The Government has called for increased access to data to prevent future terrorist attacks on the UK, what impact could this have on those who provide cyber insurance policies?
Immediately after the Charlie Hebdo incident David Cameron promised that if he wins the next election, he will increase the power of the authorities to access both the details of communications and their content.
There should be no "means of communication" which "we cannot read", he said. David Cameron’s announcement follows:
• The Draft Communications Data Bill 2012 which would have permitted officials to see the content of the messages with a warrant but was blocked by the Lib Dems.
• The Data Retention and Investigatory Powers Act 2014 - emergency legislation introduced to maintain the requirement for telephone and internet companies to log records (but not the content) of calls, texts and internet use.
• The Counter-Terrorism and Security Act 2015 - part of the Act adds to the Data Retention and Investigatory Powers Act to allow the identification of the individual or the device that was using a particular IP address.
Why should insurers worry?
As a result of the Edward Snowden incident it became very clear that the United States’ National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ) have accessed personal communications data for some time on a significant scale.
Any new legislation in the UK will legitimise GCHQ’s activities (the NSA already have almost carte blanche from the US government) and make them more common.
Access to personal or commercially sensitive data without the consent of the data subject and/or computer owner, might result in a covered claim or at the very least a policy coverage dispute despite war and terrorism exclusions found in many policies.
The problem arises not just because of the content of electronic documents seen by government agencies without their owner’s consent but also by virtue of the methods that such agencies use to gain access to them.
The NSA and GCHQ identify and/or implant vulnerabilities in a target’s computer system which can be exploited by hackers as well. These vulnerabilities can be used for denial of service attacks and cyber extortion as well as the theft of trade secrets and personal data.
Any data breach will need to be reported by its victims. However, from Insurers’ perspective, attempting to argue after the event whether such attacks were in fact facilitated by a “back door” installed by GCHQ during a legitimised spying exercise in order to deny policy cover is likely to be very difficult both in technical and forensic terms. Conversely, insurers with a war and terrorism exclusion in their cyber product cannot sensibly use any new “snooper’s charter” legislation as a marketing tool.
Nick Gibbons, partner BLM
0+
