Certificates of Insurance: New CT Law & Cancellation Notice Requirement Solution An Email Swindle Yields a Trifecta of Insurance Issues Cyber Breach: A Billion Dollar Headache

Insurance Advocate Exposures and Coverages

Certificates of Insurance Yet Again

Want Expanded Coverage via Certificate in CT? FUHGEDDABOUDIT! Two months ago I wrote about Delaware’s new law that not only bars insurers and producers from issuing false or misleading certificates, but also bars anyone from requesting such a certificate.1 Connecticut has just passed a similar law to be effective October 1, 2014.

In addition to barring issuance of false or misleading certificates, the Connecticut law stipulates that no person shall:

• Warrant that the insurance policy complies with the insurance or indemnification requirements of a contract,

• Require an opinion letter or other document inconsistent with the law, except that an insurer or insurance producer may prepare an addendum to a certificate that explains the coverage. (In New York, that will be done with the new ACORD form 855 NY, which is also mentioned in the June Insurance Advocate article.2)

• Request that another person violate provisions of this law.3

This should be very helpful to producers. For example, contractors often ask that the certificate confirm coverage for the hold harmless provisions in their contracts with property owners. At present the producer is barred by insurance department regulations form complying. This leaves the producer at best with an irate client; at worst the client finds another producer who will issue the certificate and the producer loses the client. Starting October 1, 2014, such a request will be illegal in Connecticut. Both houses of New York’s legislature have again passed legislation similar to that just enacted in Connecticut. Governor Cuomo vetoed the bills last year; he hasn’t acted on this year’s versions as of this writing (July 7, 2014). Stay tuned.

Cancellation Notice Requirement Solution. Almost every contract that contains insurance requirements calls for a 30- day notice of cancellation to the additional insured. But you almost never see a certificate of insurance that provides it—and insurance companies almost never send such notices in any event. Here’s an interesting twist that would make life much simpler for everyone if it were widely adopted:

The Law Department of the City of Atlanta, GA realized that its staff was spending an inordinate amount of time fighting with contractors and their agents about non-conforming certificates. At a minimum, approval of contracts was delayed by at least a month. When the City surveyed its records, it found that in the prior 15 years, there were no known incidents linked to cancelled contractor insurance.

As a result, the City no longer requires the certificates show that Atlanta will receive notice of cancellation.4 Instead, the City’s contracts now require the contractor to fax or email a copy of the insurer’s cancellation notice within two business days of receipt. If the cancellation is for non-payment, the City can pay the premium to the insurance company and charge the amount back to the contractor, thereby keeping the insurance in force. As an added measure to prevent non-payment problems, an additional insured could require that a paid bill for the policies accompany the certificate.

Email Swindle Yields the Trifecta of Insurance Issues

Most court cases involving insurance claims deal with legal minutiae and don’t offer much enlightenment. But when one combines three odd points, we have what I’d call an insurance trifecta.

Horse One: Are there really people who fall for the impassioned emails offering to share a portion of some fictional pot of money with you in exchange for some simple assistance and a small investment?

Eric Carlson, an employee of Avon State Bank in Minnesota, “invested” $60,000 of his own money in response to an email promising a share of a $9,000,000 estate for help transferring the funds from Senegal to the United States.

Apparently eager to share the wealth with others, Carlson convinced two more bank clients to pony up $500,000 to “clear the final hurdle” so that the money could be released and they could all cash in. (Yes, Virginia, there is a Santa Claus.)

Carlson assured the “investors” that the bank was also an investor. He told them to make checks payable to the bank and then, in violation of bank rules, he wired the money from Avon to a Hong Kong bank. As is always the case, none of the investors ever received anything.

Horse Two: How broad is the property- covered provision in fidelity insurance? Broader than you think.

When the “investors” sued Avon for the money they’d lost, Avon submitted the claim to its insurer, BancInsure. BancInsure covered Avon for both liability and fidelity coverage. It denied the liability claim based on a fraudulent acts exclusion. It denied the fidelity claim arguing that fidelity coverage only applied to property owned or held by the bank. This defense failed when the court ruled that the bank “held” the funds as evidenced by the wire transfer from Avon to Hong Kong.

Horse Three: Does every fidelity policy have the same exclusions? Or, what a difference a word makes.

Most employee dishonesty policies have what’s called a “dual trigger.” That is, the employee must manifest intent to cause loss to the insured and that he/she, or someone else he/she intends to benefit, expects to gain from the scheme.5

It is very difficult to establish that the employee intended to cause a loss to the bank. However, Avon’s policy read “…cause loss to the insured or stand to gain…” The court had no trouble deciding that the employee expected to gain and therefore held that the loss was covered. The or meant that the insured had to satisfy only one of the conditions.6

Cyber Breach: Loss Control Comes First, Then Insurance OR a Billion Here a Billion There

Target has made cyber breach insurance the talk of the town—well the insurance village anyway. Latest figures estimate the cost to replace credit cards for Target customers whose data was stolen at more than $200 million.7 Target may well have to foot that bill. Target will also provide credit monitoring services to the cardholders whose information was stolen. Doing that for the 70 million customers won’t be cheap. The loss of business and loss of reputation can’t be exactly valued, but it’s the biggest problem Target faces. It’s possible that this may become a billion-dollar loss. Target had $100 million cyber breach coverage.8 Selling stolen credit card information isn’t pocket change. Reportedly, credit card information stolen from Target was on the black market almost at once for $20 or more per card.9 Multiply $20 by the 70 million credit card holders whose information was stolen and we’ve got a “street” value of another billion dollars!

It’s clear that any entity with the personally identifiable information of numerous customers may need insurance, but loss control is a vital first step. Suggesting how to properly protect electronic data is way above my pay-grade, but some insurers that sell cyber breach insurance offer free advice on protecting data as does the Federal Trade Commission’s Data Security web page:

http://www.business.ftc.gov/privacy-andsecurity/ data-security. Another source is an article by Melissa J. Krasnow of Dorsey

&Whitney LLP, “Guidance for Managing Cyber Security Risks” that was just posted on International Risk Management Institute’s website.10

Do Small Businesses Need Cyber Breach Insurance? Beware of overselling the coverage. It’s not full cyber liability insurance and not every firm has a meaningful cyber breach exposure. The question is: What would the insured stand to lose and how much of that would be covered by insurance?

One commonly quoted set of cost-ofbreach estimates is produced by Ponemon Associates. Every year since 2005, Ponemon has conducted in-depth studies of 50 or so firms that sustained cyber breaches that year to get the details of their losses. This year’s report is co-sponsored by IBM. The average cost per record over the nine-year period is just under $200. The latest study shows a cost of $201 per record.11

Sometimes insurers talk about the $201 per record figure, overlooking that only $67 of that is direct costs, which is all that would probably be covered by insurance. (Over the 9-year period that Ponemon has been conducting these surveys, direct costs have averaged about $60 per record lost.) Direct costs refer to expenses such as engaging forensic experts, hiring a law firm or offering victims identity protection services.

Most of these costs can be covered by insurance. One policy offers the following coverages: First Party Response expenses including but not limited to:

• Legal & Forensic Services

• Crisis Management/Public Relations

• Notification Expenses

• Good Faith Advertising Expenses, and Third Party Defense & Liability expenses (including defense costs).12

Indirect costs include the use of existing employees to help in the data breach notification efforts or in the investigation of the incident, loss of goodwill and loss of customers. For the most part, indirect costs are not covered by cyber breach insurance. To up the stakes for insureds, ISO has just mandated that data breach be excluded from coverage in CGL policies—most companies feel there’s no coverage even without the specific exclusion. The endorsement to implement the exclusion is CG 2106 05 14 (Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception). The exclusion is already incorporated in certain ISO forms, which won’t require the endorsement. The exclusion applies to:

1. Disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information, or

2. The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. (This second part of the exclusion is not a part of cyber breach coverage at all.)

Tell your clients about cyber breach. Tell them they need to protect the information in their computer systems. And tell them about the insurance that’s available. But don’t oversell it.

1 Jerome Trupin, “Certificates of Insurance in the News Again,” Insurance Advocate June 9, 2014, pages 12

and 14.

2 Ibid

3 Excerpted from AAIS article “Connecticut Enacts Regulation on Certificates” http://www.aaisonline.com/

AAISFrame/ConnectFrame/AdvisoryFrame/tabid/143/ArticleID/831/Connecticut-Enacts-Regulationson-

Certificates.aspx (accessed 7/3/14) and Michael A. Bono, “Expanded Insurance Certificate? Don’t

Even Ask,” http://blog.wcmlaw.com/2013/06/expanded-insurance-certificate-ny/ 4 Bill Wilson, The Big ”I“ Virtual University insurance guru, sent me a copy of Atlanta City Attorney Robert B. Caput’s Power Point “Legal Aspects of Airport

Insurance; What Every Good Airport Lawyer Should Know.” It contained this information.

5 The “dual trigger” is the reason I prefer the employee theft form to the employee dishonesty form. While “theft” is arguably more limited than “dishonesty,” the

theft form does not contain the dual trigger language.

6 Avon State Bank v. BancInsure, Inc., CIV. 12-2557 RHK/LIB (D. Minn. Jan. 10, 2014) (An appeal is pending to the Eight Circuit and the decision may be reversed.

Attorneys often urge that lower court cases be disregarded, however this trifecta is too enticing and it’s enlightening even if it’s reversed.).

7 “Target Data Breach Cost for Banks Tops $200M” NBC News, http://www.nbcnews.com/business/business-news/target-data-breach-cost-banks-tops-200mn33156

(accessed 6/25/14).

8 John Vomhof Jr. “Target’s $165M Insurance Firewal,” Minneapolis/St. Paul Business Journal Afternoon Edition Newsletter, Jan. 21, 2014

http://www.bizjournals.com/twincities/news/2014/01/21/target-100m-insurance-firewall.html (accessed 6/28/14). In addition to the $100 million cyber

breach coverage, Target had $65 million D&O that might be exposed to loss.

9 Erin L. Webb “Target Data Breach Highlights Importance of Insuring Cyber Risks” Policyholder Informer DicksteinShapiro LLP

10 Melissa J. Krasnow “Guidance for Managing

Cyber Security Risks,” IRMI Risk & Insurance

http://www.irmi.com/expert/articles/2014/kras

now05-cyber-privacy-risk-insurance.aspx

(accessed 6/30/14)

11 “2014 Cost of Data Breach Study: United States”

http://www-01.ibm.com/common/ssi/cgibin/

ssialias?subtype=WH&infotype=SA&appna

me=GTSE_SE_SE_USEN&htmlfid=SEL03017USE

N&attachment=SEL03017USEN.PDF#loaded

(accessed 6/30/14)

12 “What is Data Breach Coverage?” Orr &

Associates, http://www.commercialquotes

insurance.com/what-is-data-breach-coverage/

(accessed 6/30/14)