All posts by Joe Ragusa

Construction Manager Vs. General Contractor- What Is The Difference?

Your operations are those of a General Contractor, but the contract you are looking to enter (or have entered) refers to your organization as a Construction Manager. Is there an issue here?

Although at first glance a General Contractor (“GC”) and a Construction Manager (“CM”) may look similar, their operations, and in turn their exposures, are vastly different. Understanding the roles of each and their corresponding interests in a job is important to fully grasp the risk associated with each.

What is a General Contractor and their role?

A General Contractor is typically hired after the owner has a finalized design in place (the design-bid-build model). When bidding on the job, a General Contractor submits complete plans in accordance with the pre-designed specifications. In hiring a General Contractor, the Owner in turn is trusting the General Contractor’s network of employees (direct labor) and subcontractors to perform the work at the job site. The General Contractor will then oversee the day-to-day activity of all direct labor and subcontractors at the job site. The General Contractor’s incentive is to complete the job under budget to maximize their profit. 

What is a Construction Manager and their role?

In contrast to a General Contractor, a Construction Manager contracts directly with the owner, typically on a fixed-fee basis. The Construction Manager’s relationship with the Owner is more of a collaborative/consultative partnership. This differs from a General Contractor’s relationship with Ownership, since the Construction Manager is usually involved in the project from the start (the design-build model). The Construction Manager has input on the design phase of the project and works directly with the subcontractors during this phase. With this input comes a potential exposure to Professional Liability (E&O).

Defining your organization’s role early in the project is paramount and a key factor in protecting the organization. The contract will be the first place all parties look when an incident occurs, and you want to be sure that your operations are clearly defined and within the scope of your insurance coverage.

For more information on the scope of purchasing an insurance program for your project, contact one of our risk advisors at 914-357-8444 or click here to schedule a consultation meeting.

How Workers’ Compensation Class Code #8873 “Telecommuter Reassigned Employees” Can Help You Save Money On Your Insurance Premium

The New York Workers’ Compensation Insurance Rating Board (NYCIRB) has released a new class code for ‘Telecommuter Reassigned Employees’.

If you are a business owner, you might be wondering how to adjust your workers’ compensation rates for employees you kept on the payroll but who did not actually perform their duties. It doesn’t make sense to pay workers’ comp premiums for an expensive labor class at a workers’ comp audit when those employees were essentially paid to sit at home.

 

Over the past eight months, we have experienced difficult and trying times due to the pandemic. One critical aspect of the first few months of the pandemic was the ability of employers to keep their employees on the payroll whether or not they were actually performing their duties. The PPP program went a long way in helping employers achieve that important concession. 

 

The question that has come up recently with many employers is how to properly account for the portion of payroll paid to workers for time when they did not perform their actual duties. In industries like construction or healthcare, that payroll basis can generate a lot of insurance premium because the class codes for those labor components carry a high insurance rate.

Now there is relief on workers’ compensation premiums for these “reclassified” employees.

The provision for Temporarily Reassigned Employees, which establishes new classification code 8873, Telecommuter Reassigned Employees, requires that the code be applied to the payroll of employees who, during New York’s stay-at-home order related to the COVID-19 pandemic (and future stay-at-home orders), are reassigned to either (a) not perform any work duties (idle), or (b) perform clerical work duties at home that they otherwise would not perform. The rate per $100 of payroll for Classification 8873 will mirror the rate for Classification 8810 (clerical office employees).

Further, this provision is applicable at the start of New York’s stay-at-home order and for up to 30 days after its conclusion. Employees who are classified to code 8871, Telecommuter Clerical Employees, are to remain classified as 8871.

In other words, the new 8873 classification only applies to employees who are reassigned and meet one of the two conditions described above. These amendments are effective for all new and renewal policies effective May 1, 2020, as well as to all in-force policies as of March 16, 2020.

We have provided the NYSIF Q&A sheet of commonly asked questions about this new workers’ compensation class code.

We would be happy to review the parameters of the new class code and the impact it may have on your business. Please contact one of our Risk Advisors to discuss further.

12 Requirements For PCI-DSS Compliance

Online transactions have become commonplace for companies across all lines of industry. With the rapid growth in acceptance of online payments, many companies underestimate, or are not even aware of, the requirements for maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance.

 

What is PCI-DSS?

 
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard developed and maintained by the PCI Security Standards Council (PCI SSC), a global forum in which payment industry stakeholders develop and drive the adoption of data security standards and resources for safe payments worldwide. The primary purpose of PCI DSS is to assist in securing the payment card network.

 
Having one’s own data stored is a necessity, but risky. Storing third-party data brings on a whole new aspect of risk, one that requires its own assessment and treatment. Data breaches are a regular occurrence to which we have become desensitized. Recognizing this, the need for PCI compliance has never been more paramount.

What are the 12 requirements of PCI DSS?

 
We know, hearing that there are 12 requirements sounds daunting. Dive into the list, though, and you will find the company is already complying with some of them without knowing it. The list below can also serve as a starting point for a self-assessment.
 
 
1. Install and maintain a firewall configuration to protect cardholder data.
2. Configure unique passwords and settings; do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track all access to network resources and cardholder data.
11. Test security systems and processes, including vulnerability scans and penetration tests.
12. Maintain a policy that addresses information security for all personnel. Constant documentation and risk assessment are a must!
 

What if Our Organization is Non-Compliant?

 
If your organization is not in compliance with the PCI-DSS standards, you could be looking for trouble. The consequences of non-compliance are governed by the Payment Card Agreement (PCA) you have in force with the credit card company, and can include penalties: the card companies impose fines ranging from $5,000 to $100,000 per month.

Next Steps

Meeting these requirements ensures your compliance and also protects the company and its client base. Separate yourself from the competition and give your clients peace of mind with the ability to stand behind PCI compliant practices. Contact one of our Risk Advisors to begin taking steps towards PCI DSS compliance and peace of mind.

CyberSecurity: Advice for Prevention

There is no such thing as infallible cybersecurity. No matter how many millions of dollars an organization spends on online security, some hacker, somewhere, at some time, may successfully break in. A common example is JPMorgan Chase, which spent close to $100 million to shore up its systems only to find them hacked and sensitive data at risk. Just because hackers may be able to continuously overcome firewalls does not mean that individuals and organizations should sit around and wait for the inevitable. There are steps that minimize risk and thus potentially avert a data breach.

Below you will find current methods hackers utilize, along with best-practice preventive measures to protect your systems from such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a culture of security surrounding your organization.

Prevention Is the Best Defense with Cybersecurity

While it is the optimal solution, preventing a data breach is neither simple nor easy, even when sufficient safeguards are enabled. In being proactive, organizations find themselves in the difficult position of having to prepare for something that has not yet happened; they have to forecast future cyber and privacy threats. Doing so often entails poring through mountains of data to find a needle in the haystack – a piece of malware or a threat that can compromise critical data.

Sometimes, as is clearly evidenced by the recent breaches made public, these threats get lost in the noise. Furthermore, the tech industry’s greatest advantage is also its Achilles heel: rapid updates. Product cycles move fast, but tech mainstays like software updates and patches move even faster, and it takes dedicated personnel for organizations to keep up.

Nowadays, security is not just a locked shop door. Digital breaches are robberies that happen at any hour, without warning, and with little to no immediate evidence, which is why you need a good cybersecurity system. If network configuration and the employee education program are lacking, exposure to serious risk and liability is heightened, and the loss of valuable digital assets, especially client information, can result. This thought may scare you, but do not despair! Being informed of these issues is the greatest defense an organization can have.

I. Conduct a CyberSecurity Assessment

The prevention and detection stages of security (those before a breach occurs) are typically informed by a digital security assessment, which goes beyond simply testing an organization’s network for vulnerabilities. An assessment allows for a more complete picture of an organization’s security posture focusing on policy, controls and procedures, as well as the effectiveness of their implementation.

Tech infrastructure is often a “set-it-and-forget-it” affair. How often do you click “remember me” while logging into a commonly visited site to save yourself the hassle of the sign-in process next time? Essentially, digital infrastructure is installed, configured, and then never touched again. To maintain a secure digital environment, it’s imperative to test, test, and test some more.

II. Assess the Human Element in Cybersecurity 

When it comes to information security, the human element is just as important as the technology itself, perhaps even more so. Hardware and software require regular human input to make sure devices have the latest updates, security patches, and so on. Therefore, the human element of cybersecurity is the single most important aspect of an organization’s security posture, and it can only be addressed by fostering a culture of security through education and the implementation of a written digital use policy.

Consider the psychology of a hacker when assessing the role of human vulnerabilities in determining the viability of an organization’s cybersecurity practices. The term “hacker” is interesting in its ability to conjure up a vague, though widely held notion, of the cyber-criminal. The vision is fairly common: a scruffy socially challenged individual, slouched in a swivel chair, speedily typing on a keyboard as indecipherable streams of digits race down the computer screen. Cue The Matrix.

Compared to other criminals, the hacker largely remains an unknown, impersonal entity, tied intrinsically to a modern era of technological advancement. However, what is often forgotten is that although hackers are primarily recognized for their abilities to manipulate technology, they can be equally adept at manipulating people. Cybersecurity procedures rely heavily on human participation and interactions. The first step of a hacking scheme, the crucial point at which the probability of a data breach is determined, can (and often does) start at the human level. Unsuspecting personnel may encounter a hacker without even realizing it, giving them access to sensitive data simply by offering a Wi-Fi password or log-in credentials.

It is important to recognize that, similar to technology, individuals can be prone to trusting disreputable sources. A hacker is willing to take advantage of the breadth of an organization’s vulnerabilities; consequently, employees are just as vulnerable to attack as technological data sources.

On the flip side, employees can download malware without realizing it, such as through illegal downloads or torrents of movies and applications. These unsafe browsing habits can and often do lead to a malware infection. Don’t trust an e-mail scanning application or spam folder to stop the messages from getting to the inbox. A hacker’s job goes beyond exploiting strictly digital vulnerabilities; the successful ones look for human vulnerabilities.

III. Watch Out for Phishing Aggression

To assess and react to the danger humans pose to digital security, it is important to know what the “bad guys” are doing. While external hackers have a diverse arsenal of techniques, a few are especially pertinent because they can affect any employee within an organization. Hackers are often referred to as “social engineers,” as they try to manipulate and trick their targets into giving them access.

One of the most prominent examples is “phishing.” Phishing is the process by which cyber thieves lure unsuspecting victims to a malicious link that then delivers malware. These malicious links are typically presented to the user in an e-mail message; the malware is initiated when the user unknowingly follows the link to the malicious web server.

Even more unsettling, though similar, is a “spear-phishing” attack. Unlike a phishing attack, spear-phishing is a directed attack. Cybercriminals gather information about a victim, which is then used to construct a fraudulent e-mail intended to trick the victim. Rather than being obviously nefarious, these e-mails are very realistic and tailored to the person hackers are trying to trick.

For example, in the banking industry, a hacker may use an e-mail message cloaked as a communication from the Federal Deposit Insurance Corporation (FDIC). By their nature, phishing attacks are not a problem unless a user actually clicks the link to the malicious web server. To prevent this within an organization, personnel need to be trained to identify false links: before clicking a link, “hover” over it to see the true URL or, even better, train employees to manually type the web address they need into the browser.

IV. Provide the IT Department with Useful Tools

While a universal training program aimed at informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team is staying on top of current advancements in security and has the resources to minimize vulnerabilities. Often IT people are more concerned with making sure technology is being implemented for productivity, not necessarily for security. Digital assets vary for every organization, making specific preventive measures hard to define. In general, the prevention of attacks and threats should be consistently audited so that a specific information security policy can be created and carried out within the specific context of an organization.

As one general example, outdated and unpatched software applications pose a serious risk. Cybercriminals often target older outdated software because of its longevity. That is, the longer a piece of software is around, the more time cybercriminals have to develop malware based on an established exploit that will not be, or has not yet been, fixed by the developer.

In many industries, including healthcare, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can become expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats – they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team well equipped is key to a strong security posture.

V. Limit Access to Critical Information

An often under-analyzed piece of the preventive data security puzzle is data access control. More simply put, not every employee of an organization should have full access to all data. Even in the case of IT, many recommend that members of the team use non-privileged credentials for daily activities. This is a central step in minimizing risk, as it inherently reduces the number of access points through which data can leave the confines of an organization’s network. Every additional privileged credential is one more credential that elevates the threat of external hacking.

In line with this, it is also crucial to consider internal threats. For example, a disgruntled employee gains access to sensitive data, steals it, and posts it publicly online. Limiting access to critical data on an as-needed basis can, in some cases, preemptively eliminate this risk altogether. People are a company’s biggest asset but also its biggest liability with respect to information security. Awareness and implementation of policy are key to maintaining that “culture of security.”

VI. Recognize the Risks of BYOD

Practicing and applying security and data access controls is crucial outside as well as inside of an office. Mobile computing revolutionized everything, from the maintenance of cybersecurity to reasonable policies. It is becoming increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, e-mails, cloud services, etc.).

With respect to policy, many organizations and their agents alike favor the cost benefits and choice of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances, this policy relinquishes some defined, universal security strategy and inherently gives an organization less in the way of data control. Standard mobile device management tools are not typically applied and installed on employees’ personal devices.

BYOD can also invite unauthorized connections from an organization to the Internet. Many smartphones offer device tethering, whereby other devices share the phone’s cellular data connection. This type of network activity is not part of an organization’s network, and thus cannot be monitored for suspicious connections.

Before simply accepting BYOD as a cost-effective and desired approach, ensure that the organization understands the rules, risks, and rewards of the new policy. If the organization implements BYOD, do so in such a way that the organization maintains a modicum of control. Also, take legal ramifications under consideration and determine whether there are special regulatory concerns particular to a certain industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.

VII. Look Beyond Your Employees

Data control goes beyond just employees. It extends to any entity that can store, access, or use a company’s sensitive data, including third-party vendors. Develop contracts that protect the organization, particularly where third-party vendors are used. Third-party vendors can introduce security lapses and vulnerabilities while not holding themselves to the proper and necessary digital risk standards, and failing to address this contractually can result in a digital catastrophe.

This is best evidenced by the devastating credit card breach Target experienced in late 2013. Target seemed to have the appropriate controls in place, with dedicated IT and security appliances. Thinking that everything was fine with its security practices, management overlooked one critical issue: Target allowed an outside heating, ventilation, and air-conditioning (HVAC) service vendor to connect to the same network responsible for point-of-sale device Internet traffic. This is an example of lapses in human execution rendering good technical security measures ineffective.

Like Target, other larger companies, such as the Boston Medical Center and Goodwill, have suffered breaches after failing to audit third-party vendors. Often, smaller third-party vendors serve as a hacking “stepping-stone”: compromise their information to get to their larger clients that hold more valuable data. This is especially true today, as even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices, yet its sensitive information held by vendors could be compromised.

To mitigate third-party risk, ensure that the appropriate parties, especially legal departments, are involved in the outside vendor hiring process and that contracts guarantee and protect audit rights. That means including audit clauses in contracts that allow the organization to regularly monitor and verify that vendors comply with any generally accepted or necessary standards. Including cybersecurity in the outside contracting process is now imperative.

VIII. Don’t Overlook the Importance of Data Backups

In addition to the risk of compromising data, loss of data entirely can be even more devastating. While most large corporations can afford to keep their sensitive data in multiple locations, others cannot. Irrespective of the size of an organization, individual workstations can contain important client data that should be regularly backed up. No matter how many backups an organization maintains, it is important to not get bogged down by the sheer volume and prepare for the absolute worst—a hurricane, tornado, or some other natural disaster that could destroy an entire organization’s data in one fell swoop.

Data loss can happen in other ways most people don’t expect.

A couple of months ago, I got a call from a local government agency that had horrible “ransomware.” Ransomware is malware that seeks to exploit victims by encrypting their files. It is downloaded by accidentally clicking a link in a pop-up, or through a “phishing” e-mail. Once it executes, the hacker notifies the user that the files have been locked because the user committed a crime, and that they must send money for the decryption key within a certain amount of time or their files will be forever inaccessible.

Unfortunately, paying the “ransom” usually will not unlock the files, but only serves to line the pockets of the extortionists. In this particular case, the local agency did not consistently keep a backup of its data, and lost months of work. This new ransomware infection prompts reflection on something overlooked as a serious risk to daily business activity—data backups, off site or otherwise.

IX. Develop a Security Culture

It is important to audit all controls that prevent attacks from external and internal threats. Make sure these controls are in place and effective, and test them by attempting to penetrate your organization’s digital infrastructure. There should be a layered approach to information security; in other words, organizations should not only have a digital fence, but also a locked front door. In addition to simply having “locks” and “fences,” make sure there is a policy information session that effectively teaches people how to keep the gate closed and the door locked.

Incorporating these provisions into policy and executing that policy through employee training programs moves organizations to a stronger security posture. Creating an atmosphere for effective security is just as important as the security practices themselves.

“Hope for the Best, Prepare for the Worst.”

Striking the right balance between cost and preparation is worth considering; preparation is much cheaper than the fallout of a breach. When it comes to security, prevention certainly is the first choice.

What happens if an organization takes all the preventive measures, but still loses data? Technology constantly updates with new security measures, yet cybercriminals stay one step ahead of the latest preventive security measures. One of the primary reasons for their persistence is that a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on credit technology’s conveniences.

X. Recognize the Value of Data

Not dissimilar from the recent credit card breaches, hackers consistently target health data because it is valuable, either to gather intelligence about specific people or as a tool for identity theft. Health data has also historically not been the most secure. Patient names, birth dates, billing information, and health histories have the potential to feed complex identity theft and medical fraud schemes.

More importantly, though, this data has a market on the “Dark Web” outside of those who are responsible for stealing it. To illustrate the Dark Web, Google indexes approximately 17 percent of websites where most people typically dwell online and do their browsing, shopping, and other online activities. But, below the Internet’s surface lurks the Dark Web, where criminals market a variety of different goods and services, from passports and drugs to “rent-a-hacker” services for the purposes of messing up someone’s life. Thanks to the Dark Web, stolen client data of all kinds has a market, therefore increasing its appeal.

Even if an organization conducts an audit of all security controls and policies, a new exploit could be found the next day, rendering a clean bill of security health void.

Case Study Illustrates the Risk of Not Participating in Cybersecurity 

The following case study illustrates the point that employee education is key. About a year ago, a large corporation contacted me claiming they had compromised systems. They mentioned an unauthorized $1 million wire transfer to Russia. Management suspected an inside job carried out by one of their employees. They had spent hundreds of thousands of dollars on security appliances, thinking this could not possibly happen to them. However, a review of their infrastructure revealed a lapse. They had adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”

Although they thought their appliances would not allow such a thing, a spam e-mail got to an employee’s workstation. That individual clicked a link and initiated “Zeus” malware. While the hacker’s toolbox is expansive and variable, there are certain tools worth mentioning, one being Zeus. Zeus, when executed, monitors an infected computer for certain types of user activity, including online banking. In some cases, it remains dormant until a user accesses a financial service or banking website.

Once Zeus identifies the targeted activity (such as banking), it collects confidential data, including a log of all keystrokes and screenshots, and transmits the compromised data to the hacker. In this case, someone inadvertently left a security token plugged in. The hackers had everything they needed and set the software to wait for banking credentials. After that, all they had to do was log in and initiate the transfer.

This story teaches us that these lapses do happen, even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security. Management acted quickly, hired professionals, and assembled the narrative to recoup their money. They carried out reasonable steps for the safety of their customers’ information.

Lessons Learned about Cybersecurity

More often than not, though, incidents come unexpectedly and organizations have little preparation for the worst. Officers and employees often don’t have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown.

While designing a preventive policy, also design an incident response policy or manual. This should effectively prevent an operational shutdown in the case of a breach and allow for quick, decisive action. Be sure you have the right contacts to respond to such an incident, and be ready for the inevitable, even if it seems impossible.

Specialists can assemble the narrative, from the initial exploit through threat escalation to the context of the data that was ultimately compromised. With that narrative, an organization is better able to prevent a similar attack in the future and has a clear picture of how to handle other tasks related to the breach, such as client notification.

Breach Notification

Breaches often go undisclosed. The responsibility of organizations to notify their clients, partners and other parties about a breach varies by situation. In certain industries, federal and state regulations are the rule, but in others notification is solely at the discretion of executives. In responding to the public, or proactively notifying clients, it’s best to wait until a full investigation is complete. It is important to know there is a huge difference between an infection (abnormal Web traffic) and a data breach. Evidence of a possible data breach attempt does not mean the attackers were successful. Moreover, even if hackers steal data, the type of data is central to the notification procedure.

Oftentimes, organizations that suspect a breach will jump the gun and notify their clients before an investigation is complete. In the end, sometimes nothing serious happened—no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is, in and of itself, a huge risk. Understand that some clients might not be comfortable continuing business with a company that disclosed a breach. Organizations need to do themselves a favor and rule out the possibility of a false alarm first. That said, it is important to incorporate client notification as part of the defined incident response plan. It is always best to be proactive but don’t inform clients or authorities until a serious breach definitively happened.

Complete a Thorough Investigation

In the unfortunate case that personally identifiable information was stolen, it is important to work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As previously alluded to, there are regulatory considerations that vary greatly between industries and states, for now. Until there is an overarching federal regulation that applies the same requirements to all industries and defines which types of stolen data must be reported, the current compliance and digital security laws remain in force, and they are a patchwork.

Similarly, after an incident, education is still the most important aspect of preventing another breach. Take an incident or a breach and use it as a valuable learning opportunity. After a security breach investigation, walk employees through every detail of what happened. Pinpoint what the failures were and, most importantly, learn from the event and prevent the same thing from happening again. Hold the entire team responsible for a breach in security, not just one employee.

Conclusion & Cybersecurity Takeaways

Preparation is key in any prevention strategy, and optimal security always starts at the human level, especially with cybersecurity. Best cybersecurity practices are just that—practices. Cybersecurity measures are always a work in progress and reflect the constant stream of new technology. It takes time to discover, learn, and implement the best methods. Ongoing education within this “culture of security” is imperative in trying to implement the best possible procedures. In this case, knowledge truly is power.


Download Our Cybersecurity Considerations Checklist

For More Information on Cyber Security Risk click here or call one of our Risk Advisors at (914) 357-8444.

Equifax Breach: 5 Tips on What To Do Next

Equifax Inc. announced on September 7, 2017 a cybersecurity incident which occurred earlier in the year. On July 29, it was discovered that criminals had exploited a US web application to gain access to files of over 143 million US consumers. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. If you want a quick road map on what you should do to protect your family from the Equifax breach, read on.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.

All consumers should conduct a quick check to see if they were potentially impacted by the event and sign up for the protection and monitoring, regardless of the result. Although it’s free (for a year), I fundamentally don’t trust that Equifax will do the right thing. They can and will actually make money on this hack by increasing their monitoring services for a fee.

5 Tactics To Protect Your Identity From Theft:

(Courtesy of Daisy Maxey of The Wall Street Journal)

Check Credit Reports

Consumers should check their credit reports with Equifax but also with the other major companies, Experian and TransUnion. The reports are available free annually via annualcreditreport.com. Links are below.

Experian / TransUnion / Equifax

Freeze My Credit?

After checking to see if you, or your family members, were affected, it is worth considering freezing your credit. Credit freezes are one of the most effective ways for consumers to protect themselves against identity theft as well as other credit fraud. Freezing the reports provides you with a personalized PIN that allows only you to unfreeze them. While the reports are frozen, it becomes extremely difficult for new accounts to be opened under your name, as they generally require credit checks. Remember, you’ll need to freeze all THREE reports.

Monitor All Bank Account & Credit Card Account Activity:

Frankly, you should be doing this anyway, routinely. It’s one of the reasons I still like getting the statements in snail mail. It forces me to put eyeballs on my accounts every month. The Equifax breach makes this an imperative rather than a non-essential.

Utilize the Identity Theft Resource Center:

If you suspect you have had your identity stolen, check out www.idtheftcenter.org. You may also call the center’s toll-free number (888-400-5530) for counsel on resolving identity-theft challenges. All of the center’s services are free.

Equifax is offering a dedicated call center for consumers who have additional questions: 1-866-447-7559. It is open every day, including weekends, from 7 a.m. to 1 a.m. Eastern time.

Corrections & Amplifications:
Credit reports are available free annually via annualcreditreport.com. An earlier version of this article incorrectly cited the website as creditreport.com. (Sept. 8, 2017)

LifeLock:

It costs a few bucks, but LifeLock offers a credit monitoring service that also includes credit freezes. It saves time by aggregating all three credit reporting agencies into LifeLock’s software, which makes it easier for you to stay on top of things. It’s a classic time versus money conundrum. We have used LifeLock and found the service to be very solid. LifeLock could be an alternative to the do-it-yourself deal. Further, be careful with the Equifax links, as thieves have set up counterfeit sites that look just like Equifax’s. Thus you could be hurting yourself by going the freebie route.

We know this is a pain, but a few minutes managing your risk is so much easier than days and weeks trying to repair the damage these folks could do. Lastly, don’t just focus on yourself. Your children’s Social Security numbers may be compromised too. Make sure to include them in whatever monitoring you may be doing.

Sorry to write this article, however forewarned is forearmed. Back to your regularly scheduled programming.


Still have questions? Contact a risk advisor by calling 914-357-8444.

Cyber Security Regulation

New York State is implementing a new Cyber Security Regulation effective March 1, 2017.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Gov. Andrew Cuomo said February 16, 2017 in a statement.

Today’s marketplace continues to move toward the keystroke. It seems you can’t conduct a business transaction without a multitude of emails, electronically signed documents, or a cloud storing the most vital information. These amenities have streamlined the way we conduct business, but have they left our information exposed? New York State seems to think so, and thus has passed what appears to be the “first-in-nation” cyber security regulation.

Governor Cuomo continued in the same statement: “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber crimes.”

The finalized cyber security regulation, which takes effect March 1, 2017, sets mandated standards for financial institutions (including treasurers and insurers) in the ongoing battle against the risk of cyber-attacks.

The regulation requires “regulated companies” to implement a cyber security plan, including requirements for a program that is adequately funded, staffed, overseen by qualified management, and reported periodically to the most senior governing body of the organization. Additionally, the new regulation calls on banks to scrutinize security at the third-party vendors that provide them services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

“Throughout the regulatory review period, we emphasized how critical it is for insurers to have the ability to tailor and implement their cyber-security programs in a risk-based manner,” Alison Cooper, Albany, New York-based Northeast region vice president for the American Insurance Association, said in a statement. “While some challenges remain, overall the final cyber security regulation provides greater flexibility so insurers are able to better adapt to an evolving threat landscape.”

“With this landmark regulation, (the department) is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” Department of Financial Services Superintendent Maria Vullo said in a statement. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks.”

At this point you’re probably thinking to yourself, “We’re not a bank, and we’re not a large corporation. So how does this affect my business?”

Directly, it doesn’t, YET! However, this new regulation should be viewed as a notice to all businesses, regardless of industry: cyber-attacks are an ever-increasing risk, and a potentially devastating exposure if left unacknowledged. It seems as though we’re constantly reading about large corporations being hacked, leaving the small and mid-sized business owner to think, “This can’t happen to us. Why would we be attacked?” The truth is, it can and it does happen to small and mid-sized businesses. Unfortunately, unlike the Home Depots and Targets of the world, one cyber-attack could be enough to force a small business to close its doors.

Now is the time to evaluate your risk. Do you have a contingency plan in force if an employee accidentally opens a link from a person they thought they knew, only to find out it’s ransomware? Is there an action plan in force in the event hackers use your company email to send out spam or a virus to your contacts? Do employees know the steps to take if somehow all of your clients’ or employees’ data are stolen? Worse, if one of these events occurred, what would be the cost implications to your business? If you would like to take a deeper dive into this issue, contact a Risk Advisor today by clicking here. They can help you take steps to protect your business that cost nothing. Further, you can transfer the cost implications of many of these challenges to an insurance carrier through the purchase of a cyber liability policy. The world has become much more complicated, and it continues to do so with the passing of each month. We are here to help.


Certificates of Insurance: Law Amendment Effective July 28, 2015

Effective July 28, 2015, an amendment to the insurance law made it illegal to request or issue a certificate of insurance with language of any kind (including warranties of coverage) not found in the underlying policy. The certificates of insurance law is an important concept to understand.

Anyone who has entered into a business agreement will tell you, “Make sure you get their certificate.” The certificate of insurance (COI) often acts as proof from one party to another of the insurance they have in place. COIs generally include information such as the named insured, carrier, limits, policy numbers, and policy terms. Additionally, they can contain specific wording required by contract/agreement.

Although the majority of certificate requests can be straightforward, many times holders require more of the document than it can provide. Keep in mind that the information a certificate can provide is limited by the contents of the policy. In the past, issuing a certificate with information or wording not in compliance with the policy was an error on the issuing party’s part and, if undiscovered, had no consequence.

Cue the amended law.

Going forward, effective July 28, 2015, certificate holders cannot require a certificate to include specific items which are not provided within the insurance policy(ies). These items consist of:

  • Terms
  • Conditions
  • Language
  • Warranties
  • Guarantees

Additionally, the new law restricts the acceptable certificate forms which may be used. A complete list of approved forms can be found here.

So why should you care about this law?

Two words: State fines. The Department of Financial Services has approved fines for violators (including issuers and requestors) in the amount of $1,000 for the first offense, and $2,000 for each subsequent offense. These fines can be avoided if proper due diligence is taken.

The best practice to avoid violations, and corresponding fines, is to consult legal counsel (who should be involved in the contract negotiations anyway) as well as your insurance broker to discuss what can be requested or complied with. If you are in the midst of negotiations and are not involving legal counsel, or a broker (with respect to insurance matters only), we highly recommend you reach out to each immediately. This may not only prevent an error or fine but may also protect the company in the long run.

In conclusion, it is imperative not to overlook this new certificates law. The key thing to remember as you take a closer look at the wording is requirements. Make sure your requirements reflect the exact requirements set forth by the policy, and New York State won’t hound you. Don’t lose money you don’t have to; stay diligent in your certificates.


(Co-authored by Joe Ragusa & Joffrey Cordero)

Overtime Pay: The Exposure You May Overlook

As a business owner, the responsibility of providing a safe, positive, and comfortable work environment falls on your shoulders. The unfortunate reality is that these responsibilities are not always upheld or maintained. To help protect businesses from harmful claims that may arise from a multitude of situations, the Employment Practices Liability Insurance (“EPLI”) policy would come into play. The EPLI policy provides coverage for wrongful acts during the employment process, with the common claims being wrongful termination, discrimination, sexual harassment, and retaliation.

As part of this policy an insured business has the option to enhance coverage via the (unappreciated and undervalued) Wage and Hour Endorsement. This endorsement provides the named insured coverage for the cost of defending claims alleging failure to pay overtime to a nonexempt employee, with settlements of said claims generally excluded.

Why discuss this coverage now? In recent days President Obama has set his sights on raising the overtime pay threshold for wage and hour employees working 40+ hours per week, with plans for the change to take effect in 2016. Under the Fair Labor Standards Act employers are required to provide overtime pay to employees who work 40+ hours a week, with executives and managers being exempt from the requirement (these individuals are generally earning higher salaries). The target is to raise the threshold for the first time since 1975 from $23,660 to $50,440, more than doubling it.

With the increase in threshold we can expect to see an increase in wage and hour claims, as many employers may not be immediately aware of their obligation. In an effort to better protect the company that you have worked so hard to grow, it may be worth:

  1. Familiarizing yourself with the coverage
  2. Discussing coverage options with an insurance professional
  3. Exploring the market for coverage options and pricing

No business owner wants to enter a legal battle, but if required, wouldn’t you sleep better knowing that coverage is in place to help protect your investment?