Trending Phenomenon in Computer Forensics

Trending Phenomenon in Computer Forensics

by Rich Curtis, President and Technical Consultant, Loss Solutions Group

 2018 marks my twentieth year in the property claims business. Seasoned players twenty years ago used to tell me stories of old and advised of the ebbs and flows of trends. I’ve seen various mold scares, infectious hail damage, floods causing fires, and questionable drywall. I work side by side with mechanical, structural and electrical engineers, and we share the lessons from our respective disciplines, mine being Information Technology. In a popular quote from the Book of Ecclesiastes, the author complains about the monotony of life. One passage reads, “The thing that hath been, it is that which shall be; and that which is done is that which shall be done: and there is no new thing under the sun.” In modern vernacular, “there is nothing new under the sun” or “it’s all been done and seen before.” These words hold true as Loss Solutions Group’s Information Technology Consultants have observed a not-so-new phenomenon manifesting in a new form as Computer Forensics.

Property Claims Professionals’ daily tasks typically include establishment of a reasonable scope of work and the costs associated with such. Scope can be more subjective than rates, which are measured with industry specific tools and Federal Bureau of Labor statistics. Drywallers in Wichita don’t charge $175.00 per hour, nor do they charge $10.00 per hour. There is what we refer to as a “range of reasonableness”, which can be influenced by several factors. If certain conditions exist, we can be influenced to recommend rates on the higher end of this reasonableness spectrum.

Recently a reinvented Computer Forensics phenomenon is showing up on our desks with higher frequency. My team members and I have found ourselves addressing otherwise routine ransomware or virus infection claims in which Computer Forensics professionals are performing what we perceive to be excessive scopes of work at astounding rates. More concerning is that many of these professionals engage us and the claims handlers with advanced knowledge of coverage, policies and language that can rival a mid-career Public Adjuster. While we take no exception to others’ knowledge of our profession, what they do with that knowledge can and will cause challenges to both claim handlers and ultimately carriers.

In a recent case, I analyzed a small business of fifty employees that suffered a ransomware infection. Ransomware carries a payload that encrypts valuable data and demands that the user pay a fee or “ransom” in exchange for the digital key to unlock the data. While the FBI recommends against ransom payment, our data shows that upwards of 90% of all ransom payers receive the decryption key. Unfortunately, these matters have become commonplace and we typically measure recovery for a business of this size to be $5,000.00 to $30,000.00. This includes ransom payment (or a third party “decryption”), and principally Information Technology professional efforts (at rates of $100.00 to $175.00 per hour) to mitigate infection. Cue the Computer Forensics professionals. In my example case, I first contacted the Forensics vendor, who advised that they could not cooperate without my first contacting the attorneys associated with the matter. I learned that the insured first contacted their attorneys, who directed them to utilize a computer forensics firm who was charging $350.00 per hour, not to necessarily correct the infection, rather to study the exposure. We ultimately learned that only two (2) computers were affected and $75,000.00 was being invoiced for forensics efforts. Note that this effort didn’t include mitigation, rather a compressive analysis of the incident. In peer discussion, we established that this should have been completely analyzed and mitigated for about $10,000.00, as backups of encrypted data were available. All computers could have been scanned with multiple tools to establish their status and the two (2) affected systems could have been mitigated via hard disk replacements and labor efforts. The savvy attorneys and Computer Forensics team, however knew better. They presented a compelling case to convince the carrier that “research” – a term within the policy – was required to affect mitigation. This same technique has also been used by an agent in the past month. While we believe that both scope and rates are excessive, an increasing number of claims submitted in such a manner are becoming more common.

In further discussion with carriers’ management, we understand that they’re cognizant of this new phenomenon and they’re also seeing General Liability and Errors & Omissions issues being claimed incorrectly so as to find where coverage is available. Like any new exposure challenges, we anticipate that policy and endorsement improvements are just a few short years away. My goal of this article is to bring attention to this matter to aid carriers in understanding this exposure and improving policies to best provide intended coverages.

Rich Curtis is the President of Loss Solutions Group and serves as a Technical Consultant. If you have questions about Information Technology claims or Continuing Education, please feel free to call him at 866-899-8756 ext. 702.

This newsletter is a publication of Southern Loss Association, Inc., P.O. Box 421564, Atlanta, GA 30342. The articles written in the newsletter are in a general format and are not intended to be legal advice applicable to any specific circumstances. Legal opinions may vary when based on subtle factual differences. All rights reserved.  Published 05-08-18.