Risk Monitor
MARCH 2014
A NEWSLETTER FOR CLIENTS AND FRIENDS OF BANCORPSOUTH INSURANCE SERVICES, INC.

• Protecting Your Business Against Data Breaches
• Why Workers’ Compensation Rating Matters
• Safety Training May Prevent Costly OSHA Citations
• New Commercial Driver’s License Medical Certification Rules

Welcome to the BancorpSouth Insurance Newsletter!

It is with great satisfaction that we bring this newsletter to you. In this issue and in coming months, we will discuss pertinent risk management topics which may affect your organization. We sincerely hope that you will find this newsletter informative and please do not hesitate to contact us should you have any questions or needs.

Protecting Your Business Against Data Breaches

In December 2013, the prominent retail chain Target announced that hackers had breached their credit card processing systems. The breach compromised credit and debit card information for as many as 40 million customers who had shopped November 27 through December 15. Hackers compromised customers’ names, card numbers, expiration dates and card verification values (CVVs). Law enforcement authorities and Target’s own investigators confirmed that stolen card numbers were coming up for sale on Internet sites catering to identity thieves at anywhere from $20 to $100 per card. This hack was one of the largest data breaches in U.S. history.

All businesses are at risk

If Target’s modern internet security and encryption can be hacked, so can yours. If your business fails to protect information from criminals both internal and external to your organization, you could be liable for damages.

Target was named a defendant in a lawsuit within days of the news breaking. The lawsuit against Target claimed, “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” Naturally, Target can afford the top attorneys in the country to defend its interests. However, for most small or medium-sized businesses, the attorney’s fees alone involved in mounting a defense would be a very significant hardship, even in much smaller cases.

The fact is that credit card thieves, hackers and extortionists do not attack just large businesses, but businesses of all sizes. In fact, it happens every day. For example, servers in restaurants can swipe a credit card using a smart phone and a small reader they can carry around in their pockets.

Advances in technology have also created new dangers for businesses, and an emerging area of insurance and law centered on cyber risks. As a business, your risks are not confined to credit card numbers and transactions. You could be facing immense liability from any of these cyber-crime related risks:

• Security breaches in business checking accounts
• Electronic theft of money you hold as a fiduciary for your clients or customers
• Health insurance records
• Theft of personal information such as e-mail addresses
• Customer bank account and other billing information
• Personally-identifiable medical information

Criminals are not the only cause for cyber risks. A fire can destroy your servers or a virus can infect your computer systems. Damages can quickly total into the hundreds of thousands or millions of dollars, depending on the size of the business and the nature of the compromised, destroyed or stolen data.

Insuring Against the Risk

Fortunately, it’s now possible to insure against the devastating effects of a data breach or network disaster. You can purchase a separate cyber liability policy helping protect your business against cyber risks. While there is no “standard policy form” at this point, most cyber liability policies provide coverage against the following types of risks:

• Data destruction
• Data recovery costs
• Business continuation
• Data theft costs
• Extortion
• Legal fees arising from cyber risks

As with any type of insurance, definitions matter, so look beyond the monthly or annual premium costs. Be sure to review coverage definitions and any exclusions.

Who to Involve

Selecting appropriate coverage is a team effort. Best practices include getting input from not only management, but also dedicated IT personnel and your BancorpSouth Insurance Services agent. These professionals can help keep management apprised of the latest scams, risks and vulnerabilities within their own business.

To learn more about protecting your business against data breaches, contact your BancorpSouth Insurance Services representative.

Why Workers’ Compensation Rating Matters

Most business owners and executives understand that workers’ compensation insurance not only protects workers, but also protects their company. However, fewer business owners are aware of how premiums are determined and how their safety track record figures into their rating. Understanding the workers’ compensation rating process can help you to qualify for lower premiums, saving your business money and making you more competitive.

Industry underwriters set workers’ compensation premiums using a process similar to how most companies price group health insurance. The underwriters look at the actual claims experience for similar workers in your area and your company’s claims history. Underwriters turn to the National Council on Compensation Insurance (NCCI) when there is insufficient local claims experience. The NCCI hosts a library of worker injury and compensation data.

Generally, underwriters will take your payroll and multiply it by an average claim factor for a particular type of worker. This produces a baseline average of the total number of expected claims, which they subdivide as claims per $100,000 of payroll, claims per year or claims per time unit. Underwriters consider frequency of claims as a close representation of an individual business’s safety culture. They also average severity of claims for the type of worker in your industry. Then underwriters combine the frequency and severity of claims and arrive at a baseline prediction for expected losses.

Underwriters must then try to assess your business and answer the following question: Given the policies and procedures in place at your business and your claims history, is your company likely to produce losses that are higher or lower than the industry baseline?

Over time, underwriters have discovered that the most likely future claims predictor is a history of claims at your company. Therefore, to save money on workers’ compensation premiums, it makes sense for the company to focus on preserving the safety of the work environment. Businesses can invest in a safe work environment in terms of both resources and management focus.

Your underwriters will then assign your business a workers’ compensation insurance rating also known as an experience modifier (E-Mod). An E-Mod of “1” means your business meets the average claims experience in your industry for the area. Any rating higher than “1” indicates a below-average risk for workers’ compensation claims and can result in an increase in premium.

Your E-Mod represents your workers’ compensation claim experience and directly impacts your insurance premiums. By reducing your E-Mod by just 0.01, you can reduce workers’ compensation premiums by up to one percent.

If your rating is higher than “1”, you may be able to qualify for future lower rates by reviewing your safety program and the types of losses your company has incurred. By identifying patterns and recurring themes within your claims history, you may be able to reduce workplace accidents and injuries.

Best Practices

In the long run, your safety record is a reflection of your overall safety culture. Everyone is a part of your workplace safety culture, but your company’s leaders must support the mission. Below are a few best practices for improving your safety culture.

• Invest in safety training for all of your workers
• Make safety training programs tailored to specific job roles
• Appoint a team to monitor your safety and OSHA compliance, and empower him or her to enforce it throughout the company
• Empower any worker to halt work activities if he or she becomes aware of an unsafe work condition, until that condition can be corrected

About Our CARE Program

Our Claims Analysis Reducing Experience Modifiers, or CARE, program audits every workers’ compensation claim with reserves above $5,000, any claim with indemnity (lost time) reserves or any claim open longer than 180 days. Additionally, our audit service makes certain your E-Mod is properly calculated and is at its lowest possible point. To achieve this goal, our audit service includes:

• Claim review (retrospective and prospective) with an assigned adjuster to ensure the file is reserved in accordance with best practices and claim closure is expedited
• Follow-up and verification of reserve reductions resulting from our review process
• Recalculation, confirmation and projection of E-Mods eliminating errors, reducing premiums and illustrating the impact of losses on premiums
• Affirmation with various rating bureaus verifying any corrections have been made
• No-cost analysis or math model

For more information about workers’ compensation rating or our CARE program, please contact your BancorpSouth Insurance Services representative.

Safety Training May Prevent Costly OSHA Citations

The Occupational Safety and Health Administration (OSHA) recently cited a major piping company in Texas for three serious violations and four repeat violations. The company made clamps, expansion joints and pipe supports for oil refineries. OSHA cited the company after an employee at the piping company was injured by a mechanical press’ broken die piece. The combined total of the citations was almost $200,000.

For the repeat violations, the company had failed to guard band saws and punch presses. They also failed to provide lockout/tagout education about energized sources to employees. In addition to this, they failed to conduct an annual review of such procedures.

OSHA issues repeat violation citations if an employer has a previous citation for an offense and commits the same or similar offense again. This includes any of the employer’s other facilities in states where there are federal enforcement laws. Any previous offense applies for the past five years. In this specific case, the company had received citations in 2011.

The company was cited for failing to use undamaged slings for moving and lifting equipment and failing to secure a fuel gas cylinder. They also did not provide proper strain relief for their electrical wiring. Employers can receive serious violations if there is a substantial risk of serious physical harm or death as a result of a condition that an employer knew about but did not fix.

Approximately 700 employees at the company were receiving citations. In 2011, OSHA inspected the company twice. Citations were issued for failing to guard the operation points on the press brakes, shears and band saws. The company settled the 2011 cases; however, the company contested the 2013 citations.

Every company can learn a lesson from this case. It is important to know how to avoid these types of risks. OSHA provides training for lockout/tagout procedures on their website through the 29 CFR 1910.147 regulation. Multiple OSHA departments and compliance officers helped develop the lockout/tagout program. This information gives new and seasoned workers the knowledge they need to stay safe and conduct lockout/tagout procedures correctly.

To ensure thorough lockout/tagout training, there are three training components. OSHA provides a lockout/tagout tutorial, several abstracts and discussions of major issues and seven simulated case studies.

Machine guarding is another important issue in the lockout/tagout program. Moving parts in machines can severely injure or kill workers, so companies should properly train workers to know how to avoid injuries. Workers should safeguard machine parts to help prevent injuries. When injuries happen, employers have a responsibility to control or eliminate the machines causing the injuries. OSHA offers general information about motion hazards of machines and proper techniques for safeguarding them. OSHA also highlights standards and provides information about specific types of machines.

If a company is cited by OSHA, the business has 15 working days from the time the citation was issued to comply or request a conference with an area director. If businesses feel there was an error in the citation or would like to contest the findings, they should schedule a conference.

To learn more about compliance standards and the consequences of failing to comply, discuss concerns with your BancorpSouth Insurance Services representative.

New Commercial Driver’s License Medical Certification Rules

The deadline for compliance with a new set of rules concerning the medical certification is upon us. As of January 30, 2014, commercial drivers must provide additional information to their state driver’s licensing authority. They must report information on the type of vehicle they operate or expect to operate. Drivers in some industries or operators of certain types of vehicles may have to submit a current medical examiner’s certificate to their State Driver Licensing Agency (SDLA) in order to receive a “certified” medical status.

Specifically, State Driver Licensing Agencies (SDLAs) will be adding medical self-certification status and the information on your medical examiner’s certificate to your commercial driver’s license system (CDLIS) record. There is no change in overall federal standards for driver physical qualification requirements.

Specific Instructions

You must determine whether you operate in interstate or intrastate commerce, and if you are subject to the federal or state requirements. You must certify to your SDLA that you fall into one of the four operation categories listed below:

• Interstate non-excepted: You are an interstate non-excepted driver and must meet the Federal DOT medical card requirements.
• Interstate excepted: You are an interstate excepted driver and do not have to meet the Federal DOT medical card requirements.
• Intrastate non-excepted: You are an intrastate non-excepted driver and are required to meet the medical requirements for your state.
• Intrastate excepted: You are an intrastate excepted driver and do not have to meet the medical requirements for your state.

Drivers with physical impairments affecting their ability to operate a commercial motor vehicle (CMV) safely must obtain a “variance” from their state to drive commercially. Commercial drivers must carry the variance document when operating a commercial motor vehicle.

A Skill Performance Evaluation (SPE) is a special type of “variance.” The SPE is required for drivers with impaired or missing limbs (e.g., a hand or finger, an arm, foot or leg). The commercial driver must carry the SPE certificate at all times. The document contains requirements for any special equipment that the driver must be wearing or the commercial vehicle must possess in order for the driver to operate the vehicle.

If your medical certificate or variance is about to expire, you must have a new medical examination and obtain a medical certificate. You must then provide the new medical examiner’s certificate to your State Driver Licensing Agency (SDLA). You are also responsible for applying to Federal Motor Carrier Safety Administration (FMCSA) for a renewal of your variance.

If a commercial driver fails to comply with the new requirements, he or she will fall into “not-certified” status. Drivers not in compliance may lose their commercial driver’s license, per federal regulations CFR 383, 384, 390 and 391.

Specific requirements and procedures to provide medical clearance information vary by state. A breakout of specific requirements by state, along with contacts for more information, is available at http://www.fmcsa.dot.gov.

Information contained in this newsletter about product offerings, services, or benefits is illustrative and general in description, and is not intended to be relied on as complete information. While every attempt is made to ensure the accuracy of the information provided, we do not warranty the accuracy of the information. Therefore, information should be relied upon only when coordinated with professional tax and legal advice.

BancorpSouth Insurance Services is powered by BancorpSouth Bank, a wholly-owned subsidiary of BancorpSouth Inc., a $13.4 billion financial holding company based in Tupelo, Mississippi. BancorpSouth Insurance Services is annually ranked as one of the nation’s largest brokers by Business Insurance magazine. Equipped to service clients across the globe through our Worldwide Broker Network relationship, we have over 30 offices with almost 600 insurance and risk management professionals ready to serve.

To locate an office near you, please visit us online at www.bxsi.com or contact us at info@bxsi.com.