Title: Emerging Exposures NOT Insured by SC Insurance Reserve Fund
1. Emerging Exposures NOT Insured by SC Insurance Reserve Fund
2015 GFOASC Fall Conference Myrtle Beach, S.C.
March 15, 2015
Presented by Greg Jones, Senior Vice President, Wells Fargo Insurance Services
843-573-3560 Direct
Greg.A.Jones_at_WellsFargo.com
2. AGENDA
- Introduction
- Basic Coverages from IRF
- Changing Legal Landscape
- Emerging Exposures Insurance
- Employment Practices Liability example
- Available insurance for uninsured exposures
- Fiduciary
- EPL Management liability
- Pollution liability
- Cyber Liability
- Common gaps and gotchas
- Q & A
3. Introduction to SC IRF
- Only state owned insurance company in US
- Standardized forms in 1985/86
- Limited Eligibility
- Generally good, basic insurance coverage
- Very limited flexibility
- Not rated by AM Best
- Now part of State Fiscal Accountability Authority
4. South Carolina Insurance Reserve Fund
- Basic Coverages from IRF
- Buildings & personal property
- Data processing equipment
- Business Interruption/Extra Expense
- Builders Risk
- Inland Marine (floaters)
- General Tort Liability (i.e. Commercial General Liability)
- Medical Professional Liability
- Auto liability & physical damage
- School Activity Vehicle Coverage
- Underground Storage Tank coverage
- Prepaid legal
5. Changing LEGAL LANDSCAPE
6. Brief History of Employment Practices Liability
- 1991
- Tailhook scandal
- Clarence Thomas Hearings
- 1991 Civil Rights Act
7. LEGAL LANDSCAPE
- STATUTORY BASIS (FEDERAL)
- Title VII of the Civil Rights Act
- race, gender, religion, national origin, etc. Includes same sex harassment
- Allows for Jury trial
- Compensatory & Punitive damages capped
- Age Discrimination in Employment Act (ADEA)
- Americans with Disabilities Act (ADA)
- Family and Medical Leave Act (FMLA)
- Pregnancy Discrimination Act
- Equal Pay Act
- COMMON LAW
- Breach of Contract
- Wrongful termination
- Negligent and Intentional infliction of emotional distress
- Defamation
- Invasion of Privacy
- Negligent Hiring/Supervision
- Misrepresentation
8. Common EPL claims
- Wrongful Failure to Employ or Promote
- Wrongful Dismissal, Discharge or Termination
- Deprivation of Career Opportunity
- Negligent Employee Evaluation
- Breach of Employment Contract
- Wrongful Discipline
- Harassment
- Failure to grant tenure
- Racial, Gender, Age, National Origin, Religion, Sexual Orientation, Pregnancy or Disability Discrimination
- Violation of Civil Rights
- Client and Customer Claims for Discrimination and Harassment
- Employment Related Misrepresentation or Personal Injury (libel / slander / defamation)
- Retaliation
9. HISTORY OF EPLI
- First Policy Created in 1985
- Interest Grows in 1992
- Current Environment
  - Stand-alone EPL
  - Combination with D&O/Management Liability
  - Endorsement to Commercial General Liability
10. GAPS IN EPL COVERAGE
- S.C. Insurance Reserve Fund
- Tort Policy covers personal injury claims
- Covers discrimination on basis of race, sex, age, religion, or handicap
- Excludes retaliation (1998)
- Can purchase Pre-paid Legal Defense coverage
11. WHAT IS A CLAIM UNDER AN EPLI POLICY?
- EPLI Policies are Claims-Made Policies. Claims have to be reported as soon as practicable - during the policy period.
- CLAIM may be
- Written demand for Monetary Damages
- Administrative Charge - EEOC or similar state agency charge of discrimination
- A civil lawsuit
- Demand for arbitration
12. COMMON EXCLUSIONS
- Prior Notice
- Pending & Prior Litigation Date (includes administrative charges)
- Bodily Injury/Property Damage
- OSHA/Workers Compensation
- Disability/Unemployment Compensation
- ERISA/Breach of Fiduciary
- National Labor Relations Act
- Fair Labor Standards Act/Similar State Wage & Hour Claims
- Breach of Express Written Contract
- Costs of Physical Modifications under ADA
13. WHAT ARE THE GOTCHAS?
- Claims-made and Reported
  - Need incident reporting
  - Potential Issues at each renewal
  - Very careful when changing insurers
  - Notice/awareness provisions
- Definition of employee
  - Independent contractors?
  - Leased/temporary employees?
  - Volunteers?
- Defense cost within limits
- SIR vs. Deductible
- Panel Counsel
- Indemnity vs. duty to defend
- Hammer clause
- ERP or tail issues (mini tail)
- Application a warranty?
14. Issues to Consider Prior to Purchasing an EPLI Policy
- Limits/Self Insured Retention
- Broad Definition of Wrongful Employment Act
- Punitive damages coverage
- Option to select defense counsel
- Third party coverage - Covers Claims brought by vendors, clients, customers or other non-employees
- Amended Reporting Provision - Risk Manager/General Counsel Human Resources mini tail provision
- Full prior acts coverage
- Bordereaux Reporting
- Risk management tools
15. Other Available Insurance
- Coverages from Commercial Insurance
- Fiduciary liability (ERISA 1974)
- EPL Management Liability (1991 2000)
- Pollution liability (1988-89)
- Cyber Liability (2010)
16. Cyber Liability Insurance
- Coverages Available
- 3rd Party Liability for Privacy breach, Network Security, or Regulatory
- 1st Party Coverage for Privacy notification, crisis management, credit monitoring and forensics.
- Other 1st Party Options: cyber extortion, business interruption, data restoration.
- Limits Available - Two Approaches
- One limit with fund sublimits
- Number of Persons notification approach
17. Marketing Summary

| CARRIER | LIMIT OF LIABILITY | RETENTION (Each Claim) | ANNUAL PREMIUM |
|---|---|---|---|
| ACE USA (Indication Only) | 3,000,000; 5,000,000 | 250,000; 250,000 | 85,000 - 105,000; 115,000 - 135,000 |
| Axis Insurance Co. (Non-admitted) | 1,000,000; 3,000,000; 5,000,000 | 250,000; 250,000; 500,000 | 48,291; 102,417; 145,923 |
| Chartis (Admitted) | 1,000,000; 3,000,000; 5,000,000 | 150,000 / 250,000; 150,000 / 250,000; 250,000 / 250,000 | 46,601; 78,000; 122,000 |
| Federal Insurance Co. (Chubb) | No response as of 1/4/11 | N/A | N/A |
| Beazley (Non-admitted) | 3,000,000; 5,000,000; 10,000,000 | 100,000; 100,000; 250,000 | 88,413; 122,137; 182,294 |
| C.N.A (Non-admitted) | 1,000,000; 3,000,000; 5,000,000 | 100,000; 100,000; 250,000 | 46,050; 97,755; 127,565 |
| Zurich (Admitted) | 1,000,000; 3,000,000; 5,000,000 | 250,000; 250,000; 500,000 | 43,433; 65,877; 91,645 |

18. Legal Issues & The Regulatory Environment
Legislation has now imposed affirmative duties on companies as to how they handle data, principally client/customer information.
- Gramm-Leach-Bliley Act: Requires financial institutions to safeguard customers' records and information against unauthorized access. Imposes major privacy and security requirements on financial services companies.
- Health Insurance Portability and Accountability Act (HIPAA): Healthcare organizations required to safeguard individually identifiable health information. Imposes penalties on organizations that violate HIPAA (further amended by the HITECH Act).
- California SB1386: A California law requiring companies to notify their CA customers and employees of computer security breaches. The law applies to any business that stores customer and employee information electronically even if the company is not based in the Golden State.
- Privacy Breach Notification Laws: Spreading of California SB 1386, adopted by 47 states as of December 2010. Duty to notify customers where consumer/customer information has been compromised (electronic or non-electronic means, state legislation varies).
- Massachusetts Privacy Law 201 CMR 17.00: This law is the first state law to require specific technology when protecting personal information. If you do business with residents in MA or have employees that reside in MA, compliance is mandatory by March 1, 2010.
19. Legal Issues and The Regulatory Environment
- PCI Security Standards: The standards globally govern all merchants and organizations that store, process or transmit cardholder data. PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI fines not generally covered under insurance policies).
- FACTA (Fair and Accurate Credit Transactions Act): Prohibits businesses from printing more than 5 digits of any customer's credit card number or card expiration date on any receipt issued at a point of sale. For machines in use before 1/1/05, the merchant has 3 years to comply. For machines in use after 1/1/05, the merchant has one year to comply.
- Red Flag Rules: Established by FACTA, requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.
- Federal HITECH Act: Health plans, health care providers and health care clearinghouses (i.e. covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures. Requires that any data breach event exceeding 500 records be reported to the Department of Health and Human Services.
20. What Should You Be Asking?
- Have we analyzed our cyber liabilities?
- What legal rules apply to the information we maintain or that is kept by vendors, partners and other third parties? The laws surrounding breaches are complex.
- Have we assessed our legal exposure to governmental investigations?
- Have we assessed our exposure to suits by our customers, vendors or suppliers?
- Have we protected our organization in contracts with vendors?
- What laws apply in different states and countries in which we conduct business?
- Do we have adequate staffing to reasonably maintain and safeguard our important assets and processes?
- Have we prepared an incident response plan and business continuity plan?
- Do we have a documented, proactive crisis communications plan?
- It is critical to have a solid incident response plan in place prior to any security or privacy breach.
Questions supplied by The Financial Impact of Cyber Risk publication, American National Standards Institute (ANSI) and Internet Security Alliance.
21. Vendor Management Requirements
- IT/Software Companies
- Request Tech E&O to include network security/privacy coverage
- Some Tech E&O policies have security/privacy exclusions
- Other Business Services: Payroll, Auditors
- Request appropriate E&O coverage to include network security/privacy
- Credit Card Processors/Acquiring Banks
- Request Network Security/Privacy Coverage
- Other Vendors that interact with your systems or sensitive information, or handle information on your behalf
- Request Network Security/Privacy Coverage
22. What Can Be Covered Under a Network Security & Privacy Policy?
- Breach of Security: Your liability to third parties arising out of a failure of your network security that results in a computer attack. Such failure can be caused by unauthorized access or use, transmission of a computer virus or a denial of service attack.
- Invasion of Privacy: Your liability arising from disclosure and release of confidential or personally identifiable information stored on your computer system caused by a failure of your network security.
- Enterprise Privacy: Your liability arising from any breach of privacy including violations of HIPAA, GLB or any state, federal or foreign privacy protection law (including regulatory defense expenses, notification expenses, credit monitoring, crisis management expenses).
- Identity Theft: Your liability arising from theft of personal information of your employees, customers or clients.
- Cyber Extortion: Protection against threats or demands made against you involving your computer network.
- Internet Media: Defamation, Libel and Slander/Personal Injury Liability arising out of the content disseminated on your Internet site; includes intellectual property infringement exposures.
- Business Interruption: Business Interruption losses sustained by you arising from the interruption or suspension of your computer network, due to failure of security (including extra expenses).
- Data Asset Coverage: Information asset protection for you for property losses involving data, computer systems and information assets arising from a computer attack.
23. Enterprise Privacy Coverage
- Non-network Privacy Breaches: What happens if a breach, which exposes confidential information, does not arise out of a failure of security of your computer system? i.e. paper, PDAs, lost data tapes.
- Accountability For Outside Vendors: Your liability arising from others working on your behalf (those which you are legally responsible for).
- Employee Privacy Exposure: What happens if a breach causes your employees' confidential information to be compromised?
- Regulatory Defense Expenses: Defense costs involved with a regulatory proceeding, a request for information, demand, suit or civil investigation by or on behalf of a government agency arising from allegations of violation of a privacy regulation (may include coverage for fines & penalties and related consumer redress fund expenses).
- Notification Expenses: Costs to notify your customers/clients of security or privacy breaches. Most insurers will provide a sub-limit of coverage to assist with these expenses.
- Credit Monitoring Expenses: Costs to provide your customers/clients with credit monitoring services as a result of privacy violation, if you have the duty to provide.
- Crisis Management Expenses: Reasonable and necessary expenses incurred by you and approved by the Insurer in retaining the services of a public relations firm, law firm for advertising or related communications to assist with mitigating harm to your reputation.
Regulatory Expenses, Notification Expenses, Credit Monitoring and other Crisis Management Expenses are generally offered on a sub-limited basis and vary by carrier.
24. Common Features & Gotchas of Additional Coverages
- Generally proactive risk management
- (EPL, Cyber, pollution)
- Claims-made & reported
- Panel counsel requirement
- Limits
- Defense costs inside limits
- Various coverages subject to sublimits
25. Other Commonly Seen Coverages
- Coverages Available
- Employee dishonesty/Faithful performance bond
- Volunteer Accident Coverage
- Educators E&O
- Builders Risk
- Project Specific Professional/Owners Protective Professional Liability
- Special Events Policy
- Excess liability coverage
26. SC IRF Gaps & Gotchas
- Property
- Off-premises service interruption
- Coinsurance
- Boiler & Machinery limits 5MM
- Business Interruption
- Off-premises service interruption
- Builders Risk
- Only owner's interest, coinsurance, no waiver of subrogation
- Tort Policy
- No vicarious coverage for independent contractors
- No contractual coverage
27. QUESTIONS?