the cyber insurance play

(Yes, the title makes me feel dirty as well, for using ‘cyber…’) I’ve been waiting on this case with PATCO Construction v Peoples United Bank to offer up some resolution for a while now, since I think it may set some important precedents. Alan Shimel weighed in earlier this month on it, particularly on the topic of individual accountability. (Disclaimer: I didn’t listen to the audio accompaniment.)

Toward the end, I was struck by:

Perhaps having breach insurance is the prudent, responsible business way to handle this? Does your organization even have breach insurance? Breach insurance is one way of managing your risk, but all it can do is replace money lost. Some breaches are hard to put a price tag on.

I can understand the PATCO situation, or maybe even the bank’s situation. But in the other example offered in the post, that of Wyndham Hotels and Resorts losing customer credit card information, how does insurance help those whose data is lost by a third party? Does it pay for credit monitoring (nearly useless)? Does it repay with gift cards that can be spent only with the negligent party (ridiculous)? I don’t think having a safety net is necessarily a solution for all parties involved. In fact, insurance may allow a business to take less responsibility, since it’ll just get a payout.

Ultimately, the idea of taking responsibility for security is a good one, but it runs contrary to how American culture has evolved over the last 50 years: blaming everyone else for anything that goes wrong.