In meetings with employers who have a history of high workers’ compensation claims costs and related expenses, we hear a common story: “The insurance adviser does not to take an active role on the problem. The adviser provides little or no supervision of the claims process. Nor are the true costs of each claim incident evident to the employer.”

These employers tell us that they rely solely on the insurance company claims adjuster’s process and the recommended insurance carrier medical clinic treatment protocol. There seems to be no one enhancing communications with the injured employee.

This communication void can lead to misunderstandings and a lack of trust and cause injured employees to seek legal representation. The result can be higher claims costs and delays in closing claims.

In most of these situations, the insurance adviser goes through an annual exercise to obtain rate quotations in an attempt to “control employer costs.”  But the quoting process fails to help the employer understand the costs of each claim. Nor does the process inform employers how to lower costs.

Some time ago, Dave Smith, a safety consultant in Lafayette, Calif., shared a comprehensive list of items and costs that affect employers when a work-related injury or illness occurs. I've attached a copy of Dave’s creation that I share with employers.   

In our experience, this guide helps employers rethink the claims management process and their experience with their insurance adviser. The guide helps employers come to the conclusion that they must make some changes to achieve better financial outcomes.

Cost transparency helps an employer to understand where the costs are coming from. Employers will also be better able to see if they truly have a valuable insurance adviser or if the adviser's process is just too costly.

Many employers seem to forget that it is their money at work in workers' comp claims and that they must be involved in all aspects of their workers’ comp insurance and risk management program.

Remember that the expenses listed in this chart are all in addition to the increase in future workers' comp premiums that come because of the change in the employer’s experience modification factor.

I had the pleasure of attending a conference on analytics recently. It felt like a religious experience. As each speaker announced a new capability or widget, there was a respectful round of applause from the audience, many of whom, it must be said, work in the back offices of their organizations and probably aren’t allowed out in public very often.

My colleague, who is older and possibly wiser than me from time to time, whispered in my ear that it looked to him very much like a church gathering. The speakers were talking to the "believers" – those who had already got the analytics message and were looking for better ways to implement their insight. And what we had stumbled on wasn’t in fact an analytics conference, but rather a Church of Analytics.

It’s an interesting viewpoint. Isn’t the use of analytics in insurance – and indeed any industry – as much a matter of belief as of technology? A belief that the insurance industry is far too complex to be managed on intuition alone, that data-based insights are increasingly critical. ROIs are important for analytics, of course, but it’s as if you have to take that emotional leap of faith before signing up.

In fact, I’m sensing that organizations are making emotional decisions, then looking for an ROI calculation to justify their decision.

Oddly enough, when I first came into insurance a few decades ago, we used information to support decisions we had already made. If you look hard enough in the data, you can usually find that it supports even poor decisions. I hope that we’ve moved on a bit and now use insight to help organizations make good decisions, not validate poor ones.

What’s this got to do with beauty contests? It’s a brave (or stupid) man who offers an opinion on such a contentious topic, but the point I want to make is that there are those who still measure the quality of analytics by the quality of dashboards and reports. Effective use of analytics is much more than a pretty visualization, in the same way that judges at Miss World are now encouraged to think with a new perspective, about "beauty with a purpose." Check out their site http://www.missworld.com/BeautywithPurpose/, which talks about supporting leprosy and autism projects and daycare units for the disabled.

Good visualization effects are important and help improve user consumption – but effective use of analytics means much more just than a pretty dashboard. It’s the ability to gain better business understanding, support (or create) business strategy and manage progress. As with Miss World, the beauty of analytics is more than skin deep.

The experts guaranteed that the Baylor and Alabama football teams would win their bowl games after the 2013 season. Both lost. Baylor was favored by a whopping 17 points over Central Florida but lost by 10, while Alabama was favored by 15 over Oklahoma but got crunched by 14. 

Likewise, for decades, the “experts” have been betting against independent insurance agents, yet agents keep winning. Why? The consultants, finance guys and others who populate the skyscrapers on Wall Street discount the power of the local trusted insurance agent who does business on Main Street.

That’s not to say that the recent report from McKinsey on the future of property/casualty insurance agents should be discounted. It raises some very good points about how insurance agents need to evolve to continue to be the distribution channel of choice in the insurance industry.

McKinsey got some things right, some wrong. Let’s start with the latter.

What McKinsey got wrong

-- The agent’s role hasn’t changed.

Automation has reduced independent agents' role in underwriting and processing, so insurance companies perceive agents are doing less and should get less commission. But the agent’s role has not changed. The client still needs a local, trusted adviser to explain and recommend the proper insurance coverage. Today, that role is valued even more, with trust in big corporations and the government at all-time lows. Cost-cutting is the easy way to increase short-term profits, and the biggest cost for most insurers is commissions. The McKinsey report gives a short-sighted insurance company executive a reason to lower commissions, but companies that reduce commissions will be following a “fool’s gold” strategy producing short-term gains at the expense of the long-term viability of their agent-based distribution.

-- Brand awareness doesn’t translate into customer loyalty.

A talking gecko, the discount double-check, Flo, Mayhem or Farmers University don’t build customer loyalty. They do build customer awareness, so the big insurance companies spend hundreds of millions of dollars on ad campaigns. But being top of mind doesn’t mean the customer will have any loyalty to the company. You can’t create a relationship with a person through advertising. People create relationships--for example, with someone whose son or daughter plays on the same soccer team and attends the same school as the agent's children. The opportunity to establish a relationship is unique to the agency distribution channel. It takes time and effort, but once established the relationship creates strong customer loyalty. That’s why you never see any studies from big consulting firms that ask people whom they trust more – their local agent or the insurance company We all know the answer.

-- Independent agents will gain market share as auto insurance becomes commoditized.

I agree with McKinsey that some parts of the auto insurance market are becoming commoditized but disagree with the conclusion that this will hurt independent agents. Because they can offer multiple carriers, independents will still get the sale. They will just place the business with the best-priced carrier. The big losers will be the captive distribution companies, which will be unable to offer their clients choice.

--A multi-channel distribution strategy ends up cannibalizing agent-based distribution. McKinsey argues that insurance companies must balance their investments among multiple distribution platforms. It sounds reasonable, but in reality it means a company must reduce the amount of money it commits to its agency distribution channel to reallocate its resources to contact centers, web portals, advertising and other costs of building a direct consumer platform. Companies that follow this strategy will discover that they traded valuable multi-line customers for single-product consumers with no company loyalty.

Where McKinsey got it right

-- Agents must evolve in the way they attract and retain their customers.

Absolutely! The cost of technology is dropping so fast that small and mid-sized agencies can now use tools like social media and data analytics that only large companies could afford a few years ago. Local agents need to be able to engage with their customers in real time. That requires they have a digital media and mobile-compatible platform as well as a social media capability to engage with clients and prospects.

-- Agents must be seen as able to handle all of a client’s insurance needs. Product peddlers won’t survive. Agents have to be able to demonstrate the value they add by virtue of their expertise and that their advice can be trusted.

-- Agents must understand the customers they are targeting and stay focused on that segment. One size no longer fits all in today’s insurance market. Independent agents need to understand their target market, the attributes of profitable customers, and how to reach and serve them. Just like the big insurance companies use advertising to create a top-of-mind brand, agents today must become top of mind with their customer segment.

Today, we live in a world that is moving so fast and becoming so much more complicated that people need someone they can trust—and work with conveniently when and where they want. Current trends in the insurance marketplace bode well for the local, trusted, independent adviser who represents the interests of her clients. The McKinsey report supports that conclusion.

With just months to go until the year-end 2014 expiration of the government-backed Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), the debate between industry and government over terrorism risk is intensifying.

The discussion comes in a year that marks the one-year anniversary of the Boston Marathon bombing—the first successful terrorist attack on U.S. soil in more than a decade. The April 15, 2013, attack left three dead and 264 injured.

Industry data shows that the proportion of businesses buying property terrorism insurance (the take-up rate for terrorism coverage) has increased since the enactment of the Terrorism Risk Insurance Act (TRIA) in 2002, and for the last five years has held steady at around 60% as businesses across the U.S. have had the opportunity to purchase terrorism coverage, usually at a reasonable cost.

However, should TRIPRA not be extended, brokers have warned that the availability of terrorism insurance would be greatly reduced in areas of the U.S. that have the most need for coverage, such as central business districts. Uncertainty around TRIPRA’s future is already creating capacity and pricing issues for insurance buyers in early 2014, reports suggest.

New Aon data show that retail and transportation sectors face the highest risk of terrorist attack in 2014. Both sectors were significantly affected in 2013, as highlighted by the Sept. 21, 2013, attack by gunmen on the upscale Westgate shopping mall in Nairobi, Kenya, as well as the Boston bombing.

The vulnerability of the energy sector to a potential terrorist attack has also been highlighted following an April 2013 assault on a California power station when snipers took down 17 transformers at the Silicon Valley plant.

The Boston Marathon attack—twin explosions of pressure cooker bombs occurring within 12 seconds of each other in the Back Bay downtown area—adds to a growing list of international terrorism incidents that have occurred since the terrorist attack of Sept. 11, 2001, and highlights the continuing terrorism threat in the U.S. and abroad.

Following 9/11, the 2002 Bali bombings, the 2004 Russian aircraft and Madrid train bombings, the London transportation bombings of 2005 and the Mumbai attacks of 2008 all had a profound influence on the 2001 to 2010 decade. Then came 2011, a landmark year, which simultaneously saw the death of al-Qaida founder Osama bin Laden and the 10-year anniversary of the Sept. 11 attacks.

While the loss of bin Laden and other key al-Qaida figures put the network on a path of decline that is difficult to reverse, the State Department warned that al-Qaida, its affiliates and adherents remained adaptable and resilient and constitute “an enduring and serious threat to our national security.”

A recently published RAND study finds that terrorism remains a real—albeit uncertain—national security threat, with the most likely scenarios involving arson or explosives being used to damage property or conventional explosives or firearms used to kill and injure civilians.

The Boston bombing serves as an important reminder that countries also face homegrown terrorist threats from radical individuals who may be inspired by al-Qaida and others, but have little or no actual connection to known militant groups.

In a recent briefing, catastrophe modeler RMS assesses that the U.S. terrorist threat will increasingly come predominantly from such homegrown extremists, who because of the highly decentralized structure of such “groups,” are difficult to identify and apprehend.

Until the Boston bombing, many of these potential attacks had been thwarted, such as the 2010 attempted car bomb attack in New York City’s Times Square and the attempt by Najibullah Zazi to bomb the New York subway system.

Other thwarted attacks against passenger and cargo aircraft indicate the continuing risk to aviation infrastructure. The investigation into the March 7, 2014, disappearance of Malaysia Airlines flight 370 over the South China Sea aircraft with 239 passengers has raised many concerns over the vulnerability of aircraft to terrorism.

When I started defending workers’ comp claims 25 years ago, I learned very quickly what carriers and employers wanted from me—because adjusters would tell me every day about what they DIDN’T like about other defense attorneys. Seeing an opportunity, I made sure I did the OPPOSITE of the complaints.

To paraphrase Rod Serling, I am submitting for your approval six things I learned during those formative years that I believe insurance carriers and self-insured employers are looking for in defense counsel.

Independent thought

Workers’ compensation defense attorneys often simply inform clients that the going rate for a standard-type of injury is this or that. While the client certainly needs to know the going rate, that cannot be where the analysis ends. When I represented TWA years ago, the claims manager told me: "Brad, I can hire trained monkeys to tell me to pay the going rate for standard types of injuries. I pay you to do better than that."

I define independent thought to be analysis on not only whether a claim is compensable but also on strategies to resolve the claim more favorably than simply paying the going rate. This means laying out a game plan that includes all necessary steps. It doesn't always work, but I know clients appreciate this analysis on the front end of a claim.

Zealous advocacy

When the vast majority of claims are compensable, defense attorneys (like insurance adjusters) can easily develop the "process and pay" mentality. I define this as simply looking at what it will cost to pay the claim and taking the fastest steps necessary to close the file and move on.

Even on compensable claims, I have found that clients are always happy to also receive (and even expect) a game plan for asserting possible defenses. To promote its $1 Dollar Menu a few years ago, McDonald's had a billboard that said: "$1 Legal Advice -- Plead Guilty." When I hear of a defense attorney simply saying: "Claim is compensable, pay this amount," I always think this is the workers’ comp equivalent of "Plead Guilty." Even if the employer should pay, the client wants zealous advocacy from the defense attorney on how to best reach the goal.

Regular, substantive communication

This may be the most important piece. It can be broken down into two parts - - regular communication and substantive communication.

I've had a plethora of adjusters over the years tell me war stories about their prior counsel, who would never....ever...do anything on claims. One adjuster told me: "All I ever heard from that attorney was the sound of crickets." The defense attorney who does this not only violates the ethical duty to keep his or her client properly informed, but is also an attorney who is dealing with a future ex-client.

Employers and carriers also want substantive updates that demonstrate how the attorney is best representing the employer. Communications, whether by letters or through now-common emails, should always encapsulate where the parties are on a claim and where the defense attorney intends to take it. Letters or emails from the defense attorney that say nothing more than "Look at all of the creative ways I have billed your file this month" is NOT what employers and carriers want.

Understanding what constitutes a win

One common complaint about workers’ comp defense is, “The employer almost always loses.” That raises the question: Just what is a win, and what is a loss?

I try to resist watching legal shows on television because, even when such shows are deliciously complex, the outcome of almost every legal proceeding is either guilty or innocent. If a civil court is involved, almost every verdict is for millions of dollars or nothing even though, in reality, almost everything is resolved within the nebulous middle ground. I guess that’s why it’s called fiction.

In workers’ compensation claims, the vast majority are going to be found compensable by the state division of workers' compensation. But, to borrow some analysis from Monopoly, we’re not faced with a choice between Baltic Avenue or Boardwalk with hotels. Rather, we are more often than not fighting over whether we can buy Pacific Avenue for the price of St. Charles Place.

Because the vast majority of claims are settled, I often wonder if the client views the settlement as a win or a loss. Over the years, I have seen carriers and employers examine the relative value of a settlement by looking through the lens of the following criteria:

• Is the settlement fair in light of the evidence available and the applicable jurisdiction?  (e.g., Illinois claims settle for far more than Missouri claims even if the injuries are identical.)
• Was the claim resolved within the established reserves?
• Were the defenses that were raised truly sufficient to obtain a non-compensable award or were they only good enough to use for settlement negotiations?

Creative attempts at problem-solving

All carriers and employers know that most claims are compensable. Rarely have I had clients who expected an award of “not compensable” on every claim or even on most claims.

But most clients expect the defense attorney to at least examine all potential defenses to evaluate how the assertion of such defenses might affect the value of the claim. 

Despite the lofty views that most attorneys have of our profession, most of our jobs can often be distilled down to this concept: We help our clients avoid obstacles. While this is self-evident in criminal law (obstacle -- the state wants to put client in prison), such analysis is rarely applied to workers’ comp. 

For example, if a claimant states, “My injury occurred on the job,” this may or may not actually be the case. My job as a defense attorney is to identify factual, medical and legal evidence that might persuade the judge that the “work-related” component of the employee’s injury is not as clear-cut as the employee may believe.

I had one case years ago where the employee claimed he was injured on the job. In his deposition, he admitted that he liked to ride the bull in rodeos. It occurred to me that there must be some association that keeps track of who rides in professional rodeos, and I contacted the Missouri Rodeo Association. I was “shocked” (insert mock assertion of surprise here) that the claimant’s medical care ALWAYS seemed to occur exactly one day after he competed in professional rodeos. After I provided this information to opposing counsel, the claim was quickly dismissed.

My point -- the employee’s assertion that he was hurt on the job would normally be sufficient to prove compensability in the absence of other evidence, but my job was to find that other evidence. Carriers and employers want their counsel to explore all possible defenses, even if the probability of success is low, because occasionally (like in my rodeo case) the defenses actually work.

Sticking to your guns

If you ask an adjuster about her greatest pet peeve when it comes to dealing with defense attorneys, one example is most often cited: “I hate it when my defense attorney tells me at the beginning of the case that the claim is only worth $500, and then, on the day of trial, he tries to convince me to pay $20,000 to settle it.”

Years ago, I had a client who pulled files from another attorney and sent them to me. As I reviewed them, I saw a theme. The attorney would often say: "This claim is a fraud, and I wouldn't pay anything more than $500 to settle." But I didn’t see ANY evidence of fraud in many of the files. I was in the unenviable position of having to tell the client that I thought these claims were not fraudulent, and I provided exposure estimates that were far higher than $500.

I was concerned that the client would say: "Gee, Brad, I liked the advice from the prior guy a lot better." However, this did not happen. Instead, I heard this: "I thought the prior attorney was simply telling me what I wanted to hear. That's why I pulled the files and sent them to you."

The lesson I learned here: Clients want the attorney’s honest assessment of the claim, and they don't want the defense attorney to simply tell them what the attorney thinks the client wants to hear. If the client can't rely on my analysis, then I'm not doing my job correctly. If the case is worth $20,000, I must tell this to the client as soon as it becomes possible to arrive at such a valuation. If I wait until the day of trial to disclose the true value of the claim, the client will think that I am simply afraid to take the case to trial.

Conclusion              

One could easily distill all these comments into a single concept: There must be a good working relationship between the defense attorney and the carrier/employer, one that is based on shared values, frequent communication and deliberative communication (meaning the attorney and the client jointly develop the goal for a particular claim and then both take the steps necessary to reach that goal). If reality matches this ideal, the defense attorney and the carrier/employer will probably be working together for a long time.

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.¹ And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks -- including data breaches -- are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”² The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.³ Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 milion.⁴ The study does not “include organizations that had data breaches in excess of 100,000” records,⁵ although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”⁶

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)⁷ standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”⁸ “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”⁹ Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.¹⁰ There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”¹¹

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.¹²

Insurers have raised this exclusion, among others, in recent privacy-breach cases.¹³

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.¹⁴

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.¹⁵

The endorsement also adds the following exclusion to Coverage B: This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.¹⁶

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”¹⁷ While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”¹⁸ The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”¹⁹ However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”²⁰ The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy²¹ states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”²² includes:

1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.^23​

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
4. information used for authenticating customers for normal business transactions;
5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

•     costs associated with post-data breach notification

•     credit-monitoring services

•     forensic investigation to determine cause and scope of a breach

•     public relations efforts and other “crisis management” expenses

• legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types coverages, as well, including media liability coverage (for claims for alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

Business frameworks have become a best practice to model processes, technology and organization. Frameworks help visualize the landscape of the current and future states of organizations. Whether they are called capability maps or business architecture frameworks, they are industry reference models that can be used to plan, analyze, develop, manage and maintain.

With everything that is happening in the insurance industry and with the never-ending announcements of new technologies and competitors, companies need to define their business directions and how they can differentiate themselves. This is where business frameworks become an asset.

What is an enterprise business architecture framework? It is a representation of an organization’s business composition. It describes the functions at various levels of details, including information structures and the natural dependencies found between functions. Frameworks are used as a map to describe various aspects of organizations. They are the Lego blocks of an industry.

Those Lego blocks can then be enhanced and layered with what is specific to each organization. For example, companies may add some of the following perspectives to industry business frameworks to better describe themselves:

• Enterprise ecosystems
• Organizational structures
• Roles and accountabilities
• Processes and procedures
• Geographical map
• Risk assessment heat map

Whether to use an existing business framework or create one is an important question to answer. There are only a handful of comprehensive business frameworks available on the market for the insurance industry. The most known ones are ACORD and Panorama 360. Yet, available industry business frameworks can serve as accelerators for organizations. For management consulting organizations or technology vendors, an existing framework can provide credibility and structure to their offerings.

The true benefits from using industry business frameworks are speed, quality and cost reduction. This is true for defining strategies, planning projects or investments, analyzing situations, developing processes, defining technology requirements and managing organizations. Frameworks can be used for situations such as:

• Enterprise or business architecture
• BPM or process improvement
• Business requirements definition
• Software evaluation
• Application architecture
• Data warehouse architecture
• System integration
• Application portfolio management
• Operational risk management
• Mergers and acquisitions
• Data security management
• Knowledge management
• New employee training

Business frameworks can significantly leverage single projects or organizations. They provide a return on investment in the short and in the long term. They become an asset base for knowledge.

• When coverage is required in jurisdictions where the employer has operations or employees working, living or traveling in or through.

• How coverage is provided for various jurisdictions.

• What jurisdictional benefits an employee can collect.

• Providing an entry of “Any Street, Any Town” or “No Specific Location, Any City” for the state. Many carriers will use this.
• Using an employee’s home address in the state if there is an employee working from home there.
• Using the agent/brokers address if they have an office there.

• State of hire
• State of residence
• State of primary employment
• State of pay
• State of injury
• State in agreement between employer and employee (unique to Ohio, and only Ohio and Indiana recognize the agreement)

• Recognize that having employees who work, live or are temporarily traveling to or through other states creates premium and coverage challenges for employers and agents.
• Take time to understand the rules of the state where there is potential exposure.
• States requiring coverage in 3.A. for some or all situations tend to be strict and impose severe penalties for non-compliance. Many carriers are often aware of the challenges these states present and will work with the agent/employer and add on an “if any” exposure basis.
• Always attempt to secure the broadest coverage possible under the workers compensation policy, adding to 3.A. as many states with even minimal exposure. As a fallback, get the state in 3.C.
• Obtain coverage for operations in monopolistic states separately.
• Address out-of-state exposures when insured by a state-specific state fund or regional carrier that only writes in one or a few states. Remember, the 3.C. wording is designed to pay benefits — by reimbursing the employer — if the carrier cannot pay directly to the employee.
• Check for employees traveling out of the country and arrange to expand coverage with the foreign endorsement or through an international policy.
• Check with a marine expert to assess the exposure to the Longshore Act and whether coverage is required.  Longshore is very employee-friendly.