Potential gaps in coverage from vast Internet of Things exposure

By Erin Ayers on June 27, 2014

The Internet of Things has the power to streamline our lives, improve medical technology and ultimately save society money – while opening the door to potentially huge privacy and liability concerns.

Humans are incredibly interconnected, with devices connected to the Internet to help us find our way via GPS, record a World Cup match, or keep homes cool with a remote-controlled thermostat.

“The Internet of Things” refers to the many millions of devices that use sensors to collect data and analyze it.

Society produces electronic data nearly nonstop, with every flurry of activity on Twitter or birthday wish on Facebook. Julie Brill, FTC commissioner, told an audience at Fordham Law School in March, “Our daily activities as consumers yield an astounding amount of data. Overall, 1.8 trillion gigabytes of data were created in the year 2011 alone – which is equivalent to every U.S. citizen writing three tweets per minute for almost 27,000 years. Individuals are estimated to create 70 percent of all data in the world – and it’s predicted that the total amount of data will double every two years from now on.”

She went on, “Perhaps more important than the rapid growth in available data is the proliferation of data sources. One company estimates that there will be 25 billion Internet-connected devices by 2015 – an average of more than three devices for every human being on the planet – and by the end of this decade, 40 percent of data will come from sensors.”

For consumers, these breakthroughs in science and technology may mean mere convenience, but they also offer the chance to prevent accidents or triumph over illness.

“Convenience is only part of the story. Scientists, entrepreneurs, academics, and policy makers see the potential for this vast expansion in the data available about us to solve important social challenges, from reducing the amount of gas we waste sitting in traffic jams and more efficiently managing our energy consumption, to achieving breakthroughs in healthcare,” said the FTC’s Brill. “The potential benefits that these kinds of discoveries can bring to society are enormous and exciting.”

However, consumer privacy worries must be at the forefront of any IoT discussion for both regulators and businesses. Questions raised by the FTC include whether consumers agree to having their data collected and analyzed, and whether businesses will recognize their obligations.

“Now is the time to ask how companies can provide this burgeoning connectivity – and its considerable benefits – without compromising consumers’ privacy or losing their trust. Will consumers know that connected devices are capable of tracking them in new ways, especially when many of these devices have no user interface? How will these new sources of data flow into the huge constellation of personal data that already exists? Will companies that, for decades, have manufactured ‘dumb’ appliances and other devices take the steps necessary to keep secure the vast amounts of personal information that their newly smart devices will generate?” asked Brill.

In one example, law enforcement use of surveillance “drones” has increased dramatically in recent years. According to the American Civil Liberties Union (ACLU), nearly every state in the union has introduced, considered or passed legislation to control the use of drones and protect citizens. For instance, a law in Indiana goes into effect on July 1 and requires any law enforcement officer to obtain a search warrant before using an “unmanned aerial vehicle,” and requires a search warrant before any person can be compelled to provide access to any electronic data device, storage or service to law enforcement.

Legislative action in states and federal action on consumer privacy have included such acts as the “We Are Watching You” Act and Black Box Privacy Act.

IoT exposure

From a legal and insurance perspective, any business producing or even selling Internet-connected devices is taking on a cyber risk, whether they realize it or not, say experts. The malfunction of a product or breach of data collected can bring about costly claims. Experts say that both businesses and insurers need to be aware of the risks and verify their coverage options.

“It increases exposures for protection of information for their customers,” said Lon Berk, attorney with Hunton and Williams. Businesses connecting to the Internet via a device or application and collecting customer data now have possession of personally identifiable information (PII) – and the responsibility to protect it.

“You wouldn’t think that a thermostat manufacturer would have to be concerned about access to and protection of personal information,” said Berk. For those companies that don’t realize their true obligations, their insurance policies and risk transfer options could leave them with coverage gaps.

IoT risks present a higher chance of a property damage, bodily injury or business interruption loss related to data, he added.

“It requires a rethinking by risk managers about the coverage they’re getting,” Berk told Advisen. “Unfortunately most of the time folks start thinking about it after the fact.”

And most businesses with this new exposure – as well as consumers – don’t seem to realize the extent of the risk. Berk commented on the fact that many automobiles now contain about 85 different data processors and sensors. He cited cars that park themselves and the claims that could occur in the event of misread data or a flaw in the design of an algorithm.

“That should be looked at as an electronic failure, but insurers have taken the position in the past that that kind of data issue or coding issue isn’t really a physical issue. And they don’t intend to cover it,” said Berk. “To me, it’s an open question of how the insurer is going to cover it.”

‘Hard loss,’ tough luck

The typical issue is a remote-controlled sprinkler system or thermostat malfunctioning and causing damage. Another classic was the hacking of a baby-monitor manufacturer that allowed outsiders to access the data tracked by the monitors – leading the FTC to proceed with an enforcement action against the maker, TRENDnet. The FTC determined the company’s failure to reasonably secure its cameras constituted an unfair and deceptive trade practice.

“Most cyber policies don’t cover cyber risks that would result in what I would call a ‘hard loss,’” said Berk. “I think the technology is outstripping what people who think about risk are doing.”

Claims data and litigation are few and far between on this point, with cyber risk and IoT concerns being relatively new.

Vincent Vitkowsky, an attorney with Seiger Gfeller Laurie, noted, “These things will malfunction. Some of them are not going to work. When that happens, there will be a basic product liability claim. Whether it will succeed remains to be seen.”

He told Advisen that technology errors and omissions claims have occurred, but in general “traditional cyber insurance” policies do not speak to property damage or bodily injury claims.

Claims relating to the IoT could occur “when something doesn’t do what it’s supposed to do and there are economic or physical consequences,” Vitkowsky noted.

The insurance industry is just beginning to develop products that address physical effects of cyber events, with a few offerings.

“The insurance industry, like everyone else, is struggling to keep up with the volume and the pace of developments,” said Vitkowsky. “The developments are outpacing all of us.”

And battles continue to be fought in the field of traditional commercial policies like the commercial general liability policy, according to Berk. Insurance Services Office (ISO) drafted data exclusions for the CGL, but courts have both found coverage and denied it.

For both insurers and businesses, the key is to evaluate all insurance coverage and understand how rapidly both progress and risk are growing in the Internet of Things.

“Folks are thinking about it, trying to be proactive,” said Vitkowsky. “For those who aren’t paying attention, there are going to be surprises.”

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.