Cyber Insecurity News

ARE YOU COVERED FOR CALIFORNIA’S NEW IoT LAWS?
They won’t go into effect until 2020, but it’s time to check your insurance now.
By Tyler Gerking and David Smith
JANUARY 1, 2019
NOW THAT YOU KNOW about insurance issues raised by both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (see Tyler Gerking’s article from November), let’s look at the insurance implications of two additional bills that California Governor Jerry Brown recently signed into law.
     Assembly Bill 1906 and Senate Bill 327 address security concerns relating to devices that are capable of connecting to the internet, the so-called internet of things (IoT). Like the privacy law, the IoT laws will go into effect on Jan. 1, 2020. Put very simply, they require manufacturers of devices that are capable of being connected to the internet to equip them with “reasonable” security features that are appropriate to the nature and function of the device and to the information it collects, contains or transmits. For a device that can be authenticated from outside a local area network, the statute deems the security feature reasonable if either the preprogrammed password is unique to each device manufactured, or the device requires the user to generate a new means of authentication before access is granted for the first time.
     Technologists are debating whether the laws are good or bad and, if good, whether they go far enough. Regardless, the laws will take effect and manufacturers of IoT devices will have to comply. But they don’t provide for a private right of action; enforcement is reserved to public prosecutors (the California attorney general, city attorneys, county counsel and district attorneys).
     The new laws apply to all connected devices sold or offered for sale in California. Because California is such a large market, this likely means that all such devices sold in North America and Europe will comply with California’s regulations by the time that the laws take effect, and that older, less secure devices will be diverted to countries with fewer regulations.

IoT Risks Are Large and Growing
     The number of connected devices is growing rapidly. There are now over 7 billion such devices worldwide, and this excludes smartphones, tablets, laptops, etc. Including them, the number jumps to more than 17 billion. These comprise both domestic devices (smart home devices ranging from security systems to refrigerators to baby monitors to televisions and cameras, including, of course, such devices as modems and routers) and industrial devices (connected machinery and equipment used by industry, hospitals, transit agencies, power companies, etc.).
     The need for security is not an idle one. The Mirai botnet attack in October 2016 caused a massive internet outage on the East Coast by taking control of a huge number of connected IoT devices and using them to launch a distributed denial of service (DDoS) attack on internet infrastructure company Dyn. Mirai recruited those devices by scanning for open telnet services and logging in with a short list of factory-default usernames and passwords that their owners had never changed, which is exactly the weakness the new California laws target. The Dyn attack slowed or stopped many major websites, including GitHub, Twitter, Reddit, Netflix and Airbnb. In fact, Mirai had been used in a similar attack on the French hosting provider OVH just one month earlier, and is still being used to attack devices. As of July 2018, there were at least 13 versions of Mirai malware actively infecting IoT devices.
     IoT devices interact directly and indirectly with people at many levels, and can cause various types of harm. For example, autonomous vehicles on the roads can harm vehicle occupants (as in a number of publicized crashes involving Teslas) and others (such as the Arizona pedestrian killed by an Uber in self-driving mode). While none of these crashes were caused by security issues or hacking, the potential for large-scale disruption once such vehicles start communicating with each other and with traffic control systems is obvious. There are several documented instances of white-hat hackers commandeering nonautonomous vehicles remotely through their internet-connected infotainment systems (most famously the 2015 Jeep Cherokee demonstration), taking control of the windshield wipers and, more shockingly, the braking systems.
     On an industrial scale, a steel mill in Germany was hacked in an incident that prevented a blast furnace from being shut down in a controlled manner. The result was significant physical damage, but luckily no injuries. And during the Dyn attack mentioned above, traffic control systems were disrupted, leading to increased danger on the roads (but fortunately no reported injuries).
     Manufacturers clearly face many exposures, including claims for bodily injury or property damage, lost revenues, and regulatory investigations and actions. Retailers of such devices could be included as part of any lawsuit involving harm caused by a device they had sold. ISPs that were victims of DDoS attacks would likely find themselves sued if their operations were taken down. And end users face the risks of suffering injury or damage.

Cyber and Technology Errors and Omissions Coverage
Every manufacturer of any connected device (that is, a device that is capable of connecting to the internet, either directly or indirectly) needs to check that its insurance program provides sufficient protection against cyber liability exposures. While general liability policies might cover a subset of property damage or bodily injury claims, the coverage they afford can be limited.
     Cyber insurance, which often is combined with technology errors and omissions (Tech E&O) liability insurance, can cover a broader array of exposures relating to security events. But companies also should be aware of possible limitations and coverages that they should negotiate into their policies.
     Cyber and Tech E&O policies are written on nonstandard forms, and thus coverage can vary from insurer to insurer. The policies can be heavily negotiated, allowing insureds an opportunity to tailor the coverage to their unique risk profile. To produce the best result, the insured needs to understand their risks and what scope of coverage is achievable in the market.
     Cyber policies generally cover costs and claims arising from the theft or loss of personally identifiable information (PII). They also can provide liability insurance for claims arising from other security events that do not involve PII, specifically the loss or theft of confidential corporate information. They may also cover damages caused by security events that result in: (1) the alteration, corruption, destruction, deletion or damage to data; (2) the failure to prevent the transmission of malware from the insured’s computer system to third-party systems; and (3) the use of the insured’s computer system to conduct a DDoS attack.
     In addition to civil lawsuits, cyber policies often will cover regulatory proceedings, but usually such coverage will apply only if there has been an unauthorized access to, or the theft or disclosure of, PII from the insured’s computer system.
     This sounds like broad coverage, and it can protect manufacturers against a number of cyber events. However, there are several key limitations that must be understood and, if problematic in the context of the insured’s business, negotiated to provide the necessary coverage.
     For one, the cyber coverage described above only covers claims arising from security events on the insured’s computer system, which is defined as hardware and software under the insured’s ownership and control. This would not cover claims arising from the hacking of products that the insured manufactured after they have been sold, unless the insured maintains some control over the products through a software product or service. As a result, a simple cyber insurance policy would not necessarily protect a manufacturer or retailer against its primary IoT risks.
     That coverage can be augmented with Tech E&O insurance, which can provide coverage for claims alleging that the insured committed an error in the rendering of its technology-related services, and that its technology products failed to perform the function or serve the purpose intended.
     But even with added E&O coverage, a manufacturer of IoT devices still might be exposed to uncovered liability, particularly with regard to new laws such as California’s. Under it, a manufacturer may have liability even in the absence of a security event—if, for example, it’s alleged that the device does not contain compliant security features. The technology product coverage in a Tech E&O policy might cover this, but that will depend heavily on how the coverage is worded. It may be possible to argue that a noncompliant device does not perform the function or serve the purpose intended. But the insurer may disagree, depending on what the security deficiency actually was in the context of the device as a whole. As a result, manufacturers will want to carefully consider and negotiate this language to ensure that they will have coverage for nonsecurity event claims.
     Also, California’s new IoT law does not give consumers a private right of action; instead it allows the state’s attorney general (as well as city attorneys, county counsel and district attorneys) to investigate and bring enforcement actions. As a result, depending on the type of investigation and enforcement action that the manufacturer faces, it may need to access the regulatory proceeding coverage in its policy. Often, however, regulatory proceeding coverage will be limited to proceedings arising out of security events. Again, this raises the possibility of a coverage gap for claims in the absence of a security event. Accordingly, manufacturers must scrutinize and negotiate the regulatory proceeding coverage in the policies they are buying.
     Finally, as described above, certain IoT devices carry the very real potential of causing property damage or bodily injury, which would saddle manufacturers with major risks. Therefore, it’s important for manufacturers (and other entities in the supply and distribution chains) to understand that, although current insurance products can provide some coverage, many Cyber and Tech E&O policies do not cover claims for bodily injury or property damage. However, given the flexible nature of these policy forms, it is sometimes possible to negotiate coverage for these exposures. Insureds concerned about these risks should work closely with their insurance brokers and counsel to negotiate favorable policy terms.
     One more type of coverage, commercial general liability (CGL), should not be overlooked. The current version of the standard CGL policy contains an exclusion for bodily injury and property damage arising out of (1) access to or disclosure of confidential or personal information; and also (2) “the loss of, or loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Some policies include a carve-out that preserves coverage for consequential bodily injury claims, provided they do not arise out of the first exclusion, which can provide useful coverage for such claims. However, carriers may argue that the terms of the second (loss of use) exclusion apply to hacking scenarios, where a bad actor either takes control of, or stops the owner from controlling, the data that runs the internet and/or IoT devices. As a result, coverage for property damage claims under CGL policies is likely to be, at best, disputed.
     Thus, organizations with significant bodily injury or property damage exposure need to work with a broker and attorney who know their businesses, have experience negotiating custom coverages, and understand how the Cyber/Tech E&O coverages dovetail with CGL coverages.

The Final Word
Cyber risk is real, and it seems likely that governments at the state or federal level, or both, will introduce more laws to protect both consumers and the relevant infrastructures. Companies, particularly ones with significant bodily injury or property damage exposures, need to discuss their operations with cyber-savvy brokers and attorneys to make sure that their policies include coverage for regulatory proceedings and actions for property damage and bodily injury claims. And everyone should realize that not every exposure can be covered by insurance. Companies should emphasize that holistic risk management is a critical component of any program designed to mitigate exposure.

Tyler Gerking is chair of Farella Braun & Martel LLP’s insurance recovery group and co-chair of its privacy and cybersecurity group. From the firm’s San Francisco office, Gerking represents corporate policyholders in complex, high-stakes insurance matters. He helps clients negotiate policy terms, shepherds clients through the claim process, and pursues breach of contract and bad faith claims against insurance companies.

David Smith is an insurance and risk management consultant who works with Farella Braun & Martel LLP’s insurance recovery group. He assists policyholders with complex claims and supports the firm’s attorneys in negotiations with, and litigation against, insurance companies. He is particularly experienced in issues of policy interpretation and insurance industry coverage intent.