Large scale cyber-attacks and data breaches are, regrettably, a daily occurrence in today’s world. Countless companies – including some of the world’s largest – already have been victims of cyber-attacks, countless others will be victims in the future, and others already are victims but simply do not know it yet. By now, many companies purchase specialized insurance that covers many of the types of costs that the company may incur in the aftermath of a cyber-attack. But these policies do not provide coverage for every consequence of a cyber-attack, and that reality may hit home for makers or users of smart devices in an expensive way. This is a cautionary tale for participants in the Internet of Things.
Internet-connected devices provide a great benefit to, and have the potential to transform, our daily lives, but they also carry with them added security risks, as FTC Chairwoman Edith Ramirez noted at the International Consumer Electronics Show earlier this month. One such risk is that a cyber-attack involving Internet-connected devices will not just result in the unauthorized disclosure of personal or confidential information, but that it also could result in tangible physical harm, such as property damage or bodily injury.
The most famous example is the use of a computer virus, Stuxnet, to weaken Iran’s nuclear facilities. Although this example may seem inapplicable to your average company, a more recent example indicates these attacks may hit the boardroom. Just this past week, researchers at the Florida-based Digital Bond Labs stated that they had uncovered problems in a device that Progressive Insurance uses to monitor the driving habits of its customers. By reverse-engineering the device, researchers gained access to a network that allows remote users to control important vehicle functions, e.g., steering, braking, and throttle inputs. Progressive relies on this device as part of an insurance program that collects data on how many miles are driven, what times of day a car is in operation, and how hard a driver brakes. Customers who participate in this program can receive discounts in exchange for providing Progressive with this data. If someone had actually hacked into the Progressive network, they could have potentially overridden a driver’s input and controlled a vehicle, causing significant physical damage or injury.
Will your insurance cover these potentially massive liabilities? In some cases, both your cyber insurer and your general liability insurer may say no. Coverage for liability for bodily injury or property damage typically is provided in general liability policies. Around 2004, an “Electronic Data” exclusion was added to the standard CGL form that bars coverage for bodily injury or property damage claims “arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” In May 2014, a set of new exclusions were introduced that broadened the original Electronic Data exclusion and aimed to bar coverage for cyber-attack-related liabilities. In addition to the limitation imposed by the Electronic Data exclusion, the 2014 exclusions bar coverage for damages “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” There are several variations of the exclusion, including one that applies to both bodily injury and property damage liability and personal and advertising injury liability , one that contains a limited exception related to bodily injury, and one that applies only to personal and advertising injury. If you are the victim of a cyber-attack that caused bodily injury or property damage to others via your smart devices, and if you have a policy containing a version of the exclusion that applies to bodily injury and property damage liability, your insurer may disclaim coverage on the basis of this exclusion. Whether the liability fits within the exclusion, including whether it arose out of “access to or disclosure of . . . confidential information,” will depend on the facts of the particular situation. For example, where a hacker hijacks a company’s network for the purpose of causing injury, the injury does not necessarily arise out of access to or disclosure of information. Most importantly, it is necessary to review your coverage closely at your next renewal and to consider the impact of this exclusion on your risk exposure.
So what about that specialized cyber policy you purchased to cover you in the event of a cyber-attack? Many cyber policies exclude coverage for bodily injury and property damage claims. But not all policies contain this exclusion. A few insurers offer cyber policies that cover property damage or bodily injury resulting from a cyber-attack. It is important to review your specific policy to understand the harms for which you are and are not covered.
It also is good to keep in mind that there could be multiple “targets” of this type of liability, each of which needs to understand their insurance coverage. As an example, in the automotive scenario noted earlier, someone who has been harmed by a hacked, out-of-control vehicle may sue the driver/owner of the car, the insurance company, and/or the company that made the monitoring device. Product liability claims often spawn litigation that involves everyone in the chain of distribution from the parts manufacturer to the end user. Each of these parties may carry liability policies that could cover this type of exposure arising out of their products, but again, companies need to carefully review their coverage to ensure these risks are addressed.
Many companies who are victims of a cyber-attack will not face claims for property damage or bodily injury. But for companies who contribute to the Internet of Things, this risk is real and has the potential to saddle a company with substantial liabilities. Companies – particularly makers and users of smart devices – need to be mindful of this potential gap in coverage when building their insurance programs.