Categories
Liabilities Insurance

Lesson in Liability Insurance from Deaths in the Submersible

The Takeaways:

  1. The deaths of five passengers in the tourist submersible searching for the Titanic teach us a lesson about how important it is to have liability insurance. Asking people to sign a liability waiver may or may not absolve OceanGate Expeditions if this is proven to be a wrongful-death case.
  2. The makers of the submersible might also be liable if they caused any malfunction.
  3. Signing a liability waiver is not a silver bullet. Liability waivers must be clearly worded and unambiguous in their intent to relieve any and all legal liability, even liability for negligence, which is unusual and unlikely to be a part of the insurance contract. If the waiver is buried inside other provisions and hard to find, it may not be enforceable. Finally, waivers contrary to public policy are also not enforceable.
  4. We don’t know who OceanGate’s insurer is, but we can assume the company pays a high premium due to the nature of the submersible business.

I don’t know about you, but I can’t stop thinking about the five passengers in the tourist submersible who have been declared dead by the Coast Guard today, as reported by USA Today. I know they did not want to die, as they had made an effort to make regular underwater noises on Tuesday and Wednesday, presumably trying to let the outside world know their dire situation. I can fully imagine how desperate they were in the last minutes of their lives, knowing they could not do anything to save themselves, even with all the financial resources they now left behind on the land.

The story is not over yet, as the vessel would have to be lifted out of the water and by then we will know more about what happened. But what can the insurance business learn from this catastrophic event?

What the AI Engine Has to Say

I put the question to Perplexity.AI (Copilot 5), and here is what the AI engine had to say:

“From an insurance perspective, the missing tourist submarine searching for the Titanic teaches us that being adequately insured is the best way to prepare for unexpected losses. It is important for high-risk businesses to have liability insurance to cover any potential losses or damages. Liability waivers may not always absolve the company in a wrongful-death case, so it is important to have insurance coverage.”

“Most operators buy liability insurance anyway because the waiver forms they ask clients to sign may not ultimately be enforceable. It is important for high-risk businesses to have liability insurance to cover any potential losses or damage.”

“There is also a question of liability that goes back to not just OceanGate but the operator of the parent vessel, Polar Prince, as that vessel is Canadian flagged and based.”

In other words, liability insurance is needed for all three entities involved: the operator OceanGate, the manufacturer of the submersible, and the operator of the parent vessel.

The Insurability of Entities and Individuals

Just because entities need liability insurance does not necessarily mean they can get it. Even if they can find insurers to write policies for them, they (OceanGate and the manufacturer of the submersible) may have paid high premiums because they are in a highly risky business and many insurers may not be willing to cover them.

The same is true for individual passengers on their personal lines of insurance: Many insurers may not be willing to cover them after finding out their plan to travel down to the ocean. This is insurers’ way of selecting good risks and avoiding bad ones. Even if they agree to offer a policy, they may specify riders or endorsements to ask for higher premiums to compensate for the extra risk they must take.  

The Public Cost from the Catastrophe

The cost will be high, and not all costs will be covered by insurers. For one thing, the cost involving the Coast Guard can be millions of dollars, but according to the USA Today report, the Coast Guard won’t charge people for search and rescue, as fear of costs could deter people from seeking lifesaving help. This means taxpayers will have to pick up a part of the bill.

I wonder if the insurers knew this before they issued a policy to OceanGate, although it is highly likely for any insurers who did the due diligence before issuing a policy to know this. It may even be a part of the contract that any rescue effort by the Coast Guard is to be excluded from insurance coverage.

Lawsuits Possible

As with many insurance cases, lawsuits are likely to follow the deaths once more is learned about what exactly happened under the water. It doesn’t help that the submersible had previous battery problems. People may argue that the company was negligent, which may be enough to weaken the power of any liability waivers the firm asked passengers to sign. Nonetheless, the AI is right that the importance of liability insurance can’t be denied, even for some of the richest people in the world.


Am I Covered for Covid-19 Under Workers’ Compensation Insurance?

The Takeaways:

  1. There is no universal answer to the title question; coverage depends on where you live and your particular conditions.
  2. If you are a federal employee, you are mostly in luck, as the American Rescue Plan Act of 2021 (ARPA) makes it much easier for federal workers diagnosed with COVID-19 to establish coverage under the Federal Employees’ Compensation Act (FECA).
  3. In California, workers’ compensation coverage of COVID-19 as a work-related illness extends to all workers, not just essential workers.
  4. Some employers are required by law to provide paid sick leave or other benefits for COVID-19-related absences, regardless of whether the infection is deemed work-related or not.

What Does It Mean I’m Covered for Covid-19?

If COVID-19 becomes coverable in Workers Compensation insurance, it means that workers who contract the virus in the course of their employment may be eligible for compensation benefits.

According to the National Conference of State Legislatures (NCSL) on January 24, 2022:

“Beyond providing medical treatment at no cost to the employee, workers’ compensation also provides wage replacement benefits for lost wages resulting from time away from work. If a worker dies due to a qualifying condition, the worker’s family could be eligible for financial death benefits.”

In addition, “Most states have a dedicated workers’ compensation court system where judges make the final decision on claims and benefits awarded.”

Am I Qualified for Covid-19 Coverage?

The criterion for eligibility varies depending on the state and the specific insurance policy. In some states, such as Washington, COVID-19 claims are generally denied unless the worker can demonstrate that their contraction of the disease was not incidental to the workplace or common to all employment.

In other cases, such as under the Federal Employees’ Compensation Act (FECA), compensation is payable if the worker can demonstrate they have COVID-19 via a positive test result or a medical professional’s diagnosis, excluding home tests and exposure without a COVID-19 diagnosis.

A common approach, which some states have taken, is to amend state policy so that COVID-19 infections in certain workers are presumed to be work-related and therefore covered under workers’ compensation. This presumption places the burden on the employer and insurer to prove that the infection was not work-related, making it easier for those workers to file successful claims.

Some employers and insurers have raised concerns that these presumption policies will increase insurance costs for employers at a time when businesses are already facing significant financial challenges.

The NCSL summarized on January 24, 2022:

“Every state has its own unique workers’ compensation policy landscape. States apply varying coverage requirements and standards based on industry, occupation, and the size and structure of a business.”

Generally, workers’ compensation does not cover routine community-spread illnesses like a cold or the flu because they usually cannot be directly tied to the workplace. Some states have made exceptions for certain workers who develop chronic illnesses, like cancer, resulting from repeated exposure to harmful materials and environments.

According to the National Council on Compensation Insurance, prior to COVID-19, at least 19 states had policies stating that when firefighters and other first responders develop lung and respiratory illnesses, those conditions are presumed to be work-related and covered under workers’ compensation. It is unclear if those existing policies would include COVID-19 illnesses.

The Unique Challenge of Covid-19

The COVID-19 pandemic presents a unique circumstance where many jobs that are not typically considered hazardous have suddenly become very dangerous for the workers. Workers deemed essential, including health care workers, mass transit operators and grocery store workers, are at a high risk of exposure to the virus while at work.

States are taking action to extend workers’ compensation coverage to include first responders and health care workers impacted by COVID-19.

In total, 28 states and Puerto Rico have taken action to extend workers compensation coverage to include COVID-19 as a work-related illness. 11 states have enacted legislation creating a presumption of coverage for various types of workers. Utah and Wisconsin limit the coverage to first responders and health care workers.

Illinois, New Jersey and Vermont cover all essential workers while California and Wyoming cover all workers, which is unsurprisingly more generous than other states. States have also used executive branch authority to implement presumption policies for first responders and health care workers as a part of their COVID-19 emergency responses. However, many of those executive orders have expired following the end of the state of emergency in certain states. 


Do You Know What Is “Silent Cyber?”

The Takeaways:

  1. The Colonial Pipeline ransomware attack was one of the best-known cybersecurity incidents in the US. It potentially cost the firm multiple millions in ransom and disrupted operation of the largest fuel pipeline system for days.
  2. Cybersecurity threats include phishing, ransomware, malware, Distributed Denial of Service (DDoS), Advanced Persistent Threats, zero-day exploits, social engineering, insider threats and Internet of Things (IoT) threats.
  3. The best approach to dealing with cyber security is to do both risk management and risk transfer.
  4. Risk management covers identifying vulnerabilities (knowing where weaknesses are), prioritizing risks (knowing which risk brings bigger loss), developing risk mitigation strategies (firewalls, access control, incident response plans and regular testing), monitoring for threats (staying up to date with the latest threats) and continual improvement (regular review, investing in new technologies).
  5. Risk transfer means purchasing cyber insurance, which helps companies hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data. It covers the costs associated with a cyberattack, including loss of business income due to the attack and additional direct costs such as forensic expenses. In some cases, policies can even cover losses from an attack on a third party such as a vendor or partner. It can also incentivize companies to implement stronger cybersecurity measures, as many insurance policies require businesses to meet certain security standards in order to be eligible for coverage.
  6. It’s worth noting that traditional insurance policies like property liability, general liability, or directors and officers insurance, may not cover some of the consequences of a cyber-attack. This concept is known as “Silent Cyber,” where traditional insurance policies are silent on whether they will cover cyber-related losses.
  7. Cyber insurance is designed to protect companies from these primary risks through four distinct insuring agreements: first-party coverage, third-party coverage, crime coverage, and cyber terrorism coverage.

The Cyber Insecurity Story

On May 13, 2021, Colonial Pipeline, the largest fuel pipeline system in the United States, allegedly paid an unknown amount to a ransomware group named DarkSide, despite the FBI’s advice not to pay.

For those not familiar with ransomware, it is an attack in which criminal groups hold data hostage until the victim pays the amount of money they demand. In this case, the demanded sum was nearly $5 million, and the CEO of Colonial Pipeline said he authorized a ransom payment of $4.4 million.

The attack resulted in the company shutting down its 5,500 miles of pipeline, which carries 45 percent of the East Coast’s fuel supplies, for several days. The shutdown caused fuel shortages and price increases in many parts of the country and led to panic buying and massive lines at gas pumps.

As The New York Times pointed out, “In recent months, officials note, the frequency and sophistication of ransomware attacks have soared, crippling victims as varied as the District of Columbia police department, hospitals treating coronavirus patients and manufacturers, which frequently try to hide the attacks out of embarrassment that their systems were pierced.”

It turns out that paying ransom in cryptocurrencies is a bad idea, as it makes perpetrators harder to trace and has exacerbated attacks “‘hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay,’ said Ulf Lindqvist, a director at SRI International who specializes in threats to industrial systems. ‘We are talking about the risk of injury or death, not just losing your email.’”

Cybersecurity Top Threats

A CNN report tells us that “CISA and the FBI confirmed that DarkSide was used as a ‘ransomware-as-a-service,’ in which developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as ‘affiliates.’” In other words, people are now calling themselves ransomware professionals, offering specialized “services” to any clients with such a need.

Now is a good time to look at the top cybersecurity threats. ChatGPT lists the major types, and I did additional searching to add more details to each:

Phishing: This is a type of cyber-attack that can target both individuals and businesses. Phishing starts with an attacker sending fraudulent emails, text messages, or other electronic communications that appear to be from a legitimate source in order to trick the recipient into providing sensitive information such as login credentials, credit card numbers, or other personal data.

Phishing is also one of the most common cybersecurity threats. According to a report by Verizon, 36% of data breaches involve phishing. It is also relatively easy to execute through email, social media, SMS, or phone calls.

Ransomware (like in the Colonial Pipeline case): This is a type of malware that encrypts a victim’s files and demands a ransom payment in exchange for the decryption key.

Ransomware is a type of malware that has become increasingly common in recent years. According to a report by Cybersecurity Ventures, ransomware damages will cost the world $20 billion in 2021, up from $11.5 billion in 2019. The report also estimates that a business will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019.

In addition, ransomware attacks have become more sophisticated and can now target specific organizations and industries.

It is important for individuals and organizations to take steps to protect themselves against ransomware, including regularly backing up important data, using strong passwords, and implementing security software and practices that can help prevent and detect attacks.

Malware, of which ransomware is one type, is any software that is designed to harm, disrupt, or gain unauthorized access to a computer system. It can include viruses, worms, Trojans, spyware, and adware.

Malware is a significant threat to individuals, businesses, and governments and can cause a wide range of problems, including theft of sensitive data, disruption of critical systems, financial losses, and damage to an organization’s reputation.

I should know because I have been hit by malware myself. It’s not a big deal, but it switched my search engine from Google Chrome to Yahoo — without my knowledge. I finally called Microsoft support, and they had to use a tool to access my computer screen, and after 2 hours they still could not change the machine back to Chrome. In the end, I had to set up another new login account to move everything over in order to be able to use Chrome again.

Malware can lead to legal liabilities and compliance violations, as well as loss of customer trust. According to a report by AV-TEST, there were over 700 million malware instances in 2020, a significant increase from previous years that highlights the growing threat of malware.

In addition, the report notes that the majority of malware is designed to steal data or gain unauthorized access to systems, making it a serious threat to organizations of all sizes.

Distributed Denial of Service (DDoS) attacks are designed to overwhelm a target system with traffic, making it unavailable to its intended users. An attacker floods a website, server, or network with a large amount of traffic, overwhelming its ability to respond to legitimate requests.

Imagine you are a Prime member of Amazon and one day you want to log onto your account to order something there. A DDoS attack, however, could make the website appear too busy to let you access your account.

A DDoS attack is typically carried out by a network of compromised devices, known as a botnet, that are controlled by the attacker. These devices can include computers, servers, routers, and even IoT devices. The attacker can use various methods to gain control of these devices, such as exploiting vulnerabilities or using social engineering tactics.

Needless to say, DDoS attacks can have serious consequences for businesses and organizations, such as loss of revenue, damage to reputation, and legal liabilities. In addition, DDoS attacks are often used as a distraction or smokescreen for other types of attacks, such as data theft or malware installation.

“Zero-day exploit” is a funny name. These exploits target vulnerabilities in software or hardware that are unknown to the legitimate owners and are exploited by attackers before a patch or update is released. “Zero day” means the threat was discovered before the vendor or programmer was made aware of it.

In recent news, Apple released updates to its operating systems and Safari browser to fix a zero-day vulnerability in its WebKit browser engine that was actively being exploited.

Hackers like zero-day exploits as they can provide a way to gain access to sensitive data, systems, or networks without being detected. Because there is no patch or fix for the vulnerability, organizations may not be aware of the threat until it has already been exploited.

Keep in mind that it is always a race against time to see who moves faster.

Insider threats are threats that come from within an organization, such as employees or contractors who have access to sensitive information and use it for malicious purposes.

Social engineering is a technique used by attackers to manipulate people into revealing sensitive information or performing an action that is against their best interests. This type of attack usually involves psychological manipulation or deception rather than exploiting technical vulnerabilities.

Cloud security threats, such as data breaches, insecure APIs, and unauthorized access, are becoming more complex as the use of cloud services increases.

Internet of Things (IoT) devices are vulnerable to attacks due to their limited security features and the lack of standardization in IoT security protocols.

How Risk Management Helps Reduce Cyber Risk

Risk management is a process that helps entities and individuals identify, assess, and prioritize risks, and then implement strategies to mitigate those risks. Risk management is a key component of an effective cybersecurity strategy and can help reduce cyber risk in several ways:

  • Identifying vulnerabilities: Through risk assessments, entities and individuals can identify potential vulnerabilities in their systems, networks, and processes that could be exploited by cyber-attackers. By knowing these vulnerabilities, they can take steps to address them, such as implementing stronger passwords, regularly updating software, and conducting employee training.
  • Prioritizing risks: Not all risks are created equal, and risk management can help entities and individuals prioritize which risks to address first. This ensures that resources are used most effectively to mitigate the most significant risks.
  • Developing risk mitigation strategies: Once risks have been identified and prioritized, entities and individuals can develop strategies to mitigate those risks. This may include implementing technical controls such as firewalls and intrusion detection systems, implementing policies and procedures such as access controls and incident response plans, and regularly testing and reviewing those controls.
  • Monitoring for threats: Risk management also involves ongoing monitoring for new threats and vulnerabilities. This allows entities and individuals to stay up-to-date with the latest threats and adjust their risk management strategies accordingly.
  • Continual improvement: Risk management is an ongoing process, and it requires continual improvement to stay effective. Entities and individuals should regularly review and update their risk management strategies to ensure they are keeping up with evolving threats and new technologies.

Why Firms and Individuals Need Cybersecurity Insurance

Cybersecurity insurance, also known as cyber insurance or cyber liability insurance, can help entities and individuals in several ways:

  • Financial protection: Cybersecurity insurance can provide financial protection in the event of a cyber-attack. It can cover the costs associated with data breaches, such as legal fees, forensic investigation expenses, and notification costs. It may also cover costs related to business interruption, lost income, and damage to computer systems.
  • Risk management: Cybersecurity insurance can also help entities and individuals manage risk by providing resources and tools to prevent cyber-attacks from occurring in the first place. Many policies offer risk assessments, cybersecurity training, and access to cybersecurity experts to help organizations better understand their risks and mitigate them.
  • Reputation protection: Cybersecurity insurance can help entities and individuals protect their reputation in the event of a cyber-attack. Some policies may cover the costs of public relations and crisis management, helping to minimize the damage to an organization’s reputation.
  • Compliance: Many industries have regulations and compliance requirements around data protection, and cybersecurity insurance can help ensure compliance by covering the costs of regulatory fines and penalties.
  • Peace of mind: Cyber-attacks can be complex and costly, and cybersecurity insurance can provide peace of mind knowing that there is a plan in place to help mitigate the damages should an attack occur. It can also help organizations and individuals feel more confident in their cybersecurity strategies and risk management plans.

What Does Cyber Insurance Cover?

Cyber insurance works similarly to other types of insurance. Entities or individuals purchase a policy from an insurance provider, pay a premium, and in the event of a covered cyber-attack, the insurance company provides financial assistance to help mitigate the damages.

The specific details of cyber insurance policies can vary depending on the insurance provider and the policy purchased, but there are a few key elements that are common to most policies:

  1. Network security and privacy liability – this coverage can include both first-party protection (i.e., for yourself as the policyholder, covering costs related to data breaches such as legal expenses, notification costs, and credit monitoring services) and third-party protection (i.e., for someone else who suffers losses due to damages covered by the policy).
  2. Network business interruption – this coverage can protect a company from lost income due to a cyber-attack that disrupts business operations. This is first-party protection for yourself.
  3. Media liability – this coverage can protect a company from claims of copyright infringement, defamation, or other types of media-related liability arising from the company’s website or social media activities. Again, this is first-party protection.

  4. Errors and omissions – this coverage can protect a company from claims related to errors or omissions in the services or advice provided to customers in the course of doing business.


Boy Scouts of America Was Bankrupted from Sexual Abuse Lawsuits, What You Need to Know about Commercial Liability Insurance?

The Takeaways:

  1. The most fundamental commercial insurance is general liability insurance. No business should be doing any business without commercial liability coverage. In my opinion, commercial liability insurance should become mandatory by law, just like nobody should be allowed to drive without auto liability insurance for personal injuries and property damage.
  2. Insurance coverage needs to meet the specific nature of the business. BSA works exclusively with youth and is therefore exposed to the risk of sexual abuse of minors. It is far better to work on risk management to prevent risks from escalating and to avoid huge insurance payments.
  3. There will be lawyers trying to leverage the existing lawsuits to make money for themselves by filing unfounded claims. There will also be collusion between organizations and claimants to get insurers to pay. Once again, the best preventative step is to avoid lawsuits preemptively through risk management, especially in commercial insurance.
  4. Insurance and lawsuits are closely related. Insurers must pay close attention to legal battles that sometimes can make or break them.

The Stories in 2020 & 2023

This insurance journal article does a good job of offering a brief overview of the history of the Boy Scouts of America (BSA) bankruptcy case and quickly shows where the problem is:

“When it sought bankruptcy protection in February 2020, the BSA had been named in about 275 lawsuits and told insurers it was aware of another 1,400 claims. The huge number of claims filed in the bankruptcy was the result of a nationwide marketing effort by personal injury lawyers working with for-profit claims aggregators to drum up clients, according to plan opponents.”

Guess what the number of claims is today? “More than 80,000 men have filed claims saying they were abused as children by troop leaders around the country… the staggering number of claims, when combined with other factors, suggests that the bankruptcy process was manipulated.”

Even “a plaintiffs’ attorney acknowledged that some 58,000 claims probably could not be pursued in civil lawsuits because of the passage of time.” That is, many or most men in the lawsuits will have little chance of winning any compensation.

Shortly after the bankruptcy in 2020, BSA announced several plans to settle its lawsuits over sexual abuse of minors.

Why Insurers Want to Reverse the BSA Bankruptcy Reorganization Plan

Under the bankruptcy reorganization plan, which in September was approved by U.S. Bankruptcy Judge Laurie Selber Silverstein for $2.46 billion and described by the BSA as a “carefully calibrated compromise,” the BSA itself “would contribute less than 10% of the proposed settlement fund… The bulk of the compensation fund would come from the BSA’s two largest insurers, Century Indemnity and The Hartford, which reached settlements calling for them to contribute $800 million and $787 million, respectively. Other insurers agreed to contribute about $69 million.”

On the other hand, “Insurers opposing the plan argue that the BSA is contractually obligated to assist them in investigating, defending and settling claims, as it did before the bankruptcy. They say that the BSA, desperate to escape bankruptcy, colluded with claimants’ lawyers to inflate both the volume and value of claims in order to pressure insurers for large settlements, then transferred its insurance rights to the settlement trust. The insurers argue that if the BSA transfers its rights under insurance policies to the settlement trustee, it must also transfer its obligations under those policies.”

In other words, the insurance companies are accusing BSA of working under the table with claimants to inflate the value of claims and of shifting the financial responsibility for compensating sexual abuse victims to insurers without working with insurers to verify the claims.

Lessons Learned

The bankruptcy of the Boy Scouts of America (BSA) serves as a case study in the importance of adequate insurance coverage.

Lesson 1: The importance of liability insurance. The organization was facing a large number of lawsuits related to the sexual abuse of minors. In the absence of adequate liability insurance, the BSA would have been forced to pay out millions of dollars in damages, potentially putting the organization’s very existence in jeopardy. However, the BSA had liability insurance in place, which allowed it to weather the legal storm and continue its operations.

Lesson 2: The need for insurance coverage to match the nature of the organization. BSA is a youth organization that works with minors, making it particularly vulnerable to sexual abuse lawsuits. Therefore, it was essential that the organization have liability insurance coverage that was adequate for this type of exposure. Organizations that work with minors should take this lesson to heart and ensure that their insurance coverage is sufficient to protect them in the event of similar lawsuits.

Lesson 3: The need for ongoing review of insurance coverage. BSA should review its insurance coverage on an ongoing basis to ensure that it remains adequate, as the insurance needs of an organization can change over time. For example, had BSA reviewed its insurance coverage in recent years and discovered that it was insufficient, it could have taken steps to increase its coverage and avoid the financial strain of the lawsuits it faced.

Lesson 4: The best strategy for all insurers is to manage risks and reduce them before they turn into large-scale social scandals for policyholders, which will invite opportunists to seek financial gain from “no risk, pure gain” class actions.