wells fargo insurance services usa, inc. 1 e merging e xposures not i nsured by sc i nsurance r...

Wells Fargo Insurance Services USA, Inc.1

EMERGING EXPOSURES NOT INSURED BY

SC INSURANCE RESERVE FUND

2015 GFOASC Fall Conference2015 GFOASC Fall ConferenceMyrtle Beach, S.C. March 15, 2015

Presented by Greg JonesSenior Vice PresidentWells Fargo Insurance Services843-573-3560 [email protected]


AGENDA

Introduction Basic Coverages from IRF Changing Legal Landscape Emerging Exposures & Insurance

Employment Practices Liability example Available insurance for uninsured exposures

Fiduciary EPL & Management liability Pollution liability Cyber Liability

Common “gaps and gotcha’s” Q & A


Only state owned insurance company in US Standardized forms in 1985/86 Limited Eligibility Generally good, basic insurance coverage Very limited flexibility Not rated by AM Best Now part of State Fiscal Accountability Authority

Introduction to SC IRF


South Carolina Insurance Reserve Fund

Basic Coverages from IRFBuildings & personal propertyData processing equipmentBusiness Interruption/Extra ExpenseBuilder’s RiskInland Marine (“floaters”)General Tort Liability (i.e. Commercial General Liability)

Medical Professional LiabilityAuto liability & physical damageSchool Activity Vehicle CoverageUnderground Storage Tank coveragePrepaid legal


CHANGING LEGAL LANDSCAPECHANGING LEGAL LANDSCAPE

TY PES OF LEGAL L IABIL ITY

TORTS CONTRACTS STATUTES

MODIFY COMMON

LAW

NEGLIGENCE

INTENTIONAL TORTS

STRICT

LIABILITY

ABSOLUTE LIABILITY

ASSUMPTION OF LIABILITY

BREACH OF CONTRACT


Brief History of Employment Practices Liability

1991

“Tailhook” scandal

Clarence Thomas Hearings

1991 Civil Rights Act


LEGAL LANDSCAPELEGAL LANDSCAPE

STATUTORY BASIS (FEDERAL)

Title VII of the Civil Rights Act

race, gender, religion, national origin, etc. Includes same sex harassment

Allows for Jury trial

Compensatory & Punitive damages capped

Age Discrimination in Employment Act (ADEA)

Americans with Disability Act (ADA)

Family and Medical Leave Act (FMLA)

Pregnancy Discrimination Act

Equal Pay Act

COMMON LAW

Breach of Contract

Wrongful termination

Negligent and Intentional infliction of emotional distress

Defamation

Invasion of Privacy

Negligent Hiring/Supervision

Misrepresentation

Wells Fargo Insurance Services USA, Inc. 8

Wrongful Dismissal, Discharge or Termination

Breach of Employment Contract

Harassment

Racial, Gender, Age, National Origin, Religion, Sexual Orientation, Pregnancy or Disability Discrimination

Retaliation

Employment Related Misrepresentation or Personal Injury (libel / slander / defamation)

Wrongful Failure to Employ or Promote

Deprivation of Career Opportunity

Negligent Employee Evaluation

Wrongful Discipline

Failure to grant tenure

Violation of Civil Rights

Client and Customer Claims for Discrimination and Harassment

Common EPL claims


HISTORY OF EPLI

First Policy Created in 1985

Interest Grows in 1992

Current Environment

-Stand alone EPL

-Combination with D&O/Management Liability

-Endorsement to Commercial General Liability


GAPS IN EPL COVERAGE

S.C. Insurance Reserve Fund

Tort Policy covers “personal injury” claims Covers “discrimination on basis of race, sex, age,

religion, or handicap” Excludes “retaliation” (1998) Can purchase Pre-paid Legal Defense coverage


WHAT IS A CLAIM UNDER AN EPLI POLICY?

EPLI Polices are Claims-Made Policies. Claims have to be reported “as soon as practicable” - during the policy period.

CLAIM may be:

1. Written demand for Monetary Damages

2. Administrative Charge - EEOC or similar state agency charge of discrimination

3. A civil lawsuit

4. Demand for arbitration


COMMON EXCLUSIONS

Prior Notice Pending & Prior Litigation Date (includes administrative

charges) Bodily Injury/Property Damage OSHA/Workers’ Compensation Disability/Unemployment Compensation ERISA/Breach of Fiduciary National Labor Relations Act Fair Labor Standards Act/Similar State Wage & Hour

Claims Breach of Express Written Contract Costs of Physical Modifications under ADA


WHAT ARE THE “GOTCHA’S”?

Claims-made and Reported-Need incident reporting-Potential Issues at each renewal-Very careful when changing insurers-Notice/awareness provisions

Definition of employee-Independent contractors?-Leased/temporary employees?-Volunteers?

Defense cost within limits SIR vs. Deductible Panel Counsel Indemnity vs. “duty to defend” Hammer clause ERP or “tail” issues (“mini tail”) Application a warranty?


Limits/Self Insured Retention Broad Definition of Wrongful Employment Act Punitive damages coverage Option to select defense counsel Third party coverage - Covers Claims brought by

vendors, clients, customers or other non-employees Amended Reporting Provision - Risk Manager/General

Counsel & Human Resources + “mini tail” provision Full prior acts coverage Bordereaux Reporting Risk management tools

Issues to Consider Prior to Purchasing an EPLI Policy


Other Available Insurance

Coverages from Commercial Insurance

Fiduciary liability (ERISA 1974)

EPL & Management Liability (1991 & 2000)

Pollution liability (1988-89)

Cyber Liability (2010)


Cyber Liability Insurance

Coverages Available3rd Party Liability for Privacy breach, Network Security, or Regulatory1st Party Coverage for Privacy notification, crisis management, credit monitoring and forensics.Other 1st Party Options: cyber extortion, business interruption, data restoration.

Limits Available-Two ApproachesOne limit with “fund” sublimitsNumber of Persons notification approach

Wells Fargo Insurance Services

Marketing Summary

CARRIER: LIMIT OF LIABILITY: RETENTION (Each Claim):

ANNUAL PREMIUM:

ACE USA (Indication Only) $3,000,000$5,000,000

$250,000 $250,000

$85,000 - $105,000$115,000 - $135,000

Axis Insurance Co. (Non-admitted)

$1,000,000$3,000,000$5,000,000

$250,000$250,000$500,000

$48,291$102,417$145,923

Chartis(Admitted)

$1,000,000$3,000,000$5,000,000

$150,000 / $250,000$150,000 / $250,000$250,000 / $250,000

$46,601$78,000

$122,000

Federal Insurance Co. (Chubb)

No response as of 1/4/11 N/A N/A

Beazley (Non-admitted)

$3,000,000$5,000,000

$10,000,000

$100,000$100,000$250,000

$88,413$122,137$182,294

C.N.A(Non-admitted)

$1,000,000$3,000,000$5,000,000

$100,000$100,000$250,000

$46,050$97,755

$127,565

Zurich(Admitted)

$1,000,000$3,000,000$5,000,000

$250,000$250,000$500,000

$43,433$65,877$91,645


Legal Issues & The Regulatory Environment

Gramm Leach-Bliley Act: Requires financial institutions to safeguard customers’ records and information against unauthorized access. Imposes major privacy and security requirements on financial services companies

Health Insurance Portability and Accountability Act (HIPAA): Healthcare organizations required to safeguard individually identifiable health information. Imposes penalties on organizations that violate HIPAA (further amended by the HITECH Act)

California SB1386: A California law requiring companies to notify their CA customers and employees of computer security breaches. The law applies to any business that stores customer and employee information electronically even if the company is not based in the Golden State.

Privacy Breach Notification Laws: Spreading of California SB 1386; adopted by 47 states as of December 2010. Duty to notify customers where consumer/customer information has been compromised (electronic or non-electronic means, state legislation varies)

Massachusetts Privacy Law 201 CMR 17.00: This law is the first state law to require specific technology when protecting personal information. If you do business with residents in MA or have employees that reside in MA, compliance is mandatory by March 1, 2010.

Legislation has now imposed affirmative duties on companies as to how they handle data, principally client/customer information:


Legal Issues and The Regulatory Environment

PCI Security Standards: The standards globally govern all merchants and organizations that store, process or transmit cardholder data. PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI fines not generally covered under insurance policies).

FACTA (Fair and Accurate Credit Transactions Act): Prohibits businesses from printing more than 5 digits of any customer’s credit card number or card expiration date on any receipt issued at a point of sale. For machines in use before 1/1/05, the merchant has 3 years to comply. For machines in use after 1/1/05, the merchant has one year to comply.

Red Flag Rules: Established by FACTA, requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.

Federal HITECH Act – health plans, health care providers and health care clearinghouses (ie. Covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures. Requires that any data breach event exceeding 500 records be reported to the Department of Health and Human Services.


What Should You Be Asking?

Have we analyzed our cyber liabilities?

What legal rules apply to the information we maintain or that is kept by vendors, partners and other third parties? The laws surrounding breaches are complex.

Have we assessed our legal exposure to governmental investigations?

Have we assessed our exposure to suits by our customers, vendors or suppliers?

Have we protected our organization in contracts with vendors?

What laws apply in different states and countries in which we conduct business?

Do we have adequate staffing to reasonably maintain and safeguard our important assets and processes?

Have we prepared an incident response plan and business continuity plan?

Do we have a documented, proactive crisis communications plan?

It is critical to have a solid incident response plan in place prior to any security or privacy breach.

** Questions supplied by the “The Financial Impact of Cyber Risk” Publication – American National Standards Institute (ANSI) and Internet Security Alliance.


Vendor Management & Requirements

IT/Software Companies

Request Tech E&O to include network security/privacy coverage

Some Tech E&O policies have security/privacy exclusions

Other Business Services – Payroll, Auditors

Request appropriate E&O coverage to include network security/privacy

Credit Card Processors/Acquiring Banks

Request Network Security/Privacy Coverage

Other Vendors that interact with your systems or sensitive information, or handle information on your behalf

Request Network Security/Privacy Coverage


What Can Be Covered Under a Network Security & Privacy Policy?

Breach of Security: Your liability to third parties arising out of a failure of your network security that results in a computer attack. Such failure can be caused by unauthorized access or use, transmission of a computer virus or a denial of service attack.

Invasion of Privacy: Your liability arising from disclosure and release of confidential or personally identifiable information stored on your computer system caused by a failure of your network security.

Enterprise Privacy: Your liability arising from any breach of privacy including violations of HIPAA, GLB or any state, federal or foreign privacy protection law (including regulatory defense expenses, notification expenses, credit monitoring, crisis management expenses)

Identity Theft: Your liability arising from theft of personal information of your employees, customers or clients.

Cyber Extortion: Protection against threats or demands made against you involving your computer network.

Internet Media: Defamation, Libel and Slander/Personal Injury – Liability arising out of the content disseminated on your Internet site; includes intellectual property infringement exposures

Business Interruption: Business Interruption losses sustained by you arising from the interruption or suspension of your computer network, due to failure of security (including extra expenses)

Data Asset Coverage: Information asset protection for you for property losses involving data, computer systems and information assets arising from a computer attack.


Enterprise Privacy Coverage

Non-network Privacy Breaches: What happens if a breach, which exposes confidential information, does not arise out of a failure of security of your computer system? ie. paper, PDA’s, lost data tapes.

Accountability For Outside Vendors: Your liability arising from others working on your behalf (those which you are legally responsible for).

Employee Privacy Exposure: What happens if a breach causes your employees’ confidential information to be compromised?

Regulatory Defense Expenses: Defense costs involved with a regulatory proceeding, a request for information, demand, suit or civil investigation by or on behalf of a government agency arising from allegations of violation of a privacy regulation (may include coverage for fines & penalties and related consumer redress fund expenses)

Notification Expenses: Costs to notify your customers/clients of security or privacy breaches. Most insurers will provide a sub-limit of coverage to assist with these expenses.

Credit Monitoring Expenses: Costs to provide your customers/clients with credit monitoring services as a result of privacy violation, if you have the duty to provide.

Crisis Management Expenses: Reasonable and necessary expenses incurred by you and approved by the Insurer in retaining the services of a public relations firm, law firm for advertising or related communications to assist with mitigating harm to your reputation.

* Regulatory Expenses, Notification Expenses, Credit Monitoring and other Crisis Management Expenses are generally offered on a sub-limited basis and varies by carrier.


Common Features & Gotcha’s of Additional Coverages

Generally proactive risk management

(EPL, Cyber, pollution)Claims-made & reportedPanel counsel requirementLimits

Defense costs inside limits Various coverages subject to sublimits


Other Commonly Seen Coverages

Coverages AvailableEmployee dishonesty/Faithful performance bondVolunteer Accident CoverageEducator’s E&OBuilder’s RiskProject Specific Professional/Owner’s Protective Professional LiabilitySpecial Events PolicyExcess liability coverage


SC IRF “Gaps & Gotcha’s”

Property

Off-premises service interruption

Coinsurance

Boiler & Machinery limits = $5MM

Business Interruption

Off-premises service interruption

Builder’s Risk

Only owner’s interest, coinsurance, no waiver of subrogation

Tort Policy

No vicarious coverage for independent contractors

No contractual coverage


QUESTIONS?

wells fargo insurance services usa, inc. 1 e merging e xposures not i nsured by sc i nsurance r...

Documents