Tag Archives: insurance

Don’t Make Your Cyber Insurance Coverage Illusory – Address Cyber Security Practices Before Purchasing Coverage

The risks of purchasing cyber insurance coverage before a business addresses its existing cyber security practices have just been made painfully clear by a recent case filed by an insurer in California.  Columbia Casualty, a unit of Chicago-based CNA, is seeking a judicial ruling that it is not obligated to pay a $4.125 million class action settlement paid by California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, arising out of a data breach at the hospital.

According to the complaint: (1) the insurer issued a claims-made cyber insurance policy to the hospital effective from October 1, 2013, to October 1, 2014; (2) the hospital subsequently suffered a data breach involving over 32,500 confidential medical records between October 8, 2013, and December 2, 2013; (3) a class action lawsuit was filed against the hospital on or about January 27, 2014, with a $4.125 million settlement receiving preliminary court approval on or about December 24, 2014; and (4) the insurer agreed to fund the settlement, subject to a complete reservation of rights.

In its complaint, the insurer has asserted that a “failure to follow minimum required practices” exclusion precluded coverage on the alleged ground that the hospital did not follow its own description of its data security system in the insurance application. In the complaint, the insurer also asserted that the hospital’s failure to follow the data security protocols detailed in its application constituted a misrepresentation, and that all coverage was forfeited as a result of the alleged misrepresentation. As a result, the insurer has requested reimbursement of defense and settlement payments.

This case highlights the need for a policyholder to be diligent from the first day it reviews and completes an application for cyber insurance to make sure it understands the requirements for coverage. Stakeholders in information technology, treasury, finance, legal and risk management should all be involved in any review of a cyber insurance application to ensure that appropriate coverage language is in place.  In addition, after cyber coverage is purchased, a policyholder must be vigilant in implementing its cyber security practices, and create a record sufficient to prove that it has complied with policy requirements.  At the end of the day, money spent on cyber insurance coverage is well spent only if covered losses are ultimately paid by the insurer.

If you have questions or would like to discuss cyber insurance coverage for your business, please contact a member of the McGrath North Privacy and Data Security team.


Cyber Insurance: A Valuable Tool In The Cyber Security Readiness Toolbox

Cyber security breaches impose significant costs on affected businesses that can materially affect their finances and reputation. Such costs include expenses related to various federal and state law breach notification requirements, as well as significant civil liability and regulatory fines. Now more than ever, stakeholders in businesses that handle a significant amount of personal identifying information, or hold key trade secrets, must educate themselves about the threat of a potential cyber security breach, as well as the tools available to help mitigate that threat.

Any response to this potential threat should include a review of the degree to which the risks of a cyber security breach are covered by the various insurance policies held in a business’s insurance portfolio. Such a review should address whether all operational, legal and regulatory risks have been identified; whether everyone who needs to be, whether inside or outside the business, is covered (for example, cloud providers and various other vendors and third-party service providers); whether policy language creates unintended exclusions or gaps in coverage; and whether all first-party and third-party costs associated with such a breach are addressed. First-party coverage addresses theft and fraud, forensic investigation costs, business interruption, extortion and computer data loss and restoration, while third-party coverage addresses litigation and regulatory expenses, notification costs, crisis management and public relations costs, credit monitoring, privacy liability and media liability.

We encourage businesses to carefully review with their respective insurance and legal advisors the terms of their existing insurance coverage to help gauge their readiness to respond to a cyber security breach. If you have questions about your organization’s cyber security insurance coverage, or that of your vendors and third-party service providers, contact a member of the McGrath North Privacy and Data Security Group.


Health Care Reform: New Employer Reporting Rules Issued

Many employers offering health insurance coverage to their employees have been anticipating the final regulations setting forth the new employer reporting requirements under health care reform. These final regulations were issued last month.

Beginning in 2016, insurers and employers offering self-funded group health plans will be required to report certain information relating to coverage offered in 2015. This information must be reported to both the IRS and the covered individual. Additionally, large employers with 50 or more full-time equivalent employees will be required to report information about health coverage offered during the prior year to full-time employees. The regulations specify that the information will be reported on new IRS Forms 1094 and 1095, which have not yet been released, and not on Form W-2, as many had hoped.

As a preliminary matter, there are really two separate reporting requirements at play. One is required by Code Section 6055, “Provider Reporting” and another is required by Code Section 6056, “Employer Reporting.” The following is a summary of each of the reporting requirements pursuant to the final regulations:

Provider Reporting.  Section 6055 requires most entities that provide minimum essential coverage to report annually to the IRS and to covered individuals certain information regarding that coverage. This requirement applies to insurers and employers sponsoring self-insured group health plans. The report must include the following information:

  • the name of each covered person;
  • the name and address of the responsible person (for example, an employee spouse or parent) who submitted the application for coverage;
  • the taxpayer identification number (TIN) for each covered individual (a date of birth may be used instead but only in limited circumstances);
  • the months for which each individual was covered (for this purpose, coverage during a month means a month during which, for at least one day, the individual was enrolled in coverage and entitled to benefits); and
  • the name, address, and employer identification number (EIN) of the employer/insurer maintaining the plan.

The final rule does not require reporting of the specific dates of coverage (only months of coverage are relevant) and did away with the requirement that employers report their share of the premium. The report must go to the IRS and to each covered person.

The return under Section 6055 must be filed by February 28 of the year following the calendar year in which the minimum essential coverage was provided. Any reporting entity may file electronically, and must do so by March 31. Statements must be provided to covered persons by January 31 (similar to W-2s).

Employer Reporting.  Section 6056 requires large employers (i.e., those with 50+ full-time employees or employee equivalents) to file a return with the IRS and to send a statement to each full-time employee containing certain information. Similar to Forms W-2, the regulations require a separate return for each employee, which would be filed with the IRS accompanied by a single transmittal form.

The employer must report the following information:

  • the name, address, and employer identification number of the plan sponsor;
  • the name and telephone number of a contact person for the employer;
  • the calendar reporting year;
  • a certification as to whether the employer offered its full-time employees and their dependents the opportunity to enroll in minimum essential coverage and the months for which this coverage was offered;
  • the number of full-time employees for each month in the calendar year;
  • for each full-time employee, the months for which coverage was made available;
  • for each full-time employee, the employee’s share of the lowest-cost monthly premium for self-only coverage providing minimum value, by calendar month; and
  • the name, address, and TIN for each full-time employee and the months, if any, for which the employee was covered under the employer’s plan.

A copy of this report must also be provided to each full-time employee. Employee statements must be provided by January 31. Section 6056 returns must be filed with the IRS by February 28 or by March 31 if filed electronically. Employers filing 250 or more returns must file electronically.

Effective Date. Reporting entities will not be subject to penalties for failure to comply with the Section 6055 and 6056 reporting requirements for coverage in 2014, which would have resulted in reporting in 2015 and furnishing statements to covered individuals in 2015. Accordingly, a reporting entity will not be subject to penalties if it first reports beginning in 2016 for 2015 coverage, including the furnishing of statements to covered individuals in 2016 with respect to 2015 coverage.

The reporting requirements are complex; however, employers have some time to get ready. Employers should use 2014 to evaluate their information systems and ensure they have access to the information needed to complete the reports in 2016. This may require upgrades to information systems and/or requesting additional information from participants (e.g., information regarding dependents’ TINs).


Premium Increases Expected for 11 Million Americans

The Affordable Care Act requires adjusted community rating for plan years beginning on or after January 1, 2014.  Specifically, premium rates in the individual and small group market for fully-insured, non-grandfathered health plans may vary based only upon the following characteristics:

  • Individual or family enrollment.
  • Geographic area – premium rates can vary by the area of the country.
  • Age – premium rates can be higher for older individuals than for younger individuals, but the premiums for these populations cannot exceed a 3:1 ratio for adults.
  • Tobacco use – premium rates can be higher for smokers, but the ratio cannot exceed 1.5:1.

Additionally, the Affordable Care Act requires the guaranteed issuance of health insurance coverage (subject to certain exceptions). This means that insurers generally must accept all individuals applying for coverage in that market and must renew their coverage going forward.  This does not apply to grandfathered health insurance coverage.

The above rating requirements will impact premiums paid by individuals and families working for small employers who offer fully insured group health plans. Specifically, a recent report from the government estimates that the premium rates for roughly 11 million people will increase whereas about 6 million people will benefit from lower premiums. 

For additional information on premium rating and how it may affect your business, contact a member of the McGrath North Employee Benefits practice group.
