Brendan Heath
86 Geo. Wash. L. Rev. 1115
Data breaches continue to increase in size, scope, and consequence as companies face the prospect of millions of personal records of their customers or clients being disclosed to internet hackers. In the face of this growing risk, insurance policies explicitly written to cover cyber incidents offer benefits to society in the form of increased security incentives. There is, however, continuing uncertainty about the development of this form of insurance.
This Note explores theories of torts and insurance in driving efficient management of risk and addresses the possibilities and limitations of both fields in developing effective deterrence of risk. After examining the role of the federal and state governments in insurance schemes generally, this Note argues that although the risks associated with data breaches offer novel difficulties, they are fundamentally more insurable than those of natural disasters and terrorism, which the government takes a more direct hand in insuring. This Note describes the development of the private cyber-insurance model and its split from traditional commercial general liability (“CGL”) policies, concluding that ambiguities should be resolved in ways that promote independent-standing cyber policies. Finally, the Note examines the trend in the data-storage industry of demanding limitations on liability and indemnification in contracts with the companies whose data is stored. It concludes that such provisions ought to be held contrary to public policy, enabling subrogation suits and preserving the deterrent effects of tort law.