There is nothing new about a business owner keeping weapons under the store counter or in the vehicle used to take deposits to the bank. The laws, however, raise questions about liability insurance for weapons-related incidents, so it’s a good time to brush up on coverage issues.
There are at least three ways an insured can injure someone with a weapon:
Accidental discharge of the weapon,
Intentional shooting with an intent to injure the person (shooting a criminal), or
Intentional shooting with accidental consequences (shooting an innocent person standing behind the criminal).
There’s no coverage problem with the accidental discharge. The commercial general liability policy covers the insured’s legal responsibility for bodily injury or property damage to others as the result of an accident. Costs for defense and payment of any subsequent judgment or settlement are provided.
For the other two types of incidents, however, the intentional acts exclusion in the policy presents a problem for the individual or commercial insured seeking defense or indemnity following a shooting incident.
The intentional acts exclusion in the CGL policy reads as follows:
This insurance does not apply to:
a. Expected or Intended Injury
“Bodily injury” or “property damage” expected or intended from the standpoint of the insured.
This exclusion does not apply to “bodily injury” resulting from the use of reasonable force by an “insured” to protect persons or property.
Most courts have treated this exclusion narrowly, so that not only must the action which causes the damage be intentional (striking a difficult customer), but the damages must be reasonably expected (broken jaw vs. paralysis). In an auto-related case (Tanner vs. Nationwide), the Texas Supreme Court said a similar exclusion in the personal auto policy is “effect-focused and cause-focused, voiding coverage when the resulting injury was intentional, not merely when the insured’s conduct was intentional.” According to the decision, if the exclusion were to preclude coverage for reckless acts that didn’t result in deliberate injury, insurance coverage would disappear for many accidents.
The exclusion applies to “the insured” who intentionally causes the damage, and not to all insureds who may be sued as a result of the damages. Thus, the named insured business would be protected in a suit brought by a customer who was intentionally injured by a third party or an employee of the insured.
The exception to the exclusion applies to bodily injury only, and permits the use of “reasonable force” by the insured to protect persons or property, such as when a store owner grabs a customer suspected of shoplifting or shoots a burglar or robber, and the customer or criminal later sues the insured as a result.
If the value of personal information makes us vulnerable, the value of health care information exponentially expands the bullseye. According to Reuters, medical records are worth up to 10 times more than credit card numbers on the black market.
As a health care organization, it is our responsibility to protect the integrity of our patient’s records, and we take this responsibility very seriously.
All too often the effort has been focused on preventing and managing massive cyber-attacks. However, it is critically important that we be mindful of the exposure the individual employee represents in our cyber security.
This could be the employee who inadvertently faxes data to the wrong person, leaves their computer unattended and at risk, or the employee who intentionally sets out to hurt the organization as a retaliatory measure. This is a real exposure that is often overlooked.
It’s important that you act in lock step with network security and organizational teams in order to detect, stop, and address the untoward event appropriately. Cyber threats can be overwhelming and a contributor to sleepless nights.
To help us break this threat apart into manageable steps we have created a checklist for the risk manager.
Checklist for Risk Managers
- Work with board and executive leadership to ensure support for cyber initiatives.
- Provide for strong data breach identification and management policies and procedures creating a zero tolerance culture for data breaches.
- Ensure that education and training occurs at all levels of the organization at least annually to include basic definitions, policy content and zero tolerance culture.
- Create a breach response team in partnership with Organizational Integrity, Finance, Legal, Risk, IT security, Human Resources, and Communications to ensure are all working together for immediate detection, response and action when a breach occurs.
- Negotiate a robust cyber insurance policy that has breach response, liability coverages, as well as coverage for regulatory actions, fines, and penalties.
- Create data breach preparedness planning opportunities.
- Leverage insurance carrier for education and loss prevention opportunities.
- Appreciate the regulatory landscape through education and training.
- Develop contracts with external partners including forensic firms, law firms, and public relations firms to assist during a large breach event.
- Train, test, revise, train, test, and revise!
The answer to many cyber threats is having the force of an integrated cyber security and breach response team as your shield.