Investigating subrogation claims for property damage involves assessing a handful of key elements: (1) identifying the cause and origin of the loss; (2) ascertaining third-party targets; and (3) assessing whether a viable claim and recovery exists against those targets. The third element takes many forms, including determining the applicability of state laws to the third party’s actions and examining similar cases that touch upon various legal issues, such as negligence, breach of contract, and strict products liability.
Assessing subrogation cyber claims follows the same pattern. Currently, the law supporting private causes of action for cyber-crimes is less prevalent, despite the tremendous growth in society’s reliance on electronic communications, banking, and services. While this can create some confusion on whether there is a viable avenue for recovery, we are also facing an exciting moment in time where we are playing a small role in creating new law in this area.
Courts are commonly addressing issues with data breaches as we see large corporations fall victim to hacking schemes. All 50 states have enacted laws requiring that those collecting, using, or managing personal information must provide reasonable notice to those affected. Further, states like California and Oregon impose additional requirements. For example, California requires connected device manufacturers to take steps to ensure the security of devices and the information they contain. Oregon requires that organizations take reasonable data security measures that include specific administrative, physical and technical safeguards.
But most states have yet to pass specific laws directed to small businesses, such as vendors, who experience small-scale spoofing, phishing or hacking that causes insureds to experience large financial losses. In the absence of guidance, few courts have taken up the issue, and where it is addressed, courts have to rely on codes and statutes that are becoming outdated in the cyber realm.
A thorough subrogation investigation of a cyber claim looks at all potential third-party targets and asks whether the breach could have been prevented by a system upgrade, whether a party was required to use a secure server for emails, or whether a vendor had or should have had notice of the potential hack before it occurred and failed to notify the buyer. It also requires investigation into whether an IT vendor was contracted to service the company at any time. Further, in seeking a standard to follow, banks and other large entities are requiring security measures like two-factor authentication in their own business dealings, so should vendors be held to the same standard? For now, adopting a reasonableness standard of care, or viewing breaches of contract under the scope of the common-law duty of other individuals in the same field, will likely be the pathway for new case law and for understanding the options in pursuing subrogation cyber claims.
Cozen O’Connor’s Subrogation group effectively handles these complex claims and our Cyber Solutions & Data Strategies group can work with clients and vendors on their own cyber security needs.