Cyber Loss Subrogation – Recovering Technology and Data Breach Losses.
Steve Vondran, Esq. is a litigation attorney with offices in CA and AZ handling insurance subrogation cases in the southwest and west-coast pacific region. He is a former legislative analyst for the identity theft resource center in San Diego, and a former data Privacy Consultant with Experian working within the data integration technology division. He has also served as an internet marketing and product manager for Timeledger.com, a web based software company (SaaS / ASP), and has developed two software programs through association with high level programmers. He is former elected counsel to the Arizona State Bar intellectual property section, member of the international trademark association, and AIPLA.
Introduction – Digital Risks.
Today, most companies are online and connected digitally to the world. While being “digitally connected” has many advantages as far as brand building and eCommerce is concerned, there are also many pitfalls of doing business online such as:
1. Brand tarnishment issues (ex. online defamation, breach of consumer data);
2. Domain name disputes (ex. cybersquatters seeking to profit off a companies brand / trademarks);
3. Data privacy breaches (ex. computer hackers that intrude into your networks exposing/stealing customer data, exposing corporate emails, and possibly uncovering and exposing corporate trade secrets, or negligent network security maintenance that leaves networks exposed to outside third party threats such as hackers).
As many cyber-security professionals say: there are two types of companies, those whose networks have been breached and those who don’t know that there networks have been breached. For example, even companies and institutions like Microsoft, the Pentagon, and even the NSA have experienced network breaches. The digital world is definitely not as secure as most people might think. Digital risk has to be managed on a daily basis and requires the hard work of internet data privacy and security professionals and vendors.
4. Copyright infringement (ex. competitors stealing your digital content, re-working it and posting it on their website)
5. Problems associated with rogue or disgruntled employees (ex. theft of hardware, unlicensed use of software, theft of corporate trade secrets)
6. Problems/ damage to information networks caused by viruses, malware, or defective software;
7. Lost back-up tapes, lost memory sticks, erased magnetic information.
These are just a few examples of “digital risk“areas that companies may seek to insure against with a cyber-loss insurance policy (“CLIC” – Cyber-liability insurance coverage). Cyber liability insurance can help protect valuable corporate information assets, and help protect your brand where a “social-media-firestorm” (i.e. the “law of the press”) can threaten to seriously damage or possibly bankrupt your company.
Typical types of insurances losses insurance carriers might payout under a CLIC policy.
The following are several types of losses that might be covered under a wide variety of digital risk management and cyberloss insurance policies offered in the marketplace:
1. Cyber investigation expenses
2. Damages due to rogue employees
3. Costs to lease equipment
4. Coverage of regulatory fines, fees and penalties
5. Payment of credit monitoring expenses
6. Disclosure of trade secrets
7. Cyber-extortion insurance coverage
8. Breach notification expenses (costs to comply with breach notification laws)
9. Mental anguish resulting from data privacy breach
10. Other actual damages flowing from the incident (ex. legal fees, hardware loss, counseling, forensic costs, brand damage, loss of stock value, loss of business, crisis management costs, marketing and PR costs, defacement of website).
Data Privacy laws that could be violated in a computer hacking or data breach incident.
There are numerous state and federal privacy laws on the books. Here are the top four state and federal privacy laws that might be invoked in a data breach internet privacy case.
1. Violation of HIPAA (data privacy privacy and security standards)
2. Violation of GLB (Gramm Leach Bliley Act (“GLB”) privacy and security standards for financial institutions)
3. Violation of COPPA (Childrens online privacy protection act)
4. State breach notification laws.
Again, these are just the main laws that come into play where you have a medical or financial services company that experiences a security breach.
Cyber loss insurance cases should be pursued just like property loss subrogation (ex. just like a fire or arson case).
Technology related losses may be a little intimidating as it is literally a “digital jungle” out there and there are so many different types of software products, vendors, integration issues, etc., but I would propose that a cyberloss subrogation case should be handled like any other insurance subrogation matter.
For example, the steps to investigate, preserve evidence, identify theories of liability and potential defendants would basically be the same, for example, as pursuing a homeowner’s property damage subrogation claim (ex. damage to residential or commercial property due to fire, water, defective furnace, toaster, alarm, or sprinkler sytem, etc):
1. Prompt notification (put all potential defendants on notice so as to preserve the evidence and avoid a spoilation motion);
2. Thorough investigation , (immediate investigation of the site to obtain pictures, photos, documentation, conduct interviews, etc.);
3. Retention of necessary and qualified computer and forensic experts (retain appropriate computer forensics and date breach experts to determine the cause of the incidence and determine damages)
4. Preservation of all critical evidence, (properly documenting proper chain of custody for evidentiary purposes at trial);
5. Review of all relevant documents (including subrogation waivers / contractual indemnification clauses / cyber policies, etc.);
6. Pursue pre-litigation settlement negotiations with potential defendants;
7. File a civil lawsuit (for cases that cannot be settled at proper amounts).
In short, a cyber insurance loss should be treated the same as any other insurance loss. Taking the prompt steps early in the case, and involving your subro counsel could make the difference between recovering money for the carrier or just simply closing the book and writing it off.
Types of computer & forensic experts you might retain in a cyber loss insurance subrogation investigation case:
The following are some of the common credentials you might look for in determining the property technology forensics expert to retain in your case:
This is just a short list of the types of forensic data breach experts that can help analyze data recovery, network security, and industry standards of care.
Possible Defendants in a data privacy breach or Cyber-loss insurance subrogation case.
While every stone must be unturned in an attempt to identify potential subrogation targets, here are a few types of potential defendants that could surface:
1. Data centers and internet service providers (ISP);
2. Web hosting companies;
3. Internet network security companies (ex. cyber-security companies);
4. Negligent software consultants;
5. Parents that know of their kids computer hacking activities and do nothing about it / aid and abet);
6. Technology vendors and service providers.
Cyber loss subrogation resources
Contact a southwest cyber-loss insurance subrogation law firm.
Our law firm is aggressive in pursuing insurance subrogation losses due to fire, water and product defect losses and we can handle cases involving property damage, real estate broker errors and omissions subrogation, and cyber loss insurance losses. We have very flexible contingency fee arrangements
designed to help our insurance carriers keep more money in both small and large loss cases. We are an experienced litigation firm, give us a chance to discuss our insurance subrogation services
and to quote out your case. We can be reached at (877) 276-5084, or fill out the contact form below to have one of our insurance subrogation lawyers contact you, usually within the hour.