Think “med pay,” then think bigger.

Commercial insurers today are expanding the number and scope of “expense” coverages, insurance that pays for specified costs policyholders incur in the event of a loss or potential loss, even if the insurers don’t cover the loss itself.

Violent acts insurance and data breach insurance, described below, are two examples of emerging forms of insurance that, while distinct from each other, bear certain common characteristics:

• They provide first-party coverage that reimburses an insured for its own costs, but the coverage is often implemented to avoid or limit liability claims.
• Claims are typically paid without regard to a finding of legal liability, even when coverage is added by endorsement to a liability policy.
• The coverages typically avoid open-ended exposure to first-party losses and third-party damages, paying instead for specified costs, usually up to a separate limit.

In short, expense insurance is analogous to medical payments coverage in some respects, but not in others. (Medical payments coverage in personal and commercial liability policies pays the medical expenses of injured third parties, up to per person and per occurrence limits, without requiring that the insured be found legally liable for the injury.)

No loss?

In 2000, AAIS extended the med pay concept to property damage when it introduced its “Voluntary Property Damage Coverage” option in commercial lines. Under the option, insured contractors are covered for damage to property in the insured’s care, custody, and control; or damage to property arising from the insured’s work.

The voluntary property damage coverage applies, up to an internal limit, no matter who is legally liable for the damage, a critical distinction from standard liability coverages for similar losses.

While the concept of “med pay” provides a convenient frame of reference for describing expense insurance, it does not fit in one important respect.

Under medical payments and voluntary property damage coverage, the scope of a loss has been established, at least theoretically. The coverages seek to keep relatively small losses from becoming court cases.

Under violent acts and data breach insurance, something bad has happened, but
the scope of a loss has not been determined. In the case of a data breach, there may have been no loss at all, if the data has not been used fraudulently.

But organizations will almost certainly incur additional expenses when certain events occur, and they are willing to purchase insurance for those costs.

Violent acts coverage

How often have you seen this happen?

A senseless act of violence shocks the nation or your community, and churches and schools immediately implement new security measures designed to monitor who goes in and out of buildings.

Then, over time, these precautions are relaxed, and perhaps abandoned entirely, as people are once again allowed to come and go and carry on their customary activities.

The fact is, certain places are open by nature, and cannot implement heavy-handed control over ingress and egress without sacrificing part of their essential mission.

That’s why churches and schools are especially vulnerable to violent acts which, while rare, are especially traumatic because they impact entire communities.

And that’s why an emerging form of insurance for expenses arising from violent acts is becoming common among schools and churches.

AAIS work

AAIS was recently engaged by one of its affiliates, Southern Mutual Church Ins. Co., Columbia, S.C., to assist in the drafting of an endorsement option for adding the coverage to a church general liability policy.

“It’s one of the [exposures] we see with churches because they keep an open door to people,” says David Karns, underwriting manager for Southern Mutual Church.

“It’s not like they’re going to put up metal detectors,” he adds. “They welcome people. It’s part of their ministry.”

As currently drafted, “Coverage Y - Violent Acts Expense,” will provide coverage for emergency medical expenses, plus other reasonable and necessary expenses approved by the insurer, to help the insured and victims of certain violent acts recover from the trauma.

The coverage applies only to violent acts where someone is held hostage or sustains a “critical injury,” defined as death or substantial risk of death, or the disfigurement or impairment of part of the body.

Payments under the coverage extend to funerals, emergency medical care, counseling, and lost wages for victims and specified relatives caring for them.

In addition, the insured is covered for additional costs it may incur for security services, public relations consultants, group counseling, and rental of alternative facilities in the wake of a violent act.

Commercial

“I don’t think churches should be liable for violent acts,” Karns says, “but there are much greater costs [associated with such acts] than compensated by med pay.”

“This coverage is entirely expense-driven,” says Tony Leist, AAIS assistant vice president for commercial lines. “There is no recovery, except for emergency medical expenses, without the insurer first approving the expenses.”

Violent acts expense coverage as currently being developed by Southern Mutual Church carries its own limits per person, per event, and for annual aggregate.

Other carriers that specialize in insuring churches and schools offer similar types of insurance for expenses that follow violent acts.

The coverage is also starting to appear in commercial insurance.

Chubb markets its “Workplace Violence Expense Coverage” to commercial accounts as a stand-alone policy or as a part of its ForeFront Portfolio package along with liability, crime, and kidnap/ransom/extortion policies.

According to Greg Bangs, vice president and manager of the product, Chubb’s workplace violence expense policy reimburses policyholders after a covered event for the costs of independent security consultants, public relations firms, psychological counseling for employees, security guards, and the salaries of affected employees and temporary replacement workers.

“The policy has its own per occurrence limit, and applies regardless of negligence,” says Bangs. “It is an expense coverage, not a liability coverage, and there is no aggregate limit.”

Data breach insurance

For some years, insurers have been providing identity fraud coverage to policyholders for costs they incur to put their financial affairs in order after they have been victimized by identity theft. (AAIS introduced an identity fraud endorsement in 2002.)

Typically, the coverage extends only to those costs--such as time lost from work, express postage, document fees, and others--and not to any financial loss the insured may have suffered as a result of the fraud.

Data breach insurance has emerged as the commercial counterpart of identity fraud coverage: Insurance for the costs of containing the impact of a data breach, but not for losses incurred by those whose data was stolen or compromised. (However, data breach insurance can be incorporated into cyber policies or packages offering a wide range of coverage for Internet-related exposures.)

Requirements

A key impetus for the emergence of data breach insurance as a distinct product was the rapid proliferation of state requirements that businesses notify potentially affected persons if their personal information has been breached or compromised.

As of the end of 2008, 44 states, Puerto Rico, and the District of Columbia had such requirements in place, according to Identity Theft 911, Scottsdale, Ariz. Identity Theft 911 is an organization that partners with insurance carriers to provide services to individuals seeking to recover from an identity theft, and to businesses seeking to recover from a data breach.

Data breach notice requirements apply regardless of the method used to affect the breach.

Whether the breach is the work of a hacker, or a laptop is stolen, or data on a disk is misplaced and unaccounted for, the breach will trigger certain expenses, according to a report by Jeff Jurick, president of The Jurick Group, which specializes in data breach communications, training, and management.

According to Jurick, those costs include, among others:

• Costs for notifying individuals by e-mail and postal mail;
• Costs to set up web pages and/or a call center to answer inquiries and provide support;
• Costs to implement credit monitoring and fraud detection services for affected individuals; and
• Costs to develop a crisis management and public relations strategy aimed at internal and external audiences.

Identify Theft 911 partners with carriers to develop and file policy forms to provide coverage for such costs.

“Currently, 13 carriers have partnered with us to roll out data breach programs for their business policyholders,” says Matthew Cullina, CEO. “These solutions are being built into businessowners and commercial package policies as well as a variety of professional liability policies and cyber-risk coverages.”

Insurers often think of data breach insurance as a first-party property coverage, says Cullina, but the threat of regulatory sanction and third party liability drives policyholders to purchase it.

Any failure to notify consumers and implement measures to protect them following a breach will
be used as an allegation in a law suit, says Cullina. “It’s usually about what the business did to respond,” he says.

Property

Boston-based One Beacon Insurance Group has worked with Cullina to offer data breach insurance
and related services.

According to Roger Pare, chief underwriting officer for the commercial middle market, One Beacon’s “Data Breach Expense” endorsement covers the following expenses in the wake of a data breach:

• Expenses incurred to notify impacted individuals ;
• Expenses incurred to determine the nature and extent of the breach;
• Expenses incurred for credit monitoring services made available to affected individuals;
• Expenses incurred for legal review of a breach and proposed responses; and
• Expenses incurred for public relations or crisis management services.

The coverage also extends to expenses to notify the insured’s customers of a breach of their data entrusted to a third-party processor, as well as to monies extorted by persons threatening a data breach and monies paid to obtain information that leads to the arrest and conviction of data breach offenders.

According to Pare, One Beacon’s Data Breach Expense coverage is provided as an endorsement option to its commercial property policies, and the resulting premium and loss data are reported under property lines.

“The coverage is clearly a first-party coverage at its core,” he says.

Services

However, in addition to the expense coverage, Pare says “we also provide data breach response services to customers of our insured whose data was compromised.”

These services, provided by Identity Theft 911, include:

• Consulting services to assist insureds with notification requirements and the news media;
• A toll-free help line for affected individuals;
• Assistance with placing alerts for affected individuals with the main credit bureaus; and
• Access to an identity restoration professional who can help victims of identity theft restore their stolen identity.

“The customer response services are provided within the policy as a service without limit,”
Pare says.