April 15, 2014

On February 25, several small outstate Minnesota banks filed suit against Target for losses stemming from the recent data breach. They've joined the ranks of banks and credit unions around the country that have spent a combined more than more than $200 million replacing credit and debit cards whose data was taken in the attack on the retailer's computer system.

The property and casualty insurance industry has a complex system of data upload/download between companies, comparative rater vendors, and agencies. Is that system safe, and if not, is that system necessary?

Our industry has a spotty history of indifference to safeguarding individual privacy. When I started in the industry in 1970, everything was done on paper. However, that didn't stop the industry from invading privacy on a daily basis. Part of the "fun" of working for an insurance company was reading the sometimes-salacious reports provided by inspection companies for home and auto risks. At that time, it was common practice for the inspectors to question the neighbors about the "character" of the company's customer. Particularly interesting comments were passed around like cheap novels.

Jim Holm, Enhanced Insurance
Jim Holm, Enhanced Insurance

In the early 1990s my agency was the top producer in the nation for new personal lines business for Metropolitan. That company used a person's social security number as their policy number. Even at that time the social security card said that number was not to be used for identification. I was told that any privacy issues were offset by the convenience of only having to memorize one set of numbers.

About a decade ago, insurance companies started to auto-fill data onto insurance applications for agents based on name and address of the insured. As late as just a few months ago at least one company would auto-fill social security numbers if the agent provided the name and address.

The P&C insurance industry has not acted responsibly. Insurance companies are large, complex giants who are horribly political. What is called "problem solving" is often merely "problem disguising," or intricate manipulation to provide cover for careers in case disaster strikes. Insurance company IT systems are outdated and easy to infiltrate. They rely on third-party vendors who are often under-capitalized.

But, at least in my opinion, we have no choice but to continue on the current path. Our industry's cost structures are based on the savings allowed by free-flowing data between companies and agencies. The advantages outweigh the potential risks.

[The risk of mobile data breaches]

When I started in the industry I worked in an average-sized branch office for a large company. We had about 100 employees. Of those 100 employees, three to five of them were called "finders". Their job was to "find" paper files that were needed. That was all they did. Obviously with e-files that position isn't needed and files can be found and shared by any company employee who needs them on a timely basis.

The file room for that branch covered about one-fourth of the office space. Each desk area had to have about 25% more space than current work areas to handle the paper involved. When data sharing between companies and agencies first started all the discussion centered on saving keystrokes. In reality, the keystroke savings was but a small tip of the iceberg.

Prior to the advent of e-commerce, the average expense ratio for P&C companies was in the area of 33% to 35%. Those companies who have done the best job of utilizing shared data are now in the 20% to 30% range. A large share of this is due to e-commerce.

Insurance agencies were tied to a 40/40/20 rule in which salaries and expenses each accounted for 40% of revenue, leaving 20% for profit. There are still some agencies that fit this model, but just as many are now virtual offices where 65/15/20 is closer to today's model. The key to increased profits is that a virtual agency is working with a much larger gross.

When I started in business, much of "data-transfer" was done with carbon copies. Clerical workers wore cuff protectors to keep from having the shorts and blouses ruin by the ink on the carbon paper. No Carbon Required paper was a huge advancement, followed by multiple Xerox copies. We would still be fumbling with multiple copies without e-commerce.

Each system has had its "data breach" problems. Waiters stole the carbon paper to get your credit card number. Not until recently did people even consider that every photocopy made a record in the machine's memory. E-commerce isn't the only data breach culprit.

Trashing the e-commerce system is not an option, but corporations have to pull off the blinders and come to grips with their exposure. For example, they need to attack data privacy issues with outside vendors developing solutions for them to implement.

Accepting that e-commerce is a new world with new rules won't be easy for most insurance companies. I'm reminded of the top exec for one of the largest insurance companies who bragged in the late 1990's that he didn't own a PC because he had people to do that sort of thing for him. His company went broke and was acquired, because he thought of e-commerce as something that just happened, rather than something to be managed.

About the Author: Jim Holm, President of Enhanced Insurance, operates an insurance agent network called Insurance Partners, aggregating agents in the Midwest for over 20 years. He was National Agent of the Year for Metropolitan in 1993 and Midwest Agent of the Year for Travelers in 2011. He serves as a founding board member of Surplus Lines Association of Minnesota.