What are the Costliest and Most Common Small Business Claims?

Running a successful small business requires more than the ability to generate revenue. It also requires the ability to avoid (or at least limit) losses. Though revenue can make a business blossom, losses can make it wilt. Oftentimes, what makes a small business successful is the ability to understand operational risks and implement appropriate protective measures for the day those risks become a reality.

To do this, small businesses must first understand the risks they face. This isn’t always easy because risk exposures may be affected by business operations. Nevertheless, there are some risks that generally apply to all small businesses. Consider the followings lists created by The Hartford after analyzing five years of claims data from more than 1 million business policies.

Most Common Property and Liability Claims

  • Burglary and Theft (20%)
  • Water and Freezing Damage (15%)
  • Wind and Hail Damage (15%)
  • Fire (10%)
  • Customer Slip and Fall (10%)
  • Customer Injury and Damage (less than 5%)
  • Product Liability (less than 5%)
  • Struck by Object (less than 5%)
  • Reputational Harm (less than 5%)
  • Vehicle Accident (less than 5%)

Costliest Property and Liability Claims

  • Reputational Harm ($50,000)
  • Vehicle Accident ($45,000)
  • Fire ($35,000)
  • Product Liability ($35,000)
  • Customer Injury and Damage ($30,000)
  • Wind and Hail Damage ($26,000)
  • Customer Slip and Fall ($20,000)
  • Water and Freezing Damage ($17,000)
  • Struck by Object ($10,000)
  • Burglary and Theft ($8,000)

Risks that are both common and costly, like fire, obviously require special attention. However, a proper risk assessment must go deeper. Note how burglary and theft rank as the least costly, but most common claim. Similarly, two of the costliest claims, reputational harm and vehicle accidents, are among the least common. This is significant because risk is a product of likelihood and severity.

Small businesses can use this information as a starting point. However, a comprehensive assessment requires analyzing exposures within the context of specific business operations. For example, a small convenience store is likely to have a higher risk of customer slips and falls than a large wholesale warehouse. Cyber risks are also likely to be greater for an online technology company than a traditional brick-and-mortar operation.

Though a standard Business Owners’ Policy may be sufficient, specific business operations may require additional coverage. Since it’s not always easy to see how operations may affect risk, small businesses should work with an experienced and reputable insurance agent.

If you would like to learn more about identifying and protecting against business risks, please contact us.

If you would like to subscribe to our newsletters please click here.

Is Your Self Storage Facility a Hazardous Workplace?

The fact that self storage facilities aren’t typically considered dangerous workplaces doesn’t mean operators can be casual about workplace safety. According to the most recent statistics from the Bureau of Labor Statistics, of over 3 million private industry nonfatal reportable injuries and illnesses in 2013:

  • 917,100 involved days away from work
  • 327,060 involved sprains, strains and tears
  • 170,450 involved injuries to the back
  • 229,190 involved falls, slips and trips.

Though employees are the primary victims of poor workplace safety standards, self storage facilities also pay the price. In addition to direct costs associated with workplace injuries, self storage facilities may also incur a variety of indirect costs, such as:

  • Wages paid to absent injured workers;
  • Wages lost during work stoppages;
  • Administrative time spent by supervisors following injuries;
  • Costs to train replacement employees;
  • Lost productivity and opportunity costs;
  • Replacement costs of damaged material, machinery and property; and
  • Higher workers’ compensation insurance premiums.

Self storage facilities can avoid or at least limit these costs by making workplace safety a priority. The Insurance Information Institute suggests taking the following steps:

Engage Management and Employees. Workplaces are safer when management and employees collaborate. Though specific employees should be in charge of safety programs, everyone should be responsible for workplace safety.

Evaluate Workplace and Operations. Perform a comprehensive evaluation of the entire operation, including equipment and all workplace activities, to identify all hazards. Talk to employees about their safety concerns.

Mitigate Hazards. Identified hazards must be eliminated or controlled. This may require implementing new safety measures, changing workplace operations or repairing/replacing equipment.

Training. Employees should receive training about workplace hazards and safety. Training should be part of the onboarding process. Refresher training should be provided on a regular basis and as needed.

Review, Respond and Improve. Maintaining a safe workplace is an ongoing process. Safety programs must be reviewed regularly. Safety incidents should be used as an opportunity for improvement. Employees should be reminded of their obligation to report hazards and incidents so they can be addressed.

Creating and maintaining a safe workplace requires commitment and vigilance. Despite the extra effort and expense, self storage facilities are sure to benefit from an effective workplace safety program. For example, maintaining a safe workplace is the best way to control workers’ compensation insurance premiums.

Setnor Byer Insurance & Risk’s Self-Storage Insurance Program and Risk Management Group work closely with self-storage facilities throughout Florida and nationwide to profile risks, compare coverage options, and match our clients with an insurance program that meets their needs.

If you have any questions or would like discuss how our programs can help your organization, please contact us

National Flood Insurance Program Reform

Many people don’t realize that flooding is the most common natural disaster in the United States. In the past 5 years, all 50 states have experienced floods. According to the Federal Emergency Management Agency (FEMA), total flood claims average nearly $4 billion per year. The average flood claim is nearly $42,000.

Unfortunately, many people also don’t realize that standard homeowners’ and renters insurance policies do not cover flood damage, and that they need a separate flood insurance policy. These policies are commonly obtained through the National Flood Insurance Program (NFIP). Though created by Congress in 1968, recent legislation is reforming the NFIP.

The Homeowner Flood Insurance Affordability Act of 2014 (HFIAA), which repeals and modifies the Biggert-Waters Flood Insurance Reform Act of 2012, will slow some flood insurance rate increases and offer relief to some policyholders who experienced steep flood insurance premium increases in 2013 and early 2014. Flood insurance rates and other charges will be revised for new or existing policies beginning on April 1, 2015.

HFIAA requires gradual rate increases to properties now receiving artificially low (or subsidized) rates instead of immediate increases to full-risk rates. Implementation of the rate changes is subject to a rate-increase limitation of 18% for individual premiums and 15% for average rate classes.

HFIAA also slowed the elimination of subsidies provided for in Biggert-Waters and amended most of the provisions mandating that certain policies transition immediately to higher full-risk rates. To compensate for the decrease in revenue, HFIAA calls for the addition of a surcharge on all policies. This surcharge, which also applies to renters’ contents-only policies, is a flat fee based on occupancy type rather than a building’s flood zone or construction date.

  • Primary Residential (single-family / individual condominium units): $25
  • Non-Primary Residential (single-family / individual condominium units): $250
  • Multifamily Residential (condominium and other buildings): $250
  • Non-Residential: $250

Under HFIAA, the maximum deductible for a flood insurance policy will increase to $10,000 for single-family and two- to four-family dwellings. If used, the deductible must apply to both building and contents. For single-family homes, choosing the maximum deductible will result in up to a 40 percent discount from the base premium. It is important to remember that using the maximum deductible may not be appropriate in every financial circumstance and may not be allowed by lenders to meet mandatory purchase requirements.

The Federal Policy Fee under HFIAA will increase by $1 for most policies. The fee for policies rated using the map change table will increase to $45. The fee for Preferred Risk Policies will remain $22.

Since the NFIP is in the process of implementing HFIAA-mandated reforms, the final picture is still a bit blurry. However, since floods are not only common, but costly, the need for flood insurance is quite clear.

If you have any questions or would like to learn more about protecting your homes, please contact us.

If you’d like to subscribe to our weekly newsletters, please click here.

EEOC Releases 2014 Enforcement and Litigation Data

The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing various federal equal employment opportunity laws. Every year the EEOC releases information about its enforcement and litigation efforts during the previous fiscal year (FY), which runs from October 1st to September 30th. This data can be used to get a better understanding of potential employment-related liability exposures that continue to pose a significant risk to most employers.

In FY 2014, the EEOC received a total of 88,778 charges of workplace discrimination, which is lower than recent fiscal years. There were 93,727 charges filed in FY 2013 and 99,412 charges filed in FY 2012. According to the EEOC, this decrease is due in part to the government shutdown during the first quarter of FY 2014.

The EEOC obtained $296.1 million in total monetary relief through its pre-litigation enforcement program in FY 2014, which is also lower than recent fiscal years. The EEOC obtained $372.1 million in FY 2013 and $365.4 million in FY 2012. Monetary relief from cases litigated in FY 2014, including settlements, totaled $22.5 million.

The total number of charges filed in FY 2014 can be broken down as follows:

  • Retaliation under all statutes: 37,955 (42.8%)
  • Race (including racial harassment): 31,073 (35%)
  • Sex (including pregnancy and sexual harassment): 26,027 (29.3%)
  • Disability: 25,369 (28.6%)
  • Age: 20,588 (23.2 percent)
  • National Origin: 9,579 (10.8%)
  • Religion: 3,549 (4.0%)
  • Color: 2,756 (3.1%)
  • Equal Pay Act: 938 (1.1%) [Note: Sex-based wage discrimination can also be charged as sex discrimination under Title VII.]
  • Genetic Information Non-Discrimination Act: 333 (0.4%)

The states with the most charges filed in FY 2014 were:

  • Texas (8,035)
  • Florida (7,528)
  • California (6,363)
  • Georgia (4,820)
  • Illinois (4,487).
  • Pennsylvania (4,045)
  • North Carolina (4,017)

It’s interesting to note that of the 88,778 charges filed, 57,376 were closed because the EEOC determined there was no reasonable cause to believe that discrimination occurred based upon evidence obtained in investigation. This means that nearly 66% of employers had to endure an EEOC investigation despite the lack of reasonable cause to support a claim of discrimination. Since even baseless EEOC investigations can be expensive, employers should consider employment practices liability insurance to help cover the costs.

Employers can avoid the EEOC’s enforcement efforts by creating and enforcing a policy against discrimination and harassment. Employees must also be trained to prevent, detect and address any unlawful behavior. Training should cover all relevant topics, such as employment liabilities, sexual harassment for managers and employees, discrimination and harassment prevention and disability discrimination.

If you would like to learn more about controlling employment-related liabilities, check out The Human Equation’s library of online courses or contact us.

The Human Equation prepares all risk management and insurance content with the professional guidance of Setnor Byer Insurance and Risk.

Is Anonymous Credit Card Data Really Anonymous?

Every business needs to be concerned about data security and cyber liability, which is why many are taking steps to protect their data and reduce the likelihood of experiencing a data security breach. Unfortunately, not every business believes they are at risk of experiencing a data security breach. Perhaps a recent study of credit card data will help these businesses realize that the risk of cyber liability is very real and can be very costly.

Researchers at the Massachusetts Institute of Technology found that anonymous credit card data isn’t so anonymous after all. According to the MIT study, removing personally identifiable information from credit card transaction data does not make it anonymous and does not make it safe for release to the public or to third parties.

The study analyzed credit card data of 1.1 million users in 10,000 stores over a 3-month period. Each credit card transaction was time-stamped and associated with a specific store. However, the data was ‘anonymized’ by stripping names, account numbers and obvious identifiers, such as addresses, phone numbers or other personally identifiable information.

Despite being ‘anonymized’, MIT researchers found that knowing four random spatiotemporal points (an individual’s location at a specific time) is enough to uniquely identify 90% of individuals and uncover their records. Consider the following example included in the study:

Let’s say that we are searching for Scott in a simply anonymized credit card data set. We know two points about Scott: he went to the bakery on 23 September and to the restaurant on 24 September. Searching through the data set reveals that there is one and only one person in the entire data set who went to these two places on these two days. Scott is re-identified, and we now know all of his other transactions, such as the fact that he went shopping for shoes and groceries on 23 September, and how much he spent.

Researchers also discovered that an additional piece of ‘anonymized’ data significantly increases the chances of being identified.

Although knowing the location of my local coffee shop and the approximate time I was there this morning helps to re-identify me, knowing the approximate price of my coffee significantly increases the chances of re-identifying me. In fact, adding the approximate price of the transaction increases, on average, the [risk of being identified] by 22%.

MIT researchers also studied the effects of gender and income on the likelihood of being identified. According to their results:

  • The odds of women being identified are 1.2 times greater than for men.
  • The odds of high-income people being identified are 1.7 times greater than for low-income people.
  • The odds of medium-income people being identified are 1.1 times greater than for low-income people.

Since individuals may be relatively easily identified by anonymous credit card data, MIT researchers suggest that simply removing names, home addresses, phone numbers, or other personally identifiable information may not be sufficient to protect the privacy of individuals. From a policy perspective, MIT researchers believe data protection mechanisms must move beyond the concepts of personally identifiable information and anonymity toward a more quantitative assessment of the likelihood that data can be used to identify individuals.

Until then, businesses should do everything in their power to protect their data and obtain insurance to manage their cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to subscribe to our newsletters please click here.

Are You Protecting Customers’ Credit and Debit Card Data?

It’s hard to ignore the fact that data security breaches seem to be increasing in frequency and severity, particularly those involving credit and debit card data. Just ask Home Depot, Michaels Stores, Neiman Marcus, or their 50+ million customers whose payment card data may have been compromised in 2014. To reduce the chances of making the list in 2015, preventative measures must be taken by every business that accepts credit and debit card payments.

The PCI Security Standards Council developed the Payment Card Industry Data Security Standard (PCI DSS) to encourage and enhance cardholder data security. This standard includes 12 requirements.

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall to protect cardholder data.
  • Do not use defaults for system passwords or security parameters.

Protect Cardholder Data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data.

Maintain a Vulnerability Management Program

  • Protect systems against malware and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to cardholder data to those who need to know.
  • Identify and authenticate system access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor all access to networks and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel.

The PCI Security Standards Council also provides a number of tips and strategies to increase the security of payment card data, such as:

  • Never store Sensitive Authentication Data, such as the full track contents on the magnetic stripe or chip, card verification codes/values, or PINs.
  • Ask point-of-sale vendors about the security of payment card systems.
  • Do not store cardholder data that is not needed.
  • Consolidate and isolate cardholder data that is needed.

The Council notes that the PCI DSS provides minimum security requirements that may be enhanced by additional controls and practices. Various laws, rules or regulations may also require enhanced security measurers. For example, under the Fair and Accurate Credit Transaction Act (FACTA), electronically printed credit and debit card receipts given to customers cannot include a card’s expiration date or more than the last five digits of the card number.

Sometimes security measures aren’t enough to prevent a data security breach, so businesses should use insurance to manage their cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

A solid understanding of your insurance needs is the key to overcoming the quality versus cost argument. An experienced and reputable independent insurance agent can help you purchase insurance that is both economical and effective.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to subscribe to our newsletters please click here.

Understanding Business Insurance: What is BOP?

Many businesses take a piecemeal approach to buying insurance. One policy for property insurance, another for liability insurance, and so on. Unfortunately, this approach can be difficult and time consuming, particularly for small- and medium-sized businesses. For these businesses, a Business Owners Policy, a BOP, may be an attractive alternative.

A BOP is a pre-packaged bundle of coverages that insurance companies offer to eligible small- and medium-sized businesses. BOPs are designed to provide a number of essential insurance coverages in a convenient and cost effective manner. BOPs typically provide:

  • Property insurance to cover damage to buildings and contents;
  • Business income (business interruption) insurance to cover the loss of income resulting from a covered loss that Disrupts business operations; and
  • Liability insurance to protect against liability claims for bodily injury and property damage occurring on a business’s premises or arising out of its operations.

Depending on the insurance company, additional coverages may be included in a BOP, or added for an additional premium, such as:

  • Cyber Liability
  • Employment Practices Liability
  • Valuable Papers and Records
  • Personal and Advertising Liability
  • Liquor Liability
  • Equipment Breakdown
  • Sale and Disposal Liability coverage for self storage facilities

Though BOP eligibility requirements can vary significantly among insurance companies, BOPs are typically limited to small- and medium-sized businesses, which are generally those with fewer than 100 employees and annual revenues of less than $5 million. BOPs may also not be available to businesses operating in specific industries or those with highly specialized or high-risk operations.

Alternatively, BOPs may not be the solution for some businesses, even those that are eligible for them. For example, some businesses may require higher limits or broader coverage forms that are not available in a BOP. There are also a number of coverages that BOPs do not provide, such as workers compensation, commercial automobile and professional liability insurance. Even with a BOP, additional insurance policies may still be necessary.

Since BOPs are customized insurance products, it is important to note that coverage options and features (limits, exclusions, etc.) can vary significantly among insurers. Unfortunately, the lack of uniform eligibility requirements, coverage options and policy features makes it difficult to understand and compare the various BOP options that may be available. An experienced insurance agent should be consulted throughout the process.

If you would like to learn more about BOPs or the various options that may be available to insure your business, contact us.

If you would like to subscribe to our newsletters please click here.

Is Your Self Storage Facility Prepared for the Next Disaster?

Preparation is the key to surviving a natural or human-caused disaster. Nevertheless, a survey by the Ad Council found that 62% of respondents did not have an emergency plan in place for their business. Since up to 40% of businesses affected by a natural or human-caused disaster never reopen, self storage facilities intent on surviving the next disaster must be prepared.

Natural or human-caused disasters can affect a self storage facility’s operations and finances by disrupting critical business functions and processes. During and after a disaster, a self storage facility may experience:

  • Lost or delayed sales and income
  • Increased expenses
  • Customer dissatisfaction
  • Repair and replacement costs

To prevent or limit the damage from a disaster, the Federal Emergency Management Agency (FEMA) recommends developing a preparedness program using these five steps.

Program Management. An effective preparedness program requires leadership, commitment and financial support. Beyond any applicable laws or regulations that may establish minimum standards, each self storage facility must determine how much risk it can tolerate and take steps to minimize the likelihood of exceeding that risk.

A preparedness policy should be developed by management and distributed to staff. The policy should define roles and responsibilities. Select employees should be given the authority to develop the program and keep it current. The policy should also define the general goals and objectives of the preparedness program, such as:

  • Protecting the life and safety of employees, tenants, visitors, etc.
  • Protecting facilities, physical assets and electronic information
  • Minimizing interruptions or disruptions of business operations
  • Protecting the facility’s brand, image and reputation

Planning. Preparing for a disaster requires planning. During the planning process, self-storage facilities should consider all threats, not just those that are most likely to occur. Special attention should be given to threats that are classified as probable and threats that could cause injury, property damage or business disruption.

Implementation. Implementation of a preparedness program includes identifying and assessing resources, writing plans and developing a system to manage incidents. An effective preparedness program should address:

  • Resource and incident management
  • Emergency response
  • Crisis communications
  • Business continuity
  • Information technology
  • Training

Testing and Exercises. An effective preparedness program requires testing and exercises to:

  • Train personnel
  • Reinforce knowledge of procedures, facilities, systems and equipment
  • Improve individual and organizational performance
  • Identify strengths
  • Reveal weaknesses and gaps

Program Improvement. Self storage facilities must take advantage of every opportunity to improve their preparedness program. After an actual incident, a critique should be conducted to assess effectiveness. Lessons should also be learned from incidents occurring elsewhere.

An effective preparedness program can control a number of risks associated with natural or human-caused disasters. An effective insurance program is needed to protect against those risks that cannot be controlled. Since self storage facilities face unique risks, it helps to have an insurance program that is specifically designed for the self storage industry.

If you would like more information about protecting your self storage facility, please contact.

Loss of Business Income Caused by Civil Authority Action

Public safety concerns may prompt civil authorities to take action to protect people and property. For example, a governor can issue a mandatory hurricane evacuation, a mayor can close roads during inclement weather, the police can enforce curfews during riots, or a fire department can restrict access to a neighborhood during a gas leak. Though these actions may be good for public safety, they may be bad for business.

In some cases, a Business Interruption policy’s Civil Authority coverage may offset income losses suffered during a civil authority action. Business Interruption, also known as Business Income, is a type of commercial insurance that protects against loss of income when a covered loss causes a business to reduce or suspend its operations. Civil Authority coverage is an additional protection that may be included in a Business Interruption policy.

A typical Civil Authority clause states: We will pay for the actual loss of Business Income you sustain and necessary Extra Expense caused by action of civil authority that prohibits access to the described premises due to direct physical loss of or damage to property, other than at the described premises, caused by or resulting from any Covered Cause of Loss.

Under this framework, the Civil Authority provision will not provide coverage unless all four of the following conditions are met.

  • The loss of business income must be caused by the civil authority action. There must be a direct relation between a civil authority action and a loss of income.
  • The civil authority action must prohibit access to the insured business. Courts have held that access must be completely prohibited in order to satisfy this requirement. A civil authority action that makes travel to an insured’s business difficult or inconvenient is not enough to trigger Civil Authority coverage.
  • The civil authority action must be caused by direct physical loss of or damage to property away from the insured’s premises. Unlike Business Interruption coverage, which requires loss or damage to the insured’s property, Civil Authority coverage requires loss or damage to property somewhere else. For example, an explosion at a nearby warehouse causes the fire department to shut down the area surrounding an insured business for two weeks.
  • It’s worth noting that claims for Civil Authority coverage often fail to meet this requirement because the decision to take civil authority action is not caused by direct property damage, but by the desire to prevent it. Courts have denied coverage for losses caused by civil authority actions that were designed to prevent future damage rather than address existing property damage, such as pre-hurricane evacuation orders and curfews imposed to prevent looting and rioting. According to one court, Civil Authority coverage is designed to address situations involving civil authority action that is taken after damage occurs.
  • The loss or damage to property away from the insured’s premises must be caused by or result from a loss that is covered under the insured’s policy. A business without hurricane insurance, for example, would not be covered if a civil authority action was caused by hurricane wind damage.

Though many aspects of Civil Authority coverage are relatively standard, there are some variations among insurers and policy forms. For example, some policies provide that coverage will not begin until 24 hours after the civil authority action was taken, and others require 72 hours. The duration of Civil Authority coverage may also be different.

Given the complexity of Civil Authority coverage under a Business Interruption policy, an experienced and reputable insurance agent should be consulted to help identify needs and evaluate options.

If you have any questions or would like to speak with one of our Risk Management Professionals, please contact us.

If you would like to subscribe to our newsletters please click here.

Florida’s New Data Breach Notice Law

Florida has a new law to combat the recent surge of data security breaches involving sensitive personal information. On July 1, 2014, Florida’s current data breach notification statute will be replaced by the Florida Information Protection Act of 2014 (Act). Though similar to Florida’s current statute, the Act makes some significant changes that businesses must incorporate into their data security practices and procedures.

Under the Act, sole proprietors, partnerships, corporations, trusts, estates, cooperatives, associations and other commercial entities that acquire, maintain, store or use personal information (Covered Entities) are required to take reasonable measures to protect and secure such personal information. The Act broadens the definition of Personal Information to include:

  • An individual’s first name or first initial and last name in combination with that individual’s social security number, driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (Broader)
  • Financial account, credit and debit card numbers, in combination with any security code, access code or password.
  • Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. (New)
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. (New)
  • A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. (New)

Like the current statute, Personal Information does not include information that is encrypted, secured or modified by any other method or technology that removes personally identifying elements or that otherwise renders the information unusable.

In the event of a breach, Covered Entities must follow one or more of the Act’s various notice requirements. The Act generally defines a breach as unauthorized access of electronic data containing personal information. Covered Entities must notify each individual in Florida whose Personal Information was, or is reasonably believed to have been, breached no later than 30 days after the Covered Entity determines that a breach occurred or has reason to believe a breach occurred. Under the current statute, Covered Entities had 45 days to provide notice.

This notice, which may be sent by mail or e-mail, must include:

  • The date, estimated date or estimated date range of the breach
  • A description of the Personal Information that was or may have been accessed during the breach
  • Contact information that individuals can use to inquire about the breach

If a Covered Entity is required to notify more than 1,000 individuals at a single time, the Covered Entity must also provide notice to all national consumer reporting agencies. If a breach affects 500 or more individuals in Florida, the Department of Legal Affairs must be notified no later than 30 days after the Covered Entity determines that a breach occurred or had reason to believe a breach occurred. This is a new notice requirement.

If a Covered Entity uses a third-party vendor to maintain, store or process Personal Information, then that third-party agent must notify the Covered Entity no later than 10 days after the third-party agent determines that a breach occurred or had reason to believe a breach occurred. Though a third-party agent may provide the required notices, the Covered Entity is ultimately responsible for compliance with the Act.

The Act also requires Covered Entities and their third-party agents to take all reasonable measures to dispose, or arrange for the disposal, of customer records containing Personal Information within its custody or control when they are no longer retained. Disposal shall involve shredding, erasing, or otherwise modifying the records to make Personal Information unreadable or undecipherable through any means.

Unlike the general descriptions provided in this article, the Act is highly technical and very specific. Though the Act does not create a private cause of action, civil penalties of up to $500,000 should be enough motivation for Covered Entities to learn more about Florida’s new law and ways to limit the new risks with insurance.

If you would like to learn more about insuring against data security breaches, contact us.

If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.

If you would like to subscribe to our newsletters please click here.