All insurance involves the transfer of risk(s). One party (or one group of parties) obtains value protection from losing–in some matter–something valuable. This loss can come about in a variety of ways: a ring is stolen, a key is permanently “misplaced,” a whole set goes now the sewer, a building burns down, a person sustains a bodily injury from a doctor who operated on the wrong wrist, a medical bill that has to be paid, a debtor hasn’t paid a bill, and so forth. Not all protections from risks are insurance; the use of a security interest, for example, in the loan transaction, illustrates this point. Not everyone who has some sort of transactional assurance of little to no loss has insurance. Interestingly in England, some of what are uniformly called “insurance policies” in America are sometimes called “assurance policies,” and what is called “insurance companies” in the United States can be called “assurance companies” or “assurance syndicates” in the U.K. Some might say that surety agreements are not insurance, but that would be a mistake.
The same will be true of cyber-insurance: if a bank makes a mistake; customers’ identities are stolen; the customers sustain actual damages then the bank may be liable and be obligated damages. Some cyber insurance policies may cover the loss. The bank’s customers may be insureds, or the bank may be the insured. If only the bank is the only insured, the policy is probably a liability policy or contains a relevant part. (Sometimes policies are “packages,” and so contain several different kinds of insurance.)
Many liability policies are “occurrence” policies, while others are “claims made” policies. Each one of these cyber-liabilities will have an enormous effect on what is covered and what is not.
Many policies include a duty incumbent on the insurer to defend the insured in case the insured is a defendant in litigation. Today, the cost of defense eats up the amount of coverage reduces the monetary size of the policy; and sometimes it does not.
It would be surprising if most cyber-liability insurance policies were not “claims made” type policies, and it is very likely that the policies will be designed so that defense costs eat up and thereby reduce the amount of insurance available to pay the actual loss inflicted on the person claiming a compensable loss.
(A key part of the insurance vocabulary for this distinction is “duty to defend” and “duty to indemnify. The second of the two duties isn’t exactly what it says it is, but the use of the phrase “duty to indemnity” is more than100 years old. It was right then but not now.)
A number of tort cases have been brought against different kinds of parties for permitting identity theft. At least usually, these cases are lost because the plaintiffs, those whose identity was stolen, have not sustained actual material losses Mental anguish without some “genuine injury” (usually physical but sometimes economic only) is not counted as actionable losses. See Stephen J. Rancourt, Hacking, Theft, and Corporate Negligence: Making the Case for Mandatory Encryption of Personal Information, 18 Tex. Wesleyan Law Rev. 183, Section II (2011) (helpful list of identity theft cases lost with none won). See Hammond v. The Bank of New York Mellon Corp., 210 WL 2643307 (S.D. N.Y. 2010). (containing a long list of influential cases where theft of identity cases dismissed since not actual damages).
Most insurance depends upon and requires fortuity. Most events, the occurrence are not fortuitous, from the point of view of the insured, are not insurable. Arson is not insurable if the policyholder starts a fire in his own building. If I throw my keys down into the sewer, the values of the keys are not insurable. If A deliberately burns down the building of B, A’s third-party liability carrier may not cover B’s loss, but B’s first-party insurance may. It might very well, however, pay A’s defense costs.
These points illustrate the difference between most third-party insurance, on the one hand, and first-party insurance on the other. A’s liability insurance is third-party insurance, whereas B’s insurance on his stuff, his cash under the bed, or health coverage on himself is first-party insurance.
Not all insurance requires fortuity. This coverage is very narrow, indeed tiny. Life insurance usually covers some types of suicide. The type in question is suicide which occurs sometime after the commencement of the policy. That period is usually two years. I cannot think of an analogy in cyber insurance[cm_simple_footnote id=”1″]. Of course, life insurance itself will be involved in cyber-insurance arrangements, but it will probably be the same there and then as it is here and now.
Most liability insurance is linked to torts; most cyber-liability insurance is already and/or will be like that. Some current policies are linked to breach of contract; creditors insurance is like that. Some policies that cover breaches of contract are included in “mostly-tort-based” liability policies, but not always. The opposite is also true; there are “mostly-contract-based” policies, and some of them include a few covered torts.
Also arising out of contracts, there are sometimes tort liabilities. Breaches of the duty of good faith and fair dealing found in all contracts are sometimes considered torts. If A breaches a contract with B and then breaches the contract, but by the breach physically injures B or injures C in some way or another, there may be a tort between A and C. There will probably be coverages like this, although cyber- liability insurers will exclude as much as they can of these configurations, or try to pass them off on other insurers, such as standard liability insurance available today.
Most of the torts existing now will, as is, or as adjusted, will be spread across the “cyber-field.” (I am ignoring damages caused to physical objects or the human body (a form of a physical object, since they are now covered). Here are at least some examples of tort theories that will be transposed across the “physical” or “real” world to the “cyber” or “virtual” world.
Negligence: This is the failure of an insured to do what a normal and prudent person would do under the circumstances or fail to conduct himself in accordance with the standard of care that is generally accepted given the situation (What counts as damages, what is compensable under insurance policies, and how the size of covered damages are calculated may all be different.)
- Invasion of privacy
- Interference with contract
- Interference with the economic position
- strict liability (necessary adaptations replacing the requirement of there being liability only if a physical object–like a toaster–is at least part of the so-called proximate cause)
- errors and omissions type torts (These are really a kind of negligence, at least usually. But they are specialized): lawyers
- brokers of various sorts
- third party managers, administrators, and/or quasi-agents (Some insurance adjusters are like this.)
- designers of codes, etc.
- encryptions, etc
- firewalls and similar devices
- similar safety measures
intellectual-property torts: wrongful use, wrongful acquisition, wrongful imitation, etc. Imagine using computer hacking to obtain a patented plan for something, then destroying the owner’s plan, and then putting the plan to one’s own use and the list goes on for a long time.
No doubt the reader will have noticed that the concept of negligence is a complex and widespread type of concept across all of human behavior and covers an enormous range of possible damages. The reader may think of anything s/he can which causes damages to someone other than the “actor,” or some related parties, and negligence will exist in cyber-law and cyber-insurance law. Not all kinds of injuries and therefore not all kinds of damage will be. This is one place where there may be a whole variety of alterations needed and provided.
In terms of adjusting, altering, changing, and revising cyber-insurance, first-party coverage will be treated and work much the same way. It will still, almost certainly turn on the insured having a property interest–or something like it–in that which is insured.
Originally posted on 03/22/2013 @ 4:31 pm