IoT coverage: A patchwork quilt with potential holes
As 2017 closes, companies continue to grapple with how to manage and insure the many risks presented by privacy and cyber security issues. Companies are seeing those risks multiply at a dramatic pace as the “internet of things” becomes ubiquitous. Many companies believe they will, or should, be covered for claims related to the internet of things if they have purchased traditional insurance policies and a dedicated cyber policy. However, the availability of coverage for an internet of things claim may not be so clear, especially if careful underwriting and coordination of the relevant insurance policies have not been undertaken.
What is the internet of things and why does it matter?
The internet of things is a virtual ecosystem that connects day-to-day consumer products and services with the internet. Connected devices are intended to improve efficiency and quality of life by simplifying access to information and product use. Baby monitors, self-driving cars, Fitbits and thermostats are typical examples of internet of things devices embedded with sensors that allow users to control those products with their voices, their smartphones or other connected devices. In 2011, the number of “things” connected to the internet surpassed the number of human beings connected to the internet. By 2020, experts predict there will be more than 50 billion connected devices.
Of course, convenience and efficiency do not come without risk. The ability to aggregate and access personal data for millions of people creates an attractive target for cyber criminals to capture large swaths of information quickly and easily. Sometimes the hackers simply want to invade end-users’ privacy, as seen in recent reports that hackers are able to transform Amazon Echos into wiretap devices. Other times, hacktivists are interested in seizing upon the interdependence of connected devices to cause chaotic denial of service attacks that bring businesses worldwide to a halt, as seen in the WannaCry ransomware attack in May, when more than 250,000 computers were infected in more than 150 countries in one day. However, internet of things risks may go deeper. A few years ago, researchers performed a study on a self-driving car where a “hacker” remotely accessed the car’s operating system and uploaded a software update that allowed the hacker to take control of the car. Thereafter, the hacker demonstrated he was able to cut the brakes, shut down the engine and drive the car off the road.
How to insure internet of things devices that become weapons of mass disruption
In light of the variety of risks presented by the internet of things, companies are starting to consider how their insurance programs will respond to such claims. However, too many companies assume they must be covered if they have traditional insurance coverage and a dedicated cyber policy, which may not be the case. Consider, for example, the risk exposure for a manufacturer of a Wi-Fi-enabled smart coffeemaker with an app that allows the consumer to schedule brews, change settings and receive reminders when it is time to order more coffee. After millions of products have been sold, a hacker transmits a virus through the app that changes all of the settings and causes coffee to brew continuously when no one is home, and house fires ensue. The hacker also accesses credit card information through the app and sells it on the darknet. The manufacturer is now facing a number of class-action lawsuits. Regulators are inquiring why the manufacturer did not have better controls in place to protect consumers against such malfunctions and privacy violations (or at least provide better warnings that such malfunctions could take place). And the security breach investigation reveals that a third-party provider with whom the manufacturer contracted to support the app is the party that created the weakness in the system.
The manufacturer immediately calls its broker to confirm that it is “covered.” However, the manufacturer may learn that its product liability coverage is unavailable because the commercial general liability policy contains an “absolute” data exclusion that bars coverage for damages arising out of loss of, corruption of, inability to access, or inability to manipulate electronic data. While some insurers have started to modify this exclusion to carve back coverage for bodily injury claims, not all insurers have, and the modification may need to be specifically requested. Further, such a modification would still not address coverage for the property damage and personal injury claims flowing from this internet of things claim scenario.
Next, the manufacturer may ask the broker, “Well, why isn’t this claim covered by that new dedicated cyber insurance policy you told us we needed to complete our coverage program?” The broker may have to hedge and advise that only portions of the claim will be covered by the cyber policy and, indeed, portions of the claim may be subject to sub-limits that are less than the actual costs the manufacturer must incur. The broker also may be compelled to advise that the big-ticket risk exposures associated with the alleged bodily injury and property damage claims are not covered under the cyber policy either, because that policy excludes coverage for bodily injury or property damage claims. Again, some insurers are starting to respond to this potential coverage gap by agreeing to modify the bodily injury/property damage exclusion in the cyber policy to provide difference-in-conditions coverage, particularly if the insured provides professional services to end users of products, but that coverage extension typically must be requested and may be subject to a capped sub-limit as well as a substantial additional premium.
Finally, the manufacturer may find itself in a knotty dispute with its provider over the insurance available to respond to the loss. Two key issues hotly contested whenever a loss arises are (a) what was the cause of the loss; and (b) who was responsible for the cause of the loss. Returning to the above example, was the loss caused by the coffeemaker malfunctioning or being defectively designed because it did not include an automatic shutoff — a traditional product liability claim that should be covered by the manufacturer’s insurance — or was it caused by the breach of the app such that the third-party provider’s cyber errors and omissions policy should respond and the manufacturer should receive additional insured protection under the provider’s policy?
The insurance industry is trying to keep pace with evolving risk exposures created by the internet of things, but technology is moving faster than coverage forms are being updated. Companies need to work closely with coverage counsel and their brokers to harmonize insurance policies and confirm that the patchwork quilt contains no holes when an internet of things claim is presented.
Lynda A. Bennett is chair of the Lowenstein Sandler L.L.P. Insurance Recovery Practice. She can be reached at 973-597-6338 or firstname.lastname@example.org.