Data Breach, Privacy, and Cyber Liability Insurance: How Insurance Companies Act As “Compliance Managers” for Businesses
Friday, June 24, 2016: 4:15 PM-5:45 PM
119 Moses (Moses Hall)
While data theft and cyber risk are some of the biggest threats facing public and private organizations, existing empirical research suggests that the majority of organizations do not have sufficient protections in place to prevent data breaches, deal with post-breach notification responsibilities, and comply with various privacy laws. This article explores how insurance companies play a critical and as yet unrecognized role in assisting organizations with complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures that examine organizational compliance with law in different ways: new institutional organizational sociology studies of how organizations respond to legal regulation, and socio-legal insurance scholars’ research on how institutions govern through risk. Through participant observation at cyber liability insurance conferences, interviews, and content analysis of insurer loss prevention manuals and risk management services, my study bridges these two literatures and highlights how the insurance field acts as a compliance manager for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber liability insurance and a series of unique risk-management services that influence the form of compliance of organizations with privacy laws. Whereas prior empirical research suggests that human resource officials, managers, and in-house counsel influence the meaning of compliance by communicating an altered ideology of what laws mean that is shaped by managerial values, my data suggest that insurance institutions, and the risk management services that accompany cyber liability insurance, play a critical role in shaping the way organizations deal with cyber threats and comply with privacy laws.