Data Breaches – It’s Not Like Anyone Is Going To Die

The Changing Nature of Cyber Risk

For years, “cyber” risk has been viewed as purely a financial game.  An organization experiences a security event and expenses are incurred to clean up the resulting mess. The cyber insurance marketplace has long operated on this notion that security events are, essentially, financial loss events. After all, there have been very few reported data breaches that have resulted in a life or death situation, and therefore it has not received much attention. That is, until Ashley Madison.

News of the leak of user information spanning multiple Avid Life Media properties took the media by storm this summer. Dumping user names, email addresses, passwords and account details from poorly secured websites is nothing new. Thousands of account credentials are posted to nefarious online forums every month. At a minimum, such data breaches are an embarrassment to system administrations and an inconvenience to users. But the data breach at Ashley Madison shows us that even a leak of relatively mundane user information can have a devastating impact. The implications go far beyond the traditional notion of financial loss when it comes to businesses or services that, simply by the very fact that we use them, reveal something profoundly personal about our lives.

Reports of scams, blackmail and suicides began appearing the press shortly after the Ashley Madison breach became public knowledge. Early reports out of Toronto and San Antonio speculated that the breach played a role in the deaths of three individuals. While it is unconfirmed whether there was a direct link between the data breach and these suicides, there is little disagreement the death of John Gibson is the direct result of the Ashley Madison data breach.

It can be easy to dismiss the breach at Ashley Madison and the resulting loss of life as an outlier event. After all, Avid Life Media trades in the risqué and few other businesses specialize in catering to individuals seeking extra-marital affairs. But that does not bar the same outcome for other, more socially acceptable services. Organizations such as Alcoholics Anonymous, Planned Parenthood and HIV/AIDS support groups provide a legitimate function, but using such services can be a delicate matter and it is easy to imagine that clients would prefer to keep their patronage private.

Much has been written about the circumstances of Mr. Gibson’s death. Regardless of anyones views on his actions, the fact remains his suicide note squarely attributed his death to the data breach. For cyber insurers tasked with quantifying security risk, the idea that a data breach can result in such a profound bodily injury is relatively new and uncharted waters.

Despite the uncertainty surrounding such injuries from a data breach, insurance companies are diving into the unknown. Competition for attracting cyber insurance buyers is fierce and carriers continuously introduce new enhancements, seeking to distinguish their product from a crowded field of players. While most cyber policies do not insure against bodily injury or property damage, competition is driving change. For the determined buyer, cyber insurance contracts can be negotiated to include bodily injury up to and including death as the result of a security failure.

It has been reported that AXIS is the cyber insurer for Ashley Madison. It is unknown how that policy will respond to the lawsuits that are sure to follow from any suicide linked to the data breach.  What is clear is that insurers are gearing up for the wave of injuries and property damage that will certainly come with increasing connected devices.

In fact AIG, long recognized as a leader in developing new insurance products, introduced CyberEdge PC in April of last year. Although targeted toward commercial industries for now, this relatively new product specifically addresses physical damage to property and physical harm to people caused by a “cyber” attack. 

Whether it’s the result of a compromise of sensitive data or the inevitable blurring of the lines between product liability and cyber liability posed by the Internet of Things, insurers can no longer ignore the possibility of bodily injury or property damage resulting from a security event. What’s more, buyers of cyber policies should carefully consider the implications of a data breach. If the very nature of your business relies on client confidentiality and discretion, once thought of as a coverage gimmick, including bodily injury on the cyber policy may be one of the most valuable coverage enhancements to purchase.