The risks inherent in the maintenance and storage of confidential information present an ongoing challenge to daily operations. Cyber insurance may be an appropriate mechanism to mitigate those risks. But – BUYER BEWARE – broad exclusions and other conditions in a cyber policy can hack into coverage and leave your company uninsured and exposed to significant liability for defense costs, liability payments, and regulatory damages.
A recent lawsuit highlights the need for an organization buying cyber insurance to carefully review the terms and conditions of the policy to ensure that it can comply with all requirements and pre-conditions to coverage, or risk having the expected coverage evaporate when a potentially covered claim arises.
A 2013 data breach resulting in the release of private healthcare information of 32,500 patients stored on the network servers of Cottage Health System spawned a class action lawsuit against Cottage Health and an investigation by the California Department of Justice. Cottage Health settled the class action lawsuit for more than $4 million. The investigation is ongoing.
While initially agreeing to provide coverage for the class action lawsuit and the investigation under the terms of its policy, Columbia Casualty Company, the cyber insurer for Cottage Health, now claims that all coverage is excluded based upon Cottage Health’s failure to follow certain required practices set forth in the terms of its cyber insurance policy and its application for insurance. Columbia has sued Cottage Health in the Central District of California seeking reimbursement of the class-action settlement, as well as all defense costs paid and to be paid for that lawsuit, the investigation, and related proceedings commenced in the wake of a 2013 data breach.
Columbia’s Complaint asserts that coverage is precluded by a “Failure to Follow Minimum Required Practices” exclusion and because Cottage Health failed to satisfy a condition precedent to coverage, namely that it would follow certain “minimum required practices” and “maintain all risk controls identified in the Insured’s Application.” Columbia alleges that the data breach was caused by Cottage Health’s failure “to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings [and], its failure to ensure that its information security systems were securely configured.” In addition, Columbia alleges that Cottage Health failed:
“to regularly check and maintain security patches on its systems, [failed] to regularly re-assess its information security exposure and enhance risk controls, [failed] to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and [failed] to control and track all changes to its network to ensure it remains secure.”
Finally, Columbia alleges that the application submitted by Cottage Health “contained misrepresentations and/or omissions of material fact that were made negligently or with the intent to deceive,” because the data breach was caused by Cottage Health’s failure to maintain controls identified in its “Risk Control Self Assessment” completed with its application.
It appears that Cottage Health and Columbia have agreed to pursue mediation, so we may never know how the court would resolve the issues raised in Columbia’s Complaint, but the case serves as a reminder that an insured under a cyber insurance policy must remain vigilant in its data protection efforts or risk losing the benefits of its policy. If cyber insurance is an integral part of your risk mitigation program for potential data breaches, take the necessary steps now to review your policy so that the coverage you expect will be available when you need it.