Tag Archives: executive order

IRS Set to Nail Employers on ACA

The Internal Revenue Service is acting to help individuals who are eligible for Patient Protection and Affordable Care Act (Obamacare) health subsidies and who live in regions where exchange insurers do not offer bronze (lowest-cost) coverage, even as it moves ahead to nail employers failing to comply with Obamacare’s employer shared responsibility rules (commonly referred to as the “employer mandate”).

IRS New Individual Obamacare Relief

Notice 2017-74  will provide that individuals who are not eligible for coverage under an eligible employer-sponsored plan and who lack access to affordable coverage should not be denied the use of the affordability exemption under § 5000A(e)(1) of the code and § 1.5000A-3(e) of the regulations merely because they reside in an area served by a marketplace that does not offer a bronze-level plan. Consequently, for purposes of the affordability exemption under § 5000A(e)(1) and § 1.5000A-3(e), if an individual resides in a rating area served by a marketplace that does not offer a bronze plan, the individual generally should use the lowest-cost metal-level plan available in the marketplace serving the rating area in which the individual resides.

Notice 2017-74 will be in IRB 2017-51, dated Dec. 18, 2017.

See also: Optimizing Financing in Healthcare  

Employers Still Face Obamacare Penalties

While the IRS has issued limited relief for individuals from the ACA’s individual mandate penalties, so far it has remained steadfast in its refusal to grant employers corresponding relief from the ACA employer-shared responsibility penalties or other ACA penalties. Instead, IRS officials continue to make clear that the IRS intends to enforce the ACA employer-shared responsibility rules against employers with 50 or more full-time employees (including full-time equivalent employees).

Under the Obamacare employer mandate rules, covered employers face significant federal tax penalties for (1) failing to offer minimal essential coverage to substantially all full-time employees and their dependents (the “A Penalty”), or (2) offering coverage that is either “unaffordable” or does not provide “minimum value” (the “B Penalty”) if a full-time employee enrolls in the health insurance marketplace and receives a premium tax credit.

While many employers assumed President Trump’s Jan. 20, 2017, executive order “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal” would insulate them against enforcement of the employer mandate and other Obamacare penalties, the IRS doesn’t see the executive order as barring its enforcement of Obamacare against sponsoring employers or their group health plans. In an April 14, 2017, IRS Chief Counsel letter, for instance, the IRS announced it does not interpret its discretionary authority under Obamacare to allow waiver of the employer mandate tax imposed under Internal Revenue Code Section 4980H against covered employers that fail to provide the affordable minimum essential coverage required by the employer mandate. In keeping with this interpretation, the IRS has announced that it will begin enforcement of the employer mandate tax liability for plan years after 2015 against covered employers that failed to meet the employer mandate.

Of course, the employer mandate is not the only Obamacare provision that employers and their health plans need to worry about. In addition to the employer mandate, Obamacare imposed a host of patient protection and other federal mandates upon employer-sponsored plans, most of which apply to plans covering two or more employees. In addition to any benefit and other administrative penalties that otherwise arise under the Employee Retirement Income Security Act or the Social Security Act for violating these mandates, employers sponsoring plans that violate any of 40 listed mandates imposed by Obamacare or certain other federal laws also become liable under Internal Revenue Code Section 6039D to self-identify, self-assess, report on Form 8928 and pay an excise tax equal to $100 per person per uncorrected violation. The IRS, Department Of Labor and Department Of Health and Human Services have taken the position that the Jan. 20 executive order also does not bar enforcement of those Obamacare penalties. Accordingly, employers and their group health plans continue to face potentially substantial liability if their group health plan does not comply with Obamacare.

See also: U.S. Healthcare: No Simple Insurtech Fix  

In the face of these exposures, employers and their group health plan should carefully review their plans and their administration for compliance before the end of the plan year so as to be able to take appropriate and timely corrective action before penalties attach and while stop loss or other insurance is available to help mitigate the cost of these corrections. Employers preparing for health plan renewals also should review their group contracts and conduct due diligence to verify their group health plans terms and operations meet the mandates as they initiate new plan years. Employers also generally will want to review their compliance and take action to address any deficiencies against any vendors or advisers who may have culpability in the defective health plan design or administration. Prompt action against vendors who may be culpable for the design or administration defects is necessary to preserve potential claims for deceptive trade practices or other causes of action that an employer might have under state contract, tort or other law. Employers and health plan fiduciaries should consider engaging experienced legal counsel to conduct this review on behalf of the employer or other plan sponsor within the scope of attorney-client privilege so as to assess and address these potential risks on a timely basis.

Has an International Cyber War Begun?

Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?

g1

Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.

Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.

Is a Cyber Attack “Terrorism” or “War”?

Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”

Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.

Government Definitions of Terrorism, Cyber Terrorism and War

THE TERRORISM RISK INSURANCE ACT (TRIA)

“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:

» an act of terrorism

» a violent act or an act that is dangerous to human life, property or infrastructure

» an act resulting in damage within the United States or Outside (on a U.S.-flagged vessel, aircraft or U.S. mission)

» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.

The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.

DEPARTMENT OF DEFENSE (DOD)

The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”

DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)

The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”

DEPARTMENT OF HOMELAND SECURITY (DHS)

The National Infrastructure Protection Center (NIPC), (formally a branch of DHS), defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”

Cyber Terrorism and the ‘Act of War’ Exclusion

Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”

Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).

However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”

Screen Shot 2015-12-22 at 1.53.07 PM

Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated into the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act [CERCLA], which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.

In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.

This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.

Cyber Insurance and TRIA

The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.

Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:

(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.

(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.

Conclusion

To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.