
IN THIS ISSUE:
• The case for agency data breach coverage
• 6 steps to conquer the cyber app
• Windows XP’s end triggers security threats



Data breach hits close to home (Page 10)
It’s time to rethink data breach liability. Running a multi-billion dollar company that boasts millions of customers (Adobe, anyone?) is not a prerequisite for a breach. In fact, it’s small businesses that are most vulnerable, and thanks to the nature of the industry, insurance agencies make a tempting target.

Six steps to conquer the cyber application (Page 16)
Data breach exposures can be difficult for underwriters, producers and business owners alike to wrap their heads around. And effectively covering those risks can be even more challenging. In this article, risk advisor Brian Brown shares his insight on how to most accurately address this emerging threat.

Mission Statement
Primary Agent delivers ideas to help Insurance Agents & Brokers’ members negotiate their unique position as guardians of trust between insurance consumers and companies while facing the challenges of maintaining a small business. Primary Agent also supports IA&B’s mission to preserve and advocate the American Agency System.


Support for Windows XP ending (Page 24)
If your agency uses the Windows XP operating system, you’re facing a data security nightmare. Beginning April 8, Microsoft will no longer offer security updates on the system. And for agencies subject to HIPAA/HITECH, continued use of XP could be seen as non-compliance and trigger regulatory actions. Here, Steve Anderson shares how to upgrade.

In every issue
2 Chair of the Board’s Message
3 Ask Our Experts
4 State News
6 Preventing E&O
8 Coverage Corner
13 My Events
21 IA&B Partners
22 H.R. Headquarters
24 Technology Update
IBC Advertisers Index
IBC Classified Ads
IBC Last & Least

Subscriptions: Non-member price: $2.25 per copy or $15 per year. All communications for publications, including news, features, advertising copy, cuts, etc., must reach the editor by the 1st of the month two months prior to publication. Advertising rates furnished upon request. Address inquiries to: Primary Agent Editor, 5050 Ritter Road, Mechanicsburg, PA 17055-0763; Phone (800) 998-9644 or (717) 795-9100; Fax (717) 795-8347.

Periodical postage paid at Mechanicsburg, Pa. and additional entry post office. Postmaster: Send address changes to above address. Primary Agent (ISSN 1543-3110), Permit # 638-620, Issue # 2014-1 is published monthly by IA&B Service Group Inc., a subsidiary of IA&B. Copyright 2014. All rights reserved. No material may be reproduced in whole or in part without written consent of the publisher.

The information in this publication is general in nature and is not intended to serve as legal, accounting, financial, insurance, investment advisory or other professional advice as to any reader’s particular situation. Users are encouraged to consult with competent legal, financial, insurance, investment advisory and/or other professional advisors concerning specific matters before making any decisions and we disclaim any responsibility for any decisions or actions by readers. Statements of fact and opinion in Primary Agent are the responsibility of the authors alone and do not imply an opinion on the part of the officers or the members of the IA&B. Participation in IA&B events, activities and/or publications is available on a non-discriminatory basis and does not reflect IA&B endorsement of the products and/or services.

Board of Directors

Officers
G. Greg Gunn, CIC, Chair of the Board, Lemoyne, Pa.
Diana M. Hornung Hanby, ACSR, Vice Chair of the Board, Wilmington, Del.
Norman F. Basso, CPCU, Immediate Past Chair of the Board, York, Pa.

Members
Henry “Butch” Bradley, Jr., Forest Hill, Md.
E. Stephen Burnett, CIC, ARM, Wilmington, Del.
Richard F. Corroon, CPCU, Wilmington, Del.
N. Lee Dotson, CIC, AAI, Wilmington, Del.
Michael P. Ertel, Columbia, Md.
John L. Frankenfield, Telford, Pa.
John B. Hollister, Milford, Pa.
Jocelyn R. Howard-Sinopoli, CIC, CISR, Butler, Pa.
Robert S. Klinger, LUTCF, CPIA+, Germantown, Md.
Douglas A. Loesel, CPCU, Erie, Pa.
Michael F. McGroarty Sr., Pittsburgh, Pa.
Craig S. Mader, Gambrills, Md.
Ann Gallen Moll, CIC, Reading, Pa.
Joseph R. Pastor, CPCU, AAI, Oil City, Pa.
Richard M. Rankin, CIC, Lancaster, Pa.
April E. Ressler, CIC, Altoona, Pa.
Scott C. Rogers, CPIA*, York, Pa.
David B. Wasson Sr., CIC, State College, Pa.
Lawrence A. Wilson, CIC, CPIA, CPCU, ARM**, New Castle, Del.

* Pa. IIABA National Director
** Del. IIABA National Director
+ Md. PIA National Director

Chair of the Board’s Message
G. Greg Gunn, CIC

The next big thing

Remember back in the ’90s when EPLI first came on the market? Despite revolving doors on courtrooms across the country and jaw-dropping settlements, employers balked at coverage. Fast forward to 2014, when our large accounts consider it a necessity and even the smaller ones are coming along.

It’s safe to say that there are parallels in the emerging data breach liability market. You can’t read the news without stumbling upon an article about a cyber attack or a privacy breach or, for some unfortunate companies, the two combined. At the same time, data breach liability policies are too new for comfort for many clients ... and even for many of us.

At a recent meeting of P/C insurers, former U.S. Secretary of Homeland Security Michael Chertoff spoke, calling cyber security the most significant threat we face and noting that the risk “affects virtually every kind of enterprise.”

So here we are in a new year, ready for new goals. This year, consider including cyber security in your risk-management planning — for your clients and for your own agency. (Gunn Mowery finally bought coverage a couple years ago.) Yes, it’s a brave new world and this means educating ourselves and our clients. But, as Mr. Chertoff warned, “This one we can see coming.”

Until next time,
G. Greg Gunn, CIC


Ask our Experts

QUESTION: When binding coverage, should we issue a “physical” binder or not? Not everyone in the agency agrees that it is necessary or a good idea.

ANSWER: Is it absolutely necessary to deliver a written binder for coverage to be afforded? No. An oral binder can be valid, just as an oral contract can be. It stands to reason, however, that when a contract is executed orally, the evidence becomes more tenuous.

According to Couch on Insurance (a leading treatise on insurance law), “whether a binder effects temporary, current insurance is a question of the intention of the parties.” While it can be — and usually is — brief, “it represents the insurance agreement at that point, and it is critical to know what is covered and what is not.” There you have it! The binder is a document that is there to ascertain that coverage was granted and, to a certain extent, what coverage was granted.

As Couch states, the issue of written versus oral binders really boils down to evidencing the intent of the parties. When a claim occurs between the effective date of the binder and the issuance of the policy (and they do!), the documentation relative to the binder will be an important element to determine that intent. Relying on verbal statements will be prone to potentially conflicting memories … particularly after a claim has occurred. So what do you do?

• Is a written binder better? Yes, we would argue it is.
• How detailed? A binder will never be as detailed as a policy, nor should it. However, it is best not to omit policy essentials.
• Things to take into consideration: Does your agency agreement or company guidelines state anything about the need to issue the binder in writing whenever coverage is bound? If so, you now have a contractual duty to do it.
• Will this solve all issues related to binders? Probably not. There is always room for ambiguity, because again, the policy has not been issued yet. It will, however, help in ascertaining what you and your customers had agreed upon, and that’s exactly what it’s supposed to do.

HAVE A QUESTION? ASK OUR EXPERTS! Rely on our experts to answer your most perplexing questions. Visit the new Ask Our Experts section of IA& (find the link in the website footer) to submit your question and review answers to other frequently asked questions. Or email your question to us at We look forward to hearing from you!


Primary Agent | January 2014

State News

New Pa. law provides guidance for carriers on electronic notification

Carriers may soon feel more comfortable issuing non-renewal notices electronically or posting policies on their websites for customers to download. A new state law allows companies to use electronic notification for insurance notices and documents, provided the insurer and insured agree to transact electronically.

While the state’s Electronic Transaction Act and the federal E-SIGN Act already gave electronic documents the same validity as paper documents, this law confirms that, where a Pennsylvania statute requires insurers to provide a paper notice, an electronic version of that notice is acceptable as long as:
• The parties (insurer and insured) have agreed to the electronic transaction
• The recipient can store or print the document upon receipt

The new law also allows the posting of policies and endorsements on a carrier’s website, so long as the posting does not contain any of the insured’s personally identifiable information, among other requirements.

This portion of Act 78 of 2013 took effect Dec. 24, 2013. While this new law does not specifically describe how the consent to receive electronic notification should be secured, the federal E-SIGN law stipulates that policyholders have to give their express consent after reviewing a statement that outlines the parameters including:
• Their right to withdraw their consent at any time
• The hardware and software requirements for receiving the electronic notices
• Means of obtaining a paper copy in addition to the electronic copy

policy_cancellations

Resolve to pass the Pa. licensing exam

If securing a Pennsylvania Property & Casualty license is on your New Year’s to-do list, have no fear. Our newly revised licensing-exam prep course is providing unprecedented pass rates.

Our new course, which debuted last fall, combines feedback from past participants and instructors, as well as agency principals who attended our Member Agent Panel (MAP) meetings. In the end, we refocused our course from introducing students to the industry to specifically preparing them to pass the licensing test. Here’s how we’re accomplishing that:

Improved materials
We rewrote the book. The new course manual includes a survival guide that explains the entire test process (from registration through test-taking tips), provides a study schedule and encourages seeking out a mentor. Then each of the 10 chapters opens with goals to meet and key terms to learn.

Mentor program
We heard you loud and clear. MAP participants spoke candidly about the need for their employees to learn how to pass the test, not necessarily receive an industry orientation, from our course. And they shared their willingness to support their employees in the process, which spurred our development of a mentor program. Each pre-licensing course attendee is encouraged to partner with a mentor in his or her agency, who is provided with our mentor guide complete with strategies, schedules and sample questions.

Pass guarantee
We didn’t fix what wasn’t broken. As always, attendees of our course who register at least four weeks in advance are guaranteed to pass the exam. If they don’t, we’ll foot the bill for them to attend another study course within one year. (Updated course-material fees may apply.)

Surplus lines reg simplifies diligent search process

Kiss the days of diligent search headaches goodbye. Our work with the Pennsylvania Insurance Department netted a revised surplus lines regulation that recognizes underwriting guidelines as a basis for an admitted insurer’s declination. It took effect Nov. 25.

The long-standing protocol that required producers to request a formal, written declination from carriers even for risks clearly stated as not acceptable in their underwriting guidelines led to wasted time and frustrations for producers and underwriters alike. The revised reg amends that. While producers still need three declinations and to complete the 1609-PR affidavit, they will be able to rely on their knowledge of a carrier’s underwriting guidelines, as long as they properly reference them in their files.

surplus_lines

Our gratitude

Our sincere thanks goes to the following IA&B of Pennsylvania members, who recently completed their terms on our boards of directors.

Robert B. Hall PCU, CLU, ChFC, ARM, ARM-P, Francis Hall Insurance Services, West Chester
Timothy P. Burris, Sausman Insurance Agency, Mifflintown


New Members

Radnor Benefits Group Inc., Wayne, Pa.
Samuel F. Light Agency Inc., Myerstown, Pa.
Myers and Bell Insurance Agency Inc., Stevens, Pa.
McKee Risk Management Solutions Ltd., Havertown, Pa.





The Utica National E&O Program supplied this article. Insurance Agents & Brokers Service Group Inc. is the exclusive agent for the Utica E&O program in Delaware, Maryland and Pennsylvania. For questions regarding this article or your E&O coverage, contact IA&B at 800-998-9644 or

Managing an insurance agency is a challenging and demanding undertaking. Key decisions must be made every day. Most owners would agree that one of those involves the E&O coverage they choose to protect their agency. Significant financial consequences, up to the possibility of the agency’s demise, could result from inadequate coverage or insufficient limits.

That no two policies are alike adds to the complexity of this line of business. Properly addressing such issues as who is covered and what activities are covered is critical to ensuring that if an E&O claim is made against an agency, it will be well protected.

Frequency and severity

Interestingly, despite our living in an increasingly litigious society, E&O claims against insurance agencies are at a low level compared to the past. In the early 1990s, E&O claims frequency was in the 12-14 percent range; that is, 12 to 14 claims per 100 E&O policies. This translates into one claim for every seven to eight agencies around the country. Today, frequency is at the 6 percent level, less than half of what it was 20 years ago. This is an excellent result despite a society that sues with regularity.

Good results like this don’t “just happen,” though, so how did this transpire? To begin, today there is a much greater commitment to E&O in agencies in the United States. It is also fair to say that as issues and procedures are discussed at the agency level, the topic of E&O is likely to find its way into the conversation.

Another alarming yet impressive number is that E&O carriers that aggressively defend their E&O customers are able to close out 60-70 percent for no loss payment. There are typically some defense costs, which is one reason most agencies have a loss-only deductible on their E&O policy. That means that the agency will only have to pay the deductible if it is found legally liable.

The average-size E&O claim is in the $50,000 range, but agents should be careful not to factor this number into the decision when choosing the size of their E&O limit. Why? It is only an average, and E&O claim settlements in the millions do occur. E&O claims involving personal lines are typically smaller, while heavy commercial lines agencies tend to generate fairly large E&O claims due to the nature of the business they write.

Who generates claims

Producers seem to be most culpable in generating E&O claims, with customer service representatives next in line. Yet virtually every person in an agency, including the claims staff and the receptionist, has an E&O exposure and has been known to generate E&O claims.

Types of claims

For at least the last two decades, the No. 1 cause of E&O claims has been failure to provide the proper coverage. Consequently, when an agency customer suffers a loss and does not receive the settlement he or she was expecting, there is significant potential for the customer to try to find fault with the agency.

Mother Nature has not been kind to agents’ E&O either, with Superstorm Sandy generating a significant number of E&O claims in recent times. Agencies must be proactive in communication and education on the coverages available before such loss-generating events occur. An annual account review has been shown to be a great way to make a customer more accountable for his or her insurance program.

Agencies must also be careful in how they promote themselves to the public. It is prudent for an agency to review its letters, promotional pieces, website, etc., to ensure these materials don’t raise the legal liability standard to that of a “special relationship.”

What is the typical legal liability standard? Absent a specific request for coverage, the producer should not be liable for failure to procure a particular type or amount of coverage. The producer does owe the client a duty of reasonable care and diligence, yet again, absent a specific request for coverage not already in the client’s policy or the existence of a special relationship with the client, the agent/broker should have no continuing duty to advise, guide or direct a client to obtain additional coverage. Plus, while a producer owes a duty of reasonable care, an agent/broker in the basic relationship with the customer should not be held liable for failing to provide unsolicited advice after coverage is obtained regarding a client’s ever-changing insurance needs.

What are some of the more common issues? The “Additional Insured” issue seems to be getting worse. As insurance carriers look to transfer risk via phrases such as “primary and noncontributory,” this is causing problems when the coverage is not properly structured. Moreover, E&O claims are being generated from:
• Improperly completed certificates of insurance
• Valuation
• Excess & Surplus Lines
• Customers not understanding the coverage they do or don’t have
• Coverage not properly placed
• Lack of documentation, etc.

The key element

What is the key element in an E&O loss prevention program? Document, document, document. There is truly nothing that determines whether an E&O claim develops and what direction it will go if it does as much as documentation.

An agency’s E&O culture

The agency’s ownership determines its errors-and-omissions culture, so it must “walk the walk” and “talk the talk” daily. It is unfair to expect the agency’s staff to be committed to E&O prevention if ownership shows a lack of commitment.

Don’t be scared of E&O

E&O claims happen, but that doesn’t necessarily mean the agency did anything wrong. The staff should not be intimidated by E&O. The best mindset is for the staff to have a healthy respect for it and to know there are many things they can do to minimize the potential of facing an E&O claim.





Coverage Corner

BUILDING OWNERS BEWARE: TENANTS’ ACTIVITIES COULD AFFECT PROPERTY COVERAGE

JERRY M. MILTON, CIC

Jerry M. Milton, CIC teaches and consults on industry issues. The legal profession recognizes him as an expert on insurance coverages. He is also the education consultant for IA&B, working with CISR, CIC and continuing education programs.

The Insurance Services Office (ISO) introduced a new Commercial Property endorsement which was effective in most jurisdictions in October 2013. This new endorsement is for use with rental properties and can be attached to the Building And Personal Property, Business Income (And Extra Expense), Business Income (Without Extra Expense), and Extra Expense Coverage Forms. The endorsement is titled Exclusion Of Loss Due To By-Products Of Production Or Processing Operations (Rental Properties) (CP 10 34).

The endorsement requires the premises address plus a description of the rental unit. It specifically excludes loss or damage to the described premises caused by or resulting from “smoke, vapor, gas or any substance released in the course of production operations or processing operations performed at the rental unit(s) described in the Schedule.” The exclusion does not apply to loss or damage by fire or explosion resulting from the release of a byproduct of the production or processing operation. The exclusion applies regardless of whether the operations are legally permitted, legally prohibited, permitted under the terms of the lease, prohibited under the terms of the lease, or usual to the occupancy or the premises.

Simply stated, the purpose of this endorsement is to exclude coverage for the owners of rental properties for damage that tenants cause to the property arising out of the tenants’ occupancy or activities. Although ISO did not say so in their filing, it appears that one of the primary targets of this endorsement is the manufacture of methamphetamine – better known as “meth labs.” This activity can produce an ugly result.

The majority of claims for damage to rented properties resulting from the illegal operation of meth labs have dealt with rental houses, rather than apartment buildings. Most of the claims for damage to rental houses arising out of the operation of a meth lab have been in the northwestern states of Oregon and Washington. Don’t ask me why – I don’t know why.

For the most part insurers have not been successful denying claims for the damage caused by the tenants’ operations. For example, in Largent v. State Farm Fire & Casualty Company, 842 P.2d 445 (Ct. App. OR. 1992), the owner of a house filed a claim under his property policy for damage to the house which was caused by the operation of an illegal meth lab. State Farm denied the claim on the basis that the damage was caused by contamination, which was excluded. The insured argued that State Farm’s reasoning for denying coverage would remove most of the policy’s coverage because many covered perils (fire, smoke, explosion, etc.) result in chemical by-products and contamination. The court agreed with the insured.

In Gaff v. Allstate Insurance Company, 54 P.3d 1266 (Ct. App. Wash. 2002), Allstate argued that the damage to the rental property caused by the operation of an illegal meth lab was not covered because of the contamination exclusion. The court did not address this issue. Instead the court found coverage under the property policy on the basis of the covered cause of loss of vandalism.

As of this date ISO has not introduced a similar endorsement for use with their Dwelling and Homeowners policies. I’m sure it’s just a matter of time. However, some of our insurers may be developing their own version of this endorsement for use with their personal lines policies. After all, as mentioned earlier, most of these claims involve rental houses.

One final thought — this endorsement is free!

Y’all take care!

ISO 2013 changes

The Commercial Property endorsement described in this column is just one of many changes ISO introduced last year. Learn about the rest at your own pace and in your own place by attending our On-Demand courses: “ISO 2013 Commercial Property Changes” and “ISO 2013 CGL Changes.” Written by Jerry Milton, CIC, and presented by national faculty member Dan Lawyer, CIC, CPCU, the seminars offer 4 CE credits and cost just $75 each for members.





Data breach hits close to home

The case for agency liability coverage

It’s time to rethink data breach liability. Running a multi-billion dollar company that boasts millions of customers (Adobe, anyone?) is not a prerequisite for a breach. In fact, it’s small businesses that are most vulnerable, and thanks to the nature of the industry, insurance agencies make a tempting target.

Exploring agencies’ exposures

When it comes to data breach liability, agency owners’ reservations often echo their small-business customers’: “I’m just a small shop.” “I don’t operate a tech-driven business.” “I’m not at risk.” But the facts of data breach don’t support those objections.

Debunking the small-business sense of security

Forty-four percent of small businesses have been the victim of a cyber attack, according to a 2013 National Small Business Association survey [1]. They suffered repercussions ranging from service interruption, to sensitive data being stolen, to business bank accounts being hacked.

Verizon reports that only 38 percent of breaches in 2012 impacted larger businesses [2]. While the payoff of targeting a small business may not be as great, data breach perpetrators often find a small business’s lack of information security worth the tradeoff. And the risks for small businesses are likely on the rise: Thanks to the rapid adoption of cloud computing, smart phones and tablets, and portable memory devices, attackers are finding additional access points to sensitive data [3].

Beyond being the target of an intentional, targeted attack, small businesses often become victims of data breach by accident. A recent report attributed human error and system glitches to two out of three data breaches in 2012 [4]. These accidental breaches stem from relatively innocuous — and common — mistakes: connecting to an insecure wireless Internet connection, reusing the same username and password for multiple logins, leaving a computer or USB drive unattended outside of the office, or failing to delete unneeded information from a computer.

Unfortunately, adding to the danger of these frequent, employee-triggered breaches is employees’ typical reluctance to self-report them. And that delay can complicate an agency’s ability to comply with data breach notification requirements. (See sidebar on page 12 to learn more about state and federal requirements.)

Rethinking an agency’s exposure

Insurance agencies are particularly vulnerable to a breach because of the data they collect — everything from personally identifiable information (Social Security and drivers’ license numbers) for personal lines customers and prospects, to financial information (bank account and credit card numbers) or employees’ personal information for commercial lines customers. Add an online application process to an agency website, and depending how information is transmitted, the risk of a breach could increase exponentially. And for agencies that write health policies, HIPAA triggers additional obligations due to their relationship with the companies they represent and/or their handling of “protected health information.”

More importantly, agencies must understand that the data breach exposure is not contained to “cyber” or electronic data, but encompasses all other forms of privacy breach. This would include improperly disposing of paper records by throwing them in a dumpster — unfortunately a real example.

Beyond what an agency stores in-house is what it entrusts to a third-party, such as an agency management or document management system or a cloud provider. Some 65 percent of businesses that outsource consumer data to a vendor reported that they suffered a breach in 2012 [5].

“Businesses often mistakenly think they are protected if they use a third-party vendor to manage their information,” says James Lannon, territory manager with Beazley Group. “However, according to data breach laws, it is the data owner’s legal responsibility to notify its clients, even if a third party was handling the information when it was breached.”

Making the case for coverage

Data breach triggers more notification requirements, headaches and expense than most agency owners realize. But beyond providing peace of mind, data breach liability coverage can aid in the sale of similar liability policies to an agency’s clientele.

Understanding the risk

The breach response process is dictated by state and federal law and, in many cases, is complex and expensive. Costs include: notifying affected individuals, investigating the scope and cause of the breach, and providing credit- or identity-monitoring services for impacted customers. Depending on the severity of the breach and notification requirements, an agency may even need to secure assistance from a crisis management or public relations firm to minimize damage to its good name. (Reputation management can seem unnecessary until certain agencies realize they are subject to stringent requirements, including notification of prominent media outlets depending on the number of affected individuals.)

“A single laptop left on a commuter train or stolen at an airport can cost a firm nearly $50,000, most of that being expenses to respond to data breached – or potentially breached,” says Lannon. When you add “the cost of investigation and reputation management, it can add up to an estimated $200,000.”

continued on page 14

Sidebar: What amps your agency’s exposure?

Answering yes to any of these questions:
• Do you have employees and keep employee records?
• Do you hold clients’ sensitive information such as Social Security numbers or drivers’ license numbers?
• Do your client records include third-party corporate information (such as company financials)?
• Do you offer premium financing?
• Do you have computers, back-up tapes, a copier, a fax machine?
Source: Beazley, June 2013

Sidebar: Notification requirements and resources

Federal laws, as well as laws on the books in 46 states, spell out how a business must respond to a data breach. Delaware, Pennsylvania and Maryland require notification without unreasonable delay following the discovery of a breach. What’s more, these states’ laws pertain to information that was accessed — or was reasonably believed to be accessed — by an unauthorized person. Generally, state law limits the notification requirement to the breach of unencrypted personal information (unless the encryption key or other method to decrypt the data was also breached).

Agencies that sell health insurance typically fall into the covered entity or business associate category under the federal Health Insurance Portability and Affordability Act, commonly known as HIPAA, and its suite of rules. Together, they trigger their own set of data breach notification requirements, as well as other — generally more stringent — privacy and security requirements.

Learn more about state and federal requirements and access sample notification letters at resource_center/privacy.

Notes
[1] National Small Business Association, 2013 Small Business Technology Survey, p. 10
[2] Verizon, 2013 Data Breach Investigations Report, p. 5
[3] Emma Beck, “Study: Cyberattack Concerns Run High Among Small Businesses,” Associations Now, Oct. 3, 2013
[4] Symantec Corp. and Ponemon Institute, “2013 Cost of Data Breach Study: Global Analysis”
[5] Ponemon Institute, “Securing Outsourced Consumer Data,” 2013





JANUARY 2014 14-16

P&C Licensing Study Course

Mechanicsburg, PA


CISR Commercial Property

Lehigh Valley, PA


William T. Hold: Dealing with Disasters

Reading, PA


CISR Personal Residential

York, PA


CISR Personal Auto

Philadelphia, PA


CISR Personal Auto

Mechanicsburg, PA


CISR Commercial Casualty I

Baltimore, MD

FEBRUARY 2014 4-6

P&C Licensing Study Course

Lehigh Valley, PA


CISR Personal Residential

Erie, PA


CISR Personal Lines Miscellaneous

Pittsburgh, PA


CISR Personal Lines Miscellaneous

Wilkes-Barre, PA


CISR Personal Auto

Lancaster, PA


E&O Risk Management

Philadelphia, PA


CIC Agency Management

Harrisburg, PA


L&H Licensing Study Course

Philadelphia, PA


CISR Personal Auto

Hagerstown, MD


William T. Hold: 3 Cs—Comp, Crime, Cyber

Newark, DE


Beefing up your sales arsenal
Truth be told, data breach liability coverage is not an easy sell yet. The exposure — and the policies that address it specifically — are relatively new, which can leave customers suspicious. Compounding this is resistance from many clients’ IT departments, which look at the need as a sign of their failing. However, as in any emerging market, agencies that familiarize themselves and educate their customers early will be able to reap the benefits. Market growth is in the double digits and has nowhere to go but up. Now is the time for agents to add that arrow to their quiver, while demand is on the rise. The selling point, ironically, will likely be heavily publicized news of more data breaches that are sure to happen. And as independent agencies purchase their own coverage, they may be able to use their own circumstances to illustrate that a data breach policy is, first and foremost, a useful and sound mitigation strategy. As a matter of fact, agencies that purchase data breach liability coverage often report being able to leverage it to assist in the sale of similar policies to customers.

IA&B has partnered with Beazley to offer an insurance policy tailored to insurance agencies of all sizes. The goal was to offer a sound and affordable alternative to policy endorsements that often left out important exposures. For more information on this new product, contact IA&B’s Sales Center at 800-998-9644, option 2.

Protection and preparation Relying on IA&B for all of your agency’s insurance needs saves you time, provides you with peace of mind and ensures the most complete coverage. Our IA&B Sales Center is proud to announce its partnership with Beazley, allowing us to add data breach protection to our suite of coverage offerings. Whether the cause stems from a lost flash drive or a persistent attack by hackers a world away, every breach is different and requires a smart, strategic response. With Beazley Breach Response, your agency can secure comprehensive coverage for expenses incurred to respond to a breach – and have experts standing ready to deliver the well-coordinated response you need to mitigate financial damages and protect your reputation. Contact the IA&B Sales Center at 800-998-9644, option 2, or to learn more.



Six steps to conquer the cyber application
Data breach exposures can be difficult for underwriters, producers and business owners alike to wrap their heads around. And effectively covering those risks can be even more challenging. On the following pages, risk advisor Brian Brown shares his insight on how to most accurately address this emerging threat.


Primary Agent | January 2014

Identifying key players
“Cyber” (network security and privacy) insurance applications are particularly challenging for agents and brokers to complete because the coverage touches on so many aspects of an enterprise and requires multiple individuals to complete various sections. These include:
- Risk managers and financial officers: general information, limits and retention options
- Information technology officers: technical safeguards to the network such as firewalls, intrusion detection, back-up procedures, patch management and data encryption
- Privacy officers: data encryption on mobile devices, procedures regarding paper files containing confidential information, policies and procedures regarding privacy training
- Marketing officers: because most cyber policies offer a website media option, questions about content acquisition and clearance
- General counsel: networks typically use third-party providers for some data backup, hosting or security; general counsel needs to review the contracts with these providers
- Human resources: may be responsible for disaster recovery or incident response

Given this complexity, it’s no wonder that many cyber applications come back incomplete or with contradictory information.

Underwriting complexities
One of the problems with cyber applications is endemic to the rating methodology itself. The largest share of the loss dollars paid by carriers has been to satisfy the state notification laws. These require companies to notify people whose personally identifiable information (PII) may have been compromised. Therefore, the insurers should be rating off the real exposure — the amount of PII an insured maintains. Instead, insurance carriers typically use revenues as a rating basis. This may or may not relate to the actual loss exposure, which differs dramatically between a hospital and a manufacturer with the same revenue. Insurance underwriters are now trying to ferret out the true amount of PII maintained by the prospects and rate the account based on the real exposure. Some applications are now specifically asking this question. This is a difficult number to obtain for most organizations but one that will go a long way to reducing the cost of cyber insurance, even if it is only an estimate.

Presenting coverage options
With cyber coverage, it is not unusual to approach a few carriers for a ballpark figure before completing an application. Typically, an experienced underwriter can give an accurate estimate of the terms, including cost, from a website review and the revenues. In this way, the agent can present cyber, which in most cases may be a new coverage for a customer, in conjunction with other coverages such as the property-casualty or D&O renewal proposals. The insured can then determine whether they are interested in purchasing the coverage at that estimated price without the hassle of completing an application.


Understanding the exposure
When determining a prospect’s level of risk, it may be helpful to think of the exposure in terms of “realms”:
- Network: the information digitally contained within the system
- Remote access: how employees not working within the network access the system’s functionality and how it is protected; since access is typically through laptops, the protection of laptops is critical; encryption may be the best “bang for your buck” risk management investment available
- Wireless: now normally well controlled; the lessons of the DSW loss have tightened these controls in nearly all instances
- Vendors: some of the network’s functionality lies with third-party vendors who are responsible for data storage, hosting, managed security, backup tape storage, etc.; contracts with these providers should be included with the application if possible and should contain hold harmless and indemnity clauses

Although there is no universal application, most carriers are willing to work with another carrier’s application and offer a bindable quote. Although the applications differ in format, they all have similar sections:

General information: This section is the same as for any insurance application: name, address, years in business, etc. (One quick note on international companies: networks do not have national boundaries, and trying to insure only a U.S. entity might pose a problem.) Questions may be included in this section requesting a description of services or products provided. This is one area where scrimping on information may be costly since, as mentioned above, insurers determine premium on revenues, then discount based on operations. It is critical that the underwriter has a complete understanding of the business. The more detailed the description, the better the ultimate outcome. A breakdown of sales by method (online, retail, and wholesale) is invaluable, for instance. Underwriters will penalize for uncertainty or ambiguity, so details on clients are critical since much of the pricing is determined by the amount of PII the organization collects and maintains.

System controls: This section is typically completed by the IT department. Underwriters look for how the organization’s controls stack up against its peers so it isn’t an easy target for scammers. Questions will cover technical controls (firewalls, intrusion detection and antivirus) and network structure (is there a hosting company, how many data centers, how many servers, etc.).

General security: This section may include questions regarding corporate orientation regarding digital and privacy risks. Questions such as, “Do you have a formal security and privacy program in place? Is training given to employees with regard to security and privacy?” are examples. The answers will affect the amount of credit given by underwriters because one of the elements that has the most impact on an underwriter’s comfort (reflected in the price) is management attitude and willingness to expend resources on security and privacy.

Carriers generally look for these security measures:

1. Backup tape procedures: Many claims arise from lost or misplaced backup tapes. Networks need regular (usually daily) backup in case something devastating should happen the next day. The enterprise has the assurance that they can quickly restore the network to its previous state with little loss of data. However, by necessity, all the data on the network is now exposed to compromise.

Most organizations hire an outside firm to transport and store tapes. These are picked up in a locked box which was left the night before. Another method is to ship tapes via air carrier. However, there was one claim where an airfreight carrier was used and the package with the tapes never arrived. A large loss was paid because the PII may have been compromised. Ideally, backup tapes should be encrypted. State laws, as a rule, consider encrypted data to be similar to shredded documents which do require notification.

Written by Brian D. Brown, a professional risk advisor who has been in the cyber field since its infancy in 1998. He has more than 20 years of insurance experience and has been a featured speaker on network security and privacy at numerous conferences such as PLUS and CyberRisk. Contact him at Reprinted with permission from National Underwriter Property & Casualty.

2. Website media and extortion: As cyber insurance evolved, insurers added coverages addressing specific loss instances. Cyber extortion and website media are two examples. Cyber extortion primarily occurred in the mid-1990s when thieves would steal data and extort the organization for money. This quickly fell out of vogue since there had to be a physical exchange and law enforcement was able to exploit this and capture perpetrators.

Website media is a standard cyber coverage because some general liability policies may not appropriately cover this new form of advertising, particularly if the company can be construed as being in the business of advertising. Therefore, the application asks questions regarding content: Who creates it? If not original, how is the company protecting itself against copyright suits?

3. Claims: When asked if anyone ever tried to break into his system, one CIO checked his watch and said, “There are about a dozen right now; school is out.” If the answer to any of the claim questions is “Yes,” a narrative is mandatory. It may be that privacy losses are a regular occurrence. For instance, hospitals can use an incorrect email and send personal medical information to the wrong person. A short narrative will put the underwriter at ease and also help fix an appropriate deductible amount.


Platinum Profile
Insurance Agents & Brokers proudly recognizes MMG Insurance as one of its Platinum Partners. IA&B Platinum Partners dedicate the highest level of sponsorship to our organization.

Proud Partner of the Trusted Choice network of Independent Insurance Agents

FEATURED PARTNER MMG Insurance Company PRESIDENT & CHIEF EXECUTIVE OFFICER Larry M. Shaw, CPCU COMPANY LOCATIONS Presque Isle, ME (Home Office) Concord, NH & Allentown, PA 1-800-343-0533 A.M. BEST RATING A- (Excellent) WEB SITE RECENT AWARDS 2013 #1 Performing Company Overall in Commercial Lines Insurance Agents & Brokers

2013 Interface Partner Award Applied Systems


Every minute of every day, you can count on us to protect your piece of the world — in good times and bad — just as we have for all of our customers for over 115 years. At MMG Insurance, a progressive regional property/casualty insurance company, we value the trusted relationships we’ve built with our agency partners and work to serve our policyholders. It’s our belief that behind every accomplishment you’ll find hard work and a commitment to excellence. That’s a big reason MMG is a carrier of choice for agencies across Maine, New Hampshire, Vermont, Pennsylvania and Virginia. To differentiate ourselves from the larger companies, MMG works to ensure top-notch service. We take a tremendous amount of pride in being there when our agents and policyholders need us. We still answer the telephone in person and have empowered employees to resolve issues quickly. We do business exclusively through independent agents and live by the philosophy that people do business with people. MMG management and staff meet face to face with agents to see what they are dealing with and bring innovative ideas back, making changes where necessary. We strive to add value to the agents’ operations, so our major focus is making it easy for them to do business with us, particularly through cutting-edge automation. It’s that combination of high-tech, high-touch that enables business to flow quickly from the agents to us and back, and ultimately benefits the policyholder. Named one of the Best Places to Work in Maine in 2013!

Listed below are those companies that strongly support the independent agency system and Insurance Agents & Brokers. Thank you for your continued sponsorship.

WHAT IS IA&B PARTNERS? The IA&B Partners program gives company and allied businesses the opportunity to demonstrate their commitment of support to independent agents and receive maximum market exposure. As an IA&B Partner, you will also realize the benefits of IA&B membership to help you succeed in the insurance industry.

DO YOU SEE YOUR NAME? To become an IA&B Partner, choose the sponsorship package that matches your commitment of support. Contact the Member Sales Center at 800-998-9644, 717-795-9100 or visit us online at to get started.

PLATINUM LEVEL ACUITY Berkley Mid-Atlantic Group Donegal Insurance Group Erie Insurance Group Harleysville Insurance HM Insurance Group Insurance Agents & Brokers Service Group Inc Liberty Mutual Insurance MMG Insurance Company Millers Mutual Group Millville Mutual Insurance Co Mutual Benefit Group Penn National Insurance Swiss Re The Main Street America Group Utica National Insurance Group

BRONZE LEVEL Aegis Security Insurance Co Agency Insurance Company AmWINS Program Underwriters Inc Auto-Owners Insurance Company Briar Creek Mutual Insurance Company Chubb Group of Insurance Companies Conemaugh Valley Mutual Insurance Co Countryway Insurance Company Encompass Insurance Foremost Insurance Group GMI Insurance Goodville Mutual Casualty Company Guard Insurance Group Hanover Fire & Casualty Insurance Company Harford Mutual Insurance Co Insurance Alliance of Central PA Inc


Insurance Placement Facility of PA Keystone Insurers Group Inc

ISU Insurance Agency Network Progressive Westfield Insurance

Lebanon Valley Insurance Company Mercer Insurance Group Merchants Insurance Group


Mercury Casualty

Access Insurance Company Allied Insurance American Mining Insurance Co Burns & Wilcox Limited Cumberland Insurance Group Farmers Mutual Insurance Company of Western Pennsylvania Frederick Mutual Insurance Co ICW Group Insurance Companies Juniata Mutual Insurance Co PSBA Insurance Trust Selective The Philadelphia Contributionship

Mutual Aid Exchange Penn PRIME Municipal Insurance Reamstown Mutual Insurance Company Rockwood Casualty Insurance State Auto Mutual Insurance Company TAPCO Underwriters Inc The Brethren Mutual Insurance Company The Motorists Insurance Group The Mutual Service Office Inc Travelers Tuscarora Wayne Group of Companies Zenith Insurance



JEFFREY W. GERHART CEBS, MBA Jeffrey W. Gerhart, CEBS, MBA, provided this article on behalf of Mosteller & Associates, IA&B’s contracted human resources consulting firm. Protect yourself and your agency from regulatory and legislative missteps by accessing HR Solution©. Our compilation of products and services — available exclusively for member agencies — simplifies establishing or improving your human resources program. It also includes base-level consultation and discounted professional services from Mosteller & Associates. Learn more at resource_center/HR_Solution.

In the past few years, the National Labor Relations Board (NLRB) has focused particularly on employer policies that, in the board’s opinion, have the effect of interfering with or “chilling” employee rights to “protected and concerted activity.” In particular, the NLRB has gone after social media and related policies that appear “overly broad” in restricting employee activity.

The NLRB wants to become “relevant” to employees, meaning they want to offer employees protection from adverse employment decisions around these policies. In short, the NLRB is more proactive in encouraging collective bargaining among employees. This focus is consistent with the Obama Administration’s support of organized labor.

What can I do to minimize my risk?
Examine your current handbook, policy manual or current practices to ensure you are not curtailing employee discussions about wages and terms or conditions of employment. If you have policies that restrict employee discussion, remove them. Reconsider the reasons why you may terminate someone if based on these grounds. For example, employees can discuss their wages, pay practices, benefits or safety with each other, raise complaints about inequities amongst them or how supervisors treat them.

The NLRB will not, however, pursue those instances where there are individual complaints or gripes, or where employees actively interfere with work schedules or operations; those are not protected activities. The NLRB may likely support your decision to terminate those employees who do so.

Policies on which to focus
While not an exhaustive list, the following policies or practices seem to draw attention from the NLRB:
- At-will disclaimers – good to have the company president or designee allow written exceptions
- Use of social media – access during and after work hours, and what one can say
- Speaking to the media – who is able to and who is not
- How computers are used – during working hours and what access you allow
- Confidentiality of investigations – no more blanket statements, but case-by-case decision
- Solicitation policies – will the on-site sub sale to support the soccer team continue
- Off-duty access – who can come back onto your property after hours and for what reason

The Associate Handbook available through HR Solution ( resource_center/HR_Solution) can help you craft language to address these issues as well.

Some employers have considered moving away from handbooks or policy manuals altogether. While a few have been successful in abandoning those traditions, it becomes more difficult to defend consistent application of policies to regulatory agencies without them.

What is the NLRB?
The NLRB is an independent federal agency that issues administrative rulings on employment law complaints. Generally, most private employers — including IA&B member agencies — are covered by the NLRB. Any covered employee may bring an action in front of the NLRB. NLRB rulings may render decisions that agree with or conflict with other federal agencies, such as the EEOC or the DOL Wage & Hour Division.

NLRB drama
The NLRB recently found itself in a bit of a fray. For the first time in many years, the board had its full complement of five members. However, the President filled three vacancies during a Senate recess, meaning the board members did not receive their required Senate approval. These appointments were litigated in the District of Columbia federal circuit court as not properly authorized and therefore unconstitutional. At the time of this writing, the decision was under review, making it unknown if the rulings issued by these board members will remain enforceable.

For tips on adding or revising a social media policy, look to the model policy posted on the NLRB website. The January 2013 issue of Primary Agent magazine included a synopsis, which is available on our website.


Technology UPDATE


STEVE ANDERSON Steve Anderson provides information to insurance agents about how they can use technology to increase revenue and/or reduce expenses. He speaks professionally to hundreds of agents each year at National Alliance events and at many state association conventions and technology forums on the future of technology, the social Web, and how insurance agencies can establish their Internet presence. He has authored many articles that have appeared in virtually every insurance industry publication and has over 30 years experience in the insurance community.

The Windows XP operating system was released August 24, 2001, and has been widely deployed in agency organizations. Based on a simple analysis of traffic to several of my own websites, about 20 percent of visitors continue using a computer with Windows XP installed. Microsoft has announced that on April 8, 2014, it will stop delivering security updates and support for the Windows XP platform. This means there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates. Most XP support for regular consumers ended in 2009, although security updates continue to be released. But not for long.

This is especially troublesome for the insurance industry and insurance agencies in particular.

Because of the security requirements contained in the HIPAA / HITECH legislation regarding protecting sensitive personal information, any organization continuing to use the Windows XP platform after April 2014 will likely be considered non-compliant and possibly open to regulatory actions. If your organization has an actual data breach, the fact that the organization was using a non-secure operating system platform would be problematic at best.

While you might be able to keep XP going with a good anti-virus package for a while, that will only protect you from known threats. This is not a good solution.

Here are a few suggestions on steps you can take to upgrade your systems:

1. Talk to your current agency management system vendor: They should be able to advise you on the best way to upgrade.

2. Move to a cloud-based platform: This may be the time to seriously consider moving your technology infrastructure to a third party. It will be much easier to upgrade just your workstations than your entire network.

3. Get training: When you make the move, make sure your staff has the training they need to take full advantage of the new operating system platform.

4. Don’t delay: You should plan to make the move off of Windows XP as soon as possible.

Now is the time to take action. Start working on your strategy for moving your organization off Windows XP. Size up your vendor support for upgrading to a newer operating system, get an inventory of your impacted computing devices, and evaluate how you will update these systems. Moving to a newer operating system will help you provide a more secure environment in your organization and ensure compliance with HIPAA / HITECH.

Reprinted with permission from Steve Anderson’s TechTips. Subscribe at http://techtips.

Classified ADVERTISEMENTS

SOUTHEAST PA PRODUCERS & AGENCIES Professional agency since 1926 located in Feasterville, Bucks County, Pa. Call for confidential information and a review of our services. Contact Ray Reinard at 215-375-8600, Ext. 119.

If you would like to place a Classified Advertisement, simply fax your ad on company letterhead to 717-795-8347, and we will take care of the rest.

The Obamacare punch line
Love it or hate it, health coverage under the Affordable Care Act begins Jan. 1. In honor of the date, we’ve compiled a few of our favorite late-night comedians’ jokes on the subject.

“According to CBS News, only six people enrolled in Obamacare on the first day of the rollout. Six! That means more people have walked on the moon than have signed up for Obamacare.” –Jay Leno

“Obamacare needs the premiums of healthier people to cover the costs of sicker people. It’s a devious con that can only be described as insurance.” –Stephen Colbert

“Now that health care is guaranteed, I’m frying everything I eat. Fried food and cigarettes.” –Craig Ferguson

Source: Daniel Kurtzman, Political Humor

The Last & Least column is dedicated to the industry’s oddities — from creative claims and kooky coverages, to (tasteful) jokes and strange stories. Submit yours to, subject line: Last & Least. The editor will happily protect sources’ anonymity upon request.




PrimaryAgent - January 2014 - PA Edition  