Download Risk Management Interest Group

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
Document related concepts

Business ownership within England and Wales wikipedia , lookup

International commercial law wikipedia , lookup

Transcript 
Risk Management Interest Group
Risk Insights
Volume 30 | Number 1 | October 2013
Message From the Chair
by Dave Stokey, CPCU, ARM
Dave Stokey, CPCU, ARM, is vice
president of Willis of Texas, Inc.,
in Dallas. He has held this position
since 2005 and has more than forty
years’ experience in insurance and
risk management. Previously, Stokey
was chief underwriting officer for
Deep South Surplus, Inc., a large,
regional managing general agency,
and regional vice president for Crum &
Forster Insurance Companies’ Atlanta
regional office. He holds a bachelor’s
degree in business administration
from The University of Texas at Austin.
We are pleased to bring you the Risk
Management Interest Group’s latest newsletter!
interest group’s newsletter might not address.
This newsletter includes articles on these
diverse topics:
Our interest group mission statement is:
“Our group is dedicated to the study of, and
participation in, all aspects of risk management.
We provide current and relevant information
to members pertaining to the practice of
risk management and its principles through
supportive interdisciplinary communication.”
That’s an accurate statement, but it seems
pretty dry to me, so let me try to humanize it.
• “ The Crimes They Are a-Changin,” by
Jerome “Jerry” Trupin, CPCU, CLU, ChFC
As you know, risk management is much broader
than the purchase of insurance products. Risk
management is a process of identification,
assessment, control, avoidance, minimization,
or elimination of unacceptable risks via risk
assumption, risk avoidance, risk retention, risk
transfer, or a combination thereof to address
the management of future events (once again, a
broad statement).
As CPCUs, we understand that insurance (a
type of risk transfer), while an important part
of risk management, is one way of dealing
with the financial impact of a covered loss. It
is a way to have a third party pay for the loss
and minimize the impact on an organization’s
balance sheet—or, put another way, of trading
uncertainty for certainty.
• “ Near Field Communications: A Change in
‘Frequency’,” by Larry Collins, vice president,
e-solutions, Zurich Services Corporation
• “ When a Client Uses Temporary Labor
Firms,” by Glenn Peterson, CPCU, ARM-E,
CIC, CRM, RIMS Fellow
If you haven’t already selected your primary
interest group, please consider joining the
Risk Management Interest Group by signing
on to www.cpcusociety.org, then going
to My Account > Interest Groups > Edit
Primary Interest Group and selecting the
Risk Management Interest Group. If you’ve
already selected a primary interest group, we
welcome you to select Risk Management in My
Additional Interest Groups.
Because of the broad-based nature of risk
management, there is very little that our
What’s in This Issue
Message From the Chair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
When a Client Uses Temporary Labor Firms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
What You Don’t Know Can Hurt You . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The Crimes They Are a-Changin’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Near Field Communications: A Change in “Frequency” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
www.CPCUSociety.org | Visit us online.
When a Client Uses Temporary Labor Firms
by Glenn Peterson, CIC, CRM, CPCU, ARM-E, RIMS Fellow
Editor’s note: This article appeared in the July
2012 issue of Rough Notes magazine and
was furnished by The National Alliance for
Insurance Education & Research. It is used
with permission.
Examine the terms of temp
service agreement carefully
With a properly structured labor services
agreement, should an accident or incident
occur, you know who is responsible for what.
Glenn Peterson, CIC, CRM, CPCU
works for EWI Risk Services—the risk
management arm of Dallas-based
Contran Corporation. He is responsible
for global risk management and
loss control for the Contran group of
companies. The group is diversified
and includes steel and related
products, titanium metal products,
titanium dioxide products, mining,
metal working businesses, marine
businesses, and the treatment and
disposal of low-level radioactive
waste.
Organizations face a number of exposures
when utilizing services provided by contract/
temporary labor companies. In most cases,
the organization utilizing the services expects
that, in exchange for paying the labor provider
a rate, the labor provider will address any
issues/losses/claims associated with the
services provided by its employees. A properly
written agreement, supported by insurance,
is a critical part of the process necessary to
ensure that such expectations are met.
Without a proper written agreement in place,
there may be situations where your client’s
organization could be financially responsible for
paying claims or dealing with lawsuits relative to
injuries to, or the actions of, the labor provider’s
employees. Examples include the following:
• Injured contract labor workers could be
deemed to be your client’s employees for
workers compensation purposes (for both
benefits and premium payment).
• T he contract labor provider’s insurers
may subrogate against your client. In
other words, the contract labor provider’s
insurers will try to make your client’s
organization reimburse them for any
payments they have made on behalf of
their insured. You can overcome this by
requiring that the labor provider’s insurers
waive subrogation in favor of your client;
• Y our client could be liable in lawsuits
brought against it by the contract labor
provider, its employees or their families,
their legal representatives, and/or heirs.
• Y our client could be subject to laborrelated fines/penalties.
• Y our client could be deemed vicariously
liable for auto accidents involving
2
contract labor workers while they were
driving a vehicle related to work for your
organization.
In order to manage the types of exposures
set forth in the above examples, it is
necessary that the applicable agreement
contain appropriate indemnity and insurance
provisions to protect your client. Note
that such agreements should always be
reviewed by legal professionals prior to their
acceptance and execution.
It is important that the contract labor provider
has the financial capacity to support the
indemnities/liabilities that they assume. There
are two general ways to do this: 1) ensure
that the contract labor provider is financially
sound and credit-worthy, and 2) insurance.
If a contract labor provider is financially
strong, it will have the funds available, or can
borrow the funds to support the indemnities
that it has assumed in the written agreement.
By incorporating insurance requirements that
backstop the indemnities into agreements,
you can look to both the contract labor
provider and its insurance for compliance.
It is important to clarify each party’s
responsibility for safety- and health-related
issues in the written agreement. Questions
that need to be addressed include:
• W
hat general types of safety training are
required by law and by your client’s policy
(safety orientation, Material Safety Data
Sheet location, emergency response plan,
etc.)? Which specific types of training
are needed for the jobs to be performed?
Of the identified training, which party
provides the initial safety training and
which party provides site-specific training?
(Remember that your safety policies
may be more stringent or more specific
than OSHA requires.) Regarding training
provided by the contract labor provider,
are their instructors qualified to conduct
the training? Do they keep the required
written training records? Where are the
records stored and how does your client
gain access, if needed? For example, the
contract labor firm may provide general
Hazard Communication training that must
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
be supplemented by your client’s sitespecific Hazard Communication training.
• W
hich party is responsible for supplying
personal protective equipment?
• H
ow will the issues of medical monitoring
and contract/temporary laborer medical
files be addressed?
• W
ho is responsible for drug testing, if
utilized?
• If contract or temporary workers are
to drive any vehicle on behalf of the
organization utilizing the services, there
should be a provision relating to driving
records/vehicle use. In other words, what
steps does the contract labor provider
take to ensure that its employees have
responsible driving records?
Note that, if your client is the host employer,
it is likely responsible for OSHA reporting
and record keeping relative to employees of
contract labor firms working at its sites. This
includes the completion of OSHA 300 and
300A forms. Whether your client is deemed to
be the employer in such a situation depends
on a number of “control” tests. Information
on these tests can be found in letters of
interpretation at www.osha.gov.
Suggestions for your clients (or for you if you
use temporary labor firms):
• B
e wary of issuing job orders over the
Internet. In order to do so, you may have to
acknowledge that you accept the contract
labor provider’s electronic terms and
conditions as a precedent to completing
the order. Such terms could be contrary
to your organization’s interests. In order
to avoid this, the written agreement
should contain a section stating that the
agreement controls over any provisions to
the contrary contained in purchase or work
orders, on Web sites, or in other related
documents issued by, or owned by, the
contract labor provider.
• B
e sure that the agreement does not limit
your organization’s ability to use other
labor contractors as you deem appropriate
(do not agree to exclusive provider terms).
• O
ne advantage of contract labor is that
an organization may identify persons
sent by the temporary labor firm whom
it wishes to hire as full-time employees.
Thus, the organization should ensure that
the agreement sets forth the terms for its
being able to do so (timing, fees, etc.).
• Include language stating that the
indemnities assumed by the contract labor
provider will survive termination of the
agreement. If an action is brought against
your organization after termination of the
agreement for an event that took place
during the term of the agreement, you
want the contract labor provider to assume
the liability.
• T he agreement should specify that the
labor provider is not permitted to utilize
any subcontractors on jobs performed
for your organization. The permitted
use of subcontractors in these types
of agreements opens up another set of
potential liabilities.
• C
larify that your organization can
immediately remove any contract
labor employee it deems to be unsafe
or unsuitable for the job, in your
organization’s sole discretion.
• T here is a relatively new trend in
indemnity language whereby companies
try to contractually limit their assumed
liabilities. There are two common forms of
this. The first form is where the company
assuming the indemnity limits its liability
to a specific dollar amount--say $100,000.
The second form is where the company
assuming the indemnity limits its liability
to the amount of money your organization
has spent with it. For example, suppose
your organization enters into an agreement
with a labor provider and ultimately pays
the provider $240,000 for services. Further
assume that the service agreement with
the labor provider states that its liability
is limited to the amount it is paid under
the written agreement (in this example,
the $240,000). To take this example a
step further, suppose that as a result of
an accident involving one of the labor
provider’s employees, your organization
is sued for $1 million and is ultimately
deemed liable for the full amount. In this
example, the most the contract labor
provider would pay under the indemnity is
$240,000. Your organization would then be
responsible for the remaining $760,000.
In this writer’s view, if the contract labor
provider holds itself out to the public as a
provider of qualified/trained labor, then it
should assume the liabilities associated
with same.
• R
equire that the labor provider’s workers
compensation coverage includes an
Alternate Employer endorsement in favor
of your organization.
It is always preferable to take the time, up
front, to clarify the terms of business. With a
properly structured labor services agreement,
should an accident or incident occur, you
know who is responsible for what. Without
clarification, after-the-fact events can become
expensive, time-consuming, high-profile, and
potentially damaging to the reputation of your
organization (litigation, regulatory fines and
penalties, media coverage, etc.).
Social Media Sites
Join the Risk Management Interest Group on LinkedIn!
http://www.linkedin.com/groups?gid=2344799&trk=myg_ugrp_ovr
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
3
What You Don’t Know Can Hurt You
by Jeff McKissack
Jeff McKissack, president of Defense
By Design, is a noted authority in
the field of preventing violent crime
and provides consulting and training
to a wide range of businesses and
industries across the country. He has
personally addressed over 350,000
people in live training and addressed
countless others through radio and
television interviews across the United
States and Canada. McKissack has
conducted continuing education
seminars for those in the legal,
medical, educational, financial, human
resource, risk management, and
insurance professions. McKissack is
a contributing writer to several state
and national trade publications and is
author of the book, Power Proverbs
for Personal Defense. He is based in
Dallas.
From shootings at a movie theater in Aurora,
Colorado, to shootings at an elementary school
in Newtown, Connecticut, we have seen our
share of instances of workplace violence in
this country over the past year or so. But along
with these stories, how many think of other
workplace violence cases, such as the recent
scandal at Penn State University or even the
University of Virginia case in which one of the
school’s star athletes murdered his former
girlfriend? How about the never-ending cases
of sexual exploitation in schools and churches
and various youth-oriented organizations?
Wherever you have employees or staff and
patrons or students, and something criminal
occurs causing someone intentional harm, you
have workplace violence—and liabilities. And
it is often what businesses don’t know that is
hurting them, whether in their local media, the
courts, or their bank accounts.
Several years ago at a national gathering for
the American Society of Industrial Security
(ASIS), workplace violence was addressed, with
two major areas of concern coming from the
security industry: fired employees who decide to
return with a vengeance and cases of domestic
violence following (predominately) women into
the workplace, often causing additional collateral
damage to other workers and/or patrons.
Such stories as the above immediately garner
the attention of those in the legal community
who specialize in cases of corporate or
institutional negligence leading to personal
injury. And often, because of both the severity
of these cases and the harm that is done
through them, as well as the usual highprofile media coverage that comes with such
cases (whether local or national), settlements
are high, and judgments can be even higher if
pursued in court without a proper paper trail
of due diligence as a defense for the company
or institution.
The Occupational Safety and Health
Administration (OSHA) states that some 2
million American workers are victims of
workplace violence each year. Who are those
typically affected? According to OSHA’s
research, certain groups are at greater risk:
Among them are workers who
exchange money with the public;
deliver passengers, goods, or services;
4
or work alone or in small groups,
during late night or early morning
hours, in high-crime areas, or in
community settings and homes where
they have extensive contact with the
public.1
Businesses are not simply responsible for
work done inside the office either. According
to the same report above, the list of possible
outside employees include “health-care
and social service workers, such as visiting
nurses, psychiatric evaluators, and probation
officers; community workers, such as gas and
water utility employees, phone and cable TV
installers, and letter carriers; retail workers;
and taxi drivers.” But this list can easily be
extrapolated to include any person that a
business sends out on sales- or servicerelated appointments or trips, including trade
shows, conferences, conventions, etc. Those
in outside sales are therefore vulnerable as
well. The message is clear: when businesses
send people out, they are responsible for the
safety of those people while they execute
their duties or assignments.
Where OSHA and plaintiff attorneys share a
common concern and approach is in the area
of education. This is where a proper paper
trail can be created and thus documented
to help mitigate risks and reduce liability
concerns if or when such an instance occurs.
But all too often, the typical corporate or
institutional response is to invite in local (and
often free) law-enforcement officers, akin
to the approach a homeowners association
(HOA) might apply to its local crime watch.
The problem lies in that if something happens
in a neighborhood, the likelihood of the HOA
being held negligent is slim to none, as
opposed to the same happening with or in a
business or institution. Local law-enforcement
is typically not educated in these matters, or
in the process that should precede or follow
such training to document said due diligence
efforts. Their training is in public safety, after
all. This is where Human Resources (HR) and
Risk Management are more desirable in-house
sponsors or coordinators of such efforts. They
understand (a) the need and (b) the processes
that should follow any and all such initiatives
should those efforts later be questioned or
called upon for documentation in court.
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
The typical areas of vulnerability can best be
summarized in the following three areas:
1)On-the-Clock Mistakes—These are usually
in the areas of hiring and firing and are
directly related to HR efforts and practices,
but obviously not always if no official HR
director or department is present. There are
many common mistakes made on the front
side of hiring just as there are on the back
side of unfortunate firings or layoffs. But
as stated before, this is one of the primary
areas of concern by the industrial security
community regarding instances of workplace
violence. However, such crimes as road rage
are also becoming an issue when one of the
drivers involved is an employee.
2)Off-the-Clock Mistakes—These are
generally in the area of employees making
bad judgment calls in their personal life
leading to incarceration (and unfortunate
PR and media for the company);
hospitalization (and leave of absence
as well as healthcare claims); or even
potentially death, with ripple effects felt
throughout the company, affecting both
employee morale and productivity.
3)Unknown Dramas—These are typically
in the areas of domestic violence or
(nondomestic) restraining orders being filed
against any number of individuals. While
most minds lean toward spouse or paramour
scenarios, such cases have also been seen
involving former vendors/suppliers, former
customers, and even private contractors
of employees outside of work who knew
where the employee could be found for
confrontation or retaliation during business
hours. Anytime a restraining order (often
referred to as a TRO, or temporary restraining
order), is filed, it should be a point of concern
for an employer. But how many employers
have a policy of knowing about such
situations prior to their potential escalation in
the workplace?
While there are certain physical aspects of
security that can be enhanced, such as cardkey or keypad access, self-locking doors,
security cameras, metal detectors, or even
physical on-site security, the human factor
must also must be accounted for, which OSHA
relates to as well. The impact of educational
programs within the workplace, like those
that address sexual harassment, cannot be
underestimated. And, again, the very practice
of such training provides opportunity for both
evaluation and documentation.
So, what are some of the best practices that
companies and institutions easily, and often
cheaply, employ to decrease these liabilities?
Below are the previously discussed areas of
vulnerabilities and ways to address them:
On-the-Clock Mistakes
• A consistent check-in policy at the
company for anyone with access to other
employees beyond the front desk.
• E nhanced background and reference
checks for potential new hires.
• E valuation of current firing practices,
including the need for security escorts. These
are not always necessary and may, in fact,
actually incite actions of physical or legal
retaliation if an employee feels he or she has
been needlessly disgraced in public.
Off-the-Clock Mistakes
• E ducational programs that address
employee safety both on and off the clock.
These programs can even address afterhours events attended by family members
of employees. Security breaches can
occur during such events and compromise
the safety of family members, so this
additional layer or approach might be
considered.
• O
ptional after-hours educational or
training events addressing stress or anger
management; even physical self-defense
could be considered. Regarding the latter,
making such training optional is advised. If
it were mandated by management, injuries
incurred during training could possibly be
assessed to the business or institution.
Unknown Dramas:
• O
n-site training of employees so that they
understand the impact such situations can
have in the workplace, on both themselves
and their co-workers, if kept to themselves
• E nhanced HR policies and procedures
to be implemented once such cases are
known to the employer
• Improved employee contracts and
agreements that clearly spell out these
policies and procedures so that any
noncompliance leading to violence is
associated with an employee’s personal
negligence rather than institutional
negligence
Another factor that may become more of an
issue is the ever-increasing number of gun
owners in this country. Ownership itself is not
the issue, but the training (or lack thereof)
of the owner and where firearms are kept or
hidden, including in places of business, are
concerns. For the multitenant office building
and multifamily apartment industries, this will
be even more of a concern. I think all would
recognize the importance of responsible gun
ownership. However, irresponsibility in this
regard leads to many of the cases we see
manifest in local and national media. But all
too often, we also see them playing out in
court when someone is held negligent due
to lack of education, proactive posturing, or
consistent corporate policy.
While our minds will always gravitate
toward the more visual cases, such as
a theater or school shooting, we cannot
forget the everyday cases of domestic
violence, child/youth exploitation, crime on
college campuses, road rage, and other
similar situations that cost not only lives but
significant financial judgments as well. Most
employees know what to do and where to go
if there is a fire, a tornado, a hurricane, or an
earthquake. Many even know what to do and
where to go if there is an instance of sexual
harassment in today’s working world. But
how many know what to do or where to go if
a shooter appears onsite? How many know
what to do or where to go if they see another
employee being inappropriate with a patron?
How many know what to do or where to go if
someone on staff or from the outside makes
a verbal threat against them? And how many
know what to do or where to go if their jobs
are constantly outside the office, dealing with
the public, and they are faced with threats of
violence?
As the old saying goes, “It’s what you
don’t know that can hurt you.” The legal
profession, however, has another word for
continued on page 12
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
5
The Crimes They Are a-Changin’
by Jerome Trupin, CPCU, CLU, ChFC
Am I the only one providing expert witness
assistance for fidelity claimants? Fidelity
coverage (also known as employee theft or
employee dishonesty coverage) is just a small
part of the insurance universe, generating
many fewer claims than property and liability
coverage, and of those, even fewer end up
as lawsuits. Nevertheless, my expert witness
activity of late has involved a disproportionate
number of fidelity disputes. In the last few
years, I’ve worked with three insureds and
their attorneys to resolve fidelity claims.1 In all
three cases, the claimants have prevailed.
Jerome Trupin, CPCU, CLU, ChFC,
is a partner in Trupin Insurance
Services located in Briarcliff Manor,
New York. He provides propertycasualty insurance consulting advice
to commercial, non-profit, and
governmental entities. Trupin has been
an expert witness in numerous cases
involving insurance policy coverage
disputes and was the coauthor of
over ten insurance texts used in
The Institutes’ programs including
the texts Commercial Property Risk
Management and Insurance and
Commercial Liability Management and
Insurance.
The most recent case in which I was involved
is particularly interesting:
• It involved important changes in employee
theft coverage policy provisions.
• It exhibited how dismally poor insureds
and their advisers can be at selecting
fidelity insurance limits.
• It demonstrated the advantage of using the
Discovery Form version of crime coverage.
The firm that was a victim of the
embezzlement, which I’ll call Service
Company, serviced self-directed individual
retirement (IRA) accounts for numerous
individuals who wanted to purchase portions
of real estate and other complex investments
for their own IRA accounts. Service Company
collected and deposited funds from investors,
transmitted the funds to the investment trusts,
and maintained records of each investor’s
individual accounts. When an investor wanted
to withdraw funds, the investor contacted
Service Company, which in turn instructed
the trust to sell the necessary shares. Once
the proceeds from the sales were deposited
into Service Company’s bank account, Service
Company’s employee instructed the bank to
transmit the funds to the IRA participant. But
there was a fatal flaw in the process.
Although the instructions to sell shares and
issue drafts required the signature of at least
one of Service Company’s executives, in
practice, the executives just signed whatever
papers the employee who handled the
transactions prepared. It was simple for her to
prepare orders for the bank to issue checks to
6
her boyfriend as if he were an IRA participant.
The pair split the proceeds. In more than six
years of embezzling, they netted $1.3 million!2
Did Service Company have employee theft
coverage? Yes, it did. But the amount of
coverage was just $50,000 a year until the
very last year of the scheme. In that year,
the limit had been increased to $1 million.3
It is astonishing that the insured and its
broker felt that $50,000 was in any way an
appropriate amount of coverage. Furthermore,
the increase to $1 million was the result of
a demand from the investment trust, not
something that Service Company’s insurer or
the broker suggested.
The policy in force at the time the loss
was discovered contained two separate
provisions that govern loss during previous
policy periods: “Loss Sustained During Prior
Insurance Issued By Us Or Any Affiliate” and
“Loss Sustained During Prior Insurance Not
Issued By Us Or Any Affiliate.” (The provisions
were identical to those used in the Insurance
Services Office, Inc. (ISO) “loss sustained”
crime forms.) Neither provision triggered
coverage for losses before the inception of
the policy unless coverage under the previous
policies had been continuous. If there were
any lapse in coverage, no loss before the time
of the lapse would be covered. Furthermore,
a loss is covered only if it would have been
covered by the current policy had it been in
force at the time of the loss.
When coverage in the prior period was written
by a company not affiliated with the current
insurer, it is clear that coverage under the
previous insurer’s policy is also limited to the
amount of insurance in force when the loss
occurred.
In the case of Service Company, because
the loss took place primarily during the
policy periods when the limit of insurance
was $50,000 per year, the amount Service
Company could collect for the $1.3 million
loss would have been, at the most, $300,000.
However, Service Company’s coverage was
written by the same insurance company for
almost five years―from April 1, 2004, until
the loss was discovered in December 2008.
The provision applying to loss covered by
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
the current policy and by prior insurance
issued by the current insurer or any affiliate in
Service Company’s policy read:
If any loss is covered:
(1) Partly by this insurance; and
(2) Partly by any prior cancelled or
terminated insurance that we or any
affiliate had issued to you or any
predecessor in interest; the most we
will pay is the larger of the amount
recoverable under this insurance or the
prior insurance.4
Service Company argued that this meant the
highest limit carried ($1 million) was available
to cover the entire loss; it did not matter
in which policy period the funds had been
stolen. The insurance company contended
that the amount collectible is limited to the
amounts embezzled in each policy period up
to the coverage applicable to each of those
policy periods, but not more, in total, than the
highest limit carried in any one year. In short,
the insured felt it was entitled to $1 million;
the insurance company offered less than
$300,000.
My interpretation of the meaning of the
prior insurance provision has always agreed
with Service Company’s. I can see the
insurance company’s position as a possible
interpretation. But that would make the policy
wording ambiguous, and the accepted rule
for resolving ambiguities in insurance policy
wording is that ambiguities are resolved in
favor of the insured.5
The clinching factor for me, and the reason
for writing about it here, is a change in the
ISO crime form introduced in 2006. Until then,
the ISO wording regarding coverage for losses
sustained during prior insurance issued by the
current insurer or an affiliate was the same
as the wording quoted above. ISO form CR 00
21 05 06, Commercial Crime Coverage Form
(Loss Sustained Form), introduced in 2006,6
replaced the five lines shown above with a
provision that runs just shy of two pages.
The key wording is as follows:
(1) Loss Sustained Partly During This
Insurance And Partly During Prior
Insurance
If you “discover” loss during the Policy
Period shown in the Declarations,
resulting directly from an “occurrence”
taking place:
(a) Partly during the Policy Period shown
in the Declarations; and
(b) Partly during the Policy Period(s)
of any prior cancelled insurance that
we or any affiliate issued to you or
any predecessor in interest; and this
insurance became effective at the time
of cancellation of the prior insurance, we
will first settle the amount of loss that
you sustained during this Policy Period.
We will then settle the remaining amount
of loss that you sustained during the
Policy Period(s) of the prior insurance.
(2) Loss Sustained Entirely During Prior
Insurance
If you “discover” loss during the Policy
Period shown in the Declarations,
resulting directly from an “occurrence”
taking place entirely during the Policy
Period(s) of any prior cancelled insurance
that we or any affiliate issued to you or
any predecessor in interest, we will pay
for the loss, provided:(a) This insurance
became effective at the time of
cancellation of the prior insurance; and
(b) The loss would have been covered
under this insurance had it been in effect
at the time of the “occurrence”.
We will first settle the amount of loss
that you sustained during the most
recent prior insurance. We will then
settle any remaining amount of loss that
you sustained during the Policy Period(s)
of any other prior insurance.
(3) In settling loss subject to this
Condition:
(a) The most we will pay for the entire
loss is the highest single Limit of
Insurance applicable during the period
of loss, whether such limit was written
under this insurance or was written
under the prior insurance issued by us.
This provision ends with more than one page
of examples showing how the provision
would work in various situations. One of the
examples should suffice to demonstrate the
new ISO approach:
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
An employee embezzled $250,000
during the current policy period and the
prior period. One insurance company
covered the insured during both periods.
The current limit in Policy A is $125,000.
The coverage in prior Policy B was
$150,000. A total of $175,000 of the
loss was sustained in the current policy
period, and $75,000 was sustained in
the prior policy period.
The insured can collect $125,000 for
the loss under Policy A (its limit) but
only $25,000 of the loss during Policy
B’s term, for a total of $150,000, which
is the highest amount of insurance
provided by either of the policies during
the period of the loss and is therefore the
maximum collectible for the entire loss.7
In essence, the new ISO form calls for the loss
to be settled in the manner proposed by the
insurance company in the Service Company
matter. However, the new wording makes that
clear; the previous wording did not.
The expansion of the provision wording
(more than ten-fold, plus the addition of
more than a page of examples) demonstrates
that the previous version was unclear. The
insurer’s lawyer in the Service Company case
apparently agreed. This issue was not raised
at trial, although it was part of the insurance
company’s letter of declination.
Discovery Form—A Better
Alternative
The crime policies discussed so far were all
“Loss Sustained” forms—that is, the policy
covers loss sustained during the policy period.
The only exceptions are losses that meet the
requirements of the loss under prior coverage
provisions. The Discovery Form is a better
alternative.
I like the discovery form because the policy
in effect when the loss is discovered covers
the entire loss. It’s irrelevant what the
previous limits were or whether there was
any prior insurance at all.8 The two lossunder-prior-insurance provisions found in the
loss sustained version do not appear in the
discovery form; there’s no need for them. Had
Service Company’s policy in effect when the
loss was discovered been a discovery form,
continued on page 8
7
The Crimes They Are a-Changin
continued from page 7
the $1 million limit would have been clearly
available to cover the entire loss.
The discovery form does not help the
insured when the current policy has a lower
limit of insurance than prior coverage. In
the example from the new ISO form cited
earlier, had the most recent form been a
discovery form instead of a loss sustained
form, the insured would have been able
to collect only $125,000, not $150,000,
because the current limit was $125,000.
That makes for an interesting illustration,
but in the real world, why would an insured
reduce its coverage from $150,000 to
$125,000? The longer an insured is in
business, the greater the chance there has
been an undiscovered loss extending over
many periods. Employee theft insurance
should be increased, not decreased.
Discovery form is the way to go.
8
Ownership of Property; Interests
Covered
The key issue raised when the Service
Company case went to trial was whether
Service Company’s interest in the money its
employee stole met the standards set out in
the “Ownership of Property; Interest Covered”
policy provision. Under that provision, only
property owned or held by the insured or
for which the insured was legally liable was
covered property.
Service Company did not own the IRA funds,
but the jury decided, after deliberating for
about twenty minutes, that Service Company
did “hold” the funds, presumably because
the insured, through its employee, could
direct disbursement of the funds. The jury
awarded Service Company the full policy limit
of $1 million. (Because this case occurred
in California, there was a separate action
against the insurance company for bad-faith
claims handling. The insurance company paid
Service Company $250,000 to settle that
matter.)
Clients’ Property Endorsement
Another argument the insurance company
made in the Service Company case was
that the insured had not elected the Clients’
Property endorsement offered in the quote for
the policy. The clients’ property endorsement
provides coverage for theft of clients’ property
by the insured’s employees.
While the jury didn’t find this point persuasive,
it is of importance to those of us in the
insurance and risk management community
because it highlights another change that was
made to the ISO employee theft program in
2006.
Before the 2006 changes, the Clients’
Property endorsement provided coverage for
theft of a client’s property by the insured’s
employees, provided the theft took place on
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
the client’s premises. The requirement that
the theft take place on the client’s premises
was eliminated in the 2006 version. Both
versions are entitled “Clients’ Property,” but
the form number of the new form is CR 04 01
08 13. The earlier version was CR 04 01 03
00. 9
One example of the difference in coverage is
a theft from an accounting firm’s client by the
accountant’s employees. Let’s assume the
employees empty the client’s bank account by
wiring fraudulent instructions to the client’s
bank from their home computers. This would
not be covered under the old form but would
be covered under the new one.
Learning Points:
1.Employee theft dishonesty coverage
should be written on a discovery basis
form, but the amount should not be less
(and should probably be more) than prior
insurance.
2.If the insured’s employees can steal
clients’ property, the new clients’ property
endorsement should be added to the
policy.
3.Embezzlement losses are seemingly
everywhere. Insurance is important, but
so is risk management. The New York
Times reported on January 30, 2012,
that a trusted employee of the New York
Archdiocese was charged with stealing
more than $1 million of the archdiocese’s
funds in a seven-year-long embezzlement.
Had a criminal background check been
done before she was hired, it would have
revealed that she had been convicted of
grand larceny in one case and pleaded
guilty to a misdemeanor in another.10
Endnotes
1 Expert witness services are just a small part
of my work as an insurance consultant for
businesses. I turn down far more cases than
I accept, often because I don’t agree with
the claimant’s theory.
2U.S. Justice Department, “Palo Alto Pair
Plead Guilty In $1.3 Million Financial
Institution Fraud Scheme” press
release, www.justice.gov/usao/can/
news/2010/2010_08_04_kerr.perrone.
guiltyplea.press.pdf (accessed September
12, 2013).
3 A t first, the insurance company felt that the
amount of insurance had been increased
because the insured had discovered the
embezzlement. However, the insurer did not
raise this issue in court.
4 T he form is identified as ISO copyrighted
form CR 10 00 10 90 (Crime General
Provisions), a form that is no longer in use.
That form provided employee dishonesty
coverage rather than the employee theft
coverage of current ISO form, but that was
not an issue in this loss.
9 The last four digits in ISO forms are
the month and year that the form was
promulgated in MM YY format.
10 Sharon Otterman and Ross Buetner,
“In Million-Dollar Theft Case, Church
Worker With a Secret Past,” The New
York Times, January 31, 2012, www.
nytimes.com/2012/01/31/nyregion/
new-york-archdiocese-bookkeepercharged-with-stealing-1-million.
html?nl=nyregion&emc=ura2 (accessed
September 12, 2013).
5 T his is derived from the standard rule for
interpreting contracts: ambiguities in a
contract are construed against the one
who imposed the wording. The legalese
for the rule is “contra proferentem.” See
http://definitions.uslegal.com/c/contraproferentem-doctrine/ (accessed September
12, 2013).
6 T he most recent version of Form CR 00 21
carries an edition date of 08 13. No changes
have been made in the form with respect to
the quoted provisions.
7 The form also specifies that the current
deductible applies to the loss if the loss
occurred during the current policy period. If
not, the deductible in the most recent policy
applies. However, the deductible is applied
to the loss, not to the limit of insurance
when the loss exceeds the limit. In this
hypothetical situation, the deductible was
$10,000 in the most recent policy, which
would not reduce the amount collectible.
8 The insurer can eliminate claims before a
certain date by attaching endorsement CR
20 05 10 10 (Include Retroactive Date) or
can provide only limited coverage before
a certain date with endorsement CR 20 24
10 10 (Provide Limited Coverage For Loss
Occurring Before Retroactive Date).
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
9
Near Field Communications: A Change in “Frequency”
by Larry Collins
Larry Collins is the vice president
of E-Solutions for Zurich Services
Corporation, leading a team that
provides electronic services to tens
of thousands of online customers.
His team received the 2012 Arthur
Quern Quality Awards from the Risk
and Insurance Managers Society
(RIMS) for their Accident Review Tool.
He has more than thirty-five years
of experience in risk engineering,
having previously been employed
by The Hartford, Commercial Union,
and Insurance Company of North
America (INA). Collins has appeared
on television to discuss cyber security,
spoken on a number of panels, and
published several articles and white
papers on security- and privacyrelated risk issues.
Collins is certified by the Board of
Certified Safety Professionals, is a
member of the American Society of
Safety Engineers, and is a Microsoft
Certified Systems Engineer. He earned
his bachelor’s degree in physics
and mathematics from Dowling
College and his master’s degree in
occupational safety and health from
New York University.
Editor’s note: The following is reprinted with
permission. © Entire contents copyright 2012
by Zurich Services Corporation. All rights
reserved.
More consumers are electing for “wallet-less
transactions,” whereby they can use their
smart phones, PDAs or other mobile devices
to make purchases at sales counters, receive
discounts and earn rewards points- rather
than digging around for their credit cards,
coupons or one of the many customer loyalty
cards on their key chains.
Gross transaction volume from mobile
payments is expected to reach $630 billion
globally by 2014, according to information
from the National Retail Federation.
Retailers aside, other businesses are also
turning to mobile technology to seamlessly
transfer company files or share documents
among employees from anywhere in the
world.
Businesses that want to stay competitive in
their marketplaces will likely need to adopt
technology that can support such data
transactions- potentially putting unprepared
businesses at risk for costly data breaches.
Convenient capabilities, risky
ramifications
The heightened risk for data breaches stems
from a variety of technological advances
including near field communications, which is
the wireless technology that enables devices
like smart phones- within a short range of
other smart phones, point-of-sale terminals or
“smart posters” -to exchange data.
Advances in near field communications
are driving the trend toward using mobile
technology to authorize payments, transfer
corporate documents or files, or pass along
personally identifiable information to another
individual or entity.
Users of near field communication-enabled
devices can, in an instant:
• Make payments or use coupons via devices,
instead of credit or debit cards.
10
• Transfer files and share documents.
• Download information about objects,
services or places from “smart posters.”
• Display electronic identity documents, like
air travel boarding passes.
Such broad capabilities certainly offer
conveniences but also elicit questions about
the technology’s security, considering the
potentially sensitive data being transmitted
or the likelihood of a hacker intercepting that
information during a live data exchange.
Individuals are not the only parties at risk
from having their personal information
confiscated. Businesses engaging in mobile
data transactions are also at risk, with the
potential to be held accountable for any
data breaches resulting in the exposure of
their customers’ or employees’ personally
identifiable information- not to mention
any corporate data from shared files or
documents that could be lost.
Being smart about smart
technology
Companies cannot ignore the potential
dangers of a data breach - from financial
losses to reputational damage to legal liability.
Cyber security was named one of the top five
global risks for companies in 2011 at the
World Economic Forum in Davos, Switzerland.
Further, mobile device use was cited as one
reason corporate data has become vulnerable
to cyber attacks.
According to the Ponemon Institute’s 2011
Cost of Data Breach Study: United States,
the average cost of a data breach in 2011
was $5.5 million. Costs often stem from
determining the severity and scope of a
breach; establishing a call center to manage
inquiries from affected parties; legal defense;
public relations; regulatory proceedings, fines
and penalties; credit or identity monitoring;
and notifying third parties of the breach.
Considering the high stakes, companies using
near field communications should prepare
themselves for the direct costs, as well as the
indirect costs, of a data breach scenario by
implementing risk management practices.
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
Businesses that rely on near field
communications to share company
information can implement these risk
management tactics:
• A utomatically shut off an employee’s
smart phone if it’s lost, so information
can’t be accessed by unauthorized parties.
• E nlist the company’s telecommunications
and information technology department
to limit the content that employees can
download or store.
• Enforce a password requirement.
• Encrypt data so it can’t be easily read.
Businesses that rely on near field
communications to accept payment from
customers or to acquire information about
customers can implement these risk
management tactics:
• U
se transmitted data for the purpose
it was collected. If a customer shared
personal information solely to pay for
something, don’t then use that data for
targeted marketing.
• S ecure collected data with encryption,
passwords and by restricting access.
• D
etermine how long data should be
stored; create a data purging cycle.
• A n educated team, aware of global privacy
laws, should be in place.
one of their existing Property and Casualty
policies, which are typically triggered by
a “claim.” Data breaches, however, often
don’t turn into actual claims that can be filed
against a traditional liability policy because of
effective breach response or difficulty proving
actual damages.
Property policies may not respond to loss of
data since “data” is considered intangible,
and property policies typically only cover
the loss of tangible property. Even if a claim
was filed, and a professional liability or
commercial general liability policy partially
responded, a company would still be held
accountable for first party privacy breach
costs like forensics, notification, call centers
and public relations.
Because of the gaps in these traditional
insurance products, more organizations are
using cyber risk insurance to mitigate risks
associated with near field communications
and mobile technology. Cyber risk insurance
consists of two types of coverage.
Liability coverage is for claims against
an organization brought by third parties
that covers defense costs in the event of
regulatory proceedings. Coverage is
also available for privacy breach costs,
business interruption, digital asset loss and
cyber extortion.
Protection also can be found in the form
of specialized liability insurance, such as
Errors & Omissions and Security & Privacy
coverage. These coverages go beyond liability
insurance to cover management liability and
employment practices.
The bottom line
Using mobile devices to pay for a latte, share
a work document with a colleague, store
corporate credit card data or check-in on a
flight offer great advantages to consumers
and businesses alike.
At the same time, such capabilities pose risks
that could jeopardize an individual’s privacy
or threaten the bottom line and reputation of
a company engaging customers or employees
in near field communications - regardless of
industry or size.
Companies that traditionally have had little
data about their customers now must become
accustomed with data privacy and security
laws, and protect their customers’ personal
information. They must also protect company
data so as to not reveal trade secrets or
financial information.
At the end of the day, though, the newness of
near field communications makes it a mystery
to many users - making it challenging
to anticipate and mitigate all the risks,
and furthering the need to explore all risk
management tools – including insurance.
• L imit data-reading devices’ power,
allowing them to receive data only from
short distances.
• L imit the content that devices display
during transactions.
• Implement the electronic security
measures that a near field system
requires.
Assurance with Insurance
Risk management tactics are critical to
protecting organizations from near-field
related data breaches. Still, they are not
enough, which is why the use of insurance as
a risk management tool is so important.
Many companies mistakenly believe they are
covered against data breach events through
CPCU Society Risk Management Interest Group | Risk Insights | October 2013
11
CPCU Society
720 Providence Road, Suite 100
Malvern, PA 19355-3433
Risk Management Interest Group
Risk Insights
Address Service Requested
What You Don’t Know Can Hurt You
continued from page 5
this old saying. They typically refer to it as
“negligence.” The legal profession sees it as
a responsibility of businesses to know these
things. The point and plan is simple—be
prepared. Educate, train, and document
every point of the response process. And,
obviously, those in a position to influence
their clients to be more proactive should
do so as “you” often pay those settlements
and judgments when negligence is
claimed. Even offering (as some already
do) reduced premiums for initiatives that
can be documented can both influence and
empower companies to move toward a
more proactive posture.
Yes, what you don’t know can hurt you. But
now you know.
Endnote
1U
.S. Department of Labor Occupational
Safety and Health Administration, “OSHA
Fact Sheet: Workplace Violence,” 2002,
p. 1, https://www.osha.gov/OshDoc/
data_General_Facts/factsheet-workplaceviolence.pdf (accessed Sept. 10, 2013).
For more information, please contact Jeff
McKissack by email at jeff@DefenseByDesign.
com.
The Risk Management Interest Group newsletter is
published by the CPCU Society Risk Management Interest
Group.
Risk Management Interest Group
http://riskmanagement.CPCUSociety.org
Chairman
Dave Stokey, CPCU, ARM
Willis of Texas, Inc.
Email: [email protected]
Editor
Bruce McEwan, CPCU, ARM-E
Email: [email protected]
CPCU Society
720 Providence Road, Suite 100
Malvern, PA 19355-3433
(800) 932-CPCU (2728)
www.CPCUSociety.org
Statements of fact and opinion are the responsibility of the
authors alone and do not imply an opinion on the part of
officers, individual members, or staff of the CPCU Society.
© 2013 Society of Chartered Property and Casualty
Underwriters
CPCU is a registered trademark of The Institutes.
FacebookLinkedIn
Related documents
What Diversity Means to Me and What a Diverse
What Diversity Means to Me and What a Diverse
New Patient Child - GLYNN ORTHODONTICS
New Patient Child - GLYNN ORTHODONTICS
Date_____________ PATIENT INFORMATION Patient`s Full
Date_____________ PATIENT INFORMATION Patient`s Full
clicking here.
clicking here.
Quiz 4 Solutions
Quiz 4 Solutions
DOC - Rawlins Orthodontics
DOC - Rawlins Orthodontics
COMMERCIAL AUTO PLUS ENDORSEMENT CA 81 68 HIGHLIGHTS
COMMERCIAL AUTO PLUS ENDORSEMENT CA 81 68 HIGHLIGHTS
Health declaration to the insured Basic information: English name
Health declaration to the insured Basic information: English name
Ethics to a “T”
Ethics to a “T”
intake evaluation - Megan A. Wuest, MS, LPA
intake evaluation - Megan A. Wuest, MS, LPA