By Yanai Z. Siegel, Esq.
The call comes in, the incredulous shout of anger and dismay follows, and an alert goes out company-wide to stop using your computers RIGHT NOW, do not log off, do not close anything, just hands off the keyboard and mouse until instructed otherwise.
You have a data breach.
The hardcopy of the response plan gets pulled out of the safe (“stay off the computer, remember?”), the authorities are notified, your data forensics company is on its way, and your data breach response team is convening in the conference room. Two pots of decaf are on the burners there, three pots of regular coffee, and lunch is ordered by cell phone (“stay off the computers!”) and will arrive shortly. Management is already there, as are Operations, Finance, Public Relations and Accounting, while Legal Counsel is still in transit. Who else is missing from your team, though? A subrogation specialist.
Data breach response resembles a conventional crime scene response in many ways: cordon off the perimeter, determine whether the culprit is still inside it, collect and preserve the evidence before analyzing it, find and close the breach, notify the victims, and then brace for the aftermath. The lack of tangible physical evidence poses additional difficulty, of course, which is why the “hands off the keyboard” instruction matters: volatile evidence such as running processes, open sessions and logs can be lost by a well-meaning reboot or logoff.
Recovering the costs of the data breach response and related damages from the culprit is unlikely. Presuming that the culprit can even be definitively identified, he, she or they may be well beyond U.S. law enforcement’s jurisdiction, and if caught will likely not have recoverable assets sufficient to make much of an impact.
What else can you do? Insurance helps of course, but what if you could do more?
Suppose we change the data breach analysis focus from “Crime Scene” to “Accident Scene”? In an accident scene the need to identify potentially responsible parties, and to gather and preserve evidence to support claims against them, is much more readily apparent.
Corporate computer systems rely almost entirely on a web of third-party service providers in addition to any hardware and software assets onsite. Those service providers (internet service providers, credit card processing services, computer maintenance and repair, and cloud service providers, among others) are all under contract, with varying levels of assurances and provisions for indemnification and damages in the event of negligence or intentional acts.
Formulating an effective data breach response plan includes reviewing this array of relationships to develop lists of stakeholders and contacts, and developing system operations maps that show how daily business operations are conducted and which providers touch which data, so that the investigation of where and how a breach could occur has somewhere to start.
Reframing the scope of data breach response planning to include a cost recovery context, and to support a recovery-focused investigation, may reduce the net cost of a breach.
A cost recovery subrogation specialist could review those same contracts to establish the scope of responsibilities, risk allocation and recovery provisions across these service providers. When a breach occurs, the breach response team can then make better informed decisions about the consequences of waiving potential liability of certain service providers in exchange for their active assistance in identifying and closing the breach. As a member of the actual breach response team, such a specialist can advocate for preserving cost recovery options in the decisions the team makes in real time.
As part of your data breach response plan preparations, you should already be collecting and reviewing your client’s third-party computer service providers’ contracts. A small expansion in the scope of a review you are already conducting may make a significant difference to your client, both in service agreement negotiations (by providing a better context for indemnification provisions) and in the ultimate net cost to the client in the event of a breach.
By including a cost recovery context in your data breach preparations, vendor contractual indemnifications can be placed in context more clearly, driving better waiver decisions in real time during an actual breach response.
Yanai Z. Siegel is Of Counsel for Shafer Glazer, LLP, a Member Law Firm of Your House Counsel®, a national consortium of insurance and corporate liability defense law firms. Yanai is also Co-Chair of both the Corporate Counsel and the Cyber Liability and Data Privacy Practice Groups of Your House Counsel®, and is a member of the Pennsylvania Bar Association’s Cybersecurity and Data Privacy Committee. This article is ©2018 by the author, all rights reserved, and published herein with permission.