Coverage for networks and data

(1)

Managing

Risk

Ventura

Santa Maria

Bakersfield

Salinas

CDI LIC.

0E52073, 0424313

www.twiw.com

Winter 2011 Risk Management

continued on next page

Data Loss: A Business Nightmare

C

overage for networks and data is sometimes called cyber insur-ance. It covers two broad areas: your own data and the data of cus-tomers, partners and clients that you interact with. In insurance terms — first-party and third-party coverages.

Protecting Your Data

Most property policies have coverage limits for computer hardware and exclude software and data. Insurance companies offer optional endorsements that increase hardware limits

and add coverage — usually with small sub-limits for:

Y Loss of software, programming and data caused by viruses.

Y Loss of income and extra expenses due to damaged hardware or software caused by viruses.

Y Loss of income due to viral attacks that overload computers and prevent normal business traffic.

Y Electronic fraud — reimbursement for money stolen through the computer.

It is important to work with your IT execu-tives to identify your company’s specific cyber risks. The next step is to analyze your current insurance program to understand which risks are covered and which may need additional protection. We are here to help.

Data Back-Up

Can you place a price tag on your data? Perhaps it’s priceless! After a major data loss, insurance may not be able to prevent you from losing customers and perhaps your good repu-tation. Insurance should not be your first line

As computers, network systems and the Internet have become integral to business, the insurance

indus-try has responded by excluding coverage for certain risks from standard policies, and then developing

endorsements and separate policies to cover various threats to software, data and networks. This

com-plicated, ever-changing picture makes it important to review your operations and your insurance

annu-ally to make sure your business is adequately protected.

(2)

Managing Risk • Winter 2011 Risk Management

of defense. It is crucial to have an IT security program that backs up your data and pro-tects your business.

Here are some basic requirements of an ongoing security plan:

Y Off-site data back-up.

Y Firewalls, anti-spam and anti-virus soft-ware. Many companies find that busi-ness stops when the computers go down. What happens when your data is lost or corrupted? Can insurance help get you back in business?

Y Controlled access to data through user permissions and separation of duties.

Y Documentation of each user’s access to applications and files.

Y Restricted access to data from outside

the company’s computer network.

Y Encrypted proprietary and personal data.

Y Controlled access to the physical build-ing and hard-copy files.

Third-Party Data

If you are an electrical contractor who causes an electrical surge that wipes out your customer’s data, your general liability (GL) policy should cover their data loss. However, if you inadvertently transmit a virus to your customer, your GL policy will not cover the loss. Your errors and omissions policy will probably not cover it either, unless it includes specific cyber liability language.

Cyber liability is a big issue in the insur-ance industry. As the Internet becomes a more important business channel, including social

media and cloud computing (storing and us-ing data on a vendor’s Web site), companies need to review their liability insurance. For instance, any company that has a Web site or uses social media is, in fact, a publisher that may need the protection of a media liability policy. Insurance companies are responding by developing new coverages and redefining existing ones.

Here are some key coverages. Y_{Privacy Liability: Covers losses from}

failing to protect personal information (i.e., Social Security numbers) and corpo-rate information, as well as costs to repair identity theft and to respond to regula-tory agencies.

Y_{Network Security Liability: Covers}

losses due to a failure in network secu-rity such as unauthorized access, virus transmission or destruction of software and data. May also cover business inter-ruption for third parties impacted by the network security failure.

Y_{Internet Media Liability: Covers the}

company’s Web content for infringement, defamation, plagiarism or negligence. May also include coverage for transmis-sion of viruses to your Web visitors. Cyber liability can be bought as a free-standing policy or as part of a professional liability policy. To learn more, please give us a call.

(3)

Managing Risk • Winter 2011 Property/Fidelity

T

he following action steps can help you spot employee theft and fraud earlier, and minimize op-portunities for theft:

1 Conduct background checks before mak-ing job offers. This might help you elimi-nate the worst candidates; however, most perpetrators of employee theft or fraud have no previous record.

2 Spell out your firm’s definition of fraud and theft. For example, some people think it’s okay to pad their expense

ac-counts; you have to tell them it isn’t. In-clude a statement that theft or fraud can lead to termination and criminal prosecu-tion.

3 Include your definition in employee handbooks and other communications as appropriate.

4 Discuss theft, fraud, their costs to the company and their consequences to em-ployees in new employee orientations and other employee trainings.

5 Keep a theft and fraud scorecard and publicize it to employees. For example, a

retail business might keep tabs on theft of cash or merchandise; a manufacturer might track missing inventory or sup-plies. A positive score (no losses) reflects well on your workforce, whereas a nega-tive score reflects badly.

6 Encourage employees to report suspected theft by protecting tipsters’ identity.

7 Install video cameras in storage rooms, equipment rooms and computer facili-ties.

8 Have a professional security agency re-view internal security measures.

Preventing Employee Theft

For the first time in 2010, businesses reported they were losing more money to theft of electronic

data than physical goods, said risk consultancy Kroll Inc. The company, which surveyed business

managers from around the world, also reported that most managers surveyed said that the fraud

was an “inside job” by the company’s own employees.

(4)

Managing Risk • Winter 2011 Property/Fidelity

9 Use “lock-out” options for computers and telephones to

10 Review your insurance coverage. Business property policies generally do not cover employee dishonesty; business package policies do, but may limit your coverage to only $25,000.

Checklist adapted from “Protecting the Company Against Theft and Fraud,” www. workforce.com

You Need Insurance… but What Kind?

In addition to a risk management plan, you need some kind of insurance coverage to protect your business from employee theft. Most commercial property policies exclude employee theft; however, you can buy op-tional crime coverage.

Commercial crime coverage is a type of fidelity bond. Fidelity bonds indemnify em-ployers for the loss of money or other prop-erty sustained through the dishonest acts of bonded individuals. Often called “honesty insurance,” bonds provide coverage for in-tentional acts of fraud, larceny, misappro-priation, forgery, embezzlement and other dishonest acts committed by a bonded em-ployee. The acts must also be intended to cause a loss to the employer and financially benefit the bonded person. The bonds are technically a form of surety, but are similar to an insurance policy in format and termi-nology.

Types of Crime Coverage

There are four major crime coverage forms available:

Y Form A, which covers employee dishon-esty

Y Form B, which covers forgery or altera-tion of documents

Y Form C, which covers theft, disappear-ance and destruction, and

Y Form D, which covers robbery and safe burglary.

Most businesses buying crime coverage will need one or more of these forms. Forms to cover more specialized exposures, such as items in hotel/innkeepers’ safe deposit box-es, also exist. The Insurance Services Office has packaged these forms into crime pack-ages for specific types of businesses. You can buy them as separate crime policies or attach them to your commercial package policy. Whatever you need coverage for, whether it’s money and securities, the contents of safes and more, the property of guests and lodg-ers, there’s probably a plan that meets your needs.

Most crime plans exclude coverage for crime or dishonest acts committed by the insured or any partner, seizure or destruc-tion of property by order of governmental authority, indirect or consequential loss, and legal expenses. Most plans cover only work-ers employed in the U.S., its territories and Canada.

What About Data Theft?

To be sure your crime coverage will pro-tect you for data theft, read your policy care-fully. A broadly drafted policy might provide coverage for electronic data, including data stolen by employees. Some insurance forms also extend coverage to certain computer contractors. We can help you review your op-erations and coverage to help you minimize exposures to employee theft. Please contact us for more information.

(5)

Managing Risk • Winter 2011 Workers’ Compensation

Employers’ Liability

Workers’ comp policies usually include a special

section for employers’ liability. What additional

coverage does it provide and why do you need it?

Y

our workers’ compensation policy covers the costs associated with an employee’s work-related injury or occupational disease. It pays for the worker’s medical costs, rehabilitation costs, lost wages and any settlement for per-manent disability.

The fundamental premise of workers’ comp is that employers agree to take respon-sibility for work-related injuries whether or not the injury was the employer’s fault. In return, employees give up their right to sue for damages. Workers’ comp is designed to be “no-fault” and the “exclusive remedy” for work-related illness and injury. Nonetheless, some related claims fall outside of work-ers’ comp coverage. The employwork-ers’ liability section of the workers’ comp policy adds cov-erage for these types of claims. Without this coverage, employers would have a significant coverage gap, because commercial general li-ability policies specifically exclude coverage for work-related injury and disease.

Employers’ liability is a common law or tort liability, and insurance companies handle those types of claims in the same way they adjust general liability claims, including

managing and paying for defense. Since states do not require employers’ liability insurance, you do not have it unless your workers’ com-pensation policy explicitly states it includes this coverage in a separate section.

Unlike workers’ comp, employers’ liabil-ity has a defined limit of liabilliabil-ity, starting at $100,000 per injury.

When Coverage Applies

Insurance authority IRMI cites several examples of when employers’ liability cover-age applies:

Y Wrongful death: The family of a de-ceased worker may file a common-law claim seeking damages in addition to the death benefit paid by workers’ comp.

Y Consequential bodily injury: A family member may file a lawsuit for his or her own injury (for instance, a heart attack) that was caused by learning about or deal-ing with the injured employee.

Y Loss of consortium: The spouse of an injured worker may sue for loss of con-sortium, which means the spouse has lost the services — such as sexual relations or

(6)

the ability to do household chores — of his or her spouse. Damages can be award-ed even if the spouse is receiving disabil-ity payments.

Y Third-party liability: If an employee is injured while using equipment that mal-functioned, he or she may sue the manu-facturer of the equipment for negligence. The manufacturer may in turn sue the employee’s company to recover damages. Depending on the specifics of the claim, either the employers’ liability or a general liability policy can provide coverage.

Y Employees excluded from workers’

comp: In some states, seasonal and tempo-rary workers can be excluded from workers’ comp. In other states some small employ-ers do not have to buy comp. In those situ-ations, an employers’ liability policy can provide protection from employee lawsuits for bodily injury and illness.

Monopolistic States

In states with monopolistic workers’ comp funds (North Dakota, Ohio, Washing-ton and Wyoming), employers need to pur-chase a separate employers’ liability policy. Organizations headquartered in other states but that have offices in these states need to buy an endorsement to their employers’ li-ability policy to avoid having a coverage gap for employees in those states.

Not Employment Practices Liability

Do not confuse employers’ liability with employment practices liability (EPL) insur-ance, which protects employers from em-ployee claims that their legal rights have been violated. EPL protects an organization when employees file claims for wrongful termina-tion, sexual harassment and discrimination. It does not cover bodily injury.

Some employers that have not bought EPL insurance attempt to use their employ-ers’ liability to provide coverage for EPL claims. However, in most cases the insur-ance does not apply. Even when states define workers’ comp “injury” to include mental injury, the broader, workers’ compensation definition does not necessarily transfer to the employers’ liability portion of the policy.

If you have any questions about your employers’ liability coverage — and how it complements your workers’ comp coverage — please give us a call.

(7)

Managing Risk • Winter 2011 Claims Management

What to Do When You Get a

“Reservation of Rights” Letter

Your organization has just been sued, and you’ve notified your

liability insurer as required by the policy. You think all’s taken care

of…when you receive a reservation of rights letter from the

in-surer. What does this mean, and what should you do?

I

n a liability lawsuit, the plaintiff of-ten makes several claims. The policy might cover some and exclude others. By sending you a reservation of rights letter, the insurer is telling you that it has doubts whether your policy covers some or all of the claims.

A liability policy obligates your insurer to pay for your legal defense costs in addition to any damages you might be legally obliged to pay for a covered claim. Most states recognize this “duty to defend” as fairly broad under a commercial general liability policy. If there is a possibility that coverage might apply, the insurer must provide your legal defense.

When an insurer receives a claim that might be covered only partially by its policy or not at all, it can do one of the following:

1 Refuse the duty to defend. If the in-surer does this and the court later finds that coverage applied, the insurer must reimburse your defense costs, along with settlement costs over which it had no control.

2 Investigate the claim and begin your legal defense. Insurers like to avoid this due to the principle of estoppel, which bars an in-dividual from “denying or alleging a certain fact…because of that individual’s previous conduct, allegation, or denial” to the detri-ment of another. (Black’s Law Dictionary) In other words, if your insurer begins investigat-ing or defendinvestigat-ing your claim, this could lead you to assume it will cover your claim.

3 File a declaratory action, in which the insurer asks the court to determine whether it is obligated to defend the claim. An insurer will seldom do this when it first receives notice of a claim.

4 Send the insured, by certified mail, a reservation of rights letter and proceed with its investigation. This allows the insurer to gather more facts before deciding whether to deny coverage, while preserving its right to do so. Thus, your insurer might defend your liability claim but later deny indemnification (or paying settlements or judgments) if its defense is unsuccessful.

(8)

Managing Risk • Winter 2011 Risk Management

Workers’ Comp

Attorneys Veronica M. Bates and Renee C. Callantine caution that different rules ap-ply, depending on location. “In many juris-dictions, the reservation of rights may allow the insurer to withdraw from the defense when there is no potential for coverage un-der the policy. The ROR letters allow insurers to decline indemnifying the insured for any portion of a judgment not covered under the policy.”

The liability policy also either explicitly or implicitly obligates you to cooperate with the insurer in its conduct of your defense. This allows the insurer to direct your legal defense, including giving it the right to settle. But investigations can also give it facts need-ed to deny you coverage. For these reasons, a

reservation of rights letter indicates a conflict between you and your insurer.

If you receive a reservation of rights letter, you will want to protect your coverage rights by doing the following:

1 Read the reservation of rights letter and the policy to which it applies carefully.

2 Respond to your insurer, saying that you disagree. The experts with the John Liner Review recommend asking the insurer to commit to coverage before it begins its investigation.

3 Arrange for your own counsel.

Some reservation of rights letters will state the insurer reserves the right to recoup

defense costs if the insurer does not owe a defense. Depending on the facts of the case and the jurisdiction, you could indeed be ob-ligated to reimburse your insurer for defense costs if it was later determined coverage did not apply.

In a straightforward claim, you have no cause to worry. A reputable insurer will provide a quality defense. It’s the gray areas, where coverage might or might not apply, that can cause potential conflicts. For this reason, we recommend thoroughly reviewing your liability coverage on a regular basis. A review can point out gaps in coverage, out-dated forms and language, and other prob-lems. For more information, please contact us.

The Factors That Determine Your Comp Costs

Although workers’ compensation seems complicated, only three factors affect your workers’

compen-sation costs: your rate, your employees’ job classifications and your experience modification factor.

H

ave you ever wondered how your insurer comes up with your workers’ compensation premium? Four factors come into play: your business classification, the rate for that classification, your employees’ remuneration and your experience modifica-tion factor.

Business Classifications

Your rate depends on the primary opera-tions of your business, or its classification. Workers’ compensation insurers group busi-nesses into different classifications based on the relative hazard they present. Some busi-nesses present more hazards than others. For example, roofers experience more frequent and more costly claims than administrative

(9)

assistants, so a roofing business would pay a higher rate than a sales organization.

To ensure you don’t pay too much for your workers’ compensation, check the clas-sification listed on your policy to make sure the insurer has appropriately categorized your business by primary operations. An incorrect classification can make a big difference!

Payroll

Your insurer will calculate your premium by multiplying the rate for your classification by total estimated annual payroll. This in-cludes your employees’ gross wages and other compensation, before withholding taxes or other deductions.

Rates

Workers’ compensation insurers show rates per $100 of payroll. In most states, rat-ing bureaus, which are independent organi-zations formed by or on behalf of insurers, help determine workers’ compensation rates. Rating bureaus collect data on claims and costs, including lost-time and medical costs, from member insurers. They then use this information to calculate rates insurers will need to charge to provide mandated benefits without losing money. They publish rates for hundreds of different job categories, shown as rate per $100 of payroll. These rates are based on the relative hazards of each classi-fication.

In some states, workers’ compensation insurers must use the published rates, so you will pay the same rate no matter which

in-surer you choose. In others, published rates are suggestions only, and individual insur-ers are free to charge more or less. As with anything else, however, beware rates that vary too much from the norm—if an insurer quotes you a rate that seems too good to be true, it might be!

Experience Modification Factor

If your business qualifies for more than a “minimum premium” policy, the insurer may apply an experience modification factor. The experience modification factor modifies your rate based on your claims experience. In doing so, it provides employers incentive to control their losses.

Insurance companies send information on employers’ premiums and losses to the applicable rating bureau, which then calcu-lates experience modifications based on paid claims and incurred losses for the “experience period,” generally three years prior to the last policy renewal date. The resulting experience modification factor generally ranges from .75 to 1.75. An experience modification of 1.00 indicates your losses reached the expected dollar amount. A number higher than 1.00 indicates that your risk of loss is greater than average, while an experience modification of less than 1.00 indicates your risk is better than average.

If you meet the minimum premium lev-els, keeping your experience modification low can reduce your workers’ compensa-tion premiums. The most important step in keeping experience modifications low is to

reduce your workers’ compensation claims. Focus on controlling the smaller, more fre-quent losses--they will impact your experi-ence modifications more than less frequent, larger losses.

Next, you’ll want to periodically review your payroll and claims information for ac-curacy. Make sure your payroll data is accu-rate and your experience modification calcu-lations include data from the proper years. And keep tabs on loss reserves--unused loss reserves affect your experience modification. If you are interested in learning more about how your premiums are calculated, we can review your policy and claims history with you. We can also help you develop loss reduction strategies to keep your costs under control. For more information, please call our office.