to protect the privacy of the information and communications associated with those networks, the CFAA also protects those networks from acts of sabotage, including alteration of data and impairment of network operations and use.  Authorizing the Secret Service to investigate any violation, the CFAA provides for a private cause of action for any person who suffers damage due to someone tapping into a computer system.  The Act also provides for criminal penalties up to ten (10) years for a first violation and twenty (20) years for a subsequent violation.

3.         Computer Matching & Privacy Protection Act of 1988

This Act is an amendment to the Privacy Act of 1974, 5 U.S.C. 552a; discussed below in this paper.  The amendment restricts the federal government's ability to keep track of people by matching information (such as social security numbers) regarding individuals that is maintained by different federal agencies.

4.         Telephone Consumer Protection Act of 1991

Codified at 47 U.S.C. 227, this Act prohibits the use of unsolicited fax advertisements, and restricts the use of automatic dialer systems to make telephone solicitations. The Act also allows the creation of a data base of customers who specifically do not want to be called by telephone solicitors. This statute is not intended to preempt state laws, and the states are free to enact laws that provide greater protection.

5.         Cable Communications Policy Act

Codified at 47 U.S.C 551 (1984), this Act prohibits a cable service operator from collecting personally identifying information about a customer without the customer's consent. It also prohibits disclosure of the customer's identifying information, including, but not limited to, information about the customer's viewing habits.

6.         Children's Online Privacy Protection Act of 1998 (COPPA)

Codified at 15 U.S.C. 6501 et seq., this act prohibits internet web sites from getting personal information from minors without parental consent.  In October of 1999, the Federal Trade commission issued its final rule regarding the act.  16 C.F.R. Part 312.  That rule requires commercial Web sites and other online services to post a detailed privacy notice that clearly states the type of personal information that is collected from children under 13, how that information will be used, and whether any of the information will be given to third parties.  Also, under this rule, the Web site must provide a method of obtaining verifiable parental consent before obtaining the information from the children.

7.         Gramm-Leach-Bliley Act of 1999 (a/k/a Financial Services Modernization Act of 1999)

This law became effective in November of 1999.  It primarily affects the banking and finance industry.  However, it also affects the interplay between the banking and insurance industries.  More specifically, the Act permits financial holding companies to engage in insurance activities, and will pre-empt any state laws currently prohibiting that practice.

The Act creates a new mechanism for protecting non-public customer information.  It provides customers with certain informational and non-disclosure rights with respect to the sharing of customer information between financial service organizations.  Consumers must be provided an annual privacy disclosure concerning privacy policies and information sharing, and consumers must be provided with an opportunity to opt-out with respect to the transfer of that consumer's information.

The Act requires federal banking and securities agencies to adopt customer privacy regulations.   The Act also specifically addresses the issue of “pretext calling” and identity theft, and provides for criminal sanctions for these type activities.

B.        Other Federal “Privacy” Legislation

1.         The Privacy Act of 1974

Codified at 5 U.S.C. 552a, this Act limits the collection and transfer of personal data on individuals by government agencies.  It provides that no government agency may disclose any record about an individual except pursuant to the written request of or with the consent of the person to whom the record relates.  However, there are several exceptions in the Act; which allow disclosure to employees of the agency itself, to law enforcement officers, to the Census Bureau, or to either house of Congress.  In addition, records of an agency may be produced pursuant to a subpoena.

Under this Act, an agency in possession of records is required to provide an individual with the information concerning that individual, upon his or her request, and is required to allow that person an opportunity to correct inaccurate information. The Act also  provides that the government agency maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the statute which authorized collection of the information. If the agency fails to keep accurate information, or fails to provide an individual with a copy of his record upon request, the aggrieved person may bring a civil action in Federal District Court and may recover attorneys' fees upon prevailing.

Of particular interest in the context of the Internet is the fact that the Privacy Act extends only to those records that specifically identify an individual based upon name, identifying number, or other personal identification feature, such as photograph, fingerprint, or voice print.  Id. 552a(a).  Accordingly, the Act does not cover collections of information which do not identify that person based on a feature or attribute unique to that individual. For example, detailed information about a person's purchasing patterns and assets would not constitute a record under the Act unless that information was retained in a record designated by an identifying attribute of the individual.

2. Privacy Protection Act of 1980

Codified at 42 U.S.C 2000aa-2000aa-12, this Act limits the authority of federal law enforcement officers and employees to seize any work product materials possessed by a person reasonably believed to have a purpose to use those materials in a book, broadcast, or newspaper to be distributed to the general public, unless there is probable cause to believe that the person in possession of the materials has committed or is committing the criminal offense to which those materials relate.  The Act includes a specific exception which allows the seizure of child pornography.

3. Federal Records Act

The Federal Records Act, 44 U.S.C. 3101, provides citizens with access to historical documents contained in the national archives. In particular, this Act provides that people shall have access to records of federal agency activity which affect that individual.

4. Right to Financial Privacy Act

Codified at 12 U.S.C 3401-3412, this Act prohibits the federal government from obtaining access to the bank records of an individual or partnership of five people or less, unless the account holder consents, or the federal agent obtains a warrant or subpoena for the records. However, the Act permits the bank to disclose records of persons suspected of engaging in illegal activity.

5.         Family Educational Rights and Privacy Act of 1974

Codified at 20 U.S.C. 1232g, this Act applies to any school which accepts federal funds. Under the Act, a school may not release a student's records without either permission of the student or the student's parents.  This Act requires that the school release records to the student's parents within 45 days of the date of the request, and allows the student and/or parents an opportunity to challenge inaccurate information.

6.         Video Privacy Protection Act

Passed by Congress in 1988, the Video Privacy Protection Act, 18 U.S.C. 2710, also known as the Bork Bill, was created after the City Paper, a Washington D.C. weekly, published the titles of Judge Robert Bork's video rentals when he was a Supreme Court nominee.  The Video Privacy Protection Act makes it a crime to release individualized data about the videos any individual may rent or buy.  In addition, this Act requires a warrant, a grand jury subpoena, or a court order establishing probable cause and formal notice to the individual to obtain such information.

7.         Driver's Privacy Protection Act (DPPA)

Found at 18 U.S.C. 2721, this Act sets forth a general prohibition on the release of information contained in state motor vehicle registration records.  However, the Act sets forth numerous exceptions.  One of those exceptions, 18 U.S.C 2721(b)(6), permits the release of motor vehicle information “For use by any insurer or insurance support organization, or by a self insured entity, or its agents, employees or contractors in connection with claims investigation activities, anti-fraud activities, rating or underwriting.”  This exception allows the insurance company's investigation to include records available from state motor vehicle registration departments.

Both the Seventh Circuit Court of Appeal and the Tenth Circuit Court of Appeal have upheld the Driver's Privacy Protection Act as constitutional. See Travis v. Reno, 1998 WL 871038 (7th Cir. 1998) and State of Oklahoma, ex rel, Oklahoma Dept. of Public Safety v. U.S., 161 F.3d 1266 (10th Cir. Ok. 1998).

However, in a recent Fourth Circuit Court of Appeals case, the Driver's Privacy Protection Act was held to be unconstitutional as an infringement on states' rights.  See, Charlie Condon & the South Carolina Press Assoc. v. Reno, 255 F.3d 453 (4th Cir. 1998).  The United States Justice Department appealed that ruling to the United States Supreme Court.  On January 12, 2000, the United States Supreme Court issued its ruling.  Reversing the Fourth Circuit Court of Appeal's ruling, the United States Supreme Court upheld the Driver's Privacy Protection Act as constitutional because “drivers' information is an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation.”  As such, the Driver's Privacy Protection Act will now be enforced in the states which make up the Fourth Federal Circuit, i.e., South Carolina, North Carolina, Virginia, West Virginia and Maryland, as well as in the remainder of the United States.

VI.       PROPOSED FEDERAL LEGISLATION

A.        Electronic Communications

1.         Consumer Internet Privacy Protection Act of 1999

Introduced by Representative Bruce F. Vento (D-Minnesota), the Consumer Internet Privacy Protection Act of 1999, H.R. 313, 106th Congress, 1st session, proposes to regulate Internet providers and prohibit their employees from disclosing to a third party any personally identifiable information provided by its subscribers without the subscribers' prior written consent.  The Act also requires that such service providers permit subscribers to review, verify, and correct all their personal information, at no charge to the subscriber.  The Act empowers the Federal Trade Commission to enforce its privacy provisions.  In April of 1999, the Act was referred to the House Subcommittee on Telecommunications, Trade, and Consumer Protection.  Given the recent controversy involving on-line service providers' efforts to sell information about their customers to marketers (i.e., America On Line's proposal to make available telephone numbers of its subscribers to CUC International, a mass marketing firm with which AOL had established a commercial relationship), this legislation may gain greater attention.  On April 12, 1999, this Act was referred to the Senate Subcommittee on Telecommunications, Trade, and Consumer Protection.

2.         Online Privacy Protection Act of 1999

Introduced by Senator Conrad Burns in the Senate on April 15, 1999, the Online Privacy Protection Act of 1999, S. 809, would require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about private individuals who are not covered by the Children's Online Privacy Protection Act of 1998 on the Internet.  In addition, this Act would require privacy disclosures on web sites, allow consumers to “opt-out” of giving information to third parties, and allow consumers to access their own personal data.  On July 27, 1999, this Act was referred to the Senate Subcommittee on Communications.

B.        Other Federal “Privacy” Legislation

1.         Personal Information Privacy Act of 1999

Introduced by Representative Gerald Kleczka on April 15, 1999, the Personal Information Privacy Act of 1999, H.R. 1450, is designed to protect individuals' Social Security numbers and other personal information. In particular, this bill would amend part A of title XI of the Social Security Act to prohibit the commercial acquisition or distribution of any person's social security number, as well as its use as a personal identification number, without the individual's written consent. In order for the individual's consent to be effective, the number holder must be informed of the purpose for which the number will be used.

In addition, this bill would amend the Fair Credit Reporting Act to prohibit a consumer reporting agency form providing a report in connection with a credit or insurance transaction not initiated by the consumer without the consumer's written consent.  This bill would also create a civil cause of action, with penalties to be the greater of either actual damages, or liquidated damages of $25,000 . If a violation of the Act is willful or done for profit, the liquidated damages are $50,000. The bill would also allow a prevailing plaintiff to recover attorney's fees.  On April 30, 1999, this bill was referred to the House Subcommittee on Financial Institutions and Consumer Credit.

2.         Personal Privacy Protection Act of 1999

Introduced by Representative John Conyers, Jr. (D-MI) on January 6, 1999 to the 106th Congress, the Personal Privacy Protection Act, H.R. 97, amends the Federal criminal code to provide protection from personal intrusion for commercial purposes.  The bill would make it a federal crime to stalk a person, enter onto private property to tape or record them, and then attempt to sell the recording to someone. However, the bill's prohibitions are inapplicable to official law enforcement activities.  On February 25, 1999, the bill was referred to the Subcommittee on Crime.

3.         Freedom and Privacy Restoration Act of 1999

Introduced by Representative Ron Paul (R-TX), the Freedom and Privacy Restoration Act, H.R. 220, would amend title II (Old Age, Survivors, and Disability Insurance) of the Social Security Act and the Internal Revenue Code of 1986 to prohibit any Federal, State, or local government agency from using a social security account number as the means of identifying any individual, except for specified social security and tax purposes. In addition, this bill  would prohibit the federal government from establishing any kind of national identity card.  On January 20, 1999, this bill was referred to the House Subcommittee on Government Management, Information and Technology.

4.         Financial Information Privacy Act of 1999

Introduced by Representative James A. Leach, the Financial Information Privacy Act of 1999, H.R. 30, 106th Congress, addresses threats to the privacy of financial information by making it unlawful to obtain or solicit customer information from a financial institution by the use of any false pretenses. This bill would require financial institutions to inform customers if the financial institution intends to sell the customer's personal information.  In addition, this bill would require institutions to give their customers the option of prohibiting disclosure of personally identifying information. On January 6, 1999, this bill was referred to the House Committee on Banking and Financial Services.

5.         Children's Privacy Protection and Parental Empowerment Act of 1999

Introduced by Representative Bob Franks (R-New Jersey), the Children's Privacy Protection and Parental Empowerment Act of 1999, H.R. 369, 106th Congress, 1st Session (1999), proposes to amend Title 18 of the United States Code to prohibit the sale of personal information about children without their parents' consent.   More specifically, this bill would prohibit the sale of information about children under the age of 16 in all media (including the Internet), prohibit the use of prison inmate labor for data processing of personal information about children, and prohibit the distributing or receiving of any such information when the person handling the information knows or has reason to believe that the information will be used to abuse or physically harm a child.  This bill authorizes civil suits by parents, and provides for the award of attorney's fees to a prevailing plaintiff.  On February 25, 1999, this bill was referred to the House Subcommittee on Crime.

6.         Social Security On-Line Privacy Protection Act

Introduced by Representative Bob Franks (R-New Jersey) as H.R. 367 to the 106th Congress (1st Session), this bill would prohibit “interactive computer services” (such as Lexis-Nexis) from disclosing to a third party an individual's Social Security number or other personal identifying information and from using an individual's Social Security number as an identifier to disclose personal information. On January 29, 1999, this bill was referred to the House Subcommittee on Telecommunications, Trade and Consumer Protection.

7.         Genetic Privacy and Non-Discrimination Act of 1999

Introduced by Representative Cliff Stearns on July 19, 1999, the Genetic Privacy and Non-Discrimination Act of 1999, H.R. 2555, would prohibit employers and health insurers from using genetic tests to discriminate among applicants. This bill would also prohibit the disclosure of an individual's genetic information without written authorization from the individual or his/her representative.  On July 26, 1999, this bill was referred to the House Subcommittee on Government Management, Information and Technology.

8.         Medical Information Privacy and Security Act of 1999

Introduced by Representative Edward J. Markey on March 10, 1999, the Medical Information Privacy and Security Act, H.R. 1057, would require specified parties (such as health care providers, health plans, public health authorities, law enforcement officials, health or life insurers, schools, universities, etc.) to allow individuals who are the subject of protected health information access to that health information and to establish safeguards to ensure the confidentiality, security, and accuracy of protected health-care information. This bill would also impose criminal and civil penalties for unauthorized use of protected health information.  On September 24, 1999, this bill was referred to the House Subcommittee on the Constitution.

9.         Medical Privacy in the Age of New Technologies Act of 1999

Introduced by Representative Jim McDermott on September 15, 1999, the Medical Privacy in the Age of New Technologies Act of 1999, H.R. 2878, would protect the privacy of health information in the age of genetic and other new technologies. On September 27, 1999, this bill was referred to the House Subcommittee on Government Management, Information and Technology.

10.      Patients' Bill of Rights Acts

The Patients' Bill of Rights Acts of 1999 are designed to protect patients in managed health care plans.  Introduced on January 19, 1999, these three bills include provisions which require a group health plan or health insurer that maintains medical records to establish procedures: “(1) to safeguard the privacy of any individually identifiable enrollee information; (2) to maintain such records and information in a manner that is accurate and timely; and (3) to assure timely access of such individuals to such records and information.”  The two bills introduced in the Senate are S.6 and S.1344 and the bill introduced in the House of Representatives is H.R. 358.  The House bill was referred to the Subcommittee on Employer-Employee Relations on February 24, 1999, Senate bill 6 has been referred to the Senate Committee on Health, Education, Labor and Pensions (HELP) on March 11, 1999, and Senate bill 1344 was indefinitely postponed by the Senate by Unanimous Consent on October 15, 1999.

11.      Depository Institution Customers Financial Privacy Enhancement Act of 1999

Introduced by Representative Edward Markey on March 25, 1999, the Depository Institution Customers Financial Privacy Enhancement Act of 1999, H.R. 1339, 106th Congress, 1st Session, would amend the Federal Deposit Insurance Act, the Federal Credit Union Act, the Bank Holding Company Act of 1956, and the Home Owners' Loan Act to require insured depository institutions (banks), depository institution holding companies, and insured credit unions to protect the confidentiality of financial information obtained concerning their customers. On April 16, 1999, this bill was referred to the House Subcommittee on Financial Institutions and Consumer Credit.

12.      Standards for Privacy of Individually Identifiable Health Information

President Clinton and the Department of Health and Human Services Secretary, Donna Shalala, have proposed new rules to protect personal health information.  The public comment period for this proposed rule ends February 20, 2000.  This rule proposes standards to protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions.  The purpose of the rule is to limit the use and release of private health information without consent; to inform consumers  of their right to access their medical records and to also know if anyone else has accessed their medical records; to establish new disclosure requirements for researchers and others who seek access to medical records; and to impose new criminal sanctions.

VII.     THE EXCHANGE AND DISCLOSURE OF INFORMATION BY INSURERS

A.        State Legislation Allowing Exchanges Between Insurers

During the course of a claim investigation, the exchange of information between insurance companies can be very helpful to the insurer investigating a suspicious or fraudulent claim.  However, such an exchange raises the question of whether an insurance company may be held liable for an invasion of privacy when it shares information from its claim files with any other insurance company.

Some states have enacted statutes which allow insurance carriers to release claim files to other carriers under certain circumstances, without written authorization of the insured.  For example, 626.989(4)(d) of the Florida Statutes provides that:  “an employee whose responsibility it is to investigate claims relating to suspected fraudulent insurance acts may share information related to persons suspected of committing fraudulent insurance acts with other employees employed by the same or other insurers whose responsibilities include the investigation and disposition of claims relating to fraudulent insurance acts, provided the department has been given written notice of the names and job titles of such designated employees prior to sharing that information.”

Also, Illinois has enacted an Insurance Information and Privacy Protection Act, Chapter 215, Act 5, which provides in part as follows: “1014.  Disclosure Limitations and Conditions.  An insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is:...(C)  to an insurance institution, agent, insurance-support organization or self-insurer, provided the information disclosed is limited to that which is reasonably necessary: (1) to detect or prevent criminal activity, fraud, material misrepresentation or material non-disclosure in connection with insurance transactions...”.

Along with permitting insurance companies to provide information to other insurance companies, Chapter 215, Act 5, 1022 of the Insurance Information and Privacy Protection Act provides immunity to an insurer who releases information in compliance with Chapter 215, Act 5, 1014.  Chapter 215, Act 5, 1022 provides in pertinent part as follows: “1022.  Immunity.  No cause of action in the nature of defamation, invasion of privacy or negligence shall arise against any person for disclosing personal or privileged information in accordance with this Article, nor shall such a cause of action against any person for furnishing personal or privileged information to an insurance institution, agent, or insurance support organization;  provided, however, this Section shall provide no immunity for disclosing or furnishing false information with malice or willful intent to injure any person.”

In addition to immunity statutes, common law privileges in some states provide significant and substantive protection for a wide range of communications, including information disclosures, that otherwise would create civil tort liability.  See, Restatement of Torts, 613, 593-598A.  This “conditional” or “qualified” common law privilege exists to promote the free flow of information to further a legitimate private or public interest.  The condition on the privilege is that the publication not be abused or widely distributed.  This privilege provides substantial protection for an insurer's disclosures concerning fraud investigations. 

An example of this qualified protection can be seen in Caswell v. Manhattan Fire & Marine Ins. Co., 399 F.2d 417 (1968), where a fire destroyed a portion of Caswell's restaurant in DeFuniak Springs, Florida.  After investigating that suspicious fire loss, the National Board of Fire Underwriters published a report to its member insurance companies that contained a detailed account of its investigation into the cause of the fire.  In discussing whether the report was privileged, the 5th Circuit stated that a communication is privileged when made in good faith and both the communicating party and the receiving party have an interest worthy of protection in its subject matter.  Id. at 421.  Further, the court stated that the National Board had an interest in warning all of its member insurance companies of potential risks in insuring the plaintiff against fire loss and that the member insurance companies would have a legitimate interest in that information.  Therefore, a libel action will not be successful if based upon information shared between two companies when both entities have a common interest in the information and the communication is reasonably calculated to protect or further such common interest.

B.        State Legislation (Immunity Statutes) Allowing or Requiring Insurers to Provide Information to Public Officials

As indicated above in this paper, each of the 50 states and Washington D.C. have enacted immunity statutes to protect those who participate in the fight against insurance fraud.  Because immunity statutes vary from state to state, insurance companies must be familiar with the reporting/immunity statutes in their respective states and exercise caution in their cooperative efforts with law enforcement officials.  Also, each insurer should determine its reporting requirements under such statutes, as in some states, insurers are required to report all suspicious claims.  See, for example, Florida Statutes, 626.989(4)(c); Nebraska Statutes, 44-6605;Pennsylvania Statutes, 40 P.S. 3701-304; and Texas Statutes, V.T.C.A., Insurance Code, Art 1.10D Sec. 6.

In addition, effective January 1, 1999, Virginia Code Annotated 52-40 mandates that any insurer who has reason to believe that a violation of 18.2-178 (obtaining money or other property by false pretenses) will be, is being, or has been committed shall furnish and disclose any information in its possession concerning the fraudulent act to the Department of State Police.  That statute also provides confidentiality from public inspection all papers, records, documents, reports, materials, or other evidence relative to the subject of an insurance fraud investigation in the possession of the Department of State Police and provides immunity from liability for insurers from defamation, invasion of privacy, and negligence for cooperating with the Department as long as the information is not disclosed with “malice or willful intent to injure any person”.  See Va. Code Ann. 52-39 and 52-41.

C.        Data Bases Available

1.         The All Claims Data Base

Insurance data bases containing information on claimants may represent the single most effective loss prevention weapon available to insurers in combating insurance fraud.  Not only can they help uncover patterns of possibly fraudulent claims activity but they can also alert insurers when those patterns appear in their markets. 

The National Insurance Crime Bureau (NICB), a non-profit organization, operates ClaimSmart, a data base of property/casualty claims used to detect, prevent, and prosecute fraudulent claims.  In addition, the American Insurance Services Group (AISG), which was recently acquired by the Insurance Services Office (ISO), operates the Index System, which tracks bodily injury and workers' compensation data by name, social security number, age, date of loss, body part injured, physician, attorney, and other key claim data elements.  It also operates the Property Insurance Loss Register (PILR), which tracks property losses arising out of any insured peril.

In August of 1997, the NICB and ISO announced that they would merge their individual claims data into an “all claims data base”, containing bodily injury, property, workers compensation, and vehicle claims.  That “all claims data base” would enable insurers to supply their claims information to one source and also access information from a single industry recognized source.  Under the NICB-ISO data integration agreement, ISO will manage data that insurance companies had previously been providing to NICB.  The NICB, insurers, and self-insured entities would have access to that data.  The NICB would continue to provide access to portions of the data to law enforcement personnel, at no cost to them.

However, the creation of the “all claims data base”  raised concerns with the national privacy rights movement.  In early March of 1997, Representative Edolphus Towns, D-New York, introduced into the House of Representatives the Insurance Claims Privacy Protection Act (H.R. 1029).  That bill attempted to create a firewall between criminal data bases and the all-claims data base by prohibiting an insurance crime bureau from accessing the all claims data base. In addition, that bill proposed to limit the disclosure of confidential information by property/casualty insurers and crime bureaus to law enforcement agencies, unless the access is deemed necessary to prevent an act of fraud upon it or unless the insurer or crime bureau reasonably believes illegal activities have been conducted by an individual.  The bill was referred to the House subcommittee on Crime and did not go any further.  However, if the bill had passed, it could have adversely affected state statutes that currently allow insurance companies to exchange claim information.

The all claims data  base is a reality today.  Insurers can access ISO ClaimSearch, which is a combination of the former ISO, AISG and NICB data bases.  ISO's target completion date for its ClaimSearch combination is the end of February 2000.  At that time, even though all of the data bases will be combined, the system still treats the information as three separate data bases.  By mid-year 2000, ISO hopes that the integration of this data will be complete, and that former divisions between the databases will no longer exist.

2.         Property Insurance Loss Register (PILR)

The Property Insurance Loss Register tracks property losses arising out of any insured peril.  Established in 1980 for fire, PILR thereafter extended its data base to include burglary and theft losses.  In 1991, PILR was further expanded to include any insured property peril.  Previously owned and operated by the American Insurance Services Group (AISG), PILR was recently acquired by the Insurance Services Office (ISO).  The information formerly maintained in a separate PILR database is now part of the ISO ClaimSearch data base discussed above.

3.         Medical Index Bureau (MIB)

The Medical Information Bureau (MIB) is a membership organization in Massachusetts which serves as a data bank of medical information for approximately 650 different insurance companies. MIB's members reportedly write 99% of the individual life policies and 80% of the health and disability policies sold in the U.S. and Canada. MIB maintains medical information on individuals, and member companies report significant consumer medical information to the MIB.

In 1995, the MIB reached an agreement with the Federal Trade Commission.  Under that agreement, whenever a consumer is rated for insurance, or turned down, due to an MIB report, the MIB will send a letter explaining the reasons for the action, along with MIB's name,

address and telephone number. These notice provisions are modeled after the notice provisions in the Fair Credit Reporting Act.  Under the agreement, consumers have the right to a free copy of their MIB report, and they may challenge inaccurate information.

4.         Database Technologies, Inc. (DBT)

Established in 1992 and headquartered in South Florida, Data Base Technologies, Inc. (“DBT”) is a national provider of on-line data base services and related reports to law enforcement and other governmental agencies, law firms, insurance fraud investigation companies, and other  qualified  entities.    DBT's products known as “Auto Track PLUS” and its new web-based version, “Auto TrackXP,” provide on-line access to national, state, and county public records.  Available search information includes, for example, current and past addresses, telephone numbers, neighbors, associates, professional licenses, driving histories, business profile reports, real estate, vehicles, and other assets.

5.         Others

There are many companies that offer public records and related investigative services online or on CD-ROM.  For example, CDB Infotek of Santa Ana, California, offers a wide variety of data base and search tools.  Also, Information America (IA), owned by West Publishing, is a large vendor of public records.

Run by the F.B.I., the National Law Enforcement Telecommunications System (NLETS) is a data base link that shares information with the National Crime Insurance Bureau, state motor vehicles departments, U.S. Customs, law enforcement impound lots, the National Crime Information Center, and other U.S. and Canadian law enforcement authorities.

Operated by the National Insurance Crime Bureau, Insurance Crime Information Services (ICIS) maintains a data base on suspicious workers' compensation claims, liability claimants, and property losses.  This data base can be accessed by insurance company SIU fraud investigators who are members of subscriber companies.

Known as Atlantis, the International Communication Network is a data base link run by IBM, and it shares information with NICB, state fraud bureaus, insurance companies, PILR, the Index System, vehicle manufacturers, shipping lines, and other bureaus in the United States and Canada.  Known as A-Plus, the Automated Property Loss Underwriting System is an underwriting data base that assists underwriters when they evaluate applications for insurance.  In addition, it maintains information on the claims history of potential insureds.

There are now literally hundreds of data base vendors in the United States.  The growth of this market is anticipated to continue around the world, as well as in the United States.

D.        IRSG Principles

At least fourteen computerized credit and information services follow their own industry guidelines, the Individual Reference Services Group Self Regulation Initiative (IRSG).  These guidelines are designed to ensure the accuracy and reliability of information.  The IRSG Principles include the following precepts: (1) to acquire individually identifiable information only from sources know as reputable; (2) to restrict the distribution of non-public information through safeguards appropriately calibrated to the type of use made of the information; and (3) to furnish individuals with information contained in the services and products that specifically identifies them, unless the information is publically available, in which case the company will advise the individual how they may obtain information directly from the source.

The Principles also provide that subjects of reports shall  have the opportunity to correct inaccurate information in their records, and that non-public information shall be released only for “APPROPRIATE” uses. The Principles define “APPROPRIATE” as uses that are reasonable under the circumstances, and which reflect a balance between the individual's privacy and legitimate business or government uses. The recipient of non-public information must agree to limit the use and re-dissemination of non-public information.

Furthermore, the Principles provide that when non-public information is disclosed, it will not include specifically identifying information such as the individual's social security number, mother's maiden name, or unpublished telephone number. Under the Principles, an information service shall inform an individual about the nature of public records and non-public information which it distributes about that individual.

When the subject of the information is about a person younger than eighteen years of age, non-public information about that person will not be disclosed except for the limited purpose of locating missing children.  Also, signatories to the IRSG Principles are subject to annual review by independent outside reviewers.

E.         Sunshine in Litigation and Confidential Settlement Agreements

When a claim or lawsuit is settled, it is not uncommon for the parties to agree to keep the terms and provisions of the agreement confidential for a variety of reasons. However, the use of confidential settlement agreements has been criticized in recent years, particularly with regard to manufacturers of dangerous products.

Nine states have enacted statutes or court rules that limit a party's ability to shield settlement agreements in secrecy. Those states are Florida, New York, North Carolina, Georgia, Oregon, Virginia, Delaware, Texas and Oregon. Of those statutes, Florida's is one of the strongest.

The right to incorporate a confidentiality provision into a settlement agreement is governed by Florida Statutes, 69.081, known as Florida's “Litigation in the Sunshine Act”. This Act prohibits a confidential settlement agreement which has the effect of concealing a "public hazard.”  A "public hazard" is defined in this statute as “An instrumentality, including but not limited to any device, instrument, person, procedure, product, or a condition of a device, instrument, person, procedure or product that has caused and is likely to cause injury.”  Therefore, this Act would apply primarily to products liability cases.

Even if a settlement document is protected from discovery due to a confidentiality clause in it, that does not prevent discovery about the underlying facts. See, Smith v. TIB Bank of the Keys, 687 So.2d 895 (Fla. 3d DCA 1997),  in which the court held that the plaintiff in a fraud case could not rely on a confidentiality agreement in an unrelated case to avoid answering deposition questions. The court held that Ms. Smith had to answer deposition questions which the defendant bank posed, even though the answers might put her in breach of a confidentiality agreement with her former employer, or else her case against the bank would be dismissed.

Settlement offers and statements made during settlement negotiations are generally privileged from discovery. See Rule 408 of the Federal Rules of Evidence and most states' rules of evidence.  Also, states with mediation rules of procedure or statutes usually make all discussions held during a mediation conference confidential and non-discoverable.

F.         Internal and External Securitization of Data

In today's information age, the exchange of information is greater than ever.  Attorneys are using this ability to swap information over the internet.  For example, a deposition or statement of a company representative in one case can be accessed via the internet and used against that same representative in another case.  There are also web pages set up to elicit information, complaints and responses from individuals that can be used at a later time against various companies.  One such wed-site is www.fordtruckssuck.com. There are many other sites where people are encouraged to share their complaints.  For example, the Personal Injury Law Forum is at http://www.prairielaw. com/pi/index.shtml.  Companies should consider monitoring the internet for derogatory statements and data compilation being made to use against them in litigation.

In order to maintain the privacy and integrity of its records, the insurer in today's world of electronic piracy should take greater preventions than in past years to safeguard its electronic data.  Such precautions may include the use of firewalls, passwords, and encryption software.  An example of software that is available is PGP, which stands for “pretty good privacy.”  More information on that software can be found at  http: //www.pgp.com/asp_set/ products/tns/intro.asp.  This privacy software can aide in protecting communications on the internet.

Another company providing products/software to permit secure transactions is Hilgraeve.  Hilgraeve has various packages which they call DropChute.  Depending on the type of security the purchaser desires, they claim to assure delivery to the requested party with complete encryption protection.

Although the Electronic Communications Privacy Act makes eavesdropping illegal, insurers and their attorneys should take reasonable steps to protect the privacy of their communications.  Whenever an insurer and its counsel communicate over e-mail or through the use of cellular telephones, each party should make sure that its messages are encrypted.  Encryption has the twin advantages of shielding information and establishing an intent to keep that information private.

Encryption is such a valuable security tool that two states, Iowa and South Carolina, require attorneys to encrypt any sensitive material which they send over the Internet.  See, Iowa Supreme Court Board of Professional Ethics and Conduct, Op. No. 96-01 (Aug. 29, 1996) and South Carolina State Bar Assn. Ethics Advisory Comm.,  Advisory Op. No. 94-27 (Jan. 1995).

However, an unencrypted electronic communication may not violate an attorney's ethical requirements in some states.  For example, see Illinois State Bar Assn. Comm. On Professional Ethics, Op. 96-10 (May 16, 1997).  See also, California Evidence Code 952 (West 1994), which states that “A communication between a client and his or her lawyer is not deemed lacking in confidentiality solely because the communication is transmitted by facsimile, cellular telephone, or other electronic means between the client and his or her lawyer.”

The American Bar Association has issued a formal opinion as to the confidentiality of e-mail correspondence.  In ABA Formal Opinion 99-413, issued March 1999, the association stated:

A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. A lawyer should consult with the client and follow the client's instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation.

Some state bar associations have adopted similar provisions.  However, the key language is that the more sensitive the information that is being transmitted, the greater the precautions that should be taken.  For example, Pennsylvania and Arizona expressly caution lawyers to consult with clients before sending unencrypted e-mail. North Carolina advises lawyers against using e-mail, while Iowa prohibits using e-mail without client consent, encryption or a similar security system.

The Florida Bar has not yet taken a formal position on whether an attorney who communicates with his client via e-mail must use encryption technology to protect the attorney-client privilege.  However, in Gomberg v. Zwick, Friedman & Goldbaum, 693 So.2d 1065 (Fla. 4th DCA 1997), (involving the use of a facsimile machine) a Florida Court of Appeals held that “... an attorney who designates the method for sending communications concerning a client has the duty to protect the confidentiality of communications sent via that mode.”  In view of this holding, when an attorney sends sensitive information over the Internet, the use of encryption technology would be prudent.

A significant federal case involving encryption is Bernstein v. U.S. Dept. of Justice, 176 F.3d. 1132 (9th Cir. May 1999)  In that case, a Berkeley, California mathematician sued the State Department after they told him that he would have to register as an arms dealer under the International  Traffic in Arms Regulation if he wanted to publicize an encryption program he had developed.  According to the then-current law, distributing data or encryption software without governmental approval was (under certain circumstances) a criminal act punishable by ten years in prison and fines of a million dollars or more.  The court of Appeals for the Ninth Circuit affirmed the lower court's ruling that the government's regulations were an unconstitutional infringement on free speech.  The Court stated that encryption codes contain expressions of ideas and cannot be suppressed indefinitely by government officials.

Recently, on September 30, 1999 the Appeals Court granted an en banc rehearing. The Court stated that the case will be reheard by the en banc court pursuant to Circuit Rule 35-3. The three-judge panel opinion, Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999), is withdrawn.  If ultimately successful in its challenge of the export-control laws, this suit will clear the way for cryptographic software to be treated like any other kind of software; and will allow computer and network users much more freedom in building and exchanging their own cryptography solutions.

As the use of e-mail increases and concerns about its security grow, several commercial enterprises have begun to offer services directed toward making e-mail a more secure process.  For example, DeLoitte & Touche and The Merchant Bank of the Thurston Group announced in January, 1997 plans to start NetDox, a joint venture which plans to guarantee the private delivery of e-mail documents and provide certification of receipt of the messages it handles.  In encrypting messages, the NetDox system will use an “electronic thumbprint” for each document to be used as verification of private delivery.  This system may work well for law firms and insurance companies who send documents for which timely private delivery and verification of receipt are critically important. 

VIII.    OBTAINING INFORMATION FROM “PRIVATE” SOURCES OTHER THAN INSURERS

A.        Banks and Financial Institutions

The “Right to Financial Privacy Act” is briefly discussed earlier in this paper.  Also, banks are generally considered to have an implied duty to keep their customers' accounts secret, unless there is some public duty to disclose. See 10 Am.Jur. Banks,  332. Some state courts, including those in Florida, allow the customer a cause of action for unauthorized disclosure of account information. See Mahlomich v. First National Bank, 224 So.2d 759 (Fla. App. 1986).  However, in Barnet Bank of West Florida v. Hooper, 498 So.2d 923 (Fla. 1986), the Florida Supreme Court stated that under special circumstances, banks have a duty of disclosure (where bank had a duty to disclose suspected fraud of one customer to another customer of the bank).

Although bank records are confidential, they are not privileged from discovery. Therefore, parties in a civil or criminal action may subpoena bank records.  For example, in  U.S. v. Miller, 425 U.S. 435, 96 S.Ct. 1619 (1976), the defendant sought to suppress the use of his bank records, which the government had obtained through a valid subpoena. The Supreme Court rejected the defendant's argument that the bank records were his “personal papers,” and held that the records were the property of the bank. The Court also noted that under the Bank Secrets Act, 12 U.S.C. 1829b, the bank was required to maintain the account records precisely because of their potential relevance to investigations and prosecutions of financial crimes.  Because the bank was a party to the transaction, the Court held the bank was authorized to disclose those records.

During an insurer's investigation of a claim prior to litigation, it may need to obtain records from banks or other financial institutions.  A written, and usually notarized, release signed by the bank's account holder will typically be required to obtain those records.

B.        Employers

There is generally no right of privacy concerning one's work history.  For example, Florida Statutes, 768.095, provides that an employer who discloses information about a former employee's job performance at the request of a prospective employer or the former employee, has a qualified privilege from liability for defamation.  The former employer will only be found liable for defamation if the former employee can show by clear and convincing evidence that the former employer knowingly gave false or misleading information, acted with a malicious purpose or violated the former employee's rights under the Florida Civil Rights Act, Florida Statutes, Chapter 760.

However, there are limits on the kinds of information employers are allowed to gather and disclose about their employees. Two significant laws pertaining to employers are the Employee Polygraph Protection Act and The Americans with Disabilities Act.

1.         The Employee Polygraph Protection Act

Under this Act, 29 U.S.C. 2001-2009, employers are generally prohibited from requiring employees to undergo a polygraph test, subject to a few exceptions, notably law enforcement jobs.  Also, an employer may not discharge, discipline, or discriminate against an employee for refusing to take a polygraph, and may not take any action against an employee based on the results of a polygraph test.

2.         Other Employment “Privacy” Statutes

The Americans with Disabilities Act, 42 U.S.C. 12101, et seq, (hereinafter referred to as “ADA”), prohibits discrimination against the disabled, and requires an employer to make reasonable accommodation for those who are disabled but still capable of performing essential job functions.

The ADA significantly limits the kind of medical information that an employer can obtain on a prospective employee. For example, the ADA prohibits an employer from requiring a physical examination unless and until a conditional offer of employment has been made.  Also, under the EEOC Enforcement Guidance rules, “An employer may not make such inquiries about a disability at the pre-offer stage, even if the employer would legitimately be able to exclude the applicant because of the disability." 

The ADA also prohibits an employer from requiring existing employees to undergo a physical examination unless that examination is shown to be job-related and consistent with business necessity.  When such an examination is performed, the ADA requires that the medical records must be collected and maintained on separate forms, in separate medical files, and treated  as a “confidential medical record.” 42 U.S.C. 12112(d)(3)(B). 

In addition to the ADA, many states have their own anti-discrimination laws, frequently known as Human Rights Acts.  These Acts often provide broader protection than Federal laws. For example, under the Minnesota Human Rights Act, Minn. Statutes, 636.01 et seq., sexual orientation is a protected classification; whereas it is not a protected classification under Title VII of the Civil Rights Act, 42 U.S.C. 2000e. Because of such statutes, employers are often reluctant to gather or disclose information concerning an employee.

State anti-discrimination laws generally apply to discrimination in employment, housing and public accommodations, rather than to insurance.  However, to avoid the appearance of impropriety, an insurer should generally avoid inquiring into any matter which is a prohibited basis for discrimination.

C.        Medical Providers

The automation and assimilation of healthcare information continues to increase.  For example, Physician Computer Network, Inc. (PCN), has access to patient records of approximately 100,000 doctors.  PCN offers doctors electronic links to hospitals, labs and insurance companies.  There are also medical registries that track patients and their illnesses.  As healthcare facilities and physicians continue to take advantage of technology to better serve the needs of their patients, the risk of loss to individual privacy increases.

However, medical and healthcare information has long been considered to be confidential.  For over two thousand years, the Hippocratic Oath has provided that a physician shall keep his patients' confidences secret.  Despite that, the right to privacy in one's medical information is not absolute, and insurance companies frequently have a legitimate need for medical information.  The law seeks to balance the individual's right to privacy with the insurer's right to full and accurate disclosure of relevant information. Achieving this balance requires the consideration of applicable statutes.

1.         Confidentiality Statutes

Most states have laws which make a person's medical records confidential. For example, Florida Statutes, 455.667, provides that a physician may not disclose a patient's  medical history except to the patient, the patient's representative, or another health care provider, without the express consent of the patient. However, in a civil or criminal action, such records may be subpoenaed for production.  Thus, although generally confidential, most medical records are not privileged from discovery in Florida, i.e., the patient may not prevent the records from being produced pursuant to a subpoena.

However, Florida Statutes, 90.503, provides a privilege for psychotherapists and their patients in Florida.  Under this statute, records relating to treatment for mental illness, including drug and alcohol dependence, are generally  shielded from discovery, absent a Court Order requiring their production.

2.         Health Insurance Portability and Accountability Act of 1996 (HIPPA)

The Health Insurance Portability Act of 1996, 42 U.S.C. 300gg et seq., governs the circumstances under which an insurance company may offer group health coverage. In particular, the Act prohibits a group health insurer from conditioning an individual's eligibility for coverage based on a variety of factors.  One of the most significant limitations is that a group health insurer may not refuse an individual's membership in a group health plan based on genetic information.  This is important because as knowledge of the genetic code increases, it will become increasingly easy to predict an individual's likelihood of developing certain diseases.

Although insurers may not use an individual's genetic information for purposes of underwriting “group” health insurance, there is no Federal law prohibiting an insurer from using genetic information to underwrite “individual” health insurance. However, one bill, the Genetic Privacy and Non Discrimination Act of 1995, has been proposed in Congress to do just that. As the name implies, this bill is intended to limit access to and use of genetic information. Although this bill has not passed, the public concern over genetic privacy continues to grow.

3.         Federal Drug Abuse Office and Treatment Act

Codified at 42 U.S.C. 290dd-2, this Act provides that records of any patient maintained in connection with any substance abuse treatment program which is conducted or regulated, directly or indirectly by any agency of the United States shall be treated as confidential. Although this statute makes drug treatment records confidential, a recent attempt to base a private cause of action on violation of the Act failed.

In Ellison v. Cooke County Tennessee et al, 63 F. 3d 467 (6th Cir. 1995), a county employee brought suit against a county hospital, alleging a violation of his privacy right for releasing records concerning his treatment for drug abuse. The records were disclosed during a grievance hearing and published in two local newspapers. This disclosure was made in spite of the employee's request that the information be kept confidential.  However, the federal Sixth Circuit refused to recognize an implied private right of action under the confidentiality provision of this Act.

D.        Authorization and Release Forms in the Electronic Age

The cooperation clause of most insurance policies should expressly require the insured to provide the company with records and documents, and permit the company to make copies of those records and documents.  Often, the records and documents which the company may need in its analysis of a claim are in the possession of persons other than the insured.  An authorization for release of records is, therefore, often needed or required for the company to obtain access to records in the custody of such other persons.  The insurer's risks in obtaining an insured's documentation and information from confidential sources without the insured's permission are outlined in the earlier portion (II) of this paper.

With the assistance of local counsel, an appropriate authorization for the release of records and information is often helpful in gathering information.  Requesting an insured to sign an authorization to obtain records and information at the earliest possible opportunity will also assist the company to avoid delays in collecting and analyzing records.  An insured's refusal to provide the insurer with an authorization that would allow copies of documents to be obtained may constitute a material breach of the policy and relieve the insurer of any liability under the policy.  Wood v. Allstate Ins. Co., 815 F.Supp. 1185 (N.D.Ind. 1993).

The authorization to obtain records and information should be sufficiently broad and comprehensive to permit the insurer to obtain the insured's records.  But see Chavis v. State Farm Fire & Casualty, 346 S.E.2d 496 (N.C. 1986), where the North Carolina Supreme Court held that the production of documents provision included in the insureds' fire policy as required by statute did not require the insureds to sign an overly broad release that provided the insurers access to “any and all records” in connection with “all banks and/or any type of lending institution” with which the insureds had done “any business”.  To avoid that problem, releases and authorization forms should be sufficiently broad, but specifically address the particular records and materials needed from sources other than the insured, including electronic data from an internet service provider or e-mail recipient where appropriate.

In addition, insurers should be aware of state statutes that mandate specific requirements that must appear on a disclosure authorization form used by an insurance company in connection with insurance transactions.  For example,  Virginia Statutes Annotated  38.2-606 provides that any authorization forms that are used by an insurance company to disclose personal or privileged information about an individual to an insurance institution or an agent must contain the types of persons authorized to disclose information about the individual, the nature of the information authorized to be disclosed, the purposes for which the information is collected, the length of time that the authorization shall remain valid, etc.

IX.       UTILIZING THE INTERNET

A.        Internet Privacy Issues

The Internet serves as one of the richest sources of information available to an individual or business.  A proficient Internet user can access a vast array of information at the click of a button, and with another click of a button, either print or download to disk information he or she wishes to keep.  However, the Internet also poses one of the greatest threats to privacy, both to those who use it and the general public.

The greatest value of the Internet is the scope of information it can convey.  However, this is also its greatest threat to privacy.  This threat has not been alleviated by legislation.  For example, no federal legislation exists which restricts or prohibits transmission or communication of medical records through the Internet.  Although state law may prohibit individual medical care providers from making unauthorized disclosures of medical records, only that medical provider would face liability for unauthorized disclosures.  The duty of confidentiality extends only to the doctor or hospital, not to the Internet service provider or to the persons who look up that information.  The lack of protection over medical information consulted on line not only compromises the medical information itself, but also invites other kinds of abuses.

For example, an employer is generally prohibited under the Americans with Disabilities Act (ADA) from asking for medical  information from prospective employees.  However, theoretically, an employer could go on the Internet and obtain information regarding a potential employee's medical history, if that information were improperly disclosed onto a Web site.  Based on that information, an employer could decline to hire a candidate out of fear that hiring him or her would increase medical insurance costs. 

In addition to the possible disclosure of medical information, publicly available information, such as land title records and court records, are routinely disclosed over the Internet.  Although there is no privilege applicable to that information, many persons are surprised at the ease at which one can acquire this information over the Internet.

At present, the only federal legislation directly  restricting communications on the Internet are regarding “Sexual Exploitation of Children”, 18 U.S.C. 2251, which criminalizes the use of computer technology to transmit child pornography; “Fraud and Related Activity in Connection with Computers”, 18 U.S.C. 1030, which criminalizes the use of computer technology to commit acts of fraud; and “Protection for Private Blocking and Screening of Offensive Materials”, 47 U.S.C. 230, which protects Internet service providers from civil liability for libel.  Specifically, “Protection for Private Blocking and Screening of Offensive Materials” 230 provides that Internet Service Providers (hereinafter “ISP”) shall not be treated as the publisher/speaker of any information provided by another information provider, such as someone posting information on a Web page.  That Act also indicates that ISPs shall not be held liable for good faith acts by which they seek to restrict access to lewd or obscene material, even if such material is constitutionally protected. 

Another statute which regulates Internet Communications is the Child OnLine Protection Act (COPA), codified at 47 U.S.C. 231.  This statute makes it a federal crime for commercial Web sites to transmit any material “harmful to minors”.  The ACLU has challenged this law, and on February 1, 1999, U.S. District Judge Lowell Reed of Philadelphia entered a preliminary injunction against the Act.  However, the government is currently proceeding, and has appealed the decision of the lower court.  Oral arguments were heard on November 4, 1999 by the Third Circuit court of Appeals.  The result may be appealed to the United States Supreme Court.   Until the United States Supreme Court either decides this case or denies certiorari, COPA's future appears to be uncertain.

Although very little federal legislation restricting Internet information exists, Internet activity falls under the jurisdiction of the Federal Trade Commission (FTC).  In 1996, the FTC conducted a study in which it examined privacy issues regarding the Internet and addressed issues including collection, compilation, and sale of personal information pertaining to consumers.  Although there has been a considerable amount of study, the FTC at present has deferred enacting formal regulations.  Instead, the FTC is relying on the Internet industry to police itself.  The industry has responded with various internal regulations, including the IRSG principles discussed in this paper.

The only exception to the FTC's laissez faire policy has been with regard to on-line solicitation of data from children.  The FTC expects Web site operators to obtain parental consent before distributing private data about a child to a third-party.  The FTC  also requires Web sites to disclose to parents information about how data from or regarding children will be used.  The FTC has held that violations of these guidelines can be treated as unfair or deceptive trade practices.

The paucity of legislation governing the Internet is due in large part to our society's interest in preserving freedom of expression.  The desire to promote broad freedom of expression is reflected in Reno v. UCLA, 117 S.Ct. 2329 (1997), wherein the United States Supreme Court struck down all provisions of the Communications Decency Act, 47 U.S.C. 223 (“CDA”), except for the provisions which prohibit child pornography.  The CDA was very similar to COPA.  In reaching its decision, the Reno court noted that the Internet's extraordinary scope and versatility made it a valuable communication tool, and that such freedom of communication is protected by the First Amendment.

With the exception of on-line solicitation of data from children, no restrictions exist on the information that can be conveyed through the Internet.  This freedom of information creates privacy risks not only to the subjects of those Internet reports, but also to persons using the Internet.

Many persons use the Internet under the belief that they are doing so anonymously.  That belief is mistaken.  Generally speaking, when an Internet user accesses a Web site, the user leaves an “electronic trail”.  In particular, the Web site that is accessed registers information which includes the user's e-mail address and at least some information on the previous sites the user has visited.  That information trail is referred to as a “cookie”.  Generally, the real name of the person using the Internet is not provided as part of the cookie.  However, because  that information is available to the Internet Service Provider, it creates a risk that the cookie may be matched with the real name of the user. 

A more significant risk arises when an Internet user visits a Web site and voluntarily discloses personal information.  There are no restrictions on the use of information which Internet users voluntarily provide.  Any such personal information provided may be sold or given away at will by the ISP.  Consequently, no reasonable expectation of privacy exists in any information which a person voluntarily discloses on the Internet.  Furthermore, there is very little, if any, expectation of privacy in the information contained in the “cookie” which is generated through the use of the Internet.

Although various pieces of Federal legislation have been proposed which would restrict the dissemination of sensitive information, such as social security numbers over the Internet, none of that legislation has yet been enacted.  Consequently, any individual or business entity, including insurance companies, should be very cautious when conveying sensitive information over  the Internet. 

In addition to the inherent privacy risks in using the Internet, there is also the potential for governmental surveillance of computer activities.  Specifically, the Communications Assistance Law Enforcement Act (CALEA), 47 U.S.C. 1001, requires Internet providers to make their systems accessible to government monitoring when that monitoring is authorized by a court order.  That law is relevant to the insurance industry because it could facilitate the investigation of insurance fraud.  The law would be especially helpful in the investigation of large scale insurance fraud involving the use of computers for either communication or record  creating purposes.

B.        Protecting One's Privacy On the Internet

Although the Internet is fraught with threats to privacy, a number of fairly effective measures can be taken to protect one's privacy on the Internet.  In particular, several Internet Service Providers have software which will strip the user's signal of any identifying information before the user reaches a Web site.  Thus, the operator of the Web site will not be able to gather the information which would otherwise be conveyed in the cookie.  In particular, one type of software called “Privnet” blocks the transmission of cookies. 

In addition, the National Computer Security Association (“NCSA”) is offering a certification program which allows Web site users to compare the relative security of Web sites.  The NCSA evaluates a Web site's security based on several criteria, including security policies and procedures for the site, the use of cookies, and the strength of firewalls.  Web sites that pass the remote hacking and on-site tests run by the NCSA receive the NCSA's “Seal of Approval” and are allowed to display the NCSA icon. 

Another rating system has been established by the e-TRUST organization.  In  order to promote on-line privacy, e-TRUST has initiated a pilot program to rate the level of “information security” provided by various Web sites.  Sites which participate in the e-TRUST program will have their information management policies and security measures evaluated and they will receive one of three ratings: anonymous or no exchange (i.e., no personal data regarding the user is collected); one-to-one exchange (i.e., data collected only for use by the Web site owner); or third-party exchange (i.e., data is collected but only provided to specified third parties with the user's consent).

More than 100 major Internet companies, including Netscape, Microsoft, VeriSign, and Firefly Network, apply the Open Profiling Standard, commonly known as “OPS”. The OPS system involves users selecting the amount and type of personal data they are willing to share, storing that data on the user's personal computer, and releasing the data to only those Web sites selected by the user.  The OPS system has been submitted to the World Wide Web consortium for adoption.

Another option for securing privacy is the use of re-mailers.  This involves using anonymous Internet accounts and using a special server into which one logs in, and which then transmits messages to and from the Internet.  One company in particular, C2Net, offers software called the “Anonymizer”, which helps individuals guard their privacy as they browse the Web.

Users of the Internet must be mindful of both the risks, as well as the benefits, inherent in the Internet system.  Common sense, discretion, and the use of available safeguards can minimize the risks to personal and business privacy.

C.        Internet Law

An important issue for Internet users is whether using the Internet in a given state will constitute sufficient contact with the state to give that state's courts jurisdiction over the Internet user.  One of the leading cases addressing this issue is CompuServe v. Patterson, 89 F.3d 1257 (6th Cir. 1996). 

In that case, Mr. Patterson, a Texas resident, sold software to consumers over the CompuServe system.  Mr. Patterson uploaded the software to the CompuServe system in Ohio and CompuServe subscribers then downloaded Mr. Patterson's software and remitted the licensing fee to CompuServe.  CompuServe deducted its handling fee and remitted the balance to Mr. Patterson.  However, CompuServe began to market its own software, which was similar to Mr. Patterson's, and Mr. Patterson claimed it infringed on his product.  CompuServe filed suit for a declaratory judgment that it had not infringed on Mr. Patterson's trademark or engaged in unfair trade practices.

The lower court dismissed the case on the ground of lack of personal jurisdiction in Ohio, but the U.S. Court of Appeals for the 6th Circuit reversed and remanded for further proceedings.  The Court held that jurisdiction may be asserted over a defendant if the defendant's actions meet the following test: “First, the defendant must purposefully avail himself of the privilege of acting in the forum state or causing a consequence in the forum state.  Second, the cause of action must arise from the defendant's activities there.  Finally, the acts of the defendant or consequences caused by the defendant must have a substantial enough connection with the forum to make the exercise of jurisdiction over the defendant reasonable”.

The Patterson decision appears to represent the majority rule.  See: Resuscitation Tech, Inc. v. Continental Health Care Corp., No. 96-1457-C, 1997 WL, 148567 (S.D. Ind. Mar. 24, 1997), (holding that  access to the defendant's Web site and follow up conferences via e-mail were sufficient to sustain jurisdiction, together with other contacts); Digital Equip. Corp. v. Alta Vista Tech, Inc., 960 F.Supp. 456 (D. Mass. 1997), (holding that sufficient contacts were met where the contract stipulated the law of the forum, the defendant solicited advertising and products in the forum, and the Web page was accessible in the forum); and Cody v. Ward, 954 F.Supp. 43 (D.Conn. 1997) (holding that the defendant's e-mail messages were a basis for jurisdiction to hear a suit on fraudulent misrepresentations under securities law). 

See also: Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119 (W.D. Pa. 1997); EDIAS Software Int'l, L.L.C. v. Basis Int'l Ltd., 947 F. Supp. 413 (D. Ariz. 1996); and Inset Sys., Inc. v. Instruction Set, Inc., 937 F. Supp. 161 (D. Conn. 1996).  These additional decisions indicate that insurance companies who advertise, market products or investigate over the Internet in any state should be aware that such activities may subject them to the laws of that state's jurisdiction.

D.        Internet Service Providers

Typically known as ISPs, internet service providers offer their subscribers the means to acquire and disseminate a wealth of public, private, commercial, and non-commercial information.  It is important to note, however, that when subscribers obtain information or create information through the use of the Internet, the ISP does not monitor, verify, warrant or vouch for the accuracy or quality of the information that subscribers may acquire or create.  Therefore, subscribers must take responsibility in relying on information from the Internet.

An ISP will typically not monitor the communications of its subscribers to ensure that its subscribers comply with policy and the applicable law.  However, if an ISP becomes aware of harmful invasive communications, the ISP may take any of a variety of actions.  The ISP may remove information that violates its policies, implement screening software designed to block offending transmissions, or take any other action it deems appropriate, including termination of a subscriber's contract with the ISP.  In dealing with privacy laws, ISPs often state that they will not intentionally monitor or disclose any private electronic mail messages sent or received by its subscribers unless required to do so by law. 

          Without a specific signed release directed to the corporate legal department of an ISP, it will usually not release any information regarding a subscriber's account.  However, ISPs may be required to disclose information transmitted through its facilities in order to comply with court orders, statutes, regulations, or government requests.

E.         Web Sites for Investigative Searches

The following is an exemplary list of web sites for investigative searches:

People/Business Finders
http://www.theultimates.com/white/ [The Ultimate White Pages];
http://www.411.com/ [Search for people];
http://people.yahoo.com/ [Search for persons or their e-mail addresses];
http://www.bigfoot.com/ [Search for people and their e-mail addresses];
http://www.whowhere.lycos.com/ [Search for people];
http://www.worldyellowpages.com/ [Search for a business];
http://www.yellow.com/ [Search for a business];
http://www.anywho.com/ [Search for a person or business];
http://www.classmates.com/ [Find old classmates];
http://www.databaseamerica.com/ [Search for people];
http://www.cedar.buffalo.edu/adserv.html [National Address Server];
http://www.knowx.com/ [Search for people];
http://www.1800ussearch.com/  [Search for people and businesses];

Miscellaneous Locators
http://
www.411locate.com/ [Find and e-mail or web-site address];
http://www.iaf.net/ [Internet Address Finder];
http://www.anywho.com/telq.html [Find a name from a phone number];
http://www.hoovers.com/ [Find company or corporate information];
http://www.switchboard.com/ [Search for people or businesses];

Information on Investigators
http://
www.pimall.com/ [Shopping mall to find a private investigator];
http://www.ioninc.com/ [Investigator referral service];
http://www.nciss.com/ [National Counsel of Investigation and Security Services].

Credit Reporting Sites
http://
www.equifax.com/ [Equifax] (800-685-1111);
http://www.experian.com/ [Experian/formerly TRW] (800-682-7654);
http://www.transunion.com/ [Trans Union] (800-916-8800);
http://www.dnb.com/credit/pcredit.htm [Dun & Bradstreet];
and
http://www.wdia.com/fcra-menu.htm [Fair Credit Reporting Act].

Public Records
http://
http://www.ntlaw.com/All_States_Public_Records.htm
http://www.information‑search.com/ [ISI Database Reports];
http://www.cdb.com/public/ [CDB Infotek - Intelligent Information];
http://www.fedworld.gov/ftp.htm#nhtsa [Government Agencies Database];
http://www.ojp.usdoj.gov/bjs/ [Bureau of Justice Statistics];
http://www.icpsr.umich.edu/ [Inter-University Consortium for Political and Social Research];
http://www.bop.gov/facilnot.html [Federal Bureau of Prisons - Determine if a person is in federal prison];
http://www.dc.state.fl.us/ [Florida Prisons Site];
http://www.corrections.com/links/state.html [National Correctional Institution Site];
http://www.ncjrs.org/ [Links to many Criminal Justice Sites];
http://www.loc.gov/ [Library of Congress];
http://www.congress.org/ [United States Congress];
http://thomas.loc.gov/ [United States Congress, legislative information on the internet].

Other Links
http://www.icpsr.umich.edu/NACJD/home.html [National Archive of Criminal Justice Data];
http://www.nationalfraud.com/ [Provides many services to combat fraud, including insurance fraud];
http://www.fraud.org/welcome.htm [National Fraud Information Center];
http://www.informus.com/ [Employment Screening Services];
http://http://www.interfire.org/ [Fire Investigations Site];
http://www.nfpa.org/ [National Fire Protection Association];
http://www.carsafety.org/ [Injury, Collision and Theft losses by make and model 1996-1998];
http://www.mwsearch.com/ [Medical Information search];
http://www.hwysafety.org/ [Highway Safety Statistics];
http://www.findlaw.com/ [Search for legal resources].

Books to consult regarding investigative searches include:
(1) Public Records Online - the National Guide to Private & Government Online Sources of Public Records, by Facts on Demand Press (1999);
(2) Naked in Cyberspace: How to find Personal Information OnLine, by Carole A. Lane, Wilton, CT. (1997);
(3) The Internet Yellow Pages, by Harley Hahn and Rick Stout, Osborne McGraw Hill (1994);
(4) Search Engines for the World Wide Web (Second Edition), by Alfred and Emily Blossbrenner, Peachpit Press (1999);
and
(5) Financial Investigations: A Financial Approach to Detecting and Resolving Crimes: Instructor's Guide, by U.S. Internal Revenue Service (1994).

F.         Web Sites that Deal with Privacy Issues

The following is an exemplary list of web sites that deal with privacy issues:
http://http://www.epic.org/ [Electronic Privacy Information Center];
http://http://www.cme.org/ [Center for Media Education];
http://http://www.named.org/ [The Named];
http://http://www.junkbusters.com/ [Junkbusters];
http://http://www.pirg.org/ [The State Public Interest];
http://http://www.privacytimes.com/ [Privacy Times];
http://http://www.private-citizen.com/ [Private Citizen];
http://http://www.privacyrights.org/[Privacy Rights Clearinghouse];
http://http://www.cdt.org/ [Center for Democracy & Technology];
http://http://www.townonline.com/privacyjournal/ [Privacy Journal];
http://http://www.privacyexchange.org/ [Privacy Exchange];
http://http://www.accessreports.com/ [Access Reports];
http://http://www.fulldisclosure.org/ [Inside Information On Privacy];
http://http://www.privacyinc.com/ [Privacy, Inc.];
http://http://www.eff.org/. [Electronic Frontier Foundation];
http://www.vortex.com/privarch.htm [Privacy Forum Archive];
http://http://www.ahima.org/ [American Health Information Management Association, medical data security];
http://http://www.privacy.org/ [The Privacy Page];
http://www.aclu.org/issues/privacy/hmprivacy.html [ACLU Privacy Page];
http://www.irsg.org/ [Individual Reference Services Group (IRSG)];
and
http://www.ftc.gov/ [The Federal Trade Commission].


Books to consult regarding privacy issues include:

(1) Protecting Yourself Online, by Robert B. Gelman, Harpers Edge (1998);
(2)  Internet Privacy Kit, by Marcus Goncalves, Que Corporation (1997);
(3) In Pursuit of Privacy, by J. Decew, Cornell University Press (1997);
(4) The Privacy Rights Handbook, by Beth Givens, Avon Trade Books (1997);
(5) Protect Your Privacy on the Internet, by Pfaffenberger, Wiley Computer (1997); and
(6) Your Right to Privacy
, by E. Mendricles, Southern University Press (1990).
 
   
 
 
Home | interFIRE VR Support | Training Calendar | Training Center | Resource Center | Message Board | Insurance Info
Sponsorship Opportunities
Web Site Designed for 800 x 600 by Stonehouse Media Incorporated® Copyright © 2014 All Rights Reserved.