Wednesday, December 31, 2008
Bookmark our new address and please surf by. In 2009 our new site will have expanded content including a white paper archive and other PL-related resources. See you there!
Sunday, November 23, 2008
The Wild and Woolly World of Real Estate.....
Almost every real estate-related profession has seen quite the roller coaster in the last couple of years, and the end is nowhere in sight.
Two of the higher profile classes of business -- mortgage brokers and real estate agents -- are in a state of high turmoil. We have seen consolidations and closures of businesses, and insureds dropping their coverage because they don't anticipate continuing in the field, or cannot produce sufficient business.
The flip side of the coin is on the carrier side, where many, many markets that used to write these lines of business quite readily are no longer in play. There are a few carriers that are still willing and able to write, although they are taking a conservative approach.
The real estate classes of business which you will run into, and which may be more difficult to place are:
Real estate agents and brokers
Mortgage brokers and bankers
Home (and other) Inspectors
In the world of real estate, agents are differentiated from brokers with regard to legal scope and services rendered. Generally speaking coverage is available only for brokers, or for firms with a licensed broker. As a practical matter, this does not pose a problem, because agents need to affiliated with a broker in order to perform services, so you will not (one would hope) ever face a situation where you need to insure an agent who is not working with a broker.
In some states, professional liability coverage is required to meet licensing standards, and in those states, there is frequently an "approved" program. The state-endorsed programs I have reviewed tend to cover only the individual agents and brokers, not the real estate agency (entity) itself. To the extent the agency holds no assets, it may not need protection, as it has "nothing to lose", but unless the owner is willing to fold the entity should a claim be made against it, declare bankruptcy, and open up another agency (all of which might create heartburn with the regulatory bodies) it's a good idea to contemplate a separate or excess policy for the entity.
Be aware that some carriers are very good at insuring pure real estate agents/brokers, but falter when mortgage broking, property management, escrow, or other related services are provided. Carriers' approach to real estate agents conducting transactions on owned properties also varies widely. Most carriers also require a minimum number of years experience (usually three to five) before a new firm will qualify for coverage.
Common causes of loss for real estate agents and brokers include failure to disclose (problems in a property or conflicts of interest such as dual agency), and discrimination. Discrimination is frequently excluded in a typical policy, but it could be picked up by third party coverage on an EPL policy, if the EPL underwriter is willing. Personal injury (libel, slander, etc.) is a good coverage to keep an eye out for, and most real estate professionals have a strong privacy liability exposure which is generally not covered by a typical E&O policy. A privacy liability policy that includes loss of paper documents would be key to address this exposure.
Next on the list is mortgage bankers and brokers.
This is such a rich and complex topic, I could spend two or three weeks, or a book, on just these opportunities and exposures. But I'll spare you for now, and perhaps put together a white paper, which I will later post on the blog. (www.professionalliabilitytidbits.blogspot.com)
First thing to know is that "mortgage banker" and "mortgage broker" are not interchangeable terms. Sometimes it doesn't seem that way, because insureds will say they're a "mortgage company", and they're not specific about what they do. Also, many carriers will say they cover "mortgage brokers/bankers" when in fact they don't provide coverage to mortgage bankers at all, or they do so on a very limited basis.
Here's the basic difference between the two:
A mortgage broker simply originates loans. They work as an intermediary between the lender (or many lenders) and the borrower. Not unlike an insurance agent.
A mortgage banker may originate loans, but most importantly, they actually fund the loans. They can do this with their own funds, or through what's called a "warehouse line of credit" where the money is supplied by investors or other lenders. After they fund enough loans, they resell them, replenish their coffers (or their credit line), and fund more loans.
Both types of entities can service loans (collect payments, manage hazard/tax escrow accounts, etc.), but that is a separate service in which they may or may not engage. More mortgage bankers do at least a little servicing, because they need to manage their loan portfolio until they can sell the loans to the secondary market. They can do the servicing themselves, or they can outsource it.
In many states, mortgage brokers must be licensed. Some states do not have a specific mortgage broking license, and the mortgage broker operates under a real estate agent's or broker's license. Licensing is one way you can tell the difference between a mortgage broker and a mortgage banker. Another way is a look at the company's balance sheet. A mortgage banker will have money somewhere. If you suspect an entity is a mortgage banker, and they don't have money on their balance sheet, the next question is "do you have a warehouse line of credit?"
• Lack of disclosure of loan terms or fees
• Violations of RESPA (a real estate regulation)
• Conflicts of interest
• Inappropriate underwriting or submissions
Some, but not all, of these exposures can be covered by E&O policies.
A lot of markets who were writing mortgage brokers have stopped, or are only writing retro inception now. Many who were writing mortgage bankers have stopped. Most markets are excluding subprime loans and have added other exclusions. Since many of your potential insureds have a retroactive pool of subprime activities, beware of this exclusion and try to get subprime coverage at least on the past acts, so you can avoid a gap.
Home (and Other) Inspectors:
There are several types of inspectors for whom E&O can be written. Some -- usually home inspectors -- are required to carry coverage by law in certain jurisdictions.
As a rule of thumb, most carriers want to cover those inspectors that only carry a clipboard, not a toolbox. So if an inspector also offers repair services, he or she becomes virtually uninsurable.
A quick summary of the types of inspectors:
Home Inspectors -- checking for habitability on behalf of the purchaser, generally pre-purchase
Commercial Building Inspectors -- pre-purchase inspections, or construction-completion inspections
Building Code Inspectors -- inspect for code compliance
Environmental Inspectors -- check for mold, radon, clean air, water potability, etc.
Home inspectors are the most common of these, and there are several programs for them, and some association programs. GL is frequently offered in combination with the PL. Contingent BI/PD, or lack of a BI/PD exclusion altogether, is a must for this class, as well as for all inspectors.
Some of the home inspector markets will write commercial building inspectors as well.
Code compliance inspectors are probably the most difficult class to write, but there are a few carriers who will entertain them, and a bare handful that will provide contingent BI/PD.
Environmental Inspectors are easier to write than one might think, but only if you're using the right markets. Most home inspector markets, and indeed most E&O markets, do not have an appetite for the pollution hazard and catastrophic contingent BI/PD exposure presented by environmental inspectors. Environmental markets, however, view this class favorably, and provide broad coverage and attractive pricing.
One thing to note -- the word "environmental" sometimes can refer to matters of industrial hygiene (the "environment" in which the workers perform their tasks). If the insured is involved in inspecting industrial plants and recommending modifications to ergonomics or processes, they are more along the lines of a safety consultant than a true "inspector", although the terms are somewhat interchangeable.
So after exploring real estate agents/brokers, mortgage brokers/bankers, and all manner of inspectors, your might ask "What else is there?"
It just so happens I have an answer for you.
Title agents, escrow agents, appraisers, foreclosure services, mortgage field reps, debt negotiators, property managers, leasing agents, as well as real estate investors and investments.
The first three classes mentioned above have seen an increasingly shrinking marketplace. Used to be they could be written for pennies on the dollar, and had many association programs that offered broad coverages on the cheap. However, with the downturn in the housing marketplace, and homeowners scrambling to find any way they can to hold onto their houses, there are increasing claims against these professionals.
Also, appraisers have been deemed to be in cahoots with real estate agents and mortgage brokers in supporting inflated home values that justified suspect loans, and now they are viewed with quite a bit of distrust by the carriers.
Several carriers have just outright stopped insuring these classes, and others are more closely underwriting and are increasing pricing and retentions.
Mortgage field reps are those people who will go out to a foreclosure property to make sure it's there, take a few pictures from the outside, and report back to the mortgagee. An interesting class without a huge exposure, they are frequently required by the mortgagee to carry coverage. One must be very careful to distinguish them from "home inspectors" because the risk is not at all the same, and only certain niche carriers do a good job with home inspectors, while other carriers altogether can do a good job with field reps.
Debt negotiators are all the rage. They will intervene with lenders on behalf of borrowers (or sometime at the behest of real estate agents or mortgage brokers looking to get some deals done) and facilitate the borrower and lender reaching a mutually beneficial agreement about how a loan can be structured. If the debt negotiator actually goes to the extent of proposing refinancing and/or shopping a refinance deal, they are actually a mortgage broker and must be insured as such.
Property managers and leasing agents haven't seen too much of an upset in this real estate market yet. Perhaps because rental properties are only more valuable and needed in this time where people are having to leave their homes, or where home sales have diminished. Commercial risks are not as easy to insure as residential, for the obvious reason that there is a lot more at stake in each transaction. Tenant discrimination coverage is generally provided separately from E&O. It can be written on the same policy, or in concert with the E&O, but it is a separate underwriting process, separate app or supplemental (or segment of the app).
Real estate investors and investments include all manner of private equity firms, REITs, 1031 exchanges, and any other type of person or firm that purchases, holds, manages, or sells property with investment funds for any reason other than to occupy it themselves. Most of these firms execute deals on behalf of third parties on at least one-half of the transaction (i.e. a third party buyer, or a third party owner), they may be completely arms-length facilitators with both buyer and seller being third parties, or they may be executing transactions for the benefit of investors. This private equity exposure has become more difficult to insure as the profit prospect of this line of investment has become more questionable. However, coverage is still available at a price, especially for insureds who have a track record of success and who provide proper disclosures to investors.
One interesting thing regarding real estate investment-related firms -- the D&O and E&O exposures are frequently indistinguishable and should generally be written together on one policy, or at least with one carrier. You can imagine the difficulty in trying to sort out whether the sale or management of a property gone bad is an affront to the investors as a fiduciary issue of proper caretaking of corporate assets, or whether the investors got rooked into a deal where the so-called professionals couldn't tell La Jolla from a hole in the ground and were incompetent to perform the services of evaluating, buying, managing or selling properties. Does the claim arise from the professional service rendered? Or does it arise from the breach of fiduciary duty as a D or O of the company? Much safer to insure both whenever possible.
Friday, August 15, 2008
Friday, August 8, 2008
And you can see the even greater difficulty if Joe's Business Consulting was the Named Insured, Joe performed his services as Acme Corp., and a claim came in against Acme, as we discussed last week.
There are a few ways to address these issues and pitfalls.
First, make sure you understand how your insured is structured and what their legal names and entities are. Make sure all legal entities are shown on the applications, and on the policies. That will eliminate the situation where the carrier pleads ignorance, never having heard of the underlying entity prior to the claim.
Second, if your insured is concerned about coverage for DBAs, ask them to provide you with a list of all dbas, and refresh that list during your annual account review. Also advise your insured to keep you apprised of any and all changes and additions to DBAs. Take that list, and submit it to your underwriter or wholesaler, and ask them DBAs are handled, and how they want to keep track of them, if they feel they need to. The key question is - does a DBA need to be shown on the policy to trigger coverage if a claim is made against them. (I will survey companies on this matter at some point in the future and share my results.)
Third, if your insured does 100% of their operations under a limited, stable number of DBAs, listing the legal entity and the DBAs on the dec is relatively safe and straightforward, but see concern 4 above.
Carriers are generally more likely to respond to a claim against a DBA if they insure the underlying legal entity, than they are the other way around. So the most important thing to remember is that the underlying legal entity must be named on the policy.
There are more things to discuss regarding names, but we'll take a bit of a break and return to the subject later.
What is a "DBA"? Generally, a "DBA" is a trade name your insured has registered with state or local agencies, as required, in order to use that name in the public domain. The DBA may or may not have any relationship to the insured's legal name. In some jurisdictions, as long as the trade name has certain things in common with the legal name, it need not be registered.
Many insureds want their DBA listed on their policy. This is understandable, since it's the name the public sees most often, and the insured is concerned that if a claim is made against them, it will be made in the name of the DBA, not the insured's legal name, which may not be readily apparent.
However, having the DBA as the Named Insured is a technical error, and even including them along with the Named Insured can be a slippery slope. Here's why:
1. Most applications and declarations pages in professional liability refer to the insured organization or entity. A DBA is neither an organization, nor an entity; it is merely a name. If the DBA is the *only* item shown on the dec, there can be issues when a claim is made against the legal entity behind the DBA, as this will be the first the underwriters have heard of the legal entity, and they tend to not appreciate the lack of disclosure when the application has previously requested the information. (I have seen a claim declined for this, although eventually, after much proof and hassle, we were able to get the carrier to agree to accept the claim.)
2. As an agent, there are many tricks of the trade you can use to make sure you're getting the right information from your insured. Among the foremost is spotting an inconsistency between the organizational form and the insured's proposed name on the app. If the insured is an LLC, a corporation, partnership or other legal form of organization, there are generally laws requiring that a signifier, like "inc." "corp" or "LLC" be used in their name. If your insured is not a sole proprietor, but you don't see "inc." or some other kind of organizational signifier on their app, ask if the Insured Name provided to you is a dba, and if so, get the legal entity name and use it instead of, or in addition to, the dba. (This is a best practice for all your lines of coverage -- not just professional.)
3. Some insureds "do business as" one name for certain operations of their company, and "do business as" a different name (or perhaps no name other than the actual company's legal name) for other operations. This is not uncommon when there are various operating divisions or diverse income centers in an entity. If you have listed one DBA on the policy, then another pops up and you are not advised about it and therefore it is not added to the policy, is it covered? It may depend on how your claims adjuster feels at the time of loss. And as a practical matter, maintenance of a large schedule of DBA names may not be a cost-effective or prudent use of your time.
Stay tuned for more issues and some solutions next week....
If Acme Corp. had not merely changed its name to Beta Corp. but had actually had a change in ownership, had reincorporated, or had taken on investors who acquired a majority interest in the company, there could be significant interruptions to coverage well beyond what a change of name would entail.
We won't go into those right now (stay tuned for a later Knowledge Knugget about Change of Control), but suffice it to say that any time one of your insureds approaches you with a request to do anything to its name on its insurance policies, you are in a red flag situation (at least as it pertains to their professional liability coverages) and will likely need to pose some additional questions.
Insureds frequently underestimate the impact of their internal or structural changes on their coverages, and they also frequently do not want to divulge all of the particulars to their agent.
That having been said, here are some areas in which your insureds' name(s) can cause challenges:
1. DBAs -- to include or not include is the question
2. Operating divisions or trade names
3. Parent or sister companies
4. Shareholders/owners/partners/LLC members
6. Additional Insureds
7. Scheduled Insureds
8. Deleting individuals
These areas are in a broad category regarding "Who is an Insured", and we'll explore them over the weeks to come.
Thursday, July 17, 2008
There are several situations in which the naming of the insured and the timing of the name can create challenges.
Here is an example:
Acme Corp. is insured with a policy running January 1, 2006 to January 1, 2007. In
October of 2006, Acme changes its name to Beta Corp. Nothing else changes. The operation remains the same; the ownership remains the same. You would want coverage to continue with no changes.
The agent will usually request the named insured be changed to Beta Corp in this situation. What you really want is to add Beta as an Insured. Here's why:
Although there would be a paper trail of coverage for both Acme and Beta in the '06-'07 policy, what happens when the policy renews January 1, 2007, and the Named Insured on the policy now reads "Beta Corp.," and Acme is nowhere to be found?
If a claim is made and reported on April 1, 2007, and the defendant is Acme Corp., does the policy need to respond?
Technically, unless there is predecessor firm wording in the policy, Acme Corp. is not an insured during the '07-'08 policy period, so a carrier could decline coverage. As a practical matter, if the '07 policy renewed with the same carrier that wrote the '06 policy, they would have a difficult time declining. However, if the '07 carrier is a new one, they have no history with Acme Corp., possibly no knowledge of Acme Corp., and even though they may have provided prior acts coverage on the policy, the defendant is not an Insured.
To avoid this stumbling block, leave the Acme name on the policy. Do not "change" the name. Merely add Beta to the policy.
Stay tuned for more examples and solutions next week.
Thursday, July 10, 2008
Thursday, July 3, 2008
- Most professional liability policies contain what is known as a "consent to settle" clause. This coverage provision extends to the Insured control of the settlement of a claim. The insuror may negotiate a potential settlement, but cannot settle without the Insured's agreement.
- This provision arises from recognition of the potential reputational harm that can be done to a professional by virtue of a carrier settling a claim, thereby imputing liability where none may have existed.
- This reputational harm can have a negative impact on the professional's ability to earn a living, and can also be a magnet for additional claims. Carriers are very cognizant of this slippery slope and endeavor to avoid it by seeking the insured's agreement to any proposed settlement.
- In policies where the carrier does not assume the duty to defend, there is generally no consent to settle provision, as the carrier does not take control of the settlement negotiations. There are just a handful of exceptions to this rule.
- I have heard some people opine that the consent to settle provision is mere window dressing. After all, GL policies do not provide such an enhancement to their insureds. True, but GL claims do not speak to the reputation of the professional, do they? In any situation where all other things are equal, I would definitely prefer to provide the consent to settle to our insured, rather than underestimate its importance. Certainly, the decision to forego such an enhancement should be made by the insured. Not by his or her broker
Friday, June 6, 2008
Thursday, May 29, 2008
- If a claims-made policy is incident sensitive, or has a discovery provision, the insured may report to the carrier an error, a wrongful act, a circumstance, or an incident that it believes is likely to develop into a claim.
- The claim trigger in a professional liability policy is usually a demand for damages. In the absence of a demand for damages, coverage cannot be triggered.
- An insured could have a threatening letter from a disgruntled customer, a notice of intent to sue, a subpoena for information, or just a sick feeling in their gut when they realize an error has occurred that is likely to arise in a claim. However, until the demand for damages is actually made, whether in a demand letter or a suit, there is no claim.
- In the absence of the ability to report a circumstance, an insured can know it will have a claim made against it in the future, and can be unable to move coverage when needed because it cannot ensure the future claim will have a home. New carriers will exclude the circumstance as a known wrongful act, or a circumstance which could reasonably be believed to give rise to a claim. The expiring carrier would not respond to the circumstance because it is not a claim, and would not respond to the future claim, because the policy would no longer be in force.
When we left our hapless insured, they knew they would likely have a claim in the future, and wanted to change to a new carrier, but could not put their current carrier on notice of the circumstance due to the lack of incident sensitivity. The new carrier wouldn't pick up the circumstance because it was *known* to the insured as a circumstance that would likely result in a claim. Can the purchase of an extended reporting period allow the insured to move to the new carrier and still sleep at night?
- If the claim develops within the right time period, (within the ERP) the carrier would respond to it.
- However, many carriers offer limited ERPs. Some are as short as 90 days. One, two or three years are the usual periods offered. A handful of markets will offer 6 or 10 year ERPs.
- A detriment to purchasing the ERP is that the insured has now also limited his reporting period and coverage for all unknown previous acts that might give rise to a claim.
P&P stands for "Pending or Prior". Lit stands for "Litigation".
Almost all claims-made professional liability policies have an exclusion for P&P Lit in them somewhere. It can be found in the insuring agreement, or in the qualification of what constitutes a claim, but is most commonly found in the Exclusions section of the policy.
P&P Lit is any litigation filed against an insured, or any litigation that is going to be filed against an insured. Seems fair, right? A new carrier does not want to be responsible for defending any claims that have already been filed against the insured or that are in progress.
Danger zone 1: A plaintiff can file a suit but not immediately serve the insured. This is known as a "blind lawsuit". The insured cannot report the claim, because he doesn't know about it. The current carrier cannot assume defense, because the claim has not been reported. The new carrier will not assume defense because the litigation was already in progress, even though the insured had not yet been served.
Danger zone 2: The "Interrelated Wrongful Acts" definition can take the general subject matter of existing litigation and tie it to what would otherwise appear to be a new demand. That relationship will subject the new demand to the P&P Lit exclusion. The exclusion itself sometimes casts a wide net and picks up related acts or subject matter.
These third party exposures are not the only ones facing your techie insureds. There are additional First Party exposures you will want to consider.
These exposures include many types of attacks on systems that render your insured's technology unable to perform its core functions. Your insured's business basically cannot continue in the absence of the systems, or it is seriously hampered in its performance.
Some insureds rely upon backup tapes or hot sites in case of disaster -- whether physical or technological. However, data restoration can be flawed, and hot sites are quite expensive.
A proper first party technology policy will defray extra expenses and provide business interruption coverage for claims arising from covered perils.
Learn about those perils in next week's Knowledge Knugget.
One of the most important things an EDP form does is confirm that data is insurable property. EDP policies add coverages such as mechanical breakdown, brownout, and data reconstruction to your client's property coverages.
Neither a property policy nor an EDP policy or endorsement are likely to cover:
- Corruption of data due to a hacker
- Introduction of a virus that disables your client's system
- Overloading of your client's bandwidth or email such that it can no longer function
- Employee tampering or human error
- Cyber-attack on your client's business partners that affects your client's operations
(Again, we are focused here only on first party exposures, so the damages that can be done to third parties and the resultant liability are topics for another day.)
Unintended Consequences -- Or Ooops! What did that exclusion just do to my insured? (5/22/08 Knowledge Knugget)
General Liability policies cover bodily injury or property damage arising from the insured's operations or products. They also generally exlude claims arising from professional services, thereby limiting coverage for a professional to premises liability.
Professional Liability policies cover claims for damages made against the insured by a third party arising from a Wrongful Act. The Wrongful Act is generally an error, act or omission in the rendering of or failure to render professional services.
For most classes of professional liability coverage (Architects and Engineers, and Medical Malpractice being the notable exceptions), there is some kind of exclusion regarding claims arising from bodily injury or property damage.
What happens if your insured is a home inspector, and he fails to notice a leak in the roof? The leak goes undetected until the ceiling collapses. Could he be liable for the collapse? Would his GL policy respond?
If we want the home inspector to have coverage for property damage that occurs due to his negligence, we need to make sure that his professional liability policy provides contingent bodily injury/property damage coverage.
The "contingent" part of that phrase refers to the BI/PD arising *as a result of* his professional services. They are not a result of his direct actions. They are a result of others relying upon his expertise.
More examples and detail to follow next week......
There are many markets offering monoline first party policies, and even more offering first party coverage as part of a combo policy covering both first and third party exposures.
These policies cover many non-physical and some physical causes of loss, provide extra expense and business interruption coverage, and other bells and whistles. Perils and coverages vary widely. A quick run-down of possibilities:
Perils covered include:
- Computer virus
- Unauthorized access
- Employee mistake or tampering
- Internal/External hack attacks
- Denial of service attacks (such as flooding bandwidth)
- Loss to customers or vendors that impacts your client's business
- Natural disaster
- Power surge
- Theft/physical damage
Types of loss covered:
- Business interruption
- Extra expense
- Forensic expense
- Data recovery cost
- Public relations cost
Sunday, March 16, 2008
Below is a copy of the very high level overview. Feel free to use it to educate your insureds.
D&O Coverage Overview
By law, directors and officers of corporations bear legal responsibility for certain actions pertaining to their management and oversight of the entity. This responsibility arises generally from the three common law duties of directors and officers. They are:
The Duty of Loyalty
The Duty of Obedience
When a director or officer violates one of these duties, claims can arise, brought by shareholders, customers, vendors, competitors, employees, or regulatory or governmental entities. Claims brought by shareholders can be made on their own behalf, or on behalf of the corporation (known as a “derivative” suit).
The corporation may or may not be able to indemnify directors and officers for their legal expenses and any settlements or judgments. Whether the entity is able to indemnify can be a matter of legality, parameters of the bylaws, or financial ability.
Directors and Officers liability policies are a common tool used to ensure that the entity will have the financial means to indemnify directors and officers for their expenses. The policy also removes some of the questions regarding legality or bylaws, because the entity is not forced into an adversarial position with the Ds & Os in order to protect its own assets.
Most directors and officers liability policies for privately-held entities have another coverage feature – the entity is also an insured. This is a recent coverage development, having begun in 1994.
This protection for the entity for claims brought against it for its own actions brings into coverage many causes of loss that used to be considered “business risk” and uninsurable.
Claims from competitors, vendors, and customers regarding business practices, competitive position, corporate conduct, and sometimes even contractual breaches can frequently be subject to coverage at least for defense, and sometimes for indemnity.
Thursday, March 13, 2008
Monday, March 3, 2008
The 2004 CGL form automatically excludes AI/PI for many of these insureds.
The following coverages can be found in technology or cyberliability forms:
- Intellectual property -- coverage for plagiarism; infringement of slogan, trademark, or copyright; unfair trade practices arising from same
- Unauthorized access -- unauthorized persons intruding into system, or authorized persons engaging in unauthorized acts
- Malicious coding or programming -- introduction of viruses or other harmful code
Other coverages may be available. Policies are manuscript, and coverage varies widely.
Sunday, February 24, 2008
An insured may have control over three kinds of information, the misuse or loss of which can cause harm.
- Private information (social security numbers, drivers licenses, bank account, credit card, address, familial connections, etc.)
- Medical information (illnesses, prescriptions, physician relationships, prognoses, genetic predisposition)
Missioncritical information (client-specific data used to deliver care, billing information, information used to support credentialing and compliance)
Loss or impairment of the first two types of data can result in third party liability. Loss or impairment of the third type can result in business interruption.
From whence does liability arise?
Inherent in an insured’s relationship with its clientele is faith on the clientele’s part that it will be no worse for dealing with the insured than if it had not done so. When a client puts its private, sensitive information in the insured’s hands, it has a right to expect that information will not be intentionally, accidentally, or negligently used to harm the client.
This basic presumption has been bolstered by legislation in many states, and in some federal acts. Requirements for proper caretaking of private information are specifically codified for medical information, and are addressed in various legislative acts pertinent to certain industries, and in some cases, general business. These legislative acts require not only the proper securing of data, but also the notification of clients whose data has been compromised, among other actions.
Additionally, an insured may assume liability through commitments made in its contracts with clientele.
What kind of loss may occur?
A client whose data is compromised may become the victim of identity theft or other fraud. Fraud has long been an issue in an environment where the client may not be fully in charge of his or her faculties, or may be dependent upon others to take care of his or her estate or business and private affairs. This historical exposure has now been complicated by the rampant abuse of private information in establishing false identities, false accounts, false medical identities (to steal medical care), and false working credentials.
Any of these breaches of a client’s identity could cause not only financial harm to the client, but also to his or her estate and/or beneficiaries, as well as untold amounts of stress, emotional distress, mental anguish, time and money spent repairing damage and getting records corrected, and so on.
Loss or impairment of mission-critical information also can compromise the insured’s day-to-day operations and require costly data reconstruction or extra expense to operate emergency backup systems. As a side note, if the entity is not properly protected against loss of data, or does not have a plan to quickly replace lost data that is mission-critical, there could be liability to the directors and officers for failing to have such a plan, especially if the loss of the data impairs patient/client care in any way.
Impairment, loss or misuse of data can occur through malicious actions of intruders, or can be perpetrated by employees. It can also occur accidentally, such as through transmission of data to an unintended recipient, or failure to shred sensitive documentation.
In addition to third party liability and business interruption exposures, the insured is at risk for a reputational loss. Due to requirements to disclose data breaches, it is no longer possible to keep such an event completely quiet. Add to the required disclosure “word of mouth” publication of the event, and the insured can easily be harmed by common knowledge of its inability to safeguard sensitive information.
What coverages can be found?
Many policies today can provide coverage for third party liability for private and medical information. The scope of coverage can vary from web or network-based exposures to physical forms of data, and from solely outsider actions, to those perpetrated by an employee. Most policies will cover not only identify theft outcomes to data breaches, but also personal injury damages. Some will provide sublimits for notification costs, and for credit repair costs, as providing credit repair to breach clients mitigates the potential liability loss.
Some of these policies will also extend coverage to first party exposures. The causes of loss revolve around hacking, denial of service attacks, viruses, and other technology-driven actions. Many insureds rely upon their backup systems as protection from business interruption due to information loss. However, backup tapes may not be as current as expected, duplicate systems can be expensive, and technology-driven loss of data does not trigger an
Sunday, February 17, 2008
* Nonprofits with revenue greater than $1,000,000
* Nonprofits expending more than $500,000 of federal funds
* Must comply with certainSarbanes-Oxley provisions regarding audits.
Failure to comply can result in personal liability for the directors and officers. Check your nonprofits' D&O coverage to make sure it is up to date and limits are adequate.
Wednesday, February 13, 2008
I'm looking forward to delivering these critical pieces of information into agents' hands and minds on a regular basis and am sure they'll provide much food for thought and stimulate conversation and production opportunities for all.
If you are not currently receiving Knowledge Knuggets and want to be added to the mailing list, please let me know by emailing me at firstname.lastname@example.org.