A major focus of RIMS 2017 was the many faces of cyber liability. This is a type of exposure which is growing exponentially. Not only are hackers getting better and bolder, but the focus of liability is, in many cases changing. The New York Law Journal in late April carried a fascinating (if depressing) look at new trends in liability for companies which have been hacked.
You've been hacked. You're the victim, the aggrieved party, right? Not necessarily. "The recent trend has been for federal regulators, such as the Federal Trade Commission (FTC) and, more recently, the Securities and Exchange Commission (SEC), to treat hacked corporations less like victims and more like potential wrongdoers," say the authors, Joseph Facciponti and Joseph Moreno. At issue is the data in your systems. If important private information of third parties - your clients, retail customers, say - is in your custody, you now have a duty to protect that information and to do so effectively, regardless of what the hackers throw at you.
This aspect of handling other people's information is especially important "where the regulator concludes that the hacked corporation ignored red flags or failed to take appropriate precautions to protect sensitive data from theft." The authors look at how both the SEC and the FTC view this exposure, as well as the potential consequences under civil law. Being able to demonstrate proper vigilance and appropriate measures to protect such data and to react promptly and correctly if a breach occurs may be very important to managing this burgeoning new risk. You can find a neat 17 point checklist for a basic cyber security review in a recent post to Health Care Law Today. While this list was compiled for health care organizations, its common sense provisions apply to all types of companies.
The laws and regulations are changing and new court decisions are arising across the US. Don't assume that last year's risk analysis can cover this year as well. (Note: this article is a summary of general interest reviews of the matter and should not be considered legal advice in any way.)
THE IOT: HOW MUCH INFORMATION IS TOO MUCH?
The Internet of Things generates data at a fearsome rate and creates a parallel risk universe where intentional use may create liabilities in addition to the hacking risks described above. A recent article in The Data Privacy Monitor describes many recent regulatory actions and court decisions, as well as pending legislation, which establish new rules around what data may safely be collected and how it must be protected. The article also addresses some of the risks involved in selling certain types of user/customer data derived from IoT devices to third parties.
The article uses the example of a couple of different internet connected sex toys (yes, truly) as well as baby monitors as case studies in what not to do and risks to avoid. While the cases presented deal primarily with the manufacturers of such equipment, similar risks may attach to other organizations in the manufacturing to distribution to retail pipeline or to the end users of IoT devices. As the author notes, "these cases are not outliers, and there are lessons to be learned for all companies considering a foray into the IoT."
IoT related exposures are a new and developing area of risk. For risk managers, they are potentially a minefield without a map. The article is especially valuable for the checklist it includes to help a risk manager navigate this territory. The list includes a good deal of common sense advice, such as, "build privacy and security into devices and software at the outset and continuously look for and cure deficiencies," but it also reminds you to "securely dispose of data when no longer needed." A rigorous sunset process should be part of every data retention plan for IoT devices.
New inventions create new liabilities and thus new risk planning and retention requirements. In 1891, William James Lambert took his prototype one cylinder auto out for a spin in Ohio City, Ohio - and promptly hit a tree root, causing him to lose control and plow into a hitching post, thus creating auto liability. The IoT is no different.
TWO, FOUR, SIX, EIGHT: WE ALL WANT TO LITIGATE
The Workers' Compensation Research Institute (WCRI) has struck again; this time with a fascinating look at the radical differences in rates of litigation from state to state. A summary of the FlashReport appeared on WorkersCompensation.com and the full report is available at the WCRI website for members of the Institute.
The headline news in this report may startle you. The WCRI analyzed rates of litigation in 18 representative states across the US and found that the percentage of claims litigated in the most contentious states is more than three times the rate in the least contentious states. About 13 to 14% of claims with more than seven days of lost time went to litigation in Wisconsin and Texas while 49 to 52% went the litigation route in New Jersey and Illinois. The median rate was about 30%.<br/ >
Well, why doesn't this surprise you? Workers' compensation was designed to be a "no fault" benefit back in the days of the Grand Bargain a century ago. Why is this important? "This study helps inform policymakers and stakeholders about whether worker attorney involvement in their state is lower, near the middle, or higher relative to other states," said John Ruser, WCRI's president and CEO. "It also helps facilitate discussions about why workers' compensation systems vary in attorney involvement."
The FlashReport includes important details about litigation in each of the 18 states studied, so it also offers workers' comp program managers and risk managers an excellent opportunity to benchmark their litigation stats in those states. Litigated claims are expensive claims. Are you going to court too often relative to a given state? If so, are there possible remedies, better claim practices or better management of your relationship with your injured workers? Litigation is a most unfortunate outlier for all parties, except the plaintiff's bar. Could you be doing more to promote win/win claim resolutions?