New Overtime Rule – Who Is Exempt?

Judging by the reaction of the audience at a presentation on the new overtime rule I made a couple of weeks ago, that rule is going to create significant problems for independent insurance agencies.  I barely had time to introduce myself before the first question came and they just kept coming.  The focus of many of the questions was whether customer service representatives and producers could be exempt from the overtime pay requirements of the Fair Labor Standards Act (“FLSA”).

I addressed this issue in a post in early 2015.  At that time, the required minimum salary for an employee to be considered exempt was only $455 per week, or $23,660 per year.  I say only because as those of you who have followed my blog posts on the new overtime rule know, the required minimum salary will more than double to $913 a week, or $47,476 a year, on December 1, 2016.  That will significantly increase the financial cost of treating an employee as exempt, which cost should only be incurred if a particular employee can satisfy the duties tests for exempt employees.  If not, the employer is wasting their money and will need to look at other options.  (Click here for a more recent post on what those options are.)  

In my 2015 post, I discussed the most likely exemptions that could apply to customer service representatives and producers.  What was said in that post still applies, with one exception.  The commissioned sales person exemption will not apply to producers or any other employee of an independent insurance agency because that exemption only applies to employees of a “retail sales” business, and the U.S. Department of Labor (“USDOL”) has issued regulations that state businesses that sell insurance are not engaged in “retail sales” for purposes of that exemption.

As I told my audience, that leaves the administrative exemption as the most likely one for customer service representatives and the highly compensated employee exemption as the only one available for producers, unless they operate as door to door sales persons who have no office and meet with their customers only at the customers’ home or place of business. That is not how most producers perform their duties.  Producers will not qualify for the administrative exemption because the USDOL has ruled that an employee whose primary duty is the selling of a product or service cannot qualify for that exemption.  It will be very difficult to argue that a producer’s primary duty is not the sale of insurance products, especially if their main source of compensation is commissions from the sale of such products.  

Exceptions to the above general statements are possible because whether a particular employee is exempt from the overtime pay requirements of the FLSA is a case by case determination that is dependent on the duties actually performed by that employee. However, I told my audience that unless their producers were earning at least $134,004 a year, of which $47,476 was paid as a salary (highly compensated employee exemption), as of December 1, 2016, they would probably be required to pay their producers overtime for any hours worked in excess of 40 in any one work week.  That is true today for any producer who is not making the current threshold amount of $100,000 a year, of which at least $23,660 is paid as a salary.

As with any law, the fact I have never heard of a producer suing an agency for overtime pay does not mean that producers who don’t qualify for the highly compensated employee or outside sales exemptions cannot do so.  It just means no one has tried to do so for any number of reasons.  As explained in my 2015 post, the consequences of not paying required overtime to an employee can be severe and employees have an incentive to file such lawsuits.

For more detailed information on this subject, see the updated question and answer white paper prepared by IIABA and attend its seminar on this subject that is scheduled to begin at 2 p.m. on August 30, 2016.     

Office Printers – A Gateway for Hackers?

My last post dealt with gaps in coverages provided by cyber liability insurance policies.  I recently came across an article in Legaltech News that reminded me how many gaps there are in a business’ computer network that, if not properly protected, can be an entry point for the hacking of that network.  While the ability of modern printers to perform more than one function has eliminated the need for separate scanners and telefax and copy machines, that multi-function ability makes them vulnerable to hackers.

To perform its many functions, today’s printer must be connected to a business’ computer and telecommunications networks and it must have a hard drive on which information can be stored.  The printer’s ability to send and receive telefaxes and to send scanned documents to e-mail addresses makes it vulnerable to outside attack, and its connection with the business’ computer network gives a hacker potential access through it to other devices on that network, not to mention all the data stored on the printer’s hard drive.

To close the gap that a multi-function printer creates in a business’ computer network, it should be protected just like the desktop computers and any other devices that are connected to that network.  This means such a printer should be behind the network’s firewall, any security features it may have installed should be activated and continually updated, any default passwords for it should be replaced, and access to its features should be limited by passwords or other controls.  It is also a good idea to encrypt all data that is sent to or from the printer and at the least, to encrypt the data that is stored on its hard drive.  In addition, if possible, limitations should be placed on the destinations to which the printer can e-mail or telefax data or documents.

Finally, old printers, like lost laptops or smart phones, can lead to a data breach, if their hard drives are not wiped clean before they leave a business’ offices.

Cyber Security Coverage Gaps

My last post pointed out the need to carefully review a potential insured’s exposures to data breaches and then make sure that the policy chosen adequately covers those exposures.  The latter task is made more difficult by the lack of standardized cyber liability policies.  Each company has their own form for such policies and as the agent in the P.F. Chang case discussed in my last post found out, the wording of an exclusion clause can be critical.

Carefully reviewing the language of every company’s cyber insurance policies can be very time-consuming and sleep inducing.  Fortunately, someone has already done this.  Betterley Risk Consultants has recently published a reportthat explores in detail the  coverages available for 10 different types of exposures associated with data breaches.  Who provides coverage for regulatory and statutory claims, remediation costs, security assessment requirements, theft, third party liability, terrorism, and even bodily injury and property damage, along with other types of exposures, is discussed.  The executive summary for the report is available online.  If you are interested in getting detailed information about coverages, that can be obtained for a reasonable price from the International Risk Management Institute’s website.

One important trap for the unwary that was not discussed in my last post, but should be mentioned, is the exclusion found in many policies for the failure to maintain security standards.  As the Betterley report points out, this exclusion is very harsh on an insured who may be doing their best to meet the standards established when the policy was written, but for whatever reason are unable to do so.  Such a failure, event though having met the standards would not have prevented the data breach in question, can result in the denial of any coverage.  Policies with this exclusion should be avoided, if possible.

Another coverage trap for the unwary involves what has come to be known as “whaling”, or social engineering (the Betterley Report prefers to call this type of illegal activity deceptive funds transfer, which is not as colorful but more descriptive of what happens).  It involves the use of e-mails that appear to be from officers or employees of a company, but are really from hackers.  The hackers use the names and e-mail addresses of these officers or employees to request the transfer of funds by the company to an account set up by the hackers.  Millions of dollars have been lost by companies who have been the subject of these attacks.  Many of those companies have discovered to their dismay that they have no insurance coverage for such fraudulently induced transfers because the standard theft coverage in their insurance policies does not cover funds that are voluntarily transferred by the company, as opposed to being taken from the company by third parties.

In keeping with my theme of cyber liability being a two-edged sword for insurance agencies and agents, they and other small businesses should not assume that “whaling” only occurs at big companies and for large amounts of money.  As noted by Steve Anderson in post he did on this subject, “whaling” has happened to insurance agencies for relatively small amounts of money.  Mr. Anderson’s post also has some advice on what agencies can do to protect themselves from this type of attack.