Potential Barriers and Limitations to Successful Cyber Subrogation

In a previous blog, we discussed “What is Cyber Subrogation?”  This week's blog will focus on potential barriers and limitations to successful cyber subrogation.  While this list is non-exhaustive, it gives an overview to the various barriers and limitations to successful cyber subrogation.  These barriers include (1) contractual waivers and limitations; (2) a lack of clear applicable standards; and (3) the first individuals to investigate the breach or attack are likely the later target defendants, i.e., the fox guarding the henhouse analogy.

1. Contractual Limitations

Because the likely cyber subrogation targets are the various companies that maintain contracts with the insured, a major obstacle will be contracts containing exculpatory language such as waivers of subrogation, indemnification, release, hold harmless, and/or limitations of liability and remedy clauses.  These contracts may even attempt to specifically protect against data breaches by containing indemnification or hold harmless language.  As there are very few cyber subrogation cases in existence, and with the nuances related to cyber losses, it is likely there will be cases in courts that test the viability and validity of these exculpatory clauses.

While analogies may be made to security contracts at a warehouse that has burned after an arson incident, comparable exculpatory clauses contained in cyber security contracts pose unique public policy arguments because these clauses may attempt to protect cyber security companies from their own violations of various data privacy protection statutes.  Common statutes that can be violated include:

a) HIPAA (related to heath information and privacy data);

b) GLB (related to privacy and security standards for financial institutions); and

c) Various state breach prompt notification laws, which require a company who has suffered a cyber-attack to promptly notify consumers (so that they may monitor their credit reports or cancel compromised credit cards) and take appropriate steps to prevent further data loss.

Because cyber losses may involve contractual exculpatory clauses between an insured and a network security vendor or software provider, whether the limitation of liability clause is enforceable varies from state to state.  Generally, unless a provision is against public policy or unenforceable as a matter of law, parties may agree to limit liability for future negligence.[1]  However, these clauses may be found to be unenforceable if: (1) the acts were intentional or grossly negligent; (2) the bargaining power of the parties is grossly unequal; or (3) the transaction involves public interest.[2]

One example of an analysis on the limitation of liability contractual language is Blaisdell v. Dentrix Dental System.[3]  While this case is not a cyber subrogation case, it illustrates the court’s reasoning in holding a limitation of liability clause invalid.  After the plaintiff purchased dental practice management software from Dentrix, a software upgrade by Dentrix erased all of the plaintiff’s patient files.  The court held the limitation of liabilities clauses, which limited the software company’s liability to the dentist in tort to the license fees the dentist paid for the software, was not unconscionable so as to render the clause unenforceable.

On grounds of public policy, parties to a contract cannot generally exempt a seller of a product from strict tort liability for physical harm to a user or consumer unless the exemption term was fairly bargained for and was consistent with the policy underlying that liability, and the dentist was aware of the clause and was aware of the potential for data loss.  Finally, the court determined the software company’s actions in providing and guiding installation of the dental practice management software was not grossly negligent because part of the company’s update procedure was to request confirmation that the dentist had a backup copy of the data.  The dentist’s employee confirmed that a backup was available, and had the backup system been functioning properly, the data would not have been lost.[4]

While the court ultimately found the plaintiff could not prove the defendant acted with gross negligence in this particular case, allowing the plaintiff to invalidate the limitation, the case highlights the hurdle that limitation of liability language can cause in cyber cases and the need to review the pertinent state’s rules for overcoming such language.

2. Applicable Standards

Large loss subrogation professionals must become familiar with a variety of standards as part of determining whether a target defendant breached the applicable standard of care.  In the cyber context, there is not always an applicable code, such as building codes or fire safety standards. Often, the general term “reasonableness” becomes the standard of care when analyzing whether a potential defendant took proper security measures and controls to protect the insured’s cybernetwork.  This reasonableness analysis will typically apply to whether there was reasonable and proper maintenance of firewalls, intrusion detection, passwords, system upgrades, and intrusion protection.

One example of breaching an applicable “reasonableness” standard is illustrated in the case of Cotton Patch Café v. Micros Systems.[5]  Cotton Patch entered into a sales contract with Micros for the purchase of a new server for the POS system in its restaurant.  The POS system Micros sold to Cotton Patch Café contained software version 3.2 which was not PABP validated, a standard promulgated by VISA to ensure hackers could not gain access to the full track data on a credit card stripe.  Whereas version 3.2 was not PABP validated, Micros’ newer version 4.0 was PABP validated.  Since the updated software version was not installed on the Cotton Patch Café POS system, a hacker gained access.  This hacking incident ended up causing Cotton Patch to be fined $227,000 by VISA and MasterCard and Cotton Patch was also required to pay chargebacks of approximately $27,000.

3. First Individuals to Investigate

Lastly, an additional hurdle that may arise with regard to making a recovery is the fact that after a data loss or a cyberattack occurs, the first contact the company will make will be to its own computer network maintenance personnel.  This poses a myriad of problems because this point of contact is likely a potential target defendant.  This can lead to spoliation of the evidence and a variety of other problems.

Thus, overcoming these limitations are crucial to maintaining a successful cyber subrogation lawsuit.  When faced with a cyberattack, it is imperative to contact an expert subrogation professional as early as possible to begin the recovery process.

[1] Allright v. Elledge, 515 S.W.2d 266 (Tex. 1974); Arthur’s Garage, Inc. v. Racal-Chubb Sec. Sys., Inc., 997 S.W.2d 803 (Tex. App.—Dallas 1999, no pet.).

[2] Fox Elec. Co. v. Tone Guard Sec., Inc., 861 S.W.2d 79 (Tex. App.—Fort Worth 1993, no pet.); Mickens v. Longhorn DFW Moving, Inc., 264 S.W.3d 875 (Tex. App.—Dallas 2008, pet. denied)

[3] Blaisdell v. Dentrix Dental Sys. Inc., 284 P.3d 616 (Utah 2012).

[4] See also Cotton Patch Café v. Micros Sys., No. MJG-09-3242, 2012 WL 5986773, at *6 (D. Md. Nov. 27, 2012).  The contractual language is supremely important in determining whether the limitation of liability clause will apply.  Here, Micros contended that recovery on the claims was limited by waiver clauses in the sales contract.  However, by these claims, Cotton Patch was not suing for contractual damages and did not waive its ability to pursue tort claims that related to the sales contract.  The sales contract waiver clauses did not restrict Cotton Patch’s ability to recover on tort claims.

[5] Cotton Patch Café v. Micros Sys., No. MJG-09-3242, 2012 WL 5986773 (D. Md. Nov. 27, 2012).