A new 2022 report reveals a massive spike in litigation involving insurance coverage and claims and advises insurance companies to “be prepared by increasing resources both in-house and outside counsel.” The report, entitled “Insurance Litigation Report,” was issued by Lex Machina, a Silicon Valley-based SaaS company that helps lawyers pinpoint litigation trends. It includes an analysis of federal district and appellate court data and highlights several trends which it says “should be of concern to insurers and their attorneys.”
Insurance litigation is up 47% from 2017 to 2021, according to the report. The report was generated with data from Lex Machina’s Legal Analytics platform, using machine learning and technology-assisted attorney review. It covers case filings, the top district court and appellate venues, the most active judges, timing, case resolutions, and rulings. At the same time, insurance companies and their insureds are looking to subrogation efforts to help recover large loss payments, reimburse large deductibles, and hold down experience mods and future premiums.
During the five-year period covered by the study, it was also found that approved class action settlements accounted for most of the damages awarded, some $657 million. Insurance companies themselves have been thrust into the forefront of a tsunami of cyber attack class action suits, forcing them to be very particular when hiring subrogation counsel in order to maintain the security of confidential and private health information. This comes at a time when finding qualified and experienced subrogation counsel who have made a substantial investment in cybersecurity is harder than ever. Insurance companies are now reluctant to entrust claim files and sensitive claim information to lawyers practicing from their back bedrooms. The message to insurance companies is, “Be afraid; be very afraid.”
Cyber attackers have actively begun turning their sights on insurance companies and law firms. Trial lawyers go where the money is. Federal and state regulators are increasingly bringing enforcement actions against companies that suffer data breaches. Under the Federal Trade Commission Act, the FTC has asserted broad authority to initiate enforcement actions based on a company’s alleged failure to safeguard personal information and related deceptive practices. The FTC is aggressively pursuing legal actions against companies and financial institutions that have violated consumers’ privacy rights, misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury. It is a sign of our times, and there will be a price to pay for insurance companies that are not paying attention.
There was a time when insurance companies, third-party adjusting companies, and subrogation vendors all chose subrogation counsel solely based on their expertise and the subrogation results they could produce. Some chose the lowest bidder. Oh, how times have changed. Data breaches and privacy issues can lead to unplanned expenses, business disruptions, regulatory enforcement actions, and even lawsuits. When one deals in medical and health information, safeguarding protected health information (PHI) and maintaining a high level of cybersecurity has climbed to the top of the list of concerns when choosing outside counsel.
Today’s digital and tech-controlled world is expanding at the speed of light, and the issues of privacy, HIPAA compliance, and data security are rife with legal implications for the unwary insurance company or third-party adjusting firm. Companies have a legal duty to rise to meet the many challenges posed by a demanding modern digital marketplace, including protecting personal information, securing proprietary data, stopping cyberattacks, and managing electronic files. But they also have a practical obligation to protect themselves in the event of a breach. Even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity is only as secure as the weakest subrogation vendor or law firm it utilizes. Today, it is as important to ascertain that a subrogation law firm is secure and compliant as it is to confirm that it is successful.
As insurance companies scramble to secure the most qualified and most secure insurance litigation counsel, due diligence and prudent risk management dictate that insurance companies ask ten questions of their outside insurance litigation counsel and insist on complete and verified answers:
- How do you approach Cybersecurity Risk Management throughout your organization?
There are a lot of security policies, tools, and procedures that a company can implement. Most breaches that have made the news recently involved companies that had security initiatives in place. Unfortunately, those initiatives were aimed at the wrong risks. A robust risk management program must be driven from the executive level and must require that risks are identified, safeguards are evaluated, and solutions are put in place to mitigate those risks. Everything starts here. The answer to this question should include a list of identified risks and the key initiatives specifically designed to protect your data against them.
- What Cybersecurity Framework are you using to evaluate your organization?
Several frameworks provide listings of critical cybersecurity controls. Some frameworks focus on specific kinds of data, like payment card data (PCI DSS); some are internationally recognized certification standards (ISO/IEC 27001); and others are designed to be tailored to the organization (NIST CSF). A framework is essential to gauge how closely an organization’s practices align with current best practices. If there is a deviation from the chosen framework, the law firm should be able to explain how its risk management approach justifies not implementing that control. The NIST Cybersecurity Framework (CSF) is recommended because it is organized around outcomes, provides implementation tiers for gauging rigor, and aligns with business and risk objectives.
- What access do you have to cybersecurity expertise and is cybersecurity given regular attention during board meetings?
The threat landscape is a moving target, always changing. Unfortunately, many firms approach cybersecurity as a one-and-done exercise. If your firm takes cybersecurity seriously, it will have regular access to qualified cybersecurity consultants who provide audits, penetration tests, training, and briefings on the current threat landscape, and the results will be reported to firm leadership. Does your legal team take cyber awareness seriously?
- Do you provide specialized cybersecurity training for your staff with a focus on protecting sensitive or regulated data and incorporating continuous reinforcement?
Many companies are purchasing simple online security training. These programs often consist of an annual review that takes less than an hour. If training is going to transform the culture of the company, it needs more than that: specialized sessions on protecting PHI, and reinforcement throughout the year. We have all been to a seminar only to forget most of it within a week. You can evaluate a firm’s concern for cybersecurity by its commitment to ongoing reinforcement training. Ask for specifics.
- Do you have adequate anti-exploit protection in place for all endpoints?
Every computer that connects to your network is a potential entry point. If a user browses to a malicious website, clicks on a phishing email, or inserts a compromised flash drive, you can assume that computer is now compromised, and an attacker can use it to steal credentials, phish other employees, and capture network data. It is essential that every device has protection that recognizes both known threats and malicious behaviors. The anti-malware protection installed can be evaluated based on 1) how thoroughly it scans the system, 2) how quickly it can react to a perceived threat, and 3) its ability to restore the system to a known good state.
- Is your network protected with content filtering, URL filtering, and a properly configured firewall with regular review?
While it is important to protect every computer, the rest of the network infrastructure must not be neglected. Like the walls of a castle, controlling the flow of traffic across the network helps in detecting intrusions and provides another defense layer. Traffic entering and leaving through the firewall should have its URLs and content reviewed to identify malicious activity. A firewall should drop all traffic arriving from the outside unless it is a reply to a connection initiated from inside, or is covered by a documented, thoroughly vetted exception, and the rule set should be reviewed regularly so that stale exceptions are removed.
- Is your staff required to use end-to-end encryption when working remotely?
Legal staff will need to access sensitive data while in a courtroom, during interviews, or when carrying out other activities that take them off-site. They will be working over networks that are not managed by the firm’s cybersecurity team. Does the firm have a policy and plan that requires data to be encrypted in transit (for example, through a VPN or TLS-protected connection) from the law firm’s systems, across any intervening networks, onto the legal staff’s computer and back?
- What is your process for monitoring the reception, storage, and destruction of sensitive data?
Data that is unmanaged is data that will be compromised. There should be safe mechanisms in place to receive, store, and adequately destroy any sensitive data collected before, during, and after a legal proceeding. Data access should be logged and monitored.
- Do you have controls, encryption policies, and tracking for all removable media?
The standard policy should be to require that data is stored only in approved storage within the company’s protected network. If an exception is needed, it should be justified in writing, tracked, and encrypted throughout the process. Finally, there must be a secure way of destroying the data once the media is returned.
- Have you performed a gap-analysis on your cybersecurity insurance?
During a breach response, cybersecurity insurance should provide funds to cover forensic analysis, recovery, and even litigation. But cybersecurity insurance is still a maturing product, and policies have not fully settled on coverage amounts or exclusions. As coverage disputes are litigated, it is becoming clear that many companies have gaps in their ability to draw upon funds when they are most needed. It is crucial that the firm you are relying upon to protect your data has the means in place to respond if required.
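The firewall question above asks for a default-deny inbound posture with vetted exceptions. One concrete way to check that during a vendor review is to audit the firm’s firewall rule export rather than take a verbal assurance. The script below is an added example written for this article, not something from the report or from any firm mentioned; it parses two constructed iptables-save style rule sets (a weak one and a hardened one, both made up for illustration) and flags chains whose default policy is ACCEPT, inbound accept rules that are not limited to reply traffic, and source-restricted exceptions that need written justification.

```python
"""Audit iptables-save style rule dumps for a default-deny inbound posture.

Added example for this article; the two rule sets are constructed samples.
"""
from __future__ import annotations
import re

# Constructed sample: default-accept policy and wide-open RDP/SMB from anywhere.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
"""

# Constructed sample: drop by default, allow replies, one documented SSH exception
# restricted to an assumed management subnet (10.20.0.0/24 is hypothetical).
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(\w+)")      # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)$")    # "-A INPUT <matches> -j <target>"
INBOUND_CHAINS = ("INPUT", "FORWARD")


def audit_ruleset(dump: str) -> dict[str, list[str]]:
    """Return {'violations': [...], 'exceptions': [...]} for an iptables-save dump.

    violations: default ACCEPT on an inbound chain, or an accept rule that lets
                new connections in from any source.
    exceptions: accept rules for new inbound connections limited by source
                address; allowed, but each one needs a documented justification.
    """
    violations: list[str] = []
    exceptions: list[str] = []
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if chain in INBOUND_CHAINS and policy == "ACCEPT":
                violations.append(f"{chain}: default policy is ACCEPT, should be DROP")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, body = m.groups()
        if chain not in INBOUND_CHAINS or "-j ACCEPT" not in body:
            continue
        if "-i lo" in body:
            continue  # loopback traffic is local to the host
        if "--ctstate" in body and "NEW" not in body:
            continue  # reply traffic only (RELATED,ESTABLISHED): the desired shape
        if "-s " in body:
            exceptions.append(f"{chain}: source-restricted exception needs sign-off: {body}")
        else:
            violations.append(f"{chain}: accepts new inbound connections from anywhere: {body}")
    return {"violations": violations, "exceptions": exceptions}


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_ruleset(dump)
        print(f"== {name} ==")
        for finding in result["violations"]:
            print("VIOLATION:", finding)
        for finding in result["exceptions"]:
            print("EXCEPTION:", finding)
```

Run against a real export (`iptables-save` on the firm’s gateway, or an equivalent dump from its vendor appliance translated to this shape), the audit gives the reviewer a short list to walk through with the firm: every violation should be fixed, and every exception should come with the written justification the question asks for.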
If you do not get satisfactory answers to these ten questions, you are unnecessarily placing yourself, your insureds, and your shareholders at risk. Effectively combatting and safeguarding against data breaches and cybersecurity disasters is time-consuming and expensive, but it is the world we now live in. If your subrogation vendor or law firm is not willing or able to adequately answer the above questions, you should find one that is. Not only do slightly lower contingency fees fail to produce larger net subrogation recoveries (in fact, it is just the opposite), but even if they did, they would not be worth the risk of a major data breach that could permanently damage your company’s reputation and hard-earned brand.
If you should have any questions regarding this article or subrogation in general, please contact Ashton Kirsch at akirsch@mwl-law.com.