Cybersecurity is one of the most pressing and legally difficult issues facing this country today. It touches every aspect of modern political and social life, the economy, and national security. From the OPM and IRS breaches, to the Sony hack, to attacks on hospitals and health insurers, to attacks on domestic and international infrastructure, to domestic and international surveillance, cybersecurity concerns are omnipresent. For technical, legal, and practical, reasons, they also have proven extremely difficult to address. This Article draws from the economic literatures on strict liability and insurance to argue that cyber incidents generally, and data breaches specifically, should be treated as strict liability offenses. But that is only the starting point of this Article’s argument. The economic literature on strict liability recognizes that it is, in fact, a form of insurance—potential tortfeasors subject to strict liability effectively are required to insure others against harms caused by their conduct. This Article’s core argument is that pervasive cyber-incident insurance is the best approach to addressing the full range of cybersecurity concerns. The characteristics of the model proposed in this Article compare favorably to the current status quo—one in which users are largely helpless, firms are largely unknowledgeable, software is generally insecure, federal agencies are generally impotent to bring about meaningful change, and attackers are largely judgementproof. As an initial matter, it would offer consumers redress when cyber-incidents occur. But more importantly, it would facilitate education about and monitoring of cybersecurity practices; it would facilitate the collection, analysis, and use, of aggregate information about the causes and costs of these incidents; and it would put that information the hands of parties in a position to improve the existing ecosystem.
Hurwitz, Justin, "Cyberensuring Security" (2017). Connecticut Law Review. 375.