This article originally appeared on November 3, 2016 in the Horton Group’s newsletter.

The term “Internet of Things” (IoT) refers to networks of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet. In the last few years we have started to see these devices become part of our homes and personal lives. And, unfortunately, we have seen hackers gain more access to our homes and personal lives through these interconnected devices.

While the IoT is not a new concept for many insurance or technology professionals, manufacturers and smaller businesses have recently seen how interconnected devices, such as video cameras or computers, can give their businesses an edge over the competition. These devices are improving productivity by allowing remote access, by automatically checking in with the manufacturer for software updates and by allowing data storage. And, as seen in our homes and personal lives, these devices are unfortunately allowing hackers more access to our workplaces and giving hackers more unguarded devices that can be used in their attacks on society. While the full extent as to how much access hackers will have is still unknown, a glimpse at these issues makes clear that the best strategy includes integrating cyber insurance with its other safeguards.

The Good:  The Industrial Internet of Things Can Improve Productivity

It is not difficult to see how the interconnectivity offered by these IoT devices can improve the workplace. For example, the October 25, 2016 issue of the Chicago Business Journal describes what is commonly referred to as “the industrial internet of things” (IIoT). Similar to that seen in the technology showing up in our homes, the technology giving rise to the IIoT connects industrial machinery “to enhance functionality and improve operational efficiency in industrial settings, ultimately making manufacturing more flexible, efficient and profitable and better able to serve their customers.” The IIoT is being credited with increasing efficiency in factory processes, energy usage and transportation. In particular, the Chicago Business Journal discusses how IIoT provides “real-time data,” methods for “better asset use,” and the ability to fix problems quicker by using “predictive diagnostics.” At this early stage, the IIoT is a method worth exploring to increase productivity.

The Bad:  IIoT Gives Hackers Access to the Workplace

While the overall impact of the IIoT on industry is considered positive, there should be no question that, as seen with any technological advance, there are some drawbacks. Specifically, the one trait that allows the IIoT to be useful, interconnectivity, has allowed hackers and criminals to gain access to interconnected industrial networks. For example, in 2008, hackers shut down a Turkish oil pipeline which resulted in a massive explosion. The hackers, believed to be Russian, compromised the pipeline’s surveillance camera software and infiltrated the pipeline’s internal network. After gaining access, the hackers shut down alarms, cut off communications and caused the crude oil in the line to over-pressurize to cause the explosion. Without setting off a single alarm, the explosion shut the pipeline down and caused large financial losses for the private companies and governments with interests in the pipeline.

A second example was seen in 2004 when a German steel factory was attacked by hackers who gained control of a blast furnace. According to reports, the factory suffered massive damage when hackers managed to access the factory’s production networks and tampered with the controls of a blast furnace. After the system was compromised, individual system components began to fail. As a result of the failures, one of the plant’s blast furnaces could not be shut down, resulting in extensive damage to the plant.

These attacks on the Turkish oil pipeline and the German blast furnace demonstrate the damage when hackers are given the opportunity. More troubling is the fact that these two incidents occurred before the interconnected devices were even remotely common in the workplace. That is, hackers will have more opportunity in the coming years. As businesses continue to adopt interconnected technology, we can expect hackers to have increased access to industrial systems. And, in turn, we can expect more security issues to impact industrial systems, networks and systems.

The Ugly:  The Influx Of Devices Used in the IIoT Also Increases the Number of Devices Available for Hackers’ Attacks

Unfortunately, the increase in interconnected devices translates into more devices available for hackers to hijack and use in cyber attacks. For example, internet-connected surveillance cameras and other unprotected IoT-connected devices were used by hackers to cause massive internet disruptions on October 21, 2016. This recent attack is generally blamed on the “Mirai botnet” which used unprotected IoT devices to launch a Distributed Denial of Service (DDoS) attack on at least 80 major websites. While it is still early in the investigation, it appears many interconnected devices were hijacked to take part in this attack.

Thus, the devices giving rise to the IIoT do not just merely increase the number of devices available for hackers to infiltrate individual networks. In simple terms, the chances of large-scale cyber attacks increase as the number of unprotected devices increase which can be used in such attacks. And, while many businesses understand the importance of cyber security for computers in the workplace and at home, cyber security for other interconnected devices can be easily overlooked. Consequently, we can expect to see internet connected devices used in the workplace to be used in many DDoS attacks in the near future. And, those attacks, which shut down websites and other computer systems, could easily cut into the productivity in a number of industries.

Cyber Insurance Available to Address IIoT

While it may be unclear what technological safeguards are worth the investment, businesses can be certain that cyber insurance provides a cost-effective and simple method to decrease the risks associated with the IIoT. In particular, first party insurance policies with the following coverages are essential for any business attempting to limit the possible harm created by interconnected devices:

• Loss or damage to digital assets: This coverage may include loss or damage to data or software programs, resulting in costs incurred through restoring, updating, recreating or replacing devices to the same condition they were in prior to the loss or damage. For example, this coverage may cover the costs to repair software used in the workplace which has been lost to a virus or otherwise compromised by hackers.
• Business interruption from network downtime: This coverage may include costs related to interruption, degradation in service, or failure of the network, resulting in loss of income, increased cost of operation and/or costs incurred by mitigating and investigating the loss. For example, one factor that did not become clear until recently is the fact that while the property damage in the Turkish oil pipeline and German blast furnace incidents was expensive, a company that suffers such a loss would also have to stop their assembly lines or other industrial processes while clean-up and repairs/replacement are completed.
• Cyber extortion: This coverage may include costs related to attempts to extort money by threatening to damage or restrict the network, release data obtained from the network, and/or communicate with the customer base under false pretenses to obtain personal information. This coverage becomes more important everyday as businesses are increasingly targeted for “ransomware.” As seen in our homes, businesses will get the most out of IIoT-connected technology by understanding and preparing for unforeseen risks. The threat from the increasing number of interconnected devices is two-pronged: first, hackers have more access to the individual networks and systems; and, potential losses related to shutdowns caused by DDoS or similar attacks can disrupt productivity and vendor productivity. Therefore, it will be become increasingly clear that obtaining cyber insurance is part of any reasonable strategy to handle the unforeseen risks related to the IIoT.

The post Industrial Internet of Things: The Good, The Bad And The Ugly appeared first on Privacy Risk Report.

The “Internet of Things” generally describes how physical objects around us are increasingly becoming wired to the internet, providing unprecedented access to information on how we live our lives. While it is well established that the Internet of Things provides hackers both voluntary and involuntary access to our lives, law enforcement and courts are just beginning to grasp the severity of the situation.

In United States of America v. Graham, the 4th U.S. Circuit Court of Appeals held the government did not violate the Fourth Amendment “by obtaining historical cell-site location information from cell phone provider” without first obtaining a warrant. This issue arose when the defendants were convicted following the denial of the defendants’ motion to suppress evidence gathered from cell phone towers.

In Graham, the government’s investigation uncovered “historical cell-site location information (CSLI) from defendants’ cell phone provider” that allowed the government to determine the exact time the defendants were near a particular cell phone tower. In short, the government was able to use this information to place the defendants near cell phone towers that were near the armed robberies at the time the robberies took place.

The use of this information hinged on the Fourth Amendment that ensures “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” The Fourth Amendment broadly protects against searches “where the government violates a subjective expectation of privacy that society recognizes as reasonable.”

Here, in determining if the government’s warrantless investigation of the site location information was proper, the 4th Circuit opined that the central question was whether the defendants had a reasonable expectation of privacy related to this data collected by cell phone towers. Affirming the convictions, the 4th Circuit held the government did not violate the Fourth Amendment.

The central question in this appeal was whether the defendants had knowledge that they were conveying their location to the cell phone towers that ultimately would be used against them. The 4th Circuit found the defendants had the requisite knowledge they were conveying this information to allow it to be used as evidence. In particular, the court held a “cell phone user voluntarily enters an arrangement with his service provider in which he knows that he must maintain proximity to the provider’s cell towers in order for his phone to function.”

In its opinion, concurring in part and dissenting in part with the majority’s decision, the dissenting judges questioned the majority’s holding that a person’s location conveyed to a cell tower is not protected by the Fourth Amendment. Further, in footnote 7 of the dissenting opinion, the dissenting judges took a close look at the various devices, in addition to cell phones, that automatically convey data and questions how these devises will be handled in the future:

…The rule that one must “know” what one can reasonably expect to keep private is new to me, and I believe to Fourth Amendment doctrine as well. It is also yet another aspect of this Court’s present decision with troubling future implications. I suppose we can also expect no privacy in data transmitted by networked devices such as the “Fitbit” bracelet, which “can track the steps you take in a day, calories burned, and minutes asleep;” the “Scanadu Scout,” which can “measure your temperature, heart rate, and hemoglobin levels;” or the “Mimo Baby Monitor ‘onesie’ shirt,” which can “monitor your baby’s sleep habits, temperature, and breathing patterns.”

In addition, in footnote 8 of the dissenting opinion, the dissenting judges also analyze this issue in light of new devices coming to the market generally referred to as the Internet of Things:

That is also surely the case now, and will only become increasingly relevant going forward. See, e.g., Neil M. Richards, The Dangers of Surveillance, 126 Harv. L. Rev. 1934, 1940 (2013) (“The incentives for the collection and distribution of private data are on the rise. The past fifteen years have seen the rise of an Internet in which personal computers and smartphones have been the dominant personal technologies. But the next fifteen will likely herald the ‘Internet of Things,’ in which networked controls, sensors, and data collectors will be increasingly built into our appliances, cars, electric power grid, and homes, enabling new conveniences but subjecting more and more previously unobservable activity to electronic measurement, observation, and control.”); Peppet, supra note 7, at 88–89. Today, the majority saddles us with a rule that does not distinguish between information an individual himself conveys and information that computerized devices automatically record, generate, and transmit. In other words, the majority’s expansive interpretation of Miller and Smith will, with time, gather momentum—with effects increasingly destructive of privacy.

Even though the Internet of Things is only addressed in a footnote of the dissenting opinion, the mere mention of this issue demonstrates that courts will need to address these issues presented by technology in the near future. Specifically, the dissent highlights the problems in using evidence gathered from devices that transmit data automatically. And, these issues are not limited to criminal proceedings. In the same manner that data stored by Facebook is being used in civil courts, we can expect data generated by the Internet of Things to be used as evidence in both criminal and civil matters.

The post Courts Begin to Struggle With Issues Presented by the Internet of Things appeared first on Privacy Risk Report.

At the height of the Internet of Things, a new technology craze has thrown the insurance industry for another loop as “augmented reality” takes hold. On July 6, 2016, Pokémon Go, an interactive app-based game, is on pace to have more downloads than Twitter has users. This recent Pokémon Go phenomenon has been described as follows:

In simple terms, Pokémon Go uses your phone’s GPS and clock to detect where and when you are in the game and make Pokémon “appear” around you (on your phone screen) so you can go and catch them. As you move around, different and more types of Pokémon will appear depending on where you are and what time it is. The idea is to encourage you to travel around the real world to catch Pokémon in the game.

Pokémon Go uses technology generally referred to as augmented reality:

On the spectrum between virtual reality, which creates immersive, computer-generated environments, and the real world, augmented reality is closer to the real world. Augmented reality adds graphics, sounds, haptic feedback and smell to the natural world as it exists.

As seen with other technological developments, the consequences on the insurance industry are not entirely understood at this time. However, it is clear that this technology will impact the insurance industry in some manner, as we have already seen the following situations:

• Private Property Turned Into “Pokémon Gyms:” The Pokémon characters will gather at what the app refers to as a “Gym.” In the days since the release, a number of private property owners have found their property identified as “Gyms,” which results in a steady stream of players being sent to their private property. One homeowner has recently found his home, which was once a church building, the gathering place for a number of players. The homeowner notes “that the problems could easily lead to the value of his house going down and issues with his neighbours.”
• Bodily Injury to Players: While the dangers of having people looking at their phones as they move through city streets is easily seen, a number of reports indicate that criminals are using the game to commit their crimes. On the evening of July 9, 2016, police in O’Fallon, Mo. received reports that criminals were using the app by adding “a beacon to a PokeStop” that brought more players to the area. Reports indicate a number of armed robberies took place near this beacon.
• Malware Spreading Through App: As expected, hackers have already attempted to capitalize on the popularity of this app. In the few short days since the app has been available there have been a number of reports that phones are downloading compromised versions of the app which could allow unauthorized access to the users’ phones.

Insureds have only been able to download Pokémon Go for less than a week and this technology has already made an impact that should get the insurance industries’ attention. This technology, which has caught many people completely off guard, has already shown the potential to cause damage to private property, cause bodily injury and provide hackers access to insureds’ devices. Therefore, even if Pokémon Go does not have a significant impact to the insurance industry, this app is a good indicator of the technology advances to come.

The post Pokémon Go Provides Opportunity for Insurers to Start Considering New Technology appeared first on Privacy Risk Report.

There has been significant discussion since 2015 on how the “internet of things” is expected to impact our daily life, including our homes. In general, the term “internet of things” (IoT) refers to a network of “smart” devices found in the typical home that collect and exchange data over the internet. However, despite the risks posed by the IoT and the integration of technology into our homes, there has been little discussion of  insurance policies that are available to homeowners or renters to provide coverage for these claims.

In 2016, the IoT became an emerging issue for cyber security claims under first-party insurance policies:

As the IoT becomes more ingrained in our homes and business, we can expect insurance coverage issues to continue to flourish. The vast majority of these issues caused by the IoT will raise questions under first-party insurance policies. Consequently, we anticipate cyber security and first-party insurance coverage to be an emerging trend in 2016.

In addition to issues caused by the IoT, homeowners and renters face many of the same risks corporations and governments face including malware attacks, online fraud and data breaches of valuable information. It is also clear that hackers are no longer focused solely on large corporate and government targets. Less sophisticated hackers will search for smaller and less sophisticated targets, finding a windfall in homes and residences.

These recent developments in cyber security make the idea of having personal cyber insurance valuable to homeowners and renters. Therefore, it was only a matter of time before insurers started to market cyber coverage directly to homeowners and renters.

On June 14, 2016, Hartford Steam Boiler Inspection and Insurance Company (HSB) announced that it was offering what it billed as “the first personal lines cyber insurance program for consumers.” This new product is offered to homeowners and renters, along with family members living in the household, to protect against a variety of issues generally related to cyber security. In particular, HSB’s press release states its new “Home Cyber Coverage” policy provides homeowners with the following coverage:

• “Computer Attack to remove malware and reprogram computers and tablets, Wi-Fi routers or other Internet access points.”
• “Home Systems Attack restores devices connected to the Internet, including smart phones, thermostats, smart appliances and security and monitoring systems.”
• “Cyber Extortion with professional assistance on how to respond to a ransomware attack and payment of ransom when approved.”
• “Data Breach including forensic IT and legal reviews, notification and recovery services when private non-business data entrusted to an individual is lost, stolen or published.
• “Online Fraud for losses due to identity theft, phishing schemes, illegal bank and credit card transfers, forgery, counterfeit currency, and other deceptions.”

The HSB policy does not provide coverage for cyber bullying, but other insurers have been offering this coverage to homeowners.

While the IoT has received substantial publicity recently, discussion about these claims and insurance for these claims will likely go through a similar evolution as was the case with cyber insurance for corporate and governmental bodies. Homeowners will likely question whether cyber insurance is valuable until eventually concluding that this coverage has merit. As this evolution takes place, homeowners and renters are likely to see more cyber coverage products developed in this market space in the coming years.

The post Home Is Where the Hacker Is: Cyber Coverage Becoming Necessary for Homeowners appeared first on Privacy Risk Report.