'Data Breach, Privacy, and Cyber Insurance' by Shauhin Talesh in Law and Social Inquiry (2017) comments:
While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars’ research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.
Talesh's fascinating article concludes:
This study elaborates the literature on the relationship between organizations
and law by blending new institutional organizational sociology studies of how
organizations respond to legal regulation and sociolegal insurance scholars’ studies
of how institutions govern through risk. In particular, my study bridges these two
theoretical frameworks by revealing how in the context of cyber insurance, insurers
go well beyond pooling and spreading risk and act as compliance managers for
organizations dealing with cyber security threats. Although prior new institutional
studies of law and organizations emphasize the way that managerial values influence
the nature of law and compliance among organizations, governing through risk
provides an alternative framework by showing how risk management services and
risk-based logics that are institutionalized by the insurance field influence what
organizations are told privacy laws mean and how they are told to respond to data
breach. Consistent with prior studies that blend governing through risk and the
managerialization of law, concerns over risk and the need for adequate policies and
procedures drive the process at every stage. Thus, risk and managerialized values
work in tandem.
My multisite, multimethod approach also enhances prior studies of insurance
as regulation by revealing how the insurance field governs through risk and uses
considerations of risk and insurance services to influence organizational strategy and
decision making. Whereas early work celebrates insurance as regulation and focuses
on the forms and functions of insurance, more recent studies of directors and officers, employment practices liability, and cyber insurance focus on the conditions
under which insurance shapes behavior in positive and negative ways.
Given the range of findings from these studies, scholars need to think of the
benefits of insurance as regulation on a continuum. Insurance as regulation does
not always work, nor does it always fail. Although more research is clearly needed,
it appears there are a couple of distinctions between EPLI, directors and officers
insurance, and cyber insurance. For example, prior work in the directors and officers
context shows how the insurance industry has the ability to engage in loss prevention behavior but does not try to engage in such behavior (Baker and Griffith
2010). In the cyber context, the insurance industry does try to engage in loss prevention and does so in a manner that is focused on managing and averting the risks
associated with data breach. One likely difference is that in the directors and
officers context, directors and officers are less eager to be told how to engage in
risk-averse behavior. Policyholders in the cyber context, however, are interested in
the insurance defense and indemnity coverage, but also the accompanying risk
management services that can prevent, detect, and respond to a data breach event.
The risk management services that accompany cyber insurance also fill a competency or knowledge gap for the organization. Organizations are willing to use risk
management tools that deal with the latest cyber threats that they lack internal
tools to defend against. Conversely, directors and officers believe they possess the
requisite knowledge and experience to manage a corporation responsibly and are
less eager to receive insurance risk management recommendations.
Moreover, whereas prior research shows that EPLI insurers spend considerable
time trying to shape the meaning of law for employers tasked with dealing with discrimination laws (Talesh 2015a), here, cyber insurers spend far less time mediating
law’s meaning and far more time trying to enhance an organization’s ability to
detect and respond when faced with a data breach. Thus, unlike in the EPLI context, the insurance risk management tools are less about simply avoiding being sued
and more about developing processes to prevent or limit any data breach problem
from occurring. Therefore, the conditions under which insurance as regulation
works depend on a variety of factors. Taken collectively, however, research on
directors and officers insurance, EPLI, and the cyber liability insurance context
reflects a significant shift in the manner in which insurers actively shape the nature
of compliance.
From a policy standpoint, this study raises important questions about the role
of insurance in regulating cyber security theft. Although prior research highlights
how insurance acts as a form of social control on society (Baker and Simon 2002;
Baker and Griffith 2010; Ben-Shahar and Logue 2012; Abraham 2013), important
questions remain concerning whether insurers should regulate organizational behavior and if they do regulate behavior, how that authority is exercised. Similar to
human resource officials, in-house counsel, and managers (Edelman, Erlanger, and
Lande 1993; Edelman, Fuller, and Mara-Drita 2001), my data suggest that the insurance field’s involvement as an intermediary may be a mix of benefits and
disadvantages.
On the one hand, to the extent organizations remain underprepared for cyber
risks and undercompliant with privacy laws, insurance industry intervention in this
area is very valuable. The risk management tools offered encourage and, to some
extent, force stronger detection and security protocols in organizations and nudge
organizations toward greater safety and security. In turn, this makes consumer information less likely to fall into the hands of wrongdoers. Cyber insurance and risk
management services such as the audits, hotlines, and online portals of handbook
materials provide substantive guidance on privacy law and on organizations’ responsibilities. To the extent that the information provided to organizations is accurate
in these settings, these services could be compatible with compliance and could
even induce greater compliance. Moreover, the postbreach services allow organizations to turn to one place and address all their concerns. Unlike other financial
institutions that also offer risk management services related to data breach, insurance companies are able to package these services with insurance litigation defense
and indemnification in the event of an actual breach.
On the other hand, overreliance on cyber risk management systems may allow
organizations to avoid more active engagement with the design, content, enforcement, and maintenance of their policies. By encouraging organizations to use
insurer-sponsored forensics, information technology, public relations units, and hotlines, the insurance field shifts or decouples responsibility for hard normative
judgments to others (such as insurance companies) operating outside the organization (cf. Bisom-Rapp 1996, 1999; Edelman, Fuller, and Mara-Drita 2001). Insurance
companies have an obvious financial incentive in seeing more customers purchase
cyber insurance and the accompanying risk management services. Insurance industry services that diminish an organization’s individual responsibility to design its
cyber security policies and procedures may diminish organizational responsibility for
making moral, ethical, and legal choices involved with compliance (cf. Baker and
Simon 2002). To the extent organizations can simply delegate their data breach
events to the insurers and accompanying risk management vendors, cyber insurers
may enhance the possibility that organizations are lethargic in taking ownership of
compliance policies and procedures and, consequently, preventing privacy laws from
making a greater impact.
Obviously, future research on whether cyber insurance leads to less data theft
would help to gauge the value of these insurer-sponsored risk management services.
Assuming insurer risk management services reduce the likelihood that data breach
events will occur, my data suggest, at least preliminarily, that there is a net benefit.
Existing research suggests that organizations are currently unable to keep up with
cyber threats. Thus, despite insurers’ financial incentives, insurer-sponsored help is
greatly appreciated by organizations and the consumers whose information is potentially exposed.
At a minimum, this study highlights the processes and mechanisms through
which insurers act as private risk regulators (Ben-Shahar and Logue 2012). Regulation over privacy and cyber security issues in the United States remains fragmented
and incomplete. The insurance industry is stepping in and trying to offer organizations a pathway for dealing with cyber threats and the abundance of privacy laws.
Law is typically thought of as top down, coming from public legal institutions such
as courts, legislators, and regulatory institutions. However, consistent with new legal
realist and law and society studies, how organizations implement laws and comply with various rules is shaped by intermediary institutions such as insurance
companies.
Cyber risk management services do not just reduce risk; they actively construct
the meaning of compliance. As shown in the employment and consumer protection
contexts (Edelman, Uggen, and Erlanger 1999; Talesh 2009, 2012), these responses
are becoming institutionalized and gaining legitimacy. In particular, public legal
institutions are deferring to and encouraging organizations to purchase cyber security insurance.
The Department of Homeland Security’s National Protection and Programs
Directorate recently convened working sessions and roundtables with the insurance
industry to discuss ways to make public and private institutions more cyber secure.
While acknowledging that the cyber insurance market is relatively nascent as compared to other lines of insurance, the Department of Homeland Security’s report
concluded that cyber insurance is vital: “A robust cybersecurity insurance market
could help reduce the number of successful cyberattacks by: (1) promoting the
adoption of preventative measures in return for more coverage; and (2) encouraging
the implementation of best practices by basing premiums on an insured’s level of
self-protection” (Penensky, Traub, and Leff 2015). Moreover, the report devoted
extensive attention toward improving risk management within organizations, the
very kinds of services cyber insurance companies are offering (Department of
Homeland Security 2014). Thus, it appears that insurance institutions are shaping
the content and meaning of cyber security compliance.
Moving forward, this article suggests that there is great potential for constructive linkages between studies on risk management and law and organizations. More
research on how risk-based logics are mobilized by intermediaries and mediate the
way organizations deal with cyber security threats and comply with privacy laws
would help strengthen organizational theory and reveal how, in action, the meaning
of compliance is often constructed by legal intermediaries.