Category Archives: Specialty Coverage

Minimizing Human Error At The Oscars

One week since we were left scratching our heads following the botched best picture announcement at the 89th Academy Awards ceremony, the liability ripples from an apparent act of human error continue to spread.

Just to recap: the mix-up occurred after a PricewaterhouseCoopers partner mistakenly handed presenter Warren Beatty the wrong envelope for the best picture award.

As the LA Times reported early on, the mistake instantly turned into a public relations nightmare for the accounting firm which has handled the balloting process for the Academy Awards for 83 years.

For its part, PwC quickly moved to mitigate damage to its brand, issuing an apology and accepting full responsibility for the mix-up.

Brian Cullinan and Martha Ruiz, the two PwC partners involved, have been permanently removed from all Academy activities. PwC said the partners did not follow through on protocols for correcting the error quickly enough.

Whether or not the Academy will terminate its contract with PwC, industry lawyers say there are a number of potential liability issues that could arise, per this article by The Hollywood Reporter.

Others say public perception and doubts about PwC’s expertise could be a costly risk factor going forward.

As the fallout continues, the two PwC accountants involved now need security protection due to the public backlash.

While this human error did not happen in the process of crunching the numbers, it does highlight how important it is for businesses to manage their professional liability risks.

Insurers have developed professional liability policies to meet the unique needs of a wide range of industries. Crisis response and helping businesses to protect their reputation are among the services insurers provide.

Uber Case Highlights Employment Liability Risk

By now you’ll have read the troubling tale of alleged workplace sexual harassment as told by a former Uber employee on her personal blog.

As the LA Times reports, Uber CEO Travis Kalanick has called in former U.S. Attorney General Eric Holder to conduct an independent investigation and claimed that the blog post was the first he knew of the incident.

The allegations are a warning to the tech industry and its so-called rockstar culture, the LA Times notes.

The New York Times goes into more detail here.

In a statement issued following a meeting with Kalanick and staff to discuss diversity and inclusion, Uber board member Arianna Huffington said:

“I view it as my responsibility to hold the leadership team’s feet to the fire on this issue.”

This is not the first time that the ridesharing company has been in the hot seat for behaving badly, as discussed in this earlier blog post.

Charges of sex discrimination, including sexual harassment and pregnancy discrimination, accounted for 26,934, or 29.4 percent, of all job bias charges reported to the U.S. Equal Employment Opportunity Commission (EEOC) in 2016.

As the Insurance Information Institute (I.I.I.) notes, the number of employee lawsuits has increased in recent years, and any size business is vulnerable to this type of risk.

Employment Practices Liability Insurance (EPLI) provides important financial protection to businesses against claims or lawsuits filed by employees, former employees, or potential employees.

EPLI covers legal costs, settlements and judgments that arise from claims of: discrimination (age, sex, race, disability, etc.); wrongful termination of employment; sexual harassment and other employment-related allegations and lawsuits.

In addition to insurance protection, I.I.I. says businesses should take key steps to reduce the risk of an employee lawsuit, such as creating clear workplace practices on employment practices and educating management and employees.

A recent Insurance Journal article took a look at what to expect in EPLI in 2017.

Ransomware: Is Cyber Insurance On Your Radar?

Hotel guests locked out of their rooms at a four-star hotel in the Austrian Alps? Washington DC’s CCTV system disrupted days before Donald Trump’s inauguration? Libraries in St Louis brought to a standstill? Eight years of digital evidence lost by a Texas police department?

Ransomware is not just grabbing headlines, it’s now the favorite method of cyberattack used against businesses, particularly in North America and Europe, according to this Malwarebytes report.

In the fourth quarter of 2016 alone, Malwarebytes catalogued nearly 400 variants of ransomware, and 81 percent of ransomware detected in corporate environments occurred in North America.

Lloyd’s insurer Beazley saw ransomware attacks quadruple in 2016 and projects them to double again in 2017.

“Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the most valuable files unencrypted.”

In its white paper Cyberrisk: Threat and Opportunity, the Insurance Information Institute reports that insurers are issuing an increasing number of cyber insurance policies, and that coverage for cyber extortion, including payment of a ransom following a ransomware attack, is available.

According to the FBI, ransomware attacks are on the up, particularly targeting organizations because the payoffs are higher.

Going Gaga For Insurance

Insurers are known for helping us prepare for Mother Nature’s surprises, but did you know that insurers also have to evaluate the risks of Mother Monster, aka Lady Gaga–and other celebrities?

MarketWatch reports that Gaga, due to headline the Super Bowl halftime show on February 5, wants to perform on the top of the dome that covers the NRG Stadium in Houston.

Event organizers are working on how to keep the performer safe as well as securing insurance for the spectacle, according to the New York Post. Reports suggest such a stunt could cost over $100,000 to insure.

Specialist insurers (see our earlier post here) have a long history of protecting the stars — and the companies that promote and sponsor them — by providing appearance/event cancellation coverage, celebrity body parts insurance, and death and disgrace policies.

The Lloyd’s insurance market has insured a long line of celebrities and celebrity body parts. For example, Rolling Stones guitarist Keith Richards’ hands were insured for $1.6 million and Marlene Dietrich insured her voice for $1 million.

Insurance Insider recently reported that the death of Star Wars actress Carrie Fisher is likely to trigger a $50 million “contract protection” policy underwritten in the Lloyd’s market that would cover Disney in the event that Fisher was unable to fulfil her obligations to act in the new Star Wars films.

Each celebrity risk profile comes with its own unique set of risks, according to the individual’s occupation, health, lifestyle and associated risks.

So, next time you go to see your favorite band, sports star or top chef perform, just think: there’s probably celebrity insurance for that.

Women’s Marches And Insurance

The Women’s March on Washington has inspired a grassroots movement of tens of thousands who will show their solidarity in sister marches held in cities across the country on January 21, the day after the inauguration of U.S. president-elect Donald Trump.

All 50 states and Puerto Rico are confirmed to have at least one grassroots-led march on that day, with more than 500,000 people expected to march across the U.S. and in 55 cities around the world.

For volunteer organizers of sister marches, what began with a simple Facebook posting in many cases has grown into a much bigger event for which organizers have taken on not just leadership responsibility, but potential liability consequences too.

Notwithstanding the rights of individuals to come together in peaceful protest, there’s the potential for claims for bodily injury or property damage in the event a march becomes less peaceful than expected.

What this means is that local volunteer organizers may want to explore their insurance options.

For example, many (but not all) municipalities require individuals or groups using public property to purchase liability insurance as part of the application process for a permit to hold an event.

This issue is already a hot topic in Phoenix, Arizona, where under state regulation, organizers of the sister march are required to secure some $2 million in liability insurance, per this AZCentral.com report.

A number of municipalities also offer tenant user liability programs (so-called TULIP programs) that enable organizers of certain public events on city property to more easily obtain event liability insurance.

Rolling Stone Defamation Case Highlights Insurance Need

As the Rolling Stone defamation case moves into the damages phase today, media businesses everywhere—and their insurers—will be watching closely.

A federal jury on Friday found that Rolling Stone magazine, its parent company Wenner Media and Sabrina Rubin Erdely, the author of a discredited 2014 article about an alleged gang rape at the University of Virginia, were liable for defaming Nicole Eramo, a former associate dean of students at the school.

According to this Wall Street Journal report, Ms. Eramo is seeking $7.5 million but the award could potentially go higher.

Rolling Stone also faces a defamation suit brought by the UVA chapter of the fraternity Phi Kappa Psi, the focus of the 2014 article. That case is seeking $25 million.

The verdict against Rolling Stone is the second large media liability claim this year.

In June, a jury awarded $140 million in damages to the former professional wrestler known as Hulk Hogan in an invasion-of-privacy case against Gawker Media Group over the publication of a sex tape.

Gawker settled the lawsuit just last week, agreeing to pay the wrestling star, whose actual name is Terry Bollea, $31 million. Gawker was forced into bankruptcy and sold to Univision in August.

The cases have prompted legal experts to express concerns over the increasing frequency with which complaints about journalism are being settled in the “unpredictable and expensive sphere of the courts”, according to this New York Times article.

From the insurance perspective, the cases underscore how important it is for online and traditional publishers, broadcasters and other media-related firms to purchase media liability insurance.

This specialist type of errors and omissions (E&O) insurance protects creators of content against liability claims resulting from a range of exposures, including, but not limited to, defamation, invasion of privacy, infringement of copyright, and plagiarism.

While there is a fair amount of media liability insurance sold (an estimated $300 million to $500 million in the United States, and $50 million elsewhere (mostly in the United Kingdom)), according to this 2016 survey by Betterley Risk Consultants, further growth is predicted:

“We suspect that much of the media market is untapped risk, self-assumed by large organizations that can afford to self-insure, or ignored by small organizations that don’t think they are exposed.”

In the case of Rolling Stone, its parent company, Wenner Media, is reported to have an undisclosed amount of media liability insurance to cover any damages related to the trial.

Still, at least one analyst cited in this report by the Wall Street Journal says that if costs related to this lawsuit and other pending lawsuits exceed $50 million, Wenner Media may not be able to fund it with existing resources.

Check out I.I.I. resources on E&O insurance for small businesses here.

What IoT Cyber Attacks Mean for Insurers

The massive global distributed denial of service (DDoS) attack against internet infrastructure provider Dyn DNS Co. that left over 1,000 major brand name sites, including Twitter, Netflix, PayPal and Spotify, inaccessible Friday has implications for insurers too.

While the nature and source of the attack are under investigation, it appears to have been (in the words of Dyn chief strategy officer Kyle York) “a sophisticated, highly distributed attack involving tens of millions of Internet Protocol addresses.”

As Brian Krebs’ KrebsOnSecurity blog first reported, the attack was launched with the help of hacked Internet of Things (IoT) connected devices such as CCTV video cameras and digital video recorders (DVRs) that were infected with software (in this case the Mirai botnet) that then flooded Dyn servers with junk traffic.

The World Economic Forum (WEF) recently warned that failing to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure, could have far-reaching consequences for national economies, economic sectors, and global enterprises.

As the IoT leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem, the WEF noted.

While IoT connected devices have the potential to transform how businesses and individuals—and their insurers—conduct, manage and monitor their operations, workplaces and their homes, clearly there are embedded risks that insurers need to consider.

Over at Celent’s insurance blog, Donald Light, director of Celent’s North America property/casualty practice, says the Dyn DDoS attack has a number of potentially serious implications for insurers.

Light writes:

“An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholders and the insurer providing the discount to a variety of potential losses.”

If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses, Light suggests.

The Insurance Information Institute white paper on cyber threats and opportunities is available here.

Cyber Claims Costly To Businesses Large and Small

Data breaches can be costly, no matter how large or small an organization may be.

That’s a key takeaway of the latest NetDiligence study on cyber claims costs that analyzed 176 data breach claims submitted by insurers.

While the average claim for a large organization—at $6 million—was 10 times the average claim for a small organization, some of the largest claims in this year’s study came from smaller organizations with revenues of $2 billion or less.

This year’s dataset included 21 claims in excess of $1 million (12 percent) of which 81 percent (17 out of 21) involved nano-, micro- and small-revenue organizations that were victims either of hackers or malware.

The largest legal costs (defense and settlements) in this year’s study were from two micro-organizations (revenues of $50 million to $300 million). One lost valuable trade secrets to a hacker, while the other exposed protected health information due to a lost laptop.

The combined legal costs for these two organizations ranged from $1.5 million to more than $4.5 million, NetDiligence said.

Interestingly, the average claim payout across the dataset was $495,000, while the median claim payout was $49,000.

The highest average claim payout—$1.3 million—was in the financial services sector.

The majority of claims (87 percent) submitted for analysis in this year’s study came from smaller organizations with revenues of $2 billion or less.

NetDiligence said this is in line with previous findings that smaller organizations experience most of the incidents. This is likely due to the fact that there are simply more small organizations than large ones.

Other contributing factors may be that smaller organizations are less aware of their exposure or they have fewer resources to provide appropriate data protection and/or security awareness training for employees, NetDiligence said.

A point that underscores the growing need for smaller companies to purchase cyber insurance.

While many leading cyber liability insurers are participating in the study, NetDiligence noted that there are many insurers that have not yet processed enough cyber claims to be able to participate.

“It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.”

Allergic Reaction: EpiPen Needed to Restore Reputation

As the mother of a young child with a life-threatening nut and sesame allergy, it’s hard to remain objective and impartial when it comes to a company increasing the price of EpiPen, the life-saving allergy injector, by more than 400 percent since 2007.

However, the latest example of a company facing a public backlash, political pressure and social media storm due to its business practices illustrates the importance of having the necessary resources in place to mitigate the effects of a reputational risk crisis if and when it occurs.

As we’ve noted before in an earlier blog post, reputational risk is among the most challenging categories of risk to manage. A survey from ACE Group found that 81 percent of companies view reputation as their most significant asset—and most of them admit that they struggle to protect it.

The survey suggests that organizations need a clear framework for managing reputational risk that reduces the potential for crises, taking a multi-disciplinary approach that involves the CEO, PR specialists and other business leaders.

Mylan, the company at the center of the EpiPen controversy, has moved quickly to respond to the angry mob and to stem the drop in its share price which has so far lost investors $3 billion.

Yesterday, Mylan’s CEO Heather Bresch went on CNBC to announce the company was increasing financial assistance to patients to offset out-of-pocket costs of the EpiPen.

However, as The New York Times reports, Mylan did not say it would lower the list price — which has risen to about $600 for a pack of two EpiPens, from about $100 when Mylan acquired the product in 2007.

By the way, actress Sarah Jessica Parker also announced she is ending her relationship with Mylan after the pricing debacle broke.

Wherever you stand in this debate, the reality is the pharmaceutical industry is for-profit, as noted by Ms Bresch, and in the absence of a competitor or a generic, EpiPen is the latest example of a company trying to maximize profit.

Reputational risk is not covered by a standard business insurance policy, but companies can purchase coverage via a stand-alone policy which typically would pay fees for professional crisis management and communications services; media spending and production costs; some legal fees; other crisis response and campaign costs including research, events, social media and directly associated costs.

Newer reputation insurance products have also been developed that would cover a company’s financial losses due to reputational and brand damages.

In the meantime, in a climate of increased public, regulatory and investor scrutiny, the Mylan case is a good example of why companies need to be more proactive than ever to respond to challenges before they do serious damage to their brand and reputation.

Banner Health Breach: Are You Covered?

Up to 3.7 million payment card and patient medical records are reported to have been compromised in a cyber attack at Phoenix, Arizona-based healthcare provider Banner Health, underscoring the threat faced by the medical/healthcare sector.

Beginning June 17, the attack targeted Banner Health patients, health plan members, healthcare providers and retail customers.

On its website, Banner Health said it had discovered in early July that cyber attackers may have gained unauthorized access to computer systems targeting payment card data at food and beverage locations, including cardholder name, card number, expiration date and internal verification code.

In late July, Banner Health also discovered that patient information, health plan member and beneficiary information may have been compromised—including names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers.

Physician and provider information may also have been compromised, including names, addresses, dates of birth, social security numbers and other identifiers.

As investigators look into the specifics of this breach, a glance at the numbers reveals that Banner Health will almost double the number of records compromised in U.S. data breaches targeting the medical/healthcare sector in 2016, per figures released by the Identity Theft Resource Center (ITRC).

As of August 2, 2016, some 206 data breach events, exposing just under 5 million records, had been tracked against the medical/healthcare sector, according to the ITRC. Make that 207 data breaches, exposing 8.7 million records.

With Banner Health, total data breach events year-to-date will also rise to at least 573 breaches, with 17.2 million records exposed. (This does not account for any other data breaches that may have occurred since August 2.)

A recent Ponemon report wisely reminded us that “no healthcare organization, regardless of size, is immune from data breach.”

In the last two years, the average cost of a data breach for healthcare organizations was estimated at more than $2.2 million, according to Ponemon.

“Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.”

Criminal attacks are currently the leading cause of breaches in healthcare, Ponemon said. All the more reason for cyber insurance to be purchased, as the I.I.I. advises in this white paper.