Just several months ago, the U.S. reached a 50-year low in unemployment at 3.3 percent. Now, according to the Federal Reserve, Coronavirus job losses could total 47 million or an unemployment rate of 32 percent! This pandemic will affect us all moving forward.
Many of you have immediate questions and concerns, especially about the viability and sustainability of your company. We are confronted with unprecedented complexities and risk issues. That’s why The Mid-State Group released our COVID-19 Resource Kit on April 7 to provide comprehensive information for HR, Safety, Finance, Cyber, Benefits, Health & Wellness, along with helpful government resources. If you have not received this kit, please to visit our website blog at https://midstateins.com/resources/blog/mid-state-covid-19-client-resource-kit/
This Insurance Coverage FAQ was created to answer questions and concerns specific to Property & Casualty (P&C) insurance-related questions. P&C specifically relates to Bodily Injury, Property Damage, Business Income, Auto, Workers’ Compensation and other specialty coverage such as Directors & Officers, Employment Practices, and Cyber Liability. This FAQ will discuss some hot button issues that are stirring confusion or even anger. The FAQ, however, will not be an exhaustive review. With the pandemic still in full swing and job losses still not fully realized, the situation is still very fluid and answers we have today may change tomorrow. We will monitor any changes and provide updates as needed to keep everyone up to date.
Please keep in mind that Mid-State is not a law firm, and, under Virginia State Insurance Bureau Regulations, we are not qualified to determine whether a claim will be approved or denied. Only the insurance carrier that issued a policy can approve or deny coverage. Regardless of the answers below, any Mid-State agent will submit a claim regarding COVID-19 losses when requested.
For additional questions or concerns, please do not hesitate to reach out at firstname.lastname@example.org.
Table of Contents
- Question 1: Will my policy cover my “losses” due to the Coronavirus?
- Question 2: Will my policy cover my business income “losses” due to the Coronavirus?
- Question 3: The Governor of Virginia executed an Executive Order effectively forcing my business to close or operate with reduce staff or hours. This will dramatically affect business income. Will this be covered under “Civil Authority” within my policy?
- Question 1: If my business remains open, and during operations the business is responsible for exposing our clients to the Coronavirus or negatively impacting the operations of another business due to this exposure, could my business have legal liability?
- Question 1: I have an employee who was exposed to the coronavirus from another employee while at work. Will my Virginia Workers’ Compensation policy provide coverage?
- Question 2 (from the NCCI FAQ): A business has suspended operations due to COVID-19, but continues to pay employees, although they are at home and not working. Is this payroll included in the premium calculations for Workers’ Compensation?
- Question 3 (from the NCCI FAQ): An employer has limited operations due to COVID-19. As a result, some employees are placed into new roles for the duration of the pandemic. What classifications could be assigned to these employees?
- Question 1: Due to my states Stay-at-home mandate, our fleet of trucks, automobiles and trailers are idle. How can we reduce the cost of our automobile policy until we resume operations?
- Question 1: Can I be sued personally for not adequately responding or managing the company effectively during the COVID-19 outbreak?
- Question 1: We do not have an extensive HR team! How can a small company keep up with all the various government regulations (new and old) and make the right decision in response to COVID-19 to limit our exposure to lawsuits?
- Question 1: Will my Cyber Liability policy cover my business if my payables department pays an invoice received from a hacker’s targeted COVID-19 phishing email scheme?
- Question 2: Most of my employees are now working from home? What cyber risks do I now face?
Question 1: Will my policy cover my “losses” due to the Coronavirus?
If your business did not experience any loss to property, then coverage most likely will not be available. If it was discovered that your place of business was infected with COVID-19 and must close to thoroughly clean and disinfect all property (buildings and business personal property, as an example) then possibly coverage may exist unless there is a specific exclusion (as discussed below) for losses caused by bacteria or virus. Many insurance carriers utilize ISO forms and will probably have an exclusion as part of the policy. As the ISO indicated in 2006, it was never intended to cover such losses “relating to contamination by disease causing viruses or bacteria or other disease-causing microorganisms.” Due to this fact, no premiums were collected nor were reserves established to pay for such losses.
**Please be aware that Mid-State agents will submit a claim on behalf of our clients when asked.
This is a difficult question and many carriers are no longer taking the position to simply deny coverage. The question above was purposely broad in nature. To give you a foundational understanding of property insurance, we must first adequately explain the insuring agreement and key definitions. Generally speaking, property coverage may include losses incurred to buildings and business personal property but may also cover critical business income.
Property Damage Insuring Agreement: Every property policy will describe in its insuring agreement what is being covered. Please note the following example of a typical insuring agreement:
“We will pay for direct physical “loss” of or damage to covered property at the premises described in the “Declarations” caused by or resulting from a peril insured against.”
To understand what is being covered, we must define “loss.” For the Insuring Agreement above, the carrier will have a separate section of “Definitions” which will define keys terms such as loss.
Loss is defined in this example as: “direct and accidental loss of or damage to covered property”
As you can see from the insuring agreement and the definition of loss, coverage depends solely on damage to property! Without property damage resulting from covered perils, the policy will not respond in any capacity.
If an insured was successful in demonstrated property damage due to COVID-19, other parts of the policy must be considered, such as Exclusions. Since the SARS outbreak in 23 countries in 2003, many insurance carriers simply excluded losses due to Bacteria and Viruses, since no premium was collected or anticipated within their actuarial models for such a loss. Certain industries exposed to this type of bacteria or virus risk were offered endorsements to remove the exclusion but for a considerable premium increase.
An example of the Exclusion Loss Due to Virus or Bacteria (using form CP0140 0706) states:
“We will not pay for loss or damage caused by or resulting from any virus, bacterium or other microorganism that induces or is capable of inducing physical distress, illness or disease.”
This first exclusion form created by the Insurance Services Office in 2006 specifically had viruses like COVID-19 in mind. ISO’s July 6, 2006 circular [LI-CF-2006-175]—prepared as part of its filing of the exclusion with state regulators—makes specific reference to viral and bacterial contaminants such as rotavirus, SARS, influenza (example: avian flu), legionella and anthrax.
The policy form goes on to describe their current concerns:
“Although buildings and personal property could arguably become contaminated (often temporarily) by such viruses and bacteria, the nature of the property itself would have a bearing on whether there is actual property damage. An allegation of property damage may be a point of disagreement in a particular case. In addition, pollution exclusions are at times narrowly applied by certain courts. ***
While property policies have not been a source of recovery for losses involving contamination by disease-causing agents, the specter of pandemic or hitherto unorthodox transmission of infectious material raises the concern that insurers employing such policies may face claims in which there are efforts to expand coverage and to create sources of recovery for such losses, contrary to policy intent.
In light of these concerns, we are presenting an exclusion relating to contamination by disease-causing viruses or bacteria or other disease-causing microorganisms.”
Question 2: Will my policy cover my business income “losses” due to the Coronavirus?
Unless your Property policy has been specifically endorsed to provide coverage under loss for Bacteria or Virus, then most likely the Coronavirus will not be a trigger for coverage since no property damage occurred. Again, read your specific policy carefully and look for key definitions for loss and any exclusions that may apply.
Whether you have a Business Owner Policy that provides automatic Business Income Coverage or a Commercial Package Policy where it was endorsed, then you will have policy language spelling out the parameters of this coverage. For example, Income Protection Coverage states:
“This extension provides for loss of “income” and/or “rental income” you sustain due to partial or total “interruption of business” resulting directly from “loss” or damage to property on the premises described in the “Declarations” from a peril insured against. “Loss” or damage also includes property in the open, or in a vehicle, on the premises described in the “Declarations” or within 1,500 feet thereof.”
This standard policy language clearly connects business income coverage directly “from loss or damage to property.” The purpose of explaining the insuring agreement and definition of loss in the first question was to show how all coverage within the Property Form is contingent on first being a loss to property. If property damage does not exist, then the secondary coverage afforded such as Business Income most likely will not be covered either.
Question 3: The Governor of Virginia executed an Executive Order effectively forcing my business to close or operate with reduced staff or hours. This will dramatically affect business income. Will this be covered under “Civil Authority” within my policy?
If you have similar policy language provided in the Explanation below in which there first must be damage to property, and, there are no endorsements changing the definition of loss to include perils such as the Coronavirus, then most likely you will not have coverage under your policy.
** Multiple states, including New Jersey, New York, Massachusetts, and Ohio, have proposed legislation that would mandate business interruption coverage for alleged COVID-19-related losses even where policies have explicit bacteria/virus exclusions.
Cases to watch:
- Cajun Conti, LLC, et al. v. Certain Underwriters at Lloyd’s London, et al. (Civil District Court for the Parish of Orleans, Louisiana—filed March 16, 2020)
- Chickasaw Nation Department of Commerce v. Lexington Insurance Co., et al. (District Court of Pontotoc County, Oklahoma) and Choctaw Nation of Oklahoma v. Lexington Insurance Co., (District Court of Bryan County, Oklahoma—filed March 24, 2020)
Many standard insurance policies offer business income and extra expense coverage under their “civil authority” provisions. This coverage applies when a civil authority (e.g., state, local or federal governmental entity) prohibits access to an insured’s premises due to direct physical loss of or damage to property other than at the insured’s premises, from a covered cause of loss. Here is an example of Civil Authority policy language:
“When a peril insured against causes damage to property other than property at the premises described in the “Declarations, we will pay for the actual loss of “income” and/or “rental income” you sustain and necessary “extra expense” caused by action of civil authority that prohibits access to the premises described in the “Declarations” provided that both of the following apply:
1) Access to the area immediately surrounding the damaged property is prohibited by civil authority as a result of the damage, and the premises described in the “Declarations” are within that area but are not more than one mile from the damaged property; and
2) The action of civil authority is taken in response to dangerous physical conditions resulting from the damage or continuation of the peril insured against that caused the damage, or the action is taken to enable a civil authority to have unimpeded access to the damaged property.”
As this policy language clearly states, “when a peril insured against causes damage to property” this coverage will be triggered. As we explained with Business Income, all coverage within the Property Form is firstly contingent on a loss to covered property resulting from covered perils.
Question 1: If my business remains open, and during operations the business is responsible for exposing our clients to the Coronavirus or negatively impacting the operations of another business due to this exposure, could my business have legal liability?
Yes, a typical Business Owner Policy and Commercial General Liability policy should trigger bodily injury liability coverage under the policy if it is alleged that your business exposed the Coronavirus to its clients, students, independent contractors, invitees, tenants or any other non-employee. As with any allegation of legal wrongdoing, it is imperative to notify your insurance carrier immediately so they can quickly review the allegations and appropriately respond. Failure to quickly notify your carrier could lead to the claim being denied due to late reporting.
**Exposure to employees was specifically not mentioned above since Workers’ Compensation is the sole remedy for employees “injured” at work.
Commercial general liability policies are the most common policies available. Under a typical Insuring Agreement the language will state: “We will pay those sums that the insured becomes legally obligated to pay as damages because of “bodily injury” or “property damage” to which this insurance applies.”
General liability from a coverage perspective is more straightforward, since bodily injury is a coverage afforded under the policy. Bacteria and virus exclusions are not typically included. Generally, these commercial general liability policies will be triggered to respond based on a person’s exposure to and contracting COVID-19 allegedly due to the failure of a business to sanitize the premises, close/quarantine more quickly, or otherwise prevent the spread of COVID-19.
However, the difficulty will be in a third party proving the causation considering that individuals can become exposed from asymptomatic individuals for up to 14 days.
Question 1: I have an employee who was exposed to the coronavirus from another employee while at work. Will my Virginia Workers’ Compensation policy provide coverage?
Maybe. It will be highly unlikely any employee will be eligible for Workers’ Compensation Coverage. The Act excludes “ordinary disease of life” unless the employee is a medical professional or first responder and the exposure was directly related to work. Any claim filed under Workers’ Compensation for COVID-19 would be reviewed on a case-by-case basis by the carrier and the state insurance bureau. As stated in more detail below in the Explanation, as more individuals contract COVID-19, the less likely the state would regard contraction of the virus as work related and designate it as an “ordinary disease of life.”
**Please be aware that all Virginia health insurance carriers will be covering COVID-19-related expenses. Please see our COVID Resource Kit at https://midstateins.com/resources/blog/mid-state-covid-19-client-resource-kit/
Each state decides the specific coverage and eligibility requirements for workers compensation, so the answer to this question will depend on the state in which your workers live. For Virginia, for an employee to be eligible for benefits, they must meet the following:
- Individual injured was an employee at the time of the injury
- It was a work-related injury or occupational illness
- Employee must meet the deadline for reporting the injury
Assuming both 1 and 3 are met, we must understand #2 in more detail to fully answer this question. While the Virginia Workers’ Compensation Act provides coverage for injuries that arise out of the course of employment, it has specific definitions for “injury” and “occupational illness.”
First, the Act specifically defines injury on their website at https://law.lis.virginia.gov/vacode/title65.2/chapter1/section65.2-101/:
“Injury” means only injury by accident arising out of and in the course of the employment or occupational disease as defined in Chapter 4 (§ 65.2-400 et seq.) and does not include a disease in any form, except when it results naturally and unavoidably from either of the foregoing causes.
As it clearly states above, an injury does not include a disease in any form unless it results for the course of employment or occupational disease. The Act goes further by limiting what diseases are covered within their definition of “occupational disease.”
“Occupation disease” is defined by the Act on their website at https://law.lis.virginia.gov/vacode/title65.2/chapter4/section65.2-400/ as:
A. As used in this title, unless the context clearly indicates otherwise, the term “occupational disease” means a disease arising out of and in the course of employment, but not an ordinary disease of life to which the general public is exposed outside of the employment.
B. A disease shall be deemed to arise out of the employment only if there is apparent to the rational mind, upon consideration of all the circumstances:
- A direct causal connection between the conditions under which work is performed and the occupational disease;
- It can be seen to have followed as a natural incident of the work as a result of the exposure occasioned by the nature of the employment;
- It can be fairly traced to the employment as the proximate cause;
- It is neither a disease to which an employee may have had substantial exposure outside of the employment, nor any condition of the neck, back nor spinal column;
- It is incidental to the character of the business and not independent of the relation of employer and employee; and
- It had its origin in a risk connected with the employment and flowed from that source as a natural consequence, though it need not have been foreseen or expected before its contraction.
- A direct causal connection between the conditions under which work is performed and the occupational disease;
C. Hearing loss and the condition of carpal tunnel syndrome are not occupational diseases but are ordinary diseases of life as defined in § 2-401.
The Act is very specific in how coverage can be afforded within this area. The key point in this section is that “ordinary disease of life” will not be covered when such disease occurs within the general public unless it meets specific guidelines provided under https://law.lis.virginia.gov/vacode/title65.2/chapter4/section65.2-401/ which states:
An ordinary disease of life to which the general public is exposed outside of the employment may be treated as an occupational disease for purposes of this title if each of the following elements is established by clear and convincing evidence, (not a mere probability):
- That the disease exists and arose out of and in the course of employment as provided in § 65.2-400with respect to occupational diseases and did not result from causes outside of the employment, and
- That one of the following exists:
- It follows as an incident of occupational disease as defined in this title; or
- It is an infectious or contagious disease contracted during one’s employment in a hospital or sanitarium or laboratory or nursing home as defined in § 32.1-123, or while otherwise engaged in the direct delivery of health care, or in the course of employment as emergency rescue personnel and those volunteer emergency rescue personnel referred to in § 65.2-101; or
- It is characteristic of the employment and was caused by conditions peculiar to such employment.
All of these definitions point to the fact that the injury or occupational disease must have arisen out of the course of employment and must not be an ordinary disease of life which exists within the general public. If the general public is exposed to the disease and it was not specific to employment, it most likely will not be covered under the Act.
However, if you are a medical professional or a first responder, exceptions can easily be made since exposure can be work-related. Approval will only be done on a case-by-case basis so quick reporting of any potential claim is important. As the number of cases of COVID-19 increase significantly, it will be more and more difficult to prove exposure was work specific in nature and not due to outside conditions.
Question 2 (from the NCCI FAQ): A business has suspended operations due to COVID-19, but continues to pay employees, although they are at home and not working. Is this payroll included in the premium calculations for Workers’ Compensation?
Although a pandemic is not specifically listed within the manual rules, the existing rules for wages will still apply for this type of event and payroll should be included in the premium calculation.
Wages or salaries paid to employees while they aren’t working because of the suspension of the employer’s operations due to COVID-19 could be included in payroll in accordance with Rule 2-B-1-a in NCCI’s Basic Manual.
In addition, Basic Manual Rule 2-F-1 addresses wages for time not worked or “idle time.”
For the two rules above, these wages would be assigned to the classification for work normally performed by the employee.
Question 3 (from the NCCI FAQ): An employer has limited operations due to COVID-19. As a result, some employees are placed into new roles for the duration of the pandemic. What classifications could be assigned to these employees?
If any employee’s job has changed, they MAY qualify for a change in classification through Rule 1-D-3 and Rule 2-G. An example is provided below, but please remember, you must maintain accurate records to properly justify and track employee’s new job responsibilities. With HR assistance on creating new job duties, contact Taylor Tsoleas at email@example.com
NCCI provides the following example: “An example could be a retail store that remains open for delivery of goods but closes the showroom to consumers. Several of the retail showroom employees will work from home to assist with phone orders, customer service calls, and related clerical paperwork. These employees may be reassigned to Code 8871—Clerical Telecommuter Employees.
In addition, this same employer has other showroom employees delivering goods to customers. These employees would be reassigned to Code 7380—Drivers, Chauffeurs, Messengers, and Their Helpers NOC—Commercial while they are in their new role as delivery drivers.
In both situations, the employees’ original job descriptions were included in the applicable store code, but their new job descriptions place them in a new code. Once the employees return to their former roles after the pandemic has passed, their payroll would return to the store code that was assigned before the employer closed the showroom.
In accordance with Basic Manual Rules 1-D-3 and 2-G, the employer would be responsible for maintaining properly segregated payroll records for the wages earned while the employees were in their new job descriptions. If these records are not maintained, then all payroll would be assigned to the highest-rated applicable classification.”
Bottom line: KEEP THE RECORDS. Make sure you are prepared to explain what payroll was paid to employees who were simply not working and which employees saw their jobs change as a result of the virus. The auditor may be able to reclassify that payroll for those whose jobs have changed and the rules may wind up changing for those who were paid to not work.
See NCCI COVID-19 FAQ at https://www.ncci.com/Articles/Pages/Insights-Coronavirus-FAQs.aspx for additional questions and answers related to Workers Compensation and their press release at https://www.ncci.com/Articles/Pages/Insights-COVID19-WorkersComp.aspx#
Virginia Workers Compensation Legislative Activity: https://www.ncci.com/Articles/Pages/II_LegislativeAnalysisState_VA.aspx
Question 1: Due to my states Stay-at-home mandate, our fleet of trucks, automobiles and trailers are idle. How can we reduce the cost of our automobile policy until we resume operations?
Recently, many national and regional insurance carriers such as Progressive, Travelers, Chubb, Auto-Owners, Erie and many others began rebating premiums back to insureds due to COVID-19. It is estimated that $10.9 billion in premiums will be credited back to clients. Various news sites are reporting a decrease in commercial and personal vehicle mileage traveled down by as much as 50 percent. However, these premium reductions will not represent a substantial decrease. As explained further below, consider temporarily removing non-essential coverage such as collision, rental reimbursement, towing, hired auto, hired auto physical damage or reducing the number of employees or payroll if you are a garage operation. If considering this option, only do so if the cars are idle and allowed by any applicable loss payee.
- Progressive: According to https://www.insurancejournal.com, Progressive is “providing approximately $1 billion to its drivers. Personal auto customers who have a policy in force as of April 30th will be credited 20% of their April premiums in May and customers with a policy in force as of May 31 will be credited 20% of their May premiums in June. Commercial lines customers with a business owner or general liability policy will get a 20% credit on April and May monthly premiums. In addition, the insurer is suspending cancellations and non-renewals on personal and commercial lines policies for non-payment through May 15; expanding coverage for personal auto customers temporarily delivering food or medicine, and allowing commercial customers additional coverage options for delivery.”
- Travelers: 15% credit on April and May premiums.
- Chubb: According https://www.insurancejournal.com, Chubb’s “U.S. small business clients whose policies renew between April 1 and August 1, 2020 will receive an automatic 25% reduction in the sales and payroll exposures used to calculate their premium as well as a 15% reduction in premiums for their commercial auto insurance.”
- Erie: According to https://www.insurancejournal.com, “Erie will file to reduce rates by $200 million total for personal and commercial auto insurance customers in 12 states and the District of Columbia. This is not for short term auto insurance rebates. If approved, premium adjustments will take effect at the time of new policy initiation or renewal, will vary by state and it will also be based on individually purchased policies and coverages. The insurer is promising individualized payment flexibility and adding gift card reimbursement coverage to home insurance policies. This reimburses customers for remaining balances on gift cards that can no longer be used at independently owned and operated local businesses due to business closures.”
For a more extensive list of carriers and their refund programs, visit https://www.forbes.com/sites/advisor/2020/04/06/car-insurance-companies-start-offering-refunds-because-few-are-driving/#5a711a3a4350 or https://www.insurancejournal.com/news/national/2020/04/13/564510.htm for more information
Please keep in mind that most insurance carriers are only offering several months of rebates and will not continue for the entire year. Companies such as Chubb and Erie have differentiated themselves by providing a full annual premium reduction. However, this reduction in premium may not take effect until renewal or after state approval.
With companies facing severe revenue shortfalls, there are several other automobile policy changes to consider:
- Collision-Collision coverage will pay for damages incurred to a motor vehicle or trailer in the event of an at-fault accident. Pricing can vary based on the year, make, model, usage and cost new. Commercial clients with small, medium to large fleets can save substantially on their premiums by removing this coverage if fleets are idle. If these vehicles or trailers are not operated, then collision coverage is not a concern. Businesses should continue to maintain comprehensive coverage which will provide coverage in the event of damage due to weather, fire, animal collision, vandalism, flood, glass damage and other non at-fault accidents.
- Mileage-How far a commercial vehicle typically travels can greatly affect premiums. If you had fleets of vehicles traveling over 100 miles per day on average and are now idle or driving considerably less, then temporarily endorsing the policy to reflect less mileage can help reduce premiums.
- Rental Reimbursement, Towing, Hired Auto and Hired Auto Physical Damage-Read your policy carefully and review all non-core coverages that are not required by law or loss payee. If your vehicles and personnel are idle, then the exposure to loss in these areas are nonexistent and your company’s commercial auto or fleet policy can be endorsed to temporarily to remove.
- Garage Operations– if you operate an auto body shop, auto repair shop, franchised or used car lot or any auto related business, your premiums mostly are based on either the number of employees or payroll of your auto operations. With reduced hours and layoffs continuing to increase, contact your Account Executive or Risk Advisor to quickly amend your policy to update your employee count or payroll to help reduce premiums.
Once operations return to normal or when exposure to loss returns, please contact your Account Executive or Risk Advisor to ensure all coverages removed are endorsed back onto the policy.
Directors and Officers
Question 1: Can I be sued personally for not adequately responding or managing the company effectively during the COVID-19 outbreak?
Yes, there is a significant exposure to those directors and officers of companies who are attempting to navigate their companies through the complexities and new risk issues due to COVID-19. More than ever companies must identify, prioritize, control and monitor risks potentially impacting the company. Essentially, companies must implement a holistic risk management strategy to improve their risk profile during and beyond COVID-19. Failing to do so can leave those directors and officers of the companies held personally liable for alleged errors, omissions, misstatements, misleading statements, neglect or breach of duty.
**Please refer to our COVID-19 Resource kit at https://midstateins.com/resources/blog/mid-state-covid-19-client-resource-kit/ and contact our seasoned consultants in Human Resources, Safety, Security, Finance, Employee Benefits, Wellness, Leadership and Government Compliance for assistance.
Directors and Officers (D&O) Liability provides business “malpractice” coverage for those overseeing and managing the company. These policies protect against the insured’s “wrongful acts,” which are typically defined as the insured’s errors, omissions, misstatements, misleading statements, neglect, or breach of a duty. Lawsuits have already been filed for a variety of reasons such as inadequate company disclosures on COVID-19’s financial impact, failure to comply with government compliance, inadequate contingency plans, privacy data breaches, loss of liquidity, bankruptcy proceedings and simply not properly managing the virus’s impact on the company.
One interesting exposure due to COVID-19 is the increase risk of cybercrime. On March 20, 2020 the FBI issued an alert with the headline: FBI SEES RISE IN FRAUD SCHEMES RELATED TO THE CORONAVIRUS (COVID-19) PANDEMIC. Though D&O does not directly cover losses due to Cybercrime, those companies who fail to adequately protect against this increase risk or insure against privacy and cyber liabilities could face D&O liability.
Employers Practices Liability (EPL)
Question 1: We do not have an extensive HR team! How can a small company keep up with all the various government regulations (new and old) and make the right decision in response to COVID-19 to limit our exposure to lawsuits?
Although there is no guarantee that a company will not face legal action by its employees based on the decisions they make in response to COVID-19, there are steps employers and their HR team can take to limit their exposure. Read our Explanation below and call Mid-State HR along with your policy’s free pre-claim legal counsel for support. Mid-State also provides all Employee Benefit clients with ThinkHR which also provides access to a service center of Human Resource Professionals along with a web portal with HR resources and training videos.
This area of liability is highly complex and should be navigated carefully. Advice from veteran human resource experts and legal counsel is recommended, especially if your business is considering reduction of hours, furlough or layoffs. There is a myriad of laws such as FFCRA, WARN, EEO’s Adverse Impact provisions, FLSA, FMLA HIPAA and ADA, just to name a few, that ultimately could affect a company’s exposure to liability. There are an infinite number of possible questions to consider under COVID-19, but here are a few to consider:
- How do COVID-19 absences affect employee wages, and does that create an exposure to employers?
- What are the specific risk issues when considering furlough vs layoffs vs. reduced hours?
- How should employers handle employee quarantine (even if COVID-19 has not been confirmed) cases with respect to employment and health-related privacy?
- When can employers require employees to stay home? When can employers require employees to come in to work? Can employers require telecommuting? Must an employer now pay for an employee’s internet service?
- Must the Company purchase ergonomic office furniture and computer equipment for telecommuting?
- If I allow one employee to stay home with pay, must I offer all employees who want to stay home pay?
- The Governor issued an executive order effectively closing my business or severely reducing working hours. Do I still need to comply with the WARN Act?
This is only a small sample of questions employers are asking and how they act on any of these issues determine the amount of liability they become exposed to. Before acting on any decision please consider:
- Free Pre-Claim Legal Advice: Your company’s in-force Employment Practices Liability policy may provide needed legal support to assist in charting the right course with all the relevant risk issues in mind. Most EPL policies provide free pre-claim legal advice from specialized employment law professionals for their policy holders. If you do not know how to access this policy benefit, please call your Account Executive or Risk Advisor at 434-528-1001.
- Under the Mid-State family of companies, Mid-State HR provides seasoned human resource professionals who can support you team in navigating these issues. They will work with Mid-State Insurance and legal counsel provided under your policy or your company’s hired legal counsel to support your team in creating and implementing a risk management plan.
- Document, Document, Document! To adequately protect yourself and your business, it is imperative to document your actions and conversations with employees. Facts will be crucial in any employee dispute!
- Review Policies and Procedures: The workplace has changed dramatically since COVID-19. Your policies and procedures that were relevant in February of this year are now in need of a major overhaul and could expose you to legal liability if not amended quickly. Mid-State provided a COVID-19 Resource Kit with sample policies to consider. Our kit can be accessed on our website at https://midstateins.com/resources/blog/mid-state-covid-19-client-resource-kit/
If you are not familiar with an Employment Practices Liability, to trigger the insuring agreement, a claim must allege an employment wrongful act, which typically includes breach of employment contract, employment discrimination, Employment Harassment, Retaliation, Wrongful Employment Decision, Wrongful Termination, Workplace Tort, Invasion of Privacy or Defamation. All of these can be relevant to possible COVID-19-related employment claims.
**As stated in the D&O section above, companies must identify, prioritize, control and monitor risks potentially impacting the company—now more than ever. Essentially, companies must implement a holistic HR risk management strategy to improve their risk profile during and beyond COVID-19.
Question 1: Will my Cyber Liability policy cover my business if my payables department pays an invoice received from a hacker’s targeted COVID-19 phishing email scheme?
Maybe! Even though a hacker used electronic means to “trick” the person in your payables department, the fact that the employee “voluntarily parted” with monies without first verifying the authenticity of the email or identity of the person sending the email, could place your company with little or no coverage.
Some but not all carriers providing Cyber coverage will have limited Social Engineering Coverage. Review your policy carefully or call your Mid-State Risk Advisor at 434-528-1001 to review.
Remember, the best way to decrease your exposure to Social Engineering, is employee Security Awareness Training. Contact Mid-State Cyber at firstname.lastname@example.org to set up a Phish Simulation and training. There are also a number of resources for Cyber on our website at https://midstatecyber.com
As first discussed above within D&O, the FBI issued a March 20, 2020 alert warning of an increase in fraud schemes relating to COVID-19. World-wide cybercrime already costs an estimated $600 billion per year with over 2.3 billion data breaches in 2018.
With COVID-19, phishing attacks have increased by 667%! With Stay-At-Home orders firmly in place, the work environment has dramatically changed, providing new opportunities for cyber criminals to exploit unprepared small- and medium-sized businesses rushing to new technologies to fill work from home needs. COVID-19 may be uncharted waters for many, but the threat of cybercrime and liability is nothing new and businesses now more than ever are left virtually and literally exposed! This is even more evident with the fact that in 2018, only 59 percent of businesses carried Cyber Liability policies—even though 70 percent think that the risk of being victimized by a cyberattack is growing at an alarming rate!
If Cyber Liability is securely in place, then the policy typically has First-Party and Third-Party Coverage. Here is a typical breakdown of those coverages:
Loss or Damage to Electronic Data/Equipment: When hackers invade past your hardware, software or human defenses, they typically are looking for a source of revenue. One of their main tools is to encrypt access to data in attempt to extort money. When money is not provided, equipment can be rendered useless and must be reformatted or replaced. The expense to recover or replace can be expensive; this can all be covered. When hackers damage internal networks, hard-drives and other equipment, businesses rely on this coverage to provide funds to repair or replace.
Business Income and/ Extra Expense: Businesses that depend on servers, networks and other connected equipment for normal operations will also experience a loss of income when hackers take these systems offline. Business income and extra expense coverage replaces the income the businesses would have received if not hacked and pays extra expenses to expedite the business resuming operations.
Extortion: Extortion coverage to pay off hackers to restore access.
Notification Expense: State and federal laws specifically mandate companies to notify affected persons when a data breach occurs, especially when Protected Health Information (PHI) or Personally Identifiable Information (PII) are involved. This coverage provides coverage to notify those affected and even pay for Credit Bureau monitoring services.
Damage to Reputation: Also called Crisis Management, this coverage can be crucial in preventing the harsh reality that 33% of customers never return when a company has a security breach. Professional public relations and marketing costs can be covered when this is included in the policy.
Network Security and Privacy Liability: Covers claims against your firm for negligent acts, errors or omissions that result authorized access, Denial Of Service attacks, release of PHI and PII into the public domain, networks and equipment infected with malware, or any other security breach allegedly caused by your firm.
Electronic Media Liability: Though not related to cybercrime, this coverage provides much-needed protection for those companies publishing electronic data on the internet such as on a website, blog and/or social media by covering wrongful acts such as libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement.
Regulatory Proceedings: Companies who suffer a security breach inevitably face state and federal scrutiny and may face fines and penalties which would be covered along with the expense for legal counsel.
Social Engineering Fraud: This occurs when a third party impersonates another company or individual typically via phishing emails, but can also be via smishing (texts) and vishing (phone calls) with the intent to deceive so that confidential information will be given away or funds wired. Loss is also referred as “voluntary parting of title” since information or funds were provided by the actions of the insured and not directly stolen by the cybercriminal.
Not Covered or Limited Coverage
Social Engineering vs Cybercrime (Funds Transfer)
Cybercrime occurs when criminals hack into a system and obtain banking information to transfer funds. This is not usually covered on a cyber liability policy. This coverage for the theft of money via electronic means is typically found on a Crime or Bond policy. Though the lines between Cybercrime and Social Engineering are blurring, you must read your policy carefully to understand if all the exposures you are faced with are properly covered.
Most cyber liability policies will limit their Social Engineering exposure to only $25,000 or $50,000 without any ability to increase further. Since 93% of all successful cyber hacks occur via email, the best protection is training your employees on how to recognize fraudulent emails. Conducting phishing, smishing and vishing simulations and training can dramatically decrease your firm’s exposure.
This is a PDF you can print out and put in the breakroom and other places of prominence that lists most “Red Flags” to spot a phishing email – 22 Red Flags for Social Engineering Emails
To understand your company’s cyber security exposure, take our online Cyber Security Assessment at https://midstatecyber.com/cybersecurity-exposure-survey or get a 30-day phishing simulation to understand your employee’s susceptibility to phishing scams.
More information is available at https://midstatecyber.com
Question 2: Most of my employees are now working from home? What cyber risks do I now face?
Yes, companies now more than ever have an increase in cyber vulnerabilities and threats, especially with employees telecommuting. Employees are possibly working from unsecure internet connections and using outdated equipment, firmware and software creating opportunities for hackers to gain access and exploit.
If any hackers gain access, they can possibly steal critical passwords, encrypt data, steal PHI and/or PII, extort money or transfer funds from corporate checking or saving accounts. Exacerbating the problem further is the fact that 59 percent of companies do not have a Cyber Liability Policy to cover any losses. New concerns or risk are in the areas of personal hardware, outdated software, employee training, cyber liability, privacy and HIPAA, Human Resource/Employment Practices and even D&O as explained in the D&O section above.
One key response to social distancing is the migration of workers away from physical corporate workspaces and towards working from home. According to a March 17 Gartner, Inc survey of 800 global human resources executives, nearly 88% of organizations have encouraged or required their employees to work from home in response to COVID-19. This is a stark contrast to the approximately 7 percent of the workforce who telecommuted prior to the epidemic.
Cyber security within a corporate workspace was already a herculean task with bad actors attempting to hack every 39 seconds–on average 2,244 times a day! Fortunately, companies understand the workplace security risks and companies globally are predicted to spend over $1 trillion over the next five years on cybersecurity, according to Cybersecurity Ventures.
Now these reinforced corporate environments are completely bypassed, and employees are relying on personal computers, antivirus and malware software, modems, routers and firewalls and personal software patching practices (or lack thereof). Companies who quickly rushed to implement telecommuting technology may have disregarded or did not consider the security implications. Many headlines point to this with Zoom seemingly in the news almost daily! Unfortunately, companies are now fully exposed and liable due to the employee’s personal home equipment and security practices.
Cyber criminals understand these practices and new vulnerabilities better than anyone and are actively engaging small, medium, and large companies to take advantage. As stated above under Question 1’s Explanation, there has been a 667 percent increase in cyber attacks! Cyber criminals follow the headlines. With COVID-19, an unprecedented global crisis, hackers have lined up for an unprecedented payday!
Complicating matters more, employees working from home are more stressed and distracted than ever. Working from home can already be challenging enough for those new to telecommuting. Next, throw in at-home childcare or homeschooling needs, lack of essential home items due to national shortages or hoarding, home confinement due to state or federal stay-at-home mandates, and other forced changes to our daily lives due to COVID-19. It’s no surprise that employees are not clearly focused on work, much less focused on subtle nuances in URLs or domain names hackers use to trick individuals into opening an email or clicking on a link, or even falling prey to simple social engineering tactics.
Key Security Items to Consider During and After COVID-19
- Be sure to secure and safely manage passwords. It is recommended to use a secure password manager like 1Password, Dashlane and others, and not the ones built into browsers – i.e.: Chrome, Firefox, Safari, Edge, etc.
- Implement 2FA/MFA: Set up Two-Factor or Multi-Factor Authorization for access to any critical appliance or software. Providing two or more pieces of evidence to authenticate the appropriate user for corporate asset access is an additional layer of defense making it harder for bad actors to gain entry.
- Secure internet access from any device: In today’s work environment, it is simple for employees to access critical corporate servers or SaaS vendors which hold sensitive PHI and PII from cell phones, iPad/tablets, Chromebooks, or laptops.
- VPNs encrypt all inbound and outbound transmissions preventing hackers from scraping any sensitive data. Verify ALL traffic from the devices are tunneled over the VPN.
- Conditional Access Policies prevent access to corporate assets unless certain conditions are met.
- Implement Phishing Simulation and Security Awareness Training. Since 93% of all successful hacks use some sort of phishing scheme, the best protection is properly training employees. Phishing simulations provide a safe environment to determine which employees are susceptible to phishing emails and the type of email scams they fall for. This allows for simple and customized training for all employees to recognize and avoid common and even more sophisticated phishing schemes. Read more on our Phishing and Cyber Security Awareness Training HERE
- For more security tips, check out “18 Things to Make Your Remote Work Secure, Convenient, and Stress-Free“ from ConnectWise by clicking on the link here.
- Keep your Mobile Computing Habits SAFE – Review these 20 ways to Block Mobile Attacks
To understand your company’s Cyber Security exposure, take our online Cyber Security Assessment at https://midstatecyber.com/cybersecurity-exposure-survey or get a 30-day phishing simulation to understand your employee’s susceptibility to phishing scams.
More information is available at https://midstatecyber.com