PRIVACY AND CONFIDENTIALITY ISSUES - LIMITS ON ACCESS AND USE OF INFORMATION
PREFACE
The ideas expressed in this
paper should not be considered as legal advice that might apply in any
particular jurisdiction, claim situation, or lawsuit.
I. THE INSURANCE COMPANY'S DUTY TO INVESTIGATE
A. Statutory Requirements
Many states have statutes
which require insurers to investigate claims. For example, under
Florida Statutes, §626.9541(l)(i)(3), it is an unfair claim practice
for an insurer to fail to adopt and implement standards for the proper
investigation of claims. Also, under §626.9541(l)(i)(3)(d), it
is an unfair claim practice for an insurer in Florida to deny claims
“without conducting reasonable investigations based upon available
information...” That duty is also made apparent by Florida's
reservation of rights statute, §627.426(1)(c), which states that the
insurer does not waive any policy provision or defense
by “...investigating any loss or claim under any policy...”
Another example of the insurer's duty to investigate can be found
in California's Insurance Code §790.03(h)(3), which requires an
insurer to adopt and implement standards for the prompt investigation
and processing of claims. See also, Pennsylvania Statutes 40 P.S.
§ 1171.5(a)(10)(iii) and Texas Statutes, V.A.T.S., Insurance Code, Art.
21.21-2 Section 2(B)(3).
With the proliferation
of fraudulent claims and the desire of legislatures to curb premium
increases needed to pay exaggerated and fraudulent claims, many states
have also mandated the creation of anti-fraud units within insurance
companies. Typically, such units are statutorily required to investigate
suspicious claims of all types. For example, Florida Statutes,
§626.9891(l), requires insurers with a certain premium volume to
“(a) establish and maintain a unit or division within the company
to investigate possible fraudulent claims by insureds or by persons
making claims for services or repairs against policies held by insureds;
or (b) contract with others to investigate possible fraudulent claims
for services or repairs against policies held by insureds.”
B. Case Law Requirements
In addition to the statutory
duty to investigate claims, the case law in many states indicates that
an insurer who fails to promptly and thoroughly investigate a claim
may be charged with bad faith. See, for example: Beckman v.
Safeco Ins. Co., 691 F.2d 898 (insurer has duty to conduct a reasonable
investigation); Davy v. Public National Ins. Co., 5 Cal. Rptr.
488 (failure to investigate may evidence bad faith); American Fidelity
& Casualty Co. v. Greyhound Corp., 258 F.2d 709 (5th
Cir. (Fla.) 1958)(insurance company's negligence in handling claim,
by not investigating and evaluating it, rendered company liable for
excess judgment); Kohlstedt v. Farm Bureau Mutual Ins. Co. 139
N.W. 2d 184 (Iowa 1965)(insurer has duty to conduct good faith investigation
of all aspects of case); Commercial Union Ins. Co. v. Liberty Mutual
Ins. Co., 357 N.W. 2d 861 (Mich. Ct. App. 1984) (definition of bad
faith includes insurer's failure to properly investigate claim);
and Radio Taxi Service, Inc. v. Lincoln Mutual Ins. Co., 157
A.2d 319 (N.J. 1960)(reasonably diligent effort must be made to ascertain
facts upon which good faith judgment as to settlement can be formulated).
C. Contractual Obligations
The contractual rights
and duties of the insurer and its insured are specified in the policy
language. Generally, policies require an insured to cooperate
with the insurer's efforts to investigate any first-party claim,
but do not specifically require the insurer to investigate that claim.
That is, the insurer may waive its right to investigate and simply pay
the insured's claim.
However, for third-party
liability claims, the insurer typically has a duty to defend its insured,
which generally requires the insurer to investigate the claim made against
its insured. An insurer's failure to reasonably investigate
and timely pay or settle such a claim may give rise to an excess or
bad faith judgment against the liability insurer.
D. Other Reasons for Investigating
According to the most
recent report published by Conning & Company, a Hartford, Connecticut
insurance research company, fraud cost the entire insurance industry
about $120 billion in 1995. That same research company indicated
that the extent of property and casualty insurance fraud alone reached
$21 billion in 1996. Such alarmingly high losses due to insurance
fraud have prompted insurance companies to more vigorously investigate
this growing burden on the industry and society as a whole.
Since insurance fraud
costs the industry billions of dollars every year, the failure to thoroughly
investigate claims can facilitate even greater amounts of fraud and,
ultimately, threaten a company's viability. The diligent
investigation of claims should be undertaken to protect the company's
viability as well as its insureds. Furthermore, society as a whole
should benefit from the reduction in fraud that can be brought
about by thoroughly and properly investigating suspicious claims.
II. INVESTIGATIVE RISKS TO AVOID
Whenever an insurance
company executes a plan of action for the investigation of a claim,
the company must operate within the legal environment in which that
claim is pending. In today's legal environment, an insurance
company and its representatives should consider and typically balance
their right and duty to investigate
against the insured's or third-party's right to privacy.
One way an insurance
company can balance these two competing interests is by ensuring that
its investigations of claims involve only the discovery of “material”
facts and circumstances. For an excellent discussion of what a
“material” fact is, see Application Misrepresentation
and Concealment in the Property Insurance Policy . . . The Elusive Elements
of the Defense, by Clayton H. Farnham, THE FORUM, Vol. XX,
Number 2, Winter 1985. Otherwise, a suit for invasion of privacy
and a variety of other causes of action may be asserted against the
insurer.
A. Invasion Of Privacy
Courts generally recognize
a cause of action for invasion of privacy. Mark v. Seattle
Times, 635 P.2d 1081 (Wash. 1981). The common law tort of
invasion of privacy actually consists of four distinct kinds of actions:
(1) Unreasonable intrusion upon the plaintiff's seclusion or solitude
or into his private affairs; (2) Public disclosure of private facts
about the plaintiff; (3) Publicity which places the plaintiff in a false
light in the public eye; (4) Appropriation, for the defendant's advantage,
of the plaintiff's name or likeness. See Industrial Found.
of the S. v. Texas Indus. Accident Board., 540 S.W.2d 668, 682 (Tex.1976),
cert. denied, 430 U.S. 931, 97 S.Ct. 1550, 51 L.Ed.2d 774 (1977). See
also, Mark v. King Broadcasting Co., 27 Wash.App. 344, 618 P.2d
512 (1980).
1. Unreasonable Intrusion Upon The Seclusion Of Another
This tort occurs when one
person intentionally intrudes, physically or otherwise, upon the solitude
or seclusion of another or his private affairs or concerns. The person
who engages in the intrusive behavior is subject to liability to the
other for invasion of his privacy if the intrusion would be highly offensive
to a reasonable person. Restatement of Torts, 2nd,
§652A.
Unlike other privacy
torts, this cause of action does not require disclosure of the
private information to third parties. However, there is no liability
if the information in question is a public record or if the activity
occurred in a public place where there is no reasonable expectation
of privacy. Forster v. Manchester, 189 A.2d 147 (Pa. 1963).
Some courts have required
that the intrusion be “substantial” in order for the conduct
to be actionable. In Chicarella v. Passant, 494 A.2d 1109 (Pa.
Super.1985), an accident victim alleged that an insurance company and
its employees intentionally and substantially intruded upon his private
affairs by obtaining hospital records of his injuries. Rejecting
this argument, the court held that a description of the plaintiff's
medical treatment did not constitute a substantial intrusion and that
the information in the medical records would not cause mental suffering,
shame, or humiliation to a person of ordinary sensibilities.
Regardless of the nature of
the information collected, the insurance company should also make sure
that it collects information by lawful means. For example, unauthorized
wiretaps, in addition to being illegal under the Electronic Communications
Privacy Act, will support a cause of action for unreasonable intrusion.
See Rhodes v. Graham, 37 S.W. 2d 46 (Ky. 1931).
2. Publicity Given To Private Life
A cause of action for
invasion of privacy may be pursued where one publicizes a matter about
the private life of another if the matter publicized is one that:
(a) would be highly offensive to a reasonable person; and (b) is not
of legitimate concern to the public. Restatement of Torts, 2nd,
§652D. Case law generally holds that it is not enough that the
information is communicated to one or even several people to support
this cause of action. Instead, the matter in question must be communicated
to enough persons so that it “...must be regarded as substantially
certain to become one of public knowledge.” Tureen v. Equifax,
571 F.2d 411 (8th Cir. 1978).
In that case, Equifax supplied
a life and health underwriting history report to the plaintiff's
health insurer, at the insurer's request. The court held that
Equifax's disclosure to the insurer, without further disclosure,
was not sufficient publication to support a cause of action for invasion
of privacy.
This cause of action will
also not be viable where the matter disclosed is one of legitimate public
interest. In Cox Broadcasting Corp. v. Cohn, 420 U.S. 469, 95
S.Ct. 1029 (1975), the United States Supreme Court held that disclosure
of the identity of a rape victim did not support a common law claim
for publicity given to the private life of another, because news relating
to crime is a matter of legitimate public interest. However, most states
now have “rape shield” laws, which prohibit the disclosure
of the identity of rape victims.
3. Publicity Placing A Person In A False Light
Publicizing a matter
about another person that places that person before the public in a
false light is actionable if: (a) the false light in which the plaintiff
is placed would be highly offensive to a reasonable person; and (b)
the actor had knowledge of or acted in reckless disregard of the falsity
of the publicized matter and the false light in which the other would
be placed. Restatement of Torts, 2nd §652E.
See also, Larsen v. Philadelphia Newspapers, Inc., 543 A.2d
1181 (Pa.Super 1988) quoting § 652E as authority.
This theory has been
used to sue information providers who supply erroneous information.
For example, in Dun & Bradstreet v. Greenmoss Bldrs., 472
U.S. 749, 105 S.Ct. 2939 (1985), D&B disclosed a credit report with
inaccurate information in it, which placed Greenmoss, the subject of
the report, in a false light. D&B defended the invasion of
privacy claim by arguing that the credit report was a matter of public
importance and that the plaintiff should, therefore, be required to
show “actual malice” in order to prevail. The Court
rejected that argument and Mr. Greenmoss prevailed in the case.
It should also be noted
that this cause of action is against the provider of the information,
not the recipient. Therefore, it is incumbent upon the information
service provider to take reasonable steps to make sure that information
supplied is accurate. That is, an insurance company should take
reasonable steps to avoid providing inaccurate information to others.
4. Appropriation Of Name Or Likeness
Under this theory, one
who appropriates the name or likeness of another to his own use or benefit
is subject to liability to the other for invasion of his privacy.
Restatement of Torts, 2nd §652C. This tort action
is typically asserted in cases involving the use of photographs and
audio of celebrities for product endorsements without their knowledge
or consent. More egregious examples include posting nude photos
of people or models on the Internet.
Because this tort is
frequently used by celebrities who are “public figures”,
the plaintiff often has a high burden to meet. That is, much of
what “public figures” do and say is considered to be a matter
of legitimate public interest. A claim for invasion of privacy
will not succeed if the disclosure involves a matter of legitimate public
interest. Carson v. Baskin, 30 So.2d 635 (Fla. 1947).
A few years ago, radio
host Howard Stern ran for governor of New York. An Internet provider,
Delphi, used Stern's photograph in an advertisement without his
permission, and Stern sued. However, Delphi had used Stern's
photograph specifically to advertise an online bulletin board which
was established to debate Stern's candidacy. The court found that
although Delphi had used Stern's likeness without his permission,
the use was permissible because his candidacy was a matter of
public interest. Stern v. Delphi Internet Services Corp.,
626 N.Y.S.2d 694 (Sup. Ct. 1995).
For all types of invasion
of privacy, it should be noted that the elements and exact requirements
for bringing this suit vary among the states. For example, in
Florida, a cause of action for invasion of privacy will normally only
lie if the information at issue is published to the world at large.
Publication to one or a few people will generally not support this cause
of action in Florida. See Santiesteban v. Goodyear Tire, Inc.,
306 F.2d 9 (5th Cir. 1962). Other states are less restrictive
than Florida.
In Borquez v. Ozer,
423 P.2d 166 (Colo. Ct. App. Div. I 1995), the plaintiff, Mr.
Borquez, was a lawyer in the Ozer firm. Mr. Borquez was gay, and
when he learned that his companion was HIV positive, disclosed both
his homosexuality and his need for testing to a partner in the firm.
Mr. Borquez asked that law partner to keep the information confidential,
but the partner made no promise to do so. Within a few days, Borquez's
situation became common knowledge throughout the firm.
Mr. Borquez sued for
invasion of privacy, and won a jury verdict which the Court of Appeals
affirmed. The Colorado Court of Appeals held that the disclosure
of this “private matter” would be highly objectionable to
a reasonable person because a strong stigma still attaches to both homosexuality
and AIDS. The court also held that the scope of the disclosure
or publication has to be measured by the sensitive nature of the information
and the relationship of the parties. Unlike the case law in Florida,
the Colorado court held that publication to the world at large is not
required where the information is of a highly personal nature.
In Borquez's case, the information was found to be so personal
that dissemination to his co-workers, who did not have a need to know,
was held to be sufficient publication for the invasion of privacy claim.
Courts have required
greater degrees of publication to support a claim for invasion of privacy
where the information is of a less personal nature. For example,
a court has held that the disclosure to a small group of co-workers
that a dismissed worker had been to a “career counselor”
prior to discharge is not a sufficient publication to support a claim
for invasion of privacy. Croston v. Kamauf, 932 F.Supp.
676 (D. Md. 1996). Also, a hospital counseling center's
disclosure that one of the hospital's employees had been in counseling
did not violate that employee's right to privacy. Hanson
v. Hancock County Mem. Hosp., 938 F.Supp. 1419 (N.D. Iowa 1996).
These cases indicate
that the degree of publication necessary to constitute an invasion of
privacy is a function of the nature of the information disclosed.
Therefore, insurance companies, like others, should consider exercising
additional caution when handling claims that involve highly personal
information, such as medical and mental health information.
Another growing problem
is “Identity Theft.” Identity theft occurs when someone
acquires key pieces of someone's identifying information and impersonates
that person when committing various crimes in that person's name.
The basic information sought by identity thieves is a person's
name, address, phone number, social security number, driver's
license number, and credit card numbers. These thieves also seek
telephone calling card numbers, birth certificates and passports.
By obtaining this type of information, the identity thief is able to
commit various types of fraud, such as going on spending sprees using
the victim's name, opening new financial accounts, taking over existing
accounts, diverting mail, and applying for loans, credit cards, social
benefits, etc.
Identity theft can leave
the victim with a poor credit rating or bad reputation that may take
years to correct. With the increased use of the internet, more
information than ever is available to the savvy identity thief.
In order to protect electronic transactions, more consumers are using
various types of digital signature protection and other encryption methods.
Congress has passed the Identity Theft and Assumption Deterrence Act,
codified at 18 U.S.C. § 1028. This act makes it a felony to knowingly
use the identification of another person with the intention of committing
any unlawful activity under federal or state law.
B. Trespass
Trespass is the entering
onto the property of another without permission or legal authority.
Prosser on Torts, 4th Ed §13. To avoid potential
liability for trespass, insurers and their representatives may include
policy language to allow inspections of any insured's property,
and obtain written permission or consent forms from the property owners
prior to entry onto the property. Also, when surveillance activity
is undertaken, it should be conducted from public places to avoid claims
of trespass.
C. Defamation
Defamation is any written
or oral communication about another which would expose the subject of
those statements to hatred, contempt, ridicule, or which causes or tends
to cause any person to be shunned or avoided. See, for example,
Layne v. Tribune Co., 146 So. 234 (Fla. 1933). When conducting
interviews during an investigation, insurance company representatives
should take care to avoid making statements that could be considered
as derogatory remarks about the insured or any other person. In
Nebraska, in order to have a cause of action for defamation, there must
be: (1) a false and defamatory statement concerning the plaintiff; (2)
an unprivileged publication to a third party; (3) fault amounting to
at least negligence on the part of the publisher; and (4) either actionability
of the statement irrespective of special harm or the existence of special
harm caused by the publication. Norris v. Hathaway, 5 Neb.App.
544, 547‑48, 561 N.W.2d 583, 585 (1997). Accord, 50 Am.Jur.2d
Libel and Slander § 21 (1995); Restatement (Second) of Torts
§ 558 (1977).
D. Breach of Contract
Where the insurer has
a duty to defend or investigate a claim under its policy, and
fails to do so in a reasonable manner, its insured may bring a breach
of contract action against it. Similarly, a lienholder or mortgagee
may assert such an action against the insurer. A failure to pay
because of the lack of an appropriate investigation by the insurer is
a claim many plaintiffs have alleged. An arguable basis for that
inappropriate investigation may be the insurer's invasion of the
insured's or third-party claimant's privacy.
E. Bad Faith
Creative counsel for
claimants look for additional grounds for asserting “bad faith”
claims. In many states, bad faith claims can arise from a first-party
claim or a third-party liability claim. A typical allegation is
that the insurer did not act fairly towards its insured. The creative
claimant's attorney will argue that any invasion of privacy amounts
to a failure to act fairly towards its insured or is an unfair claims
settlement practice that amounts to “bad faith”.
F. Infliction of Emotional Distress
Although frequently
pled, this cause of action rarely succeeds. In order to prevail
on a claim for infliction of emotional distress, the plaintiff must
typically show that the defendant engaged in conduct so extreme and
outrageous as to go beyond all bounds of decency, and which is regarded
as atrocious and utterly intolerable in a civilized society. Mere
rudeness or lack of courtesy will not support a cause of action for
emotional distress. Mundy v. Southern Bell Tel. & Tel.
Co., 676 F.2d 503 (11th Cir. 1982). Also, many
cases require that the plaintiff sustain some actual physical impact
or bodily injury from the alleged tortious conduct.
The Florida Supreme
Court, in Time Ins. Co. v. Burger, 712 So.2d 389, 393 (Fla. 1998),
held that in order to recover damages for emotional distress, the plaintiff
must prove: (1) that the bad-faith conduct resulted in the insured's
failure to receive necessary or timely health care; (2) that,
based upon a reasonable medical probability, this failure caused or
aggravated the insured's medical or psychiatric condition; and
(3) that the insured suffered mental distress related to the condition
or the aggravation of the condition. In order for the insured
to recover, these allegations must be substantiated by the testimony
of a qualified health care provider. Prior to Burger and
the enactment of F.S.A. § 624.155, emotional distress damages were generally
unavailable absent physical contact arising out of the conduct of an
insurer.
G. Interference with Business Relationship
To sustain a cause of
action for interference with a business relationship, the plaintiff
must establish (1) the existence of a business relationship, which need
not be evidenced by an enforceable contract; (2) knowledge of the relationship
on the part of the defendant; (3) intentional and unjustified interference
with the relationship by the defendant; and (4) damage to the plaintiff
as a result of the breach of the relationship. G.M. Brod & Co.
v. U.S. Home Corp., 757 F.2d 1526 (11th Cir. 1985).
This cause of action may arise where an investigator or adjuster inappropriately
interviews a claimant's business associates, customers, or clients.
H. Class Action Litigation
Class action suits are
governed by Rule 23 of the Federal Rules of Civil Procedure. A
class action suit can be maintained if the following conditions are
met: (1) the class is so numerous that joinder of all members is impracticable;
(2) there are questions of law or fact common to the class; (3) the
claims or defenses of the representative parties are typical of the
claims and defenses of the class; and (4) the representative parties
will fairly and adequately protect the interest of the class.
There has been a tremendous growth in class action lawsuits in recent
years, due in part to the potential for large judgments.
For example, in Avery
v. State Farm Mutual Automobile Ins. Co., 1999 WL 955543 (Ill.Cir.
1999), the jury awarded the class of plaintiffs $243,740,000.00 for
class-wide specification/direct damages, $212,440,000.00 for class-wide
installation damages plus interest of $456,180.00. These large
sums were only for Count 1 of the complaint. Counts II and II
were questions of law decided by the judge. The court awarded
an additional $130,000,000.00 for violating the Consumer Fraud
Act of Illinois, and also awarded punitive damages in the amount of
$600,000,000.00. The total damages awarded came to $1,186,636,180.00.
The case involved State Farm's requiring the use of non-OEM parts.
An example of an activity
that may lead to class action type liability is the routine obtaining
of credit reports without first getting a release. If an insurance
company engages in the repeated or regular practice of conducting improper
investigations, including, for example, the invasion of persons'
privacy, the insurance company could become the target of a class action
suit, which could be extremely expensive to defend and settle.
Therefore, it is important that an insurance company conduct investigations
with an awareness of this risk.
III. PROFESSIONAL INVESTIGATORS
A. Private Investigators
1. Licensing requirements
An insurer's hiring of a private investigator is not prohibited by state
insurance codes. However, state statutes do establish regulations
for the licensing of private investigators. See, for example,
Florida Statutes, §493.6100; Nebraska Statutes, § 71-3202; Pennsylvania
Statutes, 22 P.S. § 13; and Texas Statutes, Vernon's Ann.Civ.St. Art.
4413(29bb) Sec. 13(a). When hiring private investigators, insurance
companies should determine that the private investigators retained are
properly licensed in each jurisdiction where they will be working.
A private investigator licensed in one state may cross state lines
and operate illegally.
2. Surveillance/Investigation by Audio, Video, and Electronic Means
In an effort to detect
and defend against the increasing volume of fraudulent claims, insurance
companies frequently investigate suspicious claims by having investigators
engage in video, audio, and electronic surveillance of claimants.
Employers, banks, merchants and even amusement companies have similarly
responded to their losses from external and internal fraud and theft.
Despite the need to
vigorously pursue investigations of suspicious claims, investigators
must limit themselves to “reasonable” means of surveillance,
or be subject to liability for the invasion of an individual claimant's
right to privacy. That usually involves the balancing of the insurer's
right and duty to investigate the validity of claims filed against the
claimant's right to privacy.
In the context of claim
investigations involving surveillance, claimants may assert a claim
or cause of action against the insurance company and its private investigator
for unreasonably intruding upon their solitude or seclusion. In
determining whether to sustain such a claim for wrongful intrusion,
the courts question: (1) whether there was a legitimate purpose
for the investigation that led to the intrusion; and (2) whether
the means employed in conducting the investigation were reasonable.
Courts have uniformly
held that an individual who files a personal or bodily injury claim
should expect that the insurance company will conduct a reasonable inquiry
and investigation to determine the validity of the claim. Pinkerton
Nat'l. Detective Agency, Inc. v. Stevens, 132 S.E.2d 119 (Ga.
1963). Therefore, when a claimant files a personal or bodily injury
claim, that claimant's interest in privacy is sacrificed to the
extent of a “reasonable” investigation. However, if the
insurance company conducts the investigation in an offensive, objectionable,
or unreasonable manner, it will be liable for wrongful intrusion even
if it had a legitimate purpose for the investigation.
With regard to the means
employed in conducting the investigation, the insurance company will
not incur liability for invasion of privacy based on wrongful intrusion
if the company conducted the surveillance in a “reasonable”
manner. As a general rule, surveillance of a claimant in a public
place and from a public vantage point in which a passerby could have
made the same observations does not constitute an invasion of privacy
if conducted in a reasonable and non-obtrusive manner. In Forster
v. Manchester, 189 A.2d 147 (Pa. 1963), a private investigator
took motion pictures of the plaintiff driving her car on public thoroughfares.
The court held that the motion pictures were a reasonable means of procuring
evidence and did not constitute an invasion of privacy because the plaintiff
was exposed to public observation. Id. at 197.
In McLain v. Boise
Cascade Corp., 533 P.2d 343 (Or. 1975), an investigator trespassed
upon the border of the claimant's property to obtain a better
position to videotape the claimant during daylight hours. In
affirming the dismissal of the claim, the Oregon Supreme Court overlooked
the trespass because the claimant was unaware that he was being videotaped
and conceded that the activities filmed could have been observed by
his neighbors or a passenger watching from an adjacent road. Therefore,
the Court found that the investigator's conduct could not constitute
an unreasonable surveillance highly offensive to a reasonable person.
But see Alabama Electric Cooperative, Inc. v. Partridge, 225
So.2d 848 (Ala. 1969), where the jury found that hiding in an abandoned
house near the claimant's home and using high-powered binoculars
to videotape the claimant's family moving about their home was
unreasonable.
In Unruh v. Truck
Insurance Exchange, 498 P.2d 1063 (Cal. 1972), the California Supreme
Court determined that the insurer's investigators went too far
and held the insurer liable for “additional injuries” caused
by the investigation. In Unruh, the plaintiff was being
investigated for workers' compensation fraud. The investigator
befriended the plaintiff, took her to Disneyland, and engaged in physically
demanding activities while at the park. A second investigator
videotaped the events. When the videotape was shown to the plaintiff,
she suffered a mental breakdown. This type of activity was held
to go beyond the bounds of a reasonable investigation.
In addition, an action
for invasion of privacy or wrongful intrusion does not result when an
investigator obtains information about the claimant from public records
or interviews acquaintances or friends of the claimant. To the
extent that third parties are willing to talk to investigators, the
courts will not find a violation because the claimant made the information
public when he/she voluntarily revealed it to others and assumed the
risk that a friend or acquaintance in whom the claimant confided might
breach the confidence. Schupmann v. Empire Fire & Marine
Ins., 689 S.W.2d 101 (Mo. App. 1985).
However, the revelation
of too much information, especially unsupported allegations or innuendo,
can lead to the imposition of liability on both the insurer and its
investigator for invasion of privacy. For example, in Republic
Ins. Co. v. Hires, 810 P.2d 790 (Nev. 1991), the insurer's
investigator conducted an intense investigation of a burglary loss claimant's
neighbors, asking if they had any information that the claimant staged
the burglary and if they were aware that the claimant's wife was
involved in an affair with the neighbor who discovered the burglary.
If an insurer or its
private investigator conducts an investigation in a malicious manner
that is not reasonably limited to obtaining information needed for analyzing
or defending a claim, or deliberately conducts an investigation so as
to intentionally torment or frighten the subject of the investigation,
the investigator and the insurer may be liable for wrongful intrusion.
In this area, insurance companies should be aware of two types of investigations
that generally give rise to a sustainable cause of action for wrongful
intrusion, namely: (a) listening to or viewing, with or without
the assistance of electronic devices, the purely private affairs of
the claimant that could not be readily ascertained by the casual observer;
and (b) obtrusive surveillance designed to make the claimant and the
public aware of the surveillance, commonly referred to as “rough
shadowing”.
With regard to electronic
surveillance, insurance companies and investigators must be aware of
federal and state wiretapping statutes that apply to all kinds of recording
of the voice, such as tape-recording, videotaping, and using sound on
video. The Electronic Communications Privacy Act, 18 U.S.C. §2511(1),
also known as the federal wiretapping statute, prohibits warrantless
wiretapping unless one of the parties to the conversation consents and
the recording is not being made for the purpose of committing any criminal
act in violation of the Constitution or laws of the United States or
any state. See United States v. Wright, 573 F.2d 681 (1978).
In addition, most states
have statutes restricting the interception of “wire communications”.
For example, the California Privacy Act makes it unlawful to eavesdrop
or record a confidential communication “intentionally or without
the consent of all parties by means of any electronic amplifying or
recording device”. West's Ann.Cal.Penal Code 15 §631
- 632. See also, Coulter v. Bank of America Nat'l. Trust
& Sav. Assoc., 33 Cal. Rptr. 2d 766 (1994).
In that case, Christopher
G. Coulter sued Bank of America, where he worked as an automatic teller
machine mechanic. Anticipating litigation for sexual harassment
that he would later file, Mr. Coulter secretly recorded more than 160
face-to-face and telephone conversations with various bank employees,
supervisors, and officers. When Mr. Coulter filed his suit for
sexual harassment, the bank and eleven of its employees initiated a
cross-complaint against Mr. Coulter for invasion of privacy and for
violation of the California Privacy Act. In dismissing Mr. Coulter's
lawsuit, the trial court found in favor of the bank and the employees
on their privacy act claim. Rejecting Mr. Coulter's argument
that he never disclosed the tapes to any third party, the California
Appeals Court affirmed the trial court and held that “the statute
is violated simply by the recording of confidential communications without
the consent of all parties; violation does not require disclosure to
a third party”. Id. at 771.
Like California, Florida
has a state statute that limits the scope of surveillance by wiretapping.
Florida Statutes, §934.03, applies to any person, and prohibits the
intentional interception or the intentional use or disclosure of wire,
oral, or electronic communications.
Effective October 1,
1974, the Florida Security of Communications Act was amended to prohibit
a party to a conversation from recording that conversation without the
consent of all parties to the conversation, provided that the conversation
is not public or the intercept is not conducted for the purpose of obtaining
evidence of a criminal act. Florida v. News-Press Publishing
Co., 338 So.2d 1313 (2d DCA 1976). In that case, the 2d DCA
held that tape recordings of conversations obtained without the knowledge
and permission of all parties involved in those conversations were illegal
intercepts because the Florida legislature intended to allow each party
to a conversation an expectation of privacy from interception by the
other party.
Similarly, Pennsylvania
requires consent of all parties to the communication (See 18 Pa.C.S.A.
§ 5704(4)); while in Texas, when one party consents to the recording
of the communication, the recording is permissible. (See V.T.C.A., Penal
Code § 16.02(c)(4).) In both Texas and Pennsylvania, not only
is the person who improperly makes a recording subject to criminal penalties,
but if anyone uses the information gained, with the knowledge it was
illegally obtained, that person can also be subject to criminal sanctions.
Pa.C.S.A. § 5703(3) and V.T.C.A. Penal Code § 16.02(b)(3).
Therefore, if an investigator illegally tapes a conversation and the
insurance company is aware (or even suspects) that the tape was made
illegally, the insurance company representative may be subjected to
criminal sanctions.
With regard to what
is known as “rough shadowing”, the seminal case on
point is Pinkerton National Detective Agency, Inc. v. Stevens,
132 S.E.2d 119 (Ga.App. 1963). In that case, investigators, hired
by an insurance company to determine the extent of injuries suffered
by a bodily injury claimant, shadowed the claimant almost continuously
for nearly four months, peeped and eavesdropped through her windows,
and gave the claimant's neighbors the impression that the claimant
was involved in some wrongful activity. The court held that such
behavior was unreasonable and invaded the claimant's right to
privacy because the surveillance was not intended to acquire information
but to intentionally and maliciously disturb, harass, and injure the
claimant.
3.
Insurer Liability for Private Investigators
Whenever an insurance
company retains a private investigator to assist with the investigation
of a claim, the insurance company may become liable for the torts of
the private investigator. Noble v. Sears, Roebuck & Co.,
33 Cal.App.3d 654 (1979). In order to determine if liability
attaches to an insurer for the tort committed by its private investigator
upon the investigation's subject, one must first determine if
the investigator is an agent of the insurer, or an independent
contractor.
Generally,
an insurer who entrusts work to an independent contractor is not liable
for the tortious acts or omissions of that contractor. On the
other hand, an insurer who entrusts work to an agent will be liable
for the agent's conduct. See Mahon v. City of Bethlehem,
898 F.Supp. 310 (E.D.Pa. 1995); and Baldassarre v. Butler, 625
A.2d 458 (N.J. 1993).
In determining whether
a private investigator is the agent of an insurance company, courts
will consider whether the insurer had the right to control the performance
of the private investigator's work. King v. Loessin,
572 S.W.2d 87 (Tex. Civ. App. 1978). If the insurer exercised
control over the manner in which the investigator went about
his/her investigation, then the “independence” of the independent
contractor relationship will fall away. For example, see
Pinkerton Nat'l. Detective Agency, Inc. v. Stevens, 132
S.E.2d 119 (1963), where the court held that the subject of the investigation
had an action for invasion of privacy against both the detective agency
and the insurance company.
If, on the other hand,
control over the manner of the investigation remains with the private
investigator, the independent relationship will remain intact.
For “[I]f the employer is interested only in the results, and
there is left to the party performing such services complete control
over the details as to the method and manner of such performance, then
the relationship of independent contractor exists.” King
v. Loessin, 572 S.W.2d 87, 89 (Tex. Civ. App. 1978); see also, AT&T
v. Winback & Conserve Program, Inc., 42 F.3d 1421 (3d Cir. 1994).
In dealing with privacy
concerns and the hiring of private investigators, insurance companies
will want to make certain that the private investigator's conduct
will not be deemed to establish an agency relationship if, in fact,
the private investigator is acting as an independent contractor.
Likewise, the insurance company will usually want to make certain that
its private investigators comply with appropriate general guidelines
in undertaking their work, while not specifically directing the manner
in which that work is undertaken. By doing so, the prudent insurer
can minimize the chance that it will be held liable for the misconduct
of a private investigator.
B. Special Investigative Units (SIUs)
Insurance companies
have responded to the increased volume of fraudulent insurance claims
by creating in-house special investigative units (SIUs) as part of their
fraud control programs. Additionally, an ever increasing number
of states have legislatively mandated anti-fraud investigative units.
For example, Florida Statutes, §626.9891, requires that every insurer
admitted to do business in Florida who in the previous calendar year
had $10 million or more in direct premiums shall establish and maintain
a division, either within or outside the company, to investigate possibly
fraudulent claims.
Under the Pennsylvania
Insurance Fraud Prevention Act, 40 P.S. § 3701-101 et seq., the
legislature established a seven member board comprised of the Attorney
General, a representative of the Philadelphia Federal Insurance Fraud
Task Force, four representatives of insurers and one representative
of the average insurance purchaser. This board is responsible for overseeing
all insurance fraud programs throughout the state.
Texas has created a
separate Insurance Fraud Unit within the Texas Department of Insurance
to investigate and manage fraudulent insurance practices. See
V.T.C.A., Insurance Code, Art. 1.10D. Similarly, in Nebraska,
the Director of the Department of Insurance appoints people to serve
in the Insurance Fraud Prevention Division. § 44-6606
State requirements vary
when mandating SIUs. Some states require that the insurance company
be accountable for staffing, for what the SIUs do, and the level of
expertise of SIU personnel. Typically, the personnel in SIU units are
experienced in the investigation of suspicious claims and may have substantial
law enforcement backgrounds.
To protect insurance
companies from potential tort liability for invasion of privacy claims
that can arise from SIU investigations, SIU personnel must take the
same precautions that private investigators and claims personnel do
when handling suspicious claims. That includes conducting a reasonable
investigation in a timely, objective, and open-minded manner.
In addition, insurers may reduce their exposure to claims arising from
SIU investigations by monitoring SIU compliance with company procedures
and claim handling guidelines.
C. Public Sector Investigators and Public Information
1.
Public Investigators
Conducting a reasonable
and thorough investigation frequently requires that contact be made
with public officials, including police investigators who work for the
public good. However, insurance companies must be careful not
to violate a third-party claimant or insured's right to privacy when
seeking information from public sector investigators.
Regardless of whether
the public sector investigator is a federal, state, county, or municipal
official, there will usually be a restriction upon the public investigator's
ability to assist or cooperate with investigators who are not employed
in the public sector. It may even be a crime for a public investigator
to release certain information, such as that pertaining to an active
or on-going criminal investigation. See, for example, Florida
Statutes, §119.07(3)(b), permitting law enforcement agencies to withhold
information regarding an active criminal investigation, and 18 U.S.C.
§1905, making it a crime for an officer or employee of any federal agency
to release financial information or trade secrets without authorization.
However, once reports become public, public officials are often a valuable
source of information in the investigation of claims to which their
reports pertain.
2.
Public Records
a. Public Records Defined
Most states have statutorily
defined what public records are. For example, California's definition
is as follows:
“Public records”
includes any writing containing information relating to the conduct
of the public's business prepared, owned, used, or retained by
any state or local agency regardless of physical form or characteristics.
“Public records” in the custody of, or maintained by, the
governor's office means any writing prepared on or after January
6, 1975. California Public Records Act §6252.
Florida, on the other
hand, has a more explicit definition. Florida's statute
states:
“Public records”
means all documents, papers, letters, maps, books, tapes, photographs,
films, sound recordings, data processing software, or other material
regardless of the physical form, characteristics, or means of transmission,
made or received pursuant to law or ordinance or in connection with
the transaction of official business by any agency. F.S.A. § 119.011.
Moreover, Florida's
legislature has expanded the above definition with the following statutory
language:
If public funds are
expended by an agency defined in § 119.011(2) in payment of dues or
membership contributions to any person, corporation, foundation, trust,
association, group, or other organization, then all the financial, business,
and membership records pertaining to the public agency from which or
on whose behalf the payments are made, of the person, corporation, foundation,
trust, association, group, or organization to whom such payments are
made shall be public records and subject to the provisions of §119.07.
F.S.A. § 119.012.
For a state-by-state listing
of public records Web sites, go to www.ntlaw.com/state_public_records.htm.
b.
Generally Available Public Records
(1) Electronic Data Base Information
Currently, personal
information about an individual that is within public records can be
legally collected without notice to or input by an individual insured
or claimant. Examples of public records that are now or soon may
be available from your state, online, include the following: appellate
court records; arrest records; articles of incorporation; bankruptcy
records; civil court indices to lawsuits; corporate status reports;
criminal records; death records; divorce records; FAA records; fictitious
names; hospital liens; judgments; limited partnership records; mechanic's
liens; motor vehicle and driving records; OSHA reports; probate records;
police reports; professional licenses; real estate ownership; SEC reports;
tax liens; UCC indices; voter registration records; watercraft ownership
records; and workers compensation records. As more government
entities maintain public records electronically, and as more public
records are marketed electronically by data base vendors, such information
will become more readily available online.
Those who gather and use electronic
data base information should recognize and respect the privacy interest
that individual insureds and claimants have in personal information
by (1) assessing the impact on the subject's privacy, in deciding
whether to obtain or use personal information; and (2) obtaining and
using only information that could be reasonably expected to support
current or planned activities pertaining to the investigation or analysis
of a pending claim.
(2) Hard-copy Public Records
Records accessible to
the general public are often an invaluable source of background information
on both claimants and potential witnesses. Furthermore, it is
not necessary for the insurer to obtain an authorization to conduct
a search of public records. Frequently examined public records
are those pertaining to litigation, driving history, and police reports.
Most trial level courts
maintain Plaintiff and Defendant indices which an insurance company
can access to determine whether the claimants have been involved in
prior litigation. These indices can lead to court files containing
information concerning a claimant's past injuries, medical treatment,
financial situation, and other prior losses.
In many states, the
Office of the Secretary of State, Department of Transportation, or Department
of Motor Vehicles will provide a written abstract of prior motor vehicle
convictions, suspensions, and license revocations for any licensed driver
in that state. Those reports provide invaluable information concerning
the claimant's prior driving record.
Police reports also
represent an invaluable source of information. However, sensitive
data is frequently redacted from police reports when they are made public.
Also, care should be taken to follow the proper procedure for obtaining
police reports where there are local requirements for that.
There are many other
forms of “hard copy” public records available for inspection,
ranging from real property ownership to handicapped parking permits,
some or all of which may be needed to investigate a particular claim.
And, if such records are “public” records, there can be
no invasion of privacy claim for the insurer's review of them.
As long as the insurance company uses the public information to assist
it in the analysis or defense of a pending claim, obtaining such information
will usually not result in an invasion of privacy claim.
However, a more delicate situation arises when an insurance company
investigates the criminal history of an individual.
c. Criminal History on Adults and Juveniles
(1) An Adult's Criminal Record
There is no prohibition
against an insurer conducting a courthouse search to obtain public records
of criminal acts by an adult. Most states provide that felony
and misdemeanor convictions which result in a sentence other than supervision
(i.e., probation or incarceration) are available as public record.
There are services available in most states which, for a minimal fee,
will obtain an abstract of prior criminal convictions and certified
copies of the conviction records. Also, there are private data
base companies that collect criminal records that are public record,
and make that information available for a nominal fee.
However, in Westbrook
v. County of Los Angeles, 27 Cal.App. 4th 157 (Cal.App.2
Dist. 1994), a private company that sold criminal background information
was restricted by the court. The company asked the municipal
courts of Los Angeles County to provide a monthly list of every person
against whom criminal charges were pending in the 46 municipal courts.
Even though the information sought was public, the court denied the
company's request on the basis that “while there is no question
the court proceedings should not be conducted in secrecy, the public's
right to information of record is not absolute. Where that right
conflicts with the right of privacy, the justification supporting the
requested disclosure must be balanced against the risk of harm posed
by disclosure.” Id.
Developed by the Federal
Bureau of Investigation, the National Crime Information Center (NCIC)
has a computerized, national law enforcement system that links more
than 4,000 police agencies through the use of over 100 terminals in
the 50 states, Washington D.C., and Canada. The nine basic record
files in the NCIC computer system consist of stolen motor vehicles,
stolen articles, stolen, missing or recovered guns, stolen license plates,
wanted persons, stolen securities, stolen boats, computerized criminal
history, and missing persons. The computerized criminal history
file consists of arrest records going into the F.B.I. primarily from
state and local agencies. Those records contain the complete criminal
history of each individual from arrest through the criminal justice
system process, including court decisions, probation, and incarceration.
The NCIC prohibits use of its data base by non-law-enforcement personnel
who seek to obtain the criminal history of an individual. Therefore,
if an insurance company seeks information from this data base, directly
or indirectly, to obtain a criminal history on an individual, without
authorization to do so, the insurer may be exposed to liability under
a claim for invasion of privacy.
(2) Juvenile Criminal Records
In general, juvenile
records information from either law enforcement agencies or court records
is not available to governmental non-criminal justice agencies, private
organizations, the media, or the public. Federal law flatly
prohibits the disclosure of juvenile records held by federal courts
to non-criminal and non-juvenile justice agencies, private employers,
the press, or the public. Department of Justice Regulations prohibit
state and local criminal justice agencies which are covered by their
Regulations from disclosing juvenile record information to any non-criminal
justice agency unless a statute, court order, rule or court decision
specifically authorizes dissemination of the juvenile records.
Not one juvenile code
authorizes the dissemination of juvenile record information to private
employers, the media, or any other private group. For example,
Florida Statutes, §39.411 of the Florida Rules of Juvenile Procedure,
provides in pertinent part as follows: “(3)...All court records
required by this part shall not be open to inspection by the public.
All records shall be inspected only upon order of the court by persons
deemed by the court to have a proper interest therein ...” However,
such statutes generally give juvenile courts the discretion to release
information to any party with a legitimate interest. Thus, such
records may be obtained with an appropriate Court Order.
Courts have analyzed
whether insurance companies have a legitimate interest in obtaining
juvenile records in the investigation of claims. In People
v. John F. & Steven H., 665 N.Y.S.2d 822 (1997), the defendants
were charged with criminal offenses relating to an incident that occurred
on July 2, 1994, allegedly causing injury to the complainant.
The criminal actions were disposed of by Youthful Offender findings
pursuant to Criminal Procedure Law §720.20(3). The court clerk
duly sealed the court file pursuant to Criminal Procedure Law §720.35(2),
which states in pertinent part as follows: “1. A youthful
offender adjudication is not a judgment of conviction for a crime or
any other offense. 2. Except where specifically required
or permitted by statute or upon specific authorization of the court,
all official records and papers, whether on file with the court, a police
agency or the division of criminal juvenile services, relating to a
case involving a youth who has been adjudicated a youthful offender,
are confidential and may not be available to any person or public or
private agency, other than an institution to which such youth has been
committed, or a probation department of this state that requires such
official records and papers for the purpose of carrying out duties specifically
authorized by law ...”.
State Farm Fire and
Casualty Insurance Company issued a homeowners insurance policy and
an umbrella
policy, which included John and Steven as covered persons. In
a civil lawsuit against John and Steven, Joseph Pierse alleged that
on July 2, 1994, John and Steven negligently or willfully assaulted
him about his face and head. In providing a defense to John and
Steven, State Farm desired to unseal the two criminal court files of
John and Steven to obtain copies of the Certificates of Dispositions
and plea allocution minutes, in the event that they entered guilty pleas.
In reviewing the Youthful
Offender Law, the court stated that the primary purpose of the youthful
offender process is avoidance of the stigma and practical consequences
of a conviction for a crime. In denying State Farm's
motions to have access to the sealed files of the criminal proceedings
against Youthful Offenders John and Steven, the court stated that the
social policy goal of restoring a youth to the status that he or she
previously held, after a successful termination of a criminal proceeding
or after being adjudicated a youthful offender, far outweighed any pecuniary
or economic reason of the homeowners' insurer in seeking to unseal
the youthful offender records and disclaim coverage in the alleged battery
victim's tort action against the juveniles.
High-profile crimes
involving minors have contributed to changes in public attitudes about
the juvenile justice system and a youthful offender's right to
privacy. More states are opening up their juvenile courts to some
degree. For example, court records and proceedings involving youths
charged with offenses that would be considered felonies if committed
by adults are public in Maryland and West Virginia. In addition,
Oklahoma and Arizona have passed laws creating a presumption of openness
for all juvenile records. Nevertheless, in order to prevent a
claim for invasion of privacy in obtaining juvenile information, insurance
companies should seek legal advice regarding the juvenile laws in the
state where they want to obtain the juvenile information, before proceeding
with the investigation of a juvenile's criminal history.
3.
Cooperation with Public Officials/Immunity Statutes
In Vogel v. Gruaz,
110 U.S. 311, 316, 4 S.Ct. 12, 15 (1884), the United States Supreme
Court held that “it is the duty of every citizen to communicate
to [the] government any information which [they have] of the commission
of an offense against its laws.” That would include corporate
citizens such as insurance companies. However, due to insureds
and third-party claimants readily pursuing tort liability against insurance
companies based upon allegations of defamation, bad faith, and invasion
of privacy, insurance companies are often reluctant to disclose their
suspicions about possible fraud or to disclose incriminating information
about insureds and claimants.
In an effort to address
those concerns, Ohio became the first state to enact “arson reporting
immunity” legislation that was intended to assist insurers and
law enforcement agencies in their respective efforts to combat insurance
fraud, by providing limited immunity to insurers. Since then,
each of the 50 states and Washington D.C. has enacted various statutes
to protect those who disclose information to law enforcement or governmental
agencies in the fight against insurance fraud.
For example, Florida
Statutes, §626.989(4)(c), provides qualified civil immunity to those
providing information on suspected insurance fraud to state law enforcement
officials as well as to the State's Division of Insurance Fraud.
See Pearce v. United States Fidelity & Guaranty Co., 476
So.2d 750 (Fla. 4th DCA 1985). In addition, Pennsylvania
has a comprehensive statute (Pennsylvania Statutes Annotated, 40 P.S.
§474.1) which broadly immunizes good faith efforts to investigate fraud;
as does Illinois in its Insurance Information and Privacy Protection
Act, 215 ILCS 5/1014.
Some states, like Virginia,
make reporting information on an insured to a law-enforcement agency
or other government authority confidential by statute. For example,
Virginia Code Annotated §38.2-613(A) provides that an insurance institution
shall not disclose any personal or privileged information about an individual
collected or received in connection with an insurance transaction unless
the disclosure is: (6) to a law-enforcement or other government
authority: (a) to protect the interests of the insurance
company in preventing fraud upon it; or (b) if the insurance company
reasonably believes that illegal activities have been conducted by the
individual; or (c) upon written request of any law-enforcement agency,
for all insured or claimant information in the possession of an insurance
company or agent which relates to an ongoing criminal investigation.
In that situation, any information released to a law-enforcement agency
pursuant to such a request shall be treated as confidential criminal
investigation information and not be disclosed further except as provided
by law.
Because immunity statutes
vary from state to state, insurance companies must be familiar with
the reporting/immunity statutes in their respective states. That
is particularly important since some immunity statutes only provide
qualified immunity based upon the absence of malice or wilful intent.
Therefore, insurers should exercise caution in their cooperative
efforts with law enforcement officials, by ensuring that all materials
reflect a good faith, careful investigation that is coupled with objectivity
and fairness. Also, the insurer's letter transmitting information
on file materials should document the absence of malice or adverse wilful
intent.
IV. SOME LONGSTANDING CONCERNS IN REQUESTING INFORMATION
A.
Constitutional Privacy Issues
1.
Federal Constitutional Provisions
The Federal Constitution
does not specifically mention privacy. However, the Fourth Amendment,
which prohibits unreasonable searches and seizures, has been interpreted
to imply a right of privacy. Beginning in the early 1960s, the United
States Supreme Court decided a line of cases which held that privacy
is an implied right under the Fourth and Fourteenth Amendments.
For example, in Roe v. Wade, 410 U.S. 113, 93 S.Ct. 705 (1973),
the Court addressed the right to privacy in the area of birth control
and abortion.
In Katz v. United
States, 389 U.S. 347, 88 S.Ct. 507 (1967), the United States Supreme
Court recognized a reasonable expectation of privacy for telephone conversations.
The Court in that Fourth Amendment case indicated that the attorney-client
privilege turns on whether the communication enjoys a “reasonable
expectation of privacy.”
Lower courts vary in
the tests they apply to determine if there is a reasonable expectation
of privacy. Some courts hold that any disclosure, even inadvertent,
will waive the privilege. See, In Re Sealed Case, 877 F.2d
976, 980 (D.C. Cir. 1989). Other courts have held that there must
be a knowing relinquishment of the privilege. See, Underwater
Storage, Inc., 314 F.Supp. 546, 549 (D.D.C. 1970).
A “balancing test”
is used to determine whether the attorney-client privilege has been
waived. This test is case specific and evaluates (1) the reasonableness
of the precautions taken to prevent disclosure; (2) the amount of time
taken to remedy the error; (3) the scope of the disclosure; (4) the
extent of the disclosure; and (5) the overriding issue of fairness.
Alldread v. City of Grenada, 988 F.2d 1425, 1433 (5th
Cir. 1993).
Although the Federal
Constitution's privacy protections limit the power of the government
because they apply to “state action” i.e., acts taken by
the government, insurance companies should be aware of these safeguards
whenever dealing with public officials. For example, when there
is an ongoing investigation by both public officials and insurers, the
insurance company could be deemed an agent of the state, and would then
be subject to constitutional provisions that would limit the government
in its ability to gather evidence. See Coolidge v. New Hampshire,
403 U.S. 443, 487, 91 S.Ct. 2022, 2049 (1971). Thus, if an insurance
company acts as an agent of the state, and fails to comply with Fourth
Amendment requirements, evidence the company acquires may be inadmissible
in court.
A court will likely
deem the company a state agent if three conditions are met: (1) there
is a manifestation by the principal that a person is acting for that
principal; (2) there is acceptance by an agent of the relationship;
and (3) there is an understanding that the principal is in control of
the acts of the agent. See, State v. Smith, 673 A.2d 1149
(Conn. App. 1995). To avoid being classified as a state agent,
an insurance company should neither give directions to, nor take directions
from, any state agency, including law enforcement agencies. See
also, State of Utah v. Brenda Ellingsworth, No. 971456-CA (Utah.
App. 1998), where a workers compensation claimant was found not to have
been entitled to Fourth Amendment protections because the investigating
employer, although a state entity itself, had a purpose for investigating
that was completely independent of law enforcement.
Similarly, in United
States v. Howard, 752 F.2d 220, 227 (6th Cir. 1985), and
United States v. Pervaz, 118 F.3d 1, 5-6 (1st Cir. 1997),
the courts held that private investigations were not “state actions”
because the parties' intent was “primarily to benefit private
interest and not law enforcement.” Under this analysis, an investigation
undertaken primarily to analyze or defend against a claim would not
constitute state action. However, until more courts adopt this
analysis, the more cautious approach is for insurers to keep their investigations
separate and independent from the investigations of public officials.
2.
State Constitutions
Some states have constitutional
provisions which expressly provide citizens with a right of privacy.
For example, §23 of Florida's Constitution guarantees each citizen
a right of privacy, pursuant to the following language: "Every natural
person has the right to be let alone and free from governmental intrusion
into his private life except as otherwise provided herein. This section
shall not be construed to limit the public's right of access to public
records and meetings as provided by law."
By its terms, §23 only
applies to governmental action. Consequently, insurers in Florida
should not be subject to a claim pursuant to this language, unless the
insurer becomes too closely allied with law enforcement or some other
agency of the state, in which case the company may be deemed an agent
of the state. As such, an aggrieved claimant may allege a violation
of his state constitutional right to privacy due to the insurer's
conduct as an agent of the government.
Also, a few states provide
a constitutional right of access to public records. For example,
in Florida's Constitution, Art. I, Section 24 provides access to
any non-exempt public record made or received in connection with the
official business of any public body, officer, or employee of the state
of Florida, or persons acting on their behalf. Prior to performing
a public records search, a quick review of the specific state's
constitution may reveal broader avenues for access to public records.
B.
Internal Revenue Code
Under 26 U.S.C. §6103,
taxpayer records are deemed confidential, and may only be produced with
the taxpayer's consent or pursuant to a subpoena. Other
provisions of the Internal Revenue Code provide for the confidentiality
of IRS investigations and records maintained by the IRS. For example,
under 26 U.S.C. §7431, a taxpayer may bring a civil action against
any person who willfully or negligently discloses any tax return information
in violation of 26 U.S.C. §6103.
C.
The Freedom of Information Act, as amended
Passed in 1966, the
Freedom of Information Act, 5 U.S.C. §552 (hereinafter FOIA), was originally
designed to allow citizens access to government records and to prevent
secret governmental activities. Amended in 1996 to expand the
definition of records to include electronically stored information,
the FOIA now requires that records created after November 1, 1996 must
be available online. In addition, the FOIA has been interpreted
to cover records in a broad range of media forms, including audio recordings
(Mobil Oil Corp. v. FTC, 406 F. Supp. 305 (S.D.N.Y. 1976)); videotapes
(Murphy v. FBI, 490 F. Supp. 1138 (D.D.C. 1980)); and motion
pictures (Save the Dolphins v. Dept. of Commerce, 404 F. Supp.
407 (N.D. Cal. 1975)).
The FOIA creates the
presumption that the records of all federal agencies are open to the
public. However, given the explosion of information readily available
on the Internet and computer data bases, the state and federal courts
now appear to be favoring privacy interests over openness to justify
sealing information that once was considered public.
Under the FOIA, the government is required to
give individuals the records they request unless the government
asserts one of nine exemptions permitted by the FOIA. Of those
exemptions, the FOIA contains two exemptions that allow an agency to
withhold information if it concludes that release would invade the privacy
of individuals. Exemption (b)(6) protects “personnel and
medical files and similar files the disclosure of which would constitute
a clearly unwarranted invasion of personal privacy”. 5 U.S.C.
§552(b)(6). In addition, exemption (b)(7)(C) applies to “records
or information compiled for law enforcement purposes, but only to the
extent that the production of such law enforcement records or information
... could reasonably be expected to constitute an unwarranted invasion
of personal privacy”. 5 U.S.C. §552(b)(7)(C).
The FOIA also provides
that a federal agency may delete from its published rulings and opinions
identifying details, if necessary to prevent an unwarranted invasion
of privacy. However, the opinion must explain the justification
for the deletion. For all its promise, the FOIA appears to have
fallen short of its original goal of providing full disclosure.
The courts, including the United States Supreme Court, have given the
FOIA a narrow construction and have given the exceptions to disclosure
a fairly broad construction.
For example, in
Dept. of Justice v. Reporters Committee for Freedom of the Press,
489 U.S. 749, 109 S.Ct. 1468 (1989), the United States Supreme Court,
relying on the personal privacy exemption, held that the disclosure
of “rap sheets” (compilations of arrests, indictments, convictions,
or acquittals) maintained on a centralized computer at the Department
of Justice constituted an unwarranted invasion of privacy, even though
the same information was publicly available on paper from the original
sources, such as local police departments. Finding that there
was a stronger personal privacy interest implicated by the disclosure
of a rap sheet generated by a computer than by scattered records found
from a diligent search of courthouse files, county archives, and local
police stations, the Supreme Court narrowly interpreted “public
interest” and held that those seeking personally identifiable
information from government records must show an intent to use the information
to examine the workings of the government.
Thereafter, the Supreme
Court continued to permit federal agencies to withhold personally identifiable
information on privacy grounds. For example, the Supreme Court in Dept.
of Defense v. Federal Labor Relations Authority, 510 U.S. 487, 114
S.Ct. 1006 (1994), held that the home addresses of government
employees should not be disclosed to union organizers because the addresses
did not relate to government operations and their release would not
serve the public interest.
Other governmental agencies
have also relied on the personal privacy exemption. For example,
in New York Times v. NASA, 920 F.2d 1002 (D.C. Cir. 1990), NASA
cited the personal privacy exemption to justify withholding the cockpit
tape from the Challenger disaster. In addition, the Department
of Education in Gannett Satellite Information Network, Inc. v. Dept.
of Education, No. 90-1392 (D.D.C. 1990), relied on the personal
privacy exemption to justify its refusal to release the names of persons
who had defaulted on their student loans. Furthermore, the
FBI in Schmerler v. Federal Bureau of Investigation, 900 F.2d
333 (D.C. Cir. 1990), invoked the privacy exemption to justify its refusal
to disclose sixty-year-old records.
This trend towards relying
on the exemptions of the FOIA has demonstrated how the presumption favoring
disclosure originally embodied in the FOIA is becoming subservient to
privacy interests. In reshaping the boundaries established by
Congress, courts have restricted access to information that could shed
light on government activities.
D.
The Fair Credit Reporting Act, as amended
Checking an insured's
credit history can result in vital clues for insurance companies in
unveiling fraud. A consumer credit report typically includes employment
history, income, current indebtedness, payment history on credit accounts
and loans, bankruptcies, lawsuits or judgments against the subject,
and tax and other liens against the subject's property.
Much of that information, however, is protected by the Fair Credit Reporting
Act.
1. What is the Fair Credit Reporting Act?
In 1970, Congress enacted
the Fair Credit Reporting Act (hereinafter the Act), 15 U.S.C. §1681,
to ensure that consumer reporting agencies utilize reliable and
accurate credit reporting practices while simultaneously maintaining
the confidentiality of the consumer reports the consumer reporting agencies
generate, by limiting access to those with a specific, limited, and
legitimate interest in obtaining the information. Essentially,
the Act limits access to personal credit information. St. Paul
Guardian Ins. Co. v. Johnson, 884 F.2d 881 (5th
Cir. 1989); Hovater v. Equifax, Inc., 823 F.2d 413 (11th
Cir. 1987). The Act was designed to focus on the rights of consumers
by promoting accuracy, fairness, and privacy in the files of every credit
bureau or consumer reporting agency that regularly assembles consumer
information for the purpose of furnishing consumer reports to third
parties. 15 U.S.C. §1681(a).
In order to achieve
its objectives, the Act restricts the circumstances under which a consumer
reporting agency can properly disclose consumer reports, and the recipients
of those reports. Hovater, 823 F.2d at 417. Two kinds
of reports exist under the Act: a consumer report and an investigative
consumer report. A consumer report is defined as any communication
of any information by a consumer reporting agency that is expected to
be used in whole or in part to serve as a factor in establishing the
consumer's eligibility for “credit or insurance to be used
primarily for personal, family, or household purposes; employment purposes;
or any other purpose authorized under §1681(b)”. An investigative
consumer report is defined as a report which delves into the consumer's
character, general reputation, personal characteristics, and mode of
living, and which is obtained through personal interviews. 15 U.S.C.
§1681(d).
The Act only permits
disclosure of consumer reports to persons who intend to use the information
for credit-granting, employment, insurance underwriting, governmental
license or benefit eligibility, or in connection with a business transaction
involving the subject of the report. 15 U.S.C. §1681(b).
The recipient of the consumer report is required to notify the consumer
that it has obtained a report in two instances.
First, the recipient's
duty to notify a consumer that it has obtained a consumer report is
triggered only when a consumer's application for credit, insurance,
or employment is denied based, in whole or in part, on the information
contained in the report. Unless adverse action is taken, users
of the information obtained from a consumer reporting agency have no
duty to notify the consumer that they reviewed such a report in making
their determination. In those cases, the Act affords protection
through 15 U.S.C. §1681(g), which requires consumer reporting agencies
to disclose information in their files to the consumer upon request
only.
Second, the recipient's
duty to notify is triggered when the recipient has ordered a consumer
investigative report. In that case, the recipient must notify
the consumer within three (3) days of requesting such a report and disclose
same upon request. 15 U.S.C. §1681(d). See also Houghton
v. New Jersey Mfr. Ins. Co., 795 F.2d 1144 (3rd Cir.
1986).
2. What relevance does the FCRA have for insurance companies investigating claims?
In processing claims,
insurance companies may seek information from consumer reporting agencies
in the form of a consumer report or a consumer investigative report.
Currently, the three national credit agencies in the United States
are Equifax, TransUnion, and Experian (formerly TRW).
In Houghton v. New
Jersey Mfr. Ins. Co., 795 F.2d 1144 (3rd Cir. 1986),
the 3rd Circuit Court of Appeals addressed the issue of when
a communication between a consumer reporting agency and an insurance
company investigating a claim is subject to the Act. In that case,
Houghton filed suit against Bernice Rosenfeld, the insured of New Jersey
Manufacturer Insurance Company (NJMI), for bodily injuries resulting
from an automobile collision. NJMI requested that Equifax Services,
Inc. conduct an investigation of Houghton and prepare a written report
to assist in evaluating Houghton's claim.
Equifax submitted a
report to NJMI that included information based on interviews with neighbors,
an examination of Houghton's available credit files, and other
relevant information. After the case was settled, Houghton learned
of the Equifax report and requested that NJMI disclose its substance
to her. After NJMI refused, Houghton filed suit against NJMI claiming
that NJMI had violated her right to privacy under the United States
and Pennsylvania constitutions when it violated the notice and disclosure
requirements of the Fair Credit Reporting Act.
Stating that the communication
between Equifax, the consumer reporting agency, and NJMI qualified as
an investigative consumer report, the district court held that NJMI
had violated the Act by not providing Houghton notice and disclosure
of the report. The court considered the report to be an investigative
consumer report because portions of the report were obtained through
interviews, a method specifically referred to in the Act's definition
of a consumer investigative report.
In reversing the district
court's holding, the 3rd Circuit held that the insurance
company's request concerned only the genuineness of Houghton's
bodily injury claim and not her eligibility for credit, insurance, or
employment. The appellate court in Houghton determined
that the inclusion of insurance in the definition of a consumer report
in the Act related exclusively to the underwriting of insurance and
not the investigation of a claim for benefits under an existing policy.
Consequently, the court found no violation of the Act.
In Hovater v. Equifax,
Inc., 823 F.2d 413 (11th Cir. 1987), cert. denied,
484 U.S. 977, 108 S.Ct. 490 (1987), the 11th Circuit followed
the 3rd Circuit's Houghton opinion. In
Hovater, the insured filed a first party property claim for loss
of his residence by fire. After determining that arson caused
the fire, the insurance company retained Equifax to obtain background
information about Hovater in order to evaluate his claim. After
learning of the report, Hovater sued Equifax for negligently releasing
a consumer report for a purpose not authorized under the Act.
The court held that a report, which an insurer procures from a credit
reporting agency solely for use in evaluating the insured's claim
for benefits under an existing policy of insurance, is not a consumer
report that is governed by the Act. See also, Cochran v. Metropolitan
Life Ins. Co., 472 F.Supp. 827 (N.D.Ga. 1979); Kiblen v. Pickle,
33 Wash. App. 387, 653 P.2d 1338 (1982).
However, in St. Paul
Guardian Ins. Co. v. Johnson, 884 F.2d 881 (5th Cir.
1989), the 5th Circuit held differently than the 3rd
and 11th Circuits. In this case, a homeowner's
insurer, suspicious of a theft loss, obtained a copy of the insured's
pre-existing credit report for the purpose of obtaining information
as to whether the insured owned the property claimed as stolen.
In analyzing whether the credit report fell within the statutory definition
of a consumer report and invoked the Act, the 5th Circuit
held that the purpose for which the information contained in a credit
report was collected governs whether that report is a consumer report
under the Act. Because the insurance company had obtained a copy
of a pre-existing credit report which had been collected for purposes
under the Act, the court held that the insurance company had violated
the Act, even though the insurance company did not intend to use the
report for a purpose under the Act. See also Ippolito v. WNS,
Inc., 864 F.2d 440 (7th Cir. 1988), and Beresh v.
Retail Credit Co. Inc., 358 F.Supp. 260 (C.D. Cal. 1973) (holding
that an insurer obtaining a credit report for purposes of evaluating
the claim under an existing insurance policy was within the catch-all
provisions of the Act).
Therefore, as a general
rule, the specific requirements of the Act always apply if an insurance
company is obtaining a consumer credit report or consumer investigative
report for purposes of making an underwriting decision. If an
insurance company is obtaining a consumer report for
purposes of evaluating insurance claims under existing insurance policies,
the insurance company should first make certain that the consumer report
does not contain information that had previously been collected for
one of the purposes under the Act such as determining an individual's
eligibility for insurance. And to avoid litigation regarding the
appropriateness of obtaining a consumer credit report during the investigation
of a claim, a written consent or authorization from the subject of the
report should be obtained before the request for such a report is made
to any consumer credit reporting agency.
In addition to the Federal
Fair Credit Reporting Act, insurance companies need to be aware that
many states have enacted statutes or rules which codify all or substantial
portions of the Fair Credit Reporting Act. For example, as of
September 24, 1996, the Florida Insurance Commissioner approved a rule
requiring insurers to disclose their use of credit checks to consumers
and to keep records of such checks for state regulators to monitor.
In addition, California has passed the Consumer Credit Reporting Agencies
Act, Cal. Civ. Code §1785.1, which indicates that a credit report issued
to an insurance company for the purpose of investigating a claim is
a consumer credit report and consumer credit reporting agencies are
explicitly authorized to furnish credit reports for such purpose (unlike
the Fair Credit Reporting Act). Cal. Civ. Code §1785.11(a)(3)(C).
In order to assure compliance
with the Federal Fair Credit Reporting Act and state statutes in obtaining
consumer credit reports, the more cautious approach is for insurers
to obtain the insured's authorization or written consent for the
release of a credit report pursuant to the cooperation clause in the
insurance policy. See 15 U.S.C. §1681(b)(2), which authorizes the
release of credit reports in accordance with the written instructions
of the consumer to whom it relates.
V.
THE PROLIFERATION OF FEDERAL “PRIVACY” LEGISLATION
A. Electronic Communications
1. Federal Wiretapping Act, as amended by the Electronic Communications Privacy Act
As an amendment to the
1968 Federal Wiretap Statute, the Electronic Communications Privacy
Act, 18 U.S.C. § 2510 (hereinafter ECPA), codified the common law tort
of invasion of privacy as it relates to electronic communications.
Whereas the Federal Wiretap Statute made it unlawful for one to eavesdrop
on or intercept another person's oral and wire (telephone) communications,
the ECPA broadened that statute's scope to protect all forms of
electronic/digital communications, such as data transmissions between
computers, paging devices, e-mails, video transmissions, and telephone
voice communications.
Generally, the ECPA
prohibits any person (not just the government) from intentionally intercepting
an electronic communication, or from disclosing the contents of any
intercepted electronic communication. 18 U.S.C. § 2511(1).
This prohibition applies not only to those who seek to break into an
electronic communications system (such as hackers) but also to those
who own and operate such systems (such as Internet access/service providers
and private network operators).
However, this prohibition
does not prevent an employer or agent of a provider of an electronic
communication service from intercepting, disclosing, or using the communication
in the normal course of his or her employment while engaged in any activity
that is necessarily incident to the rendition of the service or to the
protection of the rights or property of the provider of that service.
18 U.S.C. §2511(2)(a)(i). Cases interpreting this “ordinary
course of business” exception have involved telephone monitoring,
and the courts have generally held that an employer may monitor an employee
for as long as the communication is business-related. See Epps
v. St. Mary's Hospital of Athens, Inc., 802 F.2d 412 (11th
Cir. 1986) (finding that the employer monitoring of a conversation
between two employees, during which one employee criticized supervisors,
was in the ordinary course of business because the call took place during
work hours, and it concerned supervisory employees and the work environment);
and Briggs v. American Air Filter Co., 630 F.2d 414 (5th
Cir. 1980) (determining that an employer's monitoring of a business
call, in which the employee revealed trade secrets to a business competitor,
was within the ordinary course of business because the employer had
suspicions that trade secrets were being revealed and listened only
long enough to confirm that fact).
The ECPA provides various
levels of privacy protection depending on: (1) the type of system (public
or private) where the communication is found; and (2) whether the communication
is in storage or in transit. Typically, there are three main types
of systems: a private network; a semi-public network or commercial services;
and the Internet.
Private networks are
essentially closed systems that operate within the same office.
E-mail communications on a private network raise a reasonable expectation
of privacy (see, for example, United States v. Keystone Sanitation
Company, 903 F.Supp. 803 (M.D.Pa. 1995)), because the e-mail messages
travel directly from one computer to another within the same office
without any stops in between.
Semi-public networks
or commercial services provide e-mail services to individuals or entities
for a subscription fee. Typically, access to those networks is
password-protected. Computers send messages over a reserved telephone
network to the commercial network. Stored on the commercial network,
those messages are accessed via password by another member of the commercial
service. Such transmissions are subject to a reasonable expectation
of privacy. See United States v. Maxwell, 42 M.J. 568 (1995).
E-mail provided through
the Internet typically uses ordinary telephone lines and intermediate
computers to transfer information. Operated by Internet service
providers, Internet e-mail may be stored temporarily in one or more
computers. The Internet service providers assist in distributing
electronic mail over the Internet and placing it into the recipient's
computer or “mail boxes”, which may exist on the recipient's
computer or on the host computer used by the recipient to access the
Internet. Since individuals can access e-mail through any device
that provides web access, use of the web-based e-mail system reduces
the insulation between stored messages and unauthorized access.
Although the ECPA provides internet users certain rights and safeguards,
users and service providers of a web-based system must continue to ensure
that effective security measures are developed and diligently applied
and that all involved parties recognize the potential privacy risks
with use of the web-based system.
With regard to stored
communications, the ECPA prohibits any person from unlawfully and intentionally
accessing a stored electronic communication without authorization.
18 U.S.C. §2702. Stored messages include those in the addressee's
mailbox waiting to be picked up by the addressee, and records of private
discussions between users. Thus, stored e-mail messages can be
obtained only pursuant to a search warrant. For e-mail messages
that have been in electronic storage for more than 180 days, the government
need only obtain “an administrative subpoena authorized by a Federal
or State Statute or a Federal or State Grand Jury or Trial Subpoena.”
18 U.S.C. §2703(b)(B)(I).
However, the ECPA does
not provide users of a system with a right of privacy against the operator
of the system, at least with respect to stored messages. Since
a system can be configured to store all messages that pass through it,
the system operator effectively has the ability to review all messages
that pass through the system. It is illegal, however, for a system
operator to divulge the contents of any communication stored on the
system (other than to the intended addressee and other limited exceptions).
Other concerns regarding
access to stored messages have generally arisen in the context of an
employer reading an employee's e-mail sent from or received at
an employer's address. Employers can read messages sent
or received via their companies' computer systems without violating
employees' privacy rights. Although the degree of protection
under the privacy laws varies from state to state, cases addressing the
privacy of business e-mails, thus far, have not found those communications
to be protected. See U.S. v. Maxwell, 42 M.J. 568 (1995);
Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D. Pa. 1996); Flanagan
v. Epson America, No. BC007036 (Cal. Super. Ct. Jan 4, 1991); and
Bourke v. Nissan Motor Corp., No. BO68705 (Cal. Ct. App. July
26, 1993) (holding that the employees did not have a reasonable expectation
of privacy with regard to their e-mail messages on the employer's
system and that the provisions of the relevant California statute protecting
private communications did not apply to e-mail messages in the workplace).
With regard to the transmission
of any voice or electronic communications, the ECPA prohibits unauthorized
interception, use, or disclosure of such communications in transit.
Therefore, the interception of private e-mail and other communications
in transit requires a wiretap authorization. Jackson Games,
Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994).
However, there are a limited number of exceptions. For example,
no protection exists for communications that are “readily accessible
to the general public” such as those in public chat rooms.
18 U.S.C. §2511(2)(g)(i). Also, an Internet service provider may
intercept an injurious message if necessary to protect “the rights
or property” of the Internet service provider. 18 U.S.C.
§2511(2)(a)(i).
Finally, the ECPA provides
for both criminal and civil remedies in the event of a violation.
Appropriate relief in a civil action may include actual damages suffered
by the plaintiff, profits made by the violator, and attorney's
fees and costs. 18 U.S.C. §2511(5)(a)(ii).
As on-line electronic
communications like e-mail become more commonly used in our society,
both privately and in the work place, insurance companies must remain
aware of the Electronic Communications Privacy Act and its effect on
using and obtaining electronic communications. For example,
Internet service providers can reveal the contents of an online communication
or identifying subscriber information only pursuant to a search warrant
or subpoena. 18 U.S.C. §2703. Because the case law is still developing
in this area and the criminal and civil penalties for violating the
ECPA are strong, it remains a good practice for insurance companies
to obtain an insured's authorization or release before attempting
to obtain any information related to an insured's electronic communications.
2.
Computer Fraud and Abuse Act (CFAA)
Another federal statute
enacted to address data and communications privacy concerns is the Computer
Fraud and Abuse Act. Codified at 18 U.S.C. §1030 (1994), the Computer
Fraud and Abuse Act (CFAA) was designed to protect information in computer
data banks, including information held by financial institutions, a
consumer reporting agency, or a credit card issuer. In addition,
the CFAA prohibits certain actions when computers used by, or for the
benefit of, the U.S. Government or financial institutions (known as “federal
interest computers”) are involved, or when there is interstate
computer access. Id. §1030(e). The CFAA also prohibits
intentional access to a federal interest computer which affects the
ability of the government to operate that computer.
Intended primarily to
prevent unauthorized access to computer networks to protect the privacy
of the information and communications associated with those networks,
the CFAA also protects those networks from acts of sabotage, including
alteration of data and impairment of network operations and use.
Authorizing the Secret Service to investigate any violation, the CFAA
provides for a private cause of action for any person who suffers damage
due to someone tapping into a computer system. The Act also provides
for criminal penalties up to ten (10) years for a first violation and
twenty (20) years for a subsequent violation.
3.
Computer Matching & Privacy Protection Act of 1988
This Act is an amendment
to the Privacy Act of 1974, 5 U.S.C. §552a, discussed below in this
paper. The amendment restricts the federal government's
ability to keep track of people by matching information (such as social
security numbers) regarding individuals that is maintained by different
federal agencies.
4.
Telephone Consumer Protection Act of 1991
Codified at 47 U.S.C. §227,
this Act prohibits the use of unsolicited fax advertisements, and restricts
the use of automatic dialer systems to make telephone solicitations.
The Act also allows the creation of a data base of customers who specifically
do not want to be called by telephone solicitors. This statute is not
intended to preempt state laws, and the states are free to enact laws
that provide greater protection.
5.
Cable Communications Policy Act
Codified at 47 U.S.C. §551
(1984), this Act prohibits a cable service operator from collecting
personally identifying information about a customer without the customer's
consent. It also prohibits disclosure of the customer's identifying
information, including, but not limited to, information about the customer's
viewing habits.
6. Children's Online Privacy Protection Act of 1998 (COPPA)
Codified at 15 U.S.C.
§ 6501 et seq., this act prohibits internet web sites from getting personal
information from minors without parental consent. In October of
1999, the Federal Trade Commission issued its final rule regarding the
act. 16 C.F.R. Part 312. That rule requires commercial Web
sites and other online services to post a detailed privacy notice that
clearly states the type of personal information that is collected from
children under 13, how that information will be used, and whether any
of the information will be given to third parties. Also, under
this rule, the Web site must provide a method of obtaining verifiable
parental consent before obtaining the information from the children.
7. Gramm-Leach-Bliley Act of 1999 (a/k/a Financial Services Modernization Act of 1999)
This law became effective
in November of 1999. It primarily affects the banking and finance
industry. However, it also affects the interplay between the banking
and insurance industries. More specifically, the Act permits financial
holding companies to engage in insurance activities, and will pre-empt
any state laws currently prohibiting that practice.
The Act creates a new
mechanism for protecting non-public customer information. It provides
customers with certain informational and non-disclosure rights with
respect to the sharing of customer information between financial service
organizations. Consumers must be provided an annual privacy disclosure
concerning privacy policies and information sharing, and consumers must
be provided with an opportunity to opt-out with respect to the transfer
of that consumer's information.
The Act requires federal
banking and securities agencies to adopt customer privacy regulations.
The Act also specifically addresses the issue of “pretext calling”
and identity theft, and provides for criminal sanctions for these types
of activities.
B.
Other Federal “Privacy” Legislation
1.
The Privacy Act of 1974
Codified at 5 U.S.C.
§552a, this Act limits the collection and transfer of personal data
on individuals by government agencies. It provides that no government
agency may disclose any record about an individual except pursuant to
the written request of or with the consent of the person to whom the
record relates. However, there are several exceptions in the Act,
which allow disclosure to employees of the agency itself, to law enforcement
officers, to the Census Bureau, or to either house of Congress.
In addition, records of an agency may be produced pursuant to a subpoena.
Under this Act, an agency
in possession of records is required to provide an individual with the
information concerning that individual, upon his or her request, and
is required to allow that person an opportunity to correct inaccurate
information. The Act also provides that the government agency
maintain only such information about an individual as is relevant and
necessary to accomplish a purpose of the statute which authorized collection
of the information. If the agency fails to keep accurate information,
or fails to provide an individual with a copy of his record upon request,
the aggrieved person may bring a civil action in Federal District Court
and may recover attorneys' fees upon prevailing.
Of particular interest
in the context of the Internet is the fact that the Privacy Act extends
only to those records that specifically identify an individual based
upon name, identifying number, or other personal identification feature,
such as photograph, fingerprint, or voice print. Id. §552a(a).
Accordingly, the Act does not cover collections of information which
do not identify that person based on a feature or attribute unique to
that individual. For example, detailed information about a person's
purchasing patterns and assets would not constitute a record under the
Act unless that information was retained in a record designated by an
identifying attribute of the individual.
2.
Privacy Protection Act of 1980
Codified at 42 U.S.C.
§§2000aa-2000aa-12, this Act limits the authority of federal law enforcement
officers and employees to seize any work product materials possessed
by a person reasonably believed to have a purpose to use those materials
in a book, broadcast, or newspaper to be distributed to the general
public, unless there is probable cause to believe that the person in
possession of the materials has committed or is committing the criminal
offense to which those materials relate. The Act includes a specific
exception which allows the seizure of child pornography.
3.
Federal Records Act
The Federal Records Act, 44
U.S.C. §3101, provides citizens with access to historical documents
contained in the national archives. In particular, this Act provides
that an individual shall have access to records of federal agency activity
which affect that individual.
4.
Right to Financial Privacy Act
Codified at 12 U.S.C. §§3401-3412,
this Act prohibits the federal government from obtaining access to the
bank records of an individual or partnership of five people or fewer,
unless the account holder consents, or the federal agent obtains a warrant
or subpoena for the records. However, the Act permits the bank to disclose
records of persons suspected of engaging in illegal activity.
5.
Family Educational Rights and Privacy Act of 1974
Codified at 20 U.S.C.
§1232g, this Act applies to any school which accepts federal funds.
Under the Act, a school may not release a student's records without
permission of either the student or the student's parents.
This Act requires that the school release records to the student's
parents within 45 days of the date of the request, and allows the student
and/or parents an opportunity to challenge inaccurate information.
6.
Video Privacy Protection Act
Passed by Congress in
1988, the Video Privacy Protection Act, 18 U.S.C. §2710, also known
as the Bork Bill, was created after the City Paper, a Washington
D.C. weekly, published the titles of Judge Robert Bork's video
rentals when he was a Supreme Court nominee. The Video Privacy
Protection Act makes it a crime to release individualized data about
the videos any individual may rent or buy. In addition, this Act
requires a warrant, a grand jury subpoena, or a court order establishing
probable cause and formal notice to the individual to obtain such information.
7.
Driver's Privacy Protection Act (DPPA)
Found at 18 U.S.C. §2721,
this Act sets forth a general prohibition on the release of information
contained in state motor vehicle registration records. However,
the Act sets forth numerous exceptions. One of those exceptions,
18 U.S.C. §2721(b)(6), permits the release of motor vehicle information
“For use by any insurer or insurance support organization, or
by a self insured entity, or its agents, employees or contractors in
connection with claims investigation activities, anti-fraud activities,
rating or underwriting.” This exception allows the insurance
company's investigation to include records available from state
motor vehicle registration departments.
Both the Seventh Circuit Court
of Appeals and the Tenth Circuit Court of Appeals have upheld the Driver's
Privacy Protection Act as constitutional. See Travis v. Reno,
1998 WL 871038 (7th Cir. 1998) and State of Oklahoma,
ex rel, Oklahoma Dept. of Public Safety v. U.S., 161 F.3d 1266 (10th
Cir. Ok. 1998).
However, in a recent
Fourth Circuit Court of Appeals case, the Driver's Privacy Protection
Act was held to be unconstitutional as an infringement on states'
rights. See, Charlie Condon & the South Carolina Press
Assoc. v. Reno, 255 F.3d 453 (4th Cir. 1998). The
United States Justice Department appealed that ruling to the United
States Supreme Court. On January 12, 2000, the United States Supreme
Court issued its ruling. Reversing the Fourth Circuit Court of
Appeals' ruling, the United States Supreme Court upheld the Driver's
Privacy Protection Act as constitutional because “drivers'
information is an article of commerce, its sale or release into the
interstate stream of business is sufficient to support congressional
regulation.” As such, the Driver's Privacy Protection
Act will now be enforced in the states which make up the Fourth Federal
Circuit, i.e., South Carolina, North Carolina, Virginia, West Virginia
and Maryland, as well as in the remainder of the United States.
VI. PROPOSED FEDERAL LEGISLATION
A.
Electronic Communications
1.
Consumer Internet Privacy Protection
Act of 1999
Introduced by Representative
Bruce F. Vento (D-Minnesota), the Consumer Internet Privacy Protection
Act of 1999, H.R. 313, 106th Congress, 1st session,
proposes to regulate Internet providers and prohibit their employees
from disclosing to a third party any personally identifiable information
provided by its subscribers without the subscribers' prior written
consent. The Act also requires that such service providers permit
subscribers to review, verify, and correct all their personal information,
at no charge to the subscriber. The Act empowers the Federal Trade
Commission to enforce its privacy provisions. In April of 1999,
the Act was referred to the House Subcommittee on Telecommunications,
Trade, and Consumer Protection. Given the recent controversy involving
on-line service providers' efforts to sell information about their
customers to marketers (i.e., America On Line's proposal to make
available telephone numbers of its subscribers to CUC International,
a mass marketing firm with which AOL had established a commercial relationship),
this legislation may gain greater attention. On April 12, 1999,
this Act was referred to the Senate Subcommittee on Telecommunications,
Trade, and Consumer Protection.
2.
Online Privacy Protection Act of 1999
Introduced
by Senator Conrad Burns in the Senate on April 15, 1999, the Online
Privacy Protection Act of 1999, S. 809, would require the Federal Trade
Commission to prescribe regulations to protect the privacy of personal
information collected from and about private individuals who are not
covered by the Children's Online Privacy Protection Act of 1998
on the Internet. In addition, this Act would require privacy disclosures
on web sites, allow consumers to “opt-out” of giving information
to third parties, and allow consumers to access their own personal data.
On July 27, 1999, this Act was referred to the Senate Subcommittee on
Communications.
B.
Other Federal “Privacy” Legislation
1.
Personal Information Privacy Act
of 1999
Introduced by Representative
Gerald Kleczka on April 15, 1999, the Personal Information Privacy Act
of 1999, H.R. 1450, is designed to protect individuals' Social
Security numbers and other personal information. In particular, this
bill would amend part A of title XI of the Social Security Act to prohibit
the commercial acquisition or distribution of any person's social
security number, as well as its use as a personal identification number,
without the individual's written consent. In order for the individual's
consent to be effective, the number holder must be informed of the purpose
for which the number will be used.
In
addition, this bill would amend the Fair Credit Reporting Act to prohibit
a consumer reporting agency from providing a report in connection with
a credit or insurance transaction not initiated by the consumer without
the consumer's written consent. This bill would also create
a civil cause of action, with penalties to be the greater of either
actual damages, or liquidated damages of $25,000. If a violation of
the Act is willful or done for profit, the liquidated damages are $50,000.
The bill would also allow a prevailing plaintiff to recover attorney's
fees. On April 30, 1999, this bill was referred to the House Subcommittee
on Financial Institutions and Consumer Credit.
2.
Personal Privacy Protection Act of 1999
Introduced
by Representative John Conyers, Jr. (D-MI) on January 6, 1999 to the
106th Congress, the Personal Privacy Protection Act, H.R.
97, amends the Federal criminal code to provide protection from personal
intrusion for commercial purposes. The bill would make it a federal
crime to stalk a person, enter onto private property to tape or record
them, and then attempt to sell the recording to someone. However, the
bill's prohibitions are inapplicable to official law enforcement
activities. On February 25, 1999, the bill was referred to the
Subcommittee on Crime.
3.
Freedom and Privacy Restoration Act of 1999
Introduced
by Representative Ron Paul (R-TX), the Freedom and Privacy Restoration
Act, H.R. 220, would amend title II (Old Age, Survivors, and Disability
Insurance) of the Social Security Act and the Internal Revenue Code
of 1986 to prohibit any Federal, State, or local government agency from
using a social security account number as the means of identifying any
individual, except for specified social security and tax purposes. In
addition, this bill would prohibit the federal government from
establishing any kind of national identity card. On January 20,
1999, this bill was referred to the House Subcommittee on Government
Management, Information and Technology.
4.
Financial Information Privacy Act
of 1999
Introduced
by Representative James A. Leach, the Financial Information Privacy
Act of 1999, H.R. 30, 106th Congress, addresses threats to
the privacy of financial information by making it unlawful to obtain
or solicit customer information from a financial institution by the
use of any false pretenses. This bill would require financial institutions
to inform customers if the financial institution intends to sell the
customer's personal information. In addition, this bill
would require institutions to give their customers the option of prohibiting
disclosure of personally identifying information. On January 6, 1999,
this bill was referred to the House Committee on Banking and Financial
Services.
5.
Children's Privacy Protection
and Parental Empowerment Act of 1999
Introduced
by Representative Bob Franks (R-New Jersey), the Children's Privacy
Protection and Parental Empowerment Act of 1999, H.R. 369, 106th
Congress, 1st Session (1999), proposes to amend Title 18
of the United States Code to prohibit the sale of personal information
about children without their parents' consent. More
specifically, this bill would prohibit the sale of information about
children under the age of 16 in all media (including the Internet),
prohibit the use of prison inmate labor for data processing of personal
information about children, and prohibit the distributing or receiving
of any such information when the person handling the information knows
or has reason to believe that the information will be used to abuse
or physically harm a child. This bill authorizes civil suits by
parents, and provides for the award of attorney's fees to a prevailing
plaintiff. On February 25, 1999, this bill was referred to the
House Subcommittee on Crime.
6.
Social Security On-Line Privacy
Protection Act
Introduced by Representative
Bob Franks (R-New Jersey) as H.R. 367 to the 106th Congress
(1st Session), this bill would prohibit “interactive
computer services” (such as Lexis-Nexis) from disclosing to a
third party an individual's Social Security number or other personal
identifying information and from using an individual's Social
Security number as an identifier to disclose personal information. On
January 29, 1999, this bill was referred to the House Subcommittee on
Telecommunications, Trade and Consumer Protection.
7.
Genetic Privacy and Non-Discrimination
Act of 1999
Introduced
by Representative Cliff Stearns on July 19, 1999, the Genetic Privacy
and Non-Discrimination Act of 1999, H.R. 2555, would prohibit employers
and health insurers from using genetic tests to discriminate among applicants.
This bill would also prohibit the disclosure of an individual's
genetic information without written authorization from the individual
or his/her representative. On July 26, 1999, this bill was referred
to the House Subcommittee on Government Management, Information and
Technology.
8.
Medical Information Privacy and
Security Act of 1999
Introduced
by Representative Edward J. Markey on March 10, 1999, the Medical Information
Privacy and Security Act, H.R. 1057, would require specified parties
(such as health care providers, health plans, public health authorities,
law enforcement officials, health or life insurers, schools, universities,
etc.) to allow individuals who are the subject of protected health information
access to that health information and to establish safeguards to ensure
the confidentiality, security, and accuracy of protected health-care
information. This bill would also impose criminal and civil penalties
for unauthorized use of protected health information. On September
24, 1999, this bill was referred to the House Subcommittee on the Constitution.
9.
Medical Privacy in the Age of New Technologies Act of 1999
Introduced by Representative
Jim McDermott on September 15, 1999, the Medical Privacy in the Age
of New Technologies Act of 1999, H.R. 2878, would protect the privacy
of health information in the age of genetic and other new technologies.
On September 27, 1999, this bill was referred to the House Subcommittee
on Government Management, Information and Technology.
10.
Patients' Bill of Rights Acts
The
Patients' Bill of Rights Acts of 1999 are designed to protect
patients in managed health care plans. Introduced on January 19,
1999, these three bills include provisions which require a group health
plan or health insurer that maintains medical records to establish procedures:
“(1) to safeguard the privacy of any individually identifiable
enrollee information; (2) to maintain such records and information in
a manner that is accurate and timely; and (3) to assure timely access
of such individuals to such records and information.” The
two bills introduced in the Senate are S.6 and S.1344 and the bill introduced
in the House of Representatives is H.R. 358. The House bill was
referred to the Subcommittee on Employer-Employee Relations on February
24, 1999; Senate bill 6 was referred to the Senate Committee on
Health, Education, Labor and Pensions (HELP) on March 11, 1999; and
Senate bill 1344 was indefinitely postponed by the Senate by Unanimous
Consent on October 15, 1999.
11.
Depository Institution Customers Financial Privacy Enhancement Act of
1999
Introduced by Representative
Edward Markey on March 25, 1999, the Depository Institution Customers
Financial Privacy Enhancement Act of 1999, H.R. 1339, 106th
Congress, 1st Session, would amend the Federal Deposit Insurance
Act, the Federal Credit Union Act, the Bank Holding Company Act of 1956,
and the Home Owners' Loan Act to require insured depository institutions
(banks), depository institution holding companies, and insured credit
unions to protect the confidentiality of financial information obtained
concerning their customers. On April 16, 1999, this bill was referred
to the House Subcommittee on Financial Institutions and Consumer Credit.
12.
Standards for Privacy of Individually Identifiable
Health Information
President
Clinton and the Department of Health and Human Services Secretary, Donna
Shalala, have proposed new rules to protect personal health information.
The public comment period for this proposed rule ends February 20, 2000.
This rule proposes standards to protect the privacy of individually
identifiable health information maintained or transmitted in connection
with certain administrative and financial transactions. The purpose
of the rule is to limit the use and release of private health information
without consent; to inform consumers of their right to access
their medical records and to also know if anyone else has accessed their
medical records; to establish new disclosure requirements for researchers
and others who seek access to medical records; and to impose new criminal
sanctions.
VII.
THE EXCHANGE AND DISCLOSURE OF INFORMATION BY INSURERS
A.
State Legislation Allowing Exchanges
Between Insurers
During
the course of a claim investigation, the exchange of information between
insurance companies can be very helpful to the insurer investigating
a suspicious or fraudulent claim. However, such an exchange raises
the question of whether an insurance company may be held liable for
an invasion of privacy when it shares information from its claim files
with any other insurance company.
Some
states have enacted statutes which allow insurance carriers to release
claim files to other carriers under certain circumstances, without written
authorization of the insured. For example, §626.989(4)(d) of the
Florida Statutes provides that: “an employee whose responsibility
it is to investigate claims relating to suspected fraudulent insurance
acts may share information related to persons suspected of committing
fraudulent insurance acts with other employees employed by the same
or other insurers whose responsibilities include the investigation
and disposition of claims relating to fraudulent insurance acts, provided
the department has been given written notice of the names and job titles
of such designated employees prior to sharing that information.”
Also,
Illinois has enacted an Insurance Information and Privacy Protection
Act, Chapter 215, Act 5, which provides in part as follows: “§1014.
Disclosure Limitations and Conditions. An insurance institution,
agent, or insurance-support organization shall not disclose any personal
or privileged information about an individual collected or received
in connection with an insurance transaction unless the disclosure is:...(C)
to an insurance institution, agent, insurance-support organization or
self-insurer, provided the information disclosed is limited to that
which is reasonably necessary: (1) to detect or prevent criminal activity,
fraud, material misrepresentation or material non-disclosure in connection
with insurance transactions...”.
Along
with permitting insurance companies to provide information to other
insurance companies, Chapter 215, Act 5, §1022 of the Insurance Information
and Privacy Protection Act provides immunity to an insurer who releases
information in compliance with Chapter 215, Act 5, §1014. Chapter
215, Act 5, §1022 provides in pertinent part as follows: “§1022.
Immunity. No cause of action in the nature of defamation, invasion
of privacy or negligence shall arise against any person for disclosing
personal or privileged information in accordance with this Article,
nor shall such a cause of action against any person for furnishing personal
or privileged information to an insurance institution, agent, or insurance
support organization; provided, however, this Section shall provide
no immunity for disclosing or furnishing false information with malice
or willful intent to injure any person.”
In
addition to immunity statutes, common law privileges in some states
provide significant and substantive protection for a wide range of communications,
including information disclosures, that otherwise would create civil
tort liability. See, Restatement of Torts, §613, 593-598A.
This “conditional” or “qualified” common law
privilege exists to promote the free flow of information to further
a legitimate private or public interest. The condition on the
privilege is that the publication not be abused or widely distributed.
This privilege provides substantial protection for an insurer's
disclosures concerning fraud investigations.
An
example of this qualified protection can be seen in Caswell v. Manhattan
Fire & Marine Ins. Co., 399 F.2d 417 (1968), where a fire destroyed
a portion of Caswell's restaurant in DeFuniak Springs, Florida.
After investigating that suspicious fire loss, the National Board of
Fire Underwriters published a report to its member insurance companies
that contained a detailed account of its investigation into the cause
of the fire. In discussing whether the report was privileged,
the 5th Circuit stated that a communication is privileged
when made in good faith and both the communicating party and the receiving
party have an interest worthy of protection in its subject matter.
Id. at 421. Further, the court stated that the National
Board had an interest in warning all of its member insurance companies
of potential risks in insuring the plaintiff against fire loss and that
the member insurance companies would have a legitimate interest in that
information. Therefore, a libel action will not be successful
if based upon information shared between two companies when both entities
have a common interest in the information and the communication is reasonably
calculated to protect or further such common interest.
B.
State Legislation (Immunity Statutes) Allowing or Requiring Insurers
to Provide Information to Public Officials
As
indicated above in this paper, each of the 50 states and Washington
D.C. has enacted immunity statutes to protect those who participate
in the fight against insurance fraud. Because immunity statutes
vary from state to state, insurance companies must be familiar with
the reporting/immunity statutes in their respective states and exercise
caution in their cooperative efforts with law enforcement officials.
Also, each insurer should determine its reporting requirements under
such statutes, as in some states, insurers are required to report all
suspicious claims. See, for example, Florida Statutes, §626.989(4)(c);
Nebraska Statutes, § 44-6605; Pennsylvania Statutes, 40 P.S. § 3701-304;
and Texas Statutes, V.T.C.A., Insurance Code, Art 1.10D Sec. 6.
In
addition, effective January 1, 1999, Virginia Code Annotated §52-40
mandates that any insurer who has reason to believe that a violation
of § 18.2-178 (obtaining money or other property by false pretenses)
will be, is being, or has been committed shall furnish and disclose
any information in its possession concerning the fraudulent act to the
Department of State Police. That statute also provides confidentiality
from public inspection for all papers, records, documents, reports, materials,
or other evidence relative to the subject of an insurance fraud investigation
in the possession of the Department of State Police and provides immunity
from liability for insurers from defamation, invasion of privacy, and
negligence for cooperating with the Department as long as the information
is not disclosed with “malice or willful intent to injure any
person”. See Va. Code Ann. §52-39 and §52-41.
C.
Data Bases Available
1.
The All Claims Data Base
Insurance
data bases containing information on claimants may represent the single
most effective loss prevention weapon available to insurers in combating
insurance fraud. Not only can they help uncover patterns of possibly
fraudulent claims activity but they can also alert insurers when those
patterns appear in their markets.
The
National Insurance Crime Bureau (NICB), a non-profit organization, operates
ClaimSmart, a data base of property/casualty claims used to detect,
prevent, and prosecute fraudulent claims. In addition, the American
Insurance Services Group (AISG), which was recently acquired by the
Insurance Services Office (ISO), operates the Index System, which tracks
bodily injury and workers' compensation data by name, social security
number, age, date of loss, body part injured, physician, attorney, and
other key claim data elements. It also operates the Property Insurance
Loss Register (PILR), which tracks property losses arising out of any
insured peril.
In
August of 1997, the NICB and ISO announced that they would merge their
individual claims data into an “all claims data base”, containing
bodily injury, property, workers compensation, and vehicle claims.
That “all claims data base” would enable insurers to supply
their claims information to one source and also access information from
a single industry recognized source. Under the NICB-ISO data integration
agreement, ISO will manage data that insurance companies had previously
been providing to NICB. The NICB, insurers, and self-insured entities
would have access to that data. The NICB would continue to provide
access to portions of the data to law enforcement personnel, at no cost
to them.
However,
the creation of the “all claims data base” raised
concerns with the national privacy rights movement. In early March
of 1997, Representative Edolphus Towns, D-New York, introduced into
the House of Representatives the Insurance Claims Privacy Protection
Act (H.R. 1029). That bill attempted to create a firewall between
criminal data bases and the all-claims data base by prohibiting an insurance
crime bureau from accessing the all claims data base. In addition, that
bill proposed to limit the disclosure of confidential information by
property/casualty insurers and crime bureaus to law enforcement agencies,
unless the access is deemed necessary to prevent an act of fraud upon
it or unless the insurer or crime bureau reasonably believes illegal
activities have been conducted by an individual. The bill was
referred to the House Subcommittee on Crime and did not go any further.
However, if the bill had passed, it could have adversely affected state
statutes that currently allow insurance companies to exchange claim
information.
The
all claims data base is a reality today. Insurers can access
ISO ClaimSearch, which is a combination of the former ISO, AISG and
NICB data bases. ISO's target completion date for its ClaimSearch
combination is the end of February 2000. At that time, even though
all of the data bases will be combined, the system will still treat the
information as three separate data bases. By mid-year 2000, ISO
hopes that the integration of this data will be complete, and that former
divisions between the databases will no longer exist.
2.
Property Insurance Loss Register
(PILR)
The
Property Insurance Loss Register tracks property losses arising out
of any insured peril. Established in 1980 for fire, PILR thereafter
extended its data base to include burglary and theft losses. In
1991, PILR was further expanded to include any insured property peril.
Previously owned and operated by the American Insurance Services Group
(AISG), PILR was recently acquired by the Insurance Services Office
(ISO). The information formerly maintained in a separate PILR
database is now part of the ISO ClaimSearch data base discussed above.
3.
Medical Index Bureau (MIB)
The Medical Information Bureau
(MIB) is a membership organization in Massachusetts which serves as
a data bank of medical information for approximately 650 different insurance
companies. MIB's members reportedly write 99% of the individual
life policies and 80% of the health and disability policies sold in
the U.S. and Canada. MIB maintains medical information on individuals,
and member companies report significant consumer medical information
to the MIB.
In
1995, the MIB reached an agreement with the Federal Trade Commission.
Under that agreement, whenever a consumer is rated for insurance, or
turned down, due to an MIB report, the MIB will send a letter explaining
the reasons for the action, along with MIB's name, address
and telephone number. These notice provisions are modeled after the
notice provisions in the Fair Credit Reporting Act. Under the
agreement, consumers have the right to a free copy of their MIB report,
and they may challenge inaccurate information.
4.
Database Technologies, Inc. (DBT)
Established
in 1992 and headquartered in South Florida, Data Base Technologies,
Inc. (“DBT”) is a national provider of on-line data base
services and related reports to law enforcement and other governmental
agencies, law firms, insurance fraud investigation companies, and other
qualified entities. DBT's products, known
as “Auto Track PLUS” and its new web-based version, “Auto
TrackXP,” provide on-line access to national, state, and county
public records. Available search information includes, for example,
current and past addresses, telephone numbers, neighbors, associates,
professional licenses, driving histories, business profile reports,
real estate, vehicles, and other assets.
5.
Others
There
are many companies that offer public records and related investigative
services online or on CD-ROM. For example, CDB Infotek of Santa
Ana, California, offers a wide variety of data base and search tools.
Also, Information America (IA), owned by West Publishing, is a large
vendor of public records.
Run by the F.B.I., the National
Law Enforcement Telecommunications System (NLETS) is a data base link
that shares information with the National Crime Insurance Bureau, state
motor vehicles departments, U.S. Customs, law enforcement impound lots,
the National Crime Information Center, and other U.S. and Canadian law
enforcement authorities.
Operated
by the National Insurance Crime Bureau, Insurance Crime Information
Services (ICIS) maintains a data base on suspicious workers' compensation
claims, liability claimants, and property losses. This data base
can be accessed by insurance company SIU fraud investigators who are
members of subscriber companies.
Known
as Atlantis, the International Communication Network is a data base
link run by IBM, and it shares information with NICB, state fraud bureaus,
insurance companies, PILR, the Index System, vehicle manufacturers,
shipping lines, and other bureaus in the United States and Canada.
Known as A-Plus, the Automated Property Loss Underwriting System is
an underwriting data base that assists underwriters when they evaluate
applications for insurance. In addition, it maintains information
on the claims history of potential insureds.
There
are now literally hundreds of data base vendors in the United States.
The growth of this market is anticipated to continue around the world,
as well as in the United States.
D.
IRSG Principles
At
least fourteen computerized credit and information services follow their
own industry guidelines, the Individual Reference Services Group Self
Regulation Initiative (IRSG). These guidelines are designed to
ensure the accuracy and reliability of information. The IRSG Principles
include the following precepts: (1) to acquire individually identifiable
information only from sources known as reputable; (2) to restrict the
distribution of non-public information through safeguards appropriately
calibrated to the type of use made of the information; and (3) to furnish
individuals with information contained in the services and products
that specifically identifies them, unless the information is publicly
available, in which case the company will advise the individual how
they may obtain information directly from the source.
The
Principles also provide that subjects of reports shall have the
opportunity to correct inaccurate information in their records, and
that non-public information shall be released only for “APPROPRIATE”
uses. The Principles define “APPROPRIATE” as uses that are
reasonable under the circumstances, and which reflect a balance between
the individual's privacy and legitimate business or government
uses. The recipient of non-public information must agree to limit the
use and re-dissemination of non-public information.
Furthermore, the Principles
provide that when non-public information is disclosed, it will not include
specifically identifying information such as the individual's
social security number, mother's maiden name, or unpublished telephone
number. Under the Principles, an information service shall inform an
individual about the nature of public records and non-public information
which it distributes about that individual.
When
the subject of the information is a person younger than eighteen
years of age, non-public information about that person will not be disclosed
except for the limited purpose of locating missing children. Also,
signatories to the IRSG Principles are subject to annual review by independent
outside reviewers.
E.
Sunshine in Litigation and Confidential
Settlement Agreements
When a claim or lawsuit is
settled, it is not uncommon for the parties to agree to keep the terms
and provisions of the agreement confidential for a variety of reasons.
However, the use of confidential settlement agreements has been criticized
in recent years, particularly with regard to manufacturers of dangerous
products.
Nine states have enacted statutes
or court rules that limit a party's ability to shield settlement
agreements in secrecy. Those states are Florida, New York, North Carolina,
Georgia, Oregon, Virginia, Delaware, Texas and Oregon. Of those statutes,
Florida's is one of the strongest.
The
right to incorporate a confidentiality provision into a settlement agreement
is governed by Florida Statutes, §69.081, known as Florida's “Litigation
in the Sunshine Act”. This Act prohibits a confidential settlement
agreement which has the effect of concealing a “public hazard.”
A “public hazard” is defined in this statute as “An instrumentality,
including but not limited to any device, instrument, person, procedure,
product, or a condition of a device, instrument, person, procedure or
product that has caused and is likely to cause injury.”
Therefore, this Act would apply primarily to products liability cases.
Even
if a settlement document is protected from discovery due to a confidentiality
clause in it, that does not prevent discovery about the underlying facts.
See, Smith v. TIB Bank of the Keys, 687 So.2d 895 (Fla. 3d DCA
1997), in which the court held that the plaintiff in a fraud case
could not rely on a confidentiality agreement in an unrelated case to
avoid answering deposition questions. The court held that Ms. Smith
had to answer deposition questions which the defendant bank posed, even
though the answers might put her in breach of a confidentiality agreement
with her former employer, or else her case against the bank would be
dismissed.
Settlement
offers and statements made during settlement negotiations are generally
privileged from discovery. See Rule 408 of the Federal Rules of Evidence
and most states' rules of evidence. Also, states with mediation
rules of procedure or statutes usually make all discussions held during
a mediation conference confidential and non-discoverable.
F.
Internal and External Securitization
of Data
In
today's information age, the exchange of information is greater
than ever. Attorneys are using this ability to swap information
over the internet. For example, a deposition or statement of a
company representative in one case can be accessed via the internet
and used against that same representative in another case. There
are also web pages set up to elicit information, complaints and responses
from individuals that can be used at a later time against various companies.
One such web site is www.fordtruckssuck.com. There are many other sites
where people are encouraged to share their complaints. For example,
the Personal Injury Law Forum is at http://www.prairielaw.com/pi/index.shtml.
Companies should consider monitoring the internet for derogatory statements
and data compilation being made to use against them in litigation.
In
order to maintain the privacy and integrity of its records, the insurer
in today's world of electronic piracy should take greater precautions
than in past years to safeguard its electronic data. Such precautions
may include the use of firewalls, passwords, and encryption software.
An example of software that is available is PGP, which stands for “pretty
good privacy.” More information on that software can be
found at http://www.pgp.com/asp_set/products/tns/intro.asp.
This privacy software can aid in protecting communications on the internet.
Another
company providing products/software to permit secure transactions is
Hilgraeve. Hilgraeve has various packages which they call DropChute.
Depending on the type of security the purchaser desires, they claim
to assure delivery to the requested party with complete encryption protection.
Although
the Electronic Communications Privacy Act makes eavesdropping illegal,
insurers and their attorneys should take reasonable steps to protect
the privacy of their communications. Whenever an insurer and its
counsel communicate over e-mail or through the use of cellular telephones,
each party should make sure that its messages are encrypted. Encryption
has the twin advantages of shielding information and establishing an
intent to keep that information private.
Encryption
is such a valuable security tool that two states, Iowa and South Carolina,
require attorneys to encrypt any sensitive material which they send
over the Internet. See, Iowa Supreme Court Board of Professional
Ethics and Conduct, Op. No. 96-01 (Aug. 29, 1996) and South Carolina
State Bar Assn. Ethics Advisory Comm., Advisory Op. No. 94-27
(Jan. 1995).
However,
an unencrypted electronic communication may not violate an attorney's
ethical requirements in some states. For example, see Illinois
State Bar Assn. Comm. On Professional Ethics, Op. 96-10 (May 16, 1997).
See also, California Evidence Code §952 (West 1994), which states that
“A communication between a client and his or her lawyer is not
deemed lacking in confidentiality solely because the communication is
transmitted by facsimile, cellular telephone, or other electronic means
between the client and his or her lawyer.”
The
American Bar Association has issued a formal opinion as to the confidentiality
of e-mail correspondence. In ABA Formal Opinion 99-413, issued
March 1999, the association stated:
A lawyer may transmit information
relating to the representation of a client by unencrypted e-mail sent
over the Internet without violating the Model Rules of Professional
Conduct (1998) because the mode of transmission affords a reasonable
expectation of privacy from a technological and legal standpoint. The
same privacy accorded U.S. and commercial mail, land-line telephonic
transmissions, and facsimiles applies to Internet e-mail. A lawyer should
consult with the client and follow the client's instructions,
however, as to the mode of transmitting highly sensitive information
relating to the client's representation.
Some
state bar associations have adopted similar provisions. However,
the key language is that the more sensitive the information that is
being transmitted, the greater the precautions that should be taken.
For example, Pennsylvania and Arizona expressly caution lawyers to consult
with clients before sending unencrypted e-mail. North Carolina advises
lawyers against using e-mail, while Iowa prohibits using e-mail without
client consent, encryption or a similar security system.
The
Florida Bar has not yet taken a formal position on whether an attorney
who communicates with his client via e-mail must use encryption technology
to protect the attorney-client privilege. However, in Gomberg
v. Zwick, Friedman & Goldbaum, 693 So.2d 1065 (Fla. 4th
DCA 1997), (involving the use of a facsimile machine) a Florida Court
of Appeals held that “... an attorney who designates the method
for sending communications concerning a client has the duty to protect
the confidentiality of communications sent via that mode.”
In view of this holding, when an attorney sends sensitive information
over the Internet, the use of encryption technology would be prudent.
A
significant federal case involving encryption is Bernstein v. U.S.
Dept. of Justice, 176 F.3d 1132 (9th Cir. May 1999).
In that case, a Berkeley, California mathematician sued the State Department
after they told him that he would have to register as an arms dealer
under the International Traffic in Arms Regulation if he wanted
to publicize an encryption program he had developed. According
to the then-current law, distributing data or encryption software without
governmental approval was (under certain circumstances) a criminal act
punishable by ten years in prison and fines of a million dollars or
more. The Court of Appeals for the Ninth Circuit affirmed the
lower court's ruling that the government's regulations were
an unconstitutional infringement on free speech. The Court stated
that encryption codes contain expressions of ideas and cannot be suppressed
indefinitely by government officials.
Recently,
on September 30, 1999 the Appeals Court granted an en banc rehearing.
The Court stated that the case will be reheard by the en banc court
pursuant to Circuit Rule 35-3. The three-judge panel opinion, Bernstein
v. U.S. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999), is withdrawn.
If ultimately successful in its challenge of the export-control laws,
this suit will clear the way for cryptographic software to be treated
like any other kind of software; and will allow computer and network
users much more freedom in building and exchanging their own cryptography
solutions.
As
the use of e-mail increases and concerns about its security grow, several
commercial enterprises have begun to offer services directed toward
making e-mail a more secure process. For example, Deloitte &
Touche and The Merchant Bank of the Thurston Group announced in January,
1997 plans to start NetDox, a joint venture which plans to guarantee
the private delivery of e-mail documents and provide certification of
receipt of the messages it handles. In encrypting messages, the
NetDox system will use an “electronic thumbprint” for each
document to be used as verification of private delivery. This
system may work well for law firms and insurance companies who send
documents for which timely private delivery and verification of receipt
are critically important.
VIII.
OBTAINING INFORMATION FROM “PRIVATE” SOURCES OTHER THAN
INSURERS
A.
Banks and Financial Institutions
The
“Right to Financial Privacy Act” is briefly discussed earlier
in this paper. Also, banks are generally considered to have an
implied duty to keep their customers' accounts secret, unless
there is some public duty to disclose. See 10 Am.Jur. Banks,
§332. Some state courts, including those in Florida, allow the customer
a cause of action for unauthorized disclosure of account information.
See Mahlomich v. First National Bank, 224 So.2d 759 (Fla. App.
1986). However, in Barnett Bank of West Florida v. Hooper,
498 So.2d 923 (Fla. 1986), the Florida Supreme Court stated that under
special circumstances, banks have a duty of disclosure (where bank had
a duty to disclose suspected fraud of one customer to another customer
of the bank).
Although
bank records are confidential, they are not privileged from discovery.
Therefore, parties in a civil or criminal action may subpoena bank records.
For example, in U.S. v. Miller, 425 U.S. 435, 96 S.Ct.
1619 (1976), the defendant sought to suppress the use of his bank records,
which the government had obtained through a valid subpoena. The Supreme
Court rejected the defendant's argument that the bank records
were his “personal papers,” and held that the records were
the property of the bank. The Court also noted that under the Bank Secrecy
Act, 12 U.S.C. §1829b, the bank was required to maintain the account
records precisely because of their potential relevance to investigations
and prosecutions of financial crimes. Because the bank was a party
to the transaction, the Court held the bank was authorized to disclose
those records.
During
an insurer's investigation of a claim prior to litigation, it
may need to obtain records from banks or other financial institutions.
A written, and usually notarized, release signed by the bank's
account holder will typically be required to obtain those records.
B.
Employers
There
is generally no right of privacy concerning one's work history.
For example, Florida Statutes, §768.095, provides that an employer who
discloses information about a former employee's job performance
at the request of a prospective employer or the former employee, has
a qualified privilege from liability for defamation. The former
employer will only be found liable for defamation if the former employee
can show by clear and convincing evidence that the former employer knowingly
gave false or misleading information, acted with a malicious purpose
or violated the former employee's rights under the Florida Civil
Rights Act, Florida Statutes, Chapter 760.
However, there are limits
on the kinds of information employers are allowed to gather and disclose
about their employees. Two significant laws pertaining to employers
are the Employee Polygraph Protection Act and The Americans with Disabilities
Act.
1.
The Employee Polygraph Protection
Act
Under
this Act, 29 U.S.C. §§2001-2009, employers are generally prohibited
from requiring employees to undergo a polygraph test, subject to a few
exceptions, notably law enforcement jobs. Also, an employer may
not discharge, discipline, or discriminate against an employee for refusing
to take a polygraph, and may not take any action against an employee
based on the results of a polygraph test.
2.
Other Employment “Privacy”
Statutes
The Americans with Disabilities
Act, 42 U.S.C. §12101, et seq, (hereinafter referred to as “ADA”),
prohibits discrimination against the disabled, and requires an employer
to make reasonable accommodation for those who are disabled but still
capable of performing essential job functions.
The
ADA significantly limits the kind of medical information that an employer
can obtain on a prospective employee. For example, the ADA prohibits
an employer from requiring a physical examination unless and until a
conditional offer of employment has been made. Also, under the
EEOC Enforcement Guidance rules, “An employer may not make such
inquiries about a disability at the pre-offer stage, even if the employer
would legitimately be able to exclude the applicant because of the disability.”
The
ADA also prohibits an employer from requiring existing employees to
undergo a physical examination unless that examination is shown to be
job-related and consistent with business necessity. When such
an examination is performed, the ADA requires that the medical records
must be collected and maintained on separate forms, in separate medical
files, and treated as a “confidential medical record.”
42 U.S.C. §12112(d)(3)(B).
In
addition to the ADA, many states have their own anti-discrimination
laws, frequently known as Human Rights Acts. These Acts often
provide broader protection than Federal laws. For example, under the
Minnesota Human Rights Act, Minn. Statutes, §636.01 et seq., sexual
orientation is a protected classification; whereas it is not a protected
classification under Title VII of the Civil Rights Act, 42 U.S.C. §2000e.
Because of such statutes, employers are often reluctant to gather or
disclose information concerning an employee.
State
anti-discrimination laws generally apply to discrimination in employment,
housing and public accommodations, rather than to insurance. However,
to avoid the appearance of impropriety, an insurer should generally
avoid inquiring into any matter which is a prohibited basis for discrimination.
C.
Medical Providers
The
automation and assimilation of healthcare information continues to increase.
For example, Physician Computer Network, Inc. (PCN), has access to patient
records of approximately 100,000 doctors. PCN offers doctors electronic
links to hospitals, labs and insurance companies. There are also
medical registries that track patients and their illnesses. As
healthcare facilities and physicians continue to take advantage of technology
to better serve the needs of their patients, the risk of loss to individual
privacy increases.
However,
medical and healthcare information has long been considered to be confidential.
For over two thousand years, the Hippocratic Oath has provided that
a physician shall keep his patients' confidences secret.
Despite that, the right to privacy in one's medical information
is not absolute, and insurance companies frequently have a legitimate
need for medical information. The law seeks to balance the individual's
right to privacy with the insurer's right to full and accurate
disclosure of relevant information. Achieving this balance requires
the consideration of applicable statutes.
1.
Confidentiality Statutes
Most
states have laws which make a person's medical records confidential.
For example, Florida Statutes, §455.667, provides that a physician may
not disclose a patient's medical history except to the patient,
the patient's representative, or another health care provider,
without the express consent of the patient. However, in a civil or criminal
action, such records may be subpoenaed for production. Thus, although
generally confidential, most medical records are not privileged from
discovery in Florida, i.e., the patient may not prevent the records
from being produced pursuant to a subpoena.
However,
Florida Statutes, §90.503, provides a privilege for psychotherapists
and their patients in Florida. Under this statute, records relating
to treatment for mental illness, including drug and alcohol dependence,
are generally shielded from discovery, absent a Court Order requiring
their production.
2.
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
The
Health Insurance Portability Act of 1996, 42 U.S.C. §300gg et seq.,
governs the circumstances under which an insurance company may offer
group health coverage. In particular, the Act prohibits a group health
insurer from conditioning an individual's eligibility for coverage based
on a variety of factors. One of the most significant limitations
is that a group health insurer may not refuse an individual's
membership in a group health plan based on genetic information.
This is important because as knowledge of the genetic code increases,
it will become increasingly easy to predict an individual's likelihood
of developing certain diseases.
Although insurers may not
use an individual's genetic information for purposes of underwriting
“group” health insurance, there is no Federal law prohibiting
an insurer from using genetic information to underwrite “individual”
health insurance. However, one bill, the Genetic Privacy and Non Discrimination
Act of 1995, has been proposed in Congress to do just that. As the name
implies, this bill is intended to limit access to and use of genetic
information. Although this bill has not passed, the public concern over
genetic privacy continues to grow.
3.
Federal Drug Abuse Office and Treatment
Act
Codified at 42 U.S.C. §290dd-2,
this Act provides that records of any patient maintained in connection
with any substance abuse treatment program which is conducted or regulated,
directly or indirectly by any agency of the United States shall be treated
as confidential. Although this statute makes drug treatment records
confidential, a recent attempt to base a private cause of action on
violation of the Act failed.
In
Ellison v. Cocke County Tennessee et al, 63 F.3d 467 (6th Cir.
1995), a county employee brought suit against a county hospital, alleging
a violation of his privacy right for releasing records concerning his
treatment for drug abuse. The records were disclosed during a grievance
hearing and published in two local newspapers. This disclosure was made
in spite of the employee's request that the information be kept
confidential. However, the federal Sixth Circuit refused to recognize
an implied private right of action under the confidentiality provision
of this Act.
D.
Authorization and Release Forms in the
Electronic Age
The
cooperation clause of most insurance policies should expressly require
the insured to provide the company with records and documents, and permit
the company to make copies of those records and documents. Often,
the records and documents which the company may need in its analysis
of a claim are in the possession of persons other than the insured.
An authorization for release of records is, therefore, often needed
or required for the company to obtain access to records in the custody
of such other persons. The insurer's risks in obtaining
an insured's documentation and information from confidential sources
without the insured's permission are outlined in the earlier portion
(II) of this paper.
With
the assistance of local counsel, an appropriate authorization for the
release of records and information is often helpful in gathering information.
Requesting an insured to sign an authorization to obtain records and
information at the earliest possible opportunity will also assist the
company to avoid delays in collecting and analyzing records. An
insured's refusal to provide the insurer with an authorization
that would allow copies of documents to be obtained may constitute a
material breach of the policy and relieve the insurer of any liability
under the policy. Wood v. Allstate Ins. Co., 815 F.Supp.
1185 (N.D.Ind. 1993).
The
authorization to obtain records and information should be sufficiently
broad and comprehensive to permit the insurer to obtain the insured's
records. But see Chavis v. State Farm Fire & Casualty,
346 S.E.2d 496 (N.C. 1986), where the North Carolina Supreme Court held
that the production of documents provision included in the insureds'
fire policy as required by statute did not require the insureds to sign
an overly broad release that provided the insurers access to “any
and all records” in connection with “all banks and/or any
type of lending institution” with which the insureds had done
“any business”. To avoid that problem, releases and
authorization forms should be sufficiently broad, but specifically address
the particular records and materials needed from sources other than
the insured, including electronic data from an internet service provider
or e-mail recipient where appropriate.
In
addition, insurers should be aware of state statutes that mandate specific
requirements that must appear on a disclosure authorization form used
by an insurance company in connection with insurance transactions.
For example, Virginia Statutes Annotated §38.2-606 provides
that any authorization forms that are used by an insurance company to
disclose personal or privileged information about an individual to an
insurance institution or an agent must contain the types of persons
authorized to disclose information about the individual, the nature
of the information authorized to be disclosed, the purposes for which
the information is collected, the length of time that the authorization
shall remain valid, etc.
IX.
UTILIZING THE INTERNET
A.
Internet Privacy Issues
The
Internet serves as one of the richest sources of information available
to an individual or business. A proficient Internet user can access
a vast array of information at the click of a button, and with another
click of a button, either print or download
to disk information he or she wishes to keep. However, the Internet
also poses one of the greatest threats to privacy, both to those who
use it and the general public.
The
greatest value of the Internet is the scope of information it can convey.
However, this is also its greatest threat to privacy. This threat
has not been alleviated by legislation. For example, no federal
legislation exists which restricts or prohibits transmission or communication
of medical records through the Internet. Although state law may
prohibit individual medical care providers from making unauthorized
disclosures of medical records, only that medical provider would face
liability for unauthorized disclosures. The duty of confidentiality
extends only to the doctor or hospital, not to the Internet service
provider or to the persons who look up that information. The lack
of protection over medical information consulted on line not only compromises
the medical information itself, but also invites other kinds of abuses.
For
example, an employer is generally prohibited under the Americans with
Disabilities Act (ADA) from asking for medical information from
prospective employees. However, theoretically, an employer could
go on the Internet and obtain information regarding a potential employee's
medical history, if that information were improperly disclosed onto
a Web site. Based on that information, an employer could decline
to hire a candidate out of fear that hiring him or her would increase
medical insurance costs.
In
addition to the possible disclosure of medical information, publicly
available information, such as land title records and court records,
are routinely disclosed over the Internet. Although there is no
privilege applicable to that information, many persons are surprised
at the ease with which one can acquire this information over the Internet.
At
present, the only federal legislation directly restricting communications
on the Internet consists of “Sexual Exploitation of Children”,
18 U.S.C. §2251, which criminalizes the use of computer technology to
transmit child pornography; “Fraud and Related Activity in Connection
with Computers”, 18 U.S.C. §1030, which criminalizes the use of
computer technology to commit acts of fraud; and “Protection for
Private Blocking and Screening of Offensive Materials”, 47 U.S.C.
§230, which protects Internet service providers from civil liability
for libel. Specifically, “Protection for Private Blocking
and Screening of Offensive Materials” §230 provides that Internet
Service Providers (hereinafter “ISP”) shall not be treated
as the publisher/speaker of any information provided by another information
provider, such as someone posting information on a Web page. That
Act also indicates that ISPs shall not be held liable for good faith
acts by which they seek to restrict access to lewd or obscene material,
even if such material is constitutionally protected.
Another
statute which regulates Internet Communications is the Child OnLine
Protection Act (COPA), codified at 47 U.S.C. §231. This statute
makes it a federal crime for commercial Web sites to transmit any material
“harmful to minors”. The ACLU has challenged this
law, and on February 1, 1999, U.S. District Judge Lowell Reed of Philadelphia
entered a preliminary injunction against the Act. However, the
government is currently proceeding, and has appealed the decision of
the lower court. Oral arguments were heard on November 4, 1999
by the Third Circuit Court of Appeals. The result may be appealed
to the United States Supreme Court. Until the United States
Supreme Court either decides this case or denies certiorari, COPA's
future appears to be uncertain.
Although
very little federal legislation restricting Internet information exists,
Internet activity falls under the jurisdiction of the Federal Trade
Commission (FTC). In 1996, the FTC conducted a study in which
it examined privacy issues regarding the Internet and addressed issues
including collection, compilation, and sale of personal information
pertaining to consumers. Although there has been a considerable
amount of study, the FTC at present has deferred enacting formal regulations.
Instead, the FTC is relying on the Internet industry to police itself.
The industry has responded with various internal regulations, including
the IRSG principles discussed in this paper.
The
only exception to the FTC's laissez faire policy has been with
regard to on-line solicitation of data from children. The FTC
expects Web site operators to obtain parental consent before distributing
private data about a child to a third-party. The FTC also
requires Web sites to disclose to parents information about how data
from or regarding children will be used. The FTC has held that
violations of these guidelines can be treated as unfair or deceptive
trade practices.
The
paucity of legislation governing the Internet is due in large part to
our society's interest in preserving freedom of expression.
The desire to promote broad freedom of expression is reflected in Reno
v. ACLU, 117 S.Ct. 2329 (1997), wherein the United States Supreme
Court struck down all provisions of the Communications Decency Act,
47 U.S.C. §223 (“CDA”), except for the provisions which
prohibit child pornography. The CDA was very similar to COPA.
In reaching its decision, the Reno court noted that the Internet's
extraordinary scope and versatility made it a valuable communication
tool, and that such freedom of communication is protected by the First
Amendment.
With
the exception of on-line solicitation of data from children, no restrictions
exist on the information that can be conveyed through the Internet.
This freedom of information creates privacy risks not only to the subjects
of those Internet reports, but also to persons using the Internet.
Many
persons use the Internet under the belief that they are doing so anonymously.
That belief is mistaken. Generally speaking, when an Internet
user accesses a Web site, the user leaves an “electronic trail”.
In particular, the Web site that is accessed registers information which
includes the user's e-mail address and at least some information
on the previous sites the user has visited. That information trail
is referred to as a “cookie”. Generally, the real
name of the person using the Internet is not provided as part of the
cookie. However, because that information is available to
the Internet Service Provider, it creates a risk that the cookie may
be matched with the real name of the user.
A
more significant risk arises when an Internet user visits a Web site
and voluntarily discloses personal information. There are no
restrictions on the use of information which Internet users voluntarily
provide. Any such personal information provided may be sold or
given away at will by the ISP. Consequently, no reasonable expectation
of privacy exists in any information which a person voluntarily discloses
on the Internet. Furthermore, there is very little, if any, expectation
of privacy in the information contained in the “cookie”
which is generated through the use of the Internet.
Although
various pieces of Federal legislation have been proposed which would
restrict the dissemination of sensitive information, such as social
security numbers over the Internet, none of that legislation has yet
been enacted. Consequently, any individual or business entity,
including insurance companies, should be very cautious when conveying
sensitive information over the Internet.
In
addition to the inherent privacy risks in using the Internet, there
is also the potential for governmental surveillance of computer activities.
Specifically, the Communications Assistance for Law Enforcement Act (CALEA),
47 U.S.C. §1001, requires Internet providers to make their systems accessible
to government monitoring when that monitoring is authorized by a court
order. That law is relevant to the insurance industry because
it could facilitate the investigation of insurance fraud. The
law would be especially helpful in the investigation of large scale
insurance fraud involving the use of computers for either communication
or record creating purposes.
B.
Protecting One's Privacy On the Internet
Although
the Internet is fraught with threats to privacy, a number of fairly
effective measures can be taken to protect one's privacy on the
Internet. In particular, several Internet Service Providers have
software which will strip the user's signal of any identifying
information before the user reaches a Web site. Thus, the operator
of the Web site will not be able to gather the information which would
otherwise be conveyed in the cookie. In particular, one type of
software called “Privnet” blocks the transmission of cookies.
In
addition, the National Computer Security Association (“NCSA”)
is offering a certification program which allows Web site users to compare
the relative security of Web sites. The NCSA evaluates a Web site's
security based on several criteria, including security policies and
procedures for the site, the use of cookies, and the strength of firewalls.
Web sites that pass the remote hacking and on-site tests run by the
NCSA receive the NCSA's “Seal of Approval” and are
allowed to display the NCSA icon.
Another
rating system has been established by the e-TRUST organization.
In order to promote on-line privacy, e-TRUST has initiated a pilot
program to rate the level of “information security” provided
by various Web sites. Sites which participate in the e-TRUST program
will have their information management policies and security measures
evaluated and they will receive one of three ratings: anonymous or no
exchange (i.e., no personal data regarding the user is collected); one-to-one
exchange (i.e., data collected only for use by the Web site owner);
or third-party exchange (i.e., data is collected but only provided to
specified third parties with the user's consent).
More
than 100 major Internet companies, including Netscape, Microsoft, VeriSign,
and Firefly Network, apply the Open Profiling Standard, commonly known
as “OPS”. The OPS system involves users selecting the amount
and type of personal data they are willing to share, storing that data
on the user's personal computer, and releasing the data to only
those Web sites selected by the user. The OPS system has been
submitted to the World Wide Web consortium for adoption.
Another
option for securing privacy is the use of re-mailers. This involves
using anonymous Internet accounts and using a special server into which
one logs in, and which then transmits messages to and from the Internet.
One company in particular, C2Net, offers software called the “Anonymizer”,
which helps individuals guard their privacy as they browse the Web.
Users
of the Internet must be mindful of both the risks and the benefits
inherent in the Internet system. Common sense, discretion, and
the use of available safeguards can minimize the risks to personal and
business privacy.
C.
Internet Law
An
important issue for Internet users is whether using the Internet in
a given state will constitute sufficient contact with the state to give
that state's courts jurisdiction over the Internet user.
One of the leading cases addressing this issue is CompuServe v. Patterson,
89 F.3d 1257 (6th Cir. 1996).
In
that case, Mr. Patterson, a Texas resident, sold software to consumers
over the CompuServe system. Mr. Patterson uploaded the software
to the CompuServe system in Ohio and CompuServe subscribers then downloaded
Mr. Patterson's software and remitted the licensing fee to CompuServe.
CompuServe deducted its handling fee and remitted the balance to Mr.
Patterson. However, CompuServe began to market its own software,
which was similar to Mr. Patterson's, and Mr. Patterson claimed
it infringed on his product. CompuServe filed suit for a declaratory
judgment that it had not infringed on Mr. Patterson's trademark
or engaged in unfair trade practices.
The
lower court dismissed the case on the ground of lack of personal jurisdiction
in Ohio, but the U.S. Court of Appeals for the 6th Circuit
reversed and remanded for further proceedings. The Court held
that jurisdiction may be asserted over a defendant if the defendant's
actions meet the following test: “First, the defendant must purposefully
avail himself of the privilege of acting in the forum state or causing
a consequence in the forum state. Second, the cause of action
must arise from the defendant's activities there. Finally,
the acts of the defendant or consequences caused by the defendant must
have a substantial enough connection with the forum to make the exercise
of jurisdiction over the defendant reasonable”.
The
Patterson decision appears to represent the majority rule.
See: Resuscitation Tech, Inc. v. Continental Health Care Corp.,
No. 96-1457-C, 1997 WL 148567 (S.D. Ind. Mar. 24, 1997), (holding that
access to the defendant's Web site and follow up conferences via
e-mail were sufficient to sustain jurisdiction, together with other
contacts); Digital Equip. Corp. v. Alta Vista Tech, Inc., 960
F.Supp. 456 (D. Mass. 1997), (holding that sufficient contacts were
met where the contract stipulated the law of the forum, the defendant
solicited advertising and products in the forum, and the Web page was
accessible in the forum); and Cody v. Ward, 954 F.Supp. 43 (D.Conn.
1997) (holding that the defendant's e-mail messages were a basis
for jurisdiction to hear a suit on fraudulent misrepresentations under
securities law).
See
also: Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F.Supp. 1119
(W.D. Pa. 1997); EDIAS Software Int'l, L.L.C. v. Basis Int'l
Ltd., 947 F. Supp. 413 (D. Ariz. 1996); and Inset Sys., Inc.
v. Instruction Set, Inc., 937 F. Supp. 161 (D. Conn. 1996).
These additional decisions indicate that insurance companies who advertise,
market products or investigate over the Internet in any state should
be aware that such activities may subject them to the laws of that state's
jurisdiction.
D.
Internet Service Providers
Typically
known as ISPs, internet service providers offer their subscribers the
means to acquire and disseminate a wealth of public, private, commercial,
and non-commercial information. It is important to note, however,
that when subscribers obtain information or create information through
the use of the Internet, the ISP does not monitor, verify, warrant or
vouch for the accuracy or quality of the information that subscribers
may acquire or create. Therefore, subscribers must take responsibility
in relying on information from the Internet.
An
ISP will typically not monitor the communications of its subscribers
to ensure that its subscribers comply with policy and the applicable
law. However, if an ISP becomes aware of harmful invasive communications,
the ISP may take any of a variety of actions. The ISP may remove
information that violates its policies, implement screening software
designed to block offending transmissions, or take any other action
it deems appropriate, including termination of a subscriber's
contract with the ISP. In dealing with privacy laws, ISPs often
state that they will not intentionally monitor or disclose any private
electronic mail messages sent or received by their subscribers unless
required to do so by law.
Without a specific
signed release directed to its corporate legal department,
an ISP will usually not release any information regarding a subscriber's
account. However, ISPs may be required to disclose information
transmitted through their facilities in order to comply with court orders,
statutes, regulations, or government requests.
E.
Web Sites for Investigative Searches
The following is an exemplary
list of web sites for investigative searches:
People/Business Finders
http://www.theultimates.com/white/ [The Ultimate White Pages];
http://www.411.com/ [Search for people];
http://people.yahoo.com/ [Search for persons or their e-mail addresses];
http://www.bigfoot.com/ [Search for people and their e-mail addresses];
http://www.whowhere.lycos.com/ [Search for people];
http://www.worldyellowpages.com/ [Search for a business];
http://www.yellow.com/ [Search for a business];
http://www.anywho.com/ [Search for a person or business];
http://www.classmates.com/ [Find old classmates];
http://www.databaseamerica.com/ [Search for people];
http://www.cedar.buffalo.edu/adserv.html [National Address Server];
http://www.knowx.com/ [Search for people];
http://www.1800ussearch.com/ [Search for people and businesses];
Miscellaneous Locators
http://www.411locate.com/ [Find an e-mail or web-site address];
http://www.iaf.net/ [Internet Address Finder];
http://www.anywho.com/telq.html [Find a name from a phone number];
http://www.hoovers.com/ [Find company or corporate information];
http://www.switchboard.com/ [Search for people or businesses];
Information on Investigators
http://www.pimall.com/ [Shopping mall to find a private investigator];
http://www.ioninc.com/ [Investigator referral service];
http://www.nciss.com/ [National Council of Investigation and Security Services].
Credit Reporting Sites
http://www.equifax.com/ [Equifax] (800-685-1111);
http://www.experian.com/ [Experian/formerly TRW] (800-682-7654);
http://www.transunion.com/ [Trans Union] (800-916-8800);
http://www.dnb.com/credit/pcredit.htm [Dun & Bradstreet]; and
http://www.wdia.com/fcra-menu.htm [Fair Credit Reporting Act].
Public Records
http://www.ntlaw.com/All_States_Public_Records.htm;
http://www.information-search.com/ [ISI Database Reports];
http://www.cdb.com/public/ [CDB Infotek - Intelligent Information];
http://www.fedworld.gov/ftp.htm#nhtsa [Government Agencies Database];
http://www.ojp.usdoj.gov/bjs/ [Bureau of Justice Statistics];
http://www.icpsr.umich.edu/ [Inter-University Consortium for Political and Social Research];
http://www.bop.gov/facilnot.html [Federal Bureau of Prisons - Determine if a person is in federal prison];
http://www.dc.state.fl.us/ [Florida Prisons Site];
http://www.corrections.com/links/state.html [National Correctional Institution Site];
http://www.ncjrs.org/ [Links to many Criminal Justice Sites];
http://www.loc.gov/ [Library of Congress];
http://www.congress.org/ [United States Congress];
http://thomas.loc.gov/ [United States Congress, legislative information on the internet].
Other Links
http://www.icpsr.umich.edu/NACJD/home.html [National Archive of Criminal Justice Data];
http://www.nationalfraud.com/ [Provides many services to combat fraud, including insurance fraud];
http://www.fraud.org/welcome.htm [National Fraud Information Center];
http://www.informus.com/ [Employment Screening Services];
http://www.interfire.org/ [Fire Investigations Site];
http://www.nfpa.org/ [National Fire Protection Association];
http://www.carsafety.org/ [Injury, Collision and Theft losses by make and model 1996-1998];
http://www.mwsearch.com/ [Medical Information search];
http://www.hwysafety.org/ [Highway Safety Statistics];
http://www.findlaw.com/ [Search for legal resources].
Books to consult regarding
investigative searches include:
(1) Public Records Online - the National Guide to Private & Government Online Sources of Public Records, by Facts on Demand Press (1999);
(2) Naked in Cyberspace: How to find Personal Information OnLine, by Carole A. Lane, Wilton, CT. (1997);
(3) The Internet Yellow Pages, by Harley Hahn and Rick Stout, Osborne McGraw Hill (1994);
(4) Search Engines for the World Wide Web (Second Edition), by Alfred and Emily Glossbrenner, Peachpit Press (1999); and
(5) Financial Investigations: A Financial Approach to Detecting and Resolving Crimes: Instructor's Guide, by U.S. Internal Revenue Service (1994).
F.
Web Sites that Deal with Privacy Issues
The following is an
exemplary list of web sites that deal with privacy issues:
http://www.epic.org/ [Electronic Privacy Information Center];
http://www.cme.org/ [Center for Media Education];
http://www.named.org/ [The Named];
http://www.junkbusters.com/ [Junkbusters];
http://www.pirg.org/ [The State Public Interest];
http://www.privacytimes.com/ [Privacy Times];
http://www.private-citizen.com/ [Private Citizen];
http://www.privacyrights.org/ [Privacy Rights Clearinghouse];
http://www.cdt.org/ [Center for Democracy & Technology];
http://www.townonline.com/privacyjournal/ [Privacy Journal];
http://www.privacyexchange.org/ [Privacy Exchange];
http://www.accessreports.com/ [Access Reports];
http://www.fulldisclosure.org/ [Inside Information On Privacy];
http://www.privacyinc.com/ [Privacy, Inc.];
http://www.eff.org/ [Electronic Frontier Foundation];
http://www.vortex.com/privarch.htm [Privacy Forum Archive];
http://www.ahima.org/ [American Health Information Management Association, medical data security];
http://www.privacy.org/ [The Privacy Page];
http://www.aclu.org/issues/privacy/hmprivacy.html [ACLU Privacy Page];
http://www.irsg.org/ [Individual Reference Services Group (IRSG)]; and
http://www.ftc.gov/ [The Federal Trade Commission].