Timothy Moroney

Timothy Moroney has no picture

imothy Moroney is a partner of Barger & Wolen LLP’s San Francisco office. He has been with the firm since 1999. Mr. Moroney has worked on a wide range of business and insurance litigation and regulatory matters.Mr. Moroney’s practice focuses on insurance regulatory issues before all state insurance departments, with particular expertise in connection with advising insurancecompanies, insurance agencies, banks, lenders, broker-dealers and various other financial institutions in connection with privacy requirements under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, and state laws.Mr. Moroney regularly advises clients on matters including entity formation, licensing, mergers, acquisitions, reinsurance transactions, product development, policy form filings and other regulatory compliance issues. He frequently serves as a guest speaker at conferences and seminars to discuss privacy related topics.Mr. Moroney’s recent representative matters include:

  • Represented large insurer with regulatory filings in California related to securitization of approximately $3 billion block of life insurance policies.
  • Represented lender with structure of program of non-recourse premium finance lending in connection with the purchase of life insurance and eventual sale in secondary market.
  • Represented large Bank with regulatory filings necessary to disclaim control of insurer in connection with Bank’s acquisition of 17% of the outstanding share of stock of large holding company with insurance company subsidiary.
  • Represents large oil company with the structure for its $30 million sale of its wholly-owned subsidiary motor club.
  • Advises many insurance companies, banks and other financial institutions with regard to many financial privacy and HIPAA issues, including but not limited to the creation of privacy notices, joint marketing arrangements, vendor and business associate agreements, safeguarding programs, and customer notification programs relating to security breaches.


Articles By This Author

California Legislation Aims to Protect Personal Social Media Account Access by Employers

Posted on May 3, 2012 by Timothy Moroney

In effort to protect employees and prospective employees, the California Legislature is taking steps to prevent an employer’s ability to gain access to their employees’ or prospective employees’ social media accounts.

On May 2, 2012, the California Assembly Committee on Labor and Employment unanimously approved Assembly Bill 1844 a bill which will prohibit an employer from requiring an employee or prospective employee to disclose user names and passwords to personal social media accounts. AB 1844 is a direct result of national stories and statements by Facebook that employers have been asking for such information more frequently to monitor employees’ activities or to screen prospective employees.

AB 1844 is expected to sail through the Legislature with little opposition, though the Governor has not indicated his position on the bill. At least eight other states are currently considering similar legislation.

Related legislation has also been introduced – Senate Bill 1349 – The Social Media Privacy Act. SB 1349 would prohibit a postsecondary educational institution and employer, whether public or private, from requiring, or formally requesting in writing, a student or an employee, or a prospective student or employee, to disclose the user name and account password for a personal social media account.  

While SB 1349 currently would allow postsecondary educational institutions and employers to request access to a personal social media account to aid in a formal investigation conducted by the institution or employer regarding specific allegations of harassment, discrimination, intimidation, or potential violence, the bill would prohibit the post secondary institution and employer from discharging, disciplining, threatening to discharge or discipline, or otherwise in any way penalizing a student or employee for refusing to disclose the requested information related to their personal social media account. SB 1349 is making its way through the Senate.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

Tags: , , ,

Big Brother - Are Americans Ready for the Growth of Usage (Telematics) Based Insurance?

Posted on April 25, 2012 by Timothy Moroney

Fox News.com (“Fox”) reported on April 24, 2012, Are drivers ready for Big Brother car insurance plans? that a new study points to the fact that good drivers seem poised to give up privacy rights in order to achieve savings in their auto insurance premiums through usage based insurance programs such as pay-as-you-drive (PAYD) models.

Specifically, the Fox article noted that a UK-based insurance aggregator, GoCompare.com, conducted a survey that found 92 percent of drivers surveyed believe that insurance premium should be based on how they drive and that 97 percent indicated that good drivers should get better insurance rates.

While PAYD programs now exist in many states from many carriers, as reported by Fox, Americans once thought to be protective of their privacy may now be willing to give up some privacy in order to obtain rewards such as cheaper insurance premiums. 

While no reasons or support were provided in the Fox article to suggest that Americans are in fact willing to give up some privacy, any loosening of views in this area may result from the fact that consumers in today’s Google or Facebook America may not have the same expectations of privacy when it comes to giving private companies (as opposed to government actors) access to their private information, including driving data.

Insurance regulators across the country are surely going to adopt rules on how and what types of information may be collected – California has already done so (Title 10 California Code of Regulations section 2632.5) – in connection with such programs. We will keep you posted on any state developments in this regard.

 

Tags: , , ,

"Do Not Track" and Telematics

Posted on April 4, 2012 by Timothy Moroney

Most major U.S. auto insurers have launched or are exploring usage-based insurance (UBI) programs. The most common of these programs, pay-as-you-drive (PAYD), uses actual driving data to determine accurate rates in order for insurers to give customers more control over premiums. 

One issue of concern that has been voiced is that, in addition to collection of mileage data, telematic devices monitor and collect all sorts of other driving information, so-called GPS data, including such things as location, speeds, braking patterns etc. The collection and use of this GPS data raises privacy concerns.

The recently released Federal Trade Commission (FTC) report, “Protecting Consumer Privacy in an Era of Rapid Change” pledges that part of a “best practices” framework for the Internet industry concerning how companies should address consumer privacy includes either an industry-created “easy to use and effective”  “Do Not Track” option by the end of 2012, or “Do Not Track” legislation from Congress in 2013.  “Do Not Track” is the proposed ability by consumers to opt out of tracking procedures.

At this point, it is too early to tell the impact that the renewed call for a “Do Not Track” requirement will have on the telematics industry, but it is worth noting that federal “Do No Track” legislation last year, the Do Not Track Online Act, would have allowed consumers to opt out from having online services collect personal information that can be used for data mining. 

That legislation applied to all online activities, including mobile telephone applications and auto-based telematics options. Important to the telematics industry last year was the fact that that legislation permitted providers to collect data, even for those who have previously opted out, in order to provide a service requested by the individual. So, even if it was enacted, the Do Not Track Online Act did not threaten the telematics industry. It should be noted that there was a similar legislative effort last year in California, Senate Bill 761, which failed to pass.

The operational provisions of the federal Do Not Track Online Act and California’s SB 761 were broadly similar by allowing exceptions to data collection and tracking opt-outs in order to provide an expressly requested service. As such, if those statutes had been enacted, it was not believed that they would have had any significant impact on telematics services. 

However, with the recent renewed calls by the FTC for “Do Not Track” requirements, the telematics and insurance industries need to protect their business models by watching all federal or state pronouncements on this topic to make sure similar exceptions are present.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

 

Tags: , , , , , , , , ,

FTC Issues Best Practices Guide to Protecting Consumer Privacy

Posted on March 28, 2012 by Timothy Moroney

The Federal Trade Commission (FTC) recently issued a report, “Protecting Consumer Privacy in an Era of Rapid Change.”

Two years in the making, the report outlines a “best practices” framework for the Internet industry concerning how companies should address consumer privacy. 

The FTC pledged that consumers will have an industry-created “easy to use and effective” “Do Not Track” option by the end of the year, or it will almost certainly face “Do Not Track” legislation from Congress next year. "Do Not Track" is the proposed ability by consumers to opt out of tracking procedures.

The Report calls on companies to act now to implement “best practices” to protect consumers’ private information. The “best practices” are based on the following key principles:

  1. Privacy by Design (building privacy at every stage of product development);
  2. Simplified Choice for Business and Consumers (give consumers the ability to make decisions about their information at the relevant time and context, including Do Not Track mechanism); and,
  3. Greater Transparency (make information collection and use practices transparent).

The Report indicates that, over the course of the next year, FTC staff will work to encourage consumer privacy protections by focusing on the following five main action items:

Do Not Track - The FTC will work with interested groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.

Mobile Services - The FTC will be urgings companies offering mobile services to work toward improved privacy protections, including disclosures.  To this end, the FTC is trying to do what the California Attorney General did in February to improve and define consumer privacy on mobile apps. See our post dated February 24, 2012. 

Data Brokers - The FTC will be calling on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data.

Large Platform Providers - The FTC cited heightened privacy concerns about the extent to which large platform platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers’ online activities.

Promoting Enforceable Self-Regulatory Codes - The FTC will be working with the Department of Commerce and stakeholders to develop industry-specific codes of conduct.

The FTC Report appears to be a broad warning to the Internet industry that it must adhere to what it considers reasonable behavior and has laid out a road map of its expectations in connection therewith.

For more information or any questions, please contact Tim Moroney at 415-743-3713 or tmoroney@bargerwolen.com.

Tags: , , , , , , , , , ,

Workshop held by California Department to Discuss Contemplated Changes to Life Settlement Regulations

Posted on March 9, 2012 by Timothy Moroney

Can Servicers Expect to be Brought into the Regulatory Fold?

On March 9, 2012, the California Department of Insurance (“Department”) held a Pre-Notice Public Discussion on contemplated revisions it intends to make to California’s life settlement regulations, Title 10 California Code of Regulations §§ 2548.1 et seq. (the “Workshop”) 

The Workshop was chaired by Staff Counsel Audrie Lee of the Department’s Corporate Affairs Bureau, and was attended by Special Counsel to the Commissioner Geoff Margolis, Deputy Commissioner John Finston, and Senior Staff Counsel Jennifer Chambers also of the Corporate Affairs Bureau. The industry turnout included representatives from Coventry, Maple Life, and various other trade industry representatives. The purpose of the Workshop was to discuss the following contemplated revisions to the life settlement regulations.

  • Prohibiting the commingling or investment of escrowed life settlement proceeds due to the owner in a life settlement transaction.
  • Defining grounds for the denial of a license application or the revocation of a license. For life settlement providers, failure to show financial stability will serve as grounds.
  • Regulating the life settlement transactions that allow the owner to retain an interest in the policy by requiring the owner to designate an irrevocable beneficiary and requiring contractual provisions intended to protect and preserve the seller’s interest.
  • Permitting the owner who has entered a life settlement contract to purchase annuities and retain additional benefits or optional riders that were part of the insurance policy; however, if the owner elects not to purchase an annuity or continue any additional benefit or optional rider, such elections would be terminated when the life settlement takes place.
  • Requiring any subsequent life settlement purchaser that transfers ownership or changes the beneficiary to notify the provider so that the provider may again notify the insured of the subsequent change in ownership or beneficiary.
  • Clarifying that a life settlement provider applicant or licensee must disclose any pending investigations of any criminal, civil, regulatory, or administrative action(s) taken against the applicant or licensee.

One of the big issues discussed concerned the Department’s plan to amend the life settlement regulations to include lack of financial stability as a ground for denying or revoking a provider license. The Department believes that it has the power to promulgate such a standard as the commissioner has the discretion to deny an application if the commissioner determines that issuance of a license is contrary to public interest. The Department has concluded that it is contrary to the public interest to license an entity that does not have staying power because there are ongoing obligations owed by providers to insured sellers after the close of a life settlement transaction.

The industry offered that, unless there is an objective standard for finding a lack of financial stability, it would be hard for the Department to enforce any such requirement since it would lead to arbitrary results. Also, the industry posited that the Department was not thinking of providers in the correct light, arguing that nearly all providers are simply fund originators and are not risk bearing entities since they generally do not hold policies for their own account. The industry also added that there are many reasons why providers go out of business – it is not always because of a lack of financial stability.

As for continuing post-closure obligations, the industry reported that most of the time life insurance policy servicers contract to undertake any post-closure obligations, not providers, and suggested that a better approach would be if the Department institutes a servicer registration or licensing requirement. The Department indicated that it will consider the servicers’ role in the transactions.

There was also a fair amount of discussion around retained death benefit cases and why in those cases the providers may be risk bearing entities as well as how the Department can protect insureds who try to retain some death benefits from a secondary market buyer who may stop paying premiums, thus impacting the insured. There was also discussion of the whether coverages and rights owed to the insured should transfer to the new owner. The industry believes that there is no difference in the rights and obligations under a policy sold in the secondary market since the secondary buyer simply stands in the shoes of the insured.

There were clearly differences of opinion between the Department and the industry, but the Workshop was productive. We will not know how much traction the industry’s positions will get until the Department publishes its proposed revised regulations.

The Department invited interested parties to submit written comments to assist in crafting of revised regulations. Any written comments should be received by the Department by March 23, 2012.


For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

Tags: , , , ,

Agreement with California Attorney General May Set Floor for Privacy Protections for Users of Mobile Applications

Posted on February 24, 2012 by Timothy Moroney

Amid growing concern about their personal information being pulled by mobile applications (“apps”) and taking a lead from the Federal Trade Commission (“FTC”), whose recent report raised concerns about the lack of privacy information available to mobile app users before download, California Attorney General Kamala Harris announced a privacy agreement with the six largest mobile app providers – Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion – that will impact how millions download apps to their smartphones, tablets, and other mobile devices.

The six companies have agreed to privacy principles designed to bring the industry in line with California’s Online Privacy Protection Act (“the Act”), most significantly requiring mobile apps that collect personal information to have a privacy policy, and to display it in prominent fashion and in easy to understand language before the app is downloaded. 

Two important features of the agreement are that consumers:

  1. will be afforded the opportunity to review the app’s privacy policy before they download the app rather than after, and
  2. will be offered a consistent location for finding the app’s privacy policy. 

The six companies will also be tasked with educating the app developers about their privacy obligations and will be providing users tools to report non-compliant apps.

Privacy policies are important consumer protections that allow for transparency into how companies collect and use personal information. Currently, most apps do not have privacy policies.

An important part of the agreement is the recognition that the Act applies to independent app developers as well as operators of commercial website and online services that sell and distribute them.

The Attorney General predicts that this agreement will have international impact as app developers will choose to comply with California law and the agreement because California is an important state (lots of app users here), and it will be administratively easier for the app developers to have one design that works everywhere.

At this point, it is uncertain whether the agreement will have the global impact the Attorney General predicts. That said, we have seen other California privacy laws assume a national impact. 

For example, the California Security Breach Notification law was one of the first in the country and, as such, many companies doing business in California had to comply with it not only in California, but, for public relations reasons, everywhere – how could a large national company provide security breach notification letters in California to California residents, but not in Arizona? 

In this example, the company would essentially being telling people in Arizona that their protection is less important than persons in California. Therefore, many companies simply decided to provide security breach notification letters everywhere it did business even before many states passed similar security breach notification laws. It is possible the same impact could happen with this new Act.

For more information or any questions, please contact Tim Moroney 415-743-3713 or tmoroney@bargerwolen.com.

Tags: , , , ,

California's Reader Privacy Act: What Every Bookseller Must Know

Posted on February 21, 2012 by Timothy Moroney

by Dawn Valentine and Timothy Moroney

On January 1, 2012, the California Reader Privacy Act went into effect. The Act requires all “book service providers,” i.e., book sellers, in the State to take certain steps when responding to governmental requests for user information and to make specific reports and disclosures regarding those requests.

The Act protects unauthorized disclosure of private information regarding books and book readers.

California consumers are increasingly utilizing digital book services and providers and in connection therewith such entities may collect detailed personal information about consumers such as books browsed, how much time is spent reading each page, and digital notes made in the margins. The Act is meant to address implicated privacy issues and codify the privacy and free speech safeguards for expressive records guaranteed by the California Constitution. 

The Act prohibits book service providers—defined as any service that has as its primary purpose the “rental, purchase, borrowing, browsing, or viewing of books”—from knowingly disclosing the personal information of any of its users to a law enforcement agency except per a valid court order based on probable cause and a determination that the requesting agency has a compelling interest in obtaining the information that could not be obtained by less obtrusive means. 

Prior to issuing an order to disclose user information, the book service provider must have been provided “reasonable notice” to allow it the opportunity to appear and contest the issuance of the order. 

Once a book service provider receives a court order seeking disclosure of a user’s personal information, the service provider must notify the user so that he or she has a chance to appear or quash the order. 

The Act also imposes certain reporting requirements on all book service providers. If a book service provider discloses the personal information of 30 or more California users in a year it is required to prepare a report that is to be made publicly available in an online searchable format. A book service provider with a commercial web site is required to either create a prominent hyper link to the report required under this Act or state that no report was prepared because the service provider was exempt from the reporting requirement. (because less than 30 disclosures were made). 

The provisions of the Act are ignored at a book service provider’s peril. A service provider that violates the Act is subject to civil penalties to the user and/or Attorney General and the Act may be the basis of civil actions and liability brought by either the user or an attorney general or district attorney within two years of discovery of any violation of the Act. 

For more information or any questions regarding the requirements of the newly enacted Reader Privacy Act, please contact Dawn Valentine, 415-743-3731 dvalentine@bargerwolen.com or Tim Moroney, 415-743-3713, tmoroney@bargerwolen.com

Tags:

Privacy - New California Security Breach Notification Requirements Set Standard Core Content for Notification Letters

Posted on January 27, 2012 by Timothy Moroney

The purpose of this alert is twofold: (1) to remind our clients that both federal and state law requires financial institutions and most businesses to safeguard their customers’ information; and (2) to advise of new requirements for security breach notification letters.

by Timothy Moroney and Dawn Valentine

In 2002, California adopted a first-in-the-nation security breach notification statute (AB 700, Simitian) (the “Security Breach Notification Law”).

The Security Breach Notification Law requires companies that do business in California and retain their customer’s personal information to notify individuals when there has been a data breach involving their personal information. 

Background

Since 2002, 45 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have also enacted security breach notification laws that are modeled upon California’s Security Breach Notification Law. Only Alabama, Kentucky, New Mexico and South Dakota do not have security breach notification laws.

Moreover, 14 states (Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming) and Puerto Rico have built upon California’s model and added more detailed requirements for security breach notifications to include certain types of information.  

Further, the federal government has weighed in. As of February 19, 2009, for breaches of personal medical information, individuals have to be notified and those notifications must contain certain specified content.

Still further, most of these states require a business that suffers a security breach to notify a state regulator, such as the Attorney General, in addition to the affected individuals (Alaska, Hawaii, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia).  

SB 24 Data Breach Notification

Accordingly, not to be outdone as the leader in consumer protection, effective January 1, 2012, California adopted new requirements (SB 24 – amending Civil Code sections 1798.29 and 1798.82) for what information must be put in a security breach notification letter. 

The purpose underlying these new requirements is to close a gap that has been identified – the old requirements simply required data holders to notify individuals when there had been a data breach involving personal information but were silent on what information should be contained in the notification.

As a result, security breach notification letters varied greatly in the information provided leaving consumers confused and not providing answers to the questions of what information was breached, when did the breach occur, and what consumers should do to protect themselves.

Moreover, businesses were left exposed and uncertain of what was expected of them in the event of a breach.  

The new requirements fill this gap by establishing standard, core content for the notification letters. Specifically, the new law requires that security breach notification letters, at a minimum, contain the following information:

Continue Reading...
Tags: , , , , , , , , ,

Request for Increase in Workers' Comp Cost Benchmark Rejected by Commissioner Poizner

Posted on November 22, 2010 by Timothy Moroney

California Insurance Commissioner Requires Overhaul of Workers’ Comp Rate-Making System to Increase Transparency

Citing the inclusion of avoidable costs, California Insurance Commissioner Steve Poizner for the third straight time rejected a filing submitted on behalf of insurers by the Workers’ Compensation Insurance Rating Bureau (“WCIRB”) seeking an increase in the workers’ compensation pure premium rates and claims cost benchmark (“Benchmark”). See this link for Commissioner Poizner’s Decision and Order.

The WCIRB had originally submitted a filing recommending a 29.6% increase, which was subsequently amended to 27.7%. The WCIRB justified the recommended rate increase as warranted primarily because of rising medical costs. This increase would have affected policies with effective dates on or after January 1, 2011. See this link for a summary of the proceedings relating to the WCIRB’s filing.

Pure premium rates reflect the loss (both medical and indemnity) and loss adjustment expense expected to occur on policies. Pure premium rates are a benchmark that insurers can use as a tool for determining their own rates. Pure premium rates have not been increased since January 1, 2009, and this is the third increase in excess of 20% filed by the WCIRB since then.

While the Benchmark is purely advisory and does not set workers’ compensation rates, Commissioner Poizner criticized the requested increase as the Benchmark has in the past allowed insurers to file for and pass on rate increases to businesses.

Calling for transparency and stating that “[t]he workers’ compensation rate-making system is long overdue for some much needed reforms,” Commissioner Poizner also announced three reforms that he believes will significantly improve and inject transparency into the workers’ compensation rate-making process. Under these reforms, the WCIRB will be required to:

  1. calculate future advisory pure premiums based on insurers’ actual, filed rates rather than on theoretical benchmark numbers;
  2. include in each future rate filing a table showing (in addition to industry average numbers) the proposed change for each individual worker classification; and
  3. use California Department of Insurance filing information and data from the WCIRB to evaluate overall workers’ compensation insurer profitability.

 

Tags: , , , , , , ,

Older Entries