Here is how it is supposed to work. Something bad happens. You’re insurance company pays for it. Then, your carrier sues the bad guy who harmed you. That’s subrogation.
In the data breach context, this timeless construct presents numerous challenges. The most notable is the difficulty associated with finding the bad guys. But that isn’t your problem.
The contract you have with your data hosting service, credit card processor or other vendor, on the other hand, might very much be your problem. You probably pay a monthly fee. Depending on the size of your company, that fee is probably a modest amount. For smaller organizations, it might only be $20 or so per month. Now, consider what this vendor is holding – all of your data. Yikes.