<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><generator uri="https://jekyllrb.com/" version="4.3.2">Jekyll</generator><link href="https://phoenixzlf.github.io/feed.xml" rel="self" type="application/atom+xml"/><link href="https://phoenixzlf.github.io/" rel="alternate" type="text/html" hreflang="en"/><updated>2025-09-22T22:49:43-04:00</updated><id>https://phoenixzlf.github.io/feed.xml</id><title type="html">Linfeng Zhang, PhD, ASA</title><subtitle>This is Linfeng Zhang&apos;s personal website. </subtitle><entry><title type="html">Mandating Insurance Coverage for Business Interruption (BI) Claims in the COVID-19 Era</title><link href="https://phoenixzlf.github.io/blog/2020/mandating-bi-insurance/" rel="alternate" type="text/html" title="Mandating Insurance Coverage for Business Interruption (BI) Claims in the COVID-19 Era"/><published>2020-04-24T12:40:16-04:00</published><updated>2020-04-24T12:40:16-04:00</updated><id>https://phoenixzlf.github.io/blog/2020/mandating-bi-insurance</id><content type="html" xml:base="https://phoenixzlf.github.io/blog/2020/mandating-bi-insurance/"><![CDATA[<p><a href="https://jaykesan.com/">Jay P. Kesan</a> and <a href="https://www.linfengzhang.com">Linfeng Zhang</a></p> <p>In response to the COVID-19 outbreak, many states have issued stay-at-home orders to limit the activities of businesses, especially the ones defined as non-essential. On top of that, many residents have voluntarily reduced their outdoor activities to avoid the risk of getting infected. Because of those measures, many business owners are seeing a sharp decrease in the number of customers, and the continuity of their operations is at risk. In these circumstances, many businesses will turn to their commercial insurance providers and seek compensation based on their business interruption (BI) policy coverage for their loss of income. 
Disappointingly, many commercial policies contain provisions similar to the following statement:</p> <blockquote> <p>“We will not pay for loss or damage caused by or resulting from any virus, bacterium or other microorganism that induces or is capable of inducing physical distress, illness or disease.”</p> </blockquote> <p>This virus exclusion was developed by the Insurance Services Office (ISO) in 2006 after the outbreak of SARS, and it grants insurers the ability to deny claims related to pandemics like COVID-19.</p> <p>Nevertheless, many policymakers believe that insurers should play a more significant role in helping the economy as this shutdown continues. Thus far, states including <a href="https://www.businessinsurance.com/article/00010101/NEWS06/912333772/NY-introduces-bill-on-pandemic-related-business-interruption-claims">Ohio, Massachusetts, New Jersey and New York</a> have introduced bills to require insurers to cover BI claims due to COVID-19. Such an intervention is unprecedented and remains debatable. For example, the New York State bill states:</p> <blockquote> <p>“Notwithstanding any provisions of law, rule or regulation to the contrary, every policy of insurance insuring against loss or damage to property, which includes the loss of use and occupancy and business interruption, shall be construed to include among the covered perils under that policy, coverage for business interruption during a period of a declared state of emergency due to the coronavirus disease 2019 (COVID-19) pandemic.”</p> </blockquote> <p>The obvious benefit of asking insurers to help is that businesses in need can receive monetary relief quickly through a channel that is conventional and familiar to them, so they need not worry about looking for and applying for governmental assistance. Some commentators also argue that a mandate will resolve the disputes between insurers and policyholders regarding whether a claim is pandemic-related and whether it should be reimbursed.
However, this mandatory approach also raises some major concerns about the short-term and long-term impacts on the insurance industry. The most immediate concern is whether the industry can afford to pay these BI claims without hurting its own solvency. On March 26th, the American Property Casualty Insurance Association (APCIA) estimated that the monthly business interruption costs for small businesses with fewer than 100 employees could be between <a href="https://insurancenewsnet.com/oarticle/american-property-casualty-insurance-association-insurance-perspective-on-covid-19#.XpumGK6SmMo">$220-383 billion</a>. In April, that estimate was further increased to <a href="https://www.insurancebusinessmag.com/us/news/breaking-news/american-property-casualty-insurance-association-reveals-coronavirus-focus-217761.aspx">$431 billion</a>. As a point of reference, <a href="https://www.naic.org/documents/topic_insurance_industry_snapshots_2018_annual_property_casualty_analysis_report.pdf">the surplus (owners’ equity) of the entire property and casualty (P&amp;C) industry was $780 billion by the end of 2018, and the net loss, including BI costs and many other types of losses, was $366 billion in the same year</a>.</p> <p>Thus, a total BI loss of $431 billion is enormous and unprecedented. Although insurers are protected by coverage limits, their capacity can be depleted in no time. Some insurers may be in distress if many of their policyholders file claims simultaneously, since it is very likely that their pool of policyholders is not well-diversified for pandemics. Existing commercial policies are not designed to deal with pandemic-related losses, which are highly correlated. Foreseeably, the insurance industry will experience a very challenging market if those pandemic-related BI claims are paid.
Not only is the insurance industry affected; because insurers will have to reduce capacity and raise premium rates, the entire economy will also experience some long-term impact.</p> <p>A federal insurance backstop is proposed as a solution to this problem, analogous to the Terrorism Risk Insurance Act (TRIA) after 9/11. Certainly, this is a significant risk-sharing mechanism between the federal government and the insurance industry, and it can lift some burden off insurers, but the issue of business owners exhausting their BI coverage still remains, which leaves them unprotected for the remainder of the policy period. If many states try to make insurers cover pandemic-related claims, the federal backstop should be in place to at least provide some stability and sustainability to the market.</p> <p>A more far-reaching problem associated with this mandatory coverage is the damage that it does to contract law. It may be a bad precedent for state legislatures to nullify a provision agreed to by both the insurer and the policyholder at the time of signing the insurance contract. Insurance trade groups that oppose the bill have stated that mandating coverage “…would amount to an unconstitutional abrogation of insurance contracts and end the very existence of the business interruption insurance market as we know it.”</p> <p>Of course, these mandatory orders are created in good faith to help policyholders, who often lack bargaining power when negotiating policy terms with their insurers. It is also problematic when insurers try to broaden the interpretation of the virus exclusion to deny claims, even though this provision is inapplicable in some specific situations.
Therefore, a more constructive course of action would be something like the notice issued by California Insurance Commissioner Ricardo Lara, which states:</p> <blockquote> <p>“[A]ll agents, brokers, insurance companies, and other licensees (should) accept, forward, acknowledge, and fairly investigate all business interruption insurance claims submitted by businesses.”</p> </blockquote> <p>To make sure that insurers comply, there should be a collaborative effort between the public sector and the insurance industry on the investigation of claims. For example, if a claim is jointly determined by the insurer and a public oversight agency to be pandemic-related, the insurer can rightfully deny the claim if there is a virus exclusion and let the public sector provide the necessary assistance. This might be a better solution than mandating coverage and creating a backstop.</p> <p>In addition, the insurance industry can also offer monetary relief to businesses by refunding premiums. Many auto insurers have been doing just this since people are driving less and thus presenting a lower risk. Similar programs can be adopted by commercial insurers as well. For example, brick-and-mortar businesses like restaurants and malls currently have fewer customers physically on site, and thereby a reduced risk of premises liability.
Insurers can refund a part of the collected premiums in accordance with the smaller exposure.</p>]]></content><author><name></name></author><category term="commentaries"/><category term="COVID-19"/><category term="insurance"/><category term="business_interruption"/><summary type="html"><![CDATA[How can the insurance industry help businesses survive the COVID-19 era?]]></summary></entry><entry><title type="html">The FDA’s New Cybersecurity Measures for Medical Devices</title><link href="https://phoenixzlf.github.io/blog/2018/fda-medical-devices/" rel="alternate" type="text/html" title="The FDA’s New Cybersecurity Measures for Medical Devices"/><published>2018-09-20T12:40:16-04:00</published><updated>2018-09-20T12:40:16-04:00</updated><id>https://phoenixzlf.github.io/blog/2018/fda-medical-devices</id><content type="html" xml:base="https://phoenixzlf.github.io/blog/2018/fda-medical-devices/"><![CDATA[<p><a href="https://jaykesan.com/">Jay P. Kesan</a> and <a href="https://www.linfengzhang.com">Linfeng Zhang</a></p> <p>The 4th generation of the Apple Watch was released last week with exciting new features including fall detection and advanced heart monitoring capabilities. Two of these health-related features, heart rhythm detection and personal electrocardiogram, have received clearance from the Food and Drug Administration (FDA), making the new Apple Watch a Class II medical device, in the same category as a powered wheelchair. Hence, many more people will be wearing medical devices on a daily basis and relying on them to keep track of their health.</p> <p>Despite their convenience, these networked medical devices and their users have always faced cybersecurity threats. When medical equipment, such as an infected CT scanner in a hospital, has to be taken offline in order to be patched, patients in the hospital suffer and other patients may have to travel longer to another hospital to get treatment.
In August 2017, the FDA recalled almost half a million networked pacemakers, because these implantable devices were found to have vulnerabilities that might allow hackers to remotely alter a patient’s heartbeat. Unlike pacemakers, smart watches are less likely to cause direct physical harm to the users, but because these wearable accessories constantly collect data about your personal health, there may be serious privacy violations associated with a security breach of these devices. Also, attackers may be able to influence users’ behavior indirectly by providing false health information.</p> <p>In response to the increasing concern about the cybersecurity of medical devices, the U.S. Department of Health &amp; Human Services (HHS) recommended that the FDA take additional measures to address this issue.</p> <p>Currently, before a manufacturer can market its product as a medical device, it has to go through a 3-phase procedure with the FDA to get clearance or approval. First, there is a pre-submission program that allows the manufacturer to better understand FDA requirements. Then, the manufacturer needs to submit a set of documents based on the FDA’s “refuse-to-accept” checklists, which simply means that the FDA does not accept submissions with missing documents. Lastly, the FDA uses a template, called a “SMART template,” to guide its reviews of submissions. Corresponding to these three phases, the recommendations given by the HHS are threefold: promoting the use of pre-submission meetings to address cybersecurity-related questions, adding cybersecurity documentation to the FDA’s refuse-to-accept checklists, and creating a dedicated section for cybersecurity in the SMART template.</p> <p>These recommended measures will certainly raise the awareness of cybersecurity among medical device manufacturers.
From now on, submissions without cybersecurity documentation will not be accepted in the first place, and manufacturers have to prioritize addressing the cybersecurity issues residing in their products.</p> <p>Nonetheless, these recommendations are limited in scope, leaving many important cybersecurity issues unresolved. Aside from checking cybersecurity with the SMART template, which the FDA has already started doing, the other two new measures suggested by the HHS seem to be more about procedure and documentation, rather than actually incentivizing manufacturers to improve the cybersecurity capabilities in their products. Manufacturers can come up with perfect cyber risk mitigation plans in order to pass FDA review but never effectively implement those plans.</p> <p>In addition, although the FDA has a post-market surveillance program, which monitors the performance of drugs and medical devices on the market after they receive clearance or approval, it often takes several years for cybersecurity vulnerabilities associated with these medical devices to be exposed, and the discovery of these vulnerabilities is usually due to third-party researchers who are not involved in the surveillance program.
In short, improvements can be made by the FDA to make vulnerability detection quicker and more effective and thereby improve the cybersecurity of networked medical devices.</p>]]></content><author><name></name></author><category term="commentaries"/><category term="cyber"/><category term="legal"/><summary type="html"><![CDATA[Medical devices are facing cyber threats too.]]></summary></entry><entry><title type="html">Human Errors and the Computer Fraud and Abuse Act (CFAA)</title><link href="https://phoenixzlf.github.io/blog/2018/human-error-and-cfaa/" rel="alternate" type="text/html" title="Human Errors and the Computer Fraud and Abuse Act (CFAA)"/><published>2018-05-03T12:40:16-04:00</published><updated>2018-05-03T12:40:16-04:00</updated><id>https://phoenixzlf.github.io/blog/2018/human-error-and-cfaa</id><content type="html" xml:base="https://phoenixzlf.github.io/blog/2018/human-error-and-cfaa/"><![CDATA[<p><a href="https://jaykesan.com/">Jay P. Kesan</a> and <a href="https://www.linfengzhang.com">Linfeng Zhang</a></p> <p>Humans and computers are alike in at least one sense – both could malfunction or be compromised. On Feb. 28th 2018, the U.S. Marine Forces Reserve announced a data breach affecting thousands of marines, sailors and civilians, putting their identities at risk, as sensitive personal information like truncated social security numbers was leaked. The investigation showed that there was no malicious intent involved and the data breach was indeed a result of human error. An email containing the unencrypted confidential information had accidentally been sent to a wrong e-mail distribution list. Besides being duped into making unintentional disclosures, people are often tricked into giving up valuable information by scammers, and these hustles are referred to as “social engineering” or “phishing” in the cybersecurity world.</p> <p>The 2013 Target data breach case was one such example. 
The case was finally settled last year, and the retailing company ended up paying $18.5 million in fines for breaching 43 million records of payment card information. Unlike the Equifax data breach in September last year, which was caused by attackers directly hacking into the credit reporting company’s information systems, the Target incident started from a phishing email sent to a third-party vendor of Target. Through that vendor, the attackers gained the login credentials of Target, and thus obtained unrestricted access to its customers’ confidential information.</p> <p>Activities like phishing are not entirely new to the law. We had them before the Internet era, and they fit the criteria for common law fraud. The legal definition of fraud requires: (1) a false statement of a material fact; (2) knowledge on the part of the perpetrator that the statement is untrue; (3) intent on the part of the perpetrator to deceive the alleged victim; (4) justifiable reliance by the alleged victim on the perpetrator’s statement; and (5) injury to the alleged victim as a result. Phishing fits into this legal definition of fraud even if phishing emails are distributed via the Internet because the medium used for delivering the false statement is irrelevant.</p> <p>In contrast to conventional fraud, including phishing scams which take advantage of the vulnerabilities in human cognition, computer fraud is a bit different. Computer fraud typically involves disrupting information systems (such as spreading computer viruses), abusing computing resources (such as compromising computers for DDoS attacks), and taking or altering electronic data (such as stealing data from servers). Both computer fraud and conventional fraud can serve the same purpose, for example, stealing sensitive data from the hosting server, but they achieve this goal through different means.
In computer fraud, attackers gain unauthorized access or exceed their authorized access to a computer system by exploiting the vulnerabilities in those computer systems, while the attackers in a conventional fraud may trick the server administrator into disclosing her login credentials unwittingly, as we saw in the Target data breach. Computer fraud is defined and criminalized by the Computer Fraud and Abuse Act (CFAA), which was enacted by Congress in 1986. It proscribes accessing a computer without authorization or in excess of any granted authorization. Due to the nature of phishing or social engineering, these activities fit uncomfortably within computer fraud since computer access was in fact authorized–albeit mistakenly. Even if phishing is seen as circumventing a technological access barrier, such as a password, the scope of authorized access has not been exceeded under the CFAA since consent was granted. Hence, activities such as phishing do not fit comfortably within the Computer Fraud and Abuse Act. Although the CFAA has been amended a few times since 1986, it has a hard time keeping up with new and emerging technologies and badly needs updating.</p>]]></content><author><name></name></author><category term="commentaries"/><category term="cyber"/><category term="legal"/><summary type="html"><![CDATA[Is the Computer Fraud and Abuse Act still applicable to modern-day cyber crimes?]]></summary></entry><entry><title type="html">The Brand New General Data Protection Regulation (GDPR) in the EU</title><link href="https://phoenixzlf.github.io/blog/2018/gdpr/" rel="alternate" type="text/html" title="The Brand New General Data Protection Regulation (GDPR) in the EU"/><published>2018-05-03T12:40:16-04:00</published><updated>2018-05-03T12:40:16-04:00</updated><id>https://phoenixzlf.github.io/blog/2018/gdpr</id><content type="html" xml:base="https://phoenixzlf.github.io/blog/2018/gdpr/"><![CDATA[<p><a href="https://jaykesan.com/">Jay P. 
Kesan</a> and <a href="https://www.linfengzhang.com">Linfeng Zhang</a></p> <p>If you have online accounts with social media sites, e-commerce companies or any other businesses which have your personal information, you have probably received several notifications by email about privacy policy updates from them over the past few weeks. This is because the deadline, May 25th, for them to be GDPR-compliant has just passed.</p> <p>GDPR stands for General Data Protection Regulation. It was adopted by the European Union in April 2016 to protect the data security and privacy of people in the Union, or “data subjects”, which is the term used in this regulation. Companies collecting or processing the personal information of data subjects had two years to get ready and be compliant. The focus of the regulation is to restrain companies from abusing user data and to make the process of data collecting and handling more transparent to data subjects. In addition, under the GDPR, data subjects have the right to control the data collected by companies, such as correcting wrong personal information, requesting a copy of collected data and erasing personal information, also known as the “right to be forgotten,” under certain circumstances.</p> <p>The GDPR applies not only to EU companies, but also to businesses outside the EU handling personal information of data subjects located in the European Union. The scope of this regulation can be interpreted expansively because the data subjects to be protected are not necessarily EU citizens. The specific wording of the regulation refers to data subjects “in the Union”, so by its language, it could conceivably apply to protect the personal data of Americans on vacation in Europe.</p> <p>Besides its broad scope, the GDPR imposes heavy fines on companies that are found to not be compliant. Under the GDPR, there are two tiers of administrative fines.
The lower tier—up to 10 million Euros or 2% of the company’s global annual revenue—is for violations like failing to report data breach incidents in a timely manner. The higher tier—up to 20 million Euros or 4% of global annual revenue, whichever is higher—is for violations of data subjects’ rights and unlawful data processing practices. To many companies, a fine as large as 4% of annual revenue is a significant percentage of their profit for a whole year. Some analysts believe that a fine this big is unlikely as the regulation says fines must be “effective, proportionate and dissuasive”.</p> <p>How the fines are set up suggests that the regulation is going to have a bigger impact on small businesses than on the large ones, because for small businesses a 10-million-Euro minimum fine for the lower tier might be greater than 2% of their annual revenue, and so they may end up paying relatively more than large companies do. In addition, large companies like Google or Facebook have more technical resources to implement data protection measures as required by GDPR and more legal resources to be compliant. According to a survey conducted by a security research firm, Crowd Research Partners, about the challenges of being GDPR-compliant, 43% of the interviewed firms suggest that they do not have expert staff, and 40% of the firms say that they are lacking the budget to comply. In short, many firms may have to decide whether to be fined or to try to be compliant at greater cost.</p> <p>The GDPR has been in force for only a couple of weeks. There are still a lot of uncertainties about how firms should comply with it, and how it will be enforced.
But it is a good starting point for improving data protection, and perhaps in the future, we may see fewer incidents like the Facebook-Cambridge Analytica scandal.</p>]]></content><author><name></name></author><category term="commentaries"/><category term="cyber"/><category term="legal"/><summary type="html"><![CDATA[Let us take a look at some new regulations on data protection.]]></summary></entry><entry><title type="html">Screen Capture and Output with Transformations</title><link href="https://phoenixzlf.github.io/blog/2017/android-screen-capture/" rel="alternate" type="text/html" title="Screen Capture and Output with Transformations"/><published>2017-02-05T11:40:16-05:00</published><updated>2017-02-05T11:40:16-05:00</updated><id>https://phoenixzlf.github.io/blog/2017/android-screen-capture</id><content type="html" xml:base="https://phoenixzlf.github.io/blog/2017/android-screen-capture/"><![CDATA[<p><a href="https://www.linfengzhang.com">Linfeng Zhang</a></p> <p>In a recent Android project I am working on, I am trying to implement a method that captures the content on screen and projects it onto a medium with certain transformations.</p> <p>There are a lot of tutorials on the screen capturing part out there. The typical way is using <code>MediaProjectionManager</code> to create a screen capture intent, and then projecting the content onto a surface upon the user’s approval using the <code>createVirtualDisplay</code> method. Google provides a nice demo of the usage of media projection, which can be found <a href="https://android.googlesource.com/platform/development/+/master/samples/ApiDemos/src/com/example/android/apis/media/projection/MediaProjectionDemo.java">here</a>.
In this example, the surface for projection is created through a <code>SurfaceView</code>, but it can also be created from other instances like a <code>MediaRecorder</code> or an <code>ImageReader</code>, which can be used for video recording or taking screenshots.</p> <p>In order to achieve the goal of live output with transformations, <code>TextureView</code> seems to be the best choice here, as it renders content with a <code>SurfaceTexture</code>, which can be used to construct a surface object, and unlike the <code>SurfaceView</code>, a <code>TextureView</code> can be easily scaled and transformed using the <code>setTransform</code> method. This approach does the trick when you need to display only a part of the screen in a sized window. There might be other, better ways to do it, since <code>TextureView</code> is quite memory-consuming and getting the proper transformation matrix can be tricky on some occasions.</p>]]></content><author><name></name></author><category term="development_notes"/><category term="Android_development"/><summary type="html"><![CDATA[If you ever need to capture the content on your Android device and output it with some transformations...]]></summary></entry></feed>