Is cyber insurance AAA for data or another back door?
A few days ago I promised "tomorrow" a column about the future of data security. Then, just as the electrons were flowing on that DefCon column, I bought on eBay a 1978 GMC Royale motorhome in Bismarck, North Dakota that Channing and I have been trying to bring home ever since. We’ve so far broken down in Fargo, North Dakota (air suspension leak) and Brookings, South Dakota (ignition failure), but are now back on the road headed for California. We met Rick, the tow truck driver who used to be a rodeo bull rider, and Wayne Westerberg, the RV mechanic who gave up his Friday night to get us back on the road. Try Googling Wayne’s name for a surreal component to this adventure, which I’m sure is far from being over.
Back to data security. That DefCon column was about the simple days of hacking and cracking 20 years ago -- a time when the only person really making money from data security on the consumer side was probably John McAfee. So much has changed since then. Today billions are lost and stolen through thefts of both data and financial instruments. Data theft is being viewed as a military problem and the term cyber warfare is rampant (more about that in part three of this series, which I’ll write during our next breakdown). What we know for sure is that we can’t go home again: vulnerability will be part of the game as long as we as a culture choose to interact and do business online.
We can’t or won’t give up the Internet and the mobile transition seems at this point inevitable, so how will we, as a culture, come to terms with this mixture of increased vulnerability and decreased privacy?
I am not making this up.
Here’s an interesting document from the White House outlining the advantages of what they are calling cyber insurance not just as a way to compensate people and businesses for their loss of data, but actually as an alternative to government regulation.
It’s important to understand that the larger thrust here is this alternative to regulation. Actual insurance is secondary to behavior modification.
The idea is that all the government has to do is require that organizations get cyber insurance, then rely on the insurance companies to regulate customer behavior or those customers risk being cancelled. If interests are properly aligned this process can work quite efficiently, they argue.
With the U.S. government in a state of political paralysis, I can easily see something like this happening. Since the cyber insurance proposal is coming from the White House while being ruthlessly pro-business, it is likely to get broad bipartisan support.
But we all have to understand that this proposal would take something we’ve been thinking of as a law enforcement or even national security function and make it into a financial service.
Remember those banks that were too big to fail? Now we are going to rely on them to protect our data while at the same time guaranteeing them a profit for doing so.
Am I the only one who finds this unnerving?
Following data security best practices is a good idea, and doing so would be the heart of cyber insurance. At the same time it could expose everything about us to the insurers. If we worry about guys down at the FBI wading through our stuff, shouldn’t we worry even more if the wader is some entry-level clerk at Prudential?
This might be good news, it might be bad news -- I simply don’t know. What I do know is that there’s been little public discourse about it, and unless we raise our game and start talking we’ll find a new bureaucracy in place that we don’t understand, and that can’t be good.