Target. Michaels. P.F. Chang's. We are hearing more and more the names of major corporations victimized by data breaches. More alarming than the corporate names themselves are the insurance claims, damages and costs associated with a single data breach event.
A 2013 study of the average insurance carrier payout on a data breach claim from that same year (not including the uninsured loss) found that the average claim payout was $954,253. Further, when accounting for pending claims and self-insured retentions that were likely to be associated with claims in 2013, that average insurance carrier payout rose to $3.5 million per claim. Contrast that with figures that put the average homeowner's property damage claim at just over $34,000 for fire, lightning and debris removal claims and approximately $7,300 for water, wind and freezing claims, and we really should be alarmed.
These staggering data breach figures have prompted a growth in this industry for insurance professionals, but we must look beyond the breaches to cyber loss recovery.
Although the initial uncertainty of data breach creates apprehension for the subrogation professional, the principles of traditional property subrogation losses also translate to cyber subro cases. Most subrogation professionals do not even realize that they are already fully equipped to review, investigate and analyze the recovery potential in data breach and cyber subro cases.
The most obvious parallel between traditional property subro cases and cyber losses is an arson case. Both the arsonist and the hacker are committing intentional crimes that cause the loss. Whereas the arsonist is setting fire to a home or piece of property, the hacker is taking down a website, stealing credit card data or crashing a server. Further, from the recovery perspective, both the arsonist and hacker are often not viable sources of monetary recovery. As a result, the traditional subro professional understands that with arson cases the subro potential lies with third-party spread theories or security issues. Was someone responsible for protecting the property against the arsonist or other criminal break-in, or otherwise responsible for the fire spreading further than it should have?
In cyber losses, the same security and spread theories are at the heart of the analysis. Whose job was it to protect the data/network from the hacker? Did some other party or vendor's work make the system more susceptible or open to access? The answers to these questions invariably lead to the network maintenance company, security vendor or software and hardware companies and whether their levels of protection met the standard of care.
The Investigation Process
Let's turn to the investigation stage that reveals parallels to the traditional subrogation investigation.
Evidence preservation: The first thing a subrogation professional asks when receiving a new subrogation case (beside how big is the loss), is "where is the evidence?" The viability of a case diminishes greatly if the evidence is not properly documented and preserved immediately after a loss. The same evidence preservation principles apply to cyber losses. The duty to preserve attaches when a party should have known that the evidence may be relevant to future litigation. As a result, it is important to work with the insured and retained expert immediately on what evidence needs to be gathered and saved, be it corrupt hard drives or forensic screen images.
Notice: Traditional subrogation principles call for putting the potential defendants on notice, including allowing for a scene examination where feasible. Similar notice letters should be sent in cyber subro cases. Whereas the common defendants in traditional subro cases may be product manufacturers, contractors, installers and service companies, the common parties to put on notice in cyber losses are the third-party network company, security vendor, and software company that either did not protect the insured's system from the hacker or provided the software that allowed the hacker access. And there is always the possibility that a third party wholly unrelated to the system compromised its security, such as a party that negligently causes a power outage leading to the shutdown or compromise of a server or network security system.
Expert retention: Most subrogation professionals have a quick and dirty list of preferred experts in their respective regions so that they can immediately get experts on scene or at an evidence examination. Traditionally this included fire cause and origin experts, mechanical and electrical engineers and metallurgists/material scientists. With the growth of cyber losses, subrogation professionals need to look to add a new category of experts: forensic data breach experts specializing in data recovery, network security and industry standards for these fields.
Applicable standards: All subrogation professionals have had to become familiar with an assortment of standards as part of the analysis of whether the target defendant breached the standard of care. Often these codes have been around for decades, built upon year after year. Conversely, the cyber world is much younger and may not have an applicable code. Often the general term "reasonableness" becomes the standard of care when analyzing whether the potential defendant took proper security measures and controls to protect the insured's network. This includes whether a reasonable level of security was provided through encryption, passwords, firewalls, system upgrades and intrusion detection/prevention systems.
One example of breaching an applicable standard was illustrated in the case of Cotton Patch Café v. Micros Systems (Texas). In that case Micros sold Point of Sale (POS) systems to restaurants for sale transactions. The POS system that Micros sold to Cotton Patch Café contained software version 3.2, which was not PABP validated. PABP stands for Payment Application Best Practices, a standard created by VISA to ensure hackers could not gain access to the full track data on a credit card stripe. Micros' newer version 4.0 was PABP validated. Because the updated software version was not installed on the Cotton Patch Café POS system, a hacker was able to access the credit card information of Cotton Patch Café's customers.
In addition to the importance of determining if proper software and security standards are being met, the case highlights the potential for third party liability in cyber losses. Thinking in terms of traditional recovery cases, this analysis is not much different from exploring recovery against a party who installs a new mechanical system in a commercial building using an older version of a code or standard that does not include new requirements for installation and testing before the system is placed into service. Whereas the hacker, like the arsonist, may not be a viable source of recovery, subrogation professionals should consider whether the computer product/software supplier or network security company fell below the standard of care which allowed the criminal act to occur.
Contractual issues: There are few things more frustrating to a subrogation professional than having conclusively identified a defendant as the cause of a property loss, only to be faced with a potential bar to recovery due to a contractual defense. Cyber losses may involve contractual limitations of liability in the insured's contract with network security vendors or software providers. Whether the limitation of liability is enforceable is often a state by state analysis.
For example, in Blaisdell v. Dentrix Dental Systems (Utah), after the plaintiff purchased dental practice management software from Dentrix, a software upgrade by Dentrix erased all of the plaintiff's patient files. The plaintiff was able to establish that the incident was caused by Dentrix's update, but the defense asserted that the limitation of liability language in the software purchase contract (not liable for consequential damages) protected it from liability. The Court ruled that the limitation of liability contractual language would not be enforceable if the defendant engaged in "gross negligence." While the Court ultimately found that the plaintiff could not prove that the defendant acted with gross negligence, the case highlights the hurdle that limitation of liability language can create in cyber cases and the need to review your state's rules for overcoming such language. Of course, these challenges are no different from the challenges faced in traditional recovery scenarios and should not cause recovery folks to overlook this category of losses for recovery opportunities.
For those fans of '80s movies, the situation of subrogation professionals and recovery personnel venturing into the world of cyber subro is similar to the movie The Karate Kid. In it, Daniel LaRusso, frustrated after being continuously bullied at school, approaches Mr. Miyagi to teach him karate. Instead, Mr. Miyagi puts Daniel to work painting his house and fence, sanding his deck, and waxing his cars. Eventually Daniel confronts Mr. Miyagi in anger for not teaching him actual karate. However, Mr. Miyagi enlightens Daniel that he was in fact learning the foundational principles (hand and foot movements) of karate by learning the proper procedure to wax the cars, paint the house and sand the deck.
Similarly, most subrogation professionals do not realize that they are fully capable of investigating and analyzing the recovery potential of cyber losses. While cyber losses may appear unknown or scary on their face, the foundational investigation principles are the same as in traditional property subrogation cases. Wax on, wax off, and consider looking beyond the breach for recovery opportunities.