This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D‑Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.
Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
The time may be approaching when no distracted, intoxicated or fatigued driver ever causes an accident and automobile insurance as we know it becomes a thing of the past. If this seems like fantasy, only a few years ago, so did the reason: the “driverless” car—an idea that has fascinated the public for decades is quickly becoming a reality.
There has been a fair amount of discussion and commentary on insurance issues related to this new technology. An article last year in the Wall Street Journal posed the question, “How Do You Insure a Driverless Car?” The answer, it concluded, was not to be found any time soon, noting that insurance companies were unprepared for driverless, or autonomous, cars and were presently unable to evaluate or price the risk. But with the “Internet of Things” setting the pace for current technology trends, some commentators predict that autonomous cars will be common as soon as the year 2020, so it is not too early to think about the risk of driverless cars and the inevitable questions of insurance coverage related to this new risk and others like it. READ MORE
Large scale cyber-attacks and data breaches are, regrettably, a daily occurrence in today’s world. Countless companies – including some of the world’s largest – already have been victims of cyber-attacks, countless others will be victims in the future, and others already are victims but simply do not know it yet. By now, many companies purchase specialized insurance that covers many of the types of costs that the company may incur in the aftermath of a cyber-attack. But these policies do not provide coverage for every consequence of a cyber-attack, and that reality may hit home for makers or users of smart devices in an expensive way. This is a cautionary tale for participants in the Internet of Things. READ MORE