Archive for August, 2009

7 Ways to Minimize Small-Business Risks

Friday, August 21, 2009
posted by Infoshare

If you’re a small-business owner, you’re by definition a risk-taker. The danger, however, of being comfortable with taking leaps of faith is that you can sometimes overlook smart and simple ways to minimize the damage if your leap ends in a fall. 7 ways to minimize small-business risks”. 21 August 2009. 21 August 2009. <>

Here are seven ways to do just that.

1. Be cash-conscious

“The number-one risk for most small businesses is improper cash-flow management,” says Scott Lovingood, CEO of The Wealth Squad Inc., a small-business consultancy in Riceville, Tenn. “Calculate every month how much money you have on hand and how long it will last if your income dries up. Also evaluate monthly your total accounts payable and the number of days accounts are outstanding because a slowdown in accounts payable will lead to cash-flow crunches.”Avoid those crunches by creating a contingency plan and setting aside three to six months of operating costs in reserves. “In the contingency plan, ask where your business would be three to six months from now if you lost your biggest client,” explains Lovingood. “Which expenses could you cut? Which would you have to keep paying? That number of three to six months is variable because you could have cash-flow problems for various reasons. Losing a key customer could take away 50 percent of your revenue, but it might also take away 50 percent of your expenses.”

2. Insure against your specific risks

It’s not enough to purchase standard insurance policies. You must know the specific risks your business faces and insure against them. “There are a lot of key risks that business owners don’t realize they’re not covered for,” explains Andrew Cohn, president of ALC Risk Solutions Inc., an insurance agency in Boca Raton, Fla. “Today I met with the owner of an air-conditioning company. He didn’t have coverage for his equipment if his tools or air-conditioning units were stolen during an installation. He also didn’t have coverage for customers’ property in his workers’ care and control. If his workers moved an armoire, and it was damaged or injured someone, he wasn’t covered.”If your business includes an online component, determine how effectively your policies cover that aspect of your business. “Assume you have a shoe store,” explains Jonathan Ezor, a law professor at Touro Law Center in Central Islip, N.Y. and special counsel to The Lustigman Firm, a New York City law firm. “You probably have coverage for inventory, along with business-interruption insurance. But does the business-interruption insurance cover you if your Web hosting company goes out of business and your online business is down for two months? Probably not. You may also host an online forum where customers can talk about shoes. If someone posts child pornography or a computer virus there, is that covered by liability insurance meant for slips and falls on the sales floor? Probably not.”

3. If your business changes, your insurance should, too

Meet annually with a trusted insurance broker to determine whether your business has changed in significant ways that require modifying or adding coverage. “Go through a checklist of coverages and have a discussion,” advises David Kirkup, a partner at Atlanta-based B2B CFO, which provides part-time chief financial officers to small- and mid-sized firms. “What new things have you done in the last year? Have you acquired a company, introduced a new product, begun to do business in a new state or country, hired different people — all those things might trigger a new risk.”

4. Insure key people

If key staffers leave or can’t perform their duties, your entire business could fail. “You’ve got to have key-person insurance on anyone who’s mission-critical to your business,” says Lovingood. “If you already have key-person insurance, review your policy quarterly because it may be outdated if your business has grown dramatically.”

5. Use contractual indemnification clauses

Seek indemnification for potential damages caused by other businesses and people your business relies on regularly. “Let’s say you distribute a piece of software to your customers,” explains Ezor. “It turns out the provider didn’t have the rights to the software, and you get sued. That’s where indemnification comes in. But it’s only as good as the finances of the other party. If you’re worried the finances on the other side of the contract aren’t sufficient for the possible risk, you can contractually require the other company to maintain insurance.”

6. Give yourself an out

If you launch a new venture or enter into a new contract, you need to be able to cut your losses if it goes bust. “Your contract should cover how you can end the relationship,” says Ezor, “and what happens when you do.”

7. Create separate entities

Any time you take on a new risk, consider creating a new legal entity. “If a new risk involves the same market but a different set of customers, you probably don’t need a new entity,” says Lovingood. “But if it adds additional risks from a monetary, lawsuit or partnership standpoint, you need a separate entity. Any time you cross state lines, add partners, or add legal risks your current business doesn’t already deal with and that you’re not insured for, look at separate legal structures.”Also use separate entities to prevent the loss of your assets. “Whenever significant long-term assets exist, consider a separate holding entity,” explains Kirkup. “Real estate is the prime example. Put property into a separate entity, and rent it back to the business. Another example could be patents for your products.”

Don’t shy away from creating new entities because of the cost. “In most states, setting up a corporation or limited liability company costs $400 to $600, and your accountant may charge you to do an extra tax return,” says Lovingood. “You may pay only $1,000 a year for additional risk and asset protection.”

The key to minimizing risks is foreseeing and preparing for them. “Small-business owners can get off track by falling into the prediction trap,” explains Randy Park, a Toronto-based author and speaker on small-businesses. “You assume that what happened yesterday is going to happen tomorrow. But you need to be really clear on the risks affecting your business model.”

Filisko, G.M. “7 Ways to Minimize Small-Business Risks”. 21 August 2009. 21 August 2009.  <>.

Information Security: Why Cybercriminals are Smiling.

Thursday, August 20, 2009
posted by Infoshare

Hardly a week goes by without some new internet security snafu being reported. And with web usage exploding, expect to hear about a lot more. According to a new analysis from Forrester Research, the number of Internet users is forecast to grow 45% globally over the next four years, reaching 2.2 billion by 2013. More people online, more data to hack — it’s a cybercriminal’s paradise.

Many people don’t yet fully understand the enormity of the threat — to individuals, their families and the companies that they work for, warns Andrea M. Matwyshyn, professor of legal studies and business ethics at Wharton. A frequent public commentator on the topic, Matwyshyn is the editor of a forthcoming book titled, Harboring Data: Information Security, Law and the Corporation.

In an interview with Knowledge@Wharton, Matwyshyn is joined by two of the book’s contributors, Diana Slaughter-Defoe, professor of urban education at University of Pennsylvania, and Cem Paya, a data security expert at Google, who discuss the major risk management gaps that are leaving valuable data assets unprotected not only in the office, but also at home, while also sharing a number of measures that everyone — from parents to CEOs — can take to avoid Internet security disasters.

An edited transcript of the conversation follows.

Knowledge@Wharton: Your forthcoming book says that otherwise sophisticated business entities regularly fail to secure key information assets and that many companies are struggling with incorporating information security practices into their operations. Why is that the case?

Andrea M. Matwyshyn: It’s not apparent to me exactly why this is. But there seems to be a process-based failure under way. It’s in companies’ interests, internally and externally, to secure their information assets. Internally, when a company experiences a data breach, it is potentially compromising trade-secret protection on key intangible assets. Externally, it is going to get bad publicity and trust will diminish among customers, business partners and even its own employees. So securing information assets is a win/win.

[Our speculation] about what may be driving the failure to secure assets [is] partially based on historical … facts. Information security [has been] generally viewed as the province of IT departments, and at one point that may have made sense. But at this point, IT security needs to have a process approach, [coming] from the top layers of a company and a culture of security [should be] filtered through the company’s lower layers.

Security breaches can happen not only in a company’s servers, but also as a result of an employee inserting a CD, [as was] the case of a Sony rootkit problem that arose a few years ago [when its CDs automatically downloaded digital rights management tools on to computers]. [Similarly,] an employee can insert a CD into a PC at work to listen to some music and the vulnerability that arises because of, for example, some digital rights management software on that CD can lead to an employer’s network being compromised. Employee education and [a] top-down [approach to] security information assets are an organizational priority, which is something that hasn’t necessarily permeated corporate culture.

Knowledge@Wharton: It sounds like a company pays a steep price when it fails to do all the things that you suggest. Could you give any examples of companies that have faced problems as a result of not having secured their information assets?

Matwyshyn: The recent example that comes to mind is The TJX Companies. TJX had an extensive database of consumer information because it’s a retailer. [In 1996] a hacker sitting in a car in the parking lot of a Minnesota store with relatively primitive tools accessed its network, compromised it and stole millions of records, subsequently resulting in banks needing to reissue TJX credit cards. There may be incidents of identity theft associated with that activity as well. TJX paid a high price in the press and the banks filed a class-action lawsuit against it.

The costs imposed on other entities because of security breaches [at a company] are starting to result in court cases, and at entities that are forced to reissue cards and absorb the costs [are] finding it unacceptable to pay the price for other people’s security practices.

Part of this stems from the nature of information assets. When a company possesses sensitive information, each subsequent sharing of that information creates another dependency, another point of risk. A compromise anywhere in the chain of possession … is the equivalent of a compromise along every point. So the banks in the TJX case were not pleased, the customers who had data compromised were not pleased and TJX had regulatory action [launched] against it because of that breach.

Knowledge@Wharton: Are there any causes at the macro or social level that have led to information security failures?

Matwyshyn: There are some technological causes, structural causes and legal deficiencies that exacerbate the problem. Information security has become more prominent in part because broadband access is so prevalent. People are using the Internet more, which is a good thing. But such information sharing is leading to additional points of vulnerability. Twenty years ago, there weren’t databases full of such rich consumer information as we have today. The ease of sharing information through the Internet generates targets for information criminals. At this point, the identity-theft economy is on par with or surpassing the [illegal] drug economy.

So when you have a financial incentive driving criminals, dissuading them [from perpetrating a breach] is very difficult and they’re going to innovate to stay one step ahead of information-security experts….

[As for those of us who] think about the legal issues, we haven’t resolved the fundamental holes in our legal structures, which might stop some of this from arising. For example, with extradition treaties, we might expect that if we [in the U.S.] prosecuted an individual cyber criminal somewhere in an Eastern European country who hacks into a U.S. database, [one would think that] we would simply work with the other country to execute the extradition. Alas, it’s not that straightforward in part because to get the extradition, the act that was committed must also be illegal in the other country. In many countries where cyber criminals live, the acts that they’re engaging in aren’t illegal, and their governments are not going to extradite these individuals…. On top of that is the lack of a reciprocal regime for recognizing judgments in other countries, which predates the Internet…. We just never resolved the convention on jurisdiction and judgments to allow us to have our judgments in our courts efficiently enforced in other countries.

Now with the rise of international information crime, these problems are highlighted yet again and we need to take a step back legally and work through some of the gaps….

Knowledge@Wharton: What’s the solution? Do we need more international coordination among legal entities?

Matwyshyn: Absolutely. We need to get some harmonization in cyber crime and the opinion of the international community as to what is acceptable computer conduct. In an economic downturn in particular, this problem reaches a new level because with the ease of information crime and the lack of … job opportunities, it is expected to get even worse.

Knowledge@Wharton: The fascinating thing about your book is the examples of the techniques that cybercriminals use, such as phishing and zombies. Could you describe some of those techniques?

Matwyshyn: Phishing takes the form of an email arriving in an unsuspecting user’s email inbox. The user sees an email from what is assumed a trusted service provider. The email contains a link. The individual follows the link and is asked to provide information, maybe a log in, password or the last four digits of a Social Security number. The information is used by the criminal, sometimes in connection with other information the criminal has purchased online on the black market or even from a legitimate source, which may not have been careful in vetting [who is buying] the information….

The other possibility of a phishing attack is that by following an unsafe link, a person’s computer becomes part of a zombie “botnet,” meaning that someone remotely takes control of the machine … [which is then] used to attack targets, generate spam or engage in other types of [unwanted] activities. We’ve had instances of power grids being threatened by zombie botnets. And there’s speculation that zombie botnets are being used by some countries as a form of cyber war against countries they don’t [want] to prosper.

Knowledge@Wharton: What happened at the job website

Matwyshyn: There was a particular incident at Monster that I mentioned in the book, but since then it has had at least two more. Despite it alleging that it has been trying to improve its security, the bad guys are still getting in.

What happened [in the case mentioned in the book] was that some individuals posed as employers and by using Monster resources, they mined information about job seekers and consequently sent them emails containing malicious code, which [the job seekers] downloaded, with their security being compromised….

One of the controversies arising [from subsequent failures] involves data breach notification legislation [requiring companies to tell customers if their information has been put at risk]. Data breach notification legislation now exists in [45 U.S. states], the District of Columbia, Puerto Rico [and the Virgin Islands], and there’ll be probably a few more [states complying] by the end of the year. There’s talk of harmonization, but we’re uncertain when that’s coming. But Monster, not necessarily violating the timeframes stated in the legislation, didn’t notify its customers as promptly as it could have, so the argument goes. If you looked at the website of its information security service provider, you [found out] that it had an information security problem sooner than you did from the Monster website, which led to some criticism, as you might imagine, that only an elite group of people knew [first] about the compromise rather than the individuals who may have been most impacted, the users of Monster.

After Monster’s latest breach, [there was] a posting on its website informing users about [it]. It was posted, I believe, on January 20th, without much fanfare. It is still working through its security problems. That case [involved] individuals with legitimate credentials. Where they got those credentials we’re not sure. It may have been through a different attack before their interactions with Monster. A series of compromised firms may have led to the attacks [in] the Monster database of consumers who had posted their resumes [online]. Of course, with unemployment rates skyrocketing, targets such as Monster will only become more attractive to information thieves. And thinking about the amount of information that an individual puts on his or her resume, a lot of very sensitive, personally identifiable information can let someone pose as you very efficiently.

Knowledge@Wharton: People tend to disclose all kinds of things about themselves in [social] networks like Facebook and LinkedIn as well. Does that affect information security?

Matwyshyn: Very much so. First, as you mentioned … individuals voluntarily disclose a significant amount of information. But if you ask them, they’ll say they’re very concerned about their privacy. When [such] contradictory behavior [is combined] with difficulty in using privacy settings on websites, [people] sometimes don’t realize how much information is readily available to the public.

There was an incident last year [involving] consumer purchasing on other websites linked to … profiles on Facebook because Facebook had a piece of code, the beacon, that would post information found in its profiles about consumers’ purchases on other websites. Although this was within the [usage] terms [that consumers] had agreed to when they signed up for Facebook, there was an … instinctive reaction of shock on the part of many users that [such] information was pushed [out]…. That was perceived by many users to be too invasive…. Facebook recognized that the beacon plan was a little [too] aggressive for consumer tastes … and it consequently made the privacy settings easier to maneuver. But there is a bit of a contradiction between users’ behavior and users’ stated preferences on privacy.

A corollary concern for information security, as a result of social networks such as Facebook, is that platforms on those networks enable developers to generate interesting, fun, new applications for users to interact. There’s really no information security vetting of those applications by the central platform provider, Facebook in this case. The applications request information on a users’ entire portfolio of friends and then all of those people have data that is possessed by the application provider. What the application provider is using that data for and the extent of secure storage that [it] uses are unknown [to users] and Facebook or another social networking site is not going to [publicize] it. It’s not in their interest to do so because they’d rather not be associated with that relationship. They just want to provide the platform. But most users don’t realize or don’t analyze the extent of information sharing that happens through, for example, the applications….

Knowledge@Wharton: When it comes to financial data, do security breaches have a different root cause than other kinds of information?

Paya: [All] security breaches are ultimately caused by a failure in a process or implementation of a security policy. But the damage [from financial information breaches] does have a unique, unusual root cause [in] that financial information cannot at once both be distributed to thousands of entities and be so valuable that mere knowledge or access to it is enough to cause monetary losses. We can’t have it both ways.

It’s not so much that the breaches are surprising. It’s that when a breach occurs, the fact that there is no damage control and containment are impossible is a function of how we … use financial information.

Knowledge@Wharton: So financial information is unique in the sense that it is both confidential and widely disseminated?

Paya: Exactly, that’s the paradox.

Knowledge@Wharton: How can a balance be maintained to allow online commerce to proceed? Clearly online commerce is growing, but we need to figure out a way to balance those two things.

Paya: Since we are not going to put the genie back in the bottle, the only option is to reduce the secrecy requirement and ask, “What happens if my financial information is no longer that secret? What if my credit card number is known by other people? Is that a situation we can deal with?” And surprisingly, for that particular type of information, the answer [to the latter] turns out to be, “Yes.” The credit card networks realize that they can absorb the cost of fraud entirely. They can still say to customers, “Continue to shop freely, you can disclose your credit card number to anybody you like. Continue typing in that number. If there’s any fraud, the system will absorb the losses and you don’t have to worry about it.” And they found that that risk management actually works, that the profits made by the credit card networks more than outweighs absorbing fraud losses.

Unfortunately that’s not the case for other things. Social Security numbers, which have become essentially financial information … because of their use in credit reporting, aren’t at that stage yet. But for credit cards, we have [achieved a balance]….

Knowledge@Wharton: The paradox that you talk about also applies to financial information generally. For example, a company about to merge with another … [will keep] information about that event confidential [during negotiations]…. But once the announcement is made it is, of course, expected to be widely and publicly disclosed. Are there any lessons from the offline world about how you manage this paradox of confidentiality versus the public nature of financial information that can be applicable to this space?

Paya: In the example you’ve mentioned, the shelf life of the secret is limited. If the merger talks are going on for three months, all you have to do is keep it secret for three months…. Best practice is to make sure that your secrets have short shelf lives and can be frequently renewed. That’s not something generally followed with consumer data. Credit cards have multi-year expiration periods and Social Security numbers are indefinite [since] you have one for life.

The lesson from the offline world is … acknowledging the fact that the longer a secret exists, the greater the probability of a breach of confidentiality. So try to limit that window of time. That’s a lesson that hasn’t quite carried over to the consumer financial data, because much of [it] has a very long shelf life.

Knowledge@Wharton: What is the legacy design problem you refer to in the book and how does it affect financial information security?

Paya: The legacy design problem … is the assumption built into many systems and processes we have today that the way transactions will be carried out is by a disclosure of secrets. In other words, to buy something on the Web, I must disclose my credit card number to the merchant. To obtain credit, I must disclose my Social Security number…. To sign up for a cell phone service, I have to disclose my Social Security number.

[What] if we were to say, “Let’s stop doing that and come up with a better way for consumers to, for example, authorize payment or run background checks?” And then say, “Here’s this brand new, far more secure, better designed system.” We’re still stuck with all the processes … that only understand credit card or Social Security numbers. Even if magically … we could deploy something better that gave consumers more control over their data and wouldn’t require them to disclose secrets as part of everyday transactions, there would be a huge and slow migration effort to make a dent in the problem. We’re not starting from scratch, but from the assumption that it’s okay to disclose secrets and that’s how many transactions work.

Knowledge@Wharton: Could you discuss some of the biggest mistakes companies make while trying to protect the privacy of their financial information?

Paya: The biggest mistake … is not having a clear handle on where the information lives. The design of large systems calls for a lot of redundancy. Data is copied, duplicated, backed up, sometimes sent to different partners, data warehouses, shipped off site in case some catastrophic event destroys your data center. So data has a tendency to replicate itself. And one of the big challenges is when companies lose track of where the information is. It’s very hard to point to a particular computer or a particular rack and say, “This is where all the credit cards live.” …. The problem is that the more spread out they are, the more points of failure you have to worry about…. The first challenge [arises by] not having an inventory of what you’re collecting, even if you know where you collect it, not knowing where exactly you put it.

Matwyshyn: [Cem's] commentary is borne out by PricewaterhouseCoopers, which did a survey of chief information officers, chief security officers, high-ranking … decision makers…. One of the startling [findings] is that a large number, approximately 30%, of the respondents could not provide information about where all of their information assets were stored and this is self-reported. A significant number, similarly, could not identify what the major threats were that the company faced in terms of information security. And many of the individuals stated their organizations did not have a comprehensive information security policy.

There’s a broader lack of planning in many enterprises. In their defense, this field is relatively new. However, the downside of not securing information assets is so severe that it’s important that companies start to focus on process-based, top-down initiatives to incorporate information security at every level of their enterprise. Really the neglect is reaching the point that … an argument could be made that the lack of planning that’s prevalent in U.S. companies may give rise to cause a breach of fiduciary duty. That’s serious. We’ve reached a turning point. This is when it really needs to be addressed aggressively in a process-based approach throughout enterprises.

Slaughter-Defoe: A lot of the people [running companies] are parents, and if this is how they’re functioning at their workplace, you can imagine what they must not be doing at home.

Knowledge@Wharton: If in this room with us right now there were the CEO and the CIO of a company who heard everything you said and they want each of you to give one piece of advice of how they can do better job protecting their information assets, what would that advice be?

Matwyshyn: The first piece would be to set up a top-down process and a culture of security. Have every employee go through mandatory information security training regularly. Have every employee know what to do in the case of an information security breach. One of the key mistakes that many companies make, and I talk about this a little bit in my chapter, is that people from the outside [of a company] will report a security breach and employees simply won’t know what to do with the information. They won’t know who to contact internally to stop the bleeding. Each individual in an organization needs to recognize the importance of the team effort in keeping information secure. And the tone really needs to come from the top.

Slaughter-Defoe: This problem, based on what I’ve heard today and at other conferences, has reached a point where attention needs to be called to the nation’s Department of Homeland Security. They need to get this book. They need to look this over…. They need to think about this in terms of future directions of the nation. There was one comment [today at the conference] from a gentleman about how his state … [is] at least ensuring that there is appropriate communication between people who were engaged in rescue operations. In a manner of speaking, if you project the next 20 years or the next generation, that’s what we’re talking about here. We’re talking about at the state level, resources will be coordinated to protect families and where people work, now that the genie is out of the bottle. I don’t think anybody, say, 20 or 30 years ago thought this was a serious issue that they would have to address. But it’s very much with us. And it puts us in a new era.

Matwyshyn, Andrea. Interview with Knowledge@Wharton. Knowledge@Wharton. August 2009. 20 August 2009. <>.

Uninsured Drivers Racing at Own Risk

Tuesday, August 18, 2009
posted by Infoshare

Tim McCreadie of Watertown, N.Y., capped his return to dirt late model racing last August with a victory in the Topless 100 at Batesville Motor Speedway. He added a couple more major victories in the closing months of the season, but his 2009 began with disaster.

In January, he returned to Tulsa for the Chili Bowl, the nation’s top midget racing event where McCreadie had stunned a field of NASCAR and open-wheel drivers to win in 2006.

The last thing he remembers is leading a B-Main qualifier when his car began vibrating.

A problem in the rear axle of his midget car was the reason for vibration, and the crash that followed was spectacular. It immediately became You-Tube fodder, the images of his car bouncing and barrel-rolling over the catch fence at the indoor facility.

When McCreadie awoke, he had two problems: His back was broken, and he didn’t have health insurance.

An estimated 25,000 drivers like McCreadie compete on more than 800 dirt racetracks in the United States, according to an Associated Press story last month. No one keeps count of how many have insurance, but people in the racing and insurance businesses say as many as 80 percent of drivers do not carry coverage.

A handful of Arkansans race on dirt professionally, most of whom will compete at the 17th annual Comp Cams Topless 100 this weekend at Batesville Motor Speedway. They all struggle with the financial burden of health insurance, which is a considerably higher cost because of their jobs.
“I’ve got some,” said Batesville’s Wendell Wallace, the 1998 Topless winner. “But a race-car driver is considered a high-risk, like an airplane pilot or something like that. Our insurance is just real high.” Batesville’s Billy Moyer, a member of the Dirt Late Model Hall of Fame who is a four-time Topless winner, discovered how much red tape was involved when he mangled his thumb in a racing accident during a Hav-A-Tampa Dirt Late Model Series national event at Little Rock’s I-30 Speedway in 1997.

“I found out if you have better insurance than the racetrack has, you’re better off not to have any insurance,” he said. “I had 17 pins put in that thumb … a pretty major deal. My insurance ended up paying for more than the racetrack would. The racetrack insurance was a secondary thing.” The insurance carried by tracks has improved over the years in many cases, although policies still vary. Most pay either a percentage of the amount or a set amount, usually up to around $10,000. I-30 Speedway’s policy also includes a $1 million payment upon death.

Dennis Huth, president of American Speed Association, estimates that a typical track’s policy offers $20,000 to $30,000 in medical coverage for injured participants. “But there are tracks out there that carry $5,000 in medical insurance,” Huth told The Associated Press.

Many drivers avoid the high costs by deception, not mentioning that they drive race cars on their insurance paperwork. One driver, who wished to remain anonymous, said that after breaking his arm in a racing accident he took painkillers and went home. The next day, he told emergency room personnel and his insurance company the injury happened on his farm.

“When they get to the racetrack, they really don’t think about” it, Laura Hauenstein, president of WSIB Motorsports Insurance, told The Associated Press. “And when you bug them and say, `Hey, we need to do this,’ it’s like the last thing that they’re thinking about.” Greenbrier’s Bill Frye said he can’t afford to carry insurance that will cover him while he’s in his race car.

“Insurance is a double-edged sword for me,” said Frye, the 1996 Topless winner. “It’s sold on the fact of fear. That’s the only reason people have it.

“I feel safer on the racetrack than I feel going down the road every day. But you’re going to get hurt racing sometimes. You’re going to break a hand. There’s a chance you’ll die out there or break your back.” The only medical coverage for McCreadie at the Chili Bowl was through a small policy bought by the event promoters.

McCreadie bought insurance when he briefly drove for Richard Childress Racing in NASCAR’s Nationwide Series last season. But when RCR let him go, McCreadie let the policy lapse. That’s when he got hurt.

McCreadie is back racing – after months of rehab and a few fundraisers to help pay his medical bills – and is expected to be among the favorites when he returns to defend his Topless title this weekend.

Now, however, he’s insured again.

“The bills are coming. I’d be happy if I could almost break even when it’s all over with,” he said. “I wish I could go back and change it, but only good can come out of this if all of a sudden everybody goes out and gets insurance. If people get hurt, at least they’re covered.”

Written by: Rodgers, Steve. “Uninsured Drivers Racing at Own Risk”. Arkansas Democrat-Gazette. 14 August 2009, pg. 21+25.