Keeping you updated

3 Questions to Ask When Addressing Sexual Harassment at Your Business

It’s always been important to protect your business and employees from sexual harassment, but recent high-profile cases show the importance of re-examining this topic at your business. Social movements like “Me Too” have drawn attention to sexual harassment in the workplace, resulting in a growing number of misconduct allegations. These allegations can lead to a wide variety of claims as well as serious financial and reputational damage.

Insurance companies, courts and regulatory agencies will begin to examine businesses closely to ensure they take sexual harassment seriously and act to protect their employees and customers. The following are some questions you need to consider when addressing sexual harassment at your business:

  1. How do you encourage employees to report inappropriate conduct? The best way to address sexual harassment allegations is to respond quickly. Regularly remind employees that there won’t be any retaliation for reporting inappropriate behaviour. You should also ensure there are multiple ways for employees to make anonymous reports to management.
  2. Does your employee harassment training address your workplace’s unique traits? A standard workplace policy is a good starting point for addressing sexual harassment, but you should also think about how your employees interact with co-workers and customers.
  3. Do your insurance policies include exclusions for sexual harassment? Many commercial general liability policies exclude claims for sexual harassment. Depending on the policy wording, sexual misconduct-related events may or may not be covered, so it’s important to be specific and ask questions during the underwriting process.

Contact your insurance broker for more information.

© Zywave, Inc. All rights reserved

 


Professional Liability Insurance for Design-build Firms

Design-build is a project-delivery method that provides an owner with one point of contact for both the design and construction elements of a project. This process has gained popularity in recent years largely due to its simplicity, affordability and speed.

While the design-build method has many benefits, it can expose firms to risks they wouldn’t otherwise experience during the traditional design-bid-build method. As such, it’s essential that design-build firms understand all of the risks associated with the design-build process.

Unique Design-build Exposures

Unlike the more traditional design-bid-build project-delivery method, there isn’t a clear distinction between the firms performing the construction work and the architects and engineers offering their professional services. This means design-builders are accountable for the accuracy of the plans, the execution of construction and the safety of the job site.

As such, design-builders can be held liable for workplace accidents, specification errors, material failures, construction errors and delays. Essentially, by taking on the design elements of a project, firms inherit more professional liability. These liabilities can result in severe financial losses.

When it comes to managing all of the new risks the design-build process brings, general liability policies are simply not enough. Under most commercial general liability policies, professional liability exposures are excluded from coverage.

In particular, claims related to the act of preparing blueprints, reports, surveys, field orders, change orders, specifications and other professional services could all be excluded from coverage. Professional liability policies are designed specifically to fill in gaps caused by general liability limitations.

For design-builders, the most effective way to protect against exposures is to secure unique insurance tailored to the sector. Specifically, professional liability policies can provide the proper coverage for design-build firms.

These policies provide coverage for claims stemming from an actual or alleged act when performing a professional service. Working in conjunction with other policies, professional liability insurance is a critical component to a design-builder’s risk management program. What’s more, working with a qualified insurance broker, these policies can be tailored to meet the unique needs of design-build firms.

More Information

Design-build construction is an increasingly popular approach with many benefits. However, using this method increases professional liability exposures and creates a variety of risk management challenges. When taking on design-build projects, firms have a lot to consider, including performance guarantees, licensing requirements and appropriate coverage. Contact your insurance broker today to learn about your firm’s identification options, review your exposures and bolster your risk management options.



Protecting Intellectual Property in Manufacturing

Some of a manufacturer’s most important assets are its intellectual property (IP)—intangible assets like patents, trademarks and trade secrets. For manufacturers, this can include, but is not limited to, proprietary information like product designs, unique processes, names and software.

Organizations that fail to protect their IP may struggle to foster innovation, keep up with the competition and reap the benefits of their inventions. The government offers a couple forms of IP protection, including patents, copyrights and trademarks. These classifications can protect things like:

  • Tangible assets
  • Names, phrases and branding associated with your products
  • Trade secrets and the expression of ideas

While patents, copyrights and trademarks are critical, there’s more manufacturers can do. To further protect the various types of IP, consider the following strategies:

  1. Address IP ownership through written employee agreements. Clearly state that you own all IP generated by employees throughout their employment and that previously created IP—such as work done during prior studies—should not be used without clear permission.
  2. Address IP ownership through written agreements with contractors and service providers. Be sure to consider IP that is owned, generated or developed by all applicable parties throughout the duration of a contract or agreement.
  3. Address licence rights and IP ownership in agreements with customers. Key topics to consider include IP ownership, IP retention, and restrictions related to use, distribution, sublicensing and assignment.

In addition to the above, organizations should consider speaking to a qualified insurance broker to better protect their IP.



Federal Data Breach Regulations Take Effect Nov. 1, 2018

Overview

Starting Nov. 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations that suffer a data breach involving personal information to:

  1. Report the breach to the Privacy Commissioner of Canada (Commissioner).
  2. Give notice of the breach to affected individuals.
  3. Maintain records of data breaches that affect personal information.

In order to avoid fines and penalties, organizations will need to understand PIPEDA and its basic requirements.

Background

PIPEDA is Canada’s federal privacy law that governs the collection, use and disclosure of personal information in the course of commercial activities by private sector organizations and federally regulated businesses. In 2015, PIPEDA was amended by the Digital Privacy Act (DPA), an act that made a number of important changes to PIPEDA.

While most of the amendments contained in the DPA came into force in 2015, the mandatory data breach notification, reporting and record-keeping provisions weren’t initially enforced. Instead, the law indicated that they would be brought into force only after corresponding regulations were finalized.

On Sept. 1, 2017, the Canadian government published draft regulations relating to these requirements. The government accepted public comments on the draft regulations until Oct. 2, 2017, after which time the government completed its consultation process. The government recently published the regulations and announced that mandatory breach notifications under PIPEDA will be enforced beginning Nov. 1, 2018.

The amended PIPEDA applies to organizations’ commercial activities across all provinces, except in provinces where equivalent privacy laws exist. To date, Alberta, British Columbia and Quebec have implemented laws deemed to be substantially similar to PIPEDA. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia and Ontario are partially exempt from PIPEDA, as these provinces have adopted similar legislation with respect to personal health information.

Overview of the Regulations

There are effectively three major sections of PIPEDA to be aware of—reports to the Commissioner, notifications to affected individuals and record-keeping. The following is an overview of the requirements that employers need to consider:

Reports to the Commissioner

If an organization suffers a breach of security safeguards involving personal information under its control and it is reasonable to believe that the breach creates a real risk of significant harm to an individual, then the organization must report the breach to the Commissioner after the organization determines that the breach has occurred. According to the regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause.
  • The day on which, or the period during which, the breach occurred.
  • A description of the personal information that is the subject of the breach.
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm.
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach.
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Communications to the Commissioner should be made via a secure means. Companies are encouraged to refer to the key steps in responding to a privacy breach released by the Commissioner. These steps, as well as supplementary information on responding to breaches, can be found here.

Requirements for Notifying Affected Individuals of a Data Breach

If an organization suffers a breach of security safeguards involving an individual’s personal information under the organization’s control and it is reasonable to believe that the breach creates a real risk of significant harm to the individual, then the organization must notify the individual of the breach. Notifications must be given as soon as possible after the organization determines a breach has occurred.

Notification to an affected individual must contain sufficient information to allow the individual to:

  1. Understand the significance of the breach.
  2. Take any available steps to reduce the impact of the breach.

Per the regulations, a notification to an affected individual must contain the following:

  • A description of the circumstances of the breach.
  • The day or time frame the breach occurred.
  • Descriptions of the type of personal information that was compromised during the breach.
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm.
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner. Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual.
  • The cost of giving a direct notification is prohibitive for the organization.
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

PIPEDA requires organizations to maintain a record of every breach of security safeguards. The regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

An important distinction here is that records must be maintained for every data breach, and not just those that create a real risk of significant harm. This means that organizations will be required to keep records of data breaches even if they don’t have to report the breach to the Commissioner or notify affected individuals.

Next Steps

Organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact. Some general preparations to consider include the following:

  1. Ensure you are informed on all the new requirements.
  2. Prepare for data breach scenarios.
  3. Train your employees.
  4. Update your internal processes.
  5. Assess your data storage and response strategies.
  6. Obtain the proper insurance coverage.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.



Canada Ranks Third Among Countries Most Vulnerable to Cyber Attacks

According to The National Exposure Index, a report released by cyber security vendor Rapid7 Labs, Canada ranks third on a list of countries most vulnerable to cyber attacks. The goal of the report was to determine which countries are most at risk for deliberate, wide-scale breaches.

Countries were ranked based on their unencrypted services on the public internet, services on the internet that are unsuitable for public access and services that are subject to abuse. Notably, researchers found that countries with the most risk have a significant investment in, and reliance on, a safe and stable internet.

Other interesting findings include the following:

  • The top five countries in the 2018 exposure ranking were the United States, China, Canada, South Korea and the United Kingdom. Together, these countries control over 61 million servers on at least one of the ports surveyed.
  • There are 13 million exposed endpoints associated with direct database access.
  • There are about 40,000 unpatched, out-of-date servers. These servers are at risk of being targeted in future, large-scale distributed denial-of-service attacks.
  • Mature and traditionally profitable countries are not the only ones that rely on a healthy internet. As of 2018, more than half of the entire world maintains an active internet presence.

Rapid7 Labs hopes internet service providers can use these findings, with the help of policy-makers, to create a more secure global internet. To read the full report, click here.


