Looking Beyond the Breach: Recovery Analysis in Data Breach and Cyber Losses

June 10, 2014

Sony. Target. Michaels. It seems we are hearing more and more often about major corporations falling victim to data breaches. More alarming than the corporate names themselves are the insurance claims, damages and costs associated with a single data breach event. A 2013 study of the average insurance carrier payout on a data breach claim from that same year (not including the uninsured loss) found that the average claim payout was $954,253. See NetDiligence 2013 Cyber Liability & Data Breach Insurance Claims – A Study of Actual Claim Payouts, Mark Greisiger, p.3 (NetDiligence 2013).

Further, when accounting for pending claims and Self-Insured Retentions that were likely to be associated with claims in 2013, that average insurance carrier payout rose to $3.5 million per claim. Contrast that with figures that put the average homeowners property damage claim at just over $34,000.00 for fire, lightning and debris removal claims and at approximately $7,300 for water, wind, and freezing claims, and we really should be alarmed. See Homeowners and Renters Insurance, Insurance Information Institute, Homeowner Losses Ranked by Claim Severity 2008-2012.

These staggering data breach figures have prompted growth in this industry for insurance professionals, but we should be looking beyond the breaches to recovery as well, both in terms of the possibility of recoveries and how to evaluate recovery. Surprisingly, there has been little attention given to the topic of subrogation or recovery opportunities arising out of cyber losses. In this article, we analyze the prospect of recovering on a cyber loss.

Many subrogation professionals may feel uncertain about the viability of pursuing data breach and cyber losses because of a fear of the unknown. Of course, technology is changing daily and we all often feel unable to keep pace. However, unlike other areas, the basic subrogation rules we already have in our DNA as insurance professionals still apply. In traditional subrogation property matters (fire, water, and other catastrophic losses), there is not much uncertainty as to either the cause of the loss or the investigation process. If it is a fire from a product, public and private investigators analyze burn patterns, arcing, and other physical evidence to determine the point where the fire originated. We gather helpful information from witnesses who may have seen the fire early on or obtain helpful product recall data from the Consumer Product Safety Commission. The conclusion of the traditional property loss investigation often makes sense because we can actually see the evidence of the cause of the loss. But just because we may not be able to see the data breach in the traditional sense does not mean we should not consider recovery for the payout.

The scary part of data breach and cyber losses for many is that we cannot conceptualize how this happened, and we cannot simply hold a photo of the fire scene to give us an orientation or map of the loss scene. How did the hacker get access to the insured’s network? Did the insured click on something or open an email that allowed them in? How could this have been prevented? How much did the hacker access? Is the hacker just some computer nerd in his parent’s basement, or part of a more sophisticated international hacking organization? Although the initial uncertainty in these questions creates a great deal of apprehension for the subrogation professional, the foundational principles of traditional property subrogation losses also translate to cyber subro cases. As a result, most subrogation professionals do not even realize that they are already fully equipped to review, investigate, and analyze the recovery potential in data breach and cyber subro cases.

The most obvious parallel between traditional property subro cases and cyber losses is an arson case. Both the arsonist and the hacker are committing intentional crimes that cause the loss. Whereas the arsonist is setting fire to a home or piece of property, the hacker is taking down a website, stealing credit card data, or crashing a server. Further, from the recovery perspective, both the arsonist and the hacker are often not viable sources of monetary recovery. Even if the arsonist is caught, there is no insurance coverage for his intentional crime, and often the arsonist does not have deep enough pockets to recover against. As a result, the traditional subro professional understands that with arson cases the subro potential lies with third party spread theories or security issues. Was someone responsible for protecting the property against the arsonist or other criminal break-in, or otherwise responsible for the fire spreading further than it should have? In cyber losses, the same security and spread theories are at the heart of the analysis. Whose job was it to protect the data/network from the hacker? Did some other party or vendor’s work make the system more susceptible or open to access? The answers to these questions invariably lead to the network maintenance company, security vendor, and/or software and hardware companies and whether their level of protection met the standard of care.

Keeping our traditional property subrogation principles in mind, we now turn to the investigation stage, where we continue to find parallels to the traditional subrogation investigation.

Evidence Preservation – Often the first thing a subrogation professional asks when receiving a new subrogation case (besides how big the loss is) is “where is the evidence?” This principle is ingrained in our brains, as we know the viability of our case diminishes greatly if the evidence is not properly documented and preserved immediately after a loss. The same evidence preservation principles apply to cyber losses. See In re Napster, Inc. Copyright Litig., 462 F.Supp.2d 1060, 1068 (N.D. Cal. 2006) (“The duty to preserve attaches when a party should have known that the evidence may be relevant to future litigation”). As a result, it is important to work with the insured and the retained expert immediately on what evidence needs to be gathered and saved, be it corrupt hard drives or forensic screen images.

Notice – Traditional subrogation principles also remind us early on in a case to put the potential defendants on notice, including allowing for a scene examination where feasible. Similar notice letters should be sent in cyber subro cases. Whereas the common defendants in traditional subro cases may be product manufacturers, contractors, installers, and service companies, the common parties to put on notice in cyber losses are the third party network company, security vendor, and/or software company that either did not protect the insured’s system from the hacker or provided the software that allowed the hacker access. And there is always the possibility that a third party wholly unrelated to the system compromised its security, such as a party that negligently causes a power outage leading to the shutdown or compromise of a server or network security system.

Expert Retention – Most subrogation professionals have a quick and dirty list of preferred experts in their respective region so that they can immediately get experts on scene or at an evidence examination. Traditionally this has included fire cause and origin experts, mechanical and electrical engineers, and metallurgists/material scientists. With the growth of cyber losses, subrogation professionals need to add a new category of experts: forensic data breach experts specializing in data recovery, network security, and the industry standards for these fields.

Applicable Standards – All subrogation professionals have had to become familiar with an assortment of standards as part of the analysis of whether the target defendant breached the standard of care. For property construction cases we are often reviewing building, electrical, or plumbing codes, and the analysis of product liability cases often involves ASMI and UL standards. And of course we are all familiar with the NFPA guidelines for fire investigation. Often these codes have been around for decades, built upon year after year. Conversely, the cyber world is much younger and therefore may not always have an applicable code. Often the general term “reasonableness” becomes the standard of care when analyzing whether the potential defendant took proper security measures and controls to protect the insured’s network. This includes whether a reasonable level of security was provided through encryption, passwords, firewalls, system upgrades, and intrusion detection/protection systems. There are also standards in place that we must become familiar with, and we should begin learning them from our newly retained forensic data breach experts.

One example of breaching an applicable standard was illustrated in the case of Cotton Patch Café v. Microsystems (Texas). In that case Micros sold Point of Sale (POS) systems to restaurants for sale transactions. (POS systems are computer hardware/software systems for credit/debit card transactions.) The POS system that Micros sold to Cotton Patch Café contained software version 3.2, which was not PABP Validated. PABP stands for the Payment Application Best Practices standard, which was created by VISA to ensure hackers could not gain access to the full track data on a credit card stripe. Whereas version 3.2 was not PABP Validated, Micros’ newer version 4.0 was PABP Validated. Since the updated software version was not installed on the Cotton Patch Café POS system, a hacker was able to gain access to the credit card information of Cotton Patch Café’s customers.

In addition to the importance of determining whether proper software and security standards are being met, the case highlights the potential for third party liability in cyber losses. Thinking in terms of traditional recovery cases, this analysis is not much different from exploring recovery against a party who installs a new mechanical system in a commercial building using an older version of a code or standard that does not include new requirements for installation and testing before the system is placed into service. Whereas the hacker, like the arsonist, may not be a viable source of recovery, subrogation professionals should consider whether the computer product/software supplier or network security company fell below the standard of care in a way that allowed the criminal act to occur.

There is often nothing more frustrating to a subrogation professional than having conclusively identified a defendant as the cause of a property loss, only to be faced with a potential bar to recovery due to a contractual defense. Subrogation professionals are no strangers to these contractual analysis issues, whether they be subrogation waivers, implied co-insured doctrines, or general limitations of liability. Similarly, cyber losses may involve contractual limitations of liability in the insured’s contract with network security vendors or software providers. Whether the limitation of liability is enforceable is often a state-by-state analysis. For example, in Blaidsell v. Dentrix Dental System (Utah), after the plaintiff purchased dental practice management software from Dentrix, a software upgrade by Dentrix erased all of the plaintiff’s patient files. The plaintiff was able to establish that the incident was caused by Dentrix’s update, but the defense asserted that the limitation of liability language in the software purchase contract (not liable for consequential damages) protected it from liability. The Court ruled that the limitation of liability contractual language would not be enforceable if the defendant engaged in “gross negligence.” While the Court ultimately found that the plaintiff could not prove that the defendant acted with gross negligence in this particular case, the case highlights the hurdle that limitation of liability language can present in cyber cases and the need to review your state’s rules for overcoming such language. Of course, these challenges are no different from the challenges faced in traditional recovery scenarios and should not cause recovery folks to overlook this category of losses for recovery opportunities.

For those fans of 80s movies, the situation of subrogation professionals and recovery personnel venturing into the world of cyber subro reminds us of the movie The Karate Kid. In it, Daniel LaRusso, frustrated after being continuously bullied at school, approaches Mr. Miyagi to teach him karate. Instead, Mr. Miyagi puts Daniel to work painting his house and fence, sanding his deck, and waxing his cars – the infamous “wax on, wax off” teaching method. Eventually Daniel confronts Mr. Miyagi in anger for not teaching him actual karate. However, Mr. Miyagi enlightens Daniel that he was in fact learning the foundational principles (hand and foot movements) of karate by learning the proper procedure to wax the cars, paint the house, and sand the deck. Similarly, most subrogation professionals do not realize that they are fully capable of investigating and analyzing the recovery potential of cyber losses. While cyber losses may appear unknown or scary on their face, the foundational investigation principles are the same as in traditional property subrogation cases. Wax on, wax off, and consider looking beyond the breach for recovery opportunities.

David Brisco, Esq., is a member of Cozen O’Connor’s Subrogation & Recovery practice group in the Litigation Department. He is based in San Diego.

Joe Rich, Esq., is a member of Cozen O’Connor’s Subrogation & Recovery Department. He is based in Philadelphia.