Over the past 40 years, tidal flooding has quadrupled in many low-lying areas, but that change is accelerating due to sea level rising. According to a new study, even moderate rising could as much as triple coastal flooding events in many communities in the next 15 years. Based on even moderate projections for sea level rise from the 2014 National Climate Assessment, the Union of Concerned Scientists’ study “Encroaching Tides” calls attention to the threat of routine tidal flooding to much of the East and Gulf Coasts. As opposed to storm surges, tidal flooding occurs far more regularly, bringing water above the base sea level during routine tide patterns or, for example, twice a month due to the moon’s increased gravitational pull.

With anticipated sea level rise, even daily tides may flood many areas, according to the report. As the base sea level changes, deviations take on new meanings–which can have drastic implications for property.

Flood Levels

Further, as sea levels continue to rise, tidal flooding events will become notably more extensive, with accompanying increases in disruptions and damage. As illustrated below, even minor flooding events will impact larger regions, and putting more property on the front line of regular flooding.

Moderate Miami Flooding

The duration of these events will also increase, potentially straining existing public infrastructure, demanding more emergency assistance, and leading to regular business interruption. Flood-prone areas in five of the 52 mid-Atlantic communities studied could be inundated more than 10% of the time, for example. In all of the communities studied, the number of tidal flooding incidents increased dramatically in projections for 2030 and 2045.

Tidal Flooding Chart

{ 0 comments }

Takeover by ransomware–malware installed on computers that allows criminals to remotely lock the computer and demand a ransom to release files and programs–is a concern to 88% of IT professionals, a study by Spiceworks found. What’s more, almost one-third of IT pros have experienced a ransomeware attack at their organization.

According to Microsoft, ransomware is usually installed when a malicious email attachment is opened; or by clicking a malicious link in an email message, instant message or on a website, including a social networking site. Ransomware can even be installed when simply visiting a malicious website.

You can find out more about ransomware and what to do about it below:

{ 0 comments }

Cyberrisk

Rapidly developing computer technologies and the unrelenting evolution of cyberrisks present one of the biggest challenges to the (re)insurance sector today. Liabilities from cyberattacks and threats to the data security of cloud computing and social media have become key emerging risks for carriers. The unprecedented rise in cyberattacks, in addition to the threat cyberrisk poses to global supply chains, has seen the cyberinsurance market grow significantly in recent years.

Client demand for cyber coverage has been growing, on average, 30% annually in the United States over the past several years, according to Marsh. While demand varies by industry, the one constant has been that more clients are investigating and analyzing existing traditional insurance coverage and whether they need standalone cyberrisk insurance coverage.

Because cyberrisk is associated with the use of technology and the handling of all data and information, the threat transcends a company’s information technology (IT) department as well as what is confined to the internet. To help overcome some misconceptions that still exist for cyberrisks, some clarity around business exposures is needed to understand the scope of the threat.

Cyberattacks pose a danger to global supply chains

Cyberrisks are not isolated and are usually connected to other risks. Many companies that are exposed to cyberrisks are, for example, also exposed in turn to risks to their supply chain. Due to technological innovation and advances, many parts of a company’s or industry’s supply chain have become interconnected and automated.

Most commercial entities today are exposed to these risks as a growing number of businesses become more interconnected globally. A single cyberattack has the potential to put an entire company’s supply chain at risk. Therefore, cybersecurity and supply chain risk management must be considered in conjunction with one another.

There are a range of risks when it comes to online/computer security. Cyberattacks can result in first party liability, including business interruption, computer security breaches, privacy breaches of confidential information and even third-party liability losses. Technology failures have begun to outpace adverse weather, fire and social unrest as the major force in disrupting a corporate supply chain, according to a recent Guy Carpenter report.

Everyone is at risk – individuals, companies and governments

In 2014, cyber issues have become more of a concern for companies that once felt they had relatively little exposure. In fact, cyberattacks were ranked fifth among the top five global risks in terms of likelihood in this year’s World Economic Forum’s annual Global Risks 2014 report.

Governments consider cyberattacks to be among the most serious economic and national security challenges now facing them. And through the ubiquitous use of the internet, mobile devices and social media, companies of all sizes and in all nations are now finding themselves at risk of falling prey to the full range of cyber perils. Such attacks can run from hackers shutting down a company’s network, gaining access to customers’ and employees’ personal and financial information, to the theft of business trade secrets.

More data laws and regulations in place

High-profile data breaches and other cybersecurity incidents have become more commonplace with increasingly onerous outcomes. Target, one of the largest retailers in the United States, suffered a massive cyberbreach late last year which involved the theft of approximately 40 million credit and debit card account details as well as personal data of nearly 70 million customers. The breach reportedly occurred when hackers used the retailer’s heating and cooling vendor’s system to navigate their way into the retailer’s records. The resulting publicity cost the company a significant amount in lost sales, loss of reputation, class action lawsuits, and may have contributed to the ouster of the chief executive officer. And most recently, a U.S.-based online auction site announced that hackers accessed the company’s 145 million user accounts and urged customers to change their passwords.

More recently, home improvement chain Home Depot became the victim of another credit card data breach and the FBI is reportedly investigating cyberattacks at some of the largest banks in the United States.

As cyber incidents affect both consumers and institutions, governments everywhere are putting more data privacy laws and regulations in place in regard to disclosure and other related safeguards. In the United States, there are laws that require the protection of both personal financial and health information. Last year, the U.S. Securities and Exchange Commission, which oversees publicly-traded companies, adopted a directive requiring certain regulated financial institutions and creditors to adopt and implement identity theft programs in light of the new cyber threats.

Risk mitigation and insurance

With governments considering and enacting new laws in response to the rising number of cyber events, companies, especially those in the United States, are taking a closer look at cyberrisk mitigation, including insurance coverage of breaches and attacks.

Media reports of serious data breaches have prompted more companies to buy cyber coverage of $100 million or more compared to the prior year, Marsh said in its March 2014 report Benchmarking Trends: Interest in Cyber Insurance Continues to Climb.

Traditional insurance products often do not cover risks that cover damages resulting from an incident like a computer breach. As such, specific cyber liability insurance may be necessary.

The very process of applying for cyberrisk insurance is a constructive exercise for raising awareness and identifying potential vulnerabilities. By engaging in that process, a company can perform a review of information security protocols with respect to access control, physical security, incident response and business continuity planning.

As a result, businesses and other institutions are finding that cyberinsurance products have been broadened to include coverage that now addresses nearly all aspects of technology-based risk faced by today’s companies. Carriers have been adapting their policies to include a variety of loss prevention and risk mitigation tools, ranging from turnkey breach response teams to pre-emptive risk analytics.

As cyberthreats become more severe, more frequent, and continue to change along with technological advances, the (re)insurance industry will continue to stay one step ahead by creating new forms of cyberrisk coverage to meet the needs of their clients.

{ 0 comments }

On Sept. 22, 2014, in EEOC v. Vicksburg Healthcare LLC, et al., Judge Keith Starrett of the U.S. District Court for the Southern District of Mississippi granted defendant’s motion to dismiss an EEOC lawsuit for lack of personal jurisdiction and insufficient service of process. The EEOC had filed a disability discrimination claim on behalf of a nurse who worked at a hospital owned by a subsidiary of the defendant. The court held that the EEOC, which sued a subsidiary hospital in Mississippi and its Tennessee-based parent corporation, did not put forth prima facie evidence of the necessary factors to satisfy personal jurisdiction requirements for the parent corporation in Mississippi.

While this ruling is favorable for non-Mississippi parent corporations operating subsidiaries in Mississippi, it has larger significance for employers. It shows that nationwide jurisdiction is not a given when the EEOC sues. Additionally, the ruling provides the framework for how to prevent liability by avoiding personal jurisdiction.

Case Background

The EEOC filed an action on behalf of Beatrice Chambers alleging disability discrimination under Title I of the Americans with Disabilities Act of 1990. The complaint named Community Health Systems, Inc. (CHSI) and Vicksburg Healthcare, LLC (VHL) as Defendants, alleging that both CHSI and VHL have been continuously doing business as River Region Medical Center (River Region) in Vicksburg, Mississippi.

The EEOC alleged that the defendants terminated Chambers–who had worked as a nurse at River Region for about 36 years–because of her unspecified disability, and additionally failed to provide her with reasonable accommodations in violation of the ADA. VHL was a subsidiary of CHSI, which was incorporated in Delaware and had its principal place of business in Tennessee. While VHL admitted doing business as River Region and admitted employing Chambers, CHSI denied doing business as River Region and denied employing Chambers. Further, in its motion to dismiss, CHSI asserted the affirmative defenses of lack of personal jurisdiction, insufficient process, and insufficient service of process.            

The Court’s Decision

In granting CHSI’s motion to dismiss, the court held that the issue of personal jurisdiction was controlling. The EEOC has the burden of establishing a prima facie case for personal jurisdiction. The court noted that a non-resident defendant is amenable to being sued in Mississippi if: (1) Mississippi’s long-arm statute confers jurisdiction over the defendant; and (2) the exercise of personal jurisdiction comports with the requirements of federal due process. The Mississippi long arm statute consists of three prongs, including: the contract prong; the tort prong; and the doing-business prong. It was undisputed that the “doing-business” prong was case dispositive.

CHSI submitted an affidavit from its Senior Vice President and Chief Litigation Counsel to the effect that it did not conduct business in Mississippi and that it lacked sufficient minimum contacts to be hauled into court in Mississippi.

The affidavit confirmed that CHSI is a holding company with no employees; CHSI indirectly owned subsidiaries including VHL; CHSI neither operated nor controlled the day-to-day operations of River Region; CHSI and River Region maintained separate banking records and did not co-mingle funds; CHSI did not employ nor have control over any River Region staff; CHSI never made any employment decisions regarding Chambers; CHSI and River Region observed corporate formalities (including no overlap between the Board of Trustees of River Region and the board of directors of CHSI; the respective boards of River Region and CHSI each convened separate meetings, (the boards maintained separate minutes and records); and CHSI is not qualified to do business in Mississippi–owns no property there, has no offices there, does not market there, and does not pay taxes there.

Following well-established precedent, the court found this aggregation of factors to be dispositive. It held that the EEOC lacked personal jurisdiction to sue CHSI in Mississippi.

The court rejected the EEOC’s three arguments in opposition of dismissal. First, the EEOC argued that the 10-K form submitted by CHSI to the SEC demonstrated CHSI’s intent to do business in Mississippi as it often used language such as “we” when referring to the hospital.  The court rejected this argument, noting that the 10-K form also contained a provision saying the hospitals are expressly owned and operated by the subsidiaries. Next, the EEOC mistakenly speculated that the River Region employee handbook contained references to CHSI. The court cited an affidavit from CHSI’s litigation counsel clarifying that the entity referred to in the handbook was a different indirect subsidiary, and not the parent corporation. Finally, the EEOC erroneously relied on another case involving CHSI - Bass v. Community Health Systems, Inc., Case No. 2:00cv193 (N.D. Miss.). The court noted that no facts from that case illustrated that CHSI should be amenable to personal jurisdiction.

Implications for Employers

 When out-of-state parent corporations conduct business in Mississippi through subsidiaries, it is imperative that they observe corporate formalities to clearly maintain the parent-subsidiary relationship. Further, in documents such as 10-K forms and employee handbooks, employers must explicitly indicate that subsidiaries, and not the parent, own and operate local entities. If parent corporations follow the teachings of EEOC v. Vicksburg Healthcare, LLC, et al., they can avoid unwittingly submitting to personal jurisdiction in Mississippi courts while their subsidiaries do business there.

This blog was previously posted on the Seyfarth Shaw website.

{ 0 comments }