Archives for

Deferred gratification

May 5, 2013 by tim in Live | Leave a comment

There are some days, and today is definitely one of them, when having to wait for the builders to finish working on the garden and the pool, is not easy…

20130505-141457.jpg

How to buy insurance for unusual risks

April 24, 2013 by tim in Insurance user manual | Leave a comment

I have recently sat through a series of underwriter presentations, where some of the underwriters said they were pleasantly shocked by the level of disclosure they received.  Somewhat surprised, I asked ‘why pleasantly’?  It seems that the overall level of disclosure they see is getting progressively lower and more formulaic.  They said it made a very pleasant change to feel like they were really connecting with the risk and those managing it.

Well, that all sounds very nice but, so what?  Well, for the kind of insurances I tend to handle - unusual, complex and novel insurances - I believe that the style, form and substance of disclosure provided by a buyer is critical to the success of the placement.  Full and accurate disclosure is critical to any placement of course but there is disclosure, full disclosure and then there is the real thing.  With unusual, complex or novel coverage (UCN coverage from now on) I believe only the real thing will do.

This piece is about what the real thing is and why it is important.  Another time, I will need to reflect on what the underwriters’ shock means for UCN insurance.  From what they said, one could infer either that there is less UCN exposure, which I simply don’t believe or that UCN exposure is less disclosed - however you define that term – and I am not quite sure what I think about that…

First then, some background on UCN coverage.

UCN coverage is what it sounds like:

  • Unusual means that it is rare, so there is not enough to make up a portfolio of it.  This means that, instead of the insurer being able to price for the volatility of the performance of a portfolio, which is the core of what insurers do, they have to price the underlying risk.  This is a much more complicated, expensive and uncertain process.
  • Complex can mean that different perils are covered under the same policy but real complexity occurs when the underlying nature of the risk is maybe dynamic, interconnected in non obvious ways with other perils or otherwise inherently messy – normally because it deals with what we (humans) do or don’t do, as opposed for example, to the effect of bad weather.
  • Novel coverage deals with risk that it is not yet well understood; various forms of cyber risk currently fall into this category.

Second, some background on disclosure.

Disclosure means different things in different places.   The key differences are evident between the US and the UK – where other places tend to adopt one or the other approach.

  • Very crudely, in the US, the prospective insured is required to fully and honestly answer the questions posed of it by the insurer and, if the insurer doesn’t ask, the buyer doesn’t have to reveal.  I repeat, before being bombarded by lawyers, this is crude.  In my continuum above, this is ‘disclosure‘.
  • In the UK on the other hand, the onus is reversed.  The insured is under an obligation to disclose anything that might be material to the insurer’s acceptance or pricing of the risk, whatever the insurer does or doesn’t ask.  Naturally, this is an almost impossible requirement to fulfil, the more so, the more UCN the risk.   This is ‘full disclosure‘.
  • The ‘real thing‘ is the sharing of drains up information about how you understand the exposure, with the colour of what it means for how you are going to (and who is going to) deal with it from soup to nuts.

The ‘real thing’ has three elements.  It involves:

  1. Soup to nuts – it addresses  the entire process of understanding and managing the particular risk, including the full context of the risk;
  2. Drains-up – it is an in depth review; it is not superficial; and
  3. Sharing – both parties share what they know to ensure the residual uncertainty is about the risk, not about the difference between what each of them knows.  This also involves bringing together the personalities who will be dealing with the risk – again on both sides.  This adds the real colour to the process.

Bringing UCN coverage together with disclosure, the thing that is common to all UCN risk is that portfolio management approaches to managing it don’t work very well – or at all.  Modelling, the foundation of portfolio management, has become extremely sophisticated but you need a base of reliable data to start working with a model and you need to be able to make reasonably reliable assumptions to extrapolate from the base with confidence.  Disclosure is one of the key sources of both the raw data and of the material needed to make reasonable assumptions.  NOTE: in an increasingly ‘big data’ world, it is clearly not the only source – and may in future not even be much of a source at all but that is for another post.

I am not saying UCN risk is unmeasurable, far from it; I am saying however that, by its nature, it is not measurable to the same level of confidence that insurers are used to and this can make them extremely uncomfortable.  My contention is that you therefore need to disclose more to try to fill the gap between what they are used to getting with better understood exposures and what you can provide or they already know relating to your particular UCN risk.  In this sense:

  • disclosure’ doesn’t result in better understanding, it really only confirms what an insurer thought they already knew;
  • ‘full disclosure’ adds what the buyer knows about the risk – which may or may not add to what the insurer knows generally or fill in some specific details in an alpha and beta sort of a way; and
  • the ‘real thing’ on the other hand is designed to compliment data by delivering a rich and colourful mental model of the risk.

Whether you add what that mental model tells you to your formal model or not, the colour and the personalities are the key.  Data narrows the uncertainty of the number of possible outcomes or the costs therefrom to some extent but with UCN risk, can only go so far.  The result is that a probably higher than truly necessary premium will still be required as far as the insurer is concerned (compared to the genuine risk premium), to deal with the greater uncertainty than they are used to that remains.  Of course, if the certainty remains too great, the coverage won’t happen at all.

The purpose of the colour is to bridge the gap between not enough and enough, by influencing how we make decisions.  We (humans) tend to be naturally biased towards optimism when we make decisions.  The more we think we know about a situation, the more confident/less uncertain we are about it.  As a buyer adding colour to what is already known by the underwriter, you are feeding their optimism bias, giving the underwriter far greater scope to say ‘yes’ to what you are asking for.

In my experience, there are four main benefits to the ‘real thing’ and, subject to the cost of disclosure and the importance of the risk to you, they apply to some extent to any risk or insurance policy:

  1. As already discussed, high levels of colourful disclosure make it more likely that the coverage you want will be available at all; and
  2. As also discussed, the more UCN the risk, the greater the disclosure, the lower the cost of the coverage compared to what is available with lower levels of disclosure.
  3. The quality of the contract is also improved.  I often see that the quality of coverage low disclosers get is not as good as it could be.  High disclosers on the other hand, can get coverage low disclosers can only dream about.  For example, the extent of  in-house claims handling latitude a high discloser can get, can bear no resemblance whatsoever to what most buyers have to contend with.
  4. Probably the biggest benefit however, after availability, price and coverage (what have the Romans ever done for us…?) relates to claims handling.  Now, while it is true that there will be more scope to be creative with situations at the fringes of what is intended to be covered if you have done everything you can to jointly contemplate what should be in the policy, I can’t pretend that illegitimate claims will ever be paid.  That said however, the outcome of any claim – whether against a buyer or subsequently against an insurer (I am a casualty snob; I always think in terms of liability) – is never determined only by the facts of the event giving rise to the claim in the first place.  There is just too much else that goes on, and that can go wrong, for that to be the case.  In my experience, almost the only two things you can be certain about every claim are:
    • that you never know at the beginning of a claim journey everything that you will know about it by the end of the journey.  You can reasonably expect to be surprised and a healthy skepticism about what you think you know at the outset is not necessarily unhelpful; and
    • it is not so much that ‘whatever can go wrong will go wrong’ but that, in addition to the original proximate cause of the claim in the first place, one or more other things are also likely to go wrong (or to have gone wrong) in the chain of events leading to the final disposition of the claim.  It might be before the event (or even have caused it), it might be during the event itself, in the notification of the subsequent claim or sometime during the negotiation with the plaintiff or with the insurer – or any one of a number of other places and times.  The colour of the ‘real thing’ ensures all this ground has been covered when you are writing the policy, not when stuff and fan are coming together.

When a buyer’s uncertainty – the reason they want UCN coverage in the first place – is compounded with the insurer’s uncertainty – whether to accept the UCN risk and what to charge for it – it seems to me to be axiomatic that disclosure needs to be much more than ‘disclosure’ or ‘full disclosure’.  The ‘real thing’ is something shared between buyer and insurer and involves transparency about everything about the risk the insurer is really accepting.

Why I think about Insurance 2.0

April 12, 2013 by tim in Insurance 2.0 | Leave a comment

I have just up-dated my definitions or risk and uncertainty and, in so doing, have clarified why I am writing all this about insurance 2.0.

Here is my new definition of uncertainty:

I am slightly lazy about how I use the term uncertainty – I suspect, like most people. I don’t, for example, stick strictly to either of the definitions I use when I compare the theoretical differences between risk and uncertainty in my definition of risk.

Without trying to excuse my laziness, I do this because, in most of my thinking, I have a working assumption that something like uncertainty is what most of us are actually talking about when we refer to risk. By ‘something like uncertainty’, I mean that I conflate two theoretical views of what uncertainty is compared to risk. In this hybrid view, I suspect that most of us have too little idea of all that could happen in a given situation and, were something bad to happen, how bad it could be.

I mash up the ‘measurable/not measurable’ and ‘multiple options/downside of the options’ theoretical approaches for practical reasons associated with what I hope Insurance 2.0 will deliver.

On one level, I would like to alter the asymmetry that currently sees insurance buyers generally ignorant of the extent of their possible outcomes and the potential costs in a way that insurers are not. By the way, that is not to say that insurers are omniscient; far from it. They have no idea who is going to be loss free and who is not but they have a pretty good idea how many policyholders will have losses and how big those losses will be.

Altering the asymmetry is however, no more than a by-product of the main aim. I would like to help buyers to have fewer losses and for those to cost them less.

Cybersecurity – 3 reasons insurance as we know it will not be part of the solution

April 9, 2013 by tim in Risk | Leave a comment

I have just read a report issued a few days ago by the Heritage Foundation, discussing the measures the US should implement to develop effective cyber security.

First of all, I should make it clear that I agree with much of the report. For example, as I have said here before, a regulatory approach is absolutely not the way to introduce effective cyber security. A regulatory approach would be too slow and cumbersome to deal with the dynamism of the cyber environment and, if sharing information about cyber threats and their mitigations – which is critical to effective cyber security – is mandated and consequently managed by regulation, the likely unintended consequence is that businesses will share less and more slowly than necessary.

That said, I have one major reservation about the report. It advocates for the development of ‘a viable cybersecurity insurance system’, as if this were possible; given the current shape and form of the insurance industry, this is not possible.

This is the abstract from the report:

Cybersecurity is one of the most critical issues the U.S. faces today. The threats are real and the need is pressing. Despite the best intentions of those involved with previous cyber legislative efforts, a regulatory basis simply will not work: It will not improve security and may actually lower it by providing a false level of comfort and tying the private sector down with outdated regulations. Cyberspace’s dynamic nature must be acknowledged and addressed by policies that are equally dynamic. Heritage Foundation national security analysts detail seven measures that the U.S. should implement to protect its assets and interests in the cyber domain.

The 7 measures advocated are:

Enabling information sharing instead of mandating it;
Encouraging the development of a viable cybersecurity liability and insurance system;
Creating a private-sector structure that fosters cyber-supply-chain security ratings;
Defining limited cyber self-defense standards for industry;
Advocating for more private-sector efforts to promote general awareness, education, and training across America;
Reforming science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce within industry and government; and
Leading responsible international cyber engagement.

As the article I read introducing this report acknowledged, much of the above is ‘mom and apple pie’ stuff – or ‘bleeding obvious’ in English… I am not sure I would have so closely linked the liability and the insurance points if I had written the report but what the report says about the need for a new cyber liability framework is interesting.

To appreciate why insurance cannot cope with cyber risk however, it is important to understand that it is not unwilling to do so. The insurance industry is just incapable of dealing with cyber risk, for reasons relating to its very DNA.

First, utmost good faith, disclosure, indemnity, insurable interest and potentially even fortuity all militate, in different ways, against the design of an effective cyber security insurance product. For example, disclosure requires that everything about a risk be disclosed prior to the inception of the policy; given the dynamism of cyber risk, this is not possible. This in turn means that utmost good faith, which (in theory at least) requires an insurer to disclose whether he can or cannot accept a risk, cannot operate because – who knows if the insurer will be able to accept what the risk (for example in systemic terms) might become?

Second, insurance’s hierarchical structure – in information terms – currently makes information sharing impossible. Information flows only upwards to the insurer, not the other way. Further, information is the key source of competitive advantage between one insurer and another; sharing is simply not an option.

Third, insurance’s capital and pricing structures are almost completely geared to what it has needed of both in the past; future exposure based pricing rarely works for long because of subjective opinions and competitive forces and dynamic pricing has never been effective because of how long it can take to understand the true cost of a risk.

I am also wary that the article discusses the development of cyber security ratings. As a principle, I have been advocating something like these – though for insureds, rather than for the cyber security supply chain – for some time but the events of 2008 make me even more nervous than I was already of placing too much reliance on external rating agencies. It is not just that rating agencies can never be completely right about anything; it is a question of how wrong they can get and what are the forces – lack of independence being the biggest concern – that will lead them to be wrong in potentially multiple different ways. On a separate note, a rating agency approach is also at odds with how insurance currently operates. It is not just that insurers prefer to use their own judgement about risk, not someone else’s. The bigger issue is that, without the provision by the customer to the insurer of information about their risk, the utmost good faith underpinnings of (to some extent) every insurance contract cannot operate.

In my last two posts, I have talked about the possibility of insureds becoming their own intermediary between uncertainty and risk and why I don’t want ‘big data’ insurance. The Heritage Foundation report is therefore extremely unfortunate timing – for me at least – because it forces me to start talking about a risk operating system I have been thinking about but which is not yet completely sorted in my head.

As I currently see the basic foundations however, I am sure, first, that no one solution is going to provide an answer to cyber security. I am not sure if 7 is the right number of initial components or not yet; I’ll get back to you on that. I am sure though, that many more components will be added in time; whatever overarching approach is designed needs to be flexible enough to plug new components in at will.

The second is that a top down approach won’t work either; there are too many different configurations – of firms, networks, needs, regulations, stakeholders, etc., etc., for any top down approach to work. Individual agents therefore need to be able to make their own decisions, in their own interests, about how they manage cyber risk.

Third, to be able to make those decisions, they will need access to reliable information; information sharing is self-evidently critical to the process and reliable rules safeguarding this process need be developed.

Fourth, it is all very well having good information but you need to be able to do something practical and effective with it. Access to trusted advice and effective implementation processes will be needed to effectively support the decisions made.

And if information sharing is going to mean anything, effective implementation needs to be verified and ongoing monitoring implemented. Without this, the information shared might be meaningless.

Finally, with the best will in the world, cyber security will never be complete. The volatility of those costs needs to be addressed by something that, in principle, will bear close resemblance to the purpose of insurance, if not its current processes. For one thing, it will need to be entirely embedded into the overall process.

The purpose of the operating system will therefore be to provide individuals and firms with access to all the different resources that might be necessary to manage cyber risk – both those already known and those yet to be discovered – and to establish rules governing the uses thereof.

In this regard, I don’t think The Heritage Foundation and I are thinking along very different lines. For me though, a risk operating system is the glue that holds everything else together. More thoughts on it to follow in due course.

3 reasons I don’t want big data insurance

April 2, 2013 by tim in Insurance 2.0 | Leave a comment

I was recently talking to a good friend of mine, who pointed out that a lot of what I have been talking about here is encapsulated in the simple idea that new technology means a whole load of clever new stuff can now be done.

As far as that statement goes, he was absolutely right but, in seeking to further clarify what he thought I have been talking about, he went on to describe a ‘big data’ centric view of what all this clever new stuff could be, as far as insurance is concerned. He specifically described how insurers will be able to segment risk into ever-finer categories and sub-categories, so allowing them more effectively to exclude the risks they prefer not to accept and to price more accurately the risks they are happy to accept.

<p>His comments made me realise that I haven’t explained clearly enough the specific type of clever new stuff I am thinking about. So, to try to clarify, there seem to me to be diverging paths ahead of us.

In the ‘big data’ scenario, insurers will develop ever-more detailed information about us that they will use to segment the market into ever-finer and more accurately priced gradations. The information will be algorithm developed, will be spookily accurate about us but will forever remain the property of the insurer; it won’t be shared with us and so it won’t be available to us to let us use it to manage our uncertainty. {See this post to see what I mean by ‘managing uncertainty’.}

In this scenario, big data will increasingly be seen as something that is done or used against us, even if we tacitly accept the trade-off between the information gathering by the insurer and the products this allows them to provide to us.

In the ‘network scenario’ on the other hand, I will consciously share my information with a utility of my choice, that is designed to help me make sense of my current uncertainty and to give me access to the resources to help me reduce it. I will be able to choose the connections I want to make to develop improvement information and processes; the utility will also provide the platform from which I can implement the improvements. I will not only own my information in the formal legal sense but I will also own the improvement process and the resulting improvements.

In this scenario, I will also be able to use the information about the quantity and quality of my risk (not uncertainty anymore) to contract with insurers also accessible via the platform for a volatility management service that will be unrecognisable from current insurance. Apart from anything else, the likelihood and cost of my losses will be lower and I will be able to demonstrate full disclosure; these are the three main components of every pure premium calculation. By ‘pure’, I mean the cost of the risk to the insurer, without their own costs added.

The key difference between the 2 scenarios is that, in the first, risk management is directed by the insurer in their interest; in the second, I direct risk management in my interest. Scenario 2 won’t be for everyone but scenario 2 is my choice, for 3 reasons.

The first is simply that I will own my own information. Information known about me, accurate or not, dictates how everyone behaves towards me. In a bar, if someone thinks I am an arsehole, that is their prerogative. Of course, that hardly ever happens… But, if an insurer were to have the wrong information about me, which can happen in all sorts of ways and for all sorts of reasons, I might desperately need to correct the information – assuming I can even discover they have erroneous information. If it is their information, I may struggle to get them even to disclose it, much less change it.

The second is that scenario 1 is too financially based. There is nothing wrong with a financial perspective; it is just not enough perspective when talking about managing either uncertainty or risk. From a financial perspective, my insurer will be asked to pay my losses, whatever my losses happen to be. They will naturally seek to use risk selection and pricing tools to coerce me to behave in ways that reduce the likelihood of their having to pay claims. They won’t however, develop or share information about how I might behave outside their preferred behaviours but remain an acceptable risk.

This will partly be because they will rightly not see it as any of their business to tell me how to behave. The obvious irony of course, is that is precisely the effect they will have; in seeking to reduce their costs, they will also reduce my options. More important to them, in the highly competitive insurance business, the quality of your data is your greatest source of competitive advantage; you just don’t give that stuff away.

Taking the broader perspective of scenario 2, I expect to be able to choose how I behave in the knowledge that there are different potential outcomes – positive and negative – that can arise from my choice of behaviour. There will then be all kinds of options to choose from – or not – at my choice. So, I might choose to improve the chance of a positive outcome. On the other hand, other issues beyond the specific choice of behaviour might mean it is more important ‘for now’ to reduce the chance of a negative outcome. I may also be able to hedge the negative outcomes by acting in advance of the losses I can’t prevent, to make sure both their effects and costs are kept as low as possible.

The point is that risk management is not just about money but insurance is.

The third reason, however, is the most important, dealing as it does with what I see as the real digital divide. I understand that corporations will try to influence my behaviour when it comes to trying to convince me to buy their car, gadget, shoes or whatever (3 of my particular weaknesses…). But at the heart of this overall process is risk management – how I optimize the positive and minimize the negative effects of my behaviours, choices and activities. I don’t want to sound overly apocalyptic but it is the very essence of my ‘me-ness’ that I have the free will to make decisions about how I behave for good or ill. I don’t want an insurance company making those kinds of decisions for me.

Life is good

March 19, 2013 by tim in Live | Leave a comment

This had been our base camp for the last 10 days.

20130319-175431.jpg

This is when ‘teleworking’ makes sense… 28 degrees, Margaritas on tap and wonderful views. Oops, I mean abundant wi-fi and perfect cell service…

My own intermediary between uncertainty and risk?

March 12, 2013 by tim in Insurance 2.0 | Leave a comment

When I am asked what insurance is, I have until recently thought it was sufficient to trot out one of two old faithfuls. I would either say that it is was the mechanism by which the premiums of the many pay the losses of the few or that it was a promise made to pay losses by an entity that can afford to pay them, to one that cannot.

As far as they go, in “insurance as usual” terms, these descriptions work. But I have now realised that they are typical of much shorthand; they have made me think too lazily about what insurance is and disguised what I am coming to think of as the inadequacy of “insurance as usual”.

Thanks to two recent conversations, I have had something of an epiphany; though at the time, for someone who thought he had been thinking about Insurance 2.0 for some time, it felt more like being slapped around the face with a wet fish…

I would be interested in hearing if this – with some clarification – gets a bit closer to the core of what insurance is?

Insurance is the mechanism that converts uncertainty into risk.

In thinking about insurance this way, I have also come to realise what Insurance 2.0 should be.

In Insurance 2.0, I will become my own intermediary between uncertainty and risk.

First, a couple of definitions and clarifications. Here I am using risk and uncertainty as the difference between being able to measure, or not, the possible outcomes in any given situation. In one situation – the uncertain one – there is, for example, insufficient information to measure the possible outcome(s). In the other, one can measure the risk of one outcome – or even a number of possible outcomes. Risk is measurable, uncertainty is not; it is as simple and as complicated as that.

As I have come to think about the inadequacy of insurance, the uncertainty I am thinking about is your and my uncertainty if, like me, you have a family, a job, a mortgage, you drive a car and are healthy. It applies equally well however, for a business with assets and resources, customers and debts, let’s say.

Both the business and I have a general idea of what could go wrong with any of the things that matter to us but neither of us – on our own – can measure the probability of a material detrimental event occurring, how bad such an event could be or what really works – and is worthwhile to spend money or time on – to improve either situation, whether before, during or after such an event. I am not sure which is the chicken and which the egg but I think the reasons may lie in and around the ideas that we all have too many other things to think about and, even if we wanted to, we have no yardstick against which we can make any kind of calculated risk judgement.

Risk on the other hand, as I am using it, is a very different concept. On the basis of detailed calculations using data on the past performance of portfolios and projecting forward by factoring changes to the data, insurers aim to put themselves into a situation where they have (say) just a 0.01% chance of loosing more than the premium they collect and their capital from losses arising from the multiple portfolios of insurance policies they write. This is carefully calculated risk.

So, the conversion process occurs when insurers make promises to buyers to relieve them of a little of their uncertainty in return for a premium, and in so doing, they accept the risk of how the sum of those promises will work out. The specific processes are:

1. Pick one of the things someone is uncertain about;
2. Issue a promise that covers some of it; and
3. Aggregate lots of as similar promises as possible.

Then, go out and pick something else someone is uncertain about, that is preferably uncorrelated to the last thing you picked, and repeat. And keep repeating until you have what you believe is the optimum balance of risk, premium and capital. Then adjust as environment changes require.

It is a bit more complex than that – but not by much – and I accept that there is a genuine and valuable promise made by the insurer, though some seem more willing to fulfill their promises than others. The problem is that the amount of uncertainty removed by any one promise or policy (and so the value of its removal) is tiny (a highly technical, quantitative term) and cognitively, the value might even be negative given the known difficulty of dealing with insurers – but I digress a bit.

The more central point is that every policy is tightly focused on a particular peril and has limits, deductibles and other qualifications that make it, by design, incomplete even for the peril it addresses. I haven’t worked out the math (pun intended…) but even if I bought every single insurance policy I could possibly buy, I couldn’t insure (even if I could afford to) everything, so I would still be left with residual exposure. And I would still have done precisely nothing to make any of the events insured against any less likely to occur or any less damaging if they did.

I have no problem with insurers – or anyone else – making a profit and I expect profit to be earned but, with insurers making a profit by turning my uncertainty into their risk without making any appreciable difference to my uncertainty, I am no longer sure they are doing enough to justify my premium or the profit they make from it.

I want a service that delivers more than that. And I think the tools are now available to deliver more in the form of Insurance 2.0.

Insurance is known as a risk management tool – but it is really only that when looked at from the perspective of the insurer, who creates risk – and its corollary, reward – by making many little, similar but very selective promises. Insurers turn uncertainty into risk for their benefit and, to the extent there hasn’t so far been any alternative, I have accepted what has been offered.

What I really want though, is a suite of tools to help me manage uncertainty. If, by using them, I can become my own intermediary between uncertainty and risk, that would be fine… I am sure it would involve some work but, for example, to have a clear understanding of what risks I have, whether I can take more or less of them and to understand the many different ways I can increase or reduce them – these would all be valuable. And I am sure it would be cheaper and more effective to buy risk protection than uncertainty protection, which is really all I can buy now.

Working from home – initial observations

February 1, 2013 by tim in Observation, Work | 1 Comment

From December last year, I have been able to work from home far more than was ever possible when I worked in London.  For 30 years, I was required to attend one London office or another, even if I could have done far more work staying at home.  I know many people suspect – and I have been one of them so I can’t really complain –  that for many people, ‘working from home’ is a euphemism for ‘watching the telly’/'playing golf’/'going down the pub’ – or one of any number of other skiving activities; feel free to insert your own version.

For family reasons, it became necessary to move to Canada – and if that makes it sound like a hardship – it so isn’t!

But, as part of the move and the need to manage a number of different concerns, it became clear that I would have to work from home to make the move work.  That’s what I now do and this is the first piece I will write about the challenges I encounter working from home.

Most surprisingly – for someone who, as noted above, previously suspected the motives of those working from home – the biggest challenge isn’t getting myself to my desk; it is tearing myself away from it.  I never feel like I have done enough work; even as I type this, I am thinking of all the other things I should be doing.

Another surprise is to find that, if you have even the most minute capacity for disorganisation, which I am told might be just a little true for me, it catches you out far more when you work alone than when you work in an office.  I suspect that the day to day argy bargy of an office, with its constant chatter and reminders of ‘what’s going on’ mean that an office environment provides a natural reminder system you don’t get working alone.  More on this in due course – I am trying various strategies and devices to counter this and will let you know which, if any, work.

Another thing I notice – for the better, I think – is the complete lack of the ‘autopilot’ mentality.  When you have done something for 30 years – and it varies relatively little over that time – it becomes second nature.  I have never worked from home like this before and everything, work-wise, I used to do on autopilot was left 5,000 miles behind me.  I can’t help thinking this is a really good thing but it is still slightly uncomfortable as I get used to it.  More on this in due course too.

 

 

 

 

 

WhatsApp violates International Law – aparently

February 1, 2013 by tim in Observation | Leave a comment

I thought when I signed up to WhatsApp that it was strange it accessed my entire address book.  Now, the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority say this breaches international privacy law.

WhatsApp, one of the world’s top five best-selling apps, is an instant-messaging application for smartphones including Apple’s iPhone and RIM’s Blackberry.  It provides a free internet alternative to SMS, or text messaging, sending more than a billion messages every day.

According to a press release:

The instant-messaging application requires users to provide access to their complete address book, including users and non-users, the report states. Dutch DPA Chairman Jacob Kohnstamm said, “This lack of choice contravenes (Canadian and Dutch) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.”

There seems however, to be some controversy over how far a Dutch remit can stretch:

Bird & Bird Partner Gerrit-Jan Zwenne told the IAPPs Daily Dashboard, “Clearly the Dutch DPA thinks it has extra-territorial powers. The implications are far-reaching, as this would be no different for other DPAs in the EU. If this interpretation of EU data protection law is right–many doubt that–all national DPAs could investigate any non-EU-based controller that provides apps to EU nationals.”

In several earlier posts, I have talked about the presumption behind some national regulators and the confusion they cause in the name of bringing clarity.  This looks like it might be another example…

Regulation’s stated objectives v. likely consequences; mismatch #248

January 31, 2013 by tim in Insurance 2.0, Insurance user manual, Observation | Leave a comment

I found this Mondaq article – discussing the impact on US Discovery of EU Data Protection and Discovery Blocking Statutes – on Advisen – free registration required. Though I realise it is not to everyone’s taste, I think it is fascinating… I am a layman but it appears to be a helpful outline of those laws – and is current as at December 2012.

One paragraph though, really caught my eye. It is stuck away in the middle so, to save you looking for it:

On January 25, 2012, the European Commission published a draft “General Data Protection Regulation,” a proposed reform that would significantly change data protection laws and regulatory schemes across Europe.17 The proposed reform seeks to reduce the confusion caused by the fragmented approach companies currently face when dealing with DPAs across the member states of the EEA. The proposed reform seeks to strengthen data privacy protections. It stiffens penalties for noncompliance and expands the reach of the law to all companies seeking to process data belonging to EU residents, regardless of the company’s location. The Commission hopes to obtain the agreement of all member states by June 2014 so that the regulation can take effect by June 2016.

I know this isn’t exactly news but it always strikes me as hilarious (in that slightly manic use of that term) that laws designed to ‘reduce confusion’ almost always also seem to end up tightening them. And, in seeking to ‘reduce confusion’ by ‘expanding the reach of the law to all companies seeking to process data belonging to EU residents, regardless of the company’s location’, the new law can only possibly add to the confusion that already exists.

What has any of this got to do with insurance? This constantly shifting legal landscape, the almost impossibility of remaining within the law everywhere it matters and the resulting need to defend against (for example) regulatory and competitor challenges are key risks some insurance policies can now deal with. A few companies buy such policies directly, some assume their GL covers this (which it doesn’t) and others rely on their D&O which, to be fair, can deal with some of this. But, being a purist about D&O, I am not sure that is where this exposure should be addressed.

PS. “I am not sure that” is British understatement which, in the US for example, would be translated as: “really?”

← Older posts