
Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

Published online by Cambridge University Press:  27 December 2018

Abstract

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.

Type: Articles

Copyright © American Bar Foundation, 2018

