Identity theft continues to be a growing concern in the ever-expanding digital age. What happens if the insurance company paying disability benefits has a data breach? What rights do employees have? Because it happens with some frequency, it is first a good idea to make sure that the insurance company is provided only the data it really needs. An ounce of prevention…

What information does that authorization really authorize?

Many insurance companies, especially those providing employee disability benefits, require that the employee or insured sign an authorization. Often, there is a threat in the authorization that if it is altered in any way, the claim may be denied. Therefore, many sign the authorization as allowing the insurance company to obtain all sorts of information that typically is irrelevant and unnecessary for a claim determination. For example:

• Does the insurance company really need to obtain a credit report to evaluate a disability claim?
• Is it really necessary that the insurance company obtain information about any other insurance such as car insurance, home insurance, cell phone insurance or even pet insurance?
• Is it necessary to allow the insurance company to give information to the Medical Information Bureau or the Association of Life Insurance Companies which operates the Health Claims Index and the Disability Income Record System?
• Do you know what those entities do and who they are?
• Is it necessary for the insurance company to have complete tax returns?
• Is it necessary, or even proper, to authorize an attorney to give information to an insurance company potentially waiving the attorney-client privilege?

While there may be instances when such information is needed, it hardly seems proper to request an employee to waive all privacy rights to process a disability claim especially given the risk of identity theft. After all, many insurers simply use that authorization to gather irrelevant information in order to develop a reason to deny a claim.

There are many harms that could result from an overly broad authorization. For example, if the insurer pulls credit reports, repeated inquiries can actually have a negative impact on an individual's credit score. That is the last thing someone battling a disability needs. Obviously, if the insurer has a data breach – the sensitive personal information contained within a credit report could be used to open numerous illegitimate accounts. Another headache the disabled insured doesn't need.

Do the courts provide any relief?

Only if you experience actual harm will courts in the Eleventh Circuit be sympathetic. Even if you go to the trouble of purchasing identity theft protection and cancel credit cards, that still is not enough.

In the case I Tan Tsao v. Captiva MVP Rest. Partners, LLC, No. 18-14959, at *2 (11th Cir. Feb. 4, 2021) Tsao ordered a chicken meal and used his credit card to pay for it. The restaurant kept some of the data in its system including the customer's name, account number, card expiration date, and the card verification value code (CVV). The restaurant was hacked, and data was exposed. The restaurant dutifully notified its customers of the breach. The customer then canceled the credit card and obtained a lawyer to file a class action complaint in the Middle District of Florida.

Tsao asserted that he and the class members “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.” Id. at *4 (11th Cir. Feb. 4, 2021). The Eleventh Circuit noted that the Sixth, Seventh, Ninth, and DC Circuits have recognized, at least at the pleading stage, that the plaintiff can establish an injury in fact based on the increased risk of identity theft. Other circuits such as the Second, Third, Fourth, and Eighth declined to find standing on that theory. The 11th Circuit took the conservative approach, in joining the latter group of Circuits, finding that there was no standing. It is noteworthy that Judge Jordan only concurred in the judgment (noting his dissent in a prior case) and openly hoped that the Supreme Court would grant cert. on the issue.

We advise our ERISA clients not to sign authorizations that are broader than necessary. At the same time, we let the insurance company know that we will be glad to consider providing any specific information that is needed to evaluate an ERISA disability claim, but we aren't going to give carte blanche to expose our clients to the risk of harm arising from identity theft. Given that the courts will not afford relief unless there is actual harm, the best defense is to strike through the objectionable terms in an authorization. If an insurance company denies a claim for that reason and under those circumstances, they will have some explaining to do. We will make sure of that.