In the lifecycle of insurance products and policies, cyber insurance is in its infancy. With the significant increase in the number of data breaches in recent years, the need for cyber policies has grown dramatically and insurance carriers are beginning to draw strict lines around the types of risks they will cover. One of the insurance coverage lawsuits arising from a cyber/data breach was recently filed and its outcome will likely shape the cyber insurance industry and the laws associated with data breaches. If you are in the insurance industry, a business owner or in-house counsel in need of cyber insurance coverage, here is what you need to know:
After agreeing to fund a $4.1 million settlement in a data breach class action lawsuit filed against its insured Cottage Health System, Columbia Casualty Company initiated a Declaratory Judgment action against its insured seeking reimbursement of the settlement funds on grounds that Cottage Health System failed to follow "Minimum Required Practices" mandated under the policy. In Columbia Casualty Company v. Cottage Health System, USDC Case No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015), it is alleged that between October 8, 2013 and December 2, 2013, confidential medical records of approximately 32,500 Cottage Health System patients, stored electronically on servers, were disclosed to the public via the internet. Columbia Casualty Company contends that the breach occurred because Cottage Health System stored medical records on a system that was fully accessible to the internet but failed to encrypt the data or otherwise employ security measures to "protect patient information from being available to anyone who 'surfed' the internet."
Prior to the breach, Columbia Casualty Company issued a "NetProtect360" cyber security claims-made policy generally affording coverage for privacy claims and/or regulatory proceedings arising from Cottage Health System's breach of confidential information. However, the policy contained several carefully worded restrictions and exclusions. Namely, the policy's "Minimum Required Practices" exclusion removed coverage in its entirety for any claim based upon, directly or indirectly arising out of, or in any way involving, "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing. . . ."
In addition, Columbia Casualty Company reserved the right to withdraw coverage and seek reimbursement should Cottage Health System misrepresent any information provided in the application and the "Risk Control Self Assessment" submitted as part of the application. Interestingly, Columbia Casualty Company's "Risk Control Self Assessment" contained a series of questions seeking confirmation that Cottage Health System regularly implemented very specific cyber security safeguards. For example, the "Risk Control Self Assessment" set forth the following inquiries:
Cottage Health System responded "Yes" to each of these application questions although it appears that it did not implement most, if not all, of these security measures.
Ultimately, Columbia Casualty Company settled the underlying data breach class action lawsuit on behalf of Cottage Health System in the amount of $4.125 million. Columbia Casualty Company paid the settlement amount while reserving its right to disclaim coverage and seek reimbursement directly from Cottage Health pursuant to the terms of the policy and application.
In its present insurance coverage action, Columbia Casualty Company seeks a court declaration that it is not obligated to provide coverage for the underlying data breach class action and that it should be reimbursed by Cottage Health System in full for the $4.125 million settlement amount paid and for defense fees incurred on its behalf. Columbia Casualty Company contends that coverage is precluded because Cottage Health System failed to follow "Minimum Required Practices" and failed to continuously implement the specific procedures and risk controls outlined in the application (see above).
Columbia Casualty Company further alleges that it believes the underlying data breach was caused by File Transfer Protocol settings on Cottage Health System's internet servers that permitted anonymous user access, thereby exposing electronic personal health information to the public via Google's internet search engine. Columbia Casualty Company also attributes blame for the data breach to Cottage Health System for the following additional reasons:
While the Columbia Casualty Company v. Cottage Health System lawsuit is in its early stages of litigation, there are several takeaways to keep in mind if you are considering acquiring cyber insurance for your business: