A New Era of Cyber Liability Claims
What insurers need to know about bitcoins, emerging electronic communications, and hacking trends.
It started as a simple theft claim. A laptop and leather jacket were stolen from the back seat of a vehicle. This is a routine claim handled by insurers daily—routine, that is, until the insured claims that $500,000 in bitcoins were on the laptop, for which he is seeking compensation. Suddenly a seemingly common claim is anything but routine. Is bitcoin currency? A security? Regardless, what proof of ownership can the insured provide or the insurer demand?
Twenty-five years from now the answers to these questions may be simple, but they certainly are not now as insurers struggle with the ever-increasing liability associated with today’s cyber society. The insurance industry notoriously is slow in adapting to change. Technology changes affect our society dramatically, and we are ill-prepared for the ensuing claims for compensation that are about to arise as new technologies emerge.
Make no mistake, we are entering a new era of cyber liability for insurers. In his 2015 State of the Union address, President Obama laid out a plan requiring 30-day notifications to customers whose credit or identity may have been stolen or compromised. As insurers are learning from recent cyber attacks involving major retailers, millions and even billions of dollars are at stake with each security breach. For issues being faced by property and casualty insurers to rise to such a nationally prominent level speaks to the seriousness of the path ahead.
While insurers may be slow to react in the field of claims, there is no doubt that they are racing to embrace the new world of electronic communications. Technology is moving rapidly; we already are moving away from email to many insurers offering instant communication with their policyholders and claimants via “apps.” Insurers are testing the ability of insureds to notify them of a loss by simply touching an app on their smartphones. While this may open new areas of communication and prompter claims service, as Sir Isaac Newton noted, “For every action, there is an equal and opposite reaction.”
Many insurers are unaware of the exploding number of app and smartphone services that are not focused on prompt claims handling but, rather, on the advancement of claims; medical treatment and personal injury; or property litigation. Services such as Auto-Accident-App.com provide a single source to call 911; store photographs and video of the scene and vehicle damage; provide driver’s license and registration information; and even suggest a video recording of injuries and the arrival of emergency medical equipment. One of the service keys on the app immediately links the user to a lawyer or medical provider directly from the accident scene. Also assisting are live operators 24/7, who make sure injuries are documented and the person knows exactly how to maximize recovery for both property damage and any claim of personal injury.
Other services count themselves as being humorous or purely for pulling pranks, but their sinister intents are only thinly veiled. Apps such as “Dude, Your Car!” allow the user to take a photograph of an undamaged vehicle and, by using overlays, select a myriad of damages from dented bumpers to broken glass to alter the photo so it appears that the vehicle has been damaged. A search of YouTube provides detailed information concerning how this app works. With insurers handling more claims with less staffing and through regional or national service centers, this type of insurance fraud will do nothing but increase as individuals and unscrupulous body shops use this very simple photo-altering technology to submit fraudulent or inflated claims.
It is not only these types of claims that present challenges for insurers in the claims handling process. While insurers have embraced email as a favored manner of communication, most insurers are not prepared for the world of texting and tweeting with insureds or claimants. The latter is especially interesting given the fact that most insurers now have their own Twitter pages.
The problem facing insurers is that, once you equip your claims team with a smartphone, there is the ability of a first- or third-party claimant to communicate via text. With a few simple keystrokes, it is possible also to identify whether the claims professional has a Twitter account. While in the future these new forms of communication may become commonplace, today insurers are ill-equipped to handle communications involving a claim via texting or tweeting.
Insurers have responded by notifying claimants that they will not permit such communication. However, in one recently reported exchange, an insured advised that he conducts all communications via text and would continue to communicate with his insurer via text unless the company cited to him a specific policy provision that prohibited texting as an accepted communication. The insurer acquiesced as the insured insisted that as the customer, he had the right to choose the manner of communication.
Perhaps more troubling is the fact that most insurers do not have systems in place for their claims team to ensure that texts and tweets, if they are used, are placed into the claims file. (Normally this can be done through simple screen captures or “snipping tools.”) In an ensuing case for bad faith or extracontractual damages, the insurer may be placed in a very difficult situation when there are crucial communications regarding the claim that are produced by the plaintiff but are not contained anywhere in the insurer’s claims file.
While insurers are slow to make changes, the reality is that these technologies, and whatever the future may hold, are new avenues of communication for which insurers must develop appropriate policies and handle much more quickly than in the past.
While insurers should be celebrating many of these new breakthroughs, serious questions arise as to what may be covered losses in this new era of cyber liability. Claims for negligent handling of data and credit information by major companies such as P.F. Chang’s, Target, and JPMorgan Chase, could give rise to tens of millions of dollars of insurance claims. In a December 2014 front-page story, USA Today reported that the average cost to a company that falls victim to a cyber liability attack was $3.5 million. Companies incurring such large losses are going to look to their liability insurers to provide some level of compensation.
Most commercial insurance policies were written decades ago and do not contain the proper language, limits, or exclusions to protect insurers from today’s cyber liability claims onslaught. Such a lack of preparedness is not lost on insureds or those who advise them. In the same USA Today article, Tom Kellerman, chief cyber security officer for Trend Micro, made the following observation concerning the Sony hack associated with the movie The Interview: “This is literally the equivalent of burning the building down—it’s a wake-up call about how bad it can get.”
Using the analogy of a cyberattack being the equivalent of a traditional fire loss claim is not to be taken lightly. Many insureds today probably fear a cyber liability attack more than a traditional form of property loss covered under most property and casualty policies. While certain insurers are marketing specific cyber liability coverage, it remains unclear what coverages may exist under traditional policies.
Our theft and loss of bitcoins is a good example. Bitcoin is a virtual currency, more specifically cryptocurrency, and exists only in cyberspace. It is not regulated by any governmental entity in the world, and there is no central financial body overseeing its distribution. While many claims professionals would immediately deny such a loss or believe the claim is subject to the relatively low limit for currency, they risk being wrong. No government has recognized bitcoin as a currency to date, and the United States has refused to recognize bitcoin as an acceptable security. So if it is not a currency or security, what is it exactly?
Of grave concern to U.S. insurers should be IRS Notice 2014-21. This notice pertains not only to bitcoins, but also to virtual currency in general. According to this notice, the IRS considers bitcoins as property and not currency for tax purposes. Based upon this IRS ruling, if no other policy exclusions or limitations apply, our insured’s stolen laptop may be eligible for bitcoin coverage under his property provision.
Compounding matters further, there is no monthly, quarterly, or annual statement showing the amount of bitcoins a person owns. While traditionally the duty is on insureds to prove and document their losses, insureds owning bitcoins may claim that there is no way to prove their ownership, but they will execute a sworn statement in a proof of loss, submit to an examination under oath, or otherwise testify truthfully concerning their bitcoin values. Can an insurer deny coverage when there is no proof available to document bitcoin transactions?
Bitcoins are only one new element on the horizon of insurance claims that cyber technology will usher in. “Ransomware” is being used by cyber criminals to lock computer data and charge a ransom to provide the code to unlock the data. Even when victims pay the ransom, often the codes do not work to unlock the encrypted files. The cost to restore such data may be millions of dollars for the data alone, let alone the loss of income incurred from the date of the attack through restoration of the data. Do such actions constitute a theft? Is payment of the ransom a recoverable loss? What if the ransom is not paid and there is an ensuing business income loss claim? What occurs when payment is made but the ransom does not restore the loss of valuable records? All of these are scenarios leading to possible claims for coverage under the insurance contract.
New aspects of employee dishonesty claims, defamation claims, and infringement upon trademark usage and intellectual property also are on the horizon. Traditional claims for employee dishonesty generally arise from either accounting or inventory control lapses; however, in this new era, employee dishonesty claims involving the loss or control of computer data may be much more costly than past claims.
Traditionally, the insurance industry has been slow to adapt as new technologies evolve. While in decades past, this may not have been good, the risks were minimal, and the time to make a change seemed to move more slowly. In the new millennium, we are in the world of cyber technology, and what was new technology yesterday is outdated tomorrow. We face an onslaught of potential new liability, increasing claims, and mounting damages in a 21st century world when our policies lag at least a half century behind.
Learn More at CLM’s Annual Conference
A more in-depth discussion on this topic is planned for CLM’s annual conference, which takes place March 24-27, 2015. The session is entitled, “Cyber Liability: Are We Keeping Up?” and panelists include Ronald Morrison, Great American Insurance Group; Shane Riedman, CAN Insurance; Matthew J. Smith, Smith Rolfes & Skavdahl, and Daniel Thenell, The Thenell Law Group.