Subrogation in Data Breach Cases: Vendor Vulnerability and Practical Prevention

“Customer data is often a liability rather than an asset” observed Johns Hopkins cryptographer Matthew Green in a recent tweet. A liability indeed, not only for the corporate victim of a breach, but also for an ever expanding list of potential third party defendants. The collection and retention of vast amounts of customer and user data has become the norm. More often than not, websites will keep all of their customers’ personal information on file, hoping it will stay private and locked away on their servers.

Today, most companies have implemented various cyberdefenses and instituted policies for the collection and storage of data. Many have also implemented protocols for response to a data breach. Due to the attention they have recently focused on this problem, the majority of organizations today actually believe they are less vulnerable to attack than they were three years ago. This confidence, however, appears somewhat misplaced. The incidence of cyberattacks continues to grow at an astonishing rate, increasing 66% year over year since 2009. Every month seems to bring a larger and more audacious attack, from the Sony hack to the sustained OPM breach to the blackmail of Ashley Madison.

These security lapses have proven very costly to business. Aside from the threat of lawsuits brought by disgruntled customers and the incalculable damage to reputation, hacked businesses face the very real and very quantifiable duty to notify customers of lost or stolen information. Notification requirements vary state by state, but in 2013 the average cost of notification per customer was $201, with a total cost per occurrence of $5.85 million. The continued increase in cyberattacks demonstrates that cybersecurity measures are far from flawless. Their great and growing cost gives rise to a host of unsettled legal issues, and also prompts the question: what can be done?

Most businesses have commercial general liability policies to protect against bodily injury or property damage. Hacked businesses initially turned to these existing policies in hopes of finding coverage. Many insurers have vigorously disputed such claims on various grounds, however, including that coverage for damage to property does not extend to damage to electronic property, and that coverage for violations of customer privacy is not triggered where a third party steals customer information.[1]

The results of these actions have been mixed, but many insurers have responded to this litigation by specifically excluding coverage for damage related to cyber events.[2] This gap in coverage is now being filled with a relatively new insurance product: the cybersecurity policy. These policies typically include coverage and defense costs related to network attacks including internal attacks by employees, liability from transmission of computer viruses, unauthorized access, denial of service attacks, and failure to protect personally identifiable information (PII). However, these policies also typically exclude loss due to failure to follow minimum required practices, performance issues caused by the expiration, cancellation, or impermissible modification of software, and losses due to interruption in internet or application services.

With the rapid growth in the issuance of cybersecurity policies and the continued successes of hackers, cyber insurers will be confronted with a leap in the amount of covered cyberattack claims. This will lead to increased payouts to insureds. Currently, it appears that many underwriters are simply pricing the costs of these payouts into their policy premiums. As the cyber security market becomes more competitive, however, we believe insurers looking to minimize their premiums will turn to an old tool to recoup their losses: subrogation.

One of the first instances of a cybersecurity insurer subrogating against a third party is Travelers Casualty and Surety Company of America v. Ignition Studio, Inc. Travelers, as subrogee of Alpine Bank, filed that case in Illinois federal court in January, 2015. Alpine had earlier been the victim of a hack which triggered notification obligations to its customers costing $154,711.34, leading to a claim in the same amount that Travelers paid. In an attempt to recover its payment, Travelers brought suit against Ignition Studios, which developed and maintained Alpine’s website. Travelers alleged that Ignition failed to install sufficient anti-malware software, failed to update its software, failed to maintain adequate encryption of bank customer data, and should not have run the websites of other customers on the same server. The parties settled for an undisclosed amount.

Up until now, litigation involving data breaches most commonly involves customers who are angry at the loss of their personal information. These suits, however, are difficult to win. Often, the customer has suffered no real loss, and only suffers from the fear that his personal information will be used against him in the future. A lawsuit from this customer is vulnerable to dismissal for lack of standing. Some courts have even found that a customer who has expended money on a credit monitoring service following the theft of her information has not suffered an injury in fact and cannot proceed with a suit. Subrogation suits necessarily do not suffer from this problem, and they will likely become the new face of litigation in this area.

This brings us back to the question asked earlier in this article: what can be done? The first step is to determine whether you are a potential target. Any web site developer, webmaster, hosting company and SSL company that does business with an insured can expect to have the performance of its contractual duties scrutinized by an insurer in the event the insurer pays out on a data breach claim. With that in mind, third party vendors should all do the following, and insurers seeking to subrogate against them should check to make sure that they have done so.

1. Understand the Threat
Vendors should maintain a comprehensive understanding of the types of cybersecurity events that have occurred over the previous year. This information should be applied to a total review of their own security protocols on at least an annual basis. At a minimum, it is important for vendors to ensure compliance with the evolving laws affecting their business. Because each state maintains its own laws, if vendors have customers in multiple states, their policies should be guided by the laws of the state that are most restrictive. In addition to protecting the vendor against state fines, this will also make it difficult for a potential subrogee to point to noncompliance with a state law as evidence the vendor has failed to uphold a reasonable standard of workmanship in the fulfillment of its contract.

2. Understand Your Customer
It is imperative that vendors understand the nature of their customer’s business, what exactly they are contracting for, and what their client’s expectations are. Businesses are increasingly employing information security officers. Vendors should find out who their client’s Chief Information Security Officer is, and meet with him. They should ask for and review a copy of their client’s security protocols and customer privacy policies. By understanding the commitments that their client has made to its customers, a vendor is able to better understand their client’s expectations of it.

Over and above contractual expectations, all parties must ensure they understand their contract. A carefully worded contract may include indemnification language that, at best, will shield a party from the cost of litigation (of course conversely, a unilateral indemnification clause may obligate a seemingly innocent party to expend significant costs). Further, clients may consider drafting contractual provisions obligating vendors to obtain cyber insurance policies along with contractually limiting their own liability. Finally, all parties should set specific and measurable obligations at the outset of the contractual relationship. For example, vendors may agree to employ specific antivirus and malware protection firewalls and implement security patches and upgrades within seven days of availability. In short, vendors and clients alike must understand their respective liability at the inception of any contract.

3. Take Precautions
The precautions that a vendor should take will inevitably evolve with their continued review and understanding of current security threats. One good rule that will likely never change, however, is that vendors should destroy customer data as soon as it is practical to do so. After all, what you do not have cannot be stolen. Along the same lines, it is a good practice for vendors to ensure that, from the outset, they only collect customer data that they actually require, and that they only ask for access to information that they require for the execution of their contract. Finally, vendors should refrain from using their own personal electronic devices on their client’s wireless system and clients should ensure wifi passwords are kept secret and updated frequently. Interestingly, a vendor’s use of its client’s wireless system is believed to have led to the recent Target hack.

4. Have a Plan
Hackers are inventive and driven. Even with the best precautions based on the most up-to-date knowledge, hacks will happen. Vendors should therefore develop a clear data breach response plan for when they are involved in a cybersecurity event. It is important that responsibilities are assigned and that each employee knows and understands their assignment. Important responsibilities include identifying and eliminating or closing the source of a breach; liaising with law enforcement; managing public relations; and working with the client to contact affected individuals. As to these last two points, vendors and their clients may want to collaborate to offer affected individuals a free credit monitoring service, which a recent study showed made lawsuits from disgruntled customers six times less likely. Vendors must, however, be sure to properly vet the monitoring agency they hire: the FTC recently brought a complaint against one of the most popular monitoring agencies, alleging that it failed to adequately protect the data of its customers.

Christopher K. Jones is a litigation attorney with the Coverage & Casualty Group of Sands Anderson PC. His practice includes a focus on tech issues, including cybersecurity matters, the development of automated vehicle technology within the transportation and trucking sector, and products liability. Chris has been named a rising star by Virginia Super Lawyers.

David G. Boyce is a civil litigator at Sands Anderson PC. His practice includes litigation related to cybersecurity matters, products liability and premise liability defense, and intellectual property law. David was included in Virginia Business magazine’s 2015 Legal Elite and was named a Rising Star by Virginia Super Lawyers.

[1] Zurich American Insurance Co. denied coverage to SONY in part for this reason, following a claim made by Sony under its CGL policy for the 2011 Playstation hack

[2]The Insurance Services Office Inc. recently revised its standard commercial general liability policy forms to exclude cyber coverage

If you would like more information, please contact our Sands Anderson attorneys.

This article also appeared in DRI and is posted here with with permission.