“The man who makes no mistakes does not usually make anything.”

Inspiring words from Edward J. Phelps, and certainly in some aspects of life, mistakes need to be made in order to learn and grow. Unfortunately, in the increasingly digitized world in which we live, when people make mistakes online, the things they create are usually very messy and very costly.

Employees play a large role in the state of your organization’s cybersecurity. Here are some tips to help you refine your strategy:

Employee Training

Odds are you have an army of defenses against external threats, such as malware, network attacks, viruses and phishing scams. These walls can be easily scaled if your employees aren’t aligned with your cybersecurity strategies. Did you send a company-wide memo on security? Great. But as we all know, standard policies are often times skimmed through and easy to overlook.

To really capture the attention of your workers and educate them on the nuances of the latest security threats, organizations should be offering frequent and interactive training sessions. According to the Ponemon Institute, employee training is the third-most effective method of decreasing the per capita cost of a breach.

As with shampoo and conditioner, rinse and repeat is the recommended best practice for employee training. A single session is not going to arm your employees with the tools they need to keep up with the constant change in security threats.

Identify and Intervene with High-Risk Users

My mother has a list of passwords for a wide variety of websites she uses taped to her computer monitor because it’s convenient. While risky behavior like that is difficult to detect with analytics software, there are tools available to help organizations identify many common indicators of negligent or malicious activity, including:

• Inappropriately creating, sending or storing sensitive data
• Accessing, deleting or moving a large amount of sensitive content
• Emails and messages that contain extremely negative sentiment against the company

While taking advantage of these types of technologies to close the risk gap against cyber threats, companies need to pay close attention to the issue of privacy, which can create a new set of challenges if not managed correctly.

Every day the media reports on new stories involving children harmed by bullying, in both big and small ways. Any institution that provides programs for children (e.g. schools, day camps, park districts, recreation departments) faces the potential that bullying may occur on its watch and the risk that it may be held responsible for the impact of that behavior, or, at a minimum, be required to defend itself against allegations that it should have done more. If this responsibility is not lived up to it can result in significant attorney’s fees, settlement payments and other expenses as a result of a lawsuit filed by or on behalf of a bullied minor.

Federal anti-discrimination laws impose an obligation on schools to intervene and stop bullying that rises to the level of harassment. This obligation arises whenever harassment as a result of a student’s race, color, national origin, sex or disability deprives that student of the educational benefit of attending school. Typically, an institution will not be liable for an initial act of harassment. However, once it is known that harassment has occurred, the organization must intervene to prevent further harassment.

State laws often impose even greater and more demanding obligations on schools and other organizations that work with minors. All fifty states have enacted anti-bullying legislation. The definition of bullying used in these state laws can be much broader than the harassment addressed by federal law. For example, Illinois prohibits bullying related to a lengthy list of characteristics, such as ancestry, sexual orientation and gender identity or expression (whether these are “actual or perceived characteristics”) and also prohibits bullying based on “any other distinguishing characteristic.” The law also applies to bullying of a person based on their association with a person or group with such characteristics.

Many states impose an affirmative duty on schools to protect their students from bullying. Some require schools to adopt an anti-bullying policy. States may even dictate some of the provisions of a school’s anti-bullying policy. In some states, the strictness of these requirements can be limited by or balanced against tort immunity laws that make it more difficult for a victim of bullying to bring a private lawsuit against an educational institution than against other parties, such as a private citizen or a for-profit corporation. Those limitations, though, may still allow for suits against teachers, principals, administrators and other institutional leaders.

In an effort to satisfy these responsibilities, schools and other organizations can also inadvertently impose even more demanding obligations on themselves if they enact an anti-bullying policy that is too strict and/or too specific. An organization that drafts a policy that is stricter than what is required by law can be held liable for not adhering to the tougher standard they set for themselves. An organization can also be held liable if it drafts a policy that is more specific than necessary when stating the steps that must be taken in response to bullying and fails to adhere to those steps, even if its response was reasonable and responsible.

Moreover, schools and other organizations that work with minors need to be aware that much bullying behavior takes place on social media or through means of electronic communication. Kids who engage in bullying purposefully attempt to hide their actions from authority figures, whether they are acting in-person or by taking their behavior online. Schools and other institutions must be prepared to respond to both traditional bullying and the developing problem of cyber-bullying. They can be obligated to respond to cyber-bullying even if it is committed by a minor using an off-site computer that is not owned or in the possession of the organization.

Adequately preparing to prevent and respond to bullying is a challenging task that is made more complex because of the variation in state laws regarding this issue, but your school or organization must be equipped for the challenge. The well-being of the minors you work with depends on it. So does the well-being of your organization.

Sunshine laws are intended to promote transparency in government by requiring that information about government activities be made available to the public. Public access to this information allows citizens to make informed judgments and identify corruption and waste. Consequently, sunshine laws are critical to maintaining accountability, trust and efficiency in government.

All fifty states, the District of Columbia and the federal government have enacted sunshine laws. While these laws vary by jurisdiction, they can be separated into two general categories: open meetings laws and open records laws.

Open Meetings Laws

Open meetings laws mandate that meetings of certain government agencies be open to the public. These meetings are typically required to be held at times and places that are convenient and accessible. It is also compulsory for notices and agendas to be published in advance of these meetings and that minutes and transcripts are kept.

Generally, open meetings requirements apply only when a quorum is present and public business is discussed. However, these requirements usually do not apply to social and ceremonial gatherings held for purposes unrelated to public business. In recent years, many jurisdictions have added a new wrinkle, clarifying that electronic communications may be subject to open meetings requirements.

Open meetings laws in every jurisdiction provide for exceptions that allow public bodies to hold closed meetings to consider certain subjects. Most, but not all, provide exceptions for personnel matters, collective bargaining, litigation and the acquisition or sale of real property. However, public bodies are generally prohibited from taking action unless in public session.

To ensure compliance with open meetings laws, it is important for agencies to observe advance notice requirements and to post notices at principal offices, on websites and with the news media. Full agenda packets should also be prepared, including items subject to final action. Finally, avoid repeated use of “reply all” when sending e-mails for public business and consider a non-voting member as an intermediary for electronic communications.

Open Records Laws

Open records laws, also known as freedom of information laws, create a presumption that the records of certain governmental bodies are to be open to the public. These laws establish procedures for making requests, time limits for public bodies to respond and fees public bodies may charge for making records available.

Most open records laws broadly define the scope of records which must be made publicly available to include all documentary materials relating to the transaction of public business. However, these laws generally cover only the existing records of a public body. In short, open records laws do not compel public bodies to create or search for information that is not already in their possession or under their control.

Like open meetings laws, open records laws in every jurisdiction provide for exceptions that allow—but do not require—certain records to be withheld. Common examples include records containing confidential, proprietary, or privileged information or where disclosure is prohibited by law. Many jurisdictions also permit denial of requests that are unduly burdensome.

In an effort to abide by open records laws, prepare written policies and forms to manage requests. Be sure to document receipt of those requests and monitor all response deadlines. Also, beware of all prohibitions on disclosure laws in contracts. Make information available on a website where a requestor can be referred and communicate with requestors before denying their request.

.

Whitewater rafting, kayaking and river surfing are quickly becoming some of the most popular adventure sports in America. Given this growing popularity, recreation departments across the country are building whitewater parks as entertainment attractions. Before building a whitewater park in your city, town or county, it is important to understand the hazards that accompany the construction of these parks. This evaluation will require significant skills in risk identification, contractual risk transfer, signage wording, site inspection and working with your legal consultant, etc.

Infrastructure and Hazards

There are a number of approaches in which to construct a whitewater park, all of which utilize unique methods to shape the course of the river. In-channel parks modify the flow of water to create hydrologic features in the river. Out-of-channel whitewater parks divert the flow from another body of water to manipulate the river’s features. After the desired affect is applied to the course, the flow is then redirected back to the original body of water. Recirculating parks use pumps to move water to and through specific areas. Parks may also employ diversions to obstruct or move water off-river, similar to a dam.

All methods of construction require man-made infrastructure to create chutes, waves and pools. The complexity of the infrastructure used also introduces risks. As a result of these additional risks, it is especially important to hire experienced contractors and engineers that specialize in whitewater infrastructure, water sports knowledge and hydraulics.

One type of artificial infrastructure that is commonly used on whitewater courses is a weir. A weir is a short dam built across a river to increase the river’s depth upstream. This causes the water to spill over the top, often creating a current flow on the backside of the structure that can entrap swimmers and watercrafts. Cement blocks are also commonly used in the construction of whitewater parks, which can often be as large as small cars. They are placed strategically throughout the course to create waves or chutes and often use existing rock from the river bed. The rapids that result from these material often lead to increased water movement. Due to seasonal water flow fluctuations, the park may shift from a low hazard level to a moderate hazard level in a matter of seconds.

Inspections and Signage

In addition to routine inspections, consider increasing inspection frequency during times of drought or high rainfall. Hazards posed by low or high water should be included in park signage so that visitors can take appropriate action depending on the seasonal flows observed that day. When considering the severity of the risks involved, whitewater parks should be signed as “use at your own risk” and “unsupervised facility.” The signage should also recommend that a user wear appropriate safety gear, such as a life preserver and helmet.

After identifying the hazards for the type of park you wish to construct, other items to explore include recreational immunity and general liability. Check your state’s statutes regarding these factors, as well as for duty to warn and protection lost if a fee is charged.

Risk Management Plan

While whitewater parks are growing in popularity, the risk management guidance information is limited. One of the best forms of protection against litigation and liability is a strong risk management plan developed in conjunction with your entity’s legal counsel. A risk management plan for a whitewater park should include, but not be limited to, designing the course using whitewater industry consultants/contractors, using signs to warn visitors of the risks at hand, developing a use-at-your-own-risk approach, recommending appropriate life preservers/helmets and routine inspections with documentation.

If your public entity is considering adding a whitewater park, consult with not only your risk management team, but also an engineer specializing in the infrastructure.

Just as fictional TV newsman Ted Baxter on The Mary Tyler Moore Show had humble beginnings (“It all started at a 5,000 watt radio station in Fresno, California”), so did social media. Emerging as bulletin board systems (BBS), progressing to platforms like CompuServe and AOL, then transforming to the now-ubiquitous Facebook, LinkedIn and Twitter, social media has evolved from a unique space for narrowly focused hobbyists to the medium of choice for information sharing.

Most communities use social media

Today, besides people using it to share the latest cute kitten video or network with like-minded professionals, local governments are using social networking platforms to reach out to their citizens.

It is estimated that more than 85 percent of the 75 largest cities in the U.S. utilize social media, according to Rutgers. It has now filtered down to smaller cities and towns, with more than 50 percent in some studies reporting a high level of use of at least two platforms. These towns are engaging the eight out of 10 people using Facebook regularly and the more than 25 percent on other platforms like LinkedIn, Twitter and Pinterest.

The advantages for governments using social media

Local governments using social media to engage with their communities can enjoy many benefits. The platforms can increase citizen participation in local decision-making, enhancing the public perception of the town, its leaders and staff. Local businesses, schools and non-profits gain exposure by informing people about events, activities and fund-raising efforts. Law enforcement gains support for its efforts to report and monitor public safety. Social media has become today’s town square, local newspaper and neighborhood coffee shop rolled into one.

The challenges of social media

Although it has its benefits, don’t forget that all technology creates challenges and responsibilities. Cities should define what objectives they want to achieve with social media and align their presence with those goals. Common-sense policies and procedures should be written and broadly shared within departments. While some larger governments now have employees specifically hired to act as “social media coordinators,” most towns continue to administer their social media presence ad hoc. If you don’t have a staff position dedicated to social media, identify a heavy user who, with some training, is willing to act as your “social media ambassador.”

Craft a sound, legal social media policy

Understanding the legal implications is also crucial. Research your state’s policies for local governments on open meetings, public records and retention. Be aware of First Amendment implications, and remember your archive policies need to match Freedom of Information Act requirements. Your community is not alone on these platforms. Peer governmental entities offer many resources to help you craft an effective social media policy.

Social media can be an effective public safety tool as well

Don’t let the challenges discourage your town from participating in social media. Citizens appreciate the information on severe weather and road closures, town meeting reminders and the general opportunity to talk (yes, even virtually) with town leaders and fellow citizens. Even more importantly, recent events – from multiple catastrophic hurricanes to the California wildfires – have shown how well-thought-out social media communication plans can enhance emergency management and response. Feel free to join the conversation!

It’s request-for-proposal time again for workers’ compensation and property & casualty claims administration. What should you do? Should you regurgitate the past proposal questions? Should you just re-sign with your TPA? It’s time to decide what is best and what may be counterproductive for your RFP development.

COUNTERPRODUCTIVE:

If you write the proposal without determining what has changed in your program over time, it may not be complete and it will not be optimized to make an informative decision. Preparing to write a proposal does not mean writing for only a narrative response or compliance with purchasing’s RFP requirements (timing, contract terms, etc.). It means preparing targeted questions to make sense of what is vital to your claims program. For example, there may be sections of your proposal that are routine, such as required settlement authority, caseloads and reserve practices. There are also sections where you think nothing needs to change, such as enhancements in risk management information systems and imposed pharmacy benefit management regulations. It is important to address everything claims related.

Knowing what you are about to structure in your proposal and discussing it with a TPA may also be helpful. Arranging for time to meet before proposal release, rather than the email question and answer process in the early, time-limited stages after RFP release, can help you organize better. Also, pre-RFP meetings can reduce any errors or misinformation otherwise not caught in the final presentation process, or worse, after contract signing.

Your claims program must not be run as if it were a commodity; people who have a vested interest in your risk management program must execute it. Scoring pricing with an all-is-equal attitude can hurt your outcome. Heavily weighting pricing will make it more likely that the TPA will describe the service either without all of the details or by “throwing the kitchen sink” into their response for you to decipher.

PRODUCTIVE:

Ask the proper questions and ask the most important ones twice. You want to be able to not only write a comprehensive proposal, you also want to reinforce through repetitiveness what sections of the proposal are most important to you. Whatever you believe is essential should be included in a questionnaire, but you may also suggest the TPA discuss these matters in a methodology section or response to a scope of services agreement. Also, allow the TPA to address how they can assist you best. You can do so by enabling them to differentiate themselves and explain what their value proposition may be. The key takeaway is clarity in questioning and instructions to best prepare for the rest of the process. After all, you do not want the wrong finalists at your presentation table.

Before drafting a proposal, it would benefit you to include key reviewers to discuss areas of concern for claims administration. Parties involved in the review process may consist of loss control and safety personnel, or department/division managers or supervisors, each of whom is intimately familiar with lost-time woes and the causes of the injuries or P&C incidents. Key personnel can provide valuable insight. What claims investigation approaches are you going to take? What staff will you offer us? Who pursues subrogation?

In addition to pre-proposal preparation, the final decision will be more effective if key risk management personnel sit on the review panel. You should compare everything against your requirements, such as the TPA’s willingness to comply, price versus value and clarity over the canned response. When you join forces, you are more likely to choose the best presentation finalists and ultimately the best solution for your programs.

Lastly, you should consider your time and the time of your reviewers when drafting a proposal. You may have to review multiple responses at one time and within a particular, time-limited schedule. Hint: if you ask targeted questions and limit the answers to a few sentences, you are likely to receive a clearer response. Additionally, placing a limit on the total number of pages is another consideration to keep the responder focused. Leave the rest for the appendix. The more you can do to limit the proposal response before the RFP is released, the better your chances of being able to verify that your program matches the TPA’s offering before the deadline forces you to choose finalists and plan schedules.

Employees have dramatically changed in comparison to the workforce of 25 years ago. Starting in 2012, 10,000 Americans a day turn 65. Many of these Americans will continue to actively participate in the workforce.

With the changing demographics, further attention is required to ensure our employees remain safe and potential injuries are prevented. Within the next decade, 40 percent of the labor force will be eligible for retirement and as many as 75 percent of older adults expect to work after age 70.

Many older workers defined as 55 or older do not have adequate savings to support full retirement and cannot live at the standard of living for which they have become accustomed; therefore, they must work to support their lifestyle choices. In addition, depending on your date of birth, electing to take Social Security earlier at the age of 62 will create a reduction in benefits from 20 percent to 30 percent. Retirement age will soon reach 70 years old, if you chose to receive the maximum benefit.

Let’s start with understanding the effects of aging. The normal aging process affects every area of the body. Generally, as an individual ages they will experience decreased strength and range of motion, vision and hearing loss, reduced cardiac and lung function and balance changes that can increase the risk of falls. There is also an increased incidence of chronic conditions, which require medication management and side effects that go along with them.

This can impact the top five types of injuries of an aging workforce, which include rotator cuff sprains, lumbar disc disease, knee cartilage injuries, brain injuries (due to high risk of falls/MVA), and nerve compression conditions such as carpal tunnel syndrome. Decreased blood flow from reduced cardiovascular capacity, pre-existing osteoarthritis, and diabetes can impact the healing of these common injuries.

Now that we understand the increased risk, prevention is the key. To prevent the most common injuries for aging, or any, employees we can start with the basics. Any work area should be well lit, clear of clutter, clean, dry and with cushioned walking or standing areas if possible.

The costliest injury of employees age 50 to70 is an injury to the rotator cuff. To protect the shoulder, overhead work needs to be limited, if unable to be eliminated, and closely monitored. Lumbar conditions make up the next highest cost of this demographic. Minimizing heavy lifting, offering proper lifting training and reinforcement, and avoiding static positions including standing, are all valuable to maintaining proper low back protection. Avoiding or minimizing work on ladders will also help protect the third cost driver, the knee. Providing even working surfaces to prevent a slip, trip, or fall is also essential.

It’s important to identify the differences in diagnostic results in a population over the age of 55. By age 67 at least 30 percent of the population will have degenerative rotator cuff tears in both shoulders. These tears are not due to an acute injury and, in general, it is advisable to undergo a surgical repair. For the lumbar spine, degenerative disc disease (DDD) is not actually a disease but rather a normal aging process in the body. People with DDD are asymptomatic in 46 to 93 percent of cases. It is an incidental radiographic finding unrelated to the symptoms. Spinal stenosis is a narrowing of the spinal cord space with possible spinal cord compression. Spinal stenosis is common in people older than 60 and the vast majority of patients have no symptoms.

Osteoarthritis is a normal finding in the knees of aging workers. If an employee is above the recommended BMI this could have an additional impact on the wear and tear of their knees, which contributes to the amount of osteoarthritis and internal derangement found in testing. Overall, an aging worker may take longer to heal.

The process is similar to any claim regardless of the age of the injured employee. During the initial evaluation gather as much medical and supplemental information about the accident or injury as possible. During conversations, introduce and encourage the plan for return to work. Early intervention remains crucial. It always better to anticipate obstacles and prevent them from materializing, rather than trying to chase and manage problems after they have developed. Staying in touch with the injured employee remains imperative. In asking about the individuals general health, a lot of information can be obtained about how they are healing from their injury. Emphasizing the focus of increasing function and managing their symptoms can also be beneficial. Allowing transitional duty to ensure a successful return to the workforce can also be valuable.

The aging workforce is a factor most employers deal with today. Knowing the risks and how to manage them will provide an advantage in handling the complicated claims that can occur.

Any safety professional that has to deal with the seemingly constant exposure to risk from EMS and fire-rescue first responders has no doubt struggled with finding solutions. The Center for Disease Control (CDC) and the National Institute for Occupational Safety and Health (NIOSH) released recommendations detailing the 5 root causes of exposure in the field. These include:

• Body Motion injuries form excessive physical effort, awkward posture & repetitive motion.
• Slips, trips and falls
• Motor vehicle incidents from sudden stops (unrestrained in the ambulance), swerves and crashes.
• Violence & assaults
• Exposure to harmful substances

The CDC/NIOSH goes on to make recommendations for handling these five areas of exposure, in turn addressing the question: How do we truly reduce exposure to these risks in such a dynamic environment?

EMS and fire-rescue have the best patient-handling (lifting, moving, pushing, pulling, carrying, sliding) technology ever. Yet the root cause of many injuries to emergency personnel stem from transporting the patient to and from the engineered solution (e.g. cot or stair chair). First responders must adhere to a methodology that facilitates safer use of the patient-handling tools at their disposal. Resource

The effectiveness of any safe patient-handling methodology is minimized when the first responder has poor biomechanics. Obesity, poor mobility and poor job specific strength are all huge contributing factors to risk exposure. Here is a mantra to take heed to in an effort to promote wellness, especially while on the job: “You have to move well before you can move patients/gear well.”

Many wellness programs fail to meet the needs of shift workers, as they are geared to the 9-5 crowd. Driving errors, medication errors, soft tissue traumas and simple human errors (such as those that result from fatigue) serve as common risks that are rarely addressed. It is vital to teach responders how to make educated decisions regarding food choices in an ever-changing environment, how to employ sleep hygiene strategies and, most importantly, how to manage their health. Shift work and working in high stress environments can prime first responders to commit the aforementioned errors and may also result in PTSD and resiliency issues.

Assaults against EMTs are under-reported yet they are a major cause of exposure, injury and PTSD. There are validated training systems that teach responders how to deescalate, evade and, as a last resort, defend against an attacker. Resource

Ambulances should be fitted with modern restraint systems with forward facing 4-point harnesses that have the ability to keep the EMT seated at all times. Up-to-date ambulance specifications are recommending this standard. In a call back to overall wellness, employees should also be educated on fatigue mitigation and effective sleep practices to reduce exposures related to operating a motor vehicle.

In an effort to address the potential complex nature of any given risk, it is important to work with your safety staff and get in front of the crews. Talk to them, find out their needs and concerns and work as a team to determine the best plan to help these dedicated first responders thrive, survive and ultimately reduce their risk in such a hazardous profession.

According to a recent report by the Bureau of Labor Statistics, roadway incidents accounted for 1264 work-related fatalities in 2015. That is about one out of every four fatal work injuries in the United States, which easily makes it the top cause of work-related fatalities followed by falls (800), contact with objects and equipment (722) and violence and other injuries by persons or animals (703).

Public entities have a unique exposure to fleet-related claims as drivers can range from employees who occasionally run errands to emergency personnel patrolling the streets 24 hours a day, 7 days a week. Many entities (public and private) think of fleet safety as the prevention of physical damage to automobiles. However, fleet-related claims can have a devastating impact on so much more. A lack of fleet safety can also result in property damage, employee and civilian injury/death, public relations nightmares, etc.

Some key elements of an effective fleet program:

Management Buy-In

Management buy-in plays a major role in the success or failure of any program. If employees feel that the safety program is just another “thing”, they will treat it as such. Managers and supervisors must understand the need for good controls, how fleet safety affects their operations and the importance of promoting/enforcing the program.

Strong Hiring Practices

There are many things that can be done to ensure that a qualified individual is hired. Running a pre-hire motor vehicle record (MVR) for all employees operating a company automobile provides a snapshot into their driving record.

Regular Driver Checks

The implementation of the program isn’t finished once the initial check is completed. Things can change over the course of a year. Employees’ motor vehicle records should be checked regularly to confirm they have not incurred additional violations. Significant or repeated infractions may indicate lack of sufficient training and/or a poor attitude toward driving.

Written Criteria for Drivers

It is not enough just to check the MVRs. It is essential to have criteria in place that approves or rejects drivers according to their MVR results. This should be in writing and communicated to the employees. When employees understand they can lose their driving privileges and/or job because of certain driving violations, they will be more apt to drive responsibly during both work and personal time.

Formal Written Programs

If it is not in writing, it does not exist. Employers should make sure there is a formal written program that spells out conditions such as driver selection, responsibilities, policies, procedures and maintenance. This program should be tied into the safety program and communicated to the employees.

Sufficient Training

Driving is similar to other hazards in the workplace (falls, back injuries, lockout/tagout, etc). Entities usually have training procedures established for those issues. Driver safety training should be included as well.

There are plenty of options when it comes to driver safety. Start by assessing your current program and have an idea as to what your ultimate goal will be. Your current insurance carrier can be a great resource to assist you with any of your safety and health efforts.

Two recent cases highlight the importance of understanding the nuances of insurance coverages pertaining to cybercrime and liability.

American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America

The U. S. District Court in Ann Arbor, MI ruled that a 2015 incident involving spoofed emails was not covered by American Tooling Center, Inc.’s (ATC) insurance policy with Travelers, which provided coverage for computer fraud. The incident involved an outside party forging an email which appeared to come from a vendor of ATC. The emails instructed ATC to direct payments for outstanding invoices to a new bank account. ATC did not verify the new account information and subsequently transferred approximately $800,000 to a fraudulent account.

ATC filed a claim for the loss with Travelers but was denied. On August 1st, 2017, Judge John Corbett O’Meara found that ATC’s policy with Travelers required a “direct loss…directly caused by the use of any computer.” Judge O’Meara found that ATC’s loss wasn’t directly caused by the use of a computer due to ATC’s failure to verify the authenticity of the new bank account information provided in the spoofed email.

Medidata Solutions, Inc. v. Federal Insurance Co.

In a somewhat similar case, albeit with a different outcome, a U.S. District Court in New York ruled that Medidata’s claim, also involving email spoofing, was covered under an insurance policy that had been acquired through Chubb Ltd. A forged email, which appeared to be from the president of Medidata, was sent to an employee of the company, directing said employee to wire money to a fraudulent account. The employee wired approximately $4.8 million to the account.

Chubb Ltd. initially denied Medidata’s claim, stating that the emails did not involve a manipulation of Medidata’s computers and were instead due to the manipulations of the individual employees involved. However, the U. S. District Court in New York later ruled that the circumstances of the claim fell under the computer fraud language of Medidata’s policy.

These two cases exhibit the importance of fully understanding the specific policy language of your coverages related to cybercrime and liability, as well as the need for sophisticated internal controls governing wire transfers. The fact that an outside entity may use a computer to facilitate a fraud through social engineering techniques, such as email spoofing and phishing, does not guarantee that you will be covered under a computer crime or cyber liability policy. Regardless of your cyber hygiene protocols and barriers against network penetration, your greatest weakness as it pertains to cyber liability will always be the fallibility of your employees, and it is paramount to understand whether that risk is being adequately managed to avoid unplanned retention.