March 01, 2016

The Internet of Things: Cybersecurity, Insurance, and the National Power Grid

Erin L. Webb

The United States’ electric power grid is a critical part of the nation’s energy supply. It is vast, complex, interconnected—and aging. As Internet technology advances, a vision for an evolved “smart grid” has emerged. One of the qualities most commonly discussed as part of such a smart grid is the ability to process large amounts of data and optimize the generation and delivery of energy across the grid. To do that would likely require the type of connection, communication, and data sharing among physical devices that has become known as the Internet of Things.

This enhanced information sharing will come with risks. Cyberattacks and data breaches are already frequent occurrences. Both simple malfunctions and nefarious actors can cause system failures. Managing those risks is important, particularly if the national grid is improved or replaced. A Lloyd’s study that sought to estimate the economic and insurance impacts of a cyberattack against the United States national power grid explained the far-reaching effects of such an attack. It estimated that power interruptions alone cost the United States economy approximately $96 billion annually, primarily from short outages of five minutes or less. Lloyd’s, Business Blackout: The insurance implications of a cyber attack on the US power grid (2015) at 15–19, 21 (Lloyd’s).

Insurance coverage can be an important tool in managing these risks. While traditional insurance policies may contain gaps in coverage for important risks associated with a smart grid, cyber insurance is an evolving area that may offer important protections to the owners and users of structures that will constitute the smart grid as it continues to evolve. Because this is an emerging area, there are not yet any reported cases discussing the insurance implications of these risks. Events like “Superstorm Sandy,” Hurricane Katrina, and the September 11, 2001, attacks spawned hundreds of insurance coverage court decisions. Many of those decisions implicate issues addressed herein—directly or by analogy—but a full legal analysis of these issues is beyond the scope of this article.

As a preliminary note, the “national power grid” is a bit of a misnomer. Currently, electricity delivery in the continental United States largely happens by way of three main interconnected systems. These systems connect electricity generating plants to transmission and distribution stations, and ultimately to residential, commercial, and industrial power users. The Eastern Interconnection covers the eastern United States and parts of eastern Canada, from the Atlantic Ocean to the Great Plains just short of the Rocky Mountains, except for most of Texas. The Western Interconnection starts at the Pacific Ocean, covers the Rocky Mountains, and meets the Eastern Interconnection in the Great Plains. It also includes portions of western Canada and Baja California, Mexico. Finally, the Texas Interconnected System serves most of the state of Texas. Alaska and Quebec also have smaller independent systems. By and large, these systems all operate independently but are connected to one another at various points. The North American grid—or collection of interconnected systems—is overseen by the North American Electric Reliability Corporation (NERC) as well as by several U.S. and Canadian government agencies, including the Federal Energy Regulatory Commission (FERC). NERC is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC’s reliability standards “include critical infrastructure protection (CIP) security standards. NERC conducts annual audits of various electric utilities over the course of the year, either randomly or after a major outage event.” Lloyd’s at 31. FERC “can then impose fines on electricity companies for violating these NERC reliability and CIP standards and [they] can be as high as $1m per day . . . . The CIP fines focus in particular on cyber security standards.” Id.

The aging grid will likely be updated by, among other things, increasing and improving its interconnections via the Internet. This will be accomplished, according to some, by becoming part of the “Internet of Things.” The Internet of Things has become a shorthand way to refer to all of the physical items that are connected to and by the Internet. But it is much more than that. The Internet of Things also encompasses devices and sensors that are able to communicate and transmit data without person-to-person or computer-to-computer contact. Multiple examples can be cited to demonstrate the increasing importance of Internet connectivity to individuals and industry.

Google’s Nest “smart home” products, for instance, allow owners to control devices in their homes remotely from mobile devices, provide “learning” functions that automatically adjust to a user’s repeated patterns, and even work together in certain scenarios. For example, if a Nest smoke alarm detects a carbon dioxide leak, it can communicate with the Nest Thermostat to turn off the fan in the home, preventing the spread of the gas. Nest also can communicate the data collected about individual thermostat usage to assist energy companies with usage analysis and optimization. Similarly, enhanced Internet connectivity is critical to industrial applications as well.

However, smart home products and similar devices have risks. When not properly secured, they can provide an entry point for hackers, snoopers, data miners, or other nefarious actors. For example, major automakers have faced concerns and even recalls regarding cars that allegedly can be hacked using the Internet. In 2010, the infamous computer worm Stuxnet targeted industrial systems, reportedly destroying many nuclear centrifuges in Iran. And in 2008, a nuclear plant in Georgia was briefly shut down as a result of errors caused after a computer conducted a system update. The website Shodan, largely used by hackers, serves as a search engine for everything from nuclear power plants to baby monitors that can be accessed, and in many cases controlled, via the Internet. These examples show how a hack into the “virtual” world can cause real and serious effects.

Currently, the North American energy grid is aging, and many have advocated for specific upgrades or a complete overhaul of the entire system. Emerging capabilities relative to analyzing data and optimizing generation and distribution of power suggest that the different components of the energy grid will become increasingly interdependent and connected to the Internet. Optimization necessarily involves a great deal of information gathering from individual households, as well as the transmission and communication of that information over many different platforms. As many commercial retailers have discovered in the last few years, the storage and transmission of personal information has significant attendant risks.

Over long periods of time, the aggregate collection and analysis of large amounts of customer data, or “big data,” can be used by power companies to both conserve resources and save money. These companies could collect and maximize usage information to best fit generation and delivery of electricity to their customers. Greater awareness of energy usage patterns on an individual or household basis also could be improved, hopefully resulting in greater efficiency at the consumer level. While all of these concepts exist now, they will be amplified by the greater interconnection and reciprocal communication that is a part of many discussions about a potential future smart grid.

Indeed, one of the primary concepts involved in a smart grid is two-way communication—including both two-way information sharing and the two-way transmission of electricity. This would allow, for example, homeowners with solar panels to sell excess electricity back to the grid and for utilities to make greater use of consumer-based generation, especially during times that generation is not available from traditional sources. Two-way communication would be necessary to make this happen.

There are enormous potential advantages in upgrading the power grid to best utilize the Internet and the ability of devices to communicate independently. A smart grid is more flexible than a traditional grid and would allow for better and faster recovery from disasters and other interruption events. After such an event, the smart grid potentially could be used to restore power to emergency services first, spurring rapid recovery for the entire community. Another advantage of the smart grid could be to reroute power, skipping over equipment that has failed or outages that have occurred. Thus, a smart grid could contain outages more quickly, potentially preventing them from escalating into large-scale blackouts.

On the other hand, a smart grid has enhanced risks for outside interference. A primary concern with any electronic system that can be accessed remotely is the risk of hacks, or outside attacks: data can be stolen, copied, or destroyed (though credit card numbers or other personally identifiable information is less likely to be transmitted via smart grid communication than in other data breach contexts). In the case of an attack, systems also can be electronically overloaded or crashed, causing major blackout or brownout activity. Bad actors potentially could threaten to cause power outages or other similar system failures as a blackmail device, or to seek to manipulate energy markets for various purposes. Finally, and perhaps of most concern, is the risk that hackers gain physical control of assets or machines to cause outages or other system failures. “Once a machine is compromised, a hacker may be able to operate in the context of the machine itself and gain passage through a computer network by gaining access through other linked machines. This ability to establish chain attacks through multiple compromised machines is known as ‘pivoting.’” Lloyd’s at 10 n.5.

Gaps With Conventional Insurance Solutions

Insurance is a generally available option to mitigate and backstop potential risks. Traditional insurance products can help protect against losses and liabilities to companies that are invested in the grid, today and as the grid evolves. Property, business interruption, and contingent business interruption insurance coverage are frequently called upon to assist in recovery from large-scale natural disasters, such as Hurricane Katrina and Superstorm Sandy. A massive data-based attack on the power grid could have similar effects, and thus similar insurance assistance in recovery could prove very useful.

There may be some important gaps, however, in the current insurance market. Critical evolution in the insurance industry, particularly in the case of cyber insurance, needs to occur to keep pace with the power industry’s evolution into the smart grid. The following discusses traditional insurance options along with specific coverage potentially relevant to a power grid that interfaces with the Internet of Things.

There are two main categories of insurance policies. First-party policies pay for losses suffered directly by the policyholder. For example, first-party policies include property policies that pay for repairs to a damaged building and resulting lost income, and fidelity policies that pay for theft from a company by its employee. Third-party liability policies pay for a policyholder’s liability to other people. Third-party policies can pay for lawyers to defend lawsuits, and for judgments or settlements reached with a third-party claimant. Both types of insurance coverage may come into play in protecting the power grid against cyber or Internet risks.

First-party coverage, for example, could be critical in repairing or restoring physical damage resulting from a cyberattack. Courts disagree concerning whether damage to data only can be considered property damage under a traditional insurance policy. Aside from this issue, a cyberattack can result in damage to other property as well. First-party insurance, ideally, would pay to repair or replace damaged physical assets. It could also pay for a company’s losses related to the loss of use of those assets, for public relations costs to mitigate reputation damage linked to an outage event, and for the costs of reporting to or notifying the relevant governmental authorities. Coverage for cyber claims under a property policy frequently will turn on whether the damage to electronic data is considered to be “physical loss or damage” to property, which again will vary depending on the specific circumstances and policy language. Purchasers of insurance should look for the broadest policy language available to best protect their assets.

First-party insurance coverage can also include business interruption coverage, which can pay for lost profits during the time of an outage. Some power generation plants now carry “accidental outage” coverage, which can pay for expenses associated with an unplanned outage or shutdown. These policies can have deductibles expressed not in dollar amounts, as is commonly associated with an insurance deductible, but as a period of time, such as weeks. Thus, after the first two weeks of an outage, the deductible is reached and the insurance policy covers the costs a generator incurs during an outage to purchase power elsewhere to meet its generation obligations. This type of coverage is a valuable asset today and will continue to be so as the grid evolves.

These types of insurance policies may not, however, fully address the range of liability issues presented by an increasingly smarter grid. Traditional business interruption coverage, including accidental outage coverage, generally requires physical property damage. Thus, if there is no physical damage, there is no coverage for business interruption. This requirement could prove to be a real obstacle to obtaining meaningful insurance coverage for losses stemming from attacks or damage to the power grid. If power is simply slowed or stopped, or data is stolen, it could be argued that no physical damage occurred.

Even companies not directly engaged in the power grid potentially could suffer a slowdown or stop in their business and resulting lost profits. Contingent business interruption coverage can provide funds to mitigate against losses suffered when a business partner’s assets are damaged. As with business interruption coverage, however, contingent business interruption insurance coverage generally requires, as a predicate, that there be some physical damage to the business partner causing the interruption. In the case of contingent business interruption insurance, coverage does not depend on physical injury to the policyholder’s property, but the policyholder must be able to show that the cause of its losses can be traced back to a physical injury to one of its business partners. Some first-party property insurers offer specific insurance coverage for power outages, referred to as “utility service interruption” or “off-premises power” coverage.

Third-party liability coverage can indemnify owners and operators connected to the power grid from the claims of others. For example, a third-party policy may pay for attorneys’ fees to defend a company against lawsuits from customers, government entities, or shareholders. Directors and officers of a company have specialized liability insurance to protect them when they are targets of lawsuits. Errors and omissions coverage may protect against liability arising out of a claim that a company or person failed in performing “professional services.” “Professional services” coverage applies to a wide variety of service providers, including software, data, and systems providers. While “common carriers” or public utilities receive legal protection from some forms of third-party lawsuits, these protections are not universal.

The first type of insurance coverage that undoubtedly comes to mind when protecting the grid against data-based risk is cyber insurance coverage. When cyberattacks first emerged on the horizon, cyber insurance policies did not exist. The victims of these expensive attacks, therefore, often looked to their commercial general liability (CGL) policies to help pay for some of the resulting costs. In doing so, these victims encountered two roadblocks.

First, CGL policies are third-party policies and commonly pay for the policyholder’s liabilities arising from property damage, bodily injury, and personal injury. A standard CGL definition of property damage includes “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.” Policyholders and their insurers have disputed whether damage to electronic data constitutes property damage. Some courts have held that electronic data qualifies as tangible property within the meaning of the term property damage, but others have disagreed. For example, in 2000, a federal district court held that a claim against the policyholder relating to a power outage that rendered computer systems inoperable was covered under a CGL policy, because physical damage under the policy was not restricted to the physical destruction or harm of computer circuitry, but included the loss of use of the computer. Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. 2000). Ten years later, the United States Court of Appeals for the Eighth Circuit reached a similar result, ruling that the “loss of use” of a computer was an allegation of property damage sufficient to bring the lawsuit against the policyholder within the CGL policy’s liability coverage. Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010) (applying Minnesota law). Similarly, in State Auto Property & Casualty Insurance Co. v. Midwest Computers & More, an Oklahoma federal district court held that allegations of loss of use of a computer system fell within the loss of use coverage for property damage in a business owner’s general liability policy. 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001) (interpreting liability coverage under a business owner’s policy).

But the loss of data itself has also been held to fall outside the coverage provided for liability arising out of property damage under a CGL policy. Often, the courts’ rationale is that data is not “tangible” property, and CGL policies often require losses of tangible property for coverage to apply. In 2003, the U.S. Court of Appeals for the Fourth Circuit held that America Online (AOL) could not receive coverage under its CGL policy for lawsuits from customers alleging that AOL’s software had corrupted and damaged their personal computers or data on them. The Fourth Circuit found that there had been no damage to tangible property. Am. Online Inc. v. St. Paul Mercury Ins. Co., 347 F. 3d 89, 95–96 (4th Cir. 2003).

Similarly, a California appellate court denied coverage for damage to data caused by a computer upgrade. The insured party’s data was lost during the upgrade. The court found that the data lost was not property under the policy and was therefore not covered. “Here, the loss suffered by [the insured] was a loss of information, i.e., the sequence of ones and zeroes stored by aligning small domains of magnetic material on the computer’s hard drive in a machine readable manner. [The insured] did not lose the tangible material of the storage medium. Rather, [it] lost the stored information.” Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556 (2003). Thus, coverage for data- or cyber-related events under traditional liability and first-party policies can face significant hurdles.

Even if lost or damaged data is not considered to be damage to tangible property under a CGL policy, it can lead to such damage. For example, certain denial-of-service attacks cause physical destruction or alteration of network components. One commentator has likened such attacks to remotely “‘tak[ing] an ax to a piece of hardware’” and referred to such attacks as “permanent denial-of-service (PDOS) attack[s].” Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, InformationWeek (May 2008). The Lloyd’s of London study hypothesized that the introduction of malware into systems connected to the power grid could, among other things, cause “critical damage to vulnerable generators, resulting in fire.” Lloyd’s at 11.

Second, CGL policyholders could also argue that their liabilities for data breaches should be covered because a release of personal information constitutes an invasion of privacy and is therefore “personal injury” under the standard CGL form policy. Personal injury is often defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Disputes have occurred concerning what constitutes “publication”—does the mere theft of data qualify, or must the data be shown to third parties or even publicly? In addition, disputes have emerged over what the “right to privacy” means, and what types of data, especially customer data, can be considered private. For example, the release of records online has been held to give rise to such coverage under a CGL policy’s “Web Xtend” endorsement. See Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 1:13-CV-917 GBL (E.D. Va. Aug. 7, 2014).

However, releases of personal information on a scale smaller than the general public have also been held to be invasions of privacy for this purpose. For example, in 2010, the Florida Supreme Court held that “personal injury” language in a policy covered privacy claims against the policyholder arising out of “fax blast” claims. Penzer v. Transp. Ins. Co., 29 So. 3d 1000, 1006–1007 (Fla. 2010). The plaintiffs alleged that their privacy had been invaded by receiving unsolicited advertising messages on their fax machines. The court found that the lawsuit against the policyholder therefore alleged a “written publication of material that violates a person’s right of privacy” under the meaning of the insurance policy. The court rejected the insurer’s argument that the information had to be publicly released to implicate coverage.

Similarly, in 2009, the U.S. Court of Appeals for the Ninth Circuit held that a CGL policy covered class action lawsuits alleging invasion of privacy relating to online activity. See Netscape Comm’ns Corp. v. Fed. Ins. Co., 343 F. App’x 271 (9th Cir. 2009). The underlying suit involved putative class action lawsuits regarding a software program that provided Netscape with information about its users’ Internet activities, which Netscape used for targeted advertising. See Netscape Comm’ns Corp. v. Fed. Ins. Co., No. C 06-00198 JW, 2007 U.S. Dist. LEXIS 78400, at *3–4 (N.D. Cal. 2007). The district court held that “[a]lthough the underlying claims against [Netscape and its parent, America Online or AOL] were not traditional breach of privacy claims, given that coverage provisions are broadly construed, the underlying complaints sufficiently alleged that AOL had intercepted and internally disseminated private online communications.” Id. at *2 (citation omitted). Here, too, broad dissemination of personal information was not necessary for invasion of privacy coverage to apply.

Another dispute has arisen, under similar language, concerning which party must invade the claimant’s privacy for CGL coverage to be available. In 2014, a New York trial court found that claims against Sony arising out of a data breach in which individual account and credit card information was compromised were not covered by a CGL policy because the policyholder itself had not perpetrated the breach. Zurich Am. Ins. Co. v. Sony Corp., Index No. 651982/2011, 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. 2014). This was a surprising result, given that a standard CGL policy does not require the policyholder to be the perpetrator of the damage, only that the policyholder be legally liable for such damage. For example, if a policyholder is held liable under a strict liability statute like the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), it is still entitled to coverage under its liability insurance policy. See, e.g., A.Y. McDonald Indus. v. Insurance Co. of N. Am., 475 N.W.2d 607, 629 (Iowa 1991) (noting that CERCLA liability “is not based on fault” and that liability is “joint and several”). Thus, even without an exclusion for losses or liabilities caused by “electronic data” or relating to “computer systems,” traditional CGL policies may contain coverage for cybersecurity breaches, but the extent and reach of such coverage is uncertain.

Given the unsure footing that claims for cybersecurity breaches have found under CGL and other traditional insurance policies, companies involved in the collection and sharing of data have looked increasingly to specialized cyber insurance policies to protect against data breach and other cyber risks. In addition, in the face of increasing cyberattacks and rocketing costs of data breaches, most CGL insurers have made efforts to explicitly exclude data breaches and similar losses from general liability coverage. For example, CGL policies may contain provisions that exclude “electronic data” from the definition of property damage or exclude coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Instead, insurers urge companies to purchase specialized cyber coverage.

Attributes of Dedicated Cyber Insurance

Unlike many other types of insurance, there is, as yet, no standard cyber insurance form. Different companies are purchasing different elements of coverage based on their individual evaluations of risk and exposure for their specific situations. Depending on what is purchased, a cyber insurance policy often has the option to include elements of both first-party and third-party insurance coverage. For example, a cyber policy can contain protection against damage to the policyholder’s network (a first-party risk) and also against lawsuits from customers whose data is compromised during a security breach (a third-party risk).

Insurers continue to change and evolve the coverage they offer and the language they use based on the evolving demands of the market. The same must happen for the smart grid, depending on the extent, method, and physical mechanisms used to increase interconnectivity. Owners of the energy generation, transmission, and distribution equipment that will be part of the smart grid may already have insurance policies protecting their companies’ data from hackers and others who would cause damage. Upgrades to the smart grid also should include a full analysis of the equipment used and how it communicates to make sure risks are adequately assessed and insured.

Cyber insurance may cover a variety of risks, including liabilities related to data breaches, damage resulting from the transmission of malicious code, losses related to distributed denial of service (DDoS) attacks (denial of third-party access to the insured’s network), and risks associated with other network security threats. Any of these risks could be a part of an attack on a smart grid. Like property coverage, cyber insurance has the option to include business interruption and contingent business interruption coverage. Thus, depending on the policy wording, a cyber policy may be able to address the situation where a cybersecurity breach causes business to grind to a halt, but there is no resulting physical property damage, bodily injury, or invasion of privacy that could trigger coverage under traditional first-party property or CGL insurance policies.

Another common part of cyber insurance coverage is crisis management coverage, which can pay for forensic experts to determine the cause of the loss, minimize the damage, and set up resources for recovery. Additionally, as noted above, cyber policies frequently offer recovery services, often with a specific firm specializing in data breach recovery. These services may not be tailored to the special risks that the smart grid can present—there may be a learning curve, for example, for a company to determine appropriate recovery services from a hack of the power grid as opposed to the hack of an ATM.

Cyber insurance also may be purchased for costs to notify customers or other individuals that their personally identifiable information may have been compromised, and to set up call centers to respond to and answer questions from such customers or individuals. It can pay for identity theft monitoring for affected individuals, and even extortion payments if a network or data is held hostage. For smart grid participants whose businesses involve the transmission or storage of personal information, these could be valuable protections.

Cyber insurance may pay for costs to respond to government inquiries, and costs for public relations to repair a company’s reputation after a security breach. Because of the relationships between the electricity industry and several government entities, this also would seem to be valuable protection against smart grid risks. It is important to read the policy to make sure that there is coverage for mandatory reporting when a breach or attack occurs, as well as for governmental inquiries or investigations that do not rise to the level of a formal lawsuit.

Cyber insurance also may compensate for liabilities stemming from a security breach, such as defense and potential settlements or judgments arising out of customer class actions or lawsuits brought by regulators or the policyholder’s business partners. Administrative and regulatory proceedings, as well as fines and penalties, also may be covered. These would seem to be significant risks for owners of smart grid components, and should be insured.

One downside of cyber insurance policies is that they can have broad exclusions for first-party and third-party losses relating to bodily injury or property damage caused by cyber events. While these losses might be covered by traditional property and CGL policies, there may be exclusions in those policies for cyber- or data-related events. The insurance industry has developed cyber “difference-in-conditions” (DIC) policies to fill the gap and cover bodily injury and property damage losses stemming from cyberattacks. To the extent that a hack on the grid could potentially lead to bodily injury or property damage, as theorized by the Lloyd’s study, power grid companies should examine their policies carefully to make sure that both physical and non-physical losses are covered by traditional policies or cyber policies.

As noted, the insurance market for cyber risks is still evolving. There is no standard form for cyber policies, as there is for many other types of insurance policies. A close and careful reading of a cyber policy’s language is necessary to understand the risks that are covered and excluded. Policyholders should work closely with brokers and other experts to make sure that an insurer understands the policyholder’s business.

Ideally, as the current power grid evolves into a smarter grid, evaluation of the risks involved will enable the companies invested in the grid to understand how to mitigate those risks. Greater connectivity, including connections via the Internet and electronic connection and communication between physical structures, increases the risk of a data- or Internet-based security or outage event. Insurance can be an important factor in mitigating the risks that will accompany the smart grid. Fitting the puzzle pieces of traditional first- and third-party insurance policies together with newly available cyber insurance will provide a customized fit, but companies will need a close analysis of the language in each policy and a close analysis of the specific risks and assets to be insured to make sure the relevant risks are addressed and coverage is provided.

Erin L. Webb

Ms. Webb is an insurance coverage attorney in the Washington, DC office of Dickstein Shapiro LLP. She can be reached at webbe@dicksteinshapiro.com.