
Five States Most Likely to See Employee Lawsuits

Businesses in California, Illinois, Alabama, Mississippi and the District of Columbia face a markedly higher risk of being sued by their employees compared to the national average, according to a study by Hiscox.

“Not only are employment lawsuits more likely in those states, but the likelihood of catastrophic verdicts is also significantly higher,” Mark Ogden, managing partner of employment and labor law firm Littler Mendelson, said in a statement. “Unlike their federal counterparts, where compensatory and punitive damages combined are capped at $300,000.00, most state employment statutes impose no damages ceilings. Consequently, employers in high-risk states must ensure that their workforces are adequately trained regarding workplace discrimination, harassment and retaliation and that policies forbidding such conduct are strictly enforced.”

The study found that a U.S.-based business with at least 10 employees has a 12.5% chance of having an employment liability charge filed against it. Businesses in several states, however, face a much higher level of exposure to litigation. California tops the list: establishments there with at least 10 employees have a 42% higher chance than the national average of being sued by an employee. Other states and jurisdictions include the District of Columbia (32%), Illinois (26%), Alabama (25%), Mississippi (19%), Arizona (19%) and Georgia (18%). Lower-risk states for EPL charges include West Virginia, Massachusetts, Michigan, Kentucky and Washington.

State laws can have a significant impact. For example, the employee-friendly nature of California law in the area of disability discrimination may contribute to the high charge frequency in the state. Discrimination cases filed at the state level in California are brought under the Fair Employment and Housing Act (FEHA).

FEHA applies to a broader range of businesses, covering any company with five employees, versus a 15-employee minimum for cases brought under federal law as outlined in Title VII of the Civil Rights Act, according to Hiscox.

Hiscox Introduces Terrorism Insurance for Hospitals

In 2007, Congress extended for seven years the Terrorism Risk Insurance Act, which was first introduced in 2002 in response to concern about subsequent attacks after 9/11. So although the federal backstop that complements the private insurance market for terrorism insurance will be around in its current form until at least 2014, this risk is still one that many feel needs to be better addressed by insurers.

Enter a new product from specialty insurer Hiscox. The company’s press release introducing its new health care terrorism liability coverage calls hospitals soft targets for terrorists to attack “due to their relatively low level of protection, a high throughput of people, and the knock-on effect that one successful attack could have on the entire U.S. health-care system.” The policy offers $50 million in liability (including evacuation costs, surge costs, safe notification expense, and triage costs) with nuclear, chemical, biological and radiation attack coverage also available.

Ian Thompson, senior vice president for Hiscox’s health-care business, says that it is the first terrorism liability coverage for U.S. health-care companies, which “have a genuine vulnerability to the terrorist threat whether perpetrated by single issue, direct action groups such as animal rights or anti-abortion organisations, disturbed/disgruntled individuals, or religious extremists.”

Hiscox Studies Privacy & Data Security

On Monday at RIMS 2009, Hiscox unveiled its new study, “Data Privacy and Corporate America: Who’s Recognizing the Risk.” So I sat down earlier today with one of the report’s authors, Jim Whetstone, who is the company’s senior VP of technology E&O.

The chief finding is that 38% of Fortune 500 companies surveyed do not explicitly mention privacy/data breach in the risk factors section of their SEC 10-K filings, which when broken down by sector is even more alarming: 46% of diversified financial companies, 50% of telecommunications firms and an astounding 80% of utilities. 

Worse still, according to Whetstone, many of even those that do realize the financial and reputational risks associated with a potential security breach deem the easiest solution, encryption, to be too cost-prohibitive to use, even though they realize it would largely mitigate the threat altogether. You see, around 45 states now have laws that require any organization that loses confidential consumer/patient/student/etc. data to notify anyone who was affected. And that’s when the lawsuits, complaints and horror stories of identity theft begin. Not only is this a huge financial burden (the costs of hiring computer forensic specialists, mailing notifications, setting up call centers and offering free credit monitoring add up very, very quickly), but the comparable reputational fallout is nearly impossible to quantify.

All this could be averted in most cases, however, with data encryption, since almost all those same state laws also include a “safe harbor” provision that allows companies that safeguarded the data to forgo the onerous notification process.

To put this all in proper perspective, all Whetstone had to do was ask me one question: “You know why a car has brakes?” 

Since I learned this fact around first grade, I thought to myself “I got this one…to stop, right?”

But before I said anything he answered his own question: “So it can go fast.”

Most companies are prioritizing innovation — and rightly so. They’re trying to gather as much consumer data as possible to put this to use in sales, development and improved customer relations. But in making these technological advances, it’s also important to ensure you have the right safeguards in place. “It’s a constant battle between technology and the brakes on the car,” said Whetstone. “Companies are trying to be innovative — they’re trying to push the envelope — and that’s always dangerous.”

Whetstone has no delusions that any company should stall innovation for the sake of encryption and data security, however. On the contrary, he thinks gathering all this data is a huge advantage for companies. They just have to be careful and understand their vulnerabilities. And all it takes is glancing at a few of the colorful charts in Hiscox’s report to realize that most companies are failing at the latter endeavor. In TJ Maxx’s infamous data breach, for example, the company was attempting to improve its store’s operations by implementing a wireless network, yet it failed to realize that sub-par security opened up the location to nefarious data thieves.

Of course, it is true that encryption is still expensive in some cases, such as back-archiving old legacy systems. But using encryption doesn’t have to be an all-or-nothing proposition, and Whetstone believes that, at a minimum, companies need to encrypt the data stored on laptops, USB drives and back-up tapes. He includes this in what he calls a “defense-in-depth approach” to IT security. By securing those physical items that can be left at an airport or in a taxi cab, you allow risk managers and legal counsel to rest easy knowing that their employees at least won’t be giving confidential data away. Hackers can still breach the network and that will remain a concern, but protecting the physical storage devices provides a first level of defense.

And most importantly, risk managers need to be involved in the IT discussion. The ideal balance between the legal team, IT and risk management is unique for each company. But unless everyone is talking and understands the priorities and recommendations of the others, data breaches are only going to happen more often.

Hiscox found that only 7% of US companies have implemented end-to-end encryption on their confidential personal data.
