It was just a matter of time. As cyber-attacks rose and the data security breaches became increasingly devastating to businesses and individuals, cyber breach insurance became more prevalent. And where insurance appears, subrogation recovery follows.
We have not seen an overwhelming number of cyber claims or lawsuits filed – yet. One of the main lawsuits filed involves a claim for $154,711.34, brought by Travelers Insurance as the insurer of Alpine Bank. Alpine Bank incurred over $150,000 in costs associated with notifying its customers of a security breach that occurred while Ignition Studio, Inc. was under contract to design and service the bank’s security system. Travelers alleges that Ignition failed to perform basic updates to the security system or place basic anti-malware software on the bank system server. Following the security breach, Travelers paid Alpine Bank under its insurance policy. The claim was likely covered by a clause similar to the following common policy language which states in part:
Alpine Bank got off relatively easy, as did the defendant security provider, which settled this claim well before it ever got to trial. Cyberattacks are becoming increasingly costly, with an estimated 300 million records leaked and over $1 billion stolen in 2015. Not surprisingly, this loss totaling less than $155,000 settled before really being litigated. The docket shows that the complaint was filed on January 21, 2015, and that a motion to dismiss for failure to state a claim was denied as moot, likely because the matter was settled for an undisclosed amount in April 2015. As a result, we unfortunately do not have much judicial reasoning to look to for future cases.
However, many of the same lessons found in a run-of-the-mill subrogation case for negligent service or a faulty product will apply in cyber cases. To secure recovery, an insurer will still need a defendant that has liability insurance to cover negligent cyber security service/software or has sufficient assets to pay for the damages arising out of the cyberattack. The insurer will also have to demonstrate that the cyber security company failed to follow the basic standard of care for the industry (which is continuously evolving) or otherwise breached the security contract.
Additionally, the insured has to be fault-free in some jurisdictions, or at least less than 51% responsible for the harm in others. This means that an insured company that provides no training to its employees about the danger of opening spam or downloading malware may destroy its insurer’s subrogation case before the case even starts.
Had Travelers’ case been larger, the outcome may have been very different. On one hand, Travelers may have had to deal with a defense that the insured never told bank employees not to open strange emails. Alternatively, Travelers may have secured a verdict for its damages, but faced the possibility that it would not collect because there was no insurance and the security company was bankrupted by the claim. We do not know for sure how this case would have turned out if there had been more at stake. But we do know with absolute certainty that more cases are coming.
Lastly, we would be remiss if we did not mention that the expected rise in cyber-related losses will be influenced by the Internet of Things. Currently there are 8 billion devices connected to the Internet. By 2020, that number will rise to over 20 billion and continue to grow exponentially. As more devices, computers, cars, homes, businesses, etc. become more interconnected, the potential for cyber-related claims (and corresponding negligence lawsuits) arising from a party’s failure to act reasonably to protect against a breach will increase. Further, as the Internet of Things grows, we will owe a greater duty to our “network neighbors” to act reasonably to protect the network so others on the network don’t get hacked.