Cyberensuring Security

54 Pages Posted: 21 Jan 2019

See all articles by Justin (Gus) Hurwitz

Justin (Gus) Hurwitz

International Center for Law & Economics (ICLE); University of Pennsylvania Law School

Date Written: September 1, 2017


Cybersecurity is one of the most pressing and legally difficult issues facing this country today. It touches every aspect of modern political and social life, the economy, and national security. From the OPM and IRS breaches, to the Sony hack, to attacks on hospitals and health insurers, to attacks on domestic and international infrastructure, to domestic and international surveillance, cybersecurity concerns are omnipresent. For technical, legal, and practical, reasons, they also have proven extremely difficult to address.

This Article draws from the economic literatures on strict liability and insurance to argue that cyber incidents generally, and data breaches specifically, should be treated as strict liability offenses. But that is only the starting point of this Article’s argument. The economic literature on strict liability recognizes that it is, in fact, a form of insurance—potential tortfeasors subject to strict liability effectively are required to insure others against harms caused by their conduct. This Article’s core argument is that pervasive cyber-incident insurance is the best approach to addressing the full range of cybersecurity concerns.

The characteristics of the model proposed in this Article compare favorably to the current status quo—one in which users are largely helpless, firms are largely unknowledgeable, software is generally insecure, federal agencies are generally impotent to bring about meaningful change, and attackers are largely judgement proof. As an initial matter, it would offer consumers redress when cyber-incidents occur. But more importantly, it would facilitate education about and monitoring of cybersecurity practices; it would facilitate the collection, analysis, and use, of aggregate information about the causes and costs of these incidents; and it would put that information the hands of parties in a position to improve the existing ecosystem.

Suggested Citation

Hurwitz, Justin (Gus), Cyberensuring Security (September 1, 2017). Connecticut Law Review, Vol. 49, No. 5, 2017, Available at SSRN: or

Justin (Gus) Hurwitz (Contact Author)

International Center for Law & Economics (ICLE) ( email )

5005 SW Meadows Rd.
Suite 300
Lake Oswego, OR 97035
United States

University of Pennsylvania Law School ( email )

3501 Sansom Street
Philadelphia, PA 19104
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics