Data Breach & Cyber Security
Risk & Responsibility in a Hyperconnected World - McKinsey & Co
Cyber Risk and Insurance Forum, January 2014
McKinsey and the World Economic Forum studied organizations of different levels of sophistication to assess the implications of cyber risk and to suggest a path toward greater security. While the organizations studied were much larger than the small entities that comprise most of the membership of RISC pools, basically all organizations have the same risks, just on a different scale. Pool IT staff may also have an interest in the full details of the report, to which a link is provided in this summary. Some of the points most important to pools’ members are:
- Be sure that frontline personnel understand the value of the information assets they access and how their failure to follow security directives can compromise those assets.
- Be sure that cyber risk is treated as an enterprise risk and discussed at the highest levels of the organization, as well as integrated into the responsibilities of all departments.
- Evaluate the entity’s information assets and prioritize them for protection.
- Provide differentiated protection for information assets based on their importance and the harm that can occur if they are compromised.
- Deploy technological resources to prevent breaches, and to identify and respond to them promptly if they occur.
The responses by sector to various research questions were reported, and the insurance industry was one of the sectors explored.
‘Password’ is no longer the dumbest password of the year
Technology users who choose easy and common passwords are leaving themselves and their employer open to attack. This list of the top 25 worst passwords might be informative to pool members and employees.
Data Security: Tips and Red Flags When Buying Cyber Insurance
This overview of issues to consider for potential buyers of cyber insurance is a good guide for pools that offer, or are considering offering, cyber coverage to their members, or that are considering buying cyber coverage for their own operations. Here are some examples:
- The phrasing of the exclusion for terrorism, hostilities and acts of foreign enemies could affect whether there is coverage for the increasingly common situation where criminal hackers are located overseas.
- Pollution exclusions may greatly affect the usefulness of cyber coverage to the insured in a world where more cyber attacks can be expected against key infrastructure. Omitting the exclusion can also create significant potential exposure for a pool. Although not linked to cyber terrorism, the recent release of chemicals into the water in Charleston, West Virginia is an example of the potentially far-reaching effects and large damages from such an attack.
- An exclusion for violations of law could undermine coverage in situations where coverage would be expected. It is not unexpected for regulators to find some violation of law, and if any violation voids coverage then the insured may not be receiving the value for which it is paying.
- An exclusion for unauthorized collection of data can also be a trap for the unwary, and it can be unclear how an insurer would apply such an exclusion.
A pool that is considering providing cyber coverage to its members needs to weigh the potential losses from failing to include such exclusions against its intent to provide coverage to its members in situations where they would expect coverage.
Wawa Forces Blind Customers To Reveal PINs, Suit Says
Law 360, 1/15/2014
A Pennsylvania-based retail chain, Wawa stores, is facing a potential class action lawsuit under Title III of the Americans With Disabilities Act for failing to provide textured keys on its point of sale devices, which would allow its blind customers to enter their own PIN numbers rather than divulging them to the salesperson. Title III does not apply to local governments, but Title II does, and it also requires nondiscrimination on the basis of disability. If this litigation is successful under Title III, it may portend similar liability for pool members under Title II.
Why (most) consumer data breach class actions vs Target are doomed
Target seems likely to prevail in class action suits against it by customers based on its recent data breach, at least to the extent that those suits do not allege actual damages. The federal Class Action Fairness Act (CAFA) permits removal of class actions involving more than 100 people to federal court, although a January 14, 2014 Supreme Court decision, Mississippi ex rel. Hood v. AU Optronics Corp., has held that lawsuits filed by Attorneys General seeking relief on behalf of a state’s residents cannot be removed to federal court under CAFA. A different Supreme Court case, Clapper v. Amnesty International, has been relied upon by courts in support of findings that customers have no standing in federal court where there is only the future potential for harm. If Target settles claims against it, however, rather than pushing for dismissal or summary judgment, that settlement could open up the floodgates for litigation. Although pool members may not often see breaches of the size that would trigger CAFA and federal jurisdiction, state court decisions and litigation patterns might move in the same direction.
IRS and Treasury Issue Final Employer Shared Responsibility Regulations
IRS & U.S. Department of Treasury, 2/10/2014
The IRS and Treasury recently released the Final Employer Shared Responsibility Regulations. A couple of things to note:
- Exclusion of "bona fide volunteers" from hours of service: As anticipated, the final regulations provide that hours of service for a "bona fide volunteer" are not included in the definition of hours of service, including volunteer firefighters, emergency responders and others. The final rules define a "bona fide volunteer".
- Seasonal employees: The final regulations provide that a seasonal employee means an employee in a position for which the "customary" annual employment is six months or less.
- Transition relief and interim guidance: While there are many, one of the most notable in the final regulations is an additional delay in the play or pay requirements until 2016 for larger employers with between 50 and 99 employees. The requirements still apply to large employers with more than 100 employees starting in 2015.
A link to the final regulations can be found here.
Water company is latest target in leak-related lawsuits
Charleston Daily Mail, 2/4/2014
New targets are being sued in the leaking of chemicals by Freedom Industries into the Elk River in Charleston, West Virginia, polluting the city’s drinking water and precipitating a water crisis that lasted for several days. The West Virginia American Water Company is being sued for failure to take adequate precautions to protect the water supply. Pools may want to consider the extent to which their members, and the pool, would be exposed to this type of liability, especially in situations where the primary culprit files bankruptcy.
Buyer Beware: Fracking and House Prices
The Economist, 1/15/2014
A new research project argues that fracking may have an adverse impact on housing located in areas that obtain their water from groundwater sourced near fracking sites. More detailed information about the location of fracking sites is becoming available to buyers, who may factor potential drinking water pollution into their buying decisions. One issue to consider is whether local governments that play any role in allowing a fracking site to operate might face litigation for reduced property values.
Joint and Several Liability Rule Reform
American Tort Reform Association
This is a state-by-state compilation of joint and several liability reforms throughout the US. It is compiled by the American Tort Reform Association, which advocates replacing joint and several liability with proportionate liability, where each defendant is liable only for the portion of harm for which the jury finds it responsible.
Ohio man settles lawsuit with police for $2.25M
Washington Times, 1/29/2014
The dangers of using a Taser on suspects who are positioned on an elevated surface, and thus at risk of injury by falling, were demonstrated in a $2.25 million settlement of a federal civil rights lawsuit between the family of an injured Ohio man and Perry Township. A Perry Township officer used the Taser on the man, who was fleeing police and was on the top of a fence when the Taser struck, causing him to fall forward and sustain head injuries. The Township allegedly failed to warn officers about the danger of using a Taser on suspects who are on elevated surfaces. The settlement was based on the Township’s insurer’s analysis that there could have been up to $12 million awarded for present and future medical bills.
Rail disaster liability needs fix but shouldn’t be downloaded to taxpayers, municipal leaders say
The Toronto Star, 1/29/2014
Municipal leaders in Canada are seeking to ensure that local taxpayers will not be responsible for the costs of clean up arising from accidents and spills. The Federation of Canadian Municipalities has submitted to the California Transportation Agency a brief arguing that the public is effectively the insurer in significant railway accidents, and that there should be a national funding mechanism that would provide full coverage for disasters including contributions from everyone involved in the transportation of hazardous materials by rail, including carriers, importers, producers and industrial purchasers. The Railway Association of Canada also suggests a common fund drawing from everyone in the supply chain, noting that railroads may not be able to secure sufficient third party liability insurance on their own. The U.S. Association of American Railroads takes a similar position, based on the government mandate that carriers move hazardous substances.
Insurers weigh risks of an oil-train catastrophe
Railroad operators cannot refuse to transport cargo, no matter how hazardous it is, as long as it is provided in accordance with regulations. Under the law, it is the railroad that is responsible for liability if an accident occurs and the substance is released and causes damages. This is true even if the accident does not result from the railroad’s negligence, and if the shipper had a safer container it could have used. Such an accident in a heavily populated area could bankrupt the railroad, because they cannot carry insurance limits sufficient to cover all the losses. Railroad operators are seeking a cap on their responsibility or loss sharing with shippers, but shippers are resisting such changes. Most pools don’t insure cities in major urban centers, but these trains are being routed through more rural areas where pools’ members may be located. Pools may want to alert their members that it is worthwhile to know what the trains going through their area are carrying for emergency planning and loss control purposes, even if they are unable to change that routing. Pools may also want to consider whether the indemnification that railroads often require from cities might come into play in these situations.
Arizona city denies claims from Yarnell Hill Fire
The city of Prescott, Arizona has denied more than 100 claims filed by owners of property damaged and relatives of firefighters killed during the Yarnell Hill fire in June 2013. The city responded that it was not liable because it did not act intentionally, recklessly or negligently. Attorneys for the property owners commented that because city personnel played key roles in managing the firefight, the city is liable for their negligence. Attorneys for the 12 families previously commented that the firefighter deaths were preventable. Those families are seeking from Prescott and other entities more than $220 million in damages plus changes in firefighting techniques and additional training to become wildland firefighters. The State Forestry Division was found by the Arizona Division of Occupational Safety and Health to have prioritized protection of property over safety and was fined. That sanction is under appeal.
Property & Casualty
Reaping the Financial Rewards of End-to-End Claims Analytics
Property Casualty 360, 2/3/2014
End-to-end predictive analytics helps improve claims outcomes by:
- Improving the assignment of various claim professional disciplines, such as adjusters, health care professionals and other specialties to files throughout their life cycle
- Increasing the focus on high severity claims, where early intervention can affect the outcome
- Improving referral to special investigative units
- Enhancing the focus on return to work and safety
- Reducing claims duration by supporting the segmentation of claims into groups reflecting potential severity
The models use statistical methods to systematically identify danger signs that a claim may become a problem before adjusters can recognize the complex patterns indicating deterioration. Models are not helpful, however, unless they can be incorporated into the organization’s workflow. Developing a plan for using the model is thus a useful precursor to developing the model. Plan development should involve key claims professionals to ensure that there is ownership, acceptance and use of the eventual model. A communications plan is also essential to convey to claims adjusters that the models are an enhancement of, rather than a replacement for, their own professional skills.
3 Barriers Keep Insurers from Fully Using Analytics Investments
Property Casualty 360, 2/3/2014
An Accenture study found that insurers are not achieving the full benefits from using analytics for reasons including failure to use data as a strategic tool throughout the organization, rather than as a tactical tool in specific units. Another limit is the use of data retrospectively to understand the past rather than prospectively to predict what will happen. The barriers to utilizing analytics investments, which can be instructive to pools considering a program, were identified as:
- Inadequate human and technological resources
- Lack of strong management support
- Competition for specialized talent for data mining
Fitch Releases New U.S. Property/Casualty Insurance Reserve Development Report
Fitch Ratings has issued a special report entitled “Property/Casualty Loss Reserve Development – Five Insurers Carry Trend”, which is available to subscribers through a link in this article. Fitch finds that five insurers account for about 75% of the favorable reserve development during the first nine months of 2013. It concludes that the pattern of favorable and unfavorable loss reserve development it describes in the report indicates weakening of the industry reserve position over time.
Competition, soft pricing in reinsurance to pressure ratings: S&P
Standard & Poor’s is forecasting rating pressure for reinsurers due to an oversupply of reinsurance capital, increased competition from both traditional and non-traditional sources and soft pricing. For the prior eight years, S&P issued stable outlooks for the global reinsurance sector. The article provides a link to the full S&P report for those who are S&P subscribers.
Wells Fargo Predicts Continued WC Rate Increases for Much of 2014
Property Casualty 360, 2/5/2014
Wells Fargo has issued a Market Outlook Report that forecasts a good year for most commercial property and casualty insurers. Rate increases are forecast for the first three quarters of 2014, as is continued reduction in the combined loss ratio due to higher prices over the past three years.
Six Strategies for a Stronger Safety Culture
EHS Today, 1/22/2014
Organizations with good workers’ compensation loss experience are likely to make safety a priority and engage their workers in taking personal responsibility for their own safety. A strong safety culture also improves the way the organization functions in other ways. The six strategies recommended are:
- Setting safety goals and establishing accountability for meeting them.
- Engaging workers in the safety program, including involving them in monthly safety meetings that feature active employee involvement and two-way communication.
- Recognition of employees for good safety performance.
- Providing tangible rewards for meeting goals, which rewards should be significant but not so substantial that they discourage injury reporting.
- Senior management expression of personal appreciation to thank award winners.
- Management demonstration of its commitment to safety by responding promptly to safety hazards and employee suggestions and engaging employees in the process.
Other Topics of Interest
Electronic Discovery & Information Governance: 2013 Tips of the Month - A Compilation
Discovery of electronic documents continued to mature in 2013. Notable events included:
- The lack of dramatic changes in 2013 may provide additional predictability for potential litigants.
- The release of proposed new provisions of the Federal Rules of Civil Procedure for public comment that would narrow the scope of potential discovery and limit the imposition of sanctions.
- Development of case law around cost recovery and court imposed sanctions.
- Continuation of keyword searches as a defensible strategy for identifying documents.
- Changes in the use of technology continue to drive changes in e-discovery, making communications as ephemeral as text messages subject to discovery and preservation requirements.
Financial Illiteracy: One of Government’s Biggest and Least-Discussed Problems
Lack of detailed financial knowledge and experience can expose public officials and local governments to liability for financial decisions made with inadequate understanding. Term limits contribute to these problems by rotating out officials who have acquired some knowledge on the “job”. New provisions of the Dodd-Frank law, including a more precisely written definition of who may act as a financial advisor for governments, may complicate matters. Pools that provide public officials liability coverage may be at some risk of liability for the actions of ill-informed public officials, and thus have a financial stake in encouraging their members to educate council members about the decisions with which they will be involved.
Mandatory Bi-Annual Physical Fitness Testing
Law and Order, 9/2013
One approach to ensuring that public safety officers are able to perform their job duties professionally and safely is a physical fitness test administered twice annually. The officer’s ability to perform physical tasks associated with law enforcement would be tested, and a comprehensive program of moderate weight training, aerobic exercise, reduction of obesity, and monitoring of mental health status and cardiac fitness might also be a part of this program. Although pools might encounter resistance from members in implementing a program quite this comprehensive, elements of it might well be worthwhile incorporating into pools’ public safety programs.
Study: Traumatic Spinal Cord Injuries on the Rise in U.S.
Claims Journal, 1/30/2014
Falls among the elderly (65 and older) are an increasing cause of spinal cord injury. Serious spinal cord injuries can result in medical bills from $1 million to $5 million, depending on age at the time of the injury and its severity. As the boomer generation ages but tries to remain more active, this may create the potential for catastrophic workers’ compensation and liability losses based on what might have been less serious injuries in the past.
2014 NLC-RISC Trustees Conference
Conference registration is now available!
May 8-9, 2014
Westin San Diego Gaslamp Quarter
The NLC-RISC Trustees Conference provides trustees and pool administrators of state municipal league risk pools the opportunity to learn about industry trends, programs, services and pooling best practices. The conference offers many opportunities to share creative ideas and solutions, and to network with peers from across the country.
Conference registration and hotel reservations are now available. Click on the title above or here to be directed to the event page, which includes a preliminary schedule. The deadline to register is April 15th.
Employment Opportunities in Pooling
The following job postings are now available. Click on the job title to be directed to more information on the pool's website.
Director of Employee Benefits Insurance Program, Rhode Island Interlocal Risk Management Trust
Responsible for the operation of self-insured health and dental intergovernmental pools, as well as life insurance program for RI municipalities, schools and special purpose districts. Health and dental pools involve combined premiums in excess of $130M with nearly 10,000 employee subscribers. Read more.
Letter of interest, resume and compensation expectations to Heather A. Sheley, Chief Financial and Administrative Officer, RI Interlocal Risk Management Trust, 501 Wampanoag Trail, Suite 301, East Providence, RI 02915 or via email to EmployeeBenefitDirector@ritrust.com.