The PII dilemma, or don’t "Like" this post

It’s impossible to pick up an insurance magazine, online or in print, and not find it filled with articles on the challenge of protecting the public’s Personally Identifiable Information (PII). This issue goes to the heart of the cyber insurance proposition, clearly the hottest topic in the industry.

How could it not be? The data breaches continue unabated, global brands are routinely sullied, the public sighs in resignation to the latest attack on their privacy as U.S. lawmakers bark in indignation at the latest CEO to be hauled before their cameras. The anger, histrionics and apologia are now well-established with little evidence of motivation or consensus from any quarter.

At least European regulators are set to impose harsh new requirements to better address the problem. The General Data Protection Regulation goes into effect May 25th (see GDPR - Are You Ready?). A highly optimistic step in the right direction, maybe it will make a difference, maybe not.

It is interesting to see what little impact all this cyber noise has had on the insurance industry. With only 70 U.S. carriers writing cyber, they took in $1.35 billion in premiums last year with forecasts of $10 billion by 2020. The market grew 35% las year with predictions of a 733% growth over the next ten years. Wow.

So far cyber insurance has been a money machine. Fear has never rained so green. Actual claims paid have been relatively small, with most breaches quietly resolved to minimize reputational fallout and to discourage other bad actors.

Getting a true picture on the PII risk is difficult to quantify. Muddying the data for actuaries and underwriters is the overlap in the application of losses between cyber, E&O and general liability coverage. Yet bad behavior seems consistently successful and increasingly frequent. What is crystal clear, however is that data breaches are getting larger each year, and more consequential. Some industry experts are bracing for a monster catastrophe that would make the triple weather disasters of 2017 – Harvey, Irma and Maria – small in comparison. Doomsday scenario? Maybe, but so are “100-year storms” that still manage to come around.

All this has put cloud and tech businesses in a defensive crouch. Contracts now routinely include lengthy clauses asking vendors to do what may be impossible in protecting personal data. Lawyers want guarantees that even the NSA and the DoD can’t honor. Some, including ourselves, have actually turned down work where PII could surface in the project. As reasonable levels of caution meld into the inevitable paranoia derived from our inability to manage events, it is hard to foresee any outcome to all this other than a hard landing. The Big One.

And then what? In a brilliant article by deep-thinker Steven Johnson, the outlines of a solution emerge. A few new start-ups are exploring what some are calling Internet 2.0, a place where you own your PII, not private industry. Using methods derived from blockchain, Internet 2.0 would supplant the Wild West Web with individual oversight and responsibility. You would control your own identity and how it is used. What a concept.

The prospect of effecting such a back-to-the-drawing-board Internet reboot is as profound as it is daunting. Yet someday it may become the inevitable result of that catastrophe some experts are certain is little more than an accident waiting to happen. We shall see...