THE UGLY TRUTH ABOUT CYBER INSURANCE & GOVERNMENTAL DATA BREACHES.

Author: Rapela, Sean Andres
  1. Introduction

    Just as the sun rises and sets, the wind blows, and the tides change, cyberattacks and data breaches occur. (1) Cyberattacks come in an array of forms, but ransomware, malware, phishing, and denial-of-service attacks are generally the usual suspects in data breaches. (2) Tracking software, wiretapping, and spear phishing are additional forms of threats that exist under the general umbrella of cyberattacks. (3) Furthermore, cyberattacks are not waning, but instead are increasing exponentially with consumers' increasing reliance on technology. (4) According to the Computer Sciences Corporation, by the end of 2020, over a third of data will pass through the cloud and increase data generation by 4,300 percent. (5) Additionally, cyberattacks do not discriminate, as they impact nearly every major industry and cost breached organizations a massive three to seven million dollars per breach on average. (6)

    While corporate America is often the target of widely publicized breaches, such as the recent Marriott and Equifax breaches, cyberattacks pose a potentially greater threat to United States national security, and in particular government entities. (7) For example, cyberattacks on government agencies, including the United States Postal Service breach, resulted in tens of millions of exposed records.

    Many large companies have turned to cyber insurance as a way to mitigate the risks of cyberattacks, but government entities are largely uninsurable due to obsolete infrastructure and operating systems. Therefore, the government must take alternative measures to protect the data citizens are obligated to entrust it with, including Social Security numbers, dates of birth, and addresses. This Note argues that a cyber relief program, potentially through a tax, is necessary to aid all government entities in recovery from data breaches and cyberattacks. This Note will focus on why cyber insurance works for private organizations, but why a broader program is needed to protect government entities. Three possible avenues exist for this purpose: a Social Security-like payroll tax, a cyber excise tax, or a taxpayer alternative in the form of a federally funded insurance program. Each option could protect both the government and victims (citizens) of a data breach.

  2. History

    1. As Cyberattacks Increase, Organizations Turn to Cyber Insurance

      Cyberattacks account for potentially more than four hundred billion dollars in losses annually, and many companies have turned to cyber insurance to mitigate these losses. (8) While there is limited data on the cyber insurance market, first-party loss and third-party liability coverage for cyberattacks is rapidly evolving. (9) Roughly one in three organizations have some form of cyber insurance. (10) However, cyber insurance may not remain a sustainable option for many organizations, as cyberattacks are an indefatigable risk, and, due to a recent growth in threats, policy premiums are expected to jump from two-and-a-half billion to almost eight billion by 2020. (11) Executives in many organizations are dejected at the thought of this, and despite the profound threat cyberattacks carry, many of these same executives express "compliance fatigue" as a result of the never-ending and expensive process of conforming with multiple security structures. (12)

    2. How the Courts Interpret Cyber Insurance

      Despite increasing policy premiums, the coverage that cyber insurance provides is likely inadequate due to the interpretation of the courts. (13) In general, there are three principal types of cyber insurance policies: (1) commercial general liability policies, (2) crime/fidelity cyber insurance policies, and (3) cyber policies. These policies work to shift the risk that comes as a result of having to respond, investigate, defend, and mitigate cyberattacks. (14) For example, when it comes to commercial general liability policies, which organizations often rely on to cover losses in data breaches, the courts typically have found no coverage. (15) However, for organizations with crime/fidelity cyber insurance policies, the results are more encouraging as the courts are more willing to find that coverage applies. (16) For instance, the Sixth Circuit held that where a phishing attack took place resulting in payments to an unintended bank account, the insured suffered direct losses that the organization's cyber insurance policy covered. (17)

      Perhaps the most promising of the cyber insurance policies are cyber policies, also simply known as cyber-insurance policies, for these policies have the potential to protect both the breached organization and the consumers the breach victimizes. (18) Still, the cases involving this type of cyber insurance policy paint an incomplete picture, as this is still a newly developing body of law. (19) Nevertheless, organizations are often disinterested in tackling cyber security, and the disconcerting trend that exists is that cyber insurance is implemented in response to regulation by the government rather than organizations recognizing the risk and acting without government intervention. (20) As a result of this trend, many cyber insurance companies seek litigation avoidance rather than discouragement of illegal conduct. (21)

    3. Expensive and Illusive: Cyber Insurance is Difficult to Obtain

      Cyber insurance is difficult for many large companies, let alone small businesses, to obtain as a result of the expensive policies and often inadequate coverage. (22) As a result of the courts' indecisiveness when it comes to cyber insurance, new policies are created and old policies are updated or revised on a regular basis, and with so many different policies it is often extremely difficult for organizations to choose one. (23) Furthermore, even if an organization overcomes the time-consuming process of choosing a cyber insurance policy, cyber insurance is extremely expensive, and, for the most part, only very large companies can afford it. (24) For instance, ahead of their breach, Equifax maintained 125 million dollars of cyber insurance coverage. (25) Moreover, the success of recent class action suits, such as the one that Target faced, has driven the price of cyber insurance up to the point where deductibles are so high that few companies can secure policy limits beyond fifteen million dollars. (26) Consequently, the question as to whether or not cyber risk is insurable is a legitimate question, for massive losses, lack of information, and failure in effective risk pooling all point to an arguably unsustainable system. (27)

    4. The Government's Failure to Address Cybersecurity

      While the courts have struggled to keep up with cyber insurance in the private sector, government entities are even further behind. (28) There is a misconception that cybersecurity is a new problem; however, in 1965 the Brooks Act led to the creation of the National Institute of Standards and Technology, which regulates security standards. (29) Furthermore, computer viruses date back to the 1990s, and by the turn of the century, business losses to security breaches were already in the hundreds of billions. (30) In recent years, Congress demonstrated they are hesitant to react to cybersecurity, as over one hundred cybersecurity bills were introduced over the past few years, yet the vast majority of them were not successful. (31) Consequently, current public law is largely reactive and unorganized. (32) To date, public law contains no remedy for government entities, private entities, or victims of cyberattacks, and in the past the government has often turned to taxes to address legislative gaps. (33)

    5. Social Security: How the Government Implements Necessary Tax Systems

      In general, a lot of federal revenue is collected from payroll taxes, such as Social Security, which are regressive taxes, meaning that the rate is constant rather than proportional. (34) Congress enacted the Social Security Act as a response to the Great Depression, which caused millions of Americans to lose their life savings. (35) Nearly everyone retires at some point, and a person is not entirely responsible for all aspects of their retirement, for an individual does not know when they will die. (36) Therefore, the Social Security system provides an additional barrier between retirement and insolvency before death. (37) The Social Security system operates through the payroll tax, and this means that the labor income of every American contributes to the pool. (38) Additionally, the current structure of the Social Security payroll tax collects from both employers and employees at an equal rate. (39)

      Therefore, it logically follows that the Social Security system plays a crucial role in the long-term financial planning of United States citizens, and the nearly universal government-run retirement system also serves as an economic stabilizer, for even when the market declines, retirees do not need to cut their spending to conserve their wealth. (40) Still, the Social Security system has its disadvantages, for the retirement age to receive benefits continues to increase, and many retirees are waiting until later in life to claim benefits in order to receive maximum payouts. (41) However, Americans recognize the importance of the Social Security system, and a large number are willing to pay even more taxes in order to ensure its survival. (42)

    6. Unrelenting: Cyberattacks Will Continue to Plague Public and Private Sectors

      With the continuing growth of cyber-crime, it is impossible to ignore the always looming threat of cyberattacks and data breaches. (43) When private organizations or government entities are breached, the result is a long and expensive process that almost certainly involves the legal system. (44) For instance, the Target data breach took place in 2013, and five years and millions of dollars later the U.S. Court of Appeals for the 8th Circuit affirmed a lower court's ten million dollar settlement agreement between Target and...
