Blogger: Bob Blakley
The Economist defines moral hazard as:
"One of two main sorts of market failure often associated with the provision of insurance.... Moral hazard means that people with insurance may take greater risks than they would do without it because they know they are protected, so the insurer may get more claims than it bargained for."
Moral hazard is bad enough when the insurance company is just cutting its own throat and endangering its own policyholders; it's much worse when the insurance company uses moral hazard to create risks to innocent third parties via externalities.
It won't come as a surprise to anyone who reads the news that AIG is a moral-hazard parable.
AIG's credit default swaps were insurance policies designed to protect banks against the risk that the institutions those banks lent to wouldn't pay back the debt. Banks which bought credit default swaps were able to take much of the risk of their loans off their balance sheets, under the theory that they held no risk because AIG would make up their losses. This freed AIG's customers up to create more and more risk without putting additional risk-mitigation capital aside.
But when AIG's customers' partners began to fail, it turned out that AIG didn't have enough money to pay all the policies it had written for its customers, because AIG itself hadn't stashed enough cash to cover the losses (credit default swaps were unregulated, so AIG wasn't required to set aside risk capital). When AIG realized its vault was empty, the company turned to you and me - the taxpayers - to cover the tab for the moral-hazard party it had encouraged its customers to throw.
AIG's moral hazard only became an externality because AIG itself was a poor manager of financial risk; the company doesn't appear to have been trying to endanger the taxpayers. But sometimes insurers seem to encourage their customers to endanger innocent third parties on purpose. On March 10, The Hartford issued a press release describing its new First Party Data Privacy Expense coverage. Here's how The Hartford describes the terms of this policy:
The Hartford's Data Privacy Expense coverage pays for actual expenses incurred as a result of a policyholder's negligent acts, errors or omissions that result in the improper dissemination of non-public personal information, or a breach or violation of data privacy laws.
In other words, the Hartford will pay companies that collect and hold your personal data to continue to do a shoddy job of protecting your privacy.
This is about as explicit as it gets in the moral hazard world, and the worst part is that The Hartford is encouraging its customers not to endanger themselves but to endanger you. The mixture of moral hazard and externality almost cries out for a new term; perhaps we should call it an "amoral hazard".
It's probably obvious that I'm not a big fan of this policy. Its natural effect will be to ease pressure for improvement in privacy practices, so it's clearly not a good thing for individuals. It may not be a very good thing for The Hartford, either; it's not clear that it will be easy to price the policy accurately, because liability for privacy breaches is increasing as more laws and regulations are put onto the books. And it probably isn't a good thing for the Hartford's customers: reputation damage, which an insurance policy can't reimburse, is a major component of privacy breach incidents, so companies which take out a Hartford policy and then relax may be in for an ugly surprise.
There may be a little bit of lemonade in this lemon, however. If claims flood in and The Hartford pays on a lot of policies, it will have to set a fair market price for the premiums. If it does that, and if the premiums become expensive, CPOs will finally have one hard metric for the value of privacy to the enterprise.
Comments