What are the diverse needs of a Retail Business?

Retail Businesses, Cyber Liability & Cyber Security Insurance

Retail

Accepting credit card payments at your retail location makes you part of the Payment Card Industry (PCI). The PCI Security Standards Council, which is a voluntary council, has issued Data Security Standards (PCI DSS) dealing with cyber security for credit card data, which are voluntary regulations for the Payment Card Industry. In particular, the council issued PCI DSS Requirement 5 and updated V3.2 in May of 2016, which impacts retail stores substantially.

 

The most important aspect of these regulations in regard to retail sales is that non-compliance with the voluntary regulatory standards to prevent a data breach can result in making your organization ineligible to be a point of sale for credit cards.

The Council itself does not have compliance enforcement ability over the retail industry. This power rests with the credit card companies who are the founding members of the Council, e.g. Visa, MasterCard and American Express. Thus, these regulations have a far-reaching impact on your ability to be a vendor who can accept credit card payments, and as a result your compliance is necessary if you want to accept credit cards. If you become ineligible, of course, it can reduce your profit.

Putting aside any theoretical discussion regarding compliance issues with voluntary security standards, they are meant to protect the public by preventing data breaches. Under Requirement 5, stringent guidelines were put in place to protect the consumer purchasing the products you sell from invasion of privacy, theft, fraud and identity theft arising from payment by credit card.

For those who are not computer savvy, Requirement 5 in a very condensed nutshell states you must protect all data systems against malware and regularly update anti-virus software or programs. The sub-parts further break down the actions you must take to implement Requirement 5, which essentially means:

  • you must take all possible steps to prevent a data breach by identifying all threats and detecting all known types of malicious software and malware,
  • ensure that all protection software programs are current and updated,
  • perform periodic scans,
  • document the scans in logs and track everything you do to keep current,
  • ensure that all antivirus and malware programs can’t be disabled or turned off,
  • if you have to shut down the anti-virus and/or malware programs for a limited time frame for an approved legitimate reason, obtain authorization from your management, and
  • document all details in your logs, run all security protocols when the programs are back up and running, and perform a security scan.

See the PCI Basics & Quick Guide for more detail: http://PCIcomplianceguide.org

Accomplishing all these tasks is very difficult. Not even the Democratic Party has been able to completely insulate itself from cyber-attack. So it is fair to assume that you might have some difficulty accomplishing all of the required tasks without a really top-notch IT person or department. There are Quality Security Assessors who specialize in conducting technical assessments of your compliance defense system. See Cb Defense PCI DSS Anti-Virus White Paper, Carbon Black Arm your Endpoints. http://www.coalfire.com

Numerous companies also sell antivirus and malware platforms that you can purchase and have the platform itself tested to ensure that it does comply with the PCI regulations.

While you may think all of this is unnecessary or overkill, just think of the cyber-attacks against national retailers (e.g. Target, Home Depot and eBay).

If you are ever sued by customers for a data breach that occurs within your retail business, compliance with the PCI industry standards may actually support your defense, as it is considered a best practice to comply with these security standards and it helps to establish that you used a high standard of care in dealing with data and clients’ privacy. Because you have a high risk of data breach, it is in your best interest to have data breach/cyber security insurance. In saying that, you also want to consider other insurance needs in addition to cyber insurance.

Most carriers offer retail establishments a business owner’s package with a combination of standard features, including:

  • commercial general liability
  • business property and inventory with or without enhancements or stretches (interestingly, property coverage does not include an outdoor sign that is not attached to the building, so you would need a rider in that instance)
  • property in transit floater, or inland marine
  • business income loss with endorsements for utility outages and direct damages
  • workers’ compensation
  • e-commerce sales
  • burglary, theft or crime; and employee dishonesty
  • spoilage and a food contamination rider if you sell fresh or frozen food items
  • mechanical or electrical breakdown
  • commercial auto if indicated.
  • And, most agents and carriers often suggest umbrella insurance.

But at the same time, carriers and agents do not emphasize the need for cyber security or data breach coverage, nor is it usually offered as part of a BOP. This may be because this type of insurance is fairly new and the parameters for cyber insurance are not completely developed or formalized. While there is very limited cyber coverage in the business property insurance portion of the policy, it is insufficient for anyone who is required to meet the standards for the payment card industry. This requirement makes it self-evident that there is a legal duty and a standard of care in the payment card industry, and if you are negligent and fail to meet the standard, it may increase your liability to your customers for a data breach.

Thus, any PCI retailer will want to ensure that the cyber security policy they choose has provisions for coverage of regulatory fines, notifications of customers, first and third party damages and defense coverage which triggers at the earliest moment possible.

Cable Installers Liability Needs

Cable Installers, are you an employee or a 1099 contractor?  (Or “The elephant hiding in the closet”)

There is a vast movement afoot in the cable and satellite installation industry to have cable installers become 1099 contractors rather than employees of the cable company. See “Consider the Cable Guy”: The Grind Investigation Fund. Many major cable companies are requiring their employees to make this change involuntarily. Why, you might wonder?

Well, this is a very effective cost-cutting measure for the cable companies. They need people to install the systems, wiring and equipment that operate and control the media service they are selling. This job cannot be performed without a human at this point in time. However, if cable companies utilize a fleet of 1099 contractors as cable installers instead of employees:

  • It reduces the employer’s costs considerably as the employer no longer collects or pays FICA or federal and state income tax on the cable installers.
  • Cable companies do not pay employer taxes to the government.
  • Cable companies often charge the 1099 contractor cable installers for such things as uniforms, tools, equipment and use of a truck. Conversely, as an employee, the installer would most likely have received those items at no cost from the employer. These measures both reduce the cost and bring in revenue from the contractor.
  • Cable companies also save vast amounts of money on reduced insurance payments, as the burden of carrying certain types of commercial insurance switches to the 1099 contractor. This reduces the number of employees and in turn reduces the premium cost for the employer as well.

So, if a cable installer begins working as a 1099 contractor, they really are functioning as any small business owner would. The installer will need all the types of insurance that any company in the cable installation business should carry, including general liability, errors and omissions, business property, inland marine, commercial auto (if you are furnishing the vehicle), commercial property and loss of business income, and perhaps an umbrella policy or a technology policy. As a 1099 contractor, you can obtain these as part of a business owner’s package or as standalone policies.

You should speak with your agent to gain knowledge about the best options for cable installers within the Class Codes your business comes under listed below:

Business Liability Category: TV and Media Installation

SIC Business Insurance Codes:

  •   4841- Cable and Other Pay TV Services

NAICS Liability Classifications:

  •   517110- Wired Telecommunications Carriers
  •   515210- Cable and Other Subscription Programming

Business ISO General Liability:

  •   Code: 91315- Cable and Subscription TV Companies

Common Workers Compensation Class Codes:

  •   7536- Cable Installation and Construction
  •   8901- Cable and Telecommunications- Office Employee
  •   7600- Cable TV or Satellite- Other Employees and Drivers
  •   6325- Conduit Construction- For Cables or Wires
  •   8742- Outside Sales Persons

Plus, as a 1099 contractor you will need health insurance which covers your own health needs. This means obtaining health insurance which, in most cases, is not part of a group plan. Individual health insurance is usually very expensive no matter who the insurance carrier may be. An alternative is to join a union or an association of workers in this field that offers health insurance to its members, thus forming a group (e.g. Communications Workers of America).

But the biggest concern related to insurance is Workers Compensation.

Since you are no longer an employee, just as you are no longer covered by the Cable Company’s group health plan, you are no longer entitled to workers’ compensation through your client, the Cable Company. That means even if you get hurt on the job while installing for the cable company at a property you were sent to by the cable company, you are not covered by Workers Compensation. (There is that elephant hiding in the closet with a not so great surprise!)

Whether you’re required to carry Workers’ Compensation insurance for yourself (as a single employee) is another question altogether and depends on many things. Some states require that a single-employee company carry workers compensation while other states do not. In some states you are exempt if you have fewer than 4 employees. Some states exempt members of an LLC. Whether it is required by the state should not be the end of the inquiry, because if you don’t cover yourself for Workers Compensation, no one else will, and you may well be letting the elephant loose to trample you if you are injured severely on the job. Additionally, your old employer (the cable company), who is now your “client” and sends you out to cable company users’ homes to do installations, can and often does require that you carry workers’ compensation and that you make the cable company an additional insured on your policy when you go out to install systems for their customers.

You may think you are covered by your own health insurance that you just bought; however, many times your health insurance carrier will deny coverage if you were injured on the “job”, and if you don’t have workers compensation the injury is not covered at all unless a third party or the cable company was negligent.

This can be quite a tragedy if you are injured and have not obtained the insurance needed to protect you. The Bureau of Labor Statistics shows that 3 million workers were injured on the job in 2014. So if you find yourself in the position of a new 1099 contractor, make obtaining commercial insurance one of your top priorities.