Insuring Against an Internet of Things Attack

The world is more connected than ever before. Everyday objects, such as refrigerators, microwaves, baby monitors, printers, etc. are now online. The network of these Internet-connected objects is commonly called the “Internet of Things” (also known as “IoT”), which has been celebrated as the next big technology revolution. The Business Insider predicts that by 2021, 22.5 billion devices will be connected to the Internet.[1] The IoT increases efficiency and productivity in life and business, but also makes hacking easier. The FBI released a public service announcement in October 2017, warning that the IoT “provides new vulnerabilities for malicious cyber actors to exploit.”[2]  In 2016, hackers exploited the IoT to flood DNS provider, Dyn, with a DDoS attack, shutting down major websites like Etsy, Netflix, and Twitter. The same year, another IoT attack left two apartment buildings in a Finnish city without heating for more than a week in November.  What opportunities, and limits, does a traditional business interruption policy offer in the era of IoT?

Coverage under traditional policies often turns on whether the loss or damage of electronic data can be considered physical damage. Courts disagree on the topic. Some courts have held that electronic data is tangible and therefore susceptible to physical damage. For example, a federal district court held that loss of access, loss of use, and loss of functionality can constitute physical damage, awarding policy holder coverage for losses caused by a power outage that erased programming information and customer configurations from a mainframe computer, which was otherwise undamaged.  American Guarantee & Liability Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 WL 726789, at **1-2 (D. Ariz. April 18, 2000). Similarly, in Landmark American Ins. Co. v. Gulf Coast Analytical Laboratories, Inc., a Louisiana federal district court held that electronic data is physical and is therefore susceptible to “direct, physical ‘loss or damage.’” No. 10-809, 2012 WL 1094761, at *4 (M.D.La. Mar. 6, 2012). A data storage network’s loss of reliability due to changes on a microscopic level caused by covered cause of loss constituted physical damage, according to a federal court in Kentucky. Ashland Hosp. Corp. v. Affiliated FM Ins. Co., No. 11-16-DLB-EBA, 2013 WL 4400516, at *5 (E.D.Ky. Aug. 14, 2013).

But other courts follow a more restrictive interpretation of physical damage. A California appellate court ruled that electronic data was intangible and therefore was not property covered under the policy, denying coverage for damage to data caused by a database upgrade. Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556 (2003). The Fourth Circuit similarly held that data contained abstract ideas, logic, instructions, and information, which fell outside of the coverage for physical damage to tangible property. American Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003).

Prudent businesses seek protection under cyber policies to avoid the uncertainties posed by traditional business interruption policies. Cyber insurance policies usually cover business interruption caused by a network security failure, including hacker attacks that damage electronic data. For websites that rely on outside service providers, it is critical to include coverage for failure of third-party vendor’s network system. Policies, and more importantly, their interpretation after a loss, often lags advances in technology. Firms must pay very close attention to policy language to ensure proper protection. Interpreting those policies properly is art, not rote application of doctrine.

The attorneys at Slater Hersey LLP are well-versed in complicated insurance claims, including cyber insurance for business interruption. If you need assistance in reviewing your existing insurance policy or proposed contracts, or you need to file a claim for your own cyber business interruption, we can help. Call us today for more information

______________________________________________

[1] THE INTERNET OF THINGS 2017 REPORT: How the IoT is improving lives to transform the world, Business Insider, http://uk.businessinsider.com/the-internet-of-things-2017-report-2017-1?r=DE&IR=T (last visited Dec. 21, 2017).

[2] COMMON INTERNET OF THINGS DEVICES MAY EXPOSE CONSUMERS TO CYBER EXPLOITATION, https://www.ic3.gov/media/2017/171017-1.aspx (last visited Jan. 2, 2018).