In the lifecycle of insurance products and policies, cyber insurance is in its infancy. With the significant increase in the number of data breaches in recent years, the need for cyber policies has grown dramatically and insurance carriers are beginning to draw strict lines around the types of risks they will cover. One of the insurance coverage lawsuits arising from a cyber/data breach was recently filed and its outcome will likely shape the cyber insurance industry and the laws associated with data breaches. If you are in the insurance industry, a business owner or in-house counsel in need of cyber insurance coverage, here is what you need to know:
After agreeing to fund a $4.1 million settlement in a data breach class action lawsuit filed against its insured Cottage Health System, Columbia Casualty Company initiated a Declaratory Judgment action against its insured seeking reimbursement of the settlement funds on grounds that Cottage Health System failed to follow "Minimum Required Practices" mandated under the policy. In Columbia Casualty Company v. Cottage Health System, USDC Case No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015), it is alleged that between October 8, 2013 and December 2, 2013, confidential medical records of approximately 32,500 Cottage Health System patients, stored electronically on servers, were disclosed to the public via the internet. Columbia Casualty Company contends that the breach occurred because Cottage Health System stored medical records on a system that was fully accessible to the internet but failed to encrypt the data or otherwise employ security measures to "protect patient information from being available to anyone who 'surfed' the internet."
Prior to the breach, Columbia Casualty Company issued a "NetProtect360" cyber security claims-made policy generally affording coverage for any privacy claims and/or regulatory proceedings arising from Cottage Health System's breach of confidential information. However, the policy contained several carefully worded restrictions and policy exclusions. Namely, the Columbia Casualty Company policy excluded coverage in its entirety should Cottage Health System fail to follow "Minimum Required Practices" based upon, directly or indirectly arising out of, or in any way involving, "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing. . . ."
In addition, Columbia Casualty Company reserved the right to withdraw coverage and seek reimbursement should Cottage Health System misrepresent any information provided in the application and the "Risk Control Self Assessment" submitted as part of the application. Interestingly, Columbia Casualty Company's "Risk Control Self Assessment" contained a series of questions seeking confirmation that Cottage Health System regularly implemented very specific cyber security safeguards and safety measures. For example, the "Risk Control Self Assessment" set forth the following inquiries:
- Do you check for security patches to your systems at least weekly and implement them within 30 days?
- Do you replace factory default settings to ensure your information security systems are securely configured?
- Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?
- Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?
- Whenever you entrust sensitive information to 3rd parties, do you contractually require all such 3rd parties to protect this information with safeguards at least as good as your own?
- Do you have a way to detect unauthorized access or attempts to access sensitive information?
- Do you control and track all changes to your network to ensure it remains secure?
Cottage Health System responded "Yes" to each of these application questions although it appears that it did not implement most, if not all, of these security measures.
Ultimately, Columbia Casualty Company settled the underlying data breach class action lawsuit on behalf of Cottage Health System in the amount of $4.125 million. Columbia Casualty Company paid the settlement amount while reserving its right to disclaim coverage and seek reimbursement directly from Cottage Health pursuant to the terms of the policy and application.
In its present insurance coverage action, Columbia Casualty Company seeks a court declaration that it is not obligated to provide coverage for the underlying data breach class action and that it should be reimbursed by Cottage Health System in full for the $4.125 million settlement amount paid and for defense fees incurred on its behalf. Columbia Casualty Company contends that coverage is precluded because Cottage Health System failed to follow "Minimum Required Practices" and failed to continuously implement the specific procedures and risk controls outlined in the application (see above).
Columbia Casualty Company further alleges that it believes the underlying data breach was caused by File Transfer Protocol settings on Cottage Health System's internet servers that permitted anonymous user access, thereby allowing the public to reach electronic personal health information via Google's internet search engine. Columbia Casualty Company also attributes blame for the data breach to Cottage Health System for the following additional reasons:
- a failure to continuously implement the procedures and risk controls identified in the application, including, but not limited to, its failure to replace factory default settings and its failure to ensure that its information security systems were securely configured; and
- a failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure.
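The complaint describes the technical cause only as FTP settings that permitted anonymous access, and several of the self-assessment questions quoted above (replacing factory defaults, securely configuring systems, controlling changes) are really questions about whether such settings are audited. The script below is an added example, not code from the case record or from either party; it assumes the server is vsftpd (the complaint does not name the software) and audits a vsftpd.conf for anonymous-access and encryption directives, treating an absent directive as carrying the default documented in the vsftpd.conf(5) manual, which is the "factory default" case the questionnaire asks about. The two sample configurations are constructed for the example.

```python
"""Audit a vsftpd configuration for the kind of anonymous-access exposure
described in the complaint.  Added example, not code from the case record.
vsftpd is an assumption: the complaint names only "FTP settings"."""
from typing import Dict, List

# Values a hardened configuration should carry, keyed by directive.
HARDENED: Dict[str, str] = {
    "anonymous_enable": "NO",         # no anonymous logins at all
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "YES",              # encrypt control and data channels
}

# Defaults documented in vsftpd.conf(5), applied when a directive is absent.
# Recorded here as an assumption about the manual; distribution packages
# often ship a vsftpd.conf that overrides them.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return directive=value pairs, ignoring blank lines and # comments.
    A directive given more than once keeps its last value."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_vsftpd(text: str) -> List[Dict[str, str]]:
    """List every directive whose effective value differs from HARDENED.
    'source' records whether the value was set explicitly or inherited
    from the documented default (the factory-default case)."""
    settings = parse_vsftpd_conf(text)
    findings: List[Dict[str, str]] = []
    for directive, expected in HARDENED.items():
        if directive in settings:
            effective, source = settings[directive], "explicit"
        else:
            effective, source = DEFAULTS[directive], "default"
        if effective.upper() != expected:
            findings.append({
                "directive": directive,
                "effective": effective.upper(),
                "expected": expected,
                "source": source,
            })
    return findings


# Constructed sample: a server left close to factory defaults.  anonymous_enable
# is never mentioned, so the documented default (YES) applies.
WEAK_CONF = """
listen=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed sample: the same server with anonymous access disabled and TLS on.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_vsftpd(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['directive']}={f['effective']} ({f['source']}), "
                  f"expected {f['expected']}")
```

Run against a real file with `audit_vsftpd(open("/etc/vsftpd.conf").read())`. The "default" source tag is the useful part for the questionnaire: a finding on a directive that was never written down is exactly the "failure to replace factory default settings" the carrier alleges, and it is invisible to anyone who only greps the file for what it says.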
While the Columbia Casualty Company v. Cottage Health System lawsuit is in its early stages of litigation, there are several takeaways to keep in mind if you are considering acquiring cyber insurance for your business:
- Read the Application Carefully – Most cyber insurance and cyber security policies will include questions in the initial application seeking information regarding existing cyber security protocols and procedures implemented by the applicant. While there is a temptation to simply respond "Yes" to the questions presented, an applicant doing so jeopardizes coverage should the carrier later determine that misrepresentations were made. It is advisable to sit down with your insurance broker, an attorney, and an information security professional (if possible) to review the application and any "self assessment" questions contained therein to ensure accurate responses are provided.
- Scrutinize All Policy Exclusions – The Columbia Casualty Company exclusion barring coverage for an insured's failure to follow "Minimum Required Practices" is broadly worded and requires insureds to "maintain all risk controls identified in the Insured's Application and any supplemental information provided by the Insured. . . ." A careful review of this exclusion prior to the Loss would have likely resulted in a request for clarification or the outright removal of the exclusion from the policy.
- Implement Measures and Protocols to Prevent Data Breaches – While no measure or protocol to prevent data breaches is foolproof, the lesson of the Cottage Health System breach is that companies (especially health care facilities and hospitals) should retain competent information security professionals and legal counsel to implement electronic security and data breach protocols before a hack occurs. If the allegations set forth by Columbia Casualty Company are true, Cottage Health System did not implement any electronic security protocols, since any anonymous user could gain access to its servers containing confidential patient records simply by performing a Google internet search.