08 June 2017


'Data Breach, Privacy, and Cyber Insurance' by Shauhin Talesh in (2017) Law and Social Inquiry comments 
While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars’ research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.
Talesh's fascinating article concludes
This study elaborates the literature on the relationship between organizations and law by blending new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars’ studies of how institutions govern through risk. In particular, my study bridges these two theoretical frameworks by revealing how in the context of cyber insurance, insurers go well beyond pooling and spreading risk and act as compliance managers for organizations dealing with cyber security threats. Although prior new institutional studies of law and organizations emphasize the way that managerial values influence the nature of law and compliance among organizations, governing through risk provides an alternative framework by showing how risk management services and risk-based logics that are institutionalized by the insurance field influence what organizations are told privacy laws mean and how they are told to respond to data breach. Consistent with prior studies that blend governing through risk and the managerialization of law, concerns over risk and the need for adequate policies and procedures drive the process at every stage. Thus, risk and managerialized values work in tandem.
My multisite, multimethod approach also enhances prior studies of insurance as regulation by revealing how the insurance field governs through risk and uses considerations of risk and insurance services to influence organizational strategy and decision making. Whereas early work celebrates insurance as regulation and focuses on the forms and functions of insurance, more recent studies of directors and officers, employment practices liability, and cyber insurance focus on the conditions under which insurance shapes behavior in positive and negative ways. Given the range of findings from these studies, scholars need to think of the benefits of insurance as regulation on a continuum. Insurance as regulation does not always work, nor does it always fail. Although more research is clearly needed, it appears there are a couple of distinctions between EPLI, directors and officers insurance, and cyber insurance. For example, prior work in the directors and officers context shows how the insurance industry has the ability to engage in loss prevention behavior but does not try to engage in such behavior (Baker and Griffith 2010). In the cyber context, the insurance industry does try to engage in loss prevention and does so in a manner that is focused on managing and averting the risks associated with data breach. One likely difference is that in the directors and officers context, directors and officers are less eager to be told how to engage in risk-averse behavior. Policyholders in the cyber context, however, are interested in the insurance defense and indemnity coverage, but also the accompanying risk management services that can prevent, detect, and respond to a data breach event. The risk management services that accompany cyber insurance also fill a competency or knowledge gap for the organization. Organizations are willing to use risk management tools that deal with the latest cyber threats that they lack internal tools to defend against. Conversely, directors and officers believe they possess the requisite knowledge and experience to manage a corporation responsibly and are less eager to receive insurance risk management recommendations.
Moreover, whereas prior research shows that EPLI insurers spend considerable time trying to shape the meaning of law for employers tasked with dealing with discrimination laws (Talesh 2015a), here, cyber insurers spend far less time mediating law’s meaning and far more time trying to enhance an organization’s ability to detect and respond when faced with a data breach. Thus, unlike in the EPLI context, the insurance risk management tools are less about simply avoiding being sued and more about developing processes to prevent or limit any data breach problem from occurring. Therefore, the conditions under which insurance as regulation works depend on a variety of factors. Taken collectively, however, research on directors and officers insurance, EPLI, and the cyber liability insurance context reflects a significant shift in the manner in which insurers actively shape the nature of compliance.
From a policy standpoint, this study raises important questions about the role of insurance in regulating cyber security theft. Although prior research highlights how insurance acts as a form of social control on society (Baker and Simon 2002; Baker and Griffith 2010; Ben-Shahar and Logue 2012; Abraham 2013), important questions remain concerning whether insurers should regulate organizational behavior and if they do regulate behavior, how that authority is exercised. Similar to human resource officials, in-house counsel, and managers (Edelman, Erlanger, and Lande 1993; Edelman, Fuller, and Mara-Drita 2001), my data suggest that the insurance field’s involvement as an intermediary may be a mix of benefits and disadvantages.
On the one hand, to the extent organizations remain underprepared for cyber risks and undercompliant with privacy laws, insurance industry intervention in this area is very valuable. The risk management tools offered encourage and, to some extent, force stronger detection and security protocols in organizations and nudge organizations toward greater safety and security. In turn, this makes consumer information less likely to fall into the hands of wrongdoers. Cyber insurance and risk management services such as the audits, hotlines, and online portals of handbook materials provide substantive guidance on privacy law and on organizations’ responsibilities. To the extent that the information provided to organizations is accurate in these settings, these services could be compatible with compliance and could even induce greater compliance. Moreover, the postbreach services allow organizations to turn to one place and address all their concerns. Unlike other financial institutions that also offer risk management services related to data breach, insurance companies are able to package these services with insurance litigation defense and indemnification in the event of an actual breach.
On the other hand, overreliance on cyber risk management systems may allow organizations to avoid more active engagement with the design, content, enforcement, and maintenance of their policies. By encouraging organizations to use insurer-sponsored forensics, information technology, public relations units, and hotlines, the insurance field shifts or decouples responsibility for hard normative judgments to others (such as insurance companies) operating outside the organization (cf. Bisom-Rapp 1996, 1999; Edelman, Fuller, and Mara-Drita 2001). Insurance companies have an obvious financial incentive in seeing more customers purchase cyber insurance and the accompanying risk management services. Insurance industry services that diminish an organization’s individual responsibility to design its cyber security policies and procedures may diminish organizational responsibility for making moral, ethical, and legal choices involved with compliance (cf. Baker and Simon 2002). To the extent organizations can simply delegate their data breach events to the insurers and accompanying risk management vendors, cyber insurers may enhance the possibility that organizations are lethargic in taking ownership of compliance policies and procedures and, consequently, preventing privacy laws from making a greater impact.
Obviously, future research on whether cyber insurance leads to less data theft would help to gauge the value of these insurer-sponsored risk management services. Assuming insurer risk management services reduce the likelihood that data breach events will occur, my data suggest, at least preliminarily, that there is a net benefit. Existing research suggests that organizations are currently unable to keep up with cyber threats. Thus, despite insurers’ financial incentives, insurer-sponsored help is greatly appreciated by organizations and the consumers whose information is potentially exposed.
At a minimum, this study highlights the processes and mechanisms through which insurers act as private risk regulators (Ben-Shahar and Logue 2012). Regulation over privacy and cyber security issues in the United States remains fragmented and incomplete. The insurance industry is stepping in and trying to offer organizations a pathway for dealing with cyber threats and the abundance of privacy laws. Law is typically thought of as top down, coming from public legal institutions such as courts, legislators, and regulatory institutions. However, consistent with new legal realist and law and society studies, how organizations implement laws and comply with various rules is shaped by intermediary institutions such as insurance companies.
Cyber risk management services do not just reduce risk; they actively construct the meaning of compliance. As shown in the employment and consumer protection contexts (Edelman, Uggen, and Erlanger 1999; Talesh 2009, 2012), these responses are becoming institutionalized and gaining legitimacy. In particular, public legal institutions are deferring to and encouraging organizations to purchase cyber security insurance.
The Department of Homeland Security’s National Protection and Programs Directorate recently convened working sessions and roundtables with the insurance industry to discuss ways to make public and private institutions more cyber secure. While acknowledging that the cyber insurance market is relatively nascent as compared to other lines of insurance, the Department of Homeland Security’s report concluded that cyber insurance is vital: “A robust cybersecurity insurance market could help reduce the number of successful cyberattacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection” (Penensky, Traub, and Leff 2015). Moreover, the report devoted extensive attention toward improving risk management within organizations, the very kinds of services cyber insurance companies are offering (Department of Homeland Security 2014). Thus, it appears that insurance institutions are shaping the content and meaning of cyber security compliance.
Moving forward, this article suggests that there is great potential for constructive linkages between studies on risk management and law and organizations. More research on how risk-based logics are mobilized by intermediaries and mediate the way organizations deal with cyber security threats and comply with privacy laws would help strengthen organizational theory and reveal how, in action, the meaning of compliance is often constructed by legal intermediaries.