RISC eNews

March 31, 2014

New Staff Member for NLC-RISC & NLC Mutual
We are thrilled to announce that Jessica Carmona has been hired as our new Senior Program Coordinator supporting both NLC-RISC and NLC Mutual. Jessica is originally from Houston, Texas and received her B.A. from Sam Houston State University in Huntsville, Texas. She worked as a program assistant for the City of Huntsville, and most recently she was a law assistant at a D.C. law firm and did an internship at the Department of State. You will have a chance to meet Jessica at the upcoming Trustees Conference and will start seeing communications from her in the coming weeks. Please join us in welcoming Jessica to the NLC-RISC and NLC Mutual family.

NLC-RISC Online Training Issue Group
NLC-RISC is working to establish issue groups around key areas where there are opportunities for greater collaboration among NLC-RISC member pools. Online training is one area where there are strategic issues and questions facing pools. Some pools are just starting out while others have been offering online training for some time.
The Online Training Issue Group, led by Michael Fann and George Dalton of the Tennessee Municipal League Risk Management Pool (The Pool), has been established by the NLC-RISC Board of Directors. The goal of this group is to evaluate opportunities for greater collaboration of pools in online training modules, and to consider the extent that NLC-RISC can (or should) leverage the collective group to bring economies of scale and enhanced online training services and products to pools and their members, much in the same way that we have leveraged the collective group in the areas of cyber security / data breach and disaster recovery.

One of the important tasks of the issue group is to identify the online training needs of other RISC member pools. This will help inform and guide their work in developing recommendations on specific goals and outcomes of this project.

The survey was sent to pool administrators earlier this month.  The deadline to complete the survey is Friday, April 4th. Results will be shared with the Online Training Issue Group in April and with the NLC-RISC Board of Directors at their May meeting.  We will also offer a conference session on this topic at the Trustees Conference in San Diego and will keep the RISC membership updated on this project.

Data Breach & Cyber Security

The Wild West Of Data Breach Enforcement By The Feds
Mondaq, 3/18/2014

Both the Federal Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) have authority over data breach enforcement. HHS has authority under HIPAA, but is subject to defined criteria for determining whether rules have been violated. The FTC has the power to bring an enforcement action based on an allegation that the entity’s data practices are “unfair” because they are not “reasonable”, without regulations or guidance as to how these terms are applied. The lack of guidance for application of the FTC’s rules hampers compliance efforts, but is not likely to be remedied in the near future because courts are limiting targets’ ability to determine the legal reasoning behind the action against them.

How To Respond To A Data Breach
Mondaq, 3/17/2014

This is a detailed to-do list for following up on a data breach. Although not a substitute for a post-breach consultation with a breach coach, it can help prepare pools and their members for the process that will ensue after a breach.

OCR Settles Potential HIPAA Violations With County Government For $215,000
Mondaq, 3/14/2014

The Department of Human Services Office of Civil Rights has entered into its first HIPAA settlement with a county government, confirming that local governments must comply with HIPAA when handling patient information. The violation occurred when electronic protected health information was inadvertently moved by the county to a publicly accessible server and accessed by unknown parties. The investigation found:

  • The information was disclosed
  • The county failed to provide breach notification as required by HIPAA
  • The county did not have policies and procedures to ensure compliance with the HIPAA security rule
  • The county failed to provide security awareness training to its staff

Is Government Ready to Say Goodbye to Windows XP?
Government Technology, 3/14/2014

As of April 8, 2014, Microsoft will no longer be supporting Windows XP, an operating system still relied upon by many local governments. That means no security updates if they continue to use XP and fail to enter into a special paid support relationship being offered by Microsoft, which is unlikely to be cost effective for small public entities. Pools may want to ensure that their members are aware of this pending increase in cyber vulnerability.

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
Bloomberg Business, 3/13/2014

Target’s malware detection system identified the intrusion into its system that resulted in the loss of 70 million pieces of personal information. Security specialists located in Bangalore were alerted by the malware detection system, and the Minnesota-based security team was notified but failed to respond. This detailed analysis of the breakdown in the system indicates that had the security team responded to the alerts by the system, it could have prevented the loss, reinforcing once again that the human factor is one of the greatest risks to data security.

BYOD Could Spell Trouble: Survey
Property Casualty 360, 3/11/2014

A survey conducted by a technology vendor found that roughly 30% of responding organizations, which ranged in size from 200 to more than 10,000 employees, are not addressing specific BYOD security issues in their workplace. This could be a concern for pools, which may have exposure for much smaller organizations that may be even less cognizant of the BYOD issue.

Five Valuable Takeaways from Recent Cyber Breaches
Property Casualty 360, 2/28/2014

The five takeaways identified – and some additional comments – are:

  • Communicate quickly and carefully (You don’t want victims to find out through a third party source, but you also want to take time to determine what happened before taking action.)
  • Hackers aren’t the only concern (Internal physical access, employees, vendors, improper access or disposal of paper records can all be a threat too)
  • Develop and enforce policies for all levels of the network
  • Institute controls for vendor access
  • Make the right response tools available

Five out of state Minnesota banks sue Target over data breach
Star Tribune, 2/25/2014

One of the causes of action is based on the Minnesota Plastic Card Security Act, Section 325E.64 of the Minnesota statutes. The statute prohibits retention of credit or debit card data for more than 48 hours after a transaction. That statute imposes on any person or entity that violates statutory requirements liability for financial institutions’ costs of reasonable actions taken to protect their cardholders after a breach. Several other states have adopted similar laws, so pools may want to investigate whether their state has adopted such legislation and, if so, what exposure it produces for the pool and its members.

Email Attack on Vendor Set Up Breach at Target
Krebs on Security, 2/14/2014

In a demonstration of how carefully one must choose one’s business partners, investigators believe that the attack on Target began with a phishing attack conducted through email directed at employees of a HVAC vendor to whom Target had issued network credentials. The vendor may have been identified through internal documentation for vendors on public facing web sites.

Data Breaches and CGL Policies
Wiley Rein, LLP, 2/12/2014

Organizations affected by data breach are subject to demands from all sides – their customers whose data has been breached, regulators, and credit card companies - to name a few. Some, especially those that do not have special cyber coverage, look for coverage under CGL policies. Among the interesting points made are:

  • Coverage A - Bodily Injury and Property Damage - More recent CGL policies attempt to avoid coverage for property damage and bodily injury by providing that “electronic data is not tangible property” (ISO Form No. CG 00 01 10 01 (2001)) and may exclude “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” (ISO Form No. CG 00 01 12 04 (2004)).
  • Coverage B – Personal and Advertising Injury – Policyholders are seeking coverage under the provision that covers “damages due to oral or written publication of material that violates a person’s right to privacy”. Currently, meeting the requirement of “publication” remains a key challenge in data breach situations, and some of the questions that will determine whether publication has occurred are:
    • Does breach by a criminal result in a sufficiently widespread distribution to constitute publication?
    • Is a voluntary, affirmative action on the part of the insured required to constitute publication, or is a passive and perhaps negligent failure to protect data enough?
  • The evolution of claims from being based on “publication” to being based on failure to notify under state statutes may reduce the viability of this argument.
  • Some relief sought – such as statutory penalties – may not constitute covered damages.
  • New exclusions being proposed by ISO for May 2014 would exclude claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information”.
  • Some CGL policies include exclusions for violations of statutes, which would exclude the failure to notify claims.
  • Contractual claims, such as those for credit card industry fines, can arise from a data breach and are not generally covered under a CGL policy. However, the amounts are very substantial and how they are characterized – compensatory v. punitive – may affect whether there is an argument for coverage.

A link to the full article is available above.

This Brand of Terrorism Could Be a Bigger Risk Than Cyber Attacks
Daily Finance, 2/8/2014

Cyber attack on utilities has been a major security concern, but this physical attack on an electric utility in California shows how a relatively low-tech physical approach can seriously damage a utility and bring it offline for a significant period of time. In this case, a blackout was avoided by using excess capacity, but such capacity may not always be available. A service provided by NLC-RISC partner Agility Recovery services could help a pool’s member continue operations.

10 Questions to Ask About Your Agency's System Security
Property Casualty 360, 2/6/2014

Among the issues for insurance agencies and others to consider are:

  • Ensuring that staff and contractors understand and carry out their responsibilities
  • Compliance with laws
  • Adequacy of technological defenses
  • Vulnerabilities of software developed in-house
  • Response planning
  • Business continuity

Employee Benefits

Final HHS rules set PPACA reinsurance fee amounts, payment schedule
Business Insurance, 3/6/2014

The U.S. Department of Health and Human Services recently finalized the rules for the transitional reinsurance fees and payment schedule. The final rules also provide for a limited exception for those plans that are both self-insured and self-administered. NLC co-signed with AGRiP on a comment letter arguing that HHS lacked authority to exempt self-insured and self-administered plans. The comment letter also argued for a tiered approach to the fees so that the fees for plans that would not directly benefit from them would be less. Both arguments were rejected in the final rules, so NLC-RISC member health pools that are self-insured will be required to pay the fee unless they are self-administered.

Employment Practices

EEOC's Important New Guidelines On Accommodating Religious Dress And Grooming
Mondaq, 3/8/2014

The EEOC has published a report entitled Religious Garb and Grooming in the Workplace: Rights and Responsibilities. The Guidelines underscore the need to accommodate an employee’s religious beliefs in the workplace unless doing so would be an undue hardship on the operation of the employer’s business. They also provide a number of examples that may be useful to pools during training. A link to the guidelines is provided in the article.

Pregnant Employees Become The Subject Of Heightened Attention And New Legislation
Mondaq, 2/23/2014

The EEOC has increased its focus on discrimination related to pregnancy, including denial of reasonable accommodations, such as bathroom breaks, rest breaks, private locations for pumping breast milk, the need for increased fluid intake, and less strenuous or hazardous work, and leave. A Pregnant Workers Fairness Act is in committee in both houses of Congress, and a number of states have passed or are considering their own laws prohibiting pregnancy discrimination. Pools can help their members by including information about pregnancy discrimination in their employment practices liability training curriculum.


Oil and gas wastewater disposal causes cascade of Oklahoma quakes-USGS
Reuters, 3/11/2014

The United States Geological Survey has released a study concluding that a series of earthquakes in Oklahoma during November 2011 were likely triggered by underground disposal of wastewater used in fracking.


Dropped Stretcher Case Brings Clarification To Good Samaritan Law
Connecticut Law Tribune, 3/7/2014

Another case has raised the issue of whether EMTs are entitled to immunity for injuries suffered by a plaintiff who falls off a stretcher while being transported. The Connecticut Good Samaritan Statute provides EMTs and other medical professionals with immunity if an injury occurs while providing first aid. A trial court judge in Connecticut has ruled that the EMTs are entitled to immunity under the statute even though the injury occurred from a fall off of a stretcher, which is arguably outside the course of providing first aid. Although it is not expected that this case will move forward on appeal, if enough similar cases come forward one of them may go to an appellate court and result in precedent. Pools may want to be sensitive as to how their state’s law operates, and whether it draws this type of distinction between immune and non-immune functions of EMT personnel.

Florida trooper who stopped speeding cop sues after alleged harassment
Fox News, 2/11/2014

A Drivers Privacy and Protection Act case is pending in Florida, where a Florida Highway Patrol trooper pulled over and arrested a Miami Police Department officer for driving 120 MPH on his way to an off duty job. The arresting officer began to be harassed and made a public records request from the Department of Motor Vehicles, where she found that her records had been accessed by 88 officers from 25 different agencies. Attorneys for the agencies have sought dismissal, claiming that police officers cannot be held liable unless they try to sell the information. The US Department of Justice takes the position that Congress can regulate the activity even if the data isn’t being sold.

California Appeals Court Widens Employer Liability for Employees’ Traffic Accidents
Saqui Law Group

A decision by the Second Appellate Division of the California Appellate Court may expand the liability of employers for accidents that occur while employees are commuting to and from work. On her way home at the end of the work day, the employee collided with a motorcycle in the parking lot of a yogurt shop where she was stopping for personal reasons. Although this is a liability case, it has potential implications for workers’ compensation as well. The employer argued that it was not liable for injuries to the motorcyclist under the “coming and going rule”. The court held that because the employer required the employee to have a vehicle at work and make regular work-related trips using that vehicle, and thus derived an “incidental benefit” from the use of the vehicle, the employee’s use fell under the “required vehicle” exception to the “coming and going rule”. The employee’s personal use on the way home was foreseeable and not a substantial deviation from her commute. Although this is a California case, pools may want to review their own states’ “coming and going rules” to evaluate whether there is the possibility for this extension. The California Supreme Court denied the petition for review on December 18, 2013, so this is the final decision. The full opinion is available here.

Medicare Secondary Payer

CMS Publishes New Version of MMSEA Section 111 Medicare Secondary Payer Mandatory Insurer Reporting User Guide, Version 4.1
Franco Signor, 2/19/2014

CMS has published Version 4.1 of its MMSEA Section 111 Medicare Secondary Payer Mandatory Insurer Reporting User Guide. Some previously used codes are now invalid, and a link is provided to a list of those codes. A new website has also been established, effective April 1, for the Benefits Recovery and Coordination Center. The Coordination of Benefits Contractor and the Medicare Secondary Payer Recovery contractor will be retired.

CMS Listens to WCMSA Community and Requests Industry Comments to Expand Re-Review Process for WCMSA
FrancoSignor Blog, 2/12/2014

The Center for Medicare and Medicaid Services has issued a non-regulatory request for comments on its intent to expand its re-review process for Workers’ Compensation Medicare Set Aside Agreements. Comments are due by March 31, 2014, and Franco Signor is planning on commenting. At present, the situations where re-review is granted are very narrow, and they prevent correction of obvious errors. Under the proposal, re-review would be available at any time for a math error in the set-aside amount or an original submission that included case records for another beneficiary. Re-review within 180 days of the WCMSA approval would be granted in a variety of situations. It isn’t clear why there should be a 180 day limit on changes. Some of those reasons could easily develop after the 180 day period, such as changes in the beneficiary’s treatment plan or potential harm to the beneficiary due to a recommended treatment. Failure of the claim to settle could also take place outside the 180 day period.

Property & Casualty

Senate Passes House NFIP Rate-Hike Delay; Bill Goes to President
Property Casualty 360, 3/14/2014

HR 3370, the bill that delays implementation of many of the more controversial components of the Biggert-Waters Act of 2012, was passed by both the House and the Senate and is awaiting signature by President Obama. Biggert-Waters attempted to return solvency to the National Flood Insurance Program by implementing actuarially sound rates in flood prone areas. The dramatic increase in flood insurance costs motivated the relatively speedy passage of the legislation. Reaction of the insurance industry has been mixed, with ongoing concern that NFIP as it exists is financially unsustainable.

The Washington Report: With Flood Out of the Way, Time to Focus on TRIA
Property Casualty 360, 3/17/2014

Expiring commercial and property casualty policies are increasingly including exclusions for terrorism events that will take effect if Congress does not renew the Terrorism Risk Insurance Act or makes significant changes to it. Discussion is expected to begin in the spring, which may result in passage of TRIA renewal too late to be of help for public entities with July 1 renewals.

A Bird’s Eye View of Visual Underwriting
Claims Journal, 3/10/2014

Although pools are unlikely to eliminate site visits from their underwriting and customer relations processes, aerial technology and other technology resources may be useful adjuncts in some situations.

The Changing Face of Right to Reimbursement for Defenses Provided Under Reservation of Rights
Property Casualty 360, 3/5/2014

There is a national move away from courts approving an insurer's recoupment of defense or settlement costs in claims defended under reservation of rights. This survey of case law throughout the US concludes with recommendations that insurers amend policies to specifically provide for a contractual right to reimbursement and insurers consider a declaratory rights action early in investigation to confirm whether or not there exists a duty to defend.

The Future of Drone Use in the Insurance Industry
Claims Journal, 3/3/2014

Drones may in the next few years be a tool commonly used by insurers for insurer property damage assessment and for underwriting purposes. Although internal expertise in drone operation might be developed by some large insurers, it seems more likely that pools would contract out for these services if and when they are needed. Privacy concerns may not be a barrier, because similar access to property is available using fixed wing aircraft and site visits. One issue that remains unclear is FAA authority over the activity.

Tornadoes and Severe Convective Events: Insurance Trends and Challenges in an Era of Climate Volatility
Insurance Information Institute, 2/11/2014

A wealth of CAT data is explored in this presentation by Insurance Information Institute president Robert Hartwig. Trends in data related to losses show that tornadoes and convective events (straight line winds, tornadoes, hail, heavy precipitation, flash floods and lightning) are an increasingly leading cause of catastrophic claims in the U.S. In 2013, severe thunderstorms accounted by far for the greatest number of events, fatalities, estimated overall losses and insured losses. Data from 1993 through 2012 are reviewed for various types of CAT losses, and show an increase in the share of tornadoes in these losses. The losses associated with the top 16 major disasters in US history are explored, as are the trends in losses from 1980 through 2013, with a special focus on the losses from tornadoes.

Social Media

Trojan Horse Privacy Laws: Facebook Snooping
Mondaq, 3/3/2014

Employer policies reserving the right to monitor employee activities on employer owned computers may not protect the employer from liability under new state privacy laws if they try to access employee social media. The new state privacy laws that protect employee social media from employer access may be relied upon by courts even if the employer takes a more oblique approach to access, for example asking a co-worker who is friends with the employee to provide access.

Workers' Compensation

The Holy Grail Of Safety: A Single, All-Encompassing Safety Leading Indicator
EHS Today, 2/6/2014

A research team at Carnegie Mellon University has used predictive analytics to support what safety professionals have been saying for years: that accidents are correlated with the outcomes of safety inspections, and thus inspections are a critical part of a good safety program. The research was conducted by using computers to compare the history of safety inspection outcomes with accident experience over the same four-year time period.

Is The Super Potent New Opiate Painkiller Zohydro Just Too Dangerous?
Forbes, 2/28/2014

A potent new opioid painkiller has been approved for release by the FDA. Zohydro is an extended release of hydrocodone that is five to ten times more powerful than Vicodin. A coalition of doctors, lawmakers and addiction specialists believe it may trigger an increase in overdoses and deaths. It is believed that a new user could die from ingesting as few as two pills, and that a child could be killed by a single pill. Pools that cover workers’ compensation for their members may find this new medication to be of special concern, especially if workers’ compensation claimants get access to it through physicians treating them for work related injuries.

Conn. Legislators Propose Workers’ Comp Coverage for Mental Trauma
Insurance Journal, 3/13/2014

The Connecticut legislature is considering legislation that would make post-traumatic stress disorder compensable for employees who visually witness the death or maiming, or the immediate aftermath of such death or maiming, of one or more human beings. The full text of S.B. 56 is available here. A link to comments by the Connecticut Conference of Municipalities, which opposes the measure as a new unfunded state mandate, is here. Another bill would affect all employees who witness an intentional death or maiming, or its aftermath, for an emotional or mental impairment, not just PTSD.

Workers’ Comp Needs to Catch Up with Healthcare Changes
Insurance Journal, 3/12/2014

Workers’ compensation could see reduced costs as people have less need to falsely claim work-related injuries to obtain medical coverage. However, if employers move to high deductible plans and severely restrict access to care, workers’ compensation may still see overuse because it will have the broadest possible networks and lowest cost sharing requirements.

Upcoming Events

NLC-RISC 2014 Trustees Conference
May 8-9, 2014
San Diego, CA

Registration and hotel reservation deadline is April 15th!!  The NLC-RISC Trustees Conference provides trustees and pool administrators of state municipal league risk pools the opportunity to learn about industry trends, programs, services and pooling best practices. The conference offers many opportunities to share creative ideas and solutions, and to network with peers from across the country.  Click here for details.

Employment Opportunities in Pooling

Please click on the job title below to be directed to the pool's job posting on their website. To post a job ad in the RISC eNews, please contact Erin Rian, Program Manager.

Texas Municipal League Intergovernmental Risk Pool
Austin, Texas

The Texas Municipal League Intergovernmental Risk Pool, a public entity risk pool providing property, liability and workers' compensation coverages to more than 2,700 local governments in Texas, is seeking an Underwriter specializing in commercial lines of business. Read more.

Underwriting Representative
Denver, Colorado

CIRSA is seeking an Underwriting Representative at the experienced or senior level. Read more.