The pain of GDPR compliance and the long term effects

Posted by 7 September, 2018 (0) Comment

 

GDPR has no exemptions that organisations I work with can rely on, perhaps for the first time with data, we are all in it together.

The challenges facing organisations trying to comply are magnified by the amount of “fake news” surrounding it. I haven’t been surprised by the feeding frenzy from those trying to cash in yet I am somewhat alarmed by the number of “experts” on this untried legislation. I understood that it took 10,000 hours to become an expert in something and I’m wondering how the experts managed that. C’est la vie.

What truly concerns me is that this is a massive cultural change and I fear that the policies being written and disseminated are not going to empower the people that need to deal with data on a daily basis. During my 29 years in the field of risk, insurance and business continuity I have seen many issues that could have been avoided by educating people. Yet it seems that policies are written to ensure employment or contracts can be terminated rather than actually encouraging people to comply. I realise that this is partly due to legal precedent yet motivating people by fear is far weaker than motivating them by other means.

Having listened to many people and taking in copious amounts of information, I think that the feeding frenzy has prevented people from understanding the “mission” of the data regulators. They want organisations to be careful with data and respect the wishes and privacy of people like you and I.  It is not a lot to ask yet achieving that aim is undoubtedly awkward. It is a lot less awkward if the culture of an organisation recognises this.

I have this awful nagging doubt that people will not be motivated to do the right data thing if they are told off or, disciplined when they make mistakes. I’ve seen many policies that tell people what to do yet they are rarely allied with the cultural piece. Even rarer is the right level of education and reinforcement that motivates.

The deadline will come and go yet the mission of the regulator is not going to be achieved if the culture of blame continues to be the most pervasive in organisations. One issue that no-one seems to have thought about is the way salespeople treat data. Arguments over who owns it are regular, especially with the advance of online networks. Roughly 50% of people take data with them when they leave one organisation for another. There are at least two companies in breach when this happens and the individual has broken the law. It is theft after all.

The existing regulations state that this shouldn’t happen yet half of the population think it’s OK to take it when they really know that they shouldn’t. It could be argued that the policies that discipline people have worked because they have stopped the other half from doing this. Yet half is not enough. It should be a single digit number, at the very worst.

So policies and procedures are not working now. New ones will not change that if they don’t address the cultural side of human behaviour.

What can be done?

A new type of policy is required. Naturally, it should start at the top of an organisation. It should motivate people to change the way they think about data. It should be readable, not shrouded in jargon. It should reward people for doing the right thing. It should be something that everyone is reminded about. But not “beaten up” over.

 

Jason Cobine is an Insurance broker in London who works with businesses and charities. He has built a business from scratch, without pilfering data so he knows how hard it is. Yet it was a cultural decision that has been proved to be correct.

 

Categories : Accountants Insurance,All Risks Insurance,Business Insurance,Company Insurance,Contractors Insurance,Intellectual Property Insurance,Legal expenses insurance,Liability Insurance,Personal Insurance,Solicitors insurance,Uncategorized Tags : , , , , , , , , , , ,

The GDPR is coming. Time to sit down, relax and take stock

Posted by 3 May, 2018 (0) Comment

This article is about the feeding frenzy taking place, how to avoid it and what to look out for in the run up to GDPR lift off.

 

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

 

The vultures have been circling for some time now.

 

Plenty of people are putting the frighteners on good people that just want to survive the supposed relentlessness of heavily armed Data Commissioners issuing fines aplenty. Which will not actually happen. The ICO simply haven’t got enough resources to do that. Much like other agencies that are not for profit.

 

Speaking of which, it is those that are for profit that we need to be wary of. I’ve received several updated contracts from insurance companies dictating how data issues need to be resolved. My first piece of advice is to establish what your partners expect of you because, whilst the data commissioner might give you 72 hours to report certain types of breach, I am now contractually bound to give others 24 hours notice. Probably because they want the lions share of the deadline to get themselves ready. They also insist on certain types of data security and issue tight deadlines on “data subject access requests”. Cheeky but true.

 

So have you read all your contracts recently?

 

At least some of our partners are decent enough to tell us they’re being updated. Other contracts, like insurance policies, already cater for the change with clever wording. Where it states that they expect you to be complying with the law it actually means that as soon as the law changes, you have to be compliant with the new one. They don’t need to wait for the renewal of a contract to make you keep up with legislation. They’ve already taken care of it.

 

Are you going to read all your supplier or partner contracts? Probably not. Who has the time? I hear you sigh! Keep these in mind when you are changing your policies that are affected by GDPR. There might be a clash. You might want to notify them with 72 hours, yet they might stipulate immediately. Forewarned is forearmed and I don’t think fines are going to cause the biggest headache. I think it will be interruptions to business and loss of reputation and/or clients.

 

Government crack the whip

 

I have a feeling that the government announcement last week, that it would try and reduce the compensation culture by cracking down (again) on so called “whiplash” claims, might fuel the class action culture that Morrisons supermarkets find themselves subject to. There are a lot of companies that rely on that revenue stream (it’s in the billions) and they will switch to the next as quick as they went from PPI to holiday sickness claims. And PPI is coming to an end.

 

Wrap Up: We’re not overly concerned about the deadlines imposed by our supply chain because we have the resources to cope with them. Yet we’re very pleased we know what they are because a data breach causes enough confusion on it’s own.

 

Top Tip: Once you’ve assessed your position, review your contracts to see what else you might need to weave in. This is a once in 20 year opportunity to engage with your stakeholders. Done well, it will build trust regarding data and how you want to keep it safe. That trust is gold dust in the current climate.

Categories : Accountants Insurance,All Risks Insurance,Business Insurance,Company Insurance,Contractors Insurance,Customer Service,General Requirements,Intellectual Property Insurance,Liability Insurance,Solicitors insurance Tags : , , , , , , , , , , , , ,

Say it but don’t blame me

Posted by 2 May, 2015 (0) Comment

Sometimes it’s best to help your prospects understand what you offer that your competitors don’t rather than trying to highlight the inadequacies of your competitors. This is specially the case when the comments you make are in public especially when your competitors get angered easily and or have very deep pockets or in-house legal teams. This article explains what happens when someone is unhappy  with what you say about them, how to avoid it and what you can do about it.

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

I have a client who has produced software that is absolute outstanding and reduces the amount of time you and I spend waiting for organizations to answer our calls. It also reduces the number of staff call center require and I think it’s a product that provides everyone with a benefit. They have nearly 1 million subscribers to their app so they must be doing something right.

There was a time, before they appeared on “Dragons Den”, that they were looking to generate a buzz about their business. They talked to a marketing consultant and eventually persuaded to use a marketing expert who’s specialized in generating PR for technology based businesses. It all sounds great, everything heading in the right direction.

 

We didn’t say that did we?

 

The marketing expert had decided to seed the press and other relevant forums with explanations about the different waiting times that people experience when calling well known companies. In theory these companies were not competitors to our clients. They were irked even angered, to find them self at the top of a table highlighting which companies leaves callers on hold for the longest time. The angriest was a particularly large company in the health industry and they decided to issue a letter asking our client to explain exactly where they got their information from and asking them to remove any reference to that company from the public domain. This was an understandable reaction to an article that was supposed to improve the profile of this client yet it just sort to anger a party they didn’t needed to anger and caused many other problems internally. The initial panic should never be underestimated when you get a letter from a in-house lawyer because they have so much time on their hands to deal with such issues.

naturally my first question to my client was had they actually made the points that the in-house lawyer objected to. Their answer was it wasn’t us. Yet when I used Google I found the article was credited to them. At which point they said it was an outsourced marketing expert who had put these articles together. I asked if the marketing expert had provided evidence of their insurance. Blank looks all round. I asked if the marketing expert’s research had been checked by my client. More blank looks. I asked if the marketing expert had used an specialist to research the details they were using. The blank looks continued.

 

Shall we tell them it wasn’t us.

 

This was the comment my client made next and I asked them if they thought that would send the complainant off towards the marketing company and they realized that was probably never going to happen. If that were the case, everyone would simply say someone else did it in our name and no one would ever seize or desist when the lining someone. Fortunately they didn’t need to have this conversation because we had already provided them with a legal defense if allegation of liable defamation or breach of confidentiality were leveled at them yet they still had learned a valuable lesson about suppliers. These days very few businesses are self contained. Nearly every company I know relies on a employee or another organization to help them deliver their product or services. However not all such businesses are as careful as they should be and you can either be guilty by association or considered guilty because something is done under your umbrella.

Top Tip:
Check your suppliers carefully if they have insurance and it is fit for purpose you can give them a free rain, which makes your life easier.

Wrap up:
If they don’t have insurance you shouldn’t be dealing with them. Because at best, your insurance premiums will creep up as your suppliers make mistakes. That’s like buying car insurance and allowing the worst driver you know and drive even though they are already banned.

 

 

Categories : Business Insurance,Company Insurance,Liability Insurance Tags : , , , , ,

Flatterers deceive UK start-ups

Posted by 19 April, 2014 (0) Comment

A spectacularly large US company flattered a UK start-up with a huge contract which was eventually signed and secured. This would give them the capital they need to multiply their success. The contract wasn’t exclusive and the start ups web application was valuable to many similar companies. A fantastic “result” and only two types of insurance were required by the US company.

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

Contractual responsibility

 

The contract issued by the Americanclient had 2 pages making direct reference to the type of due diligence, risk management and business insurance required of the start-up. The rest of the contract revealed 26 further liabilities and requirements that were, or would become, necessary.

Not all were manageable for a small company with limited cash flow. The really fine points of the contract referenced this exact point and made it clear they would take full and furious legal action if something went wrong. Ouch, a soft landing is required so we received an introduction.

Part of the liability related to the website, which was provided as a service, and had to be operational 99.9% of the time. The US company staff would be trained to use it and then supported 24/7. It had to work and the contract made it clear that they would want compensation for any downtime over 0.01% in any one year. Keep in mind that one way to compensate is not charge fees that are due.

Penetration testing must be the answer

 

It helps work out weaknesses today yet doesn’t account for advances made by hackers tomorrow. IT Systems security methods of suppliers aren’t always reliable and data theft was the main concern of the US client. They made the UK startup contractually liable for the costs of notification to the relevant authorities and those whose personal data is compromised.

This is a really tough figure to try and quantify because few own up when they have a data breach so the statistics cannot be compiled. Contrast that with fires where it is easier to quantify losses.

That won’t change just because it becomes a must to do (new regulations are due to land in the EU in 2015). So if some Herbert got at the data, the US company would have to spend to meet US regulations and the UK start-up could be ruined by the losses. Identity theft costs vary from person to person so it really is a difficult number to calculate.

Legal liabilities change across borders or state lines

 

The chances of a breach are minuscule, the costs ridiculous. The damage to brand immeasurable. Get a lawyer to get legal on your contracts and they’ll close the gaps. Some clauses don’t hold water in the UK yet US companies issue proceedings where they want. The contract formed a vicious circle when the statement of work and suppliers agreement were reviewed together. No stone had been left unturned and the US company had a fair minded legal team. That is not always the case.

However, there was a liability of millions and the supplier of the application’s infrastructure were only going to cough up £182k if they failed to maintain their supply. Worse still, the infrastructure wasn’t easy to transfer to a new supplier and a 30 day window tied the start-up down. No fix in 30 days and the US contract terminated automatically. And further contracts would not have been issued by them or anyone else.

We deal with cyber risk every weekly basis. It rarely touches the smaller business, yet their suppliers are at risk. Cloud sounds great yet it is not as solid as your own database with your own security. The solutions are a contractual nightmare.

Wrap up: It is not unheard of for a large company to issue a contract to a start-up, allege an error and drown them in legal proceedings. This is because they can then strike a deal which leaves the start-up Directors free of debt if they give up their Intellectual Property. Only in America? No! Uk companies do this too. Does Directors protection work in these cases? No! See why here: https://cobinecarmelson.com/wp-content/uploads/2011/11/What-are-Directors-real-risks.-CCLv5-URL.pdf

Top tip: One digital games company signed an NDA and found the other signatory copied their ideas and started selling their titles. It cost £300,000 to force them to stop and compensate the original designer. There is no point getting someone to sign an NDA unless you have the means to enforce it !

Categories : Accountants Insurance,All Risks Insurance,Business Insurance,Company Insurance,Design Insurance,Domian name protection,General Requirements,Intellectual Property Insurance,Legal expenses insurance,Liability Insurance,Litigation expenses insurance,Patent Insurance,Solicitors indemnity,Solicitors insurance,Trade,Trade Secret Protection,Trademark Insurance Tags : , , , , , , , , , ,

Lambs slaughtered in Den

Posted by 28 March, 2014 (0) Comment

This article is about people eliminating threats to their business, taking risks and getting others interested. Read on to find out how the intrepid pitch for investment yet fail to illustrate their position on risk, never mind secure someone else’s hard earned finance.

Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

Dragon’s Den is a risk worth taking

 

I learn a lot when watching Dragons Den. It is always interesting to see a great idea. Everybody loves those. Yet, a lot of the time we are treated to ‘car crash television’ where it appears that the unprepared have been literally thrown at the Dragons. I have actually cringed when watching the programme, yet it is rarely the Dragons that scare me. It’s some of the characters that arrive and put their “worst” foot forward. On the other hand, my heart does sink when a genuinely warm, credible person drops themselves in it. Even then, I don’t feel sorry for too long because I have a lot to learn myself.

Even though I’m watching on television, it’s not hard to spot the weak points that are being attacked. I’m always alarmed by those who do have a great idea, a coherent plan and still fail because they didn’t think about the objections that would inevitably be raised. When they shoot themselves down in flames I feel their pain. I suppose not all of it can possibly be unwitting. I expect some people do well out of the exposure even if they don’t get the investment they were after. Good luck to them!

Sometimes you can smell the ill-preparation

 

Recently a couple of entrepreneurs explained they had a huge following and people were biting their arms off to extend their travel and tour company business to take in festivals in different places. I had heard of this type of business yet they seemed to have a way of making it cost efficient and therefore more profitable. The Dragons were listening. Right up until one of the Dragons mentioned that they were not happy that the risks to the business had been thought about in detail. The lady announced that “all it takes is for one hotel to go down and you are snookered”. I had heard the guys mention that they were ATOL/ABTA protected which means that their clientèle are flown home in the event of the holiday providers having financial problems.

They should also have mentioned that ATOL/ABTA (and others) provide insurance that covers them for most of the other costs that follow such issues. They didn’t. Why not? Didn’t they realise this protection was available? Had they decided that insurance was too expensive for their business? It didn’t sound right that people who had been sending clients on trips to festivals around Europe hadn’t put any protection in place for their clientèle, never mind their business. I remain puzzled because the investors lost interest. No surprise there then.

When the Dragon questioned whether they would be able to continue if a third party let them down, all they had to do was say they would insure the risk. Even if they hadn’t arranged it at the time they could have accounted for the investment in their plan. It rarely “breaks the bank” to protect oneself.

 

Wrap Up: If you have a great idea think about the threats that could interfere with your business plan. Reduce them or eliminate the impact completely where possible because Dragons are risk averse, they only  take balanced risks. They don’t assume. They gauge their possible ROI based on all the variable outcomes. You can too.

 

Top Tip: If you are looking for investment try and understand just how risk averse your investors are before you pitch to them. Their previous investments will give you clues.

Categories : Accountants Insurance,After The Event,All Risks Insurance,Building Contractor,Business Insurance,Company Insurance,Contractors Insurance,Customer Service,Design Insurance,Domian name protection,General Requirements,Health & Safety,Intellectual Property Insurance,Legal expenses insurance,Liability Insurance,Litigation expenses insurance,Patent Insurance,Personal Insurance,Solicitors indemnity,Solicitors insurance,Trade,Trade Secret Protection,Trademark Insurance,Uncategorized Tags : , , , , , , , ,

Double agent leaves tenant between a rock and a hard place

Posted by 9 February, 2014 (0) Comment
This article is about tenants, builders and surveyors. One of them behaved badly when an insurance claim occurred and it’s not who you think. Insurance fraud is a huge problem for all of us. This article gives you some clues as to how you can avoid getting caught up, and caught out, when someone thinks it’s OK to commit fraud.
Welcome back, or if you’re new here sign up to our orange RSS button to the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

Leaks can be a real drag

 

A last minute call before Christmas comes from a client in a mini panic because the client facilities at their studio have got pools of water where it shouldn’t be. The area has to be sealed off because of the leak and the business might have to close, albeit temporarily, if gets any worse.

This is a straightforward issue for us, yet it could be the first time a client is going through this scenario and prompt assistance and advice is what they need. We provided the reassurance that we promised, confirming that the damage to their property was covered. However we instructed them to contact their landlords insurance people because the leak had not sprung from nowhere. It was likely that both insurers would need to be involved. This is quite common and, in this case, a managing agent handled insurance affairs for the landlord.

Property Manager or Mangler?

 

After a fashion, I received another call from the client explaining that the property managing agent did not want to offer much assistance. They simply said “the builder must be responsible”. I reminded the client that their landlord had cover for investigating leaks, which had become clear when we checked their insurance provision at the beginning. Armed with this information the client/tenant felt confident in contacting the managing agent and pressing their point home. Subsequently, a surveyor arrives and determines that a pipe has not been correctly sealed, causing water to leak and bubble up through the flooring. Luckily it was water rather than waste that leaked, so the damage wasn’t too messy.

In the ordinary course of things, this would have been simple from here on in. The landlord’s insurance pays for the tracing of the leak and the builder repairs the pipe they installed defectively and the client has insurance to repair the resultant damage to their flooring, etc. The managing agent had other ideas.

Why do people think it’s OK to to defraud insurers?

 

The managing agent contacted the tenant and asked them to pay for the surveyors invoice. When they refused, because it is not their responsibility, the property managing agent said “completely off the record, it will be much easier to do business with us if you tell your insurance company that this was an uninsured part of the landlord’s policy, or write a letter confirming that there were more damaged areas than was actually true”. They wanted to recover the cost of the surveyor without resorting to their own insurance. Or rather, the landlord’s insurance. This seems daft because it’s not their insurance to worry about. It’s the landlord’s! Doing their job properly means presenting insurance claims to insurers in order for them to be settled promptly, fairly, and keep the premises in good shape.

What we know is that this happens all too often. Regrettably, property managing agents have to have their fingers in the landlord’s insurance pie, and they do deals with insurance companies, not always with the landlord’s knowledge, that means that they get paid extra if they do not make too many claims. This is on top of the income they receive for managing the insurance, which is paid to them by the insurance company and allows them to charge the landlord less for the overall management of the property. To landlords this is either something they are unaware of, or dressed up as a good deal. However, they don’t seem to realise that it is going to cost them money in the long run if the property is not well looked after.

Surely the managing agent should be looking after the property rather than trying to earn money out of the insurance that they don’t even pay for. People find it hard to believe that this happens, yet property managing agents seem quite willing to hide the commissions they receive from their clientele and mess up claims situations when it suits them. At the end of the day they always blame the builder or the tenant. Who is the landlord going to believe?

Top Tip: Always check the insurance arrangements of a premises you are about to buy or lease, because you will find insurance history can paint a different picture to the particulars you were originally shown.

Wrap Up: There are some great property managing agents out there yet there are also plenty of rogues. Accountants have told me that they have recovered many hundreds of thousands of pounds from property managing agents who stitched up the owners of properties they looked after. It’s not just on insurance, they do the same on maintenance issues and when repairs are required. Take a closer look at the bills they are sending and see if you can spot any trend that doesn’t make sense.

Categories : Accountants Insurance,After The Event,All Risks Insurance,Building Contractor,Business Insurance,Company Insurance,Contractors Insurance,Customer Service,Design Insurance,Domian name protection,General Requirements,Health & Safety,Intellectual Property Insurance,Legal expenses insurance,Liability Insurance,Litigation expenses insurance,Patent Insurance,Personal Insurance,Solicitors indemnity,Solicitors insurance,Trade,Trade Secret Protection,Trademark Insurance,Uncategorized Tags : , , , , , , , , , , , , ,