In order to fully understand the risks associated with cyber security, insurers and policyholders are constantly forced to grasp new concepts related to the hackers themselves as well as how information sought by hackers is being stored and protected. In the coming years, insurers can expect to see insurance claims and the related investigation change because of metadata, often described as “data that provides information about other data.”
Many people became familiar with the collection of metadata and other digital content because of the investigations of the National Security Agency’s surveillance program. At present, U.S. law distinguishes between the collection of “content” and “metadata.” In general, metadata includes “the substance of an electronic communication” and content includes “all other information about the communication, such as parties, time and duration.”
A number of articles have addressed recent changes in the laws related to data collection, but as U.S. law presently stands, a government agency must jump through a number of procedural requirements to obtain content during an investigation. By contrast, there are few safeguards in place to protect metadata. The metadata found in telephone records, for example, can be obtained merely by a subpoena. Commentators have pointed out that “[t]elephone metadata has been used relatively freely by government agencies on the assumption that it is anonymized and meaningless without content.” In short, metadata has typically received less protection than content because metadata is generally considered to provide less valuable information.
However, a study published this week by the Proceedings of the National Academy of Sciences, Evaluating The Privacy Properties Of Metadata, questions the U.S. law’s distinction between metadata and content. Researchers analyzed whether the distinction is justified. Not surprisingly, the researchers found little or no reason to treat metadata differently because metadata, similar to content, “enables automated location and relationship inferences, and can be used to determine highly sensitive traits.” Essentially, the researchers found that the collection of metadata may present the same privacy issues underpinning the prohibition on collecting content.
The study first addresses the methods the researchers used to collect their data. The researchers used an Android phone application to collect data, including historical text messages and information from the participants’ Facebook accounts.
For example, after collecting the data, the researchers found they could determine that a participant owned a particular semiautomatic rifle when metadata showed the participant made calls to firearms dealers and manufacturers. This means that even without content of an e-mail or some other communication where the participant discussed the purchase of a rifle, the researchers could still figure out the participant may have purchased a rifle. And, using public resources, the researchers confirmed their findings through metadata that the participant did, in fact, own an AR rifle.
The study ultimately concluded there is a strong need for “scientifically rigorous surveillance regulation” in order “to strike a balance between national security and civil liberties.” This study examined commercial data practices and found regulations may need to be imposed on telecommunications companies that handle this data.
This study is useful for the insurance industry to the extent that if the researchers were able to ascertain that a person owned a particular rifle, it stands to reason that a policyholder could face potential liability from obtaining sensitive information about its competitors through metadata. That is, an insured’s use of metadata may need to be a consideration for an insurer when writing coverage. Further, from an insurer’s standpoint, the claims industry is already looking at ways to use metadata to investigate fraudulent claims. Therefore, just as terms such as ransomware and the internet of things have become part of the cyber liability vernacular, the insurance industry must start gaining a better understanding of metadata and its implications.