Tag Archives: personally identifiable information

Are We Finally Getting Close to a Single View of the Customer?

The concept of the single view of the customer has been around for ages. I remember some significant single-view projects of insurers from the early 1990s. Many insurers have continued to strive toward this elusive goal. Now that the customer experience is front and center in insurers’ strategies, it’s time to revisit the single view, aka the 360-degree view of the customer.

Three questions must be addressed: 1) What is single view anyway? 2) How does it relate to the customer experience? 3) What is the state of the industry?

What is a single view anyway?

Having a single view of the customer means that the insurer and any front-line individual dealing with the customer understand the full context of the relationship. This normally includes information such as the customer’s personally identifiable information (PII), products currently owned, relationship history and the named agent/producer (if applicable). Ideally, this is summarized for a quick snapshot of the relationship.

Creating a single view is complicated by two main factors. First, the complexity and often siloed natures of IT systems make it difficult to have a common view. The evolution of channel options and technologies makes it a constant challenge to coordinate across the different systems. The second challenge relates to any company using independent agents, financial advisers, brokers or other producers. The producer does not typically share all the customer information with the insurer. Usually, the producer just passes along the minimum information needed for underwriting and servicing the customer. In addition, the producer may place insurance coverages for a customer with multiple insurance companies. The producer may have more of a single view of the customer’s insurance and financial services products and needs than the insurer has.

How does single view relate to the customer experience?

As challenging as it is, creating as complete a picture of the customer relationship as possible is essential today. Improving the customer experience is an SMA 2015 Imperative and a top strategic initiative for many companies and a key driver of business and IT strategies. Any touch point, whether human or digital, should be informed by the context of the customer relationship. An agent, customer service rep or adjuster should understand the value of the policyholder. While everyone is entitled to fair service that satisfies the contractual obligations, the level of attention and expertise applied might vary for an individual or business with a 20-year history and multiple policies vs. a new customer with just one small policy.

A related question is, “Does the customer have a single view of the insurer?” Customers do not want to repeat information, experience delays in service, be presented with incorrect information or find that their favorite mode of interaction is not available or current. This is causing insurers to move toward providing an omni-channel environment, enabling policyholders to interact using whatever devices and channels they want at any time — and making the transactions and interactions transfer across channels in real time. Ultimately, providing a world class customer experience requires the insurer to have a single view of the customer and vice versa.

What is the state of single view in insurance?

How many insurers have actually achieved this single view? According to SMA research, 35% say they have assembled a single view, but only 8% can present that view in real time to the individuals interacting with a policyholder. Another 46% do not have single view today but are working on it. There are also significant differences based on the size of the insurer. More insurers with less than $1 billion in premium actually have a full single view in real time than do their counterparts with more than $1 billion. This is likely because the smaller companies’ product and distribution environment is less complicated than that of the larger companies. On the other hand, virtually all insurers with more than $1 billion are at least working on achieving a single view, whereas 30% of the smaller companies have no plans.

Single view and improving the customer experience are inextricably linked. Business and IT strategies and plans should always consider the implications for both of these objectives.

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 milion.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B: This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

•     costs associated with post-data breach notification

•     credit-monitoring services

•     forensic investigation to determine cause and scope of a breach

•     public relations efforts and other “crisis management” expenses

  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types coverages, as well, including media liability coverage (for claims for alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

Health Insurance Exchange Scam Alert: Beware of Fake Websites

The Identity Theft Resource Center (ITRC) has growing concerns regarding the potential for new scams concerning the implementation of the Health Insurance Exchange (HIE) websites as part of the Patient Protection and Affordable Care Act (also known as Obamacare). These exchanges are currently online with enrollment due to start on October 1st.

According to the Act, each state must implement insurance exchanges. These exchanges are to serve as online marketplaces (websites) for consumers to compare rates and make choices about which health insurance coverage is best for them. Each state has the ability to determine the best way to manage these exchanges in order to meet the needs of their uninsured residents.

The open enrollment period for these exchanges begins on October 1, 2013. There have already been some predictions that there will be “bugs and glitches,” to quote President Obama, during this process. IT professionals are already voicing concerns regarding the ability to handle the amount of traffic anticipated on the first day of the rollout. However, no one is talking about ensuring that consumers actually know and understand where to go in the first place.

There is huge potential for misinformation and misunderstanding with this new insurance exchange program. Consumers will now be mandated (or face a penalty come tax time) to purchase health insurance if they don’t have existing coverage. The official website, www.healthcare.gov will be used by the majority of the states. But 17 states have opted to manage their own unique exchange with a different URL. This has the potential to cause much confusion for consumers. While it may appear that this information would easily be located via an internet search, our experience was that the official website was not easy to locate. In fact, when we searched for “health insurance exchange official websites” (rather than “website”) the websites for the 17 states that have their own unique URLs appeared, but www.healthcare.gov did not appear on the first page.

From our experience with scams and fake websites, we believe it would be extremely easy for scammers to create multiple websites that will trick consumers into thinking that it is either the federal health exchange website or one of the alternative state websites. Without known and reliable sources, there exists a great opportunity for gaming of the Internet search engines to attract consumers to websites intent on harming them by eliciting the fraudulent collection of personal identifying information (PII). There is a need to present factual information about which websites represent the accredited websites for the new insurance exchanges.

While there is a comprehensive list of insurance exchange websites on www.healthcare.gov, we are concerned that consumers may not find their way there in the first place. Already our searches indicate that there are organizations using keywords such as “Obamacare” and “Health insurance exchange” in the paid advertising section that are not the official insurance exchange websites. While these websites may not be scams, our concern is that it will only be a matter of time before imposter websites intent on real consumer harm surface.

This concern has a historical basis. The Fair Credit Reporting Act (FCRA) requires each of the Credit Reporting Agencies (CRAs: Experian, Transunion, and Equifax) to provide consumers with one free credit report annually. Confusion still exists between www.annualcreditreport.com, which is the court-mandated website hosted by the credit reporting agencies that actually provides annual free credit reports to consumers, and other websites that offer free credit reports or free credit scores such as www.freecreditreport.com, hosted by one of the credit reporting agencies. Soon after the creation of the original mandated website, dozens of look-alike websites were created. Consumer protection organizations, including the Federal Trade Commission, continue to educate consumers about this to this day (Consumer Information: Free Credit Reports) even though the mandated free website was launched in December 2004.

With the operational launch of these new insurance exchanges just a few short months away, consumers will be scrambling to comply before the January 1st, 2014 deadline. We already stated that we expect consumers to use search engines to locate the particular website they are supposed to use, and that the searches are inconsistent. With that knowledge, will regulators put provisions in place to identify, deter, monitor and address imposter websites? Or do they presume that the existing regulatory or enforcement provisions will deter those who create malicious fake websites intended to capture the personally identifiable information of consumers? Information provided to a fake insurance exchange website could be used to commit identity theft and other frauds.

There will be two types of imposter websites that will require redress. Not all imposter websites are created equal. There are differing levels of harm depending upon the type of imposter website consumers discover. There are legitimate businesses cutting corners and engaging in misleading tactics to secure new business and there are outright scam websites, whose intention is to secure personally identifiable information for malicious use.

Phishing and smishing could eventually come into play.

In 2012 “Imposter Scams” ranked 6th (out of 30) in the list of most complained about fraud events according to the FTC Consumer Sentinel Report. The 82,896 complaints represented 4% of the total complaints received by the FTC.

This category is defined by the FTC as “complaints about scammers claiming to be family, friends, a romantic interest, companies, or government agencies to induce people to send money or divulge personal information.” Complaints included the following: Scammers posing as friends or relatives stranded in foreign countries without money, scammers claiming to be working for or affiliated with government agencies, and scammers claiming to be affiliated with a private entity (a charity or company).

By far, the largest subtype of scam was regarding government agency imposters, with over 43,000 of the total in that category. Previous years’ statistics indicate that year over year, government imposters were the most complained about subtype: 47,454 in 2011 and 49,321 in 2010.

This demonstrates that the scammers continue to find impersonating the government to be a lucrative enterprise. Since this is a new program, even those consumers who normally know not to click on strange links in emails or respond to unknown senders of text messages, may feel compelled to respond and potentially share their personally identifiable information via these means. Why should we believe that the health care exchanges will be immune to this kind of impersonation?

If past behavior is an indicator, we can be sure that there will be financial harm to at least some of these victims.

The Internet Crimes Complaint Center (IC3) 2011 report states that it received approximately 39 complaints per day regarding FBI impersonation email scams. IC3 presented a total loss for this type of impersonation scam (via phishing emails) as over $3 million dollars. This number is just for the complaints that the IC3 received and does not take into account all the unreported losses.

A fundamental part of the Identity Theft Resource Center’s mission is to serve as a relevant national resource on topics such as this. In an effort to provide consumers with the important information they need about potential insurance exchange scams, the Identity Theft Resource Center has developed a scam alert and posted additional information on its website to help educate consumers.

The Identity Theft Resource Center is hopeful that there will be strong and coordinated efforts to educate consumers as to the authentic websites for these exchanges. As they differ from state to state, universal messaging will be difficult to coordinate. Of course, there will be glitches, and as with any new process, we will only discover what these are when the actual user experience is reviewed. However, these efforts need to take place now.

A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks simply don't target large companies. According to Symantec's 2010 SMB Protection report, small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willy Sutton once infamously remarked that he robs bank because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Networking and Information Security Agency, if Willy Sutton was alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financials Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases from bank accounts of US businesses. These cases total $255 million in fraudulent transfers and has resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

Otherwise known as a distributed denial of service attack, US banks were attacked repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against this country's infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial situations only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012 the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster is preparing to rob American banks and their customers of millions of dollars. According to the computer security firm, McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” already has infected hundreds of computers of unwitting American customers in preparation to steal that bank account data.

Of course not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that the company may been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously from its initial beginning in 2000. Starting with what was the brainchild of AIG and Lloyds of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps, it is for this reason, cyber premium rates are flat to down 5% according to industry reports in the market where rates in property-casualty are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers but most of the industry believes it's a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated “we think this market has nowhere to go but up” Although, they quickly qualified, “as long as carriers can still write at a profit.”

Navigating School Board And Educators Legal Liability Policies

Brokers who place School Board and Educators Legal Liability insurance are beginning to notice that the marketplace has gotten more difficult. Layoffs from budget cuts have triggered an increase in Employment Practices Liability (EPL) claims, while the tough job market has led to an increased amount of “failure to educate” claims.

The very public proceedings involving Penn State University have recently reminded us that sexual abuse and molestation are critical claim issues for schools. Any article written about a class of business that touches Personally Identifiable Information (PII) and doesn't mention Cyberliability fails to address another major source of trouble.

Based on these and other factors, insurers are either non-renewing business or re-underwriting their book, which leads to a restriction in terms.

The typical School Board or Educators Legal Liability policy is designed to protect not only teachers, but also school board members, administrators, volunteers, student teachers and various other members of the educational staff. In a standard policy, the definition of “Wrongful Act” includes coverage for an actual or alleged breach of duty, neglect, misleading statement and other errors or omissions of an insured educator in their capacity or scope of employment on behalf of the educational institution. Most policies also include coverage for Employment Practices Liability (EPL) claims, which tend to be the most frequent cause of loss.

Typical allegations found in claims include:

  • Failure to educate
  • Failure to supervise a classroom
  • Loss of accreditation
  • Employment-related lawsuits claiming sexual harassment, wrongful termination or discrimination
  • Misstatements, misleading statements, breaches of duty, neglect, errors or omissions made by a paid or volunteer board member who assists the school in making critical decisions about operations and economic survival
  • Failure to respond to or prevent bullying activities of the students

Market Commentary
Below are examples of the additional claim scenarios that insurers are seeing in this class of business.

“We are seeing the severity of educators' claims increase dramatically.” — Stephanie Gardner, RSUI

“The biggest issue that we have seen regarding Educators Legal Liability is on the EPL side. This has historically been a frequency-driven class and we have seen an even larger increase in frequency. We have also seen frequency develop into severity, which we had not seen to this extent before. There doesn't seem to be any new trend in the type of EPL claims, just more of them. I believe a lot of this is just a function of the economy and the pressure on school districts to reduce their budgets.” — Matthew Cibulskas, Westchester Specialty

“Bullying claims are being litigated under a 'failure to supervise' accusation. The financial damages to the parents are that they had to pay private school tuition because they had to leave the public school system after nothing was done to stop the bullying. And redistricting claims — many institutions have budget issues and, as a result, are closing schools and consolidating. This has triggered a lot of claims against the school boards.” — Steve Krusko, AIG

“I have seen issues with the for-profit educational segment regarding the federal tuition funding (loans/scholarships) as well as issues with dismal graduation rates and failure to educate allegations.” — Roy Huelsebusch, Crum & Forster

“Unfair competition and misrepresentation during the admissions process, as well as admissions to programs that don't have full accreditation yet (nursing programs seem to be frequent offenders here). Regulatory interest — a high percentage of tuition comes from Pell Grants so state Attorneys General have been pursuing litigation for unfair/deceptive trade practices.” — Rob Faber, AIG

If there was just one area of concern, underwriters could manage that risk with exclusions, sublimits, higher retentions or other means of mitigation. However, with severity increasing and claims coming from many directions, the marketplace has to respond. Underwriters can either withdraw from the marketplace or attempt to work around the hot spots. As mentioned earlier in this article, many insurers have moved away from this class while others are indeed revising their pricing, retentions and coverage terms.

With many schools having renewals on or around July 1, now is the time to formulate your renewal strategy, communicate the conditions of the market to your insured, and begin discussions with your current and prospective insurers.