Cyber insurance policies are currently being heavily marketed amid highly publicized data breaches involving millions of records.
But is having a cyber insurance policy a wise choice to protect your company in the wake of a costly data breach? One danger is that the policy tries to limit its exposure by imposing requirements that may be practically impossible to administer.
As an example, in California, Columbia Casualty Co., a member of the CNA Group, is seeking to enforce an exclusion in its policy that requires its insured to meet “minimum required practices.”
The lawsuit stems from a data breach suffered by Cottage Health System, which involved approximately 32,500 confidential medical records. According to court documents, Cottage Health Systems and its third-party vendor failed to implement proper security measures, such as data encryption, to protect patient data that was accessible via the Internet. A resulting class-action lawsuit settled for $4.1 million, which Columbia Casualty agreed to fund subject to a complete reservation of rights.
In Columbia Casualty Company v. Cottage Health Systems, No. 2:15-cv-03432, the insurance company is now seeking reimbursement based on a policy exclusion stating:
“Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing…”
In the wake of the lawsuit
Columbia Casualty maintains that because the healthcare company failed to monitor and continuously update its cybersecurity protocols, insurance coverage should be excluded. It points to representations that Cottage Health Systems allegedly made in its application – notably that the company regularly evaluated its exposure to data security and privacy risks.
For businesses that hope to rely on cyber insurance in exactly this type of situation — where the company or another third party’s negligence inadvertently leads to a data breach — the suit is troublesome as it appears to eviscerate the very protection many companies are seeking.
In terms of case law, cyber insurance is still relatively new. As a result, there may be little existing case law interpreting the relevant exclusions. To assess your rights and obligations under a cyber insurance policy, it may be prudent to review the terms and consult with experienced counsel to try to anticipate significant coverage concerns.