Target. Michaels. P.F. Chang's. We are hearing more and more the names of major corporations victimized by data breaches. More alarming than the corporate names themselves are the insurance claims, damages and costs associated with a single data breach event.

A 2013 study of the average insurance carrier payout on a data breach claim from that same year (not including the uninsured loss) found that the average claim payout was $954,253. Further, when accounting for pending claims and self-insured retentions that were likely to be associated with claims in 2013, that average insurance carrier payout rose to $3.5 million per claim. Contrast that with figures that put the average homeowners property damage claim at just over $34,000 for fire, lightning and debris removal claims and approximately $7,300 for water, wind and freezing claims, and we really should be alarmed.

These staggering data breach figures have prompted growth in this industry for insurance professionals, but we must look beyond the breaches to cyber loss recovery.

Although the initial uncertainty of a data breach creates apprehension for the subrogation professional, the principles of traditional property subrogation losses also translate to cyber subro cases. Most subrogation professionals do not even realize that they are already fully equipped to review, investigate and analyze the recovery potential in data breach and cyber subro cases.

The most obvious parallel between traditional property subro cases and cyber losses is an arson case. Both the arsonist and the hacker are committing intentional crimes that cause the loss. Whereas the arsonist is setting fire to a home or piece of property, the hacker is taking down a website, stealing credit card data or crashing a server. Further, from the recovery perspective, both the arsonist and the hacker are often not viable sources of monetary recovery. As a result, the traditional subro professional understands that with arson cases the subro potential lies with third-party spread theories or security issues. Was someone responsible for protecting the property against the arsonist or other criminal break-in, or otherwise responsible for the fire spreading further than it should have?

In cyber losses, the same security and spread theories are at the heart of the analysis. Whose job was it to protect the data/network from the hacker? Did some other party or vendor's work make the system more susceptible or open to access? The answers to these questions invariably lead to the network maintenance company, security vendor or software and hardware companies, and to whether their levels of protection met the standard of care.

The Investigation Process

Let's turn to the investigation stage, which reveals parallels to the traditional subrogation investigation.

Evidence preservation: The first thing a subrogation professional asks when receiving a new subrogation case (besides how big the loss is) is "where is the evidence?" The viability of a case diminishes greatly if the evidence is not properly documented and preserved immediately after a loss. The same evidence preservation principles apply to cyber losses. The duty to preserve attaches when a party should have known that the evidence may be relevant to future litigation. As a result, it is important to work with the insured and the retained expert immediately on what evidence needs to be gathered and saved, be it corrupted hard drives or forensic screen images.

Notice: Traditional subrogation principles call for putting the potential defendants on notice, including allowing for a scene examination where feasible. Similar notice letters should be sent in cyber subro cases. Whereas the common defendants in traditional subro cases may be product manufacturers, contractors, installers and service companies, the common parties to put on notice in cyber losses are the third-party network company, security vendor, and software company that either did not protect the insured's system from the hacker or provided the software that allowed the hacker access. And there is always the possibility that a third party wholly unrelated to the system compromised its security, such as a party that negligently causes a power outage leading to the shutdown or compromise of a server or network security system.

Expert retention: Most subrogation professionals have a quick and dirty list of preferred experts in their respective regions so that they can immediately get experts on scene or at an evidence examination. Traditionally this included fire cause and origin experts, mechanical and electrical engineers and metallurgists/material scientists. With the growth of cyber losses, subrogation professionals need to add a new category of experts: forensic data breach experts specializing in data recovery, network security and the industry standards for these fields.

Applicable standards: All subrogation professionals have had to become familiar with an assortment of standards as part of the analysis as to whether the target defendant breached the standard of care. Often these codes have been around for decades, built upon year after year. Conversely, the cyber world is much younger and may not have an applicable code. Often the general term "reasonableness" becomes the standard of care when analyzing whether the potential defendant took proper security measures and controls to protect the insured's network. This includes whether a reasonable level of security was provided with encryption, passwords, firewalls, system upgrades and intrusion detection/prevention systems.

One example of breaching an applicable standard was illustrated in the case of Cotton Patch Café v. Micros Systems (Texas). In that case Micros sold Point of Sale (POS) systems to restaurants for sale transactions. The POS system that Micros sold to Cotton Patch Café contained software version 3.2, which was not PABP validated. PABP stands for Payment Application Best Practices, a standard created by VISA to ensure hackers could not gain access to the full track data on a credit card's magnetic stripe. Micros' newer version 4.0 was PABP validated. Because the updated software version was not installed on the Cotton Patch Café POS system, a hacker was able to gain access to the credit card information of Cotton Patch Café's customers.

In addition to the importance of determining if proper software and security standards are being met, the case highlights the potential for third-party liability in cyber losses. Thinking in terms of traditional recovery cases, this analysis is not much different from exploring recovery against a party who installs a new mechanical system in a commercial building using an older version of a code or standard that does not include new requirements for installation and testing before the system is placed into service. Whereas the hacker, like the arsonist, may not be a viable source of recovery, subrogation professionals should consider whether the computer product/software supplier or network security company fell below the standard of care in a way that allowed the criminal act to occur.

Contractual issues: There are few things more frustrating to a subrogation professional than having conclusively identified a defendant as the cause of a property loss, only to be faced with a potential bar to recovery due to a contractual defense. Cyber losses may involve contractual limitations of liability in the insured's contract with network security vendors or software providers. Whether the limitation of liability is enforceable is often a state-by-state analysis.

For example, in Blaisdell v. Dentrix Dental Systems (Utah), after the plaintiff purchased dental practice management software from Dentrix, a software upgrade by Dentrix erased all of the plaintiff's patient files. The plaintiff was able to establish that the incident was caused by Dentrix's update, but the defense asserted that the limitation of liability language in the software purchase contract (not liable for consequential damages) protected it from liability. The Court ruled that the limitation of liability contractual language would not be enforceable if the defendant engaged in "gross negligence." While the Court ultimately found that the plaintiff could not prove that the defendant acted with gross negligence, the case highlights the hurdle that limitation of liability language can create in cyber cases and the need to review your state's rules for overcoming such language. Of course, these challenges are no different from the challenges faced in traditional recovery scenarios and should not cause recovery folks to overlook this category of losses for recovery opportunities.

For those fans of '80s movies, the situation of subrogation professionals and recovery personnel venturing into the world of cyber subro is similar to the movie The Karate Kid. In it, Daniel LaRusso, frustrated after getting continuously bullied at school, approaches Mr. Miyagi to teach him karate. Instead, Mr. Miyagi puts Daniel to work painting his house and fence, sanding his deck, and waxing his cars. Eventually Daniel confronts Mr. Miyagi in anger for not teaching him actual karate. However, Mr. Miyagi enlightens Daniel that he was in fact learning the foundational principles (hand and foot movements) of karate through learning the proper procedure to wax the cars, paint the house and sand the deck.

Similarly, most subrogation professionals do not realize that they are fully capable of investigating and analyzing the recovery potential of cyber losses. While cyber losses may appear unknown or scary on their face, the foundational investigation principles are the same as in traditional property subrogation cases. Wax on, wax off, and consider looking beyond the breach for recovery opportunities.

© 2024 ALM Global, LLC, All Rights Reserved.