On September 14, 2016, U.S. Representative Ed Perlmutter (D-Colo.) introduced the “Data Breach Insurance Act,” which would incentivize private industry to enhance its cybersecurity posture by providing federal income tax credits. Specifically, the bill would reward companies that obtain data breach insurance coverage and adopt the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”).
The new tax credit would expire five years after enactment, and thus appears intended to jumpstart adoption while cybersecurity coverage is still in its early stages. This approach shows merit, with the National Association of Insurance Commissioners (“NAIC”) reporting in August that U.S. insurers offering standalone cybersecurity policies encountered loss ratios ranging from zero to five hundred percent under these policies in 2015. If this wide variation in insurers’ experience results from immature underwriting models, encouraging more widespread coverage could spur standardization and a more efficient pooling of cyber risks.
To be eligible for the credit under the bill, taxpayers would not only need to obtain an eligible policy, but would also need to adopt and comply with the NIST Framework. This provision appears intended to require actual changes in insureds’ behaviors. This should, in theory, promote a virtuous cycle, whereby insurers can count on, and in turn further incentivize, a more standardized approach to cybersecurity and data breach readiness. However, the bill does not define “compliance” with the NIST Framework, and the NIST Framework itself is designed to apply flexibly to a variety of organizations and needs, without a preset measure of effectiveness or a mandated assessment program. This could leave significant uncertainty about the credit’s applicability. (Similarly, the bill would give the Secretary of the Treasury a degree of influence in setting private cybersecurity policies, by allowing the Secretary (in consultation with the Secretaries of Homeland Security and Commerce) to approve alternative standards as sufficiently “similar” to the NIST Framework.)
The new bill is now pending before the House Committee on Ways and Means. Although the 114th Congress looks unlikely to take up the new proposal in its five remaining working weeks, its approach may resurface next year, either in standalone form or in connection with other cybersecurity measures.