The cost of a data breach
Consider this hypothetical situation:You finish your day at work and pack up your things to leave, taking your laptop with you so you can get some work done at home. On your way home, you stop by the grocery store.You make your purchases and return to the parking lot, and what you discover there makes your stomach turn over:Your car has been broken into.
When you look inside, you realize your laptop is missing.Your first thought is about how much that laptop will cost to be replaced. A thousand dollars? Maybe. But that's not the real cost of the theft.Your laptop contains personally identifiable information for your customers.
Your company has just experienced a data breach.
While most insurance professionals and insureds know there is insurance available to protect an organization facing this scenario, many still underestimate its value and the need for the product. The cost of replacing the laptop is inconsequential when compared to the exposure created by its loss. The data on the laptop is not covered by a property policy, and the liability from losing the data is also not a covered peril. A general liability policy would only provide coverage if there is bodily injury or property damage as a result of the loss of the laptop.
Severity Of A Loss
The Ponemon Institute’s “Cost of a Data Breach” study is published annually and illustrates how costly a breach can be. In the recently published edition, which summarizes the 2010 data, the study shows that the average data breach costs $7.2 million, and the average expense per compromised record is $214. The survey tracked expenses for data breaches ranging from 1,000 to 100,000 records. The least expensive breach cost a company $780,000 and the most expensive was $35.3 million. The average shown in the study does not include mega breaches such as Heartland Payment Systems (130 million records), TJX (94 million records) or TRW/Sears (90 million records), which would have pulled up the average dramatically. It is important to note within the study that $141 of the $214 per-record expense is made up of what the study calls “indirect costs,” such as the loss of customers who stop doing business with the company after learning of the breach, and the costs associated with advertising and public relations efforts to repair the company’s reputation. Notification, credit monitoring, forensics and other expenses make up the balance.
The potential expense from compromised data is large, but not as costly as pretending that it never happened and hoping no one figures it out. 46 out of 50 states have notification requirements following a data breach, and many have significant penalties based on the number of days a firm waits to report a data breach. For example, the State of Connecticut fined HealthNet $250,000 because the company waited six months to report a data breach that impacted 1.5 million individuals. The breach was a result of the loss of a portable hard drive. It’s important to note that the fines and penalties can be levied well in advance of the lost data actually causing harm. The mere potential exposure is enough to draw the attention of regulators. HealthNet, for example, was also ordered to establish a $500,000 contingency fund in case the data was later found to be accessed and used against residents of Connecticut.
The issue of punitive damages has become significant for maritime employers with employees working on maritime vessels since the June 2009 United States Supreme Court ruling in Atlantic Sounding Co. v. Townsend that made punitive damages allowable under Maintenance & Cure. In late 2010, a $25,000,000 verdict was issued in Doe v. Maersk Line Ltd., a case involving punitive damages. As one of the largest verdicts in the United States last year, it points to stormy times for maritime employers. Seemingly small mistakes in handling vessel crew injury claims can now lead to extremely costly punitive damages to your client. A punitive damage verdict could put your client out of business in a short period of time. Care must be taken to advise your clients of these developments as punitive damages typically are not covered under Protection and Indemnity (P&I) or Maritime Employers Liability (MEL) policies.
Maritime Employer's Liability for crew injuries can be covered under a Protection and Indemnity policy written for a maritime vessel or on a mono-line basis under a Maritime Employer's Liability policy. Maritime Employer's Liability insurance is the most comprehensive on-the-job injury coverage available in the U.S. Unlike other forms of workers’ compensation, Maritime Employer's Liability allows injured seamen to sue their employer for their injuries, with no limit on amounts recoverable. Claims are either settled through agreement or in court, and the courts generally favor the seaman. There are five key remedies under general maritime law that a Maritime Employer's Liability policy covers. Maintenance & Cure is the first of these remedies to be used when a crew injury occurs and where punitive damages come into play.
Maintenance & Cure is an ancient right of a seaman. Found in use over 1,000 years ago, it was codified into U.S. general maritime law in 1823. Maintenance & Cure pays for transportation back to home, wages, medical bills and a daily stipend to injured crewmembers in the service of a maritime vessel. The above cited Doe v. Maersk Line Ltd. case has very peculiar circumstances and reportedly no witnesses. It involved a seaman who reportedly became intoxicated and was injured while on shore leave. Authorities brought the drunk seaman back to the vessel and took him to the captain, who sent the seamen to his bunk to sleep it off. The injured seaman claims to have asked for medical attention and was turned down by the captain. Not providing medical attention for the injured seaman resulted in the $25,000,000 verdict.
To make matters worse, the BP Macondo well blowout in April 2010 has resulted in a number of injury/death cases suing for punitive damages under some of the other four key remedies covered under the Maritime Employers Liability policy. These are:
Competitive Options Exist for Your Client Despite Market Shifts
Mortgage impairment insurance is a policy purchased by financial institutions to protect their financial interests on property owned by borrowers. Home and business owners are required to carry first-party insurance on the mortgaged property to protect their own interests, but what if they don’t buy enough to cover their loan balance or don’t buy the proper coverage? This insurance policy is secondary to the owner’s own policy and protects only the interest of the financial institution. Since the financial institution cannot be certain that every homeowner and business owner will maintain the proper insurance, they run the risk of having the collateral behind their loan impaired by an uninsured calamity. The policy can also cover a broader range of perils including flood, wave wash, collapse or subsidence and earthquake that might not be insured on the borrower’s own policy. A variety of options are available, and limits available can be substantial. The policy is usually written subject to a deductible. The examples of perils on the following page will help illustrate how this coverage can be beneficial to lenders.
While mortgage impairment insurance was standard in the past, the state of the financial industry in general (and subprime loans specifically) has resulted in carriers increasingly withdrawing from the market. Although the exposure is still real, pricing and availability have impacted demand for the coverage. If any of your clients or prospects lend money to property owners, they should be encouraged to research mortgage impairment coverage.
Examples of events that could be covered by a mortgage impairment insurance policy:
Over the last two years, new technology has made unconventional drilling a viable, cost-effective way to extract oil and gas from shale. This new technology is based on advanced horizontal drilling techniques that enable pinpoint accuracy combined with complex multi-stage hydraulic fracturing (“fracking”) techniques over significant distances horizontally. This shift has resulted in new insurance issues that often go unaddressed.
The new fracking technology has advanced to 40-stage fracking operations on 10,000-foot horizontal laterals. This game-changing technology and its impressive results have led to a re-evaluation of the oil and gas resources available in the United States. A Congressional Research Service report released on March 25 of this year indicates that the United States now has the largest hydrocarbon resources in the world.1
Drilling activity is up, and the use of this new technology is now common.
This shift to unconventional drilling and heavy multi-stage fracking has created new insurance issues for the industry:
- Increase in blowouts during the completion/fracking stage.
- Increase in blowouts involving communication between multiple wells.
- Increase in blowouts caused by casing/cementing failure.
- Increase in blowouts caused by surface events.
In addition to these blowout trends, we are seeing:
- An increase in blowouts involving producing wells.
- An increase in blowouts involving plugged and abandoned wells.
Occurrence Versus Claims Made Coverage
Insurance written on an occurrence form provides coverage for events or wrongful acts solely occurring during the policy period. The claim from the wrongful act can be brought in the future after the policy expires and still have coverage respond. For example, if you buy an auto policy that is valid for one year, then it will cover an accident that happens during that one-year period, even if a lawsuit isn’t filed until after the policy has already expired. On the other hand, coverage is triggered for a claims-made insurance policy only when a claim is first reported during the policy period, even if the injury actually occurred prior to the inception date of the insurance policy. Conversely, if the injury occurs during the policy period and a claim isn’t reported until after the policy has expired, then the policy will not provide coverage. Management liability and professional liability policies are typically on claims-made forms. The common exceptions are media liability and health care professional liability, which tend to be on occurrence forms.
What Is A "Retroactive Date"?
Claims-made policies also often contain a retroactive date that specifies the earliest point in time for which the insurance will provide coverage. The coverage applies to actual or alleged wrongful acts from the retroactive date forward. Only injuries or wrongful acts occurring after the retroactive date will be covered by a claims-made policy.
What Is A "Continuity Date"?
This is synonymously called the “prior and pending litigation date.” Similar to a retroactive date, this feature sets a date in time for prior or active litigation but not wrongful acts. This clause will state that any litigation of any type that initiated prior to the continuity date will not be covered, even if the allegations were not part of a potentially covered claim. Many claims can evolve from one type to another. For example, a pollution event could harm the value of a corporation and evolve into a Directors & Officers Liability claim, or a Privacy Litigation claim could evolve into a Directors and Officers Liability claim. This date is typically set as the date the named insured first bought a type of insurance policy. When moving coverage from one insurer to another, it is critical to maintain your continuity date.
What Is A "Claim"?
Often a claims-made policy will define the term “claim” quite broadly to include much more than just a lawsuit. Many policies define “claim” to include written demands for damages as well as proceedings such as arbitration, administrative (such as those brought by the SEC or EEOC), regulatory, mediation and civil proceedings. The language of each particular policy will govern what constitutes a claim. If you receive a demand or threat of any kind, however, and are unsure what to do, then contact your insurance agent or your insurance company promptly.
This year, several new laws directly impact existing Employee Handbooks and employer procedures. Here is a summary of the most significant changes:
AB 22 Severely Limits Credit Checks of Applicants or Employees
Employers (with the exception of certain financial institutions) are prohibited from obtaining or relying on credit reports for applicants and employees, unless the report is sought in relation to one of eight exceptions. Relevant exceptions include: (1) a managerial position (defined as a position that qualifies for the executive exemption from overtime); (2) a position for which credit information is required by law to be disclosed or obtained; (3) a position that involves regular access (other than in connection with routine solicitation of credit card applications in a retail establishment) to people’s bank or credit card account information, social security number, and date of birth; (4) a position in which the employee would be a named signatory on the employer’s bank or credit card account, authorized to transfer money on behalf of the employer, or authorized to enter into financial contracts on behalf of the employer; (5) a position that involves regular access to cash totaling $10,000 or more of the employer, a customer, or client during the workday; or (6) a position that involves access to confidential or proprietary information (defined as a legal “trade secret” under Civil Code §3426.1(d)). Employers will be required to provide employees or applicants with a disclosure statement with the specific basis permitting the employer to obtain a credit report. You must provide a box for the applicant or employee to check off to request a copy of the report, and then provide it free of charge when you first receive the report. If employment is denied based on information in a credit report, the employer must advise the applicant or employee and provide the name and address of the credit reporting agency.
SB 459 Imposes Stiff Penalties for Willful Misclassification of Employees as Independent Contractors
The law defines “willful” as “voluntarily and knowingly misclassifying” an individual and makes it unlawful for an employer to charge an individual who has been willfully misclassified any fees or other deductions from compensation if those fees and deductions (e.g. for licenses, space rental, equipment) would have been prohibited had the individual been properly classified as an employee. Penalties may be assessed in the range of $5,000 to $25,000 per violation. Additionally, an employer in violation may be ordered to display prominently on its Internet web site (or other area accessible to employees and the general public) a notice that explains the employer has been found guilty of committing a serious violation of the law by willfully misclassifying employees. The new law also imposes liability on individuals who, for money or other valuable consideration, knowingly advise an employer to treat an individual as an independent contractor to avoid employee status. Excepted from liability are employees who provide advice to their employer (e.g., HR staff), and licensed attorneys providing legal advice to the employer. Management consultants and brokers are at risk for independent liability.
AB 469 Requires Employers to Provide New Hires With Notice of Pay Details
The details include (1) the pay rate and the basis, whether hourly, salary, commission or otherwise, as well as any overtime rate, (2) allowances, if any, claimed as part of the minimum wage, including meals or lodging, (3) the regular payday, (4) the name of the employer, including any “doing business as” names used by the employer; (5) the physical address and telephone number of the employer’s main office or principal place of business, and a mailing address if different, and (6) the name, address and telephone number of the employer’s workers’ compensation carrier. The employer must notify each employee in writing of any changes to the information set forth in the notice within 7 days of the changes, unless such changes are elsewhere reflected on a timely wage statement or other writing required by law to be provided.
This is the eleventh and final article in an 11-part series on Owner Controlled Insurance Programs. Preceding articles in this series can be found herePart 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, Part 9, and Part 10.
Presentation Of Liability Claims Under An Owner Controlled Insurance Program.
The preceding portions of this series outline the analysis of liability claims under an Owner Controlled Insurance Program, but principally from the perspective of the insurance carrier. There are ways that insureds and claimants can present claims under an Owner Controlled Insurance Program that will speed the resolution process and avoid gridlock.
The claimant that has incurred a loss should remember "point of view” in the presentation of a claim. Since an owner controlled insurance program is, in effect, a liability policy insuring each and every contractor, the tendering party should bear in mind that the insurance company must set up a claim file to protect the rights of its "insured.” To the extent that privileged materials are obtained which could benefit that "insured” in subsequent litigation with any third party, the insurance carrier has to protect those rights and privileges against disclosure to third persons. In Soltani-Rastegar vs. Superior Court (1989) 208 Cal.App.3d 424, the court recognized that the statements made to the insurance carrier by an insured are privileged and within the work-product and "attorney-client privilege” of that insured.
Therefore, if the tendering party recognizes that the insurer must maintain those rights and protect those privileges, it can assist the process by clarifying against whom the claim is being presented. Since each insured must be treated separately, it may receive multiple positions from the same insurance company with regard to coverage under the policy. For example, the sponsor of the program may get a denial of coverage as to their claim that they made repairs to a work site as a result of an onsite accident. It could then receive an acceptance of liability on behalf of a subcontractor.
Given the difference in coverage limitations that apply to different enrollees of an Owner Controlled Insurance Program, a detailed factual record is critical for the insurer to understand the liability and coverage. Only where there is liability of an "insured/enrolled contractor,” the claim against that enrolled contractor is covered by the policy, will there be any indemnity paid. Therefore, the insurance carrier will need to be able to address the following questions:
A Tale of Three Allmans
A jovial devoted single father; a church-going, sharp-dressing author and entrepreneur; a former golden gloves boxer committed to regular workouts; an avid gun collector.
A poor performer with absenteeism issues; an unsafe truck driver; a perceived victim of racism.
A mass murderer; a hijacker; a fugitive; a decedent.
Each profile of the man, so different from the other. What happened in his life that brought him to a point where he could commit such horrific acts of violence, leaving three co-workers dead and seven others wounded? I will leave that question to be answered by the many experts who will analyze his upbringing, adult life, and all the events that transpired in between, in an effort to understand and make sense of such a heinous crime.
What I will comment on, however, is the importance of knowing the warning signs which, if recognized and acted upon, may have averted the bloodbath and loss of life; the importance of having a culture in the workplace that makes employees feel safe to report fears and concerns about their co-workers; and finally the steps employers need to take to make sure they provide a safe workplace for their employees.
Cupertino Gunman — History
Mr. Allman had a long career at Lehigh Hanson's Permanente Cement Plant. Fifteen years. We don’t know much yet about his early work history, but I am going to make an assumption, based on the many accounts of his co-workers regarding his unsafe driving record, numerous accidents and regular absenteeism, that such behavior did not constitute a long standing pattern of conduct.
I don’t believe it would have been tolerated for long by his employer. Something was changing in the life of Mr. Allman. These behaviors are compounded by the regular complaints and comments he made to friends, neighbors, and co-workers — that he is being discriminated against, due to his race. He was the only African American driver at the plant.
Two weeks before the shootings, Mr. Allman refused to be photographed with his "back stabbing" co-workers.
One week before the shooting, his union shop steward told him he would no longer represent him to management based on his numerous driving accidents.
Five daysbefore the shooting, a Friday, he was suspended for an accident where he struck power lines with his vehicle, and expressed to a union officer that he "didn’t feel the punishment fit the crime."
Four days before, Saturday, he visited a friend, who referred to Allman as "Uncle," and told the friend that he had just purchased an AK47 assault rifle. While this purchase would not be unusual for an avid gun collector, when asked "Why?" he replied, "There's some racist people at my job. They're messing with me."
On Monday, two days before the shootings, a meeting was held with management regarding Allman's unsafe driving record and the complaints by fellow workers — that they "...don’t feel safe and are tired of management taking no action."
This is the tenth article in an 11-part series on Owner Controlled Insurance Programs. Preceding and subsequent articles in this series can be found here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, Part 9, and Part 11.
Particular Challenges Of Owner Controlled Insurance Program Claims (continued)
Contractors Partially Enrolled
In residential construction, wrap-up policies that cover all of the builders' projects under construction are becoming increasingly popular. These are sometimes referred to as "rolling wraps,” since they "roll” from one project to the next. Individual contractors and subcontractors enrolled in the home builders' wrap-up plan for work pursuant to a specific subcontract or project. The difficulty can occur when a rolling wrap is created while projects are ongoing.
Imagine, for example, a multi-phased development project that takes several years to complete. The project begins at a time when the builder has a traditional risk management structure, including the requirement for additional insured endorsements and indemnity agreements running in its favor from each of the contractors performing work. Midway through the project, the builder changes its liability program to a "rolling wrap,” which then insures all of the contractors on the job site. The change in programs does not pose particular difficulties with regard to operations claims; however, completed operations are a different matter.
In the typical construction defect claim, a group of homeowners will band together to file a single lawsuit against the developer. The homes in litigation can be from all phases of the development. Therefore, there can be homes at issue in the litigation that were developed under the traditional insurance program and claims completed under the rolling wrap. This presents ethical and administrative problems that need to be addressed early in the resolution process.
Under a rolling wrap-up, the builder as well as all of the contractors are "insureds” under the program. Most states follow the rule that the carrier may not satisfy a loss and sue its insured in subrogation to recover (e.g., Affilitated FM Insurance Co. vs. Patriot Fire Protection, Inc. (2004) 120 WN App. 1039, 2004, Wash.App.Lexis 340.) Thus, the homes insured under the wrap, the carrier could not satisfy the loss on behalf of the builder and then pursue recovery from the contractors insured under the same policy.
This is the ninth article in an 11-part series on Owner Controlled Insurance Programs. Preceding and subsequent articles in this series can be found here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, Part 10, and Part 11.
Particular Challenges Of Owner Controlled Insurance Program Claims (continued)
Contractual Disputes and Mechanics Liens
Liability insurance is designed to cover damage caused by the defective work or negligence of an insured contractor; it does not become involved when the only dispute concerns completion of work and payment for work. In Owner Controlled Insurance Programs, the distinction between a liability insurance claim and a contractual claim often becomes blurred or obliterated when the claimed basis for nonpayment is defective work that may be partially covered by insurance. The scenario is usually presented by a suit to enforce a mechanics lien by the subcontractor, which is answered by the claim that, as a result of defective and/or incomplete work, the contractor's lien is offset to some degree. There are a number of specific issues to consider.
First, assume that the property owner chooses to answer the complaint and raise, as an affirmative defense, that the contractor is not entitled to the full amount of the lien because of defective work. The assertion of an affirmative defense is not recognized as a claim for damage against the insured contractor, which the insurance company would have to defend. The owner, who is likely the sponsor of the insurance program, may not want to trigger coverage, because in many programs the sponsor is responsible for a sizable retention. In many instances the contractor's liability for the deductible is set by contract at a much smaller amount. Thus, because of the way an owner chooses to proceed, the insured contractor may be left with no assistance with the legal expense or payment of damage.
Second, if there is an answer only, there is no separate pleading seeking damage such as a third-party complaint, which would make the presentation of evidence logical (first, claim for money under the contract; second, offsets for construction defects; third, defense to construction defect claims). Therefore, dividing the responsibilities between liability defense counsel and the insured's mechanics lien attorney is more expensive and critical. In many instances, it is in the insured's interest to allow the insurance company to participate in defeating construction defect claims, given their experience in litigating and trying such claims.