The RISC eNews Blast is intended to provide relevant and timely news information from a number of sources to member pool staff. If you see articles in the journals, email and sources you subscribe to that may be of interest to the RISC membership, please feel free to forward them to Erin Rian for inclusion in the eNews Blast. The eNews Blast will be delivered weekly, and the RISC Report newsletter will be delivered every two months.
In this week's edition of the RISC eNews Blast:
DATA SECURITY & CYBER RISK
Insurer to Schnucks: We won't pay for lawsuits related to your breach (SC Magazine, 8/20/2013): Liberty Mutual, the insurer for Schnucks, is denying that the general liability policy it sold to the supermarket chain covers third party lawsuits arising from the major data breach in March 2013 that exposed information of 2.4 million customers. Liberty Mutual argues that the electronic data stolen was not tangible property covered under the property damage insurance it issued.
Hiding In Plain Sight: Failure To Scrub Patient Data From Digital Copiers Returned To Leasing Company Results In $1.2 Million HIPAA Settlement (Mondaq, 8/18/2013): A health care plan recently paid a $1.2 million fine under a resolution agreement with the federal Department of Health and Human Services. The health care plan had failed to scrub sensitive data from a leased digital copier before returning it to the lessor. How many pool members know whether the copier they are using is digital and thus storing each copy or scan in its memory? If pool members scan or make copies in a place of business that provides support to small organizations, do they know whether those publicly available machines retain the information in their memories? Pools may want to suggest that their members assess all technology and business machines they use for privacy implications.
Four Stages of Cyber Risk Management (The Metropolitan Corporate Counsel, 8/14/2013): The second stage of cyber risk management is of special importance to pools and their members. This stage includes preparations to both avoid and respond to a network breach. Planning to avoid breaches can include:
• Involving senior management in the planning
• Performing due diligence on vendors that host and manage data, including investigation of their security practices.
• Understanding the role played by any subcontractors used by your vendors, especially if it affects where your data is housed (i.e. inside or outside the U.S.)
• Negotiating the best contract terms possible, including if possible the right to perform security audits, favorable terms for recovering data in the event the agreement is terminated, and the right to be notified in the event of a breach of the vendor’s system.
• Using encryption as much as possible.
• Regular training of employees.
• Mapping the location of computer data to know where the risks lie.
Planning to respond to breaches can include:
• Identifying resources (employees and vendors) in advance.
o Forensic investigators to determine the nature and extent of the breach and recommend how to avoid further compromise.
o Legal advisors to determine notification requirements and exposure to liability.
o Public spokesperson(s).
o Insurance company liaison.
• Identifying appropriate law enforcement agencies to work with and cooperating with them.
Hackers Called Into Civic Duty (Wall Street Journal Online, 8/2013): Some local governments are turning to “hackers” (people who like to write their own computer programs) to use technology for the purpose of developing tools and applications that solve public problems. The hackers use data already being collected by the government, but stripped of personally identifiable information. This is an approach advocated in the recent book Citizenville, by Gavin Newsom, as a way to enable local governments without extra funds to do something useful with their data. This is a positive development for both governments and the public, but pools should advise their members to very carefully scrub the data of private information before allowing access.
Not a Matter of “If” but “When”: Employers Would be Smart to Prepare for an Inevitable Data Breach (Mondaq, 8/13/2013): The threat of a costly class action based on the theft or misuse of personally identifying information is important to keep in mind when deciding how many resources to devote to preparing for data breach. In some states, laws are sufficiently liberal to allow for private rights of action even when there is no demonstrated injury. Federal circuit courts disagree as to whether actual harm must be demonstrated to have standing in federal courts, but recent cases in the Third Circuit Court of Appeals and the US Supreme Court indicate there may ultimately be a requirement for something more than speculative future damages. The law is likely to remain unsettled for some time, so pools should encourage their members to prepare for data breach as a potentially costly risk.
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age (Ponemon Institute, 8/2013): A new multi-sector Ponemon Institute study, sponsored by Experian Data Breach Resolution, provides interesting information for pools that offer or are considering cyber insurance for their members. Access to the full study is available by registering at this link.
• According to the Ponemon Institute’s 2013 Cost of Data Breach Survey, the average cost of a data breach was $188 for each lost or stolen record.
• Although the average potential financial risk of future data incidents is estimated at $163 million, most of this results from the loss of confidential business information.
• 31% of organizations surveyed have cyber security insurance and another 39% are considering it.
• The two top reasons for not purchasing cyber insurance are that premiums are too high or there are too many exclusions, restrictions and uninsurable risks.
• Most respondents that have cyber insurance say that it covers human error, mistakes and negligence; external attacks by cyber criminals; system or business process failures; and malicious or criminal insiders. But only 11% are covered for attacks against business partners, vendors or other third parties that have access to the organization’s information assets.
• Benefits provided usually include notification to victims and legal defense costs and often include forensics, replacement of lost or damaged equipment and regulatory penalties and fines. Less often they cover revenue losses, third party liability, and communication costs to regulators.
• Only 19% of public sector organizations reported that they have a cyber insurance policy, the lowest of any of the sectors analyzed. Of the respondents in the technology and software sector, which ranked highest, 41% reported having coverage.
U.S. delays deadline for finalizing Obamacare health plans (Reuters, 8/28/2013): The U.S. Department of Health and Human Services notified insurance companies that it would not sign final agreements until mid-September. Originally agreements were to be signed between September 5-9. While the reason for the delay was unclear, state and federal officials are working to overcome challenges relating to the information technology systems critical to making the exchanges work. Some states, including Oregon and California, have announced plans to scale back the launch of the new marketplace.
Study Shows Need for More Focus on Potential Impacts of PPACA on Workforce Disability and Absence Management Programs (Insurance News, 8/20/2013): A new study jointly released by the Disability Management and Employer Coalition (DMEC) and Pacific Resources points to a need for more focus on the potential impact of health reform on disability and absence management programs. The study shows that almost half of employers responding and a majority of disability insurance carriers believe that the financial impact of employee disability and absence will increase over the next several years. Some of the key findings and implications of the study and corresponding report include:
• Increase in incidence and duration of long-term absences
• More difficult to access routine care under PPACA
• Potential increase in FMLA activity and impact on leave management administration
• Increase in wellness initiatives
New IRS website devoted to ACA tax provisions (HealthReformGPS, 8/19/2013): The Internal Revenue Service has launched a website where individuals, employers and other organizations, such as insurers and government organizations, can obtain information about the health care reform law. The website can be found here.
PROPERTY & CASUALTY
Claims Audit Considerations by Topic – a Checklist (Property Casualty 360, 8/14/2013): Checklists help auditors move systematically through files and consider all of the important issues. This sample does not include every question a pool may want to consider when auditing its claims handler, but it identifies major categories of inquiry that can be used to develop more detailed questions.
Curbing the Claims Related Opioid Abuse Epidemic (Property Casualty 360, 8/16/2013): The rise of opioid abuse and associated morbidity and mortality is a major cost driver in workers’ compensation. The CDC says that 80% of prescription painkillers are prescribed by 20% of prescribers, and most of these prescribers are primary care physicians, not specialists. Some insurers are developing predictive models to identify claims that are at risk of resulting in opioid abuse, or using vendors who have already developed those models. One approach to controlling these costs is using a predictive model to identify claims. A structure for developing a program includes the following elements:
• Assessing the potential for opioid abuse within the insured population.
• Developing a method to score claims dynamically for their opioid abuse risk.
• Implementing a process for taking the appropriate action based on the current phase and risk of the claim.
• Monitoring health care providers to determine which pose the greatest risk.
• Measuring outcomes.
OTHER TOPICS OF INTEREST
Towns Credit VLCT for Swift Response to Irene Insurance Claims (VTDIGGER.ORG, 8/28/2013): The members of the Vermont League of Cities and Towns recognize its good customer service in the wake of Hurricane Irene. Many towns received payments within a week of the disaster. A good reinsurance strategy enabled the fund to limit its losses to $500 thousand out of what is likely to amount to $10 million to $14 million in claims from 60 municipalities. Although members saw some rate increases as a result of the fund’s increased reinsurance costs in 2013, much of the increase was covered by the fund’s reserves. This reflects its goal of making coverage as easy and low cost as possible for its members.
IBHS Updates States’ Progress on Building Codes (Property Casualty 360, 8/23/2013): A new report issued by the Institute for Building and Home Safety finds that Florida is the lead Gulf State in terms of revising building codes to meet hurricane risk. Alabama has also made positive strides but Louisiana, Texas and Mississippi have either taken no action or actually fallen behind. Florida distinguished itself through its leadership in developing a new building code, which has a projected effective date of March, 2014.
Tattoo Parlor Protected by the First Amendment (Municipal Minute, 8/20/2013): The Arizona Supreme Court has held that the process of tattooing is a purely expressive activity that is protected speech under the First Amendment to the U.S. Constitution, even if the tattoos use standard designs. A city ordinance that required a special Council-approved permit to operate a tattoo business generated a lawsuit by an applicant whose application was denied. Despite a recommendation by the zoning staff to approve the permit subject to various conditions, the zoning board voted 3-2 to recommend that the council deny the application, due to concerns that the proposed use was not appropriate for the location or in the best interest of the neighborhood. The Council, after a public meeting, voted 6-1 to deny the application. The Supreme Court found that the ordinance in question did not include standards sufficient to guide and limit the Council’s discretion in evaluating the permit application. However, the decision acknowledges that cities have a legitimate interest in controlling the location of businesses through zoning regulations, so this decision does not amount to a statement that tattoo parlor locations cannot be controlled. A link to the full decision is available in the article.
After Airliner Crash, San Francisco Fire Chief Bans Helmet Cams (Claims Journal, 8/20/2013): While there is a trend in law enforcement toward using body cameras, serious concerns have been raised about using them in emergency response situations, and some cities ban them outright, including Houston and Baltimore. San Francisco’s fire department expanded its pre-existing ban on video cameras to include helmet-mounted devices in the wake of the July Asiana air crash at San Francisco International Airport. Footage recorded by the helmet-mounted camera of the responding battalion chief purportedly shows a responding fire truck running over a survivor who had been ejected onto the tarmac, leading some to speculate that the change in policy is motivated by concern over liability. The fire chief’s stated concern, however, is that recording people during an emergency response may violate privacy laws. Preserving privacy is a topic that should be considered and addressed in policies by any city fire department adopting this technology.
Order That Police Wear Cameras Stirs Unexpected Reactions (New York Times, 8/13/2013): A U.S. District Judge in New York has ordered New York City to conduct a pilot program requiring police to wear body or glasses cameras. The Judge ordered the pilot program along with other changes in conjunction with her finding that the NYPD intentionally discriminated against minorities in its stop-and-frisk program. Several RISC member pools work with their members to use body cameras or cameras mounted on glasses as defensive measures, but in this case the purpose seems to be to document or discourage police misconduct. In an interesting reversal, Mayor Bloomberg has expressed opposition to the initiative and the New York Civil Liberties Union supports it, despite the NYCLU's past criticism of surveillance technology.
Drones: Coming to the Skies Near You (Washington Lawyer, 8/2013): Drones are coming to the US airspace, and there is a plethora of issues that have to be addressed in the process. Safety in an increasingly crowded airspace, privacy, search and seizure, and the use of drones by commercial interests and law enforcement are all emerging issues. Four states have seen legislation introduced, and six (Florida, Idaho, Montana, Tennessee, Texas and Virginia) have passed laws. Model legislation that could be adopted by states is under development by a consortium of organizations, which hopes to finalize a draft by September. From the perspective of pools and their members, the most problematic issues are the privacy and Fourth Amendment search and seizure implications of using drones in law enforcement. When is a law enforcement agency required to get a search warrant to use a drone the size of a quarter to follow and record members of the public without their knowledge? How far can the agency go to use drones to gather information about activities in high crime areas? And what are the possible liabilities for the pool and its members if they guess wrong in this unsettled and rapidly shifting area of the law?
2013 NLC-RISC Staff Conference - Registration and Preliminary Agenda Now Available! (October 21-23, 2013 at The Nines in Portland, Oregon): The NLC-RISC Staff Conference provides staff of state municipal league-sponsored risk pools with the opportunity to learn about trends, programs, services and best practices in a variety of coverage lines and functional areas, and offers a great opportunity to network with pool staff from across the country, all in a non-competitive, collaborative environment! A preliminary agenda and online conference registration, as well as hotel reservations, can all be found on the 2013 NLC-RISC Staff Conference Event Page. Contact Erin Rian with questions or concerns.
Southern Municipal Conference IT Conference (October 16-18, 2013 in Columbia, South Carolina): The Southern Municipal Conference has sponsored the SMC IT meeting for 11 years. The group meets twice each year to share the IT experiences of each league and/or Risk pool. Presentations by IT experts on the latest hardware and software help keep the participants up to date on the cutting edge of technology. Registration for the SMC IT Group meeting is open to all State Municipal Leagues and League Risk Pools.
Property Inspector - Rhode Island Interlocal Risk Management Trust: Property Inspector for non-profit self-insurance pool for RI local governments. Provide detailed loss prevention inspections, identify potential hazards and design preventive programs. Extensive field work. Knowledge of governmental risks and OSHA Construction Standards. Undergraduate degree in insurance or risk management preferred. Professional certifications/designations (ARM, NFPA, OSHA) desired. 3-5 years field experience. Proficiency in Microsoft Office. Salary commensurate with education and experience; excellent fringe benefits. Resume ASAP to Brian T. Ahern, Director of Risk Management Services, RI Interlocal Risk Management Trust, 501 Wampanoag Trail, Suite 301, East Providence, RI 02915; by fax to 401-438-6990; by email to firstname.lastname@example.org.