OPM Hack Raises Questions About Cyber-Attack Liability

Reuters/Kacper Pempel

There doesn’t seem to be much danger of any high-level government official being held responsible for the security failures that let Chinese hackers raid the Office of Personnel Management, potentially compromising the personal information of millions of past and present government employees.

No one is ever held responsible for failure in government any more; even the most breathtaking incompetence and abuse lead to zero terminations or punishment. Congress is beginning to grumble about hearings and subpoenas, but even those tend to be ignored and subverted in the Obama era.

But what about financial liability? A post at the website of Insurance Business America notes some consternation in the insurance industry, which has been laboring to perfect product offerings and business models to deal with the complex liabilities that can arise from cyber attacks. If the business of adjusting claims for tornado damage or an auto crash is complicated, imagine how much more delicate the task becomes when all the property damaged is virtual, but very real shockwaves can roll through the victim’s life:

For insurance industry professionals, the breach of the federal government was not entirely unexpected. However, it helps underline a point that many proponents of cyber liability insurance and other security policies have tried to make repeatedly: no one is safe, and public entities and small private businesses are particularly at risk.

“What this shows is that no one organization can be fully immune to cyber risk – whether they are a public or private sector body,” said Jack Elliott-Frey, a broker with SafeOnline LLP. “Public sector bodies often have smaller budgets than private businesses of the same size, and due to that are forced to spread it across more sectors of the business.

“Ultimately this means that security spending can take a backseat, and with public sector bodies such as local governments or healthcare providers, this can prove to be problematic as they hold plenty of valuable personally identifiable information.”

The article goes on to observe that health care providers and small businesses are the most common data breach targets, but are also most likely to pass on purchasing “cyber insurance” due to its expense. The insurance industry believes its potential customers overestimate the cost of coverage, because the per-record cost of a massive breach can stack up vastly higher than the annual cost of an insurance policy.

The fallout from the OPM hack could change hearts and minds when it comes to assessing the value of cyber insurance policies, with millions of people potentially affected. Not only are they at risk of identity theft, but Insurance Business America touches lightly upon something that will bring many a sleepless night to intelligence agency heads over the coming months: those potentially compromised individuals might now be too much of a security risk to hold sensitive positions, which could be devastating to their livelihoods and career aspirations.

Even government employees with less sensitive positions could find their digital profiles corrupted by the mischief of hackers. You can do a lot of damage to someone’s reputation with the kind of information the Chinese raiders allegedly stole. (It’s a very interesting aspect of the OPM disaster that not much appears to have been done with the stolen data yet, for either fun or profit. What might be coming down the road? What if the hackers sit on what they’ve taken until the time is right to cause trouble for millions of victims, all at once?)

The insurance industry may find the OPM hack to offer a “teachable moment” on the value of cyber insurance – which sounds crass, but there’s nothing scurrilous about insurance professionals accurately pointing out that policy coverage is a bargain compared to the damage from a massive data breach. That’s their job, and companies entrusted with mountains of priceless information should hope they do it well.

On the other hand, the industry may also learn that the accumulated financial damage from an attack on the scale of what happened to the Office of Personnel Management creates a liability avalanche large enough to bury any underwriter. Is there anyone even capable of calculating a reasonably accurate dollar value for the data that was stolen from our government? Is there any way to compute the cost of the havoc that can be wreaked, until the hackers start wreaking it?


Please let us know if you're having issues with commenting.