
Meeting Today’s Compliance Challenge: ERM & ORSA

Written By Unknown on Thursday, 20 September 2012 | 11.30

Over the past few years, international supervisors, U.S. state regulators, and major rating agencies such as Standard & Poor's and A.M. Best have adopted regulatory and rating review processes to help ensure that insurers build strong enterprise risk management (ERM) frameworks to evaluate, govern, and manage risks of loss company-wide.

This year, the National Association of Insurance Commissioners (NAIC) is finalizing a more formalized reporting requirement to monitor risk and solvency levels of the largest insurance companies, going above and beyond the recent state regulatory push towards risk-based financial examinations. The NAIC's Own Risk and Solvency Assessment Proposal (ORSA) is defined as a set of processes used for decision-making and strategic analysis, based on how the company manages and controls its risks.

The goal of performing an ORSA is to analyze, in a continuous and proactive way, the overall solvency and capital requirements of an insurance company in light of the specific business, operational, and underwriting risks uniquely faced by that company. However, an ORSA exercise is not just about capital. It marks a change in behavior, signaling a fundamental shift towards a comprehensive enterprise risk management (ERM) culture. Ultimately, regulators are moving towards supervisory rules and standards requiring insurance companies to integrate risk and risk management in all aspects of corporate day-to-day decision-making.

Under the ORSA requirement, insurers writing more than $500 million of annual direct written and assumed premium, or groups collectively writing more than $1 billion, will be expected to "self-evaluate," using their own internal models, the sufficiency of their capital given a wide range of risks inherent in current and future business operations. As currently proposed, insurers will be expected to detail the elements of their ERM framework and ORSA results in an annual Summary Report to their home-state regulator. Major changes to the ORSA review will be submitted to the regulator on a rolling basis as needed, such as following an update to the company's strategic business plan. In this Summary Report, subject insurers are asked to provide detail in three key sections:

  • Section 1 — A description of the Insurer's Risk Management Framework
  • Section 2 — An Insurer's Assessment of Risk Exposures
  • Section 3 — Group Risk Capital and Prospective Solvency Assessment

Insurers preparing for ORSA reporting by 2014 may be at very different stages of readiness, depending on how they have allocated resources and budgets to their overall ERM efforts over the past few years. Many companies are running into practical challenges in identifying, organizing, assessing, and managing their necessary risk and control data, which need to be addressed before any reports are compiled. How can companies meet some of those challenges?

Practical Compliance Challenges

Companies may find it challenging to comply with the ORSA requirements for several practical reasons. First, the guidance itself is not strictly prescriptive, giving companies great flexibility in how and what to report in the narrative sections on risk management and control framework or governance process. This means that some companies may provide too much information and some, not enough, and many companies have concerns about privilege, confidentiality and trade secret protection in disclosing information in the amount of detail that regulators might expect.

Second, the basic requirement of Section 1, a description of the insurer's risk management framework, assumes that companies of the stated size already have an overall ERM framework in place, as described. However, even some larger companies may be still working on developing a framework, or may have only a basic ERM program or governance system that they will want to improve on over time, addressing more complex functions or elements.

Third, where companies do have a framework, the framework will not be the same from company to company. There is not yet an established body of "best practices" or standardization of documents, forms, reports, etc. that can simply be adopted or configured for individual entities. Companies continue to look for guidance and recommendations on how to develop solid procedures and practices that will not only meet regulatory minimums for reporting, but can help actually manage, mitigate, and control risk effectively.

With respect to Section 2, the Guidance Manual addresses the insurer's assessment of risk exposures. However, per the NAIC, "one of the most difficult exercises in modeling insurer/group results is determining the relationships, if any, between risk categories." Even where companies are implementing frameworks to create risk and control libraries and score/prioritize risks, it is difficult for insurers to take the "next step" to connecting risks which might have related or "knock-on impact" between departmental functions or areas.

For example, a hurricane may cause (a) underwriting loss (for issued property policies), (b) operational loss (if the company has physical operations or staff in the impacted territory), (c) increased legal, compliance and regulatory costs to comply with state reporting and data call obligations, and (d) cash flow problems, interest loss, reinsurance collection issues, and other financial difficulties due to a sudden run of claims. Some frameworks can accommodate risk measurement but fail to adequately show linkage of interconnected risks.

Further, management of ERM-related tasks today may often be handled informally or haphazardly, without consistent controls in place to confirm that needed action steps, such as risk assessments, have been accomplished. Tracking of activities may be a difficult, manual process, reliant on email, spreadsheets, and ad-hoc databases without adequate version or content control. With the implementation of the ORSA requirement, insurers may find that they need to "beef up" and significantly improve their documentation, attestation and record-keeping practices generally, particularly for any processes that underlie the ORSA report or feed other ERM-related strategic risk analysis.

Finally, whether preparing for the ORSA or just implementing ERM for other reasons, insurers may struggle with the balance and tension between their "high level" ERM governance practices and their day-to-day compliance or operational management functions. Companies constantly struggle to improve a wide variety of internal controls, policies and procedures. However, with the implementation of ERM protocols which rate/rank control effectiveness and attest to the operation of risk mitigation procedures, gaps and deficiencies in controls may become more obvious, and reveal the need for more resources in functional areas. Prioritizing and scoring risks and controls within an ERM program may, over time, actually lead to a shift of internal resources and management focus away from the original goal of analyzing high-priority risks. Additionally, it may pull the use of ERM information away from strategic planning and back to the nitty-gritty detail of better inventorying or managing operational, compliance, legal and regulatory risks.

Recommendations

More than ever before, the ORSA reporting requirement will require insurance companies to assimilate strong risk and control management practices into all aspects of everyday corporate decision making, from setting financial strategies and establishing business plans, to controlling routine compliance, legal, and operational risk. Companies must widen and solidify the links and inter-relationships between all departments and functions that might impact either corporate losses, or business opportunities. What can be done?

Don't wait to design a solid ERM program until regulatory reporting demands are imminent; develop a more integrated program of risk and control assessment and management now.

Even in companies which historically have a strong focus on compliance or internal control issues in specific functional areas such as finance, claims or underwriting, the process of implementing an integrated program of  risk identification, assessment and control on a larger scale - across an organization - can take many months, if not years. It takes time to review and catalog what controls are currently working, or not, and put remediation plans in place. It takes time to roll out new risk assessment and communication protocols to key staff. It also takes time to determine what risks are higher in potential impact to the company, and thus, where to dedicate resources. Waiting until the last minute to start even a rudimentary review process, with the thought "we'll do it when we know exactly what regulators want us to report," will be too late to embed and test the success of expanded risk management tools and techniques.

Build on the company's current risk and control management expertise, and keep control-related functions well-coordinated.

To ensure thorough review of risks and controls, as well as to prevent duplicating work, look for potential synergies between the ERM process and other control functions, such as legal and regulatory compliance, internal audit, and operational management teams. Try to integrate ERM/ORSA record keeping and supporting tasks with other uses for related data, such as SOX certifications, regulatory compliance or market conduct compliance management audits, and any other processes that involve any review or analysis of potential loss to the company.

For example, any process asking employees to sign off on or attest to the effectiveness of policies and procedures, SOX "key controls," or other controls mitigating risks should be discussed with team members from other compliance-type functions to see if the sign-off process can be timed, or documents drafted, to be used for multiple purposes. Also, members of the various departments responsible for the tracking of emerging risks, financial models, or the development of business plans should liaise on a regular basis, to help ensure a consistent approach to those important planning processes.

Invest in technology to ensure risk information will be assessed and prioritized effectively, to help create links between risks in different areas, and to streamline workflows.

Understanding and managing the quality and availability of existing information within the insurer is key to a successful ERM or ORSA implementation. Whether adopting ERM to comply with regulatory challenges, to meet rating agency expectations, or just as a good business practice, companies should not limit their technology and planning efforts to the actuarial modeling of risk, or calculation of capital. Rather, implementing ERM should be viewed as a key opportunity to improve existing control processes and reporting tools, and to automate as many processes as possible.

In sum, the NAIC's ORSA approach continues to evolve rapidly. Investing time and resources now to improve overall compliance and control efforts, and establish solid enterprise-wide risk assessment, documentation, and communication, should go a long way to meet upcoming ORSA reporting obligations. Ultimately, having a complete, solid ERM framework, integrated with other company compliance and control functions, should be a strong foundation for insurers' long-term risk-based capital assessment goals.

20 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/20/meeting-todays-compliance-challenge-erm-orsa?ref=rss

Top 10 Car Technologies for Mature Drivers

Smart headlights, emergency response systems and reverse monitoring features rank highest in car technologies that enhance the abilities and promote safe driving for older motorists, according to a new study by The Hartford and MIT AgeLab.

Using more than a decade of research on older driver safety, The Hartford and MIT AgeLab worked with a panel of experts in driving, aging and technology to examine 25 new technologies designed to benefit mature drivers, who are more likely than other age groups to purchase the types of vehicles that contain modern technology.

Jodi Olshevski, gerontologist at The Hartford, said: "While older drivers as a group are relatively safe, these technologies can help to enhance their abilities and promote safe driving for a lifetime."

The Hartford maintains a top technologies list (www.thehartford.com/lifetime) which drivers can match with their vehicle manuals to understand what their car is equipped with and how the features work.

The study also recommends three steps older drivers should consider for their driving wellness:

1. Be a healthy driver. Get regular physicals and annual eye exams, consider the side effects of medications and exercise regularly.

2. Keep learning. Take a driver safety course such as the one offered through AARP Driver Safety.

3. Adjust to changes in driving skills. Be aware of normal age-related changes and make appropriate adjustments to driving.

The top 10 most popular technologies are listed below.

1. Smart headlights adjust the range and intensity of light based on the distance of traffic and to reduce glare and improve night vision.

2. Emergency response systems offer quick assistance to drivers in case of a medical emergency or collision, often allowing emergency personnel to get to the scene more quickly.

3. Reverse monitoring systems warn of objects to the rear of the vehicle to help drivers judge distances and back up safely, and help drivers with reduced flexibility.

4. Blind spot warning systems warn drivers of objects in blind spots, especially while changing lanes and parking, and help those with limited range of motion.

5. Lane departure warning monitors the vehicle's position and warns the driver if the vehicle deviates outside the lane, helping drivers stay in their lane.

6. Vehicle stability control helps to automatically bring the vehicle back in the intended line of travel, particularly in situations where the driver underestimates the angle of a curve or experiences weather effects, and reduces the likelihood of a crash.

7. Assistive parking systems enable vehicles to park on their own or indicate distance to objects, reducing driver stress, making parking easier and increasing the places that a driver can park.

8. Voice activated systems allow drivers to access features by voice command so they can keep focused on the road.

9. Crash mitigation systems detect when the vehicle may be in danger of a collision and can help minimize injuries to passengers.

10. Drowsy driver alerts monitor the degree to which a driver may be inattentive while on the road and help alert drivers to the driving task.

For a more detailed list of the top ten technologies, free guidebooks, practical tools and an informational video, visit www.thehartford.com/lifetime and www.youtube.com/thehartford.

20 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/19/top-10-car-technologies-for-mature-drivers?ref=rss

Staying Compliant Amid Escalating Cyber Threats

Written By Unknown on Wednesday, 19 September 2012 | 02.29

(Editor's Note: This article has been contributed by David M. Governo, founding partner of Governo Law Firm LLC, and Corey M. Dennis, attorney at Governo Law Firm LLC. Accompanying footnotes appear at the end of the article.)

Data privacy breaches occur daily and are estimated to cost $5.5 million per breach,[1] while the worldwide cost of cybercrime is estimated to be $388 billion annually.[2] In addition to the risk of significant financial loss, cyber attacks can ruin a company's reputation virtually overnight.

Although companies in the health care, hospitality, and retail industries are considered the prime targets of cyber attacks, companies in the insurance industry share the same risks of financial and reputational loss. In fact, a recent report found that despite increased focus on data security, approximately 40 percent of the 46 major insurance organizations have experienced data breaches in the past 12 months.[3]

The insurance industry has responded to the need for financial protection due to cyber risks by offering cyber liability insurance coverage. However, the insurance industry must recognize that it too is vulnerable to cyber attacks and subject to a myriad of data privacy laws and regulations. This article discusses the compliance obligations insurance companies face in the wake of these complex local, national, and international regulatory schemes.

The Gramm-Leach-Bliley Act

A federal law enacted in 1999 to reform the financial services industry and to address concerns relating to consumer financial privacy, the Gramm-Leach-Bliley Act established a Privacy Rule and a Safeguards Rule applicable to nonpublic consumer personal information held by any "financial institution," which is broadly defined to include insurers, as well as insurance agents and brokers.[4] Under the Privacy Rule, these financial institutions must send their customers privacy notices describing their protections with respect to the customers' nonpublic consumer personal information, as well as "opt-out" notices before the customers' nonpublic personal information is shared with nonaffiliated third parties.[5]

The Safeguards Rule requires financial institutions to develop a written information security plan to protect the security and confidentiality of customer information.[6] Violations of the Act, which preempts weaker state laws,[7] may be enforced by the Federal Trade Commission, state insurance authorities, and other federal agencies.[8]

In 2000, the National Association of Insurance Commissioners (NAIC) adopted the Model Privacy of Consumer Financial and Health Information Regulation to implement the insurance industry privacy obligations under the Gramm-Leach-Bliley Act. The Model Regulation, which is similar to the Act, has been adopted in the vast majority of states.

HIPAA Privacy and Security Rules

The federal Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national health information privacy standards applicable to health care providers, health plans (including health insurance companies, HMOs, and company health plans), and health care clearinghouses holding individuals' "protected health information."[9] The HIPAA Privacy Rule, promulgated in 2000, generally prohibits the unauthorized disclosure of protected health information.[10] Covered entities must also require by contract any "business associates" to whom they disclose protected health information (e.g., insurance brokers and agents, third party administrators of health plans, accounting firms providing services to health care providers) to appropriately safeguard the information.[11] 

The HIPAA Security Rule, promulgated in 2003, requires covered entities to maintain "reasonable and appropriate" safeguards for protecting electronic health information, which must be documented in written policies and procedures.[12] The HIPAA Privacy and Security rules, violations of which may result in civil and criminal penalties, generally preempt less stringent state laws.[13] 

The HITECH Act and Breach Notification Requirements

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 to combat the privacy and security concerns associated with the electronic transmission of health information. The Act strengthens penalties for HIPAA violations, extends HIPAA violation liability to business associates (such as insurance brokers and agents), establishes an audit program mandate, and authorizes state attorneys general to bring civil enforcement actions for HIPAA violations.[14] To implement the audit program mandate, the U.S. Department of Health and Human Services began a privacy and security audit pilot program in November 2011, and 115 audits will be conducted through December 2012.[15]

The HITECH Act's breach notification regulations require HIPAA covered entities to report data breaches affecting 500 or more individuals to the affected individuals, the U.S. Department of Health and Human Services, as well as to "prominent media outlets serving a State or jurisdiction."[16] Breaches affecting fewer than 500 individuals must be reported to the Department annually.[17] In addition, business associates must notify covered entities of any breaches.[18]

State Data Privacy Laws

Over the past several years, 46 states have enacted laws governing data privacy and security. To comply with these laws and minimize the risk of a data breach, businesses, including those in the insurance industry, must adopt security measures to protect the personal information of both their customers and their employees.

Under the data privacy laws of California and Rhode Island, for example, businesses holding unencrypted personal information of state residents must implement "reasonable security procedures and practices," and must require by contract third parties to whom they disclose such information to implement those safeguards.[26] Further, the laws of both states require notification to affected residents of any data security breaches "in the most expedient time possible."[27]

The Massachusetts data privacy regulations, which became effective in March 2010, are among the most burdensome in the country. The regulations apply to every "person" or other entity, including companies both inside and outside of Massachusetts, holding personal information of Massachusetts residents.[28]

They require such entities to establish physical, administrative, and technical information security measures to safeguard personal information and to develop a "written comprehensive information security program" outlining those measures.[29] Covered entities must also require their third-party service providers (for example, payroll providers, outsourcers, contractors) to implement security measures by contract, and must ensure encryption of records containing personal information stored on portable devices or transmitted over wireless networks.[30]

In the event of a data security breach, covered entities are required to give notice to any affected Massachusetts residents, as well as to the Massachusetts Attorney General's Office and the Massachusetts Office of Consumer Affairs and Business Regulations.[31] The Massachusetts Attorney General is authorized to enforce the Massachusetts data privacy laws by bringing civil actions, which may result in substantial liability.[32] 

Under Connecticut's data privacy laws, any business holding personal information must safeguard it to prevent misuse by third parties, and any business that collects Social Security numbers in the course of its business must create a "privacy protection policy" establishing safeguards for those Social Security numbers.[33] The laws also require those doing business in Connecticut to disclose any security breach involving unencrypted personal information to state residents and the state attorney general "without unreasonable delay."[34]

In August 2010, the State of Connecticut Insurance Department issued Bulletin IC-25 regarding information security incidents, which applies to all entities regulated by the Department, including insurance producers, property and casualty insurers, life and health insurers, public adjusters, casualty claim adjusters, and pharmacy benefit plans. The Bulletin requires regulated entities to notify the Connecticut Insurance Commissioner of any information security breach of a Connecticut insured, member, subscriber, policyholder, or provider, including those involving their business associates, within five days.[35] The Departments of Insurance of several other states, including Rhode Island, Ohio, and Wisconsin, have issued similar bulletins and regulations requiring insurers to notify the state departments of insurance in the event of a data breach.[36]

The Payment Card Industry Data Security Standard (PCI-DSS), an international information security standard established by the Payment Card Industry Security Standards Council, imposes a set of security requirements on organizations that handle cardholder information for major credit and debit cards, including protecting cardholder data as well as maintaining a secure network, a vulnerability management program, and an information security policy. Several states, including Nevada, have incorporated the PCI-DSS requirements into their data security laws.[37]

International Data Privacy Laws

Insurers conducting business overseas must understand the compliance challenges posed by international data privacy laws. Significantly, the European Union Data Protection Directive (Directive 95/46/EC) represents one of the strictest data privacy frameworks in the world.[38] The Directive governs the processing of personal data and the free movement of such data and applies to all companies processing data of European residents.[39] It permits processing of personal data only under specified circumstances, such as when the data subject has given consent or it is necessary to fulfill a contract or meet another legal obligation.[40]  

Under the Directive, personal data must be processed in accordance with certain data protection principles, including the requirements that it be processed fairly and lawfully; collected only for specified, explicit, and legitimate purposes; as well as adequate, relevant, and not excessive in relation to the purposes for which it is processed. Further, covered entities are required to implement appropriate technical and organizational measures to safeguard the data.[41]  

The Directive prohibits the transfer of personal data to a non-EU country unless that country's level of protection is deemed adequate.[42] U.S. data privacy laws have been deemed inadequate. As a result, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework in 2000, under which U.S. companies are permitted to receive personal data transfers from the EU if they certify that they will comply with requirements similar to those imposed by the EU Data Protection Directive.[43] U.S. companies failing to comply with the Safe Harbor Framework have recently been subject to Federal Trade Commission enforcement actions.[44]

In light of the growing risk of cyber threats to all businesses, including insurance companies, attorney-directed data risk assessments have become critical in detecting vulnerabilities and ensuring compliance with applicable laws. It is recommended that outside counsel be retained to preserve the attorney-client privilege applicable to any reports or other communications relating to the assessment.[45] Such documents may also be protected by the work-product doctrine if they are prepared in anticipation of litigation,[46] or by the "self-critical analysis privilege," which some courts have recognized in limited circumstances.[47]

President Obama recently declared that "the cyber threat to our nation is one of the most serious economic and national security challenges we face."[48] While companies in the insurance industry may recognize that other businesses face these cyber liability risks, they should not disregard their own vulnerabilities and compliance obligations. Complying with the complex web of data privacy laws is challenging, but necessary to mitigate the liability and reputational damage that often results from data breaches today.

Footnotes

1. See Ponemon Institute, 2011 Cost of Data Breach Study: United States

2. See Elise Ackerman, Secretary of Homeland Security: cybercrime as big a threat as Al Qaeda, Forbes QUBITs Blog (June 3, 2012). Since 2005, over 3,300 data breaches, resulting in more than 563 million compromised records, have been reported in the United States. See Privacy Rights Clearinghouse, Chronology of Data Breaches. As the reported cyber attacks "represent only a small fraction of cyber attacks carried out," these figures may well be underestimates. See Bipartisan Policy Center, Too many cyber attacks hushed up, US panel says (July 19, 2012).

3. See Deloitte 2012 DTTL Global Financial Services Industry Security Study. The report also found that insurers are "bracing for the impact of more stringent consumer financial laws as well as the risks associated with newer technologies to meet the growing demand for virtual operations." Id.

4. See 15 U.S.C. § 6801 et seq.; 16 C.F.R. § 313.3(k)(1).

5. See 16 C.F.R. § 313.1 et seq.

6. See 16 C.F.R. § 314.1 et seq.

7. See 15 U.S.C. § 6807; 16 C.F.R. § 313.17.

8. See 15 U.S.C. § 6805. Three credit report resellers recently settled FTC charges based on their failure to reasonably protect consumers' personal information in violation of the Act, which resulted in computer hackers accessing the information. The settlements required the companies to strengthen their data security procedures and submit to audits for 20 years. See Federal Trade Commission Press Release, Credit Report Resellers Settle FTC Charges; Security Failures Allowed Hackers to Access Consumers' Personal Information (February 3, 2011).

9. See 45 C.F.R. § 160.102; 45 C.F.R. § 160.103. "Protected health information" is defined as individually identifiable health information relating to the individual's physical or mental health conditions, or the provision of or payment for health care to the individual. See 45 C.F.R. § 160.103. This includes the individual's name, address, birth date, and social security number.

10. See 45 C.F.R. §§ 164.500 et seq.

11. See 45 C.F.R. § 164.502(e); 45 C.F.R. § 160.103.

12. See 45 C.F.R. §§ 164.302 et seq.

13. See 45 C.F.R. § 160.203.

16. 42 U.S.C. § 17932.

18. 42 U.S.C. § 17932(b).

21. See Maureen McKinney, Health Net data breach affects 1.9 million, Modern Healthcare (March 15, 2011). This was not Health Net's first data breach. In 2010, the Connecticut Attorney General filed an enforcement action against Health Net based on the breach of 500,000 enrollees' medical records and financial information. See Connecticut Attorney General's Office Press Release, Attorney General Sues Health Net For Massive Security Breach Involving Private Medical Records And Financial Information On 446,000 Enrollees (Jan. 13, 2010).

22. See Jessica Silver-Greenberg, Medical Debt Collector to Settle Suit for $2.5 Million, The New York Times (July 30, 2012). The action alleged violations of HIPAA and the HITECH Act arising from a laptop theft that compromised over 23,000 patients' health information, as well as violations of state debt collection and consumer protection laws.

24. See Sabrina Rodak, TRICARE Contractor Faces Second Lawsuit Over September Data Breach, Becker's Hospital Review (Jan. 10, 2012); Bob Brewin, Class Action Suit Seeks $4.9 Billion in Damages from TRICARE Data Theft, Nextgov (October 13, 2011).

25. See Kay Lazar, Laptop theft may affect 3,900 Beth Israel patients, The Boston Globe (July 21, 2012). Last year, the same hospital reported a data breach involving more than 2,000 patients' personal health information after a computer became infected with a virus and transmitted data files to an unknown location. See Hiawatha Bray, Beth Israel data breach may affect over 2,000, The Boston Globe (July 19, 2011).

26. Cal. Civ. Code § 1798.81.5; R.I. Gen. Laws § 11-49.2-2.   

27. Cal. Civ. Code § 1798.82; R.I. Gen. Laws 11-49.2-3.


28. See 201 CMR 17.02.  "Personal information" is defined as a Massachusetts resident's first name (or initial) and last name, in combination with the resident's: (1) social security number; (2) driver's license number or state-issued ID card number; or (3) financial account number or credit/debit card number.  See id.

30. See 201 CMR 17.03 & 201 CMR 17.04.    

31. See Mass. Gen. Laws ch. 93H § 3.

32. Recent Massachusetts data breach enforcement actions resulted in a $750,000 settlement with a Massachusetts hospital, a $110,000 settlement with a major Boston restaurant group, and a $15,000 settlement with a property management firm. See Massachusetts Attorney General Press Release, South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations (May 24, 2012); Massachusetts Attorney General Press Release, Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement with AG Coakley (March 28, 2011); Massachusetts Attorney General Press Release, Property Management Firm to Pay $15,000 in Civil Penalties Following Data Breach (March 21, 2012). 

33. See Conn. Gen. Stat. § 42-471.   

34. Conn. Gen. Stat. § 36a-701b. 

35. See State of Connecticut Insurance Department, Bulletin IC-25. The Bulletin was issued pursuant to statutory authority.

36. See Rhode Island Insurance Regulation 107; Ohio Insurance Bulletin 2009-12; Wisconsin Office of the Commissioner of Insurance December 4, 2006 Bulletin.

37. See Nev. Rev. Stat. § 603A.215.


38. The Directive was promulgated in 1995 and later implemented, with some variation, by the EU member states.  Other international data privacy laws include Canada's Personal Information Protection and Electronic Documents Act, the Asia-Pacific Economic Cooperation's Privacy Framework, Japan's Personal Information Protection Law, Australia's Federal Privacy Act, and Argentina's Law for the Protection of Personal Data.

39. "Personal data" is defined very broadly to include any information relating to a European resident that identifies the resident by reference to an identification number or by his or her "physical, physiological, mental, economic, cultural or social identity." See EU Directive 95/46/EC, Article 2. 

40. See EU Directive 95/46/EC, Article 7.

41. See EU Directive 95/46/EC, Articles 6 & 17.

42. See EU Directive 95/46/EC, Article 25.

45. Communications with in-house counsel are often not protected by the attorney-client privilege, as in-house counsel typically hold dual roles, providing both business and legal advice. See Rossi v. Blue Cross & Blue Shield of Greater New York, 73 N.Y.2d 588, 592-93 (1989) (explaining privilege must be applied with particular caution to in-house counsel, given blurred roles); see also TVT Records v. Island Def Jam Music Group, 214 F.R.D. 143, 144 (S.D.N.Y. 2003) (explaining privilege issues complicated by fact that "in-house attorneys are more likely to mix legal and business functions"); In re Seroquel Products Liab. Litig., No. 606MD1769-ORL-22DAB, 2008 WL 1995058, at *8 (M.D. Fla. May 7, 2008) (holding "primary purpose" of communication must be to provide legal, rather than business, advice for privilege to apply).

46. See Fed. R. Civ. P. 26(b)(3)(A) (providing documents prepared "in anticipation of litigation" ordinarily not discoverable).  

47. See Clark v. Pennsylvania Power & Light Co., Inc., No. 98-3017, 1999 WL 225888, at *2 (E.D. Pa. Apr. 14, 1999) (applying "critical self-analysis privilege" in employment discrimination case); In re Crazy Eddie Securities Litigation, 792 F. Supp. 197, 205 (E.D.N.Y. 1992) (applying privilege to audit and peer review reports in securities law case); Hickman v. Whirlpool Corp., 186 F.R.D. 362, 364 (N.D. Ohio 1999) (holding company's minutes from safety meetings privileged in personal injury action). The self-critical analysis privilege has been defined as "a qualified privilege that protects from disclosure documents reflecting a party's own forthright evaluation of its compliance with regulatory, legal or professional standards." Robinson v. Troyan, No. CV 07-4846 ETB, 2011 WL 5416324, at *4 (E.D.N.Y. Nov. 8, 2011). Several states have enacted statutes codifying the privilege as applicable to insurance companies. See N.J. Stat. Ann. § 17:23C-1 et seq.; D.C. Code Ann. § 31-853; 215 Ill. Comp. Stat. 5/155.35; Kan. Stat. Ann. § 60-3351; Or. Rev. Stat. § 731.761; N.D. Cent. Code § 26.1-51-02.

48. See Barack Obama, Taking the Cyberattack Threat Seriously, The Wall Street Journal (July 19, 2012).

18 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/17/staying-compliant-amid-escalating-cyber-threats?ref=rss

Mercury and L.A. Dodgers Right Fielder Team Up To Help Homeless

Prior to the Cardinals-Dodgers game on Friday, Sept. 14, Dodgers right fielder Andre Ethier, on behalf of Mercury Insurance, presented a $5,000 check to the Union Rescue Mission (URM).

Mercury, celebrating its 50th anniversary this year, began its relationship with Ethier in July when partnering to produce a "Don't Text and Don't Drive" PSA.

Ethier presented the check alongside Erik Thompson, advertising and communications director for Mercury, to five representatives from the Mission, which is a 501(c)(3) nonprofit serving homeless men, women and children. Established in 1891, URM is one of the largest rescue missions in the United States and the oldest in Los Angeles.

"I would like to thank Mercury Insurance for their donation to the Union Rescue Mission," said Ethier. "I have been involved with the Mission for many years and I know this donation will provide much needed help for those in need."

Ethier drives through the downtown area on his way to and from Dodger Stadium and he has witnessed firsthand those who are down on their luck, which is why he has supported the Union Rescue Mission since he came to the Dodgers.

"Mercury's thousands of employees and agents have been active members in their Southern California communities for more than 50 years," Thompson says. "Just like Andre, they take pride in working with local organizations to give back to the communities in which they live, work and play."    

19 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/18/mercury-and-la-dodgers-right-fielder-team-up-to-he?ref=rss

Fighting Fraud: The New Cost of Doing Business

Written By Unknown on Tuesday, 18 September 2012 | 21.31

I once asked a colleague who had worked for multiple insurers why some carriers worked hard on fighting fraud through investments in technology and Special Investigative Units, while other insurers chose to do little if anything to combat fraud.

Those that chose not to fight fraud looked at this strategy as "the cost of doing business," he said.

That conversation occurred a little over a decade ago, so many of the technology tools that are used today weren't even available to most insurers at that time, but the idea of doing nothing still struck me as crazy.

Today, we know that investing in technology to fight fraud and the employment of SIUs is the cost of doing business. Insurers no longer concede the battle to the liars and cheaters of the world, which policyholders should appreciate. Insurance premiums are high enough without honest people having to cover a carrier's losses from fraud with higher premiums.

In a survey conducted by the Coalition Against Insurance Fraud (CAIF) and the technology company SAS, the results showed a significant increase in the number of insurers doing at least minimal work to fight fraud with technology.

In an article written by Claims magazine editor Christina Bramlet for our website, CAIF executive director Dennis Jay reports on the encouraging results of the study, including the fact that close to 90 percent of the insurers surveyed are at least using basic analytic tools such as automated red flags, claims scoring, and link analysis.

This begs the question, though: What are the other 10 percent from this survey thinking?  I'm sure there are small, mutual insurers that don't see fraud as a problem worthy of investment, but that's a dangerous way to proceed since not all their claimants are members of the mutual organization.

The good news for insurers is the technology carriers are employing continues to mature, although not everyone is taking full advantage of what is available.

"Although the study suggests that less than half of the insurers surveyed are employing predictive modeling, text mining, geographic data mapping and other advanced analytics, we must keep in mind that we are in an era of tremendous pressure on funding," says Jay. "The fact that the majority of survey participants say they plan to either increase investment in these technologies in 2013 or at least maintain current levels of spending is positive news."

The battle against fraud is not over by a long shot, but at least today's insurance carriers are more vigilant than their predecessors of less than a generation ago. Many carriers were led kicking and screaming into the battle thanks to government regulations, but no matter how they got there let's keep reminding them that honest policyholders appreciate the effort.

18 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/18/fighting-fraud-the-new-cost-of-doing-business?ref=rss

Bed & Breakfast Market Warms Up With New Coverage Opportunities

Written By Unknown on Monday, 17 September 2012 | 11.17

Competition among bed & breakfasts, a thriving sector in the hospitality industry, has led many B&Bs to expand their offerings to include activities that promise a more adventure-based stay—creating exposures that provide agents and brokers inroads to new or expanded business.

According to the Professional Association of Innkeepers International (PAII), bed & breakfasts are a $3.4 billion industry. There are some 15,000 B&Bs operating in the United States, says PAII President & CEO Jay Karen. And while the number of locations has dropped from 17,000 in 2009, the industry remains healthy because the performance of the existing inns has been solid.

"Supply is down, but [business] is certainly up for B&Bs," says Karen. The recession, he explains, is causing many travelers to rethink big hotel chains and expensive flights, opting instead for closer-to-home, travel-by-car trips, wrapped around local activities.

Many inns are targeting this "staycation" crowd with packages that include outdoorsy adventures like ATV trails, hiking, hot-air ballooning or even zip-lining. Others are offering home comforts like organic meals served from local farms, hot tubs with views of nature or local winery tours.

The clientele interested in such adventures are mainly Baby Boomers—older couples with empty nests, looking for comfort and adventure close to home, says Brent Skiles, assistant vice president of underwriting for Philadelphia Insurance Cos. in Bala Cynwyd, Pa. And so far, he adds, these expanded offerings have been good news for the B&B insurance market.

"From horseback riding to mountain biking, [B&Bs are seeing] increased exposures," says Skiles. What's more, B&Bs that are building new facilities—like henhouses, spas and stables—to accommodate new attractions are also increasing their property exposures, creating further selling opportunities for agents.

"I know one couple at a B&B where they've added a treehouse and yurts (tent-like portable housing) where you can stay, and added this exposure," he says. "They're catering toward a [more active] type of clientele from a liability standpoint. Their insurance agent needs to make sure [the insured is] covered."

But not all insurers want to take on exposures like zip-lining or mountain biking. Some insurance companies will package a B&B's coverages together, including those for the new offerings. In other cases, producers will need to turn to carriers that specialize in policies for activities like ATV riding or kayaking.

When it comes to some of the new exposures, Philadelphia Insurance Cos. has a Guides and Outfitters program through its Gillingham & Associates insurance arm to cover activities like hunting, boating, fishing, hiking, biking, photography tours and horseback riding. Outdoor Insurance Group of Louisville, Colo. offers stable and trail-ride insurance, coverage for ATV and snowmobile tours, and a B&B package that includes Equine Liability.

Veracity Insurance Solutions of Pleasant Grove, Utah, offers an Outdoor Recreation Insurance Program that includes several classes of adventure-like activities: trail rides, trap-shooting ranges, bicycle tours, canoes & kayaks, guided snowmobile tours and zip-line & canopy tours. 

HOW AGENTS CAN COZY UP TO B&B BUSINESS

Bill Montgomery, owner of Insurance Works for You, a full-service independent agency in Dayton, Ohio, says the B&B industry is good business for an independent or brokerage, but it's a specialized area that requires education and attention.

"You have to have a certain desire to want to do it," he says. "It's not quick; you have to be willing to invest a certain amount of time" in learning how carriers determine rates for B&Bs. For one thing, he says, most insurers very much prefer that the owner or a manager live on the premises.

The insurance carriers he works with—among them Erie Insurance, a multiline insurer based in Erie, Pa.; Auto-Owners Insurance Co. in Lansing, Mich.; Western Reserve Mutual Casualty Co., Wooster, Ohio; and German Mutual Insurance in Napoleon, Ohio—are more open to quoting B&Bs from the straight bedroom-and-breakfast route, rather than those boasting newer amenities like massages, spas, horseback riding, canoeing or ATV trails, he says.

All B&Bs have to have General Liability and Property insurance, and if they have a liquor license, a Liquor Liability policy is also required, Montgomery says. 

A typical commercial B&B coverage program such as the one offered by Montgomery's agency features replacement costs for building and contents; loss of business income up to 12 months; and liability that includes bodily injury, property damage, the host's liquor liability and personal property.

Insuring the B&B market is not a cookie-cutter operation, Montgomery adds: "Our job is to tell them their liability limits, not price. Every B&B is a different operation, and they need appropriate liability cover."

GROWING CYBER EXPOSURES

Skiles says more innkeepers are starting to look at Cyber insurance after hearing of other B&Bs experiencing exposures in this area. In one such case, an employee at one well-known bed & breakfast posted personal information about a celebrity guest's stay on the business' Facebook page, much to that guest's dismay.

Such a slip of the fingers is not covered under General Liability, he notes, should the celebrity or any B&B guest wish to sue for invasion of privacy.

And while large data breaches are not that common in the B&B industry, insurance agents would still do well to encourage B&B owners to look into a Cyber policy, says Skiles.

Even a small breach, he points out, could be costly if the inn has to hire a third party to inform everyone on its mailing list that its customer database has been compromised. The B&B could have to pay up to $200 per identity stored in its data files, to clean up the mess.

Indeed, opportunity exists for agents to open a conversation about Cyber coverage, especially with the most Internet-active B&B clients—many of whom don't realize they need coverage.

"It's a piece of the insurance conversation that probably nobody else has had with the insured," adds Skiles—and an opportunity for selling.

Dave and Heidi Lanford, for example, who run the Iris Inn in Waynesboro, Va., do not have Cyber Liability as part of their commercial-insurance package, although they maintain a Facebook presence, a Twitter page and a blog on their company website. Before speaking with NU, they had never heard of this coverage line—even though Heidi Lanford serves as vice president of the Bed & Breakfast Association of Virginia.

17 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/17/bed-breakfast-market-warms-up-with-new-coverage-o?ref=rss

Property Technical Certification II Available for Claims Adjusters

Written By Unknown on Sunday, 16 September 2012 | 13.20

KMC On Demand(SM) and a key insurance industry advisory committee have released the second Property Technical Certification (PTC) program, which focuses on exterior loss adjusting.

PTC is designed to fill a gap in validation of expertise among property claims adjusters. "As experienced adjusters move toward retirement, we are seeing a growing need for claims processing skills and technical know-how," says Douglas F. Dell, senior vice president of eLearning for Crawford Educational Services, which includes KMC On Demand. "PTC can help organizations handle the professional development and succession planning challenges they are facing in today's market."

PTC II reviews key elements of residential and commercial exterior loss adjusting, including framing, roofing, siding, fencing, drains and claims handling. The program is available via KMC On Demand and also AdjusterPro, which offers educational and career resources for adjusters, and the National Association of Catastrophe Adjusters.

PTC I, which was launched in early 2011, focuses on core property adjusting skills. As the module enters its second year of deployment, test results indicate enhanced skills and early signs of improved claims administration among those who have taken the program, according to Dell.

"If you compare pre- and post-mastery test questions answered by certificate holders, the average improvement is significant," Dell said. "This shows that the program helps adjusters absorb and retain what they have learned. Our initial results also show improvement in the speed of claim handling and a reduction in the days that claims remain open, a validation that adjusters can apply the knowledge once they are back in the field."

Comprising the Property Advisory Committee (PAC) are high-level professionals from insurance companies, independent adjusting companies, and contractor networks. PAC committee members worked together for more than two years to establish the PTC, including collaboration on technical content. The program provides:

  • Online instruction and training in specific property technical knowledge, skills, and competencies.
  • Evaluation of achievements that demonstrate knowledge.
  • Certificate and CE credits awarded to participants who meet performance and proficiency goals.

PTC III, which deals with interior property construction and claims handling, is in development.

14 Sep, 2012

Source: http://www.propertycasualty360.com/2012/09/14/property-technical-certification-ii-available-for?ref=rss