Cyberattacks are an increasingly frequent and costly risk faced by almost every business today. While the availability and scope of cyber-specific insurance has developed exponentially over the past few years, it is important to remember that more traditional policies (such as general liability and first-party property insurance) can still be a source for coverage in connection with cyber incidents, as a recent court decision demonstrates.
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed to date under the GDPR, since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
A little over a month ago, a judge in Franklin County, Ohio, held that Bitcoin—a popular form of cryptocurrency—constitutes covered “property” under the terms of a traditional homeowner’s policy.
In Kimmelman v. Wayne Insurance Group, an insured, James Kimmelman, sought coverage from his personal insurer for a loss of $16,000 in Bitcoin that was purportedly stolen from Kimmelman’s online account. Kimmelman argued that the Bitcoin constituted covered property under his homeowner’s policy. The insurer argued that Kimmelman was only entitled to recover $200 under a policy sublimit for monetary losses.
Imagine that your company has finally released its new flagship product, which is slated to be the new lifeblood of the company. You’re elated when early sales far exceed expectations. But soon you are hit with a demand letter from a competitor alleging that the product infringes its patents, and threatening suit. Remembering that your company purchased comprehensive coverage under its commercial general liability (CGL) policy, you feel some initial relief—but soon your insurer tells you that the general policy does not provide patent coverage, or even expressly excludes such claims. Suddenly, you’re left wondering how your company will weather a costly patent lawsuit while continuing to roll out its new product.
Remember the “good” ol’ days when the run-of-the-mill theft involved someone physically taking something tangible? That is so 20th century. Now, thieves and fraudsters are able to use computers and the internet to carry out much more complex schemes. The insurance industry has attempted to keep up with the technological evolution in the coverage it provides, but insurers have also used unclear policy language and the complexity and individualized nature of today’s fraudulent schemes to avoid covering the resulting losses. A slew of courts over the past few years have decided whether crime policies—particularly those with a computer fraud coverage component—cover complex, technology-related fraudulent schemes. The Eleventh Circuit recently joined the fray and ruled that computer fraud coverage did not apply to a policyholder’s $11 million loss.
Third-party intervention may now prove unnecessary when interpreting and enforcing contract provisions—at least this is what proponents of smart contracts believe. The overall goal, they argue, is to provide security unattainable through traditional contract law, and to reduce additional transaction costs that come with the traditional process. Will insurance policies become the laboratory to test their thesis?
First imagined by computer scientist Nick Szabo in 1996, smart contracts are computer protocols meant to facilitate a contract’s implementation and performance. They can carry out only the specific instructions given to them, and all transactions are traceable and irreversible. Regarding functionality, experts have likened smart contracts to a vending machine; contract terms are first coded and placed within the block of a blockchain (the same technology Bitcoin uses). Once the triggering event occurs, the contract is performed consistent with all designated terms. Continuing the analogy, the individual inserting money in the vending machine sets off a chain of events, unable to be undone or halted midway. (Granted, this last part isn’t like the traditional vending machines we know.) The machine keeps the money and dispenses the item. The contract has been fully performed.
Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
While our brains may feel like they are fused with the computers, smart phones, and other devices we use on a constant basis, a direct connection between these machines and our brains is still (mostly) a thing of the future. So, even as companies continue to strengthen and refine their network security systems against cybercrime, the human brain can remain a weak link for criminals to exploit. Unfortunately for some policyholders, this time-honored tactic of targeting the human element involved with a technology may actually fall right into a gap in companies’ insurance coverage, as highlighted in the Fifth Circuit’s decision this month in Apache Corporation v. Great American Insurance Company.
The era of the self-driving car has arrived, with the shiny promise of fewer auto collisions—and the inevitable potholes of a transformative technology. Despite the significant concerns raised by a recent accident involving a driver’s reliance on a partially autonomous automatic braking and steering system on the Tesla Model S—one of 70,000 such vehicles now on the roads—the auto industry is roaring ahead with autonomous vehicles (AVs). Google is testing its driverless cars extensively on U.S. roads; General Motors has teamed up with car-sharing company Lyft to develop a driverless taxi service; and most major automakers will be releasing fully or partially autonomous vehicles in the next five years.