Blog

Who’s to Blame for Breaches? Lawyers May Strike Gold When the Fighting Starts

Ara Trembly
Insurance Experts' Forum, January 28, 2010

When criminals steal $800,000 from a company, we normally see the company as the aggrieved party, but recent events may be signaling a spate of legal action that seeks to penalize victims who aren’t up to snuff on security.

As reported on the Krebs on Security Web site, a bank in Texas is suing a customer victimized by an $800,000 cyber-theft incident. While many companies have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim, said Krebs.

According to the report, both the victim corporation—Plano-based Hillary Machinery Inc.—and the bank, Lubbock-based PlainsCapital, agree that in November 2009 cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of Hillary’s account. PlainsCapital managed to retrieve roughly $600,000 of that money. The bank, however, sued Hillary on Dec. 31, 2009, citing a letter from Hillary demanding repayment for the rest of the money, and alleging that the bank failed to employ commercially reasonable security measures. The lawsuit asks the U.S. District Court for the Eastern District of Texas to certify that PlainsCapital’s security was, in fact, reasonable, and that it processed the wire transfers in good faith. The documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.

This got me to thinking about what would happen in a similar situation if, for example, hackers used an insurance customer’s password to compromise an insurer’s systems, then stole valuable personal or financial information that was later sold or used in a criminal manner. Who is to blame then? Is it the insurer for not having adequate security safeguards on its networks; or is it the customer for not having enough security on his home or business computer? Where is King Solomon when we need him?

One would think that insurance companies would be in no hurry to sue their valued business customers, but on the other hand if the business loss were significant enough, maybe they would take a shot at blaming the victim. Such a case would be widely publicized, however, and I find it difficult to believe that an insurer would want to be seen as trying to foist blame on its own customers. If I were one of that insurer’s other customers, I would certainly be calling my broker or agent in a heartbeat to change carriers.

And what about insurers who include cyber-theft as part of their business interruption coverage? Might they be tempted to preemptively sue their customers who file claims, alleging that the theft took place because the customer didn’t have the latest security measures in place? It could happen, and that’s why the resolution of the Texas case could have repercussions far beyond the Lone Star State. For the first time, it seems, courts are being asked to define exactly what constitutes adequate systems security. Yet I wonder whether most courts are equipped with the knowledge and expertise to make such a judgment—and how such judgments would hold up over time given the rapid advances in security technology.

One thing I would wager on, however, is that there will be appeals and appeals of appeals of such decisions. This augurs very well for attorneys who argue such cases, but it could mean a boatload of trouble and expense for a number of parties, including insurers, agents, brokers, insureds and even the security companies themselves.

Fasten your seatbelt and keep your hand on your wallet. This promises to be a long and bumpy ride.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

The Good, The Bad and The Ugly Of Enterprise BI

When IT can't deliver, business users build their own applications focusing on agility, flexibility and reaction times.

The IT-Savvy 10%

IBM survey reveals best practices of IT leaders.

The Software-Defined Health Insurer: Radical But Realistic?

Can a tech startup digitally assemble the pieces of a comprehensive, employer-provided health plan?

Data Governance in Insurance Carriers

As the insurance industry moves into a more data-centric world, data governance becomes more critical for ensuring the data is consistent, reliable and usable for analysis.

Fear This

Just days before this Issue, which contains our security cover story, went to press, we got some interesting news: 1.2 billion unique usernames and passwords and 542 million email addresses were reportedly stolen from 420,000 websites, according to The New York Times. The websites ranged from Fortune 500 companies down to small online retailers.

Should You Back Up Enterprise Data to the Cloud?

Six questions that need to be asked before signing on with an outside service.