Here is how it is supposed to work. Something bad happens. Your insurance company pays for it. Then, your carrier sues the bad guy who harmed you. That’s subrogation.
In the data breach context, this timeless construct presents numerous challenges. The most notable is the difficulty associated with finding the bad guys. But that isn’t your problem.
The contract you have with your data hosting service, credit card processor or other vendor, on the other hand, might very much be your problem. You probably pay a monthly fee. Depending on the size of your company, that fee is probably a modest amount. For smaller organizations, it might only be $20 or so per month. Now, consider what this vendor is holding – all of your data. Yikes.
Not surprisingly, vendors look to limit exposure in data breach scenarios. They do this in a variety of ways, but perhaps the most basic is the limitation of liability provision. A typical clause might say that the vendor’s liability is limited to the fees that you paid in the year preceding the incident. On the heels of a massive data breach, your vendor might only owe you $240 (if you take our small company example). Luckily, you have cyberinsurance. The carrier pays the thousands, hundreds of thousands or even millions of dollars that it takes to straighten everything out. Unless…
Some policies contain language prohibiting insureds from impairing insurers’ subrogation rights – i.e., from entering into a vendor contract with a limitation of liability provision. The reason for this clause is that when the insurance company steps into your shoes and sues the vendor to recover what it has paid on your claim, it generally doesn’t like to be limited by your contract to, say, $240. This can be grounds for disclaiming coverage.
The solution is a partial waiver of subrogation in your policy. This provision prevents the carrier from denying coverage on the grounds that its subrogation rights were impaired by any contract that predates the incident. There are carriers that are willing to incorporate this provision, and given the increasing reliance on the cloud, this provision should become standard. Until then, ask and ye might receive. Or ye might shop elsewhere.