THE INSURANCE INDUSTRY: SOME CURRENT PORTALS INTO 

THE SO-CALLED “CYBER-WORLD”

Michael
Sean Quinn, Ph.D, J.D., Etc.

2630
Exposition Blvd  #115

Austin,
Texas 78703

(o)
512-296-2594

(c)
512-656-0503

 
The Internet is full of reports about itself, as it were, and plenty of
similar sources to be found in the real world. 
Treating them together, there are  ads, mags (like Wired), books with new titles (some of which now have several
additions), textbooks, novels, articles, spiritual exhortations embracing
and/or condemning the new cyber technology, book reviews, blogs, and places to
chat. Many of them are about the so-called “real world” and its
components.  Many are about the
Internet—and more expansively understood, the cyber world itself and its
contents.

There are many abbreviated and
superficial phony disquisitions on what little there is of  cyber insurance law cases about which public
knowledge is available. One suspects that there are more, but settled subject
to confidentiality.  Later in another Blog
you doubt you will be  reading, some of them will be discussed. 

There is WestLawNext and Nexus, where
the reported cases also are to be found and where unreported but published
opinions can be found.   There is a sparse set of articles that say
almost nothing interesting about the reported cases, and say nothing at all
regarding cases conducted quietly, e,g., by arbitration, and/or about which
resolutions are not known, either because there are confidentiality agreements
or because there are agreements amongst the parties to avoid publicity.

Some law schools now have courses on
cyber law, using decided cases, in accordance with ancient tradition, and
statutes as well.  (This point is true
even though some leading intellectuals sneer at the idea.  See Frank A. Easterbrook, Cyberspace and the Law of the Horse, 1996
U. CHI. LEGAL FORUM. 207, the author now having sat as a Judge on the Seventh
Circuit for many years.  The Judge’s
article caused substantial controversy being that of Professor Lawrence Lessig
[Harvard Law School], The Law of the
Horse: What Cyberlaw Might Teach,
Research Publication No. 1999-05,
12/1999, the BERKMAN CENTER for INTERNET
& SOCIETY (downloadable from
http://cyber.law.harvard.edu/publications).
However, the traditional law school courses about which Judge Easterbrook is
writing, so far,  says nothing, or next
to it, about cyber insurance law. In some sense, some cyber insurance
principles and the law of the so-called real world are like that  already taught in law schools, but not all of
it, and that is likely to diverge outward a bit, away from each other a little
here and there, over time.  Some of these
divergences may well be significant.

There are also a few law review articles
and a few short commentaries by professional lawyers on the reported cases, but
there are no how-to manuals for lawyers, theoretical treatises.

Nor
are there any satires or parodies, yet.  
Nor are there even any, so far as I can remember, BUSINESS INSURANCE-type
newspaper editorial page cartoons.  (If
there are any, they are very, very rare. I have searched and searched, an
effort  aided by the Internet.)

There is not much to be found on the
Net  that is anything more than superficial
when it comes to the “dawn”—and it still is exactly that–of cyber insurance,
whether it is about creating the contents of such insurance policies, the law
of  cyber-world insurance and its
applications as opposed to and/or distinct from the insurance law of the real-world
(assuming there is or will be one).  As
already said, these observations derive from the fact that the cyber-insurance-industry
is  new, and, so far, a quite, quite
small fraction of the existing and established gargantuan world-wide industry,

 The difficulties insurers have in creating
this new industry in what some call a “New World,” derives from a world (largely) without
tangible property, not to mention human bodies to injure, neither health no
life insurance. (Of course, it is easy to imagine life insurance as part of a
video game; it could be named “Murder and Adjusting.” It is less clear how a
video game focusing on health insurance might work.)  These difference, and others, make
systematic, reliable thinking difficult.  
To be sure, there are pleadings, motions, and briefs—both at the trial
levels and at the appellate levels—to be found on cyber controversies, quite a
lot of them obtainable off Pacer and/or the Internet, on WestLawNext as well as
on LexisNexis. However, there are very few controversies that have made it to
court.

Some of the “literature” about insurance
and the cyber-world is informative, but most of it is shallow. They are really
ads set forth by businesses hawking services and other wares.  Most of these come from insurance
intermediaries, but some come from other vendors, including law firms, as well
as risk management firms.  The law firms
“newsletters” are much better for coverage aficionados than those of others
are. 

The federal government is becoming
involved in this a little.  There are two
published “discussion group” booklets. 
One is called Cybersecurity Insurance
Workshop Readout Report. 
That
conference was held in November 2012. 
And there was a second conference, a little less devoted to insurance,
held in May 2013, entitled Cyber Risk
Culture Roundtable Readout Report.

There are huge numbers of firms and different
sorts of businesses that  present
themselves as knowledgeable, helpful, and wise about cyber-world insurance—able
to interpret policies accurately and with authority, able to recommend needed
coverages, and able to do (or help monitor) all sorts of forensic activities.
Some intermediaries are like this, some security consultants claim to be this,
and most contemporary risk managers say they do this, as well. 

Significantly, more than a few insurers
are forming risk management subsidiaries and advisory groups on needed and
desirable security devices, some of which are preconditions for purchasing a
policy.  Of course, it’s hard to do this
sort of thing without financial analysis, so some insurer subs are doing this
to, though usually for the stated purpose only. 
So far, there is not a chorus of insureds complaining that much of  this particular type of work—remember” risk
management services–is keyed to inducing customers to buying the sort of
insurance the principal part of the company sells.

Even
the more objective literature pretty much repeats what is already known or
which is intuitively obvious. There are exceptions, of course, such as the
proposition that 90%±(?) of data breaches and other problems are inflicted upon
smaller businesses—less than 100 employees and that a substantial percentage of
the causes of all such breaches whether of large companies, or small, involve
negligent acts or omissions by employees. Moreover, some publications state
that a similar percentage of costly intrusions into one’s network can be
avoided, if property security protections have been installed and managed
correctly

One
significant source on these topics and some like them is the annual Verizon report
for 2013 (its “2013 DATA BREACH INVESTIGATIONS REPORT) that, while most
breaches of security are outsider driven, there is often internal,
unintentional, merely negligent acts or omissions by company employees.  (See id. p. 3) If one takes seriously the idea
of insurance for the conduct of employees we have a type of insurance that is
frequently not covered in “real-world” policies.

In any case, there are a goodly number
of  available publications on the cyber
world general, conflict within it, conflicts about it, the nature of  damages being caused, privacy being invaded, damages
from theft of personal information having swiped, and-on-and-on, there is
little about insurance.  Thus, the
public   is bombarded daily with brands
of new news about the sociological and economic revolutions, that components of
the so-called cyber-world are somehow us creating, that the tremendous profits
now generated on and by the Net that (and which will be “forever”) earned in
that world and that cyber catastrophes happen there on a weekly basis.  The attack on Target near Christmas in 2013,
and the ostensibly separate one against Neiman-Marcus—are there class
difference in the “hackactivist” community–leave the public and commercial
entities that interact the public 100s to 1000s times as day, in a state of
bewilderment and fear. One of the messages being sent is: “You need to
buy cyber insurance.”  Another one is:
“You must buy cyber insurance,” or else you will go into miserables
bankruptcy and getting sued by everyone in sight—shareholders, employees,
vendors, millions consumers, and governments, as well.” The more recent P.F.Chang invasion is more of the same. (By the say, for those of your more than mildly interested in these topics, I recommend you read “KREBSonSECURITY” frequently. It’s subtitle is “in-depth security news and investigation.”)

At the same time the interested public
is almost as often told that the principal causes of “data breaches” are
various human errors or system glitches, including: lost laptops, component
stolen from employees, such as flash drives, back-up tapes, CD-ROMs carrying unencrypted
information, emails with sensitive client and/or customer error sent
erroneously, data bases not effectively protected, unencrypted data in
transit from one organization to another. 
Of course, out and out theft is different.  Almost all of it comes from the outside, not
from employees or business partners, yet employee negligence often plays some
role, and sometimes employee competition, politics, or simply revenge plays some
role.  Out and out theft also plays a
role, perhaps more than “hackery,”

Here is an important group of
questions:  If  commercial entities of all or most sources
could cut cyber losses by 90%  how should
the need for cyber insurance be thought of? 
On a scale of 1 to 10, where 1 is “not need at all” and 10 is “really
need very badly,” where would cyber insurance fall?  How large should the self-retention be?  Given that small business have losses much
more frequently  than big business, or,
at least that is what is said, how should the need for cyber insurance be
thought of?
 
(Mindy Pollack, 2013: THE YEAR
OF DATA BREACH INSURANCE, Topics No. 21, p.10 (2013). Nothing further will be said about
these questions, and it will be assumed that everyone needs at least some
insurance now including some types of cyber insurance.

Perhaps the following can be used as a
starting point to reflect on these questions. Six years, or so, ago, a group of
the various PlayStation divisions and/or
interconnected companies had at least 77 million victimized customers by having
had significant pieces of their personal information stolen. (This is a
well-known story.)  As one might expect,
these are the kinds of events class actions are made for, and–in this case–an
enormous insurance dispute. The PlayStation companies are found in the SONY
realm, so it sought coverage from Zurich Insurance, among others.  One of this cases will be discussed
later.  Did SONY’S having cyber insurance
help it, and if so, how much.  (Oh yes!)  How did the settlements with the other
insurer work? They didn’t, and thereon hangs a tale.  I will discuss it in some other blog.
Perhaps the economic semi- or
pseudo-panic that surrounds commercial endeavors to sell various cyber
insurances is unnecessary. However, apparently strong punditry is seldom right,
as we all know from politics. 
Probabilistic predictions about BIG events are never certain, if, for no
other reason, pundits and many others do not appreciate Quinn’s Self Explanatory
Refined Version of the nearly profound Rule, to wit:

There
are such  “things” as unknown
unknowns,  and sometimes some people
think they  know that there is quiet
likely important events or trends which border on being known, not even close
to unknown.  (Already applied once
herein.)

Of course, even if the way needs are
formulated or made overly colorful, probably too dramatic as a matter of
probability, and made on the basis of “facts” which are falsely alleged, mostly
innocently, it seldom a bad idea for large companies to buy insurances of
various sorts.  

Quinn’s Second Law should be kept in
mind. 

                        There
is no such thing as a single cause for a complex event.

The
world of insurance understands this very well. 
It has been applied very little to analyzing the cyber-world.  Perhaps this is a place where applicable
insurance ideas might lead a way.

Originally posted on 06/22/2014 @ 10:52 pm

Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 0