After three weeks of testimony and arguments, a federal jury trial recently disposed of subrogation claims by National Union Insurance against Tyco and ADT. The claims sought recovery following a $42 million pharmaceutical heist.
The case raises a number of important lessons for security providers. For the full details, read the extended version of this article at www.securityinfowatch.com/12208788. It’s a fascinating case, especially to those of us in the electronic security industry. Here’s the overview:
The case involved a subrogation claim by National Union, insurer of pharmaceutical giant Eli Lilly against Tyco and ADT (referred to collectively as “Tyco”), seeking to recover $42 million from the largest drug heist in U.S. history. Remember, subrogation permits insurers to recover from parties who may have contributed to a loss.
A gang of five perpetrated the burglary, along with five additional thefts at other facilities protected by Tyco alarm systems. Eventually, the FBI caught the gang members and each went to prison. National Union alleged the gang had inside information obtained from Tyco’s computer network and that the gang used the information to bypass the security system at each targeted facility. Thus, the case was perhaps the first — or at the least, most expensive — data breach case against a U.S. security provider.
Tyco’s first line of defense appeared to be to seek the enforcement of a waiver of subrogation clause in its contract with Eli Lilly. Subrogation waivers are enforceable, especially between sophisticated parties engaged in commercial transactions — one of the reasons a subrogation waiver is a staple of industry risk allocation provisions.
If enforced, the clause would have resulted in a complete victory for Tyco; however, the court refused to enforce the clause twice — once at the outset of the case and then again after years of discovery. That meant Tyco had to defend its position in a three-week federal jury trial.
While Tyco ultimately prevailed, the whole point of an alarm services agreement is to keep you out of court or at least away from the jury. That didn’t work here.
The Takeaway for Security Providers
The case presents an opportunity to consider a number of important legal issues for all security providers. Here are a few:
1. Does you contract explicitly cover goods and services you provide after the contract is signed? I ask this first question because Tyco and Eli Lilly entered into a commercial services proposal/agreement in 2004 for the installation of equipment. Following the initial work under the contract, Tyco may have modified the security system or provided other security-related equipment or services at the Eli Lilly facility, including performing at least one security survey.
It certainly is not unusual for a security provider to provide additional equipment or services after signing an agreement with a subscriber. I’m just not sure Tyco’s agreement addressed that issue (in my opinion, it should have). Here’s why: National Union’s theory of the case was premised on an alleged data breach into Tyco’s computer network, resulting in the gang obtaining access to Eli Lilly’s confidential information, including the security survey.
The 2004 contract had a fairly comprehensive risk allocation clause protecting Tyco. Among other things, the clause explicitly required Eli Lilly to waive National Union’s subrogation rights. Nevertheless, the court refused to apply that clause to the data breach or any of the work performed after the contract was signed because, the court reasoned, the breach and subsequent work were beyond the scope of the contract.
The lesson here is to make sure your contract includes a provision that subsequent goods and services are covered by your initial contract. I suspect this case might have been dismissed at the close of discovery if the Tyco agreement provided for this.
2. Does your subscriber agreement address data breach and subscriber confidential information? Perhaps it should. If the Tyco agreement defined the scope of Tyco’s obligation with respect to Eli Lilly’s confidential information AND included exculpatory language that limited Tyco’s obligation, the court may have applied the clause to dismiss the case before trial. Does your exculpatory provisions address data breach? I bet they don’t.
Do you know what law governs confidential data you may have? If you use a third-party monitoring facility, have you indemnified the facility if it misuses confidential subscriber data? I bet you have. How do you intend to protect yourself on this issue?
3. In today’s digital age, how do security providers best protect against data breach claims? This is a legal issue, an insurance issue and an IT issue. At a minimum, make sure you service agreement deals with data breaches.
Do you have a privacy policy? You should. Does your contract define your obligation with respect to a subscriber confidential information? Do you have cyber liability coverage?
Most commercial insurance policies do not cover data breaches. That means you are on your own if you are involved in one —that means no insurer paying for your lawyers, or for settlement or the judgment.
Are you totally confident your network is adequately protected? There are only two types of companies today — those with data breaches and those that don’t know they have data breaches. If I owned a security company, I would devote adequate resources to this issue, especially to making sure my network was as safe as possible.
The Tyco case was a first but I bet it is not the last data breach case in the security industry. In fact, I think we are at the center of a perfect storm — more and more data, more and more breaches.
4. Does your contract include a waiver of subrogation and does it apply to all claims or just some claims? The biggest surprise to me was that the court refused to apply the waiver of subrogation to this subrogation claim. Based on the court’s 68-page summary judgment opinion, your subrogation waiver should explicitly apply to claims that arise outside the contract. Does yours? I recommend you have a knowledgeable industry professional review your contracts.
In my experience, way too many electronic security companies are using form agreements first draft in the 1970s or 80s when data breaches weren’t even contemplated in Alvin Toffler’s novel Future Shock.
Is your company using a form of agreement first drafted when Jimmy Carter was president? Do you even know when the form was first written? The time and expense of updating your contract with a modern version pales in comparison to the cost and expense of defending against a lawsuit. Don’t be penny wise and pound-foolish.
Eric Pritchard is a Philadelphia Lawyer who spends his workday making the world safe for electronic security providers. He can be reached at [email protected]. This column does not constitute legal advice; contact an attorney with questions.