As technology rapidly evolves and attackers find new ways to exploit vulnerabilities, organizations could face liability for security failures in their products, or for the privacy violations those failures cause. That calls for vigilant protection of systems and for cyber insurance policies flexible enough to respond to unprecedented situations.
In recent weeks, security breaches involving cell phone SIM cards and laptops, along with the interception of supposedly secure Internet traffic, have flooded the headlines.
Laptop manufacturer Lenovo drew sharp criticism upon revelations that its preloaded adware Superfish left computer users open to “man in the middle” attacks. Superfish, like other advertising software of its kind, works by intercepting the secure sockets layer (SSL/TLS) connections that are supposed to protect traffic between a browser and a website: it installs its own root certificate in the laptop’s trusted certificate store and runs a local proxy that decrypts each HTTPS session, re-signs the site’s certificate under that root, and inserts sponsored content into the pages the user sees. Because the browser then trusts the adware’s root instead of verifying the website’s genuine certificate, and because the same root private key shipped on every affected laptop, anyone who extracted that key could impersonate any secure website to those machines. The mechanism that lets an advertiser inject content therefore also lets a criminal read or alter traffic the user believes is encrypted.
It’s the security equivalent of asking a knowledgeable friend, who’s been outside and read the weather report, “Is it raining? Should I take an umbrella?” and instead having another person who has never seen rain or umbrellas answer, “Nah, you’ve got nothing to worry about.”
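To make the mechanism concrete, here is an added example using only the openssl command line; it is not code from the article, from Lenovo or from Superfish. It builds a constructed interception root, forges a certificate for a made-up site under that root, and then checks the forgery against two trust stores: one containing the adware root (the victim laptop) and the system defaults (a clean machine). Every name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added demonstration of the Superfish-style interception root problem.
# Assumes only the openssl command-line tool. Every name below (the
# "Constructed Adware Interception Root", shop.example) is made up for
# the example; nothing here is Superfish's or Lenovo's own material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the adware vendor creates ONE self-signed root and ships it,
# private key included, on every laptop: the local proxy needs the key to
# re-sign each intercepted site's certificate on the fly.
make_adware_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Adware Interception Root" \
        -keyout "$WORK/adware-root.key" -out "$WORK/adware-root.pem" >/dev/null 2>&1
}

# Step 2: anyone holding that shipped key can mint a certificate for any
# hostname. This is what the proxy does to inject ads, and what an attacker
# does for a bank or shop once the key has been extracted from one laptop.
forge_site_cert() {
    site=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$site" -keyout "$WORK/$site.key" -out "$WORK/$site.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$site.csr" \
        -CA "$WORK/adware-root.pem" -CAkey "$WORK/adware-root.key" -CAcreateserial \
        -out "$WORK/$site.pem" >/dev/null 2>&1
}

# Step 3: chain-validate the forged certificate. A store that contains the
# adware root accepts it ("trusted"); a normal store rejects it ("rejected").
# $2 is either a CA bundle path or the word "system" for openssl's defaults.
verify_site_cert() {
    site=$1
    store=$2
    if [ "$store" = system ]; then
        if openssl verify "$WORK/$site.pem" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
    else
        if openssl verify -CAfile "$store" "$WORK/$site.pem" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
    fi
}

run_demo() {
    make_adware_root
    forge_site_cert shop.example
    echo "victim laptop (adware root trusted): $(verify_site_cert shop.example "$WORK/adware-root.pem")"
    echo "clean machine (system roots only):   $(verify_site_cert shop.example system)"
}

run_demo
```

The forged certificate is indistinguishable to the victim’s browser from a genuine one because the browser never sees the real chain; it sees a chain ending in a root it has been told to trust. On an affected Windows laptop the tell-tale sign is that interception root in the machine’s trusted root store (Superfish’s was issued to “Superfish, Inc.”), and removing the program without also deleting that certificate leaves the exposure in place.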
Lenovo issued an apology and published instructions for customers and technology providers on removing the software, stating that the goal of Superfish was “to improve the shopping experience using their visual discovery techniques.” (Uninstalling the application alone was not enough: the root certificate it had added to the Windows trust store had to be removed as well, or the exposure remained.) Also known as bloatware, such preloaded programs provide little to no value to the consumer even when they are not actively opening the door to harm, and Lenovo noted that it had received complaints about Superfish even before the security risk was revealed. The incident, together with the recent hacking revelation concerning Gemalto, a Dutch manufacturer of SIM cards, offers a glimpse of the potential liabilities facing businesses operating in the digital landscape, and prompts the question: is the cyber insurance industry responding appropriately?
Ability to Respond
Insurers should “write broader policies” to reflect the changing technological environment, according to attorney Scott Godes. “If you’re going to sell a policy to a company, you want to give them true peace of mind. Policies should be sufficiently elastic to encompass this changing landscape, rather than trying to narrowly tailor what you’ll offer based on what you’ve seen in the past few years.”
Godes told Advisen that the liability technology manufacturers could face hinges on what type of harm plaintiffs allege.
“What is the rationale and what are the allegations made against the insured in terms of liability? If the basis has the root in privacy, then you’d look to an insurance policy that has that,” he noted. Most cyber insurance policies will speak to a privacy-based issue, actual or alleged. Other avenues for covered losses include third-party liability, business interruption or regulatory violations.
“What is causing the policyholder to spend money?” he said. “When I talk with clients about issues like this, and they’re trying to get their arms around a new problem, my advice is always think broadly about your insurance.”
In the case of Gemalto, the manufacturer confirmed that in 2010 and 2011 it had been the victim of a cyber attack, likely initiated by the U.S. National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ). While it was speculated that the attack was designed to steal SIM encryption keys, Gemalto said this likely did not happen.
“The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft,” the firm said.
Lenovo and Gemalto illustrate two ways liability can arise: Lenovo through an effort to boost revenue with adware that backfired, and Gemalto through manufacturing a product of great interest to national security agencies. But do these situations give plaintiffs grounds to claim specific harm and actual liability for which the companies must answer?
“Never underestimate the plaintiffs’ bar and their ability to come up with creative theories for why their clients should be compensated for something that did or didn’t go wrong,” Godes commented.
Who’s to Blame?
In 2001, long before data breaches became a regular occurrence, the New York Times published an article entitled “Can Hacking Victims Be Held Legally Liable?” At the time no such lawsuits had been filed, but the legal world was watching. Fourteen years later, it has become clear that, regardless of where the security problem originated, the hacked company is the one held responsible for failing to secure its perimeter.
“The state that we’re in is a bit like medieval times when it comes to businesses and cybersecurity,” said Kevin Bocek, vice president of security strategy at cybersecurity firm Venafi. “You built your own castle, you fortified it and protected it. That was the only way you could survive. You never knew whether the next day a marauding army or kingdom was going to come and attack. There is no one who is going to save them. Sony was a good example of that. From a cyber perspective, there is no organization that is immune to attack.”
Bocek told Advisen that cases like Lenovo will prompt even more attention to potential supply chain disruption and how businesses both protect themselves and respond to inevitable incidents.
“You’re going to be measured by how you respond,” he said.