Is Homework Ethical?
Editor’s Note: This article is part of a series written by members of the CAS Committee on Professionalism Education (COPE). Its intent is to stimulate discussion among CAS members. Therefore, positions are sometimes stated in such a way as to provoke reactions and thoughtful responses on the part of the readers. Responses are welcomed. The opinions expressed by readers and authors are for discussion purposes only and should not be used to prejudge the disposition of any actual case or modify published professional standards as they may apply in real-life situations.
David Dataminer, FCAS, MAAA, works for Giant Insurance Company and has been performing predictive modeling studies for various lines of business. As today’s business climate tends to dictate, David works a long day and often feels the need to bring some work home with him. On these days he simply downloads his files and heads for home. Giant Insurance Company is aware of David’s work from home and has never expressed any concern regarding the data that David downloads to bring home. This is not surprising to David since he generally only needs aggregated data with no specific personal policyholder information. Even so, David handles the data with care, does not send the files over the Internet, and is sure to keep the files securely in his possession.
For the current workers compensation study that David is working on, he has found some unusual results. He has extracted a subset of individual data to determine whether the data has been sufficiently “scrubbed” for use in this study. Although David did not request all of the specific data fields in the file extract, the programmer included claimant name, birth date, date of hire, salary, job title, injury type, and the claims adjuster status notes. David is facing a tight deadline and would like to take this data extract home over the weekend.
Is it okay for David to bring this data home?
David’s only obligation is to follow his employer’s security policy. Giant is aware that David often brings data home and has not expressed any concern. Giant does not have any specific security policies regarding the portability of data. Even so, David is very careful. He doesn’t e-mail data and keeps the files securely in his possession at all times. In addition, the data extract does not include social security numbers or credit card information and therefore is not subject to statutory regulation on storage or disposal.
David’s obligation is not only to his employer, but also to the public. The personal information could be used to obtain additional data items from other sources and the status notes could contain detailed medical information regarding maximum medical improvement and the physical and mental status of the claimant. A breach of this type of data has the potential to put Giant’s and David’s professional reputations at risk and may be assumed to breach statutes or regulations in some jurisdictions. Many states are proposing and passing laws around “personal data” handling and breaches of data. If the data extract contains claimant information from multiple states, the data security requirements likely vary. In particular, the definition of personal data may vary. To date, there is little case law that deals with protection of personal data.
David is aware of the sensitivity of the data. The public expects companies to keep their sensitive data confidential and actuaries have an obligation to do so under the Code of Professional Conduct. Precept 9 indicates that an actuary shall not disclose to another party any confidential information unless authorized to do so. Although a breach of this data would not be intentional on David’s part, Precept 1 requires actuaries to act honestly, with integrity and competence, and in a manner to fulfill the profession’s responsibility to the public and to uphold the reputation of the actuarial profession. In addition, annotation 1-1 specifies that an actuary’s work should be performed with skill and care.