Risk Management Interest Group
Risk Insights
Volume 30 | Number 1 | October 2013

Message From the Chair
by Dave Stokey, CPCU, ARM

Dave Stokey, CPCU, ARM, is vice president of Willis of Texas, Inc., in Dallas. He has held this position since 2005 and has more than forty years’ experience in insurance and risk management. Previously, Stokey was chief underwriting officer for Deep South Surplus, Inc., a large, regional managing general agency, and regional vice president for Crum & Forster Insurance Companies’ Atlanta regional office. He holds a bachelor’s degree in business administration from The University of Texas at Austin.

We are pleased to bring you the Risk Management Interest Group’s latest newsletter!

Our interest group mission statement is: “Our group is dedicated to the study of, and participation in, all aspects of risk management. We provide current and relevant information to members pertaining to the practice of risk management and its principles through supportive interdisciplinary communication.” That’s an accurate statement, but it seems pretty dry to me, so let me try to humanize it.

As you know, risk management is much broader than the purchase of insurance products. Risk management is a process of identification, assessment, control, avoidance, minimization, or elimination of unacceptable risks via risk assumption, risk avoidance, risk retention, risk transfer, or a combination thereof to address the management of future events (once again, a broad statement). As CPCUs, we understand that insurance (a type of risk transfer), while an important part of risk management, is one way of dealing with the financial impact of a covered loss. It is a way to have a third party pay for the loss and minimize the impact on an organization’s balance sheet—or, put another way, of trading uncertainty for certainty.

Because of the broad-based nature of risk management, there is very little that our interest group’s newsletter might not address. This newsletter includes articles on these diverse topics:

• “The Crimes They Are a-Changin’,” by Jerome “Jerry” Trupin, CPCU, CLU, ChFC
• “Near Field Communications: A Change in ‘Frequency’,” by Larry Collins, vice president, e-solutions, Zurich Services Corporation
• “When a Client Uses Temporary Labor Firms,” by Glenn Peterson, CPCU, ARM-E, CIC, CRM, RIMS Fellow

If you haven’t already selected your primary interest group, please consider joining the Risk Management Interest Group by signing on to www.cpcusociety.org, then going to My Account > Interest Groups > Edit Primary Interest Group and selecting the Risk Management Interest Group. If you’ve already selected a primary interest group, we welcome you to select Risk Management in My Additional Interest Groups.

What’s in This Issue
• Message From the Chair
• When a Client Uses Temporary Labor Firms
• What You Don’t Know Can Hurt You
• The Crimes They Are a-Changin’
• Near Field Communications: A Change in “Frequency”

When a Client Uses Temporary Labor Firms
by Glenn Peterson, CIC, CRM, CPCU, ARM-E, RIMS Fellow

Editor’s note: This article appeared in the July 2012 issue of Rough Notes magazine and was furnished by The National Alliance for Insurance Education & Research. It is used with permission.
Examine the terms of temp service agreement carefully

Glenn Peterson, CIC, CRM, CPCU works for EWI Risk Services—the risk management arm of Dallas-based Contran Corporation. He is responsible for global risk management and loss control for the Contran group of companies. The group is diversified and includes steel and related products, titanium metal products, titanium dioxide products, mining, metal working businesses, marine businesses, and the treatment and disposal of low-level radioactive waste.

Organizations face a number of exposures when utilizing services provided by contract/temporary labor companies. In most cases, the organization utilizing the services expects that, in exchange for paying the labor provider a rate, the labor provider will address any issues/losses/claims associated with the services provided by its employees. A properly written agreement, supported by insurance, is a critical part of the process necessary to ensure that such expectations are met.

Without a proper written agreement in place, there may be situations where your client’s organization could be financially responsible for paying claims or dealing with lawsuits relative to injuries to, or the actions of, the labor provider’s employees. Examples include the following:

• Injured contract labor workers could be deemed to be your client’s employees for workers compensation purposes (for both benefits and premium payment).
• The contract labor provider’s insurers may subrogate against your client. In other words, the contract labor provider’s insurers will try to make your client’s organization reimburse them for any payments they have made on behalf of their insured.
You can overcome this by requiring that the labor provider’s insurers waive subrogation in favor of your client.
• Your client could be liable in lawsuits brought against it by the contract labor provider, its employees or their families, their legal representatives, and/or heirs.
• Your client could be subject to labor-related fines/penalties.
• Your client could be deemed vicariously liable for auto accidents involving contract labor workers while they were driving a vehicle related to work for your organization.

In order to manage the types of exposures set forth in the above examples, it is necessary that the applicable agreement contain appropriate indemnity and insurance provisions to protect your client. Note that such agreements should always be reviewed by legal professionals prior to their acceptance and execution.

It is important that the contract labor provider has the financial capacity to support the indemnities/liabilities that they assume. There are two general ways to do this: 1) ensure that the contract labor provider is financially sound and credit-worthy, and 2) insurance. If a contract labor provider is financially strong, it will have the funds available, or can borrow the funds to support the indemnities that it has assumed in the written agreement. By incorporating insurance requirements that backstop the indemnities into agreements, you can look to both the contract labor provider and its insurance for compliance.

It is important to clarify each party’s responsibility for safety- and health-related issues in the written agreement. Questions that need to be addressed include:

• What general types of safety training are required by law and by your client’s policy (safety orientation, Material Safety Data Sheet location, emergency response plan, etc.)? Which specific types of training are needed for the jobs to be performed?
Of the identified training, which party provides the initial safety training and which party provides site-specific training? (Remember that your safety policies may be more stringent or more specific than OSHA requires.) Regarding training provided by the contract labor provider, are their instructors qualified to conduct the training? Do they keep the required written training records? Where are the records stored and how does your client gain access, if needed? For example, the contract labor firm may provide general Hazard Communication training that must be supplemented by your client’s site-specific Hazard Communication training.
• Which party is responsible for supplying personal protective equipment?
• How will the issues of medical monitoring and contract/temporary laborer medical files be addressed?
• Who is responsible for drug testing, if utilized?
• If contract or temporary workers are to drive any vehicle on behalf of the organization utilizing the services, there should be a provision relating to driving records/vehicle use. In other words, what steps does the contract labor provider take to ensure that its employees have responsible driving records?

Note that, if your client is the host employer, it is likely responsible for OSHA reporting and record keeping relative to employees of contract labor firms working at its sites. This includes the completion of OSHA 300 and 300A forms. Whether your client is deemed to be the employer in such a situation depends on a number of “control” tests. Information on these tests can be found in letters of interpretation at www.osha.gov.

Suggestions for your clients (or for you if you use temporary labor firms):

• Be wary of issuing job orders over the Internet. In order to do so, you may have to acknowledge that you accept the contract labor provider’s electronic terms and conditions as a precedent to completing the order.
Such terms could be contrary to your organization’s interests. In order to avoid this, the written agreement should contain a section stating that the agreement controls over any provisions to the contrary contained in purchase or work orders, on Web sites, or in other related documents issued by, or owned by, the contract labor provider.
• Be sure that the agreement does not limit your organization’s ability to use other labor contractors as you deem appropriate (do not agree to exclusive provider terms).
• One advantage of contract labor is that an organization may identify persons sent by the temporary labor firm whom it wishes to hire as full-time employees. Thus, the organization should ensure that the agreement sets forth the terms for its being able to do so (timing, fees, etc.).
• Include language stating that the indemnities assumed by the contract labor provider will survive termination of the agreement. If an action is brought against your organization after termination of the agreement for an event that took place during the term of the agreement, you want the contract labor provider to assume the liability.
• The agreement should specify that the labor provider is not permitted to utilize any subcontractors on jobs performed for your organization. The permitted use of subcontractors in these types of agreements opens up another set of potential liabilities.
• Clarify that your organization can immediately remove any contract labor employee it deems to be unsafe or unsuitable for the job, in your organization’s sole discretion.
• There is a relatively new trend in indemnity language whereby companies try to contractually limit their assumed liabilities. There are two common forms of this. The first form is where the company assuming the indemnity limits its liability to a specific dollar amount--say $100,000. The second form is where the company assuming the indemnity limits its liability to the amount of money your organization has spent with it.
For example, suppose your organization enters into an agreement with a labor provider and ultimately pays the provider $240,000 for services. Further assume that the service agreement with the labor provider states that its liability is limited to the amount it is paid under the written agreement (in this example, the $240,000). To take this example a step further, suppose that as a result of an accident involving one of the labor provider’s employees, your organization is sued for $1 million and is ultimately deemed liable for the full amount. In this example, the most the contract labor provider would pay under the indemnity is $240,000. Your organization would then be responsible for the remaining $760,000. In this writer’s view, if the contract labor provider holds itself out to the public as a provider of qualified/trained labor, then it should assume the liabilities associated with same.
• Require that the labor provider’s workers compensation coverage includes an Alternate Employer endorsement in favor of your organization.

It is always preferable to take the time, up front, to clarify the terms of business. With a properly structured labor services agreement, should an accident or incident occur, you know who is responsible for what. Without clarification, after-the-fact events can become expensive, time-consuming, high-profile, and potentially damaging to the reputation of your organization (litigation, regulatory fines and penalties, media coverage, etc.).

What You Don’t Know Can Hurt You
by Jeff McKissack

Jeff McKissack, president of Defense By Design, is a noted authority in the field of preventing violent crime and provides consulting and training to a wide range of businesses and industries across the country.
He has personally addressed over 350,000 people in live training and addressed countless others through radio and television interviews across the United States and Canada. McKissack has conducted continuing education seminars for those in the legal, medical, educational, financial, human resource, risk management, and insurance professions. McKissack is a contributing writer to several state and national trade publications and is author of the book, Power Proverbs for Personal Defense. He is based in Dallas.

From shootings at a movie theater in Aurora, Colorado, to shootings at an elementary school in Newtown, Connecticut, we have seen our share of instances of workplace violence in this country over the past year or so. But along with these stories, how many think of other workplace violence cases, such as the recent scandal at Penn State University or even the University of Virginia case in which one of the school’s star athletes murdered his former girlfriend? How about the never-ending cases of sexual exploitation in schools and churches and various youth-oriented organizations?

Wherever you have employees or staff and patrons or students, and something criminal occurs causing someone intentional harm, you have workplace violence—and liabilities. And it is often what businesses don’t know that is hurting them, whether in their local media, the courts, or their bank accounts.

Several years ago at a national gathering for the American Society of Industrial Security (ASIS), workplace violence was addressed, with two major areas of concern coming from the security industry: fired employees who decide to return with a vengeance and cases of domestic violence following (predominately) women into the workplace, often causing additional collateral damage to other workers and/or patrons.

Such stories as the above immediately garner the attention of those in the legal community who specialize in cases of corporate or institutional negligence leading to personal injury.
And often, because of both the severity of these cases and the harm that is done through them, as well as the usual high-profile media coverage that comes with such cases (whether local or national), settlements are high, and judgments can be even higher if pursued in court without a proper paper trail of due diligence as a defense for the company or institution.

The Occupational Safety and Health Administration (OSHA) states that some 2 million American workers are victims of workplace violence each year. Who are those typically affected? According to OSHA’s research, certain groups are at greater risk:

Among them are workers who exchange money with the public; deliver passengers, goods, or services; or work alone or in small groups, during late night or early morning hours, in high-crime areas, or in community settings and homes where they have extensive contact with the public.¹

Businesses are not simply responsible for work done inside the office either. According to the same report above, the list of possible outside employees include “health-care and social service workers, such as visiting nurses, psychiatric evaluators, and probation officers; community workers, such as gas and water utility employees, phone and cable TV installers, and letter carriers; retail workers; and taxi drivers.” But this list can easily be extrapolated to include any person that a business sends out on sales- or service-related appointments or trips, including trade shows, conferences, conventions, etc. Those in outside sales are therefore vulnerable as well. The message is clear: when businesses send people out, they are responsible for the safety of those people while they execute their duties or assignments.

Where OSHA and plaintiff attorneys share a common concern and approach is in the area of education. This is where a proper paper trail can be created and thus documented to help mitigate risks and reduce liability concerns if or when such an instance occurs.
But all too often, the typical corporate or institutional response is to invite in local (and often free) law-enforcement officers, akin to the approach a homeowners association (HOA) might apply to its local crime watch. The problem lies in that if something happens in a neighborhood, the likelihood of the HOA being held negligent is slim to none, as opposed to the same happening with or in a business or institution. Local law-enforcement is typically not educated in these matters, or in the process that should precede or follow such training to document said due diligence efforts. Their training is in public safety, after all.

This is where Human Resources (HR) and Risk Management are more desirable in-house sponsors or coordinators of such efforts. They understand (a) the need and (b) the processes that should follow any and all such initiatives should those efforts later be questioned or called upon for documentation in court.

The typical areas of vulnerability can best be summarized in the following three areas:

1) On-the-Clock Mistakes—These are usually in the areas of hiring and firing and are directly related to HR efforts and practices, but obviously not always if no official HR director or department is present. There are many common mistakes made on the front side of hiring just as there are on the back side of unfortunate firings or layoffs. But as stated before, this is one of the primary areas of concern by the industrial security community regarding instances of workplace violence. However, such crimes as road rage are also becoming an issue when one of the drivers involved is an employee.
2) Off-the-Clock Mistakes—These are generally in the area of employees making bad judgment calls in their personal life leading to incarceration (and unfortunate PR and media for the company); hospitalization (and leave of absence as well as healthcare claims); or even potentially death, with ripple effects felt throughout the company, affecting both employee morale and productivity.
3) Unknown Dramas—These are typically in the areas of domestic violence or (nondomestic) restraining orders being filed against any number of individuals. While most minds lean toward spouse or paramour scenarios, such cases have also been seen involving former vendors/suppliers, former customers, and even private contractors of employees outside of work who knew where the employee could be found for confrontation or retaliation during business hours. Anytime a restraining order (often referred to as a TRO, or temporary restraining order) is filed, it should be a point of concern for an employer. But how many employers have a policy of knowing about such situations prior to their potential escalation in the workplace?

While there are certain physical aspects of security that can be enhanced, such as cardkey or keypad access, self-locking doors, security cameras, metal detectors, or even physical on-site security, the human factor must also be accounted for, which OSHA relates to as well. The impact of educational programs within the workplace, like those that address sexual harassment, cannot be underestimated. And, again, the very practice of such training provides opportunity for both evaluation and documentation.

So, what are some of the best practices that companies and institutions can easily, and often cheaply, employ to decrease these liabilities? Below are the previously discussed areas of vulnerabilities and ways to address them:

On-the-Clock Mistakes
• A consistent check-in policy at the company for anyone with access to other employees beyond the front desk.
• Enhanced background and reference checks for potential new hires.
• Evaluation of current firing practices, including the need for security escorts. These are not always necessary and may, in fact, actually incite actions of physical or legal retaliation if an employee feels he or she has been needlessly disgraced in public.

Off-the-Clock Mistakes
• Educational programs that address employee safety both on and off the clock. These programs can even address after-hours events attended by family members of employees. Security breaches can occur during such events and compromise the safety of family members, so this additional layer or approach might be considered.
• Optional after-hours educational or training events addressing stress or anger management; even physical self-defense could be considered. Regarding the latter, making such training optional is advised. If it were mandated by management, injuries incurred during training could possibly be assessed to the business or institution.

Unknown Dramas:
• On-site training of employees so that they understand the impact such situations can have in the workplace, on both themselves and their co-workers, if kept to themselves
• Enhanced HR policies and procedures to be implemented once such cases are known to the employer
• Improved employee contracts and agreements that clearly spell out these policies and procedures so that any noncompliance leading to violence is associated with an employee’s personal negligence rather than institutional negligence

Another factor that may become more of an issue is the ever-increasing number of gun owners in this country. Ownership itself is not the issue, but the training (or lack thereof) of the owner and where firearms are kept or hidden, including in places of business, are concerns. For the multitenant office building and multifamily apartment industries, this will be even more of a concern. I think all would recognize the importance of responsible gun ownership.
However, irresponsibility in this regard leads to many of the cases we see manifest in local and national media. But all too often, we also see them playing out in court when someone is held negligent due to lack of education, proactive posturing, or consistent corporate policy.

While our minds will always gravitate toward the more visual cases, such as a theater or school shooting, we cannot forget the everyday cases of domestic violence, child/youth exploitation, crime on college campuses, road rage, and other similar situations that cost not only lives but significant financial judgments as well.

Most employees know what to do and where to go if there is a fire, a tornado, a hurricane, or an earthquake. Many even know what to do and where to go if there is an instance of sexual harassment in today’s working world. But how many know what to do or where to go if a shooter appears onsite? How many know what to do or where to go if they see another employee being inappropriate with a patron? How many know what to do or where to go if someone on staff or from the outside makes a verbal threat against them? And how many know what to do or where to go if their jobs are constantly outside the office, dealing with the public, and they are faced with threats of violence?

As the old saying goes, “It’s what you don’t know that can hurt you.” The legal profession, however, has another word for
(continued on page 12)

The Crimes They Are a-Changin’
by Jerome Trupin, CPCU, CLU, ChFC

Am I the only one providing expert witness assistance for fidelity claimants? Fidelity coverage (also known as employee theft or employee dishonesty coverage) is just a small part of the insurance universe, generating many fewer claims than property and liability coverage, and of those, even fewer end up as lawsuits. Nevertheless, my expert witness activity of late has involved a disproportionate number of fidelity disputes.
In the last few years, I’ve worked with three insureds and their attorneys to resolve fidelity claims.¹ In all three cases, the claimants have prevailed.

Jerome Trupin, CPCU, CLU, ChFC, is a partner in Trupin Insurance Services located in Briarcliff Manor, New York. He provides property-casualty insurance consulting advice to commercial, non-profit, and governmental entities. Trupin has been an expert witness in numerous cases involving insurance policy coverage disputes and was the coauthor of over ten insurance texts used in The Institutes’ programs including the texts Commercial Property Risk Management and Insurance and Commercial Liability Management and Insurance.

The most recent case in which I was involved is particularly interesting:

• It involved important changes in employee theft coverage policy provisions.
• It exhibited how dismally poor insureds and their advisers can be at selecting fidelity insurance limits.
• It demonstrated the advantage of using the Discovery Form version of crime coverage.

The firm that was a victim of the embezzlement, which I’ll call Service Company, serviced self-directed individual retirement (IRA) accounts for numerous individuals who wanted to purchase portions of real estate and other complex investments for their own IRA accounts. Service Company collected and deposited funds from investors, transmitted the funds to the investment trusts, and maintained records of each investor’s individual accounts. When an investor wanted to withdraw funds, the investor contacted Service Company, which in turn instructed the trust to sell the necessary shares. Once the proceeds from the sales were deposited into Service Company’s bank account, Service Company’s employee instructed the bank to transmit the funds to the IRA participant.

But there was a fatal flaw in the process.
Although the instructions to sell shares and issue drafts required the signature of at least one of Service Company’s executives, in practice, the executives just signed whatever papers the employee who handled the transactions prepared. It was simple for her to prepare orders for the bank to issue checks to her boyfriend as if he were an IRA participant. The pair split the proceeds. In more than six years of embezzling, they netted $1.3 million!²

Did Service Company have employee theft coverage? Yes, it did. But the amount of coverage was just $50,000 a year until the very last year of the scheme. In that year, the limit had been increased to $1 million.³ It is astonishing that the insured and its broker felt that $50,000 was in any way an appropriate amount of coverage. Furthermore, the increase to $1 million was the result of a demand from the investment trust, not something that Service Company’s insurer or the broker suggested.

The policy in force at the time the loss was discovered contained two separate provisions that govern loss during previous policy periods: “Loss Sustained During Prior Insurance Issued By Us Or Any Affiliate” and “Loss Sustained During Prior Insurance Not Issued By Us Or Any Affiliate.” (The provisions were identical to those used in the Insurance Services Office, Inc. (ISO) “loss sustained” crime forms.) Neither provision triggered coverage for losses before the inception of the policy unless coverage under the previous policies had been continuous. If there were any lapse in coverage, no loss before the time of the lapse would be covered. Furthermore, a loss is covered only if it would have been covered by the current policy had it been in force at the time of the loss.

When coverage in the prior period was written by a company not affiliated with the current insurer, it is clear that coverage under the previous insurer’s policy is also limited to the amount of insurance in force when the loss occurred.
In the case of Service Company, because the loss took place primarily during the policy periods when the limit of insurance was $50,000 per year, the amount Service Company could collect for the $1.3 million loss would have been, at the most, $300,000.

However, Service Company’s coverage was written by the same insurance company for almost five years―from April 1, 2004, until the loss was discovered in December 2008. The provision applying to loss covered by the current policy and by prior insurance issued by the current insurer or any affiliate in Service Company’s policy read:

If any loss is covered:
(1) Partly by this insurance; and
(2) Partly by any prior cancelled or terminated insurance that we or any affiliate had issued to you or any predecessor in interest;
the most we will pay is the larger of the amount recoverable under this insurance or the prior insurance.⁴

Service Company argued that this meant the highest limit carried ($1 million) was available to cover the entire loss; it did not matter in which policy period the funds had been stolen. The insurance company contended that the amount collectible is limited to the amounts embezzled in each policy period up to the coverage applicable to each of those policy periods, but not more, in total, than the highest limit carried in any one year. In short, the insured felt it was entitled to $1 million; the insurance company offered less than $300,000.

My interpretation of the meaning of the prior insurance provision has always agreed with Service Company’s. I can see the insurance company’s position as a possible interpretation. But that would make the policy wording ambiguous, and the accepted rule for resolving ambiguities in insurance policy wording is that ambiguities are resolved in favor of the insured.⁵

The clinching factor for me, and the reason for writing about it here, is a change in the ISO crime form introduced in 2006.
Until then, the ISO wording regarding coverage for losses sustained during prior insurance issued by the current insurer or an affiliate was the same as the wording quoted above. ISO form CR 00 21 05 06, Commercial Crime Coverage Form (Loss Sustained Form), introduced in 2006,⁶ replaced the five lines shown above with a provision that runs just shy of two pages. The key wording is as follows:

(1) Loss Sustained Partly During This Insurance And Partly During Prior Insurance
If you “discover” loss during the Policy Period shown in the Declarations, resulting directly from an “occurrence” taking place:
(a) Partly during the Policy Period shown in the Declarations; and
(b) Partly during the Policy Period(s) of any prior cancelled insurance that we or any affiliate issued to you or any predecessor in interest;
and this insurance became effective at the time of cancellation of the prior insurance, we will first settle the amount of loss that you sustained during this Policy Period. We will then settle the remaining amount of loss that you sustained during the Policy Period(s) of the prior insurance.

(2) Loss Sustained Entirely During Prior Insurance
If you “discover” loss during the Policy Period shown in the Declarations, resulting directly from an “occurrence” taking place entirely during the Policy Period(s) of any prior cancelled insurance that we or any affiliate issued to you or any predecessor in interest, we will pay for the loss, provided:
(a) This insurance became effective at the time of cancellation of the prior insurance; and
(b) The loss would have been covered under this insurance had it been in effect at the time of the “occurrence”.
We will first settle the amount of loss that you sustained during the most recent prior insurance. We will then settle any remaining amount of loss that you sustained during the Policy Period(s) of any other prior insurance.
(3) In settling loss subject to this Condition:
(a) The most we will pay for the entire loss is the highest single Limit of Insurance applicable during the period of loss, whether such limit was written under this insurance or was written under the prior insurance issued by us.

This provision ends with more than one page of examples showing how the provision would work in various situations. One of the examples should suffice to demonstrate the new ISO approach:

An employee embezzled $250,000 during the current policy period and the prior period. One insurance company covered the insured during both periods. The current limit in Policy A is $125,000. The coverage in prior Policy B was $150,000. A total of $175,000 of the loss was sustained in the current policy period, and $75,000 was sustained in the prior policy period. The insured can collect $125,000 for the loss under Policy A (its limit) but only $25,000 of the loss during Policy B’s term, for a total of $150,000, which is the highest amount of insurance provided by either of the policies during the period of the loss and is therefore the maximum collectible for the entire loss.7

In essence, the new ISO form calls for the loss to be settled in the manner proposed by the insurance company in the Service Company matter. However, the new wording makes that clear; the previous wording did not. The expansion of the provision wording (more than ten-fold, plus the addition of more than a page of examples) demonstrates that the previous version was unclear. The insurer’s lawyer in the Service Company case apparently agreed. This issue was not raised at trial, although it was part of the insurance company’s letter of declination.

Discovery Form—A Better Alternative

The crime policies discussed so far were all “Loss Sustained” forms—that is, the policy covers loss sustained during the policy period.
The only exceptions are losses that meet the requirements of the loss under prior coverage provisions. The Discovery Form is a better alternative. I like the discovery form because the policy in effect when the loss is discovered covers the entire loss. It’s irrelevant what the previous limits were or whether there was any prior insurance at all.8 The two loss-under-prior-insurance provisions found in the loss sustained version do not appear in the discovery form; there’s no need for them. Had Service Company’s policy in effect when the loss was discovered been a discovery form, the $1 million limit would have been clearly available to cover the entire loss.

The discovery form does not help the insured when the current policy has a lower limit of insurance than prior coverage. In the example from the new ISO form cited earlier, had the most recent form been a discovery form instead of a loss sustained form, the insured would have been able to collect only $125,000, not $150,000, because the current limit was $125,000. That makes for an interesting illustration, but in the real world, why would an insured reduce its coverage from $150,000 to $125,000? The longer an insured is in business, the greater the chance there has been an undiscovered loss extending over many periods. Employee theft insurance should be increased, not decreased. Discovery form is the way to go.

Ownership of Property; Interests Covered

The key issue raised when the Service Company case went to trial was whether Service Company’s interest in the money its employee stole met the standards set out in the “Ownership of Property; Interest Covered” policy provision. Under that provision, only property owned or held by the insured or for which the insured was legally liable was covered property.
Service Company did not own the IRA funds, but the jury decided, after deliberating for about twenty minutes, that Service Company did “hold” the funds, presumably because the insured, through its employee, could direct disbursement of the funds. The jury awarded Service Company the full policy limit of $1 million. (Because this case occurred in California, there was a separate action against the insurance company for bad-faith claims handling. The insurance company paid Service Company $250,000 to settle that matter.)

Clients’ Property Endorsement

Another argument the insurance company made in the Service Company case was that the insured had not elected the Clients’ Property endorsement offered in the quote for the policy. The clients’ property endorsement provides coverage for theft of clients’ property by the insured’s employees. While the jury didn’t find this point persuasive, it is of importance to those of us in the insurance and risk management community because it highlights another change that was made to the ISO employee theft program in 2006.

Before the 2006 changes, the Clients’ Property endorsement provided coverage for theft of a client’s property by the insured’s employees, provided the theft took place on the client’s premises. The requirement that the theft take place on the client’s premises was eliminated in the 2006 version. Both versions are entitled “Clients’ Property,” but the form number of the new form is CR 04 01 08 13. The earlier version was CR 04 01 03 00.9

One example of the difference in coverage is a theft from an accounting firm’s client by the accountant’s employees. Let’s assume the employees empty the client’s bank account by wiring fraudulent instructions to the client’s bank from their home computers. This would not be covered under the old form but would be covered under the new one.
Learning Points:

1. Employee theft dishonesty coverage should be written on a discovery basis form, but the amount should not be less (and should probably be more) than prior insurance.
2. If the insured’s employees can steal clients’ property, the new clients’ property endorsement should be added to the policy.
3. Embezzlement losses are seemingly everywhere. Insurance is important, but so is risk management. The New York Times reported on January 30, 2012, that a trusted employee of the New York Archdiocese was charged with stealing more than $1 million of the archdiocese’s funds in a seven-year-long embezzlement. Had a criminal background check been done before she was hired, it would have revealed that she had been convicted of grand larceny in one case and pleaded guilty to a misdemeanor in another.10

Endnotes

1 Expert witness services are just a small part of my work as an insurance consultant for businesses. I turn down far more cases than I accept, often because I don’t agree with the claimant’s theory.
2 U.S. Justice Department, “Palo Alto Pair Plead Guilty In $1.3 Million Financial Institution Fraud Scheme” press release, www.justice.gov/usao/can/news/2010/2010_08_04_kerr.perrone.guiltyplea.press.pdf (accessed September 12, 2013).
3 At first, the insurance company felt that the amount of insurance had been increased because the insured had discovered the embezzlement. However, the insurer did not raise this issue in court.
4 The form is identified as ISO copyrighted form CR 10 00 10 90 (Crime General Provisions), a form that is no longer in use. That form provided employee dishonesty coverage rather than the employee theft coverage of current ISO form, but that was not an issue in this loss.
5 This is derived from the standard rule for interpreting contracts: ambiguities in a contract are construed against the one who imposed the wording. The legalese for the rule is “contra proferentem.” See http://definitions.uslegal.com/c/contraproferentem-doctrine/ (accessed September 12, 2013).
6 The most recent version of Form CR 00 21 carries an edition date of 08 13. No changes have been made in the form with respect to the quoted provisions.
7 The form also specifies that the current deductible applies to the loss if the loss occurred during the current policy period. If not, the deductible in the most recent policy applies. However, the deductible is applied to the loss, not to the limit of insurance when the loss exceeds the limit. In this hypothetical situation, the deductible was $10,000 in the most recent policy, which would not reduce the amount collectible.
8 The insurer can eliminate claims before a certain date by attaching endorsement CR 20 05 10 10 (Include Retroactive Date) or can provide only limited coverage before a certain date with endorsement CR 20 24 10 10 (Provide Limited Coverage For Loss Occurring Before Retroactive Date).
9 The last four digits in ISO forms are the month and year that the form was promulgated in MM YY format.
10 Sharon Otterman and Ross Buetner, “In Million-Dollar Theft Case, Church Worker With a Secret Past,” The New York Times, January 31, 2012, www.nytimes.com/2012/01/31/nyregion/new-york-archdiocese-bookkeepercharged-with-stealing-1-million.html?nl=nyregion&emc=ura2 (accessed September 12, 2013).

Near Field Communications: A Change in “Frequency”

by Larry Collins

Larry Collins is the vice president of E-Solutions for Zurich Services Corporation, leading a team that provides electronic services to tens of thousands of online customers. His team received the 2012 Arthur Quern Quality Awards from the Risk and Insurance Managers Society (RIMS) for their Accident Review Tool. He has more than thirty-five years of experience in risk engineering, having previously been employed by The Hartford, Commercial Union, and Insurance Company of North America (INA).
Collins has appeared on television to discuss cyber security, spoken on a number of panels, and published several articles and white papers on security- and privacy-related risk issues. Collins is certified by the Board of Certified Safety Professionals, is a member of the American Society of Safety Engineers, and is a Microsoft Certified Systems Engineer. He earned his bachelor’s degree in physics and mathematics from Dowling College and his master’s degree in occupational safety and health from New York University.

Editor’s note: The following is reprinted with permission. © Entire contents copyright 2012 by Zurich Services Corporation. All rights reserved.

More consumers are electing for “wallet-less transactions,” whereby they can use their smart phones, PDAs or other mobile devices to make purchases at sales counters, receive discounts and earn rewards points - rather than digging around for their credit cards, coupons or one of the many customer loyalty cards on their key chains. Gross transaction volume from mobile payments is expected to reach $630 billion globally by 2014, according to information from the National Retail Federation.

Retailers aside, other businesses are also turning to mobile technology to seamlessly transfer company files or share documents among employees from anywhere in the world. Businesses that want to stay competitive in their marketplaces will likely need to adopt technology that can support such data transactions - potentially putting unprepared businesses at risk for costly data breaches.

Convenient capabilities, risky ramifications

The heightened risk for data breaches stems from a variety of technological advances including near field communications, which is the wireless technology that enables devices like smart phones - within a short range of other smart phones, point-of-sale terminals or “smart posters” - to exchange data.
Advances in near field communications are driving the trend toward using mobile technology to authorize payments, transfer corporate documents or files, or pass along personally identifiable information to another individual or entity.

Users of near field communication-enabled devices can, in an instant:
• Make payments or use coupons via devices, instead of credit or debit cards.
• Transfer files and share documents.
• Download information about objects, services or places from “smart posters.”
• Display electronic identity documents, like air travel boarding passes.

Such broad capabilities certainly offer conveniences but also elicit questions about the technology’s security, considering the potentially sensitive data being transmitted or the likelihood of a hacker intercepting that information during a live data exchange.

Individuals are not the only parties at risk from having their personal information confiscated. Businesses engaging in mobile data transactions are also at risk, with the potential to be held accountable for any data breaches resulting in the exposure of their customers’ or employees’ personally identifiable information - not to mention any corporate data from shared files or documents that could be lost.

Being smart about smart technology

Companies cannot ignore the potential dangers of a data breach - from financial losses to reputational damage to legal liability. Cyber security was named one of the top five global risks for companies in 2011 at the World Economic Forum in Davos, Switzerland. Further, mobile device use was cited as one reason corporate data has become vulnerable to cyber attacks. According to the Ponemon Institute’s 2011 Cost of Data Breach Study: United States, the average cost of a data breach in 2011 was $5.5 million.
Costs often stem from determining the severity and scope of a breach; establishing a call center to manage inquiries from affected parties; legal defense; public relations; regulatory proceedings, fines and penalties; credit or identity monitoring; and notifying third parties of the breach. Considering the high stakes, companies using near field communications should prepare themselves for the direct costs, as well as the indirect costs, of a data breach scenario by implementing risk management practices.

Businesses that rely on near field communications to share company information can implement these risk management tactics:
• Automatically shut off an employee’s smart phone if it’s lost, so information can’t be accessed by unauthorized parties.
• Enlist the company’s telecommunications and information technology department to limit the content that employees can download or store.
• Enforce a password requirement.
• Encrypt data so it can’t be easily read.

Businesses that rely on near field communications to accept payment from customers or to acquire information about customers can implement these risk management tactics:
• Use transmitted data for the purpose it was collected. If a customer shared personal information solely to pay for something, don’t then use that data for targeted marketing.
• Secure collected data with encryption, passwords and by restricting access.
• Determine how long data should be stored; create a data purging cycle.
• An educated team, aware of global privacy laws, should be in place.
• Limit data-reading devices’ power, allowing them to receive data only from short distances.
• Limit the content that devices display during transactions.
• Implement the electronic security measures that a near field system requires.

Assurance with Insurance

Risk management tactics are critical to protecting organizations from near-field related data breaches. Still, they are not enough, which is why the use of insurance as a risk management tool is so important. Many companies mistakenly believe they are covered against data breach events through one of their existing Property and Casualty policies, which are typically triggered by a “claim.” Data breaches, however, often don’t turn into actual claims that can be filed against a traditional liability policy because of effective breach response or difficulty proving actual damages. Property policies may not respond to loss of data since “data” is considered intangible, and property policies typically only cover the loss of tangible property. Even if a claim was filed, and a professional liability or commercial general liability policy partially responded, a company would still be held accountable for first party privacy breach costs like forensics, notification, call centers and public relations.

Because of the gaps in these traditional insurance products, more organizations are using cyber risk insurance to mitigate risks associated with near field communications and mobile technology. Cyber risk insurance consists of two types of coverage. Liability coverage is for claims against an organization brought by third parties that covers defense costs in the event of regulatory proceedings. Coverage is also available for privacy breach costs, business interruption, digital asset loss and cyber extortion.

Protection also can be found in the form of specialized liability insurance, such as Errors & Omissions and Security & Privacy coverage. These coverages go beyond liability insurance to cover management liability and employment practices.

The bottom line

Using mobile devices to pay for a latte, share a work document with a colleague, store corporate credit card data or check-in on a flight offer great advantages to consumers and businesses alike. At the same time, such capabilities pose risks that could jeopardize an individual’s privacy or threaten the bottom line and reputation of a company engaging customers or employees in near field communications - regardless of industry or size.

Companies that traditionally have had little data about their customers now must become accustomed with data privacy and security laws, and protect their customers’ personal information. They must also protect company data so as to not reveal trade secrets or financial information. At the end of the day, though, the newness of near field communications makes it a mystery to many users - making it challenging to anticipate and mitigate all the risks, and furthering the need to explore all risk management tools – including insurance.

CPCU Society
720 Providence Road, Suite 100
Malvern, PA 19355-3433
Risk Management Interest Group Risk Insights
Address Service Requested

What You Don’t Know Can Hurt You
continued from page 5

this old saying. They typically refer to it as “negligence.” The legal profession sees it as a responsibility of businesses to know these things.

The point and plan is simple—be prepared. Educate, train, and document every point of the response process. And, obviously, those in a position to influence their clients to be more proactive should do so as “you” often pay those settlements and judgments when negligence is claimed. Even offering (as some already do) reduced premiums for initiatives that can be documented can both influence and empower companies to move toward a more proactive posture.

Yes, what you don’t know can hurt you. But now you know.

Endnote

1 U.S. Department of Labor Occupational Safety and Health Administration, “OSHA Fact Sheet: Workplace Violence,” 2002, p. 1, https://www.osha.gov/OshDoc/data_General_Facts/factsheet-workplaceviolence.pdf (accessed Sept. 10, 2013).
For more information, please contact Jeff McKissack by email at jeff@DefenseByDesign.com.

The Risk Management Interest Group newsletter is published by the CPCU Society Risk Management Interest Group.

Risk Management Interest Group
http://riskmanagement.CPCUSociety.org

Chairman
Dave Stokey, CPCU, ARM
Willis of Texas, Inc.
Email: [email protected]

Editor
Bruce McEwan, CPCU, ARM-E
Email: [email protected]

CPCU Society
720 Providence Road, Suite 100
Malvern, PA 19355-3433
(800) 932-CPCU (2728)
www.CPCUSociety.org

Statements of fact and opinion are the responsibility of the authors alone and do not imply an opinion on the part of officers, individual members, or staff of the CPCU Society.

© 2013 Society of Chartered Property and Casualty Underwriters

CPCU is a registered trademark of The Institutes.