The Target compromise also raises the question of how to decide who is liable. In the Target case, is it Target itself, the payment transaction and outsourced processing platform, the supply chain supporting the ecosystem, or Trustwave, the managed security services provider that was the outsourced provider of security services?
To address this challenge, the portability and independent verification characteristics of KSI can be leveraged to authenticate and verify the veracity of financial transaction systems, payment platforms, supply chains, and their associated distribution networks and service providers.
What this means: in the event of a compromise, Guardtime’s third-party verification service can be used to establish who was responsible for the compromise, with forensic traceability that can be independently verified by any auditor, regulator or law enforcement agency.
Here we focus on post-breach short term and long term verification measures.
Post Breach: Short Term Forensic Analysis
The single most important thing to know post-breach is what happened, and when. You cannot decide liability and provide insurance unless you can verify what happened. In insurance terms this is known as “forensic proof of causation.” KSI enables an investigator or auditor to verify the extent of a breach independently of the insured party and the ecosystem of partners with whom they interact.
Post Breach: Long Term Subrogation and eDiscovery
Subrogation is the action taken by an insurance company to recover claims it has paid out from other parties that may have been liable for the claim. In the motor and shipping business this is the third party responsible for an accident or event, with recovery of salvage costs from the event. In cyber liability this will be the third-party vendors involved in the cyber process. In the Target case there is no doubt that subrogation lawyers are looking at everyone and anyone involved to see who they can pin claims on. The targets for subrogation lawyers are network maintenance and security companies, software and hardware companies, website and security vendors, and data backup providers and outsourcers, with triggers including:
- Standard negligence or gross negligence
- Breach of contract – indemnity agreements and service contracts
- Credit card association network agreements
- Indemnity from the vendor who issues the credit cards
- Breach of express warranties (a statement about product quality made by the manufacturer, and about the quality of services offered in the market)
- Breach of implied warranties or assurances
- Negligent misrepresentation
- Fraud by non-disclosure
- Deceptive trade practices by vendors claiming compliance with PCI-DSS (payment card data security) or PA-DSS (payment application best practices)
- Fair trade misrepresentation – for example, breaching the PCI-DSS standard on a point-of-sale system: the vendor promised something that was not delivered to the standard
Subrogation is affected by cyber underwriting. Clauses such as limitation of liability, waiver of subrogation and limited warranties may not be the best underwriting practice, and education is required to assess the correct claims and choose the proper targets. Relationships between insureds and their vendors also need to be considered prior to subrogation.
In summary, we can expect the number and cost of data breaches to rise steadily. Guardtime’s third-party verification (TPV) service pinpoints liability, protecting companies like Target and ensuring that insurance companies can issue policies backed by forensic proof of causation.