Sadly, it’s a scenario I’ve seen far too many times in the past 30 years of doing insurance coverage work. A trusted employee in the bookkeeping or accounting department isn’t properly supervised or audited, and begins siphoning off cash to support gambling debts, a drug habit, or expensive tastes.  Sometimes, the employee starts taking cash simply because he or she feels underappreciated.  Sometimes, corporate credit cards are the tool of choice. By the time the fraud gets discovered, the amount of loss can be staggering.  And people end up going to jail.  It’s why, when my wife worked for a major financial institution on Wall Street years ago, she was required to take two consecutive weeks of vacation every year, so auditors could go through all of her books and records with a fine-toothed comb.  Trust but verify, as President Reagan said.

The recent case of Wescott Electric Company v. Cincinnati Insurance Co. (which you can read here, and can read about in this newspaper report) involved the typical scenario.  A former City Councilman in Collingdale, Pennsylvania, who aspired to become a judge, was convicted of stealing nearly $3 million from his employer over the course of 10 years, to finance a long-time gambling habit and a lifestyle that extended beyond his means.   During the last year of the scheme, he stole $700,000 of copper wire and sold it for scrap.

The thief (James Bryan) stole so much from his employer (Wescott Electric Company) that he put the future of the company in doubt. Faced with the staggering loss, Wescott turned to its insurance company, Cincinnati, for some relief and protection.

But, as you can probably guess if you’re a frequent reader of this blog, relief and protection was not forthcoming. There were four 3-year policies that provided employee theft coverage to Wescott. Cincinnati sold the policies in 2004, 2007, 2010 and 2013. All four of the policies were discovery-based policies, meaning that coverage depended on when the Wescott discovered a given loss. To compound the problem, in the third policy, Cincinnati changed the operative language. The 2004 and 2007 policies provided coverage for any loss discovered up to a year after the policy period, but the 2010 and 2013 policies required a loss to be discovered during the policy period. While Bryan had been stealing money from the company from 2003 to 2013, his thievery was not discovered until July 2013, after the end of the 2010 policy.  As a result, Wescott was only able to trigger one per occurrence limit, for $100,000.

Wescott tried various arguments to increase its recovery, including that Cincinnati had changed the language in the policy in 2010 without warning Wescott, but to no avail.  In the end, the judge – who had been a partner with a large law firm that represented insurance companies before becoming a judge – essentially ruled that Wescott should’ve read the 2010 and 2013 policies more carefully and understood how the “discovery” provisions worked.  (By the way, I don’t mean to suggest that the judge did anything improper.  But judges are people too, and their worldview is formed by their life experience.)

One interesting issue in the case involved the number of occurrences during the 2013 policy period (and therefore, the number of $100,000 “per occurrence” limits that could be triggered). The policy defined “occurrence” as “(1) an individual act, or (2) the combined total of all separate acts whether or not related; or (3) a series of acts whether or not related, committed by an employee acting alone or in collusion with other persons.”  In considering this language, remember that Bryan did not steal one giant heap of copper wire.  He committed a series of smaller thefts. (It calls to mind the old song by the great Johnny Cash, “One Piece at a Time.”)

In restricting Wescott’s recovery to only $100,000, the Court wrote: “This definition is unambiguous: Mr. Bryan’s ‘series of acts’ in stealing the copper wire qualify as a single ‘occurrence’ because they were ‘committed’ by a single employee – Mr. Bryan – both before and during the policy period.”  And, as the Court noted, Wescott appears to have conceded the point: “Even Wescott agrees that this definition ‘limits the amount of courage for all thefts during the 2013 policy to $100,000.’”

I believe that this conclusion is questionable (but 20/20 hindsight is a wonderful thing and, unfortunately, I’m not wearing a black robe). It’s at least arguable that the “series of acts” contemplated by the policy language must lead to a single theft. Here, if there were separate and distinct results (that is, separate thefts of wire), then separate per occurrence limits should apply. Suppose, for example, the employee had stolen a truck in addition to stealing copper wire. Wouldn’t the policyholder reasonably expect these to be considered separate thefts, and therefore separate occurrences? Why should the result be any different if there’s more than one theft of wire? Otherwise, the limits should apply “per employee,” not “per occurrence.”

But you can see the numerous problems. If you’re making these policy interpretation arguments to a Court, you’ve already given up control of the situation to a trier of fact who may have a background working with insurance companies.  And the judicial idea that policyholders should read hundred-page policies and comprehend every word and how those words may be applied in a variety of circumstances is an unfortunate fiction. As one (enlightened) Kentucky Court wrote years ago: “Ambiguity and incomprehensibility seem to be the favorite tools of the insurance trade in drafting policies.  Most are a virtually impenetrable thicket of incomprehensible verbosity.  It seems that insurers generally are attempting to convince the customer when selling the policy that everything is covered and convince the court when a claim is made that nothing is covered.  The miracle of it all is that the English language can be subjected to such abuse and still remain an instrument of communication.”   Universal Underwriters Ins. Co. v. Travelers Ins. Co., 451 S.W.2d 616, 622-23 (Ky. Ct. App. 1970).

The bottom line is that you can’t always rely on your insurance to protect you when things go sideways.  While insurance is a critical part of any risk management program, attention to proper controls is far more important.  Without going into great detail about preventing theft by employees, here are just a few suggestions or reminders:

  1. Be alert to changes in employee behavior. If your bookkeeper, office manager, or any employee with private access to the company’s books, products or property suddenly acquires new habits, such as coming to the office on weekends, working through vacation time or working longer hours, it’s important to take notice. Any of these red flags may be reason enough to keep a closer watch on the books and the employee.
  1. Enforce the clear separation of duties. The principle of separation (or segregation) of duties is the cornerstone of a solid internal control system. In fraud prevention, separation of duties involves dividing critical duties among two or more employees or departments. Ensure that you distribute financial duties and responsibilities among your employees. The roles must be well defined and divided; an employee who makes the bank deposits should not collect checks and cash from the clients and vice-versa. And, the person reconciling the bank statements should never be the person writing the checks.
  1. Be diligent about internal controls. One of the best ways to prevent embezzlement is to limit a bookkeeper’s access to signature stamps, blank checks and cash. Requiring a countersignature on all checks is another precaution to prevent fraudulent behavior. Conduct occasional surprise audits to detect theft earlier, or prevent it from occurring in the first place. Your accounting program (such as QuickBooks) may also contain obstacles to fraud.  Never default everyone to full administrator rights, share logins and passwords, or give account access to employees who really have no need for it.