Cyber Security Insurance – Traps for the Unwary

It has been awhile since I last posted anything about cyber security, but it continues to be a very hot topic in the various insurance related newsletters that I receive.  As I noted in my first two posts of this year, cyber security is a two-edged sword for insurance agencies.  While they need to protect themselves from data breaches and their consequences, that same need of other businesses presents a selling opportunity for agencies.  With that selling opportunity come risks that are not present in more established lines of business due to the lack of standardized language for cyber security insurance policies.

A recent federal court case in Arizona involving the restaurant chain P.F. Chang is a good example of those risks.  P.F. Chang suffered a data breach involving its customers’ credit card information.  Like most businesses, P.F. Chang used a third-party payment service to process its credit card transactions.  Its agreement with that service required it to indemnify the service for any claims that may be made against it by the issuers of the credit cards for which payment services were provided.  Those issuers did make claims against the payment service as a result of P.F. Chang’s data breach in the amount of $1.9 million and when the payment service looked to P.F. Chang to pay those claims, P.F. Chang found out it did not have insurance coverage for them under its cyber insurance policy with Federated Insurance.

Even though Federated had marketed its cyber insurance policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches”, its coverage only applied to claims made by persons whose information had been taken and it excluded liability for any claims made as a result of P.F. Chang’s contractual assumption of liability. It did not include payment card industry coverage, which would have protected P.F. Chang in this situation.  It’s not hard to imagine the conversation that took place between P.F. Chang and its insurance agent when P.F. Chang lost its court case against Federated. Hopefully, that agent properly documented his or her discussions with P.F. Chang about the types of cyber coverage it wanted.  Even so, that agent will likely never sell another insurance policy to P.F. Chang.

To avoid being put in the situation of P.F. Chang’s insurance agent, it is essential that an agent find out all the possible exposures of their customers to a data breach.  A recent post on Property Casualty 360 discusses the five essential coverages that every cyber insurance policy should have.  Depending on the size and business activities of a particular customer, coverage for public relations expenses may not be necessary in every case, but the other four coverages should be a part of every cyber insurance policy sold.  Forensics and legal expenses are necessary to determine the scope of any breach and what legal responsibilities are created by it.  Those responsibilities will typically include notification of the affected customers and possibly, the provision of credit monitoring services.  Business interruption coverage will help the customer overcome the inevitable loss of income that will occur as the customer focuses on dealing with the consequences of the data breach and with the rise of ransom ware attacks this year, every business should have protection against having to pay a hacker to unlock their data that has been encrypted by malware.

Of course, every business that accepts credit cards as payment for their goods or services will need the payment card industry coverage that P.F. Chang lacked.  That includes insurance agencies, all of whom should be checking their cyber insurance policies to be sure they have such protection.

One More New Law of Interest to Insurance Agents

My last post concerned new laws affecting insurance agencies and agents that became effective as of July 1, 2016.  This post concerns a law that became effective on June 3, 2016.  That law effectively rewrote the procedures for the filing of garnishments to collect judgments that have been entered against a person.  Some changes were made to those procedures for garnishments served on employers of which all Georgia employers should be aware.

Before discussing the changes made to those procedures, I want to point out three things that were not changed.  First, it is still illegal to fire an employee because their wages were garnished for “any one obligation.”  It appears that it remains legal to fire an employee who has his or her wages garnished for more than one obligation.  Second, it remains legal for an “authorized officer or employee” of a legal entity to sign and file an answer to a summons of garnishment and to pay any money shown on the answer into the court’s registry.  However, if a traverse, or objection, is filed to the answer by the plaintiff or the employee, the legal entity must hire an attorney to represent it from that point forward.  Finally, if an answer to a summons of garnishment is not filed by the statutory deadline or within 15 days thereafter, a default judgment for the full amount of the debt owed by the employee can still be entered against the employer.

What has changed involves how an employer must answer a summons of garnishment and what the employer must give the employee at that time.  As of June 3, 2016, an employer’s answer to a summons of garnishment must state when the employee’s wages were earned, whether they were earned on a daily, weekly, or monthly basis, the employee’s rate of pay and hours worked, and  “the basis for computation of earnings.”  If the employer has been served with a summons of garnishment for more than one debt of the employee, in its answers to all such summons, the employer must state to which court any money owed will be paid and the case numbers of all the cases in which a summons of garnishment has been served on it.

In addition to serving a copy of its answer to a summons of garnishment on the plaintiff or its attorney, an employer is now required to serve a copy of its answer on the employee or his or her attorney by personal delivery or mail and to include with that document two new documents, Notice to Defendant of Right Against Garnishment of Money, Including Wages, and Other Property and Defendant’s Claim Form.  Copies of these documents are to be provided to the employer by the plaintiff, along with the summons of garnishment.   Their purpose is to inform the employee of his or her right to claim that some or all the property shown on the employer’s answer is exempt from garnishment and to provide a form for the employee’s use in making an exemption claim.

The Georgia Attorney General is required to maintain a list of all the exemptions from garnishment and it can be found here.  There are a surprising number of exemptions, but very few, if any, will apply to the money or other property ordinarily owed employees by employers.