Public Risk July 2015


Published by the Public Risk Management Association

www.primacentral.org

JULY 2015

Managing the Risks of SCHOLASTIC CLUB SPORTS and ACTIVITIES

PLUS

The Family Educational Rights and Privacy Act (FERPA): THE HIDDEN RISK IN PLAIN SIGHT

ENERGIZING RISK MANAGEMENT IN HOUSTON

S.A.F.E. Four Steps to Managing a Data Breach




Volume 31, No. 6 | July 2015 | www.primacentral.org

The Public Risk Management Association promotes effective risk management in the public interest as an essential component of public administration.

PRESIDENT
Dean Coughenour, ARM, Risk Manager, City of Flagstaff, Flagstaff, AZ

PAST PRESIDENT
Regan Rychetsky, ABCP, Director, HHS Enterprise Risk Management and Safety, Texas Health and Human Services Commission, Austin, TX

PRESIDENT-ELECT
Terri Evans, Risk Manager, City of Kingsport, Kingsport, TN

Jani J. Jennings, ARM, Insurance & Safety Coordinator, City of Bellevue, Bellevue, NE

DIRECTORS
Lori J. Gray, Risk Manager, County of Prince William, Woodbridge, VA
Scott Kramer, Risk Manager, Montgomery County Commission, Montgomery, AL
Amy Larson, Esq., Risk and Litigation Manager, City of Bloomington, Bloomington, MN
Scott Moss, MPA, CPCU, ARM-E, ALCM, P/C Trust Director, CIS, Salem, OR
Tracy Seiler, ARM-P, Director of Risk Management Services, Texas Association of Counties, Austin, TX

NON-VOTING DIRECTOR
Marshall Davies, PhD, Executive Director, Public Risk Management Association, Alexandria, VA

EDITOR
Jennifer Ackerman, CAE, Deputy Executive Director
703.253.1267 • jackerman@primacentral.org

ADVERTISING
Donna Stigler
888.814.0022 • donna@ahi-services.com

CONTENTS

Managing the Risks of SCHOLASTIC CLUB SPORTS AND ACTIVITIES
By Charles F. Gfeller, Esq. and Mike Otworth CPCU, ARM

The Family Educational Rights and Privacy Act (FERPA): THE HIDDEN RISK IN PLAIN SIGHT
By Joseph G. Jarret

ENERGIZING RISK MANAGEMENT IN HOUSTON
By Jennifer Ackerman, CAE

S.A.F.E. Four Steps to Managing a Data Breach
By Robin Leal

IN EVERY ISSUE
News Briefs | Advertiser Index | Member Spotlight

Correction: The photo credit for the May/June issue was inadvertently omitted. Photo credit: Daniel Maust Photography.

Public Risk is published 10 times per year by the Public Risk Management Association, 700 S. Washington St., #218, Alexandria, VA 22314 tel: 703.528.7701 • fax: 703.739.0200 email: info@primacentral.org • Web site: www.primacentral.org Opinions and ideas expressed are not necessarily representative of the policies of PRIMA. Subscription rate: $140 per year. Back issue copies for members available for $7 each ($13 each for non-PRIMA members). All back issues are subject to availability. Apply to the editor for permission to reprint any part of the magazine. POSTMASTER: Send address changes to PRIMA, 700 S. Washington St., #218, Alexandria, VA 22314. Copyright 2015 Public Risk Management Association Reprints: Contact the Reprint Outsource at 717.394.7350.

JULY 2015 | PUBLIC RISK





Message from PRIMA President Dean Coughenour, ARM

NOT RISK MANAGER, BUT RISK CONSULTANT

What a PRIMA experience in Houston! From the educational sessions, to the networking, the exhibit hall and the side conversations with your comrades in risk management, the time just flew by. If you did not have a chance to experience this “recharge” with us this year, it is my sincere hope that you will calendar in next year’s conference in Atlanta. I hope that my first message finds you reenergized and focused on new opportunities from the insights gained at PRIMA’s Annual Conference to improve your risk management results as you have gone back to the work at hand, “protecting our assets.”

YOU are the most knowledgeable risk management professional your organization has. But, are you the only risk manager? Each of us has a unique opportunity to make a difference in our entity through the handling of claims, insurance renewals and the myriad day-to-day things that we do. But are we a party of one? What if all of our employees thought of themselves as risk managers and we as their risk consultant? What kind of impact could we make inside of our organization? All too often we find ourselves entrenched in the transactionals of the day-to-day rather than building the transitional bridge to tomorrow. You are the conductor, mentor, leader and motivator innovating ways to “protect our assets,” but you cannot do it alone.

I often ask myself the question, “Is what I am doing right now making a difference in preventing the NEXT accident/incident or mitigating one that has already occurred?” I have found that many times the answer is no and I need to change the process or eliminate it. Sometimes we become stuck in process or, “that’s the way we have always done it,” and may not have asked the question, “Is this really important?”

When we move to a position of empowering our employees to become proactive risk managers for our organization, we accelerate our results. We rapidly move the needle from the transactional to the transformational, where each employee IS the risk manager. You are special, the one and only, uniquely original and no one can replace you! You are in a position to put training and programs in place that will help your employees make that transformation to risk manager. PRIMA is your partner in doing exactly that. In making the transition, you help employees to begin taking responsibility not only for themselves but for others on the team. They begin to look out for and take care of each other, building a culture of proactive risk management.

I would like to challenge you to ask the difficult questions, look at the transactional and see if what we do today is making an impact on tomorrow. You are the expert at considering the past, evaluating the present and building the future. You ARE the risk management consultant for your team and you ARE making a difference. Thank you for what you do, you ROCK!!


Dean Coughenour, ARM 2015–2016 PRIMA President Risk Manager City of Flagstaff Flagstaff, AZ



News Briefs

PHILADELPHIA PAID SICK LEAVE LAW TAKES EFFECT

Philadelphia's paid-sick-leave law takes effect, and city officials are encouraging workers to make sure their employers know about the new rules, reports the Philadelphia Inquirer. Passed in February, the law requires employers with 10 or more workers to offer paid sick time. Employees who were not previously given sick leave can start accruing it at a rate of one hour of paid time per 40 hours worked. The law caps sick time at 40 hours a year, or five eight-hour days. Councilman William K. Greenlee, who pushed for the bill for more than three years, said the new law applies to 180,000 to 200,000 city residents.

Weeks after Nutter signed it into law, the state Senate passed legislation to quash it. That bill—which would make municipal paid-sick-leave laws illegal—is awaiting a final vote in the House. Greenlee said he hopes that if the bill passes in the House, as expected, Gov. Wolf will veto it. “We now have a law, and we're moving forward with it, and whatever happens in Harrisburg, we'll see what happens,” Greenlee said. Greenlee encouraged employees to talk to their bosses and make sure there is a record of time worked. He said the Managing Director's Office would receive complaints about noncompliant employers.

MEDICAL MARIJUANA CLEARS LEGAL HURDLE IN FLORIDA

Florida regulators said they expect to provide access to a limited strain of non-euphoric marijuana for medical purposes by the end of the year after a Tallahassee judge dismissed the final challenge to the long-awaited rule. The Florida Department of Health, which developed the rule, is expected to start accepting applications within three weeks from eligible growers for the strain of marijuana that is low in euphoria-inducing tetrahydrocannabinol, or THC, and high in cannabidiol, or CBD. Growers could start selling to eligible patients who are put on a state-run “compassionate use registry” within months, reports the Miami Herald.

“I am one happy legislator,” said Rep. Matt Gaetz, R-Shalimar, one of the sponsors of the 2014 legislation that attempted to expedite the development and cultivation of the so-called “Charlotte's Web” strain of low-THC marijuana to help people suffering from epileptic seizures, cancer and other ailments. Legislators had intended for the medical strain of cannabis to be available to Floridians by January of this year but regulators had their first rule rejected, and then faced a series of legal challenges.

The ruling by Administrative Law Judge W. David Watkins came after two days of testimony and more than a year after the Legislature had passed the law. The rule challenge was brought by Baywood Nurseries of Apopka whose owners, Raymond Hogshead and Heather Zabinofsky, alleged that the rule proposed by the state was unfair and vague. Watkins is the same judge who tossed out DOH's first attempt at a rule last year, prompting the agency's Office of Compassionate Use to hold a rulemaking workshop involving a handpicked panel of advisors from various parts of the industry.

Under the law, nurseries that have been in business for at least 30 years in Florida and grow a minimum of 400,000 plants are eligible to apply for one of five licenses to grow and distribute marijuana within the state. About 100 nurseries meet the criteria, according to the Florida Department of Agriculture. Under the proposed rule, dispensing organizations would have to prove that they would be able to stay in business for at least two years and be able to cover not only the bond but what could be expensive start-up costs. “Start your engines,” said Taylor Biehl, of Capital Alliance Group, which represents a consortium of cannabis growers who want to cultivate and distribute the strain in Florida.



TURNING SEWAGE INTO DRINKING WATER GAINS APPEAL AS DROUGHT LINGERS

It's a technology with the potential to ease California's colossal thirst and insulate millions from the parched whims of Mother Nature, experts say. But there's just one problem—the “yuck factor.” As a fourth year of drought continues to drain aquifers and reservoirs, California water managers and environmentalists are urging adoption of a polarizing water recycling policy known as direct potable reuse, reports the Los Angeles Times. Unlike nonpotable reuse—in which treated sewage is used to irrigate crops, parks or golf courses—direct potable reuse takes treated sewage effluent and purifies it so it can be used as drinking water. It's a concept that might cause some consumers to wince, but it has been used for decades in Windhoek, Namibia—where evaporation rates exceed annual rainfall—and more recently in drought-stricken Texas cities, including Big Spring and Wichita Falls.

In California, however, similar plans have run into heavy opposition. Los Angeles opponents coined the derisive phrase “toilet to tap” in 2000 before torpedoing a plan to filter purified sewage water into an underground reservoir — a technique called indirect potable reuse. In 1994, a San Diego editorial cartoonist framed debate over a similar proposal by drawing a dog drinking from a toilet bowl while a man ordered the canine to “Move over...”

Despite those defeats, proponents say the time has finally arrived for Californians to accept direct potable reuse as a partial solution to their growing water insecurity. With Gov. Jerry Brown ordering an unprecedented 25 percent cut in urban water usage because of drought, the solution makes particular sense for large coastal cities such as Los Angeles, they say. Instead of flushing hundreds of billions of gallons of treated sewage into the Pacific Ocean each year, as they do now, coastal cities can capture that effluent, clean it and convert it to drinking water.

“That water is discharged into the ocean and lost forever,” said Tim Quinn, executive director of the Association of California Water Agencies. “Yet it's probably the single largest source of water supply for California over the next quarter-century.”

The advocates' hunch that severe drought has changed long-held attitudes on potable reuse may be on the mark. Recently, a leader in the effort to stop the Los Angeles project more than a decade ago said he still opposed it but might consider a new plan if officials made a solid case for it. He said one of the reasons he opposed the original plan was that “incompetent” officials failed to explain their rationale to residents in the first place. “You know, toilet to tap might be the only answer at this point,” said Van Nuys activist Donald Schultz. “I don't support it, but we're running out of options. In fact, we may have already run out of options.”

To be sure, it will be years, or even a decade, before direct potable reuse systems begin operation in California—if ever.



Managing the Risks of SCHOLASTIC CLUB SPORTS and ACTIVITIES

By Charles F. Gfeller, Esq. and Mike Otworth CPCU, ARM [1]



Scholastic club sports and activities have grown in popularity and provide a positive opportunity for students to engage in various recreational activities. As participation in these activities continues to increase across schools, the possibility of injury also increases. When these two variables combine, they result in rising claims against educational institutions. This article will provide risk managers with suggested policies and procedures to help ensure their institutions are well protected and best situated to resolve possible claims quickly and efficiently. In order to best accomplish this, it is first necessary to understand the various legal duties owed by elementary and secondary schools, as well as colleges and universities, with respect to their students.

THE DUTY OWED TO STUDENTS IN ELEMENTARY AND SECONDARY EDUCATION

A public or private school, at least through the high school level, owes a general duty of supervision to the students placed within its care.[2] For private boarding schools, the duty may even be greater. Specifically, the United States District Court in Connecticut recently issued a decision where it noted that a boarding school “accepts responsibility for students' well being.”[3] Regardless of whether a school is private or public, students may be able to recover from a school district where there is evidence presented that supervision would have prevented an accident. For example, in the case Verhel by Verhel v. Independent School District No. 709, 359 N.W.2d 579 (Minn. 1984), the Supreme Court of Minnesota found a school district had a duty to supervise its cheerleading team in the summer months because the team held regular practices during these months.[4] The Court then found the school breached its duty of supervision when it allowed the cheerleaders to banner football players' homes in the middle of the night unsupervised.[5]

Courts have also expanded this duty of supervision to municipalities that undertake a role in supervising minor children. The case illustrative of this principle is Callazos v. City of West Miami, 683 So.2d 1161 (Fl. App. 1996). In Callazos, the City of West Miami agreed to supervise children at a city park after school.[6] One child participating in the program was injured by a baseball bat swung by another child.[7] The Court found proper supervision would have prevented the accident, and held the city negligent in failing to provide supervision in a reasonably prudent manner.[8]

Colleges and universities also owe a duty, albeit somewhat limited, to their students.

THE DUTY OWED BY POSTSECONDARY INSTITUTIONS

On October 10, 2008, Randall Duchesneau filed suit against Cornell University seeking upwards of $75 million in damages from an accident occurring two years earlier when Duchesneau was attempting an inverted gymnastics maneuver while practicing with Cornell's club gymnastic team.[9] Duchesneau landed incorrectly and suffered catastrophic, permanent spinal injuries which rendered him a quadriplegic.[10] Ultimately, Cornell escaped liability after a jury found it was not legally responsible for the accident.[11] Despite a favorable outcome, Cornell spent more than five years defending the action and undoubtedly incurred significant legal expenses.

In the Duchesneau case, Cornell was able to escape liability due to the erosion of the in loco parentis doctrine. This doctrine, which translates to “in the place of the parent,” describes the historical relationship between a university and its students.[12] Historically, universities exercised a delegated parental authority over their students.[13] Legally, this created a duty of broad protection.[14] Specifically, courts determined that a “special relationship” existed between the university and student, and this relationship imposed a duty on the university to exercise control over student conduct and, reciprocally, gave the students certain rights of protection by the college.[15]

The late 1960s and early 1970s saw student revolutions of all sorts across college campuses.[16] Students were predominately attacking the rigid controls by colleges and demanding more student rights.[17] The students succeeded in acquiring new rights, and notably these student-movements triggered legislation and case law lowering the age of majority to eighteen.[18]

Following this tumultuous period on college and university campuses, two important legal decisions, one from the United States Appellate Court for the Third Circuit and the other from the California Court of Appeals, helped shape the modern day university-student relationship. In the decisions, Bradshaw v. Rawlings and Baldwin v. Zoradi, both Courts found that a college or university is not the “insurer of the safety of its students” and that it is not in society’s interest to transfer the risk of students’ activities to universities when the goal of post-secondary education is the maturation of students.[19] Today, Courts largely abide by the Bradshaw and Baldwin decisions when deciding cases relating to supervision of college and/or university students.

However, Courts have held universities liable when they negligently perform general responsibilities. For example, in the case Kleinknecht v. Gettysburg College, 989 F.2d 1360 (3rd Cir. 1993), the United States Court of Appeals for the Third Circuit found Gettysburg College negligent in its failure to implement emergency medical procedures for collegiate athletes.[20] In that case, a Gettysburg College student, Drew Kleinknecht, was at lacrosse practice when he suffered a heart attack.[21] At the time of his death, the college employed two full-time athletic trainers. Both were certified by the National Athletic Trainers Association, which required current certification in both cardio-pulmonary resuscitation and standard first aid.[22] In addition, 12 student trainers participated in Gettysburg’s sports program.[23] The trainers were stationed in Gettysburg’s two training room facilities at Musselman Stadium and Plank Gymnasium.[24] No student trainers were assigned to oversee the lacrosse practice, and neither of the two athletic trainers were present.[25] The Court held that Gettysburg had a duty under Pennsylvania law to take reasonable precautions against the risk of reasonably foreseeable life-threatening injuries during participation in athletic events. The Court further held that Gettysburg owed a duty to its student-athletes to have measures in place at the lacrosse team's practice in order to provide prompt treatment in the event that Kleinknecht, or any other member of the lacrosse team, suffered a life-threatening injury.[26]

In a similar case, Speigler v. State of Arizona, the University of Arizona was found liable for failing to provide access to a defibrillator in its fitness center after a female student suffered a heart attack while riding a stationary bike.[27] The jury entered a $5.1 million verdict against the State of Arizona.[28]

MANAGING THE RISKS OF CLUB SPORTS AND ACTIVITIES

As demonstrated by the case law above, institutions providing students access to club sports and activities open themselves up to possible litigation. As such, risk managers should have a risk management process in place to analyze all of the risks associated with that particular club activity. The process should adhere to the following steps:

➊ Identify all of the risks associated with the club sport and/or event.
➋ Evaluate each risk as to its frequency and severity.
➌ Determine the best treatment option available to minimize or at least manage the risk.
➍ Implement a sound management plan to address the risk at hand.[29]

A successful management plan should focus on the four key areas of concern regarding club sports and activities: (1) travel, (2) playing fields and facilities, (3) equipment, and (4) sports/activity-related injuries. An institution can manage the risks created by all four of these concern areas through the use of waivers, or in jurisdictions where waivers are unenforceable, through the use of acknowledgment of the risks documents. Institutions should also implement certain policies and procedures specific to each area of risk. Institutions should also look for risk transfer opportunities.

Travel

In the context of colleges and universities, club teams typically have three options for travel: (1) hire an independent transportation company; (2) rent a university-owned vehicle driven by a student; and, (3) student-owned, and -driven, private vehicles. Of these three options, the use of an independent transportation company can include a risk transfer away from the school or university. For elementary and secondary schools, this is a common way of transporting varsity teams and other groups, like bands, etc.; however, clubs are not typically transported by bus, as the cost is often too high. Likewise, colleges and universities rarely utilize private transportation companies for the transportation of club participants. The second option places much of the risk on the university and is, therefore, not recommended from a risk management perspective. The third option is likely the most common of the three travel options, but is a cause of concern for universities as there is little control over the actions of students.

To best control the risks posed by allowing students to use their own private vehicles to transport other students, institutions should maintain a list of approved drivers for all clubs/teams and confirm that all listed drivers are properly licensed, fully insured, and possess clean driving records. Institutions should also implement distance restrictions and night time travel bans or curfews for organized club activities. Finally, institutions should consider implementing oversight procedures, including check-in and checkout requirements, where drivers must inform administrators when they arrive back on campus. Institutions need to walk a fine line between managing the risk and exercising too much control over club activities.

Playing Fields and Equipment

Schools should ensure that any and all equipment and fields/facilities utilized by student participants are in good condition, even if the fields or facilities are independently owned or operated. While this advice is common sense, it is good practice for administrators to routinely check all equipment and fields/facilities to ensure there are no dangerous conditions present. To the extent that a particular activity or sport requires the use of protective equipment, the school should consider notifying all participants of the equipment necessary for participation and confirming that said equipment is actually being used and is in reasonably good condition.

Injuries

While injuries are common and a recognized risk of participation in certain extracurricular activities, schools can position themselves to best respond to medical emergencies by obtaining consent to treat waivers from all participants. Institutions should also provide contact information for trainers during practices and hire emergency medical technicians for games.

RISK TRANSFER AND EDUCATION

A key way to manage the risks posed by club sports and activities is to implement procedures that transfer risk away from the institution. Of course, liability waiver/release documents should be executed by all participants where legally appropriate, and acknowledgment of risk documents should also be utilized to inform and educate students (and their parents) of the risks of a particular activity. A school should consider whether a particular activity has a national governing body that may provide insurance to members. For example, a school with a club ice hockey team should make sure that the club requires all players to register with USA Hockey and that the team participates in USA Hockey-registered events. USA Hockey membership and registration is inexpensive and provides certain insurance benefits to members/players.

Each club should also maintain a simple three-ring binder (or comparable tablet-based set of documents), with all necessary emergency information and procedures included. The binders should include copies of all waivers and releases signed by team members, consent-to-treat documents for each participant (which typically list any known allergies), and emergency contact information. In the event of an emergency, the binder can be the first source of potentially critical information.

Institutions should consider implementing policies requiring club athletics practices to be held at set places and times so administrators know where the students are in case of emergency. For games taking place at home, EMTs should be present or readily available, and referees should be certified/qualified. For away games or activities, travel plans and times should be submitted to administrators, all teams should be provided with first aid kits, and clubs/teams should know where they are physically located and be aware of where the nearest hospital or medical center is located.

In implementing these procedures, institutions may find it beneficial to require clubs and teams to provide the names of one or two members who will act as liaisons between the administration and the club/team. Institutions should also require the two identified members from all club sports and activities to participate in mandatory training where the institution’s policies and procedures are reviewed. For higher risk activities, an institution may consider mandatory training for all participants and, if the students are elementary or secondary school students, parental involvement in the training, as well. This allows for uniform communication and minimizes the chance that a team or activity fails to receive vital information.

CONCLUSION

Club sports and activities are enjoyed by all participants and are a significant addition to the educational experience at all levels of schooling. However, if institutions do not properly manage the risks posed by these activities, they face the prospect of expensive litigation. Education and management of the known risks can go a long way toward keeping students safe and minimizing the potential legal exposure associated with these activities. We recommend all risk managers go through the following checklist at the beginning of each season as part of their risk management plan:

➊ Identify “key” individuals from each club sport and activity (i.e., head coach, team captains) who will be the liaison between their activity and the risk manager.
➋ Ensure the “key” individuals are aware of the responsibility of their role.
➌ Hold a meeting at the beginning of each season with the “key” individuals. At this meeting hand out all waivers, releases, consent to treat forms, etc. Implement a deadline to return these documents and enforce it.
➍ Monitor and review compliance with risk management strategies at least annually and address any concerns with all members of the club sport and/or activity.

In summary, by taking these proactive measures before the start of each club sport or activity, you can go a long way in protecting the safety of both the students and staff while minimizing the school’s liability exposure.

Charles F. Gfeller is a partner with the law firm of Seiger Gfeller Laurie LLP. Mike Otworth is a vice president and senior unit claim manager for Genesis Insurance Management Services.

FOOTNOTES

1. The authors wish to recognize the significant efforts of Shrina Faldu of Seiger Gfeller Laurie LLP who contributed much of the research and assisted with the drafting of this article.
2. Munn v. Hotchkiss School, 24 F. Supp. 3d 155 (D.Conn. 2014).
3. Id.
4. Id. at 587-88.
5. Id. at 589.
6. Callazos v. City of West Miami, 683 So.2d 1161, 1163 (Fl. App. 1996).
7. Id. at 1162.
8. Id. at 1163-64.
9. Duchesneau v. Cornell University, Civil Action No. 08-4856, at 1-2 (E.D. Pa. 2013).
10. Id.
11. Id. at 8.
12. Bradshaw v. Rawlings, 612 F.2d 135, 139 (3rd Cir. 1979).
13. Id.
14. Id.
15. Id.
16. Id. at 139.
17. Id.
18. The Twenty-Sixth Amendment to the United States Constitution, passed in 1971, lowered the age of majority to eighteen.
19. Id. at 139; Baldwin v. Zoradi, 123 Cal. App.3d 275, 287 (1981).
20. Kleinknecht v. Gettysburg College, 989 F.2d 1360 (3rd Cir. 1993).
21. Id. at 1363.
22. Id.
23. Id.
24. Id.
25. Id.
26. Id. at 1369, 1370.
27. Ann McBride, "Director in 'disbelief' over Spiegler ruling," Arizona Daily Wildcat, February 21, 1996.
28. Id.
29. Sports Club Council University of Central Florida, “Risk Management and Safety” (available at: http://ucfsportclubs.orgsync.com/HandbookSafety).



The Family Educational Rights and Privacy Act (FERPA): THE HIDDEN RISK IN PLAIN SIGHT

By Joseph G. Jarret

Educational institutions from K-12 to higher education are increasingly transitioning from paper records to electronic data systems and web-based applications to store, process and deliver education data to internal users and external partners. Consequently, student records that were previously paper-based documents are now being stored digitally. Because education records contain significant amounts of sensitive, personally identifiable information (PII), public risk managers must ensure that such PII is appropriately protected and managed lest their entity run afoul of the Family Educational Rights and Privacy Act of 1974 (“FERPA”). A violation can lead to undesirable consequences, including financial losses, reputation damage and loss of public confidence in one’s entity.


FERPA: POLICY & PROCESS

FERPA was signed into law by President Ford in 1974. This broad law applies to all educational agencies and institutions, such as schools, school districts and post-secondary institutions that receive funds under any program administered by the United States Department of Education.

The intent behind promulgating FERPA was to ensure that educational records are kept private while guaranteeing access to these records by parents who retained the right to inspect and review “any and all official records, files and data directly related to their children.” FERPA likewise gives students who reach the age of 18 or who attend a post-secondary institution the right to inspect and review their own education records, the right to request the amendment of records and to have some control over the disclosure of personally identifiable information from these records. Such data includes, but is not limited to, identifying data, academic work completed, level of achievement (grades, standardized achievement test scores), attendance data, scores on standardized intelligence, aptitude and psychological tests, interest inventory results, health data, family background information, teacher or counselor ratings and observations and verified reports of serious or recurrent behavior patterns.

It is important to note that, although schools cannot legally disclose information considered to be part of an education record without the prior consent of the FERPA rights-holder, the law does provide a limited number of exceptions to the nondisclosure rule. Information that can personally identify a student may be released without prior consent when:

• The information is considered “directory information.” FERPA defines “directory information” as information contained in an education record of a student that would generally not be considered harmful or an invasion of privacy if disclosed. Directory information may include elements such as the student’s name, address, telephone number, photograph, date of birth, place of birth, grade level or major field of study but not a student’s GPA, social security number, student ID number, race, gender, or ethnicity.
• One school official releases information to other school officials with a legitimate educational interest.
• One school sends information to another school that the student wishes to attend.
• The school releases the information to the federal or state authorities conducting an audit or monitoring compliance with education programs.
• The school has been ordered by a court subpoena to release the information, but the school must make a reasonable effort to notify the student or the parents of the court’s request prior to complying with the subpoena.
• An adult student signs a written parental consent, or a parent provides documentation showing that the student is recognized as a dependent for Federal income tax purposes.
• There is an imminent health or safety emergency.

Since its enactment, FERPA has been amended a total of nine times. Most of the amendments were intended to address a number of ambiguities and concerns identified by the educational community, including parents, students and institutions, especially in terms of safeguarding PII.[1]

RISK OF DATA BREACH

Not all PII data breaches are cyber-attacks (defined for our purposes to mean any action taken to undermine the functions and security of a computer network) made by malicious third parties. Breaches in data can range from something as simple as a teacher or professor leaving a stack of graded papers in a box outside the classroom so students could pick them up at their convenience, to posting grades under a student’s name, social security number, or any number that can identify a student.

Regarding cyber-attacks, the risk to information and computer assets comes from a broad spectrum of threats with a broad range of capabilities. The impact on, and therefore the harm to, your entity will depend on the opportunities presented to an attacker (in terms of the vulnerabilities within your systems), the capabilities of the attackers to exploit them and ultimately their motivation for attempting to access the information. Needless to say, data breaches can take many forms including, but not limited to:

• Hackers gaining access to data through a malicious attack;
• Lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);
• Employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and
• Policy and/or system failure (e.g., a policy that doesn’t require multiple overlapping security measures; if backup security measures are absent, failure of a single protective system can leave data vulnerable).[2]

FERPA imposes upon educational organizations both a legal and ethical responsibility to protect the privacy and security of education data, including PII. However, unlike HIPAA[3] and other federal regulations, FERPA does not require public entities to adopt specific security controls. The challenge for the risk manager is that, while this aspect of FERPA provides room for innovation, it likewise imposes upon public entities increased responsibility when it comes to protecting the privacy and security of student data.
As such, the risk manager must ensure that their entity has an established, consistently enforced data breach response policy. The U.S. Department of Education, Privacy Technical Assistance Center suggests that entities, at a minimum, have a policy that:

• Incorporates applicable breach notification legal requirements;
• Addresses data breach response strategy, goals and requirements;
• Specifies incident handling procedures, strategy for deciding on the course of action in a given situation and procedures for communicating with organizational leadership and outside parties/law enforcement;
• Establishes employee expectations in conjunction with human resources (HR) policy and/or employee agreements;
• Identifies the incident response team;
• Conducts regular reviews of the policy to include any necessary improvements and ensure that it reflects up-to-date federal, State and local requirements;
• Identifies a team manager who will be in charge of the incident response (with at least one other person designated to assume authority in the absence of the manager); and
• Assigns and establishes team roles and responsibilities, along with specifying access credentials.

A JOINT EFFORT

Clearly, the risk manager will in all likelihood be working collaboratively with the entity’s information technology (IT) team to ensure that there is continuous monitoring for PII and other sensitive data leakage and loss. It is the IT team that is most often responsible for employing automated tools, like intrusion detection/prevention systems, next generation firewalls and antivirus and anti-malware tools, to monitor and alert about suspicious or anomalous activity. Conversely, it is the risk manager’s role to conduct frequent privacy and security awareness trainings as part of an on-going training and awareness program.


CALENDAR OF EVENTS

PRIMA’s calendar of events is current at time of publication. For the most up-to-date schedule, visit www.primacentral.org.

WEBINARS 2015
• July 15 – Ergonomics & Injury Prevention
• September 16 – Social Media Horror Stories: Don’t Become One!
• November 18 – Employment Practices Liability: Mitigating Risks

PRIMA ANNUAL CONFERENCES
• June 5–8, 2016 – PRIMA 2016 Annual Conference, Atlanta, GA, Hyatt Regency Atlanta
• June 4–7, 2017 – PRIMA 2017 Annual Conference, Phoenix, AZ, Phoenix Convention Center
• June 3–8, 2018 – PRIMA 2018 Annual Conference, Indianapolis, IN, Indiana Convention Center

ENTERPRISE RISK MANAGEMENT: APPLYING THE ISO 31000 STANDARD
Intro Workshop Dates & Locations
• July 15 – Reno, NV
• September 29 – Savannah, GA
Implementation Workshop Dates & Location
• August 10 & 11 – Reno, NV
• November 18 & 19 – Savannah, GA

Such training should include:

• Mandatory privacy and information security training on a recurring basis to all employees, school/college/university officials, contractors and any other staff involved in data-related activities;
• Posting and communicating privacy policies to customers and users (for instance, on the agency web page or on a bulletin board at the office, through statements inserted in documents or emails, etc.); and
• Clearly defining and making easily accessible processes for reporting privacy incidents and complaints (depending on the nature of the event, this may include reporting to the authorities, public and/or individuals affected).

A solid PII risk management program should have the attributes of confidentiality, integrity and availability. Such a risk management program establishes procedures that will allow organizations to identify, plan and implement mitigation strategies and enable them to effectively address the increasing number of vulnerabilities that may be present in their information assets. Risk managers are responsible for assisting their entities in demonstrating high levels of responsibility and due diligence as they take proactive security measures to identify the risks faced by confidential student information and employ countermeasures that are commensurate with the amount of risk identified.

Joe Jarret is an attorney, federal & state mediator and former public risk manager who lectures full-time for the University of Tennessee, Department of Political Science.

FOOTNOTES
1 See generally Legislative History of Major FERPA Provisions at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/leg-history.html for a comprehensive study of the ancestry and progeny of FERPA.
2 The U.S. Department of Education, Privacy Technical Assistance Center: www.ed.gov/ptac
3 HIPAA is the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is designed to protect the confidentiality and security of healthcare information.

PRIMA INSTITUTE
November 4–6, 2015
Albuquerque, NM





PRIMA’S 2015 ANNUAL CONFERENCE IN REVIEW

By Jennifer Ackerman

When more than 1,000 risk managers get together, you know a fun (but safe) week of education and networking will be had. Attendees at PRIMA’s 2015 Annual Conference in Houston were treated to top-notch learning sessions as well as the chance to rub elbows with their risk management peers…and a few dinosaurs!

PRIMA kicked off its conference in style, with a welcome reception for attendees, sponsored by Munich Re. Conference-goers mugged for the cameras at Munich’s photo studio, while they caught up with old friends.

The Monday and Tuesday general sessions, sponsored by Travelers, brought thought-provoking speakers on the topic of managing change as well as how NASA handles risk at the Johnson Space Center. Wednesday’s keynote, Charles Leitch, made the world of social media and the internet a little less scary. Leitch was sponsored by Midwest Employers Casualty Company.

This year, PRIMA launched a well-received series of cram sessions, which were 30-minute learning bites on topics ranging from 30 things to know about contracts to ERM basics. These fun learning labs will be back in 2016!



While learning is why everyone came to Houston, it wasn’t all work! On Tuesday, PRIMA hosted Walk Among the Dinosaurs at the Houston Museum of Natural Science. Sponsored by Gallagher Public Sector and Genesis, the event was a unique opportunity for attendees to enjoy the museum’s dinosaur and Egypt exhibits after hours while they kicked up their heels to a live band.

During the conference, PRIMA awarded its prestigious Public Risk Manager of the Year award to Brett Dahl, administrator for the Department of Administration, Tort and Risk Management for the State of Montana. Other awards presented included achievement awards for risk management programs, products and services, as well as a Public Risk article and author of the year. A complete list of award winners can be found at primacentral.org.

The conference wrapped up on Wednesday with the installation of PRIMA’s new directors, Lori Gray and Jani Jennings. Director Terri Evans was sworn in as president-elect and President-Elect Dean Coughenour became PRIMA’s 2015–2016 president.

Don’t miss the fun in 2016, when PRIMA heads to Atlanta, June 5–8. See you there!



S.A.F.E.

FOUR STEPS TO MANAGING A DATA BREACH

By Robin Leal

The President has made it clear that, just like the government, people, businesses and infrastructure are also vulnerable to cyberattacks. Unfortunately, many are not prepared to quickly recover after an attack even though they may have taken some steps to protect their organizations. It is critical that public entities know what to do to secure their systems and mitigate financial and reputational damage in the event they are breached. These four steps can help keep your business S.A.F.E.

S: SET THE STRATEGY

Thinking about how to respond to a cyber event after it happens is a poor strategy. Public entities need to consider cyberattacks just as they would any other risk, like fire, theft, or severe weather, and plan for them as part of their business continuity strategy. A post-cyber event plan should consider a number of issues, including:

• notifying customers;
• assessing the scope of the breach;
• handling legal policies and procedures to report the event; and
• contacting your insurance agent and carrier, and managing communications.

There also must be a clear protocol in place to identify which employees are managing each component of the plan. For example, it is important to determine who will be responsible for informing the insurance provider and what information he or she needs to provide in the event of a breach. The plan should also delineate which departments, including IT, HR, public relations, legal and operations, are on the incident response team. Identifying how you will respond to a cyber breach in advance will help save time, and money, in the recovery.

A: ASSESS THE BREACH

If an event occurs and data is exposed, it is important to quickly ascertain how widespread the breach was and if systems are secure. Data should also be categorized to determine whether personal information was compromised, such as Social Security numbers, medical records, or financial information. This will enable the company to accurately and quickly notify customers about what took place.

F: FIX THE PROBLEM

Organizations should identify and utilize external resources to assist in managing a cyber-event. A “breach coach” or attorney experienced in security and privacy compliance issues can assist with this. The “breach coach” can also help gather facts surrounding the incident, such as when and where the breach occurred, man-hours spent recovering, and estimates for the overall cost of remediation. These details are necessary to help re-secure an organization’s data network, refine the internal and external communications plan, and serve as evidence if the data breach results in a legal battle. Your cyber insurance carrier or agent should be able to connect your public entity with an experienced “breach coach” to help it recover from an event.

E: EXAMINE YOUR SYSTEMS

Once an organization determines how, when, and where the breach occurred, its IT staff should check to ensure that the data is secured with necessary patches or fixes. Systems should be tested and re-tested thoroughly to help identify process gaps and confirm that sensitive public entity and client data are secure.

Remembering the S.A.F.E. acronym and following each of the steps will help give your public entity an effective plan to make it through a cyberattack.

Robin Leal is a second vice president with Travelers Public Sector Services.



ADVERTISER INDEX

Genesis Underwriting Management Company: Back Cover
Midlands Management: page 13
Munich Reinsurance America: Inside Back Cover
TCPN: page 15

Has your entity launched a successful program? An innovative solution to a common problem? A money-saving idea that kept a program under-budget? Each month, Public Risk features articles from practitioners like you. Share your successes with your colleagues by writing for Public Risk magazine! For more information, or to submit an article, contact Jennifer Ackerman at jackerman@primacentral.org or 703.253.1267.

FIND US ON FACEBOOK!

Keep up with what’s happening at PRIMA and connect with your risk management peers! Visit us at www.facebook.com/primacentral.



Member Spotlight

CITY OF ATHENS: A SMALL TOWN WITH A BIG RISK MANAGEMENT PROGRAM

Athens, Tenn., is a small city located between Knoxville and Chattanooga, with about 14,000 residents and 136 municipal employees providing police and fire protection, sanitation services, code enforcement, parks and recreation and public works services. There is no specific budget for a dedicated risk management staff. However, Athens is fortunate to have Matthew Marshall as its director of purchasing and risk manager. Like many risk managers, Marshall wears many hats.

When frequency increases in liability and workers’ compensation threatened to increase premiums dramatically to levels unsustainable to the government, Marshall evaluated the program and developed a ground-up approach to reducing costs. Marshall developed several real-world approaches to address these issues, with little or no cost involved:

➊ Communication is key, both with the general public to address citizen concerns and with the leadership and employees in each department to solve problems.
➋ Meet with each department head to identify concerns, loss trends and share data to develop department specific solutions to issues.
➌ Identify areas of citizen concern.
➍ Analyze data already being collected by insurers or third-party administrators to find correlating information to address or disprove issues that have been brought to light.
➎ Evaluate policies for cohesiveness, effectiveness and appropriateness.
➏ Evaluate alternative funding mechanisms for programs.
➐ Develop creative alternatives for training, drawing from the knowledge and experience of your employees.

According to Marshall, in order to create an effective program, both in cost to the entity and in human capital, prioritization is the key.

“As an example, by leveraging the assets at our disposal—a fire department that had developed a vehicle training program—and turning it into a viable training for ALL departments with large vehicles required almost no expenditure while permitting departments that rarely worked together to develop camaraderie,” said Marshall. “Requiring department heads to complete a job safety analysis for each position educates both the department and the risk manager on the potential dangers and liabilities and helps develop programming.”

A little creativity, involving departments and citizens, and utilizing data to help determine a plan of action has positively impacted workers’ compensation rates (from 11.3 per 100 employees to 9.2), reduced the frequency and cost of third-party claims by 50 percent, improved morale of employees and helped citizens understand what is involved in providing the services they enjoy.

For more information on the City of Athens’ risk management program, contact Matthew Marshall at mmarshall@cityofathenstn.com.

Each month, Public Risk features a member who has gone above and beyond in a feature column titled “Member Spotlight.” Do you know someone who deserves recognition, has made a contribution or excelled in their profession? If so, we’d like to hear from you for this exciting column, as PRIMA shines the spotlight on its members. To be considered for the Member Spotlight column, contact Jennifer Ackerman at jackerman@primacentral.org or 703.253.1267.




