Author: VU Faculty

Employee theft coverage can easily be written under standard ISO crime forms or an employee fidelity bond. However, crime policies cover only theft of the insured's property by employees. Another exposure many businesses have is the theft of customers' property, on and off the insured's premises, by the insured's employees. How can this exposure be covered, if at all?

"An independent agent as well as many other business's have access to all of the info of our clients that could result in an identity theft by an employee. That employee could use the info illegally for their own personal gain, give it to someone else or sell it to someone else. Where is the business protected? Employee Dishonesty, CGL, or some other coverage? Or is it available at all? I may be missing the obvious. Straighten me out!"

"Resident of an apartment building reports a broken ice maker. Building maintenance enters the apartment when resident is not home and makes the repair. No Maintenance/Service Call Report/Notice of entry was left as required in the lease. Tenant subsequently discovers his Rolex Watch is missing from the kitchen drawer. Tenant is certain that maintenance person stole the watch and has filed suit against landlord for recovery. Tenant is an attorney. What insurance carried by landlord, if any, would respond to this claim?"

"My insured is a temporary staffing agency focusing on the technology sector. The insured will provide employees to their clients for specific programming and technology related projects. The insured's employee works at the client site and uses the client's equipment. My insured is concerned about the liability associated with one of their employees intentionally 'hacking' into the client's computer systems and causing damage or harm and/or stealing client proprietary information. I have a Third Party Crime coverage form in place - but there is a provision that the employee obtain financial gain for the loss to be covered. Is their a better way to provide broader coverage?"

"We currently have an identity theft committed in our community allegedly perpetrated by an employee of a property management company. Allegedly, $100,000. is involved and personal data was abstracted from the company's rental records. Numerous businesses need to secure personal data for various reasons (Property Mgt. Cos., Auto Dealerships, Insurance Agencies) so the exposure is a tad bit expansive.

"After extensive review of the Employee Dishonesty Crime form and applying creative approaches, no coverage exists. The Surety Assn. will be changing the form later this year. Regardless, there is a fiduciary exposure that exists and the only coverage available for fiduciary exposures is generally limited to health, welfare and pensions. There is some 3rd party (tangible) employee dishonesty specialty markets available, but that won't provide relief for this type of loss. Any ideas of how this exposure can be met?"

"We insure a records management business that stores medical records. Due to HIPAA , they are concerned about their liability if one of their employees uses the information they have stored for identity theft, discloses sensitive information about a patient such as AIDS, etc. The CGL excludes coverage due to the CCC exclusion. Their employee dishonesty bond does not provide protection.

"I have spoken to two underwriters and three bond brokers and have not been able to identify the coverage our insured needs. Due to the nature of the records they have their employees sign a confidentiality statement. They now want to 'bond their employees.' Can you identify that type of a bond or policy provides this coverage? Warehouseman's Legal Liability?"

"What coverage form would be used if a janitorial company had cleaners at their customers' offices and an employee stole items from the customers of the cleaning company?"

"A contractor did a job at a client’s home and one of his employees stole some jewelry from the home. Would this be covered under his CGL policy?"

These types of questions have come up a number of times. The CGL might provide some coverage for the named insured (not the employee/perpetrator, of course) and, if the customer’s property is taken from the customer’s premises, there is a crime endorsement to cover that. As far as taking a customer’s property from the named insured’s premises, we’re aware of no standard coverage form for that, as outlined by our faculty below. If any of our readers are aware of company products to cover this exposure, please send the info to Bill.Wilson@iiaba.net.

Fidelity coverage or Employee Dishonesty under the BOP policy and even the Employee Theft coverage in the 2000 and 2002 Crime forms would not cover most of these losses. The coverage that exists in these forms is designed for theft of the insured's property from the insured's premises. The loss to the insured in the scenarios cited above is an indirect loss...the direct loss is to the customer. The 2000 Crime form contains the following exclusion:

d. Indirect Loss
   Loss that is an indirect result of any act or
   "occurrence" covered by this insurance including,
   but not limited to, loss resulting from:

   (2) Payment of damages of any type for which you are
       legally liable. But, we will pay compensatory
       damages arising directly from a loss covered
       under this insurance.

In addition, the basis for an Employee Dishonesty requires two criteria to be met: 

1.  An intent to cause a loss to the insured, AND

2.  A financial gain on the part of the employee.

Since the loss is not to the insured, both criteria are not met and there is no Employee Dishonesty loss.

There are a couple ways to cover this loss. The first way is with a Business Services Bond. These are readily available but usually require conviction of the employee before they will pay. The second way is to use the 2000 or 2002 Crime form and add the CR 04 01 - Clients' Property Endorsement. This extends the Employee Theft insuring agreement to include theft by employees of property belonging to clients of the insured at the client's premises. As for theft of a client's property by an insured's employee from the insured's premises, I'm not aware of a standard way to cover this.

Regarding theft of electronic information, it appears that this insured is a prime candidate for one of the new breed of "ecommerce" type programs. It's possible that there could be some coverage under a crime form or even the CGL, but there are exposures here that need specialized treatment.

Requiring the employee to obtain some financial gain is typically included in the definition of Employee Dishonesty. Employee Theft (an insuring agreement in the 2000 Crime Form), on the other hand, only requires there to be a “deprivation” to the insured. In this case, however, the insured it the Temp Agency and the company suffering the loss is not the “insured”, it is the client of the insured. The 2000 Crime Form has an endorsement, CR 04 01 03 00- Clients' Property Endorsement, which covers the insured in case an employee steals something from a client of the insured. The theft must take place at the client’s premises.

The problem I see here is that the Crime policy covers money, securities, and other TANGIBLE property. This temp agency is involved in such a way that many of the losses that could occur may not be to “tangible” property. It would seem to me that some type of E-Commerce coverage offering both third party liability and some form of crime-type coverage would be best suited to this type of exposure.

It’s possible that the CGL could pick up coverage since it was not intended by THE insured. Property Damage is defined as physical injury to tangible property or loss of use of the tangible property without physical injury. By this definition, if the insured’s employee hacks in and causes a loss of functionality of the property, the loss of use would be covered. If the insured’s employee caused actual physical injury to the system (not software) the damage to the system might also be covered, barring application of the "CCC" exclusion. As I read the form, though, it would appear that damage to the software would not be covered, only the loss of use because of the software damage.

Regarding the release of confidential information....

1)  The CGL includes invasion of privacy in coverage 'B'. That could be an allegation in a lawsuit in the situation you describe. If it was, the CGL would defend and possibly pay damages.

2)  CCC should not make any difference as this is intangible property. But as 'property damage' is only covered for tangible property, I do not see any part 'A' coverage.

3)  Bonding individual employees allows the employer to have the individual complete the bond application. As the application can ask questions not permitted to the employer, you may weed out potential problem employees. You just have to make being bonded as a condition of the job. So bond everyone for employee dishonesty even though it really does not cover this exposure.

I don't know of any other product suited to this exposure unless it is a VERY broad type of EPLI coverage. The problem is that EPLI and similar products are often designed to protect the employer from suits by employees. In this case, the need is for coverage for suits by third parties arising out of employee actions. As such, you should make sure that the product being considered is that broad. Traditional liability policies either don't cover the nature of these types of suits or won't respond to claims arising out of violations of HIPAA and similar acts.

Until a company comes up with a product tailored to this exposure, insureds should practice alternative risk management techniques, particularly in the screening and monitoring of employees.

Your faculty rightly identifies the limitation of most crime policies to "tangible property," but they've failed to consider the coverage in the new ISO employee theft form for theft by insured's employee of client's tangible property from the insured's premises.

There's no dual-trigger manifest intent requirement in the new ISO employee theft (or most other employee theft forms). The definition of theft as "unlawful taking to the detriment of the insured" accomplishes most of the same purposes for the insurer. In many situations the new form would provide coverage for theft by the insured's employee of a client's property from the insured's premises, based on the following wording:

Ownership Of Property; Interests Covered
The property covered under this insurance is
limited to property:
(1) That you own or lease;
(2) That you hold for others; or
(3) For which you are legally liable, except for
property inside the premises of a "client" of yours.
"Client" means any entity for whom you perform services under a written agreement.

Your faculty has correctly identified the endorsement needed to provide coverage inside a client's premises.

The new employee theft form has been slow in gaining acceptance, but I think that, on balance, it's a better form. This is especially true in those states that have ruled that a loss due to a bookkeeper increasing his/her own salary does not satisfy the manifest intent requirement that the benefit be other than wages, salary or commissions and is therefore not covered. (Incidentally, I think those decisions are wrong. They overlook the "earned in the course of normal employment" wording, but I haven't been appointed to the bench yet.)

Jerome Trupin, CPCU, CLU, ChFC
Trupin Insurance Services
Insurance Consulting & Education
Expert Witness Testimony
10 Beechwood Way
Scarborough, NY 10510
voice + fax 914-762-1842
email: trupinj@cs.com

Editor's Note:  Jerry is correct. Here's a further clarifying faculty response inadvertently left off the original article:

The CR 04 01  endorsement Insuring Agreement says:

A. The following insuring agreement is added to
Section A. Insuring Agreements:

We will pay for loss of or damage to "money",
"securities" and "other property" sustained by your
"client" resulting directly from "theft" committed
by an identified "employee", acting alone or in
collusion with other persons.

Where the article might mislead the reader is a common mistake when reading the endorsement---note the term "client" is defined, but not in the endorsement--it is defined in the Crime Coverage form as:

2. "Client" means any entity for whom you perform services under a written agreement.

This definition was not in old forms.

Note there must be a written agreement  to perform services with the client, so if the building maintenance man steals a watch in an apartment where they are working the endorsement probably will not provide coverage if no written agreement.