In November, Tyler wrote about insurance issues raised by both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, which goes into effect on January 1, 2020. California’s governor Jerry Brown signed two other cyber related laws in September, which will also go into effect on January 1, 2020 – Assembly Bill 1906 and Senate Bill 327, which address security concerns relating to devices that are capable of connecting to the internet – the so-called Internet of Things or “IoT”. See California Civil Code 1798.91.04(a) et seq.
The bills largely mirror each other and, put very simply, require manufacturers of devices that are capable of being connected to the internet to equip them with “reasonable” security features that are both appropriate to the device and require a user to generate a new means of authentication before access is granted to the device for the first time. Technologists are debating whether the laws are good or bad, and if good, whether they go far enough. Regardless, the law will become effective and manufacturers of IoT devices will have to comply with them. The law does not provide for a private right of action; it permits the state’s Attorney General to enforce its provisions.
The new California law applies to all connected devices sold or offered for sale in California. Because California is such a large market, this likely means that all such devices sold in North America and Europe will comply with California’s regulations, and older, less secure devices will be diverted less regulated countries.
IoT Risks Are Large And Growing
The number of connected devices that comprise the IoT is growing exponentially. There are now over 7 billion such devices worldwide, and this excludes smartphones, tablets, laptops, etc.[1] This number is growing faster than it was originally thought. These devices include both domestic devices (e.g., smart home devices ranging from security systems to refrigerators to baby alarms to televisions and cameras, including, of course, such devices as modems and routers) and industrial devices (e.g., connected machinery and equipment used by industry, hospitals, transit agencies, power companies, etc.).
The need for security is not an idle one – the Mirai botnet attack in October 2016 caused a massive internet outage on the east coast by taking control of a huge number of connected IoT devices that had little or no security to launch a distributed denial of service (DDoS) attack on internet infrastructure company Dyn. That attack slowed or stopped many major websites, including GitHub, Twitter, Reddit, Netflix and Airbnb. In fact, Mirai had been used in a similar attack on a French internet services provide in France just one month earlier, and is still being used to attack devices – as of July 2018 there were at least 13 versions of Mirai malware actively infecting IoT devices.
IoT devices interact both directly and indirectly with people at many levels, and can cause various types of harm to those people. For example, autonomous vehicles on the roads can cause harm to the occupants of the vehicle (such as in a number of highly publicized crashes involving Teslas) as well as other road users (such as the Arizona pedestrian killed by an Uber in self driving mode). While none of these crashes were caused by actual internet security issues or hacking, the potential for large scale disruption once such vehicles start communicating with each other and with traffic control systems is obvious. There is more than one well-documented instance of white-hat hackers commandeering non-autonomous vehicles through their radio systems, taking control of the windshield wipers and, more shockingly, the braking systems.
There have been a couple of well publicized cases involving baby monitors that were hacked, with strangers screaming at babies through those devices. While these events did not cause any physical harm to anyone, one can imagine the distress caused to the babies and their parents, as well as the potential for more significant privacy violations as baby monitors and other devices increasingly incorporate video capabilities. On an industrial scale, a steel mill in Germany was hacked causing a furnace to overheat and melt down, causing significant physical damage but luckily no injuries. And during the Dyn attack mentioned above, traffic control systems on the east coast were disrupted, leading to increased danger on the roads.
Manufacturers clearly face many exposures – including claims for bodily injury or property damage, lost revenues and regulatory investigations and actions. Retailers of such devices could be included as part of any lawsuit involving harm caused by a device they had sold. ISPs who were victims of DDoS attacks would likely find themselves sued if their operations were taken down. And end users face the risks of suffering injury or damage.
Cyber and Technology Errors & Omissions Liability Coverage
Every manufacturer of any connected device (that is, a device that is capable of connecting to the internet either directly or indirectly) needs to ensure that its insurance program provides sufficient protection against it liability exposures. While general liability policies might cover a subset of property damage or bodily injury claims, the coverage they afford can be limited. Cyber insurance, which often is combined with technology errors and omissions (Tech E&O) liability insurance, can cover a broader array of liability exposures relating to security events. But companies also should be aware of possible limitations and coverages that they should negotiate into their policies.
Cyber and Tech E&O policies are written on non-standard forms, and thus coverage can vary from insurer to insurer. The policies can be heavily negotiated, allowing insureds an opportunity to tailor the coverage to their unique risk profile. To produce the best result, the insured needs to understand its risks and what scope of coverage is achievable in the market.
Cyber policies generally cover costs and claims arising from the theft or loss of personally identifiable information (PII). They also can provide liability insurance for claims arising from other security events that do not involve PII, specifically the loss or theft of confidential corporate information, as well damages caused by security events that result in: (1) the alteration, corruption, destruction, deletion or damage to data; (2) the failure to prevent the transmission of malware from the insured’s computer system to third-party systems; and (3) the use of the insured’s computer system to conduct a DDoS attack. In addition to civil lawsuits, Cyber policies often will cover regulatory proceedings, but usually such coverage will apply only if there has been an unauthorized access to, or the theft or disclosure of PII, from the insured’s computer system.
This sounds like broad coverage, and it can protect manufacturers against a number of cyber events. However, there are several key limitations that must be understood and, if problematic in the context of the insured’s business, negotiated to provide the necessary coverage.
First, the Cyber coverage described above only covers claims arising from security events on the insured’s computer system, which is defined as hardware and software under the insured’s ownership and control. This would not cover claims arising from the hacking of products that the insured manufactured after they have been sold, unless the insured maintains some control over the products through a software product or service. As a result, a simple Cyber insurance policy will not necessarily protect a manufacturer or retailer against its primary IoT risks. That coverage can be augmented with Tech E&O insurance, which can provide coverage for claims alleging that the insured committed an error in the rendering of its technology-related services and that its technology products failed to perform the function or serve the purpose intended.
Second, even with added E&O coverage, a manufacturer of IoT devices still might be exposed to uncovered liability, particularly with regard to new laws such as California’s SB 327/AB1906. It is possible for the manufacturer to have liability in the absence of a security event under this new law. If it is alleged that the device does not contain compliant security features, the manufacturer may face liability even in the absence of a breach or other security event. The technology product coverage in a Tech E&O policy might cover this, but that will depend heavily on how the coverage is worded. For example, it may be possible to argue that a non-compliant device does not perform the function or serve the purpose intended. But the insurer may disagree, depending on what the security deficiency actually was in the context of the device as a whole. As a result, manufacturers will want to carefully consider and negotiate this language to ensure they will have coverage for non-security event claims.
Third, California’s new IoT law does not give consumers a private right of action; it allows the state’s attorney general to investigate and bring enforcement actions. As a result, depending on the type of investigation and enforcement action the manufacturer faces, it may need to access the regulatory proceeding coverage in its policy. Often, regulatory proceeding coverage will be limited to those arising out of security events. Again, this raises the possibility of there being a lack of coverage for claims in the absence of a security event. Accordingly, any manufacturer must scrutinize and negotiate the regulatory proceeding coverage in the policy it is buying.
Finally, as described above, certain IoT devices carry a real potential to cause property damage or bodily injury, which will be a major risk faced by manufacturers. It is important for manufacturers (and other entities in the supply and distribution chains) to understand that, although current insurance products can provide some coverage, many Cyber and Tech E&O policies do not cover claims for bodily injury or property damage. However, given the flexible nature of these policy forms, it is sometimes possible to negotiate coverage for these exposures. Insureds that face real bodily injury and property damage liability risks should work closely with their insurance brokers and counsel to negotiate favorable policy terms in this regard.
Additionally, possible commercial general liability (CGL) coverage for these exposures should not be overlooked. The current version of the standard CGL policy contains an exclusion for bodily injury and property damage arising out of (1) access to or disclosure of confidential or personal information and also (2) “the loss of, or loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Some policies include a carve out for consequential bodily injury claims providing they do not arise out of part (1) of the exclusion above, which can provide useful coverage for such claims. However, carriers may argue that the terms of part (2) of the exclusion (the corruption of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data) applies to hacking scenarios where a bad actor either takes control of, or stops the owner from controlling, data that runs the internet and/or IoT devices. As a result, it is likely that coverage for property damage claims under CGL policies be, at best, disputed.
Thus, organizations with a significant bodily injury or property damage exposure need to work with a broker and attorney who know their businesses and have experience negotiating custom coverages, as well as understanding how the Cyber/Tech E&O coverages dovetail with CGL coverages.
The Final Word
Cyber risk is real, and it seems likely that governments at the state or federal level, or both, will introduce more laws to protect both consumers and the relevant infrastructures. Companies, particularly ones with significant bodily injury or property damage exposures, need to discuss their operations with cyber-savvy brokers and attorneys to make sure that their policies include coverage for regulatory proceedings and actions for property damage and bodily injury claims. And everyone should realize that not every exposure can be covered by insurance, and thus emphasis on holistic risk management is critical.
[1] The number of connected devices worldwide including smartphones, tablets and laptops is now over 17 billion. https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/
