Today — 18 May 2024

How accurate are Jeremy Hunt’s claims about the UK economy?

Chancellor seems to cherrypick data as he tries to outline how the Tories have got the country back on its feet

Jeremy Hunt called a press conference on Friday to outline why the electorate should trust the Conservatives with the economy, but some of his claims appear to have used cherrypicked facts and figures. He gave his speech just over a week after the shadow chancellor, Rachel Reeves, accused the Conservatives of “gaslighting” the UK over the state of the economy by presenting too rosy a picture of what is actually going on.

Here are some of Hunt’s statements on the economy, and some context for his claims.

© Photograph: Aaron Chown/PA

Yesterday — 17 May 2024

You Might Need Car Insurance Even If You Don't Own a Car

17 May 2024 at 16:00

Cars are expensive—even used cars are no longer a cheap option. So it’s not too surprising that folks who live in areas where a car isn’t a total necessity might choose not to own one. Aside from the cost of buying, maintaining, and fueling a car, there’s also the car insurance, which costs anywhere from $53 to $192 per month on average, depending on the coverage you select.

But we live in a car-centric society, and not owning a car doesn’t mean you’ll never need a car. Luckily there are a lot of options when it comes to getting access to a vehicle for a short period of time, ranging from traditional car rentals to car-sharing apps to borrowing your friend’s car in a pinch. And you might assume that when you’re just using a car temporarily you don’t need your own liability insurance—but that’s not always true. Sometimes it’s a very good idea to buy something called Non-Owner Car Insurance.

Non-owner car insurance

Non-owner car insurance is secondary insurance—additional coverage that kicks in after primary insurance hits its limit. When you borrow or rent a car owned by someone else, their insurance covers the car even if you’re not officially listed on the policy. So why would you need your own policy? Because of liability: If you’re in an accident while driving someone else’s car and the damages exceed the base policy’s limits—or if the base policy denies the claim altogether—you’ll be on the hook for the extra costs.

Let’s say you borrow your friend’s car and their liability insurance has a $20,000 cap on bodily injury. You get into an accident and the other driver suffers $30,000 in medical bills as a result. If you don’t have any extra insurance, your friend’s insurance will pay out the $20,000—and you will have to come up with the rest. Considering the average cost of “evident” injury in a motor vehicle accident is $42,000 and “disabling” injuries can run to $162,000, it’s easy to see how getting into an accident without your own insurance can be problematic.

Like regular car insurance, non-owner car insurance starts off with basic liability and often includes the option to add on coverage for personal injury, medical payments, or uninsured motorist coverage. You’ll want to check with your insurer to make sure you know exactly what your policy covers.

Aside from the financial risk of driving any vehicle, there’s one other big reason you might consider non-owner car insurance if you borrow or rent cars regularly: your rates. If you’re temporarily without your own vehicle, buying non-owner car insurance can help keep your rates steady. If you go without car insurance for more than 31 days, your rates can jump up to 35%. Non-owner car insurance keeps your coverage current, which can pay off if you plan to own your own vehicle again soon.

Who needs it?

Just because you don’t currently own a car and occasionally have to borrow or rent one doesn’t mean you need non-owner car insurance. Here’s a guide to who needs it and who doesn’t:

  • Frequent renting or sharing. If you’re renting cars or using a car-sharing platform several times a month, you should probably carry non-owner insurance. If you rent a car once or twice a year when traveling or for a special need, it’s probably not necessary.

  • Occasional borrowing. If you borrow your friend’s car constantly, they should probably list you on their insurance as a driver, which means you don’t need non-owner insurance. If you borrow different cars from different people on a regular basis, however, you should probably get your own coverage as your use probably doesn’t qualify you as a listed driver.

  • Company car. If you drive a company car, check the terms of its insurance. Not all company cars are covered for personal use. If you’re driving the company-owned car on the weekends or when doing your weekly errands, you might need non-owner insurance to protect yourself in case of an accident.

Jeremy Hunt accused of exaggerating Tories’ economic record

Chancellor also criticised for ‘dodgy dossier’ on Labour plans as he aims to make low tax a key election issue

Jeremy Hunt has been accused of exaggerating the Conservatives’ economic record and presenting a “dodgy dossier” on Labour’s spending plans, as he moved to put low tax at the heart of his party’s offering at the next election.

The chancellor gave a speech in central London on Friday, pitching the Conservatives as having helped the UK recover from economic troubles more quickly than expected. He also signalled a further cut to national insurance in the autumn, having already reduced the tax from 12p in the pound to 8p.

© Photograph: Henry Nicholls/AFP/Getty Images

Before yesterday

How Much Car Insurance Coverage Do You Really Need?

15 May 2024 at 11:00

Car insurance is a necessity, but it's not one-size-fits-all. There's a minimum coverage required by your state, but that may not be enough to fully protect you financially. Purchasing more robust insurance with higher limits will provide greater peace of mind that you're covered if something goes wrong on the road. So, how much car insurance do you truly need? And are there any optional coverages that are recommended? Let's explore.

Types of coverage you need

First off, when it comes to car insurance coverage, you need to fulfill the minimum requirements set by your state. With the exception of Virginia and some remote regions of Alaska, all states mandate drivers to have car insurance.

The cornerstone of this is liability coverage, which doesn't actually protect your ride. Instead, it foots the bill for any injuries, fatalities, or property damage you inflict on others, up to the limit specified in your policy. These limits are typically presented in a "25/50/15" format, meaning your insurer will cough up $25,000 per person, $50,000 per incident for bodily harm you cause, and up to $15,000 for wrecking someone else's property.

Here's the catch—in some states, the minimum bodily injury limit can be as paltry as $15,000. But a serious smash-up can easily rack up medical expenses that blow past that number. If your liability coverage falls short of covering the other party's costs, you could find yourself in legal trouble, forced to empty your pockets to make amends.

How much coverage is enough?

So, how do you determine if you've purchased adequate car insurance? Begin by considering your net worth and the frequency of your driving when deciding on your auto policy's liability limits. If you don't have enough coverage to compensate for injuries or property damage you cause, you could face a lawsuit amounting to tens of thousands of dollars.

After all, the primary purpose of car insurance is to provide a financial safety net tailored to your situation. Let's say you rear-end another vehicle, injuring the driver and passenger. If the other car is worth $20,000 and the medical bills soar to $40,000 per person, you're on the hook for a cool $100,000. Without sufficient insurance to cover that sum, the injured parties could take you to court to recoup their losses.

It's essential to remember that car insurance is designed to protect your financial security. Obtaining insurance equal to your net worth means your policy should be able to cover the full cost of an accident without putting your home and other assets at risk.

Most insurers cap the liability coverage you can purchase, but if you've maxed out and still want more, you can supplement with an umbrella policy. These policies bolster liability protection for both your car and home, typically in $1 million increments. If you don't have any assets to protect besides your car, you're probably fine with purchasing minimal liability coverage.

Getting full coverage car insurance

Liability coverage is great for covering others' expenses when you're at fault, but what about repairs to your own ride? What if your car gets totaled, and you need $20,000 to replace it? This is when full coverage car insurance could be worth considering.

"Full coverage" typically refers to a policy packing liability coverage plus collision and comprehensive protection. These two coverages pay for damage to your vehicle, regardless of who's at fault. Collision coverage kicks in when your car collides with another object, while comprehensive coverage handles situations beyond your control, like vandalism, theft, or a run-in with Bambi.

If you opt for collision and comprehensive coverage, pay close attention to the deductible—the amount you'll need to fork over before your insurer starts pitching in. Deductibles usually range from $250 to $1,000, but can climb higher, so choose an amount you can comfortably afford in a pinch.

Rounding out your protection

Insurers offer plenty of additional coverage options that could prove handy:

  • Glass coverage repairs or replaces damaged windshields and windows, ideal if you find yourself on the receiving end of a rogue pebble.

  • Medical payments coverage helps cover your own medical expenses, or those of your passengers, after a crash, which can be useful for covering health insurance deductibles.

  • Roadside assistance sends help if you find yourself stranded, in need of a tow or jump start, though some companies may charge extra for these services.

Keeping costs in check

State-mandated minimums like 25/50 won't cut it in the event of serious injuries or vehicle replacements. If you can swing it, opt for higher limits. Here are some tips to keep your insurance premiums from breaking the bank:

  • Bundle your auto policy with your home and life insurance for potential discounts.

  • Take advantage of discounts for being claim-free or a good student.

  • Shop around and compare rates every one to two years to snag the best deal.

  • Increase your deductible to lower your monthly payments.

The right coverage levels depend on your comfort level with risk, but buying only minimums could leave you dangerously underinsured. Do your homework upfront, so you don't get stuck with surprise out-of-pocket costs after an accident reveals gaps in your policy.

Kaiser health insurance leaked patient data to advertisers

29 April 2024 at 06:44

Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers.

Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

In the required notice with the US government, Kaiser lists 13.4 million affected individuals. Among these third-party ad vendors are Google, Microsoft, and X. Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the information gathered by these pixels tells them a lot about your browsing behavior, and a lot about you.

This kind of data leak normally happens when a website includes sensitive information in its URLs (web addresses). The URLs you visit are shared with the company that provides the tracking pixel, so if the URL contains sensitive information it will end up in the hands of the tracking company. The good news is that while it’s easy for websites to leak information like this, there is no suggestion that tracking pixel operators are aware of it, or acting on it, and it would probably be hugely impractical for them to do so.

The leaked data includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service, how they interacted with it, how they navigated through the website and mobile applications, and what search terms they used in the health encyclopedia.
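To make the leak path described above concrete, here is an added example (not from the original article or from Kaiser): a check a site owner could run on page URLs before any third-party tag sees them. The hostname, parameter names and allowlist are assumptions constructed for illustration.

```javascript
// Added example: find and strip data that a third-party pixel would receive
// through the page URL. All names and sample URLs are constructed.

// Query parameters considered safe to share (assumption: a real site
// maintains its own allowlist; everything else is treated as a leak).
const ALLOWED_PARAMS = new Set(["lang", "page"]);

// Path segments that look like identifiers. Deliberately conservative:
// any run of 4+ digits, a UUID, or an e-mail address.
const ID_LIKE = [
  /^\d{4,}$/,
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
  /^[^@\s/]+@[^@\s/]+\.[^@\s/]+$/,
];

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (err) {
    return segment;
  }
}

function looksLikeId(segment) {
  const decoded = safeDecode(segment);
  return ID_LIKE.some((re) => re.test(decoded));
}

// Report every part of the URL that a tag reading location.href would see
// and that is not on the allowlist.
function findLeaks(rawUrl) {
  const url = new URL(rawUrl);
  const leaks = [];
  for (const [key, value] of url.searchParams) {
    if (!ALLOWED_PARAMS.has(key.toLowerCase())) {
      leaks.push({ where: "query", key, value });
    }
  }
  url.pathname.split("/").filter(Boolean).forEach((segment, index) => {
    if (looksLikeId(segment)) {
      leaks.push({ where: "path", key: String(index), value: safeDecode(segment) });
    }
  });
  // Fragments are not sent in the Referer header, but a script running in
  // the page can read them from location.href.
  if (url.hash.length > 1) {
    leaks.push({ where: "fragment", key: "#", value: url.hash.slice(1) });
  }
  return leaks;
}

// Build the only form of the URL that should be handed to a third party:
// origin, path with identifiers replaced, allowlisted parameters, no fragment.
function redactForThirdParty(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(key.toLowerCase())) kept.append(key, value);
  }
  const path = url.pathname
    .split("/")
    .map((segment) => (looksLikeId(segment) ? ":id" : segment))
    .join("/");
  const query = kept.toString();
  return url.origin + path + (query ? "?" + query : "");
}

// Constructed sample URLs modelled on the kinds of data the notice lists
// (search terms, signed-in member pages).
const SAMPLE_URLS = [
  "https://health.example.test/encyclopedia/search?q=depression+medication&lang=en",
  "https://health.example.test/members/10482233/appointments#visit-notes",
  "https://health.example.test/about?lang=es",
];

for (const sample of SAMPLE_URLS) {
  console.log(sample);
  console.log("  leaks:   ", JSON.stringify(findLeaks(sample)));
  console.log("  redacted:", redactForThirdParty(sample));
}
```

Running the audit over a crawl of a site's own URLs shows which routes need fixing at the source; the redaction function is a stopgap for pages where a third-party tag cannot be removed.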

A spokesperson said that Kaiser intends to begin notifying the affected current and former members and patients who accessed its websites and mobile apps in May.

Not so long ago, we reported how mental health company Cerebral failed to protect sensitive personal data, and ended up having to pay $7 million. That was also due to tracking pixels, so this is a recurring problem we are likely to see lots more of. Research done by The Markup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

Automakers Are Sharing Driver Data with Insurers without Consent

14 March 2024 at 07:01

Kashmir Hill has the story:

Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have started offering optional features in their connected-car apps that rate people’s driving. Some drivers may not realize that, if they turn on these features, the car companies then give information about how they drive to data brokers like LexisNexis [who then sell it to insurance companies].

Automakers and data brokers that have partnered to collect detailed driving data from millions of Americans say they have drivers’ permission to do so. But the existence of these partnerships is nearly invisible to drivers, whose consent is obtained in fine print and murky privacy policies that few read.

A Cyber Insurance Backstop

28 February 2024 at 07:02

In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”

At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?

One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop. A cyber insurance backstop would provide a means for insurers to receive financial support from the federal government in the event that there was a catastrophic cyberattack that caused so much financial damage that the insurers could not afford to cover all of it.

In his discussion of a potential backstop, Chertoff specifically references the Terrorism Risk Insurance Act (TRIA) as a model. TRIA was passed in 2002 to provide financial assistance to the insurers who were reeling from covering the costs of the Sept. 11, 2001, terrorist attacks. It also created the Terrorism Risk Insurance Program (TRIP), a public-private system of compensation for some terrorism insurance claims. The 9/11 attacks cost insurers and reinsurers $47 billion. It was one of the most expensive insured events in history and prompted many insurers to stop offering terrorism coverage, while others raised the premiums for such policies significantly, making them prohibitively expensive for many businesses. The government passed TRIA to provide support for insurers in the event of another terrorist attack, so that they would be willing to offer terrorism coverage again at reasonable rates. President Biden’s 2023 National Cybersecurity Strategy tasked the Treasury and Homeland Security Departments with investigating possible ways of implementing something similar for large cyberattacks.

There is a growing (and unsurprising) consensus among insurers in favor of the creation and implementation of a federal cyber insurance backstop. Like terrorist attacks, catastrophic cyberattacks are difficult for insurers to predict or model because there is not very good historical data about them—and even if there were, it’s not clear that past patterns of cyberattacks will dictate future ones. What’s more, cyberattacks could cost insurers astronomic sums of money, especially if all of their policyholders were simultaneously affected by the same attack. However, despite this consensus and the fact that this idea of the government acting as the “insurer of last resort” was first floated more than a decade ago, actually developing a sound, thorough proposal for a backstop has proved to be much more challenging than many insurers and policymakers anticipated.

One major point of issue is determining a threshold for what types of cyberattacks should trigger a backstop. Specific characteristics of cyberattacks—such as who perpetrated the attack, the motive behind it, and total damage it has caused—are often exceedingly difficult to determine. Therefore, even if policymakers could agree on what types of attacks they think the government should pay for based on these characteristics, they likely won’t be able to calculate which incursions actually qualify for assistance.

For instance, NotPetya is estimated to have caused more than $10 billion in damage worldwide, but the quantifiable amount of damage it actually did is unknown. The attack caused such a wide variety of disruptions in so many different industries, many of which likely went unreported since many companies had no incentive to publicize their security failings and were not required to do so. Observers do, however, have a pretty good idea who was behind the NotPetya attack because several governments, including the United States and the United Kingdom, issued coordinated statements blaming the Russian military. As for the motive behind NotPetya, the program was initially transmitted through Ukrainian accounting software, which suggests that it was intended to target Ukrainian critical infrastructure. But notably, this type of coordinated, consensus-based attribution to a specific government is relatively rare when it comes to cyberattacks. Future attacks are not likely to receive the same determination.

In the absence of a government backstop, the insurance industry has begun to carve out larger and larger exceptions to their standard cyber coverage. For example, in a pair of rulings against Merck’s insurers, judges in New Jersey ruled that the insurance exclusions for “hostile or warlike acts” (such as the one in Merck’s property policy that excluded coverage for “loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power”) were not sufficiently specific to encompass a cyberattack such as NotPetya that did not involve the use of traditional force.

Accordingly, insurers such as Lloyd’s have begun to change their policy language to explicitly exclude broad swaths of cyberattacks that are perpetrated by nation-states. In an August 2022 bulletin, Lloyd’s instructed its underwriters to exclude from all cyber insurance policies not just losses arising from war but also “losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.” Other insurers, such as Chubb, have tried to avoid tricky questions about attribution by suggesting a government response-based exclusion for war that only applies if a government responds to a cyberattack by authorizing the use of force. Chubb has also introduced explicit definitions for cyberattacks that pose a “systemic risk” or impact multiple entities simultaneously. But most of this language has not yet been tested by insurers trying to deny claims. No one, including the companies buying the policies with these exclusions written into them, really knows exactly which types of cyberattacks they exclude. It’s not clear what types of cyberattacks courts will recognize as being state-sponsored, or posing systemic risks, or significantly impairing the ability of a state to function. And for the policyholders whose insurance exclusions feature this sort of language, it matters a great deal how that language in their exclusions will be parsed and understood by courts adjudicating claim disputes.

These types of recent exclusions leave a large hole in companies’ coverage for cyber risks, placing even more pressure on the government to help. One of the reasons Chertoff gives for why the backstop is important is to help clarify for organizations what cyber risk-related costs they are and are not responsible for. That clarity will require very specific definitions of what types of cyberattacks the government will and will not pay for. And as the insurers know, it can be quite difficult to anticipate what the next catastrophic cyberattack will look like or how to craft a policy that will enable the government to pay only for a narrow slice of cyberattacks in a varied and unpredictable threat landscape. Get this wrong, and the government will end up writing some very large checks.

And in comparison to insurers’ coverage of terrorist attacks, large-scale cyberattacks are much more common and affect far more organizations, which makes it a far more costly risk that no one wants to take on. Organizations don’t want to—that’s why they buy insurance. Insurance companies don’t want to—that’s why they look to the government for assistance. But, so far, the U.S. government doesn’t want to take on the risk, either.

It is safe to assume, however, that regardless of whether a formal backstop is established, the federal government would step in and help pay for a sufficiently catastrophic cyberattack. If the electric grid went down nationwide, for instance, the U.S. government would certainly help cover the resulting costs. It’s possible to imagine any number of catastrophic scenarios in which an ad hoc backstop would be implemented hastily to help address massive costs and catastrophic damage, but that’s not primarily what insurers and their policyholders are looking for. They want some reassurance and clarity up front about what types of incidents the government will help pay for. But to provide that kind of promise in advance, the government likely would have to pair it with some security requirements, such as implementing multifactor authentication, strong encryption, or intrusion detection systems. Otherwise, they create a moral hazard problem, where companies may decide they can invest less in security knowing that the government will bail them out if they are the victims of a really expensive attack.

The U.S. government has been looking into the issue for a while, though, even before the 2023 National Cybersecurity Strategy was released. In 2022, for instance, the Federal Insurance Office in the Treasury Department published a Request for Comment on a “Potential Federal Insurance Response to Catastrophic Cyber Incidents.” The responses recommended a variety of different possible backstop models, ranging from expanding TRIP to encompass certain catastrophic cyber incidents, to creating a new structure similar to the National Flood Insurance Program that helps underwrite flood insurance, to trying a public-private partnership backstop model similar to the United Kingdom’s Pool Re program.

Many of these responses rightly noted that while it might eventually make sense to have some federal backstop, implementing such a program immediately might be premature. University of Edinburgh Professor Daniel Woods, for example, made a compelling case for why it was too soon to institute a backstop in Lawfare last year. Woods wrote,

One might argue similarly that a cyber insurance backstop would subsidize those companies whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage. Infection in this instance could have been prevented by basic cyber hygiene. Why should companies that do not employ basic cyber hygiene be subsidized by industry peers? The argument is even less clear for a taxpayer-funded subsidy.

The answer is to ensure that a backstop applies only to companies that follow basic cyber hygiene guidelines, or to insurers who require those hygiene measures of their policyholders. These are the types of controls many are familiar with: complicated passwords, app-based two-factor authentication, antivirus programs, and warning labels on emails. But this is easier said than done. To a surprising extent, it is difficult to know which security controls really work to improve companies’ cybersecurity. Scholars know what they think works: strong encryption, multifactor authentication, regular software updates, and automated backups. But there is not anywhere near as much empirical evidence as there ought to be about how effective these measures are in different implementations, or how much they reduce a company’s exposure to cyber risk.

This is largely due to companies’ reluctance to share detailed, quantitative information about cybersecurity incidents because any such information may be used to criticize their security posture or, even worse, as evidence for a government investigation or class-action lawsuit. And when insurers and regulators alike try to gather that data, they often run into legal roadblocks because these investigations are often run by lawyers who claim that the results are shielded by attorney-client privilege or work product doctrine. In some cases, companies don’t write down their findings at all to avoid the possibility of its being used against them in court. Without this data, it’s difficult for insurers to be confident that what they’re requiring of their policyholders will really work to improve those policyholders’ security and decrease their claims for cybersecurity-related incidents under their policies. Similarly, it’s hard for the federal government to be confident that they can impose requirements for a backstop that will actually raise the level of cybersecurity hygiene nationwide.

The key to managing cyber risks—both large and small—and designing a cyber backstop is determining what security practices can effectively mitigate the impact of these attacks. If there were data showing which controls work, insurers could then require that their policyholders use them, in the same way they require policyholders to install smoke detectors or burglar alarms. Similarly, if the government had better data about which security tools actually work, it could establish a backstop that applied only to victims who have used those tools as safeguards. The goal of this effort, of course, is to improve organizations’ overall cybersecurity in addition to providing financial assistance.

There are a number of ways this data could be collected. Insurers could do it through their claims databases and then aggregate that data across carriers to policymakers. They did this for car safety measures starting in the 1950s, when a group of insurance associations founded the Insurance Institute for Highway Safety. The government could use its increasing reporting authorities, for instance under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, to require that companies report data about cybersecurity incidents, including which countermeasures were in place and the root causes of the incidents. Or the government could establish an entirely new entity in the form of a Bureau for Cyber Statistics that would be devoted to collecting and analyzing this type of data.

Scholars and policymakers can’t design a cyber backstop until this data is collected and studied to determine what works best for cybersecurity. More broadly, organizations’ cybersecurity cannot improve until more is known about the threat landscape and the most effective tools for managing cyber risk.

If the cybersecurity community doesn’t pause to gather that data first, then it will never be able to meaningfully strengthen companies’ security postures against large-scale cyberattacks, and insurers and government officials will just keep passing the buck back and forth, while the victims are left to pay for those attacks themselves.

This essay was written with Josephine Wolff, and was originally published in Lawfare.
