Barton Blogs

Complete the Cyber Risk Insurance Application and Read the Policy Very Carefully: Carrier Seeks to Disclaim Based on Application and Policy Terms

It’s a maxim of insurance litigation: As day follows night, coverage litigation must follow expansion of coverage, as we had discussed in this space recently. One carrier has now sought a declaratory judgment based on the insured’s allegedly inaccurate responses in its application for insurance.

Columbia Casualty, a cyber risk insurer, commenced an action in U.S. District Court for the Central District of California on May 7, 2015 against its insured Cottage Health Systems seeking declaratory judgment that it has no duty to defend or indemnify Cottage Health, and seeking reimbursement of its funding of a $4.25 million settlement of a class action arising from a breach by Cottage Health.

Columbia Casualty had initially defended Cottage Health in a class action arising from a breach of medical records affecting over 19,000 patients, and agreed to fund a settlement of $4.25 million, all under a reservation of rights that specifically included the right to seek reimbursement of funds and fees. Columbia then brought this claim seeking a declaration that it, in fact, had no duty to defend or indemnify Cottage Health. Columbia is also seeking reimbursement of the settlement funds and its attorneys fees, because Cottage Health had allegedly misrepresented the scope and nature of its security controls over patient information in its application for insurance.

The data breach, the Complaint states, was the result of a failure of certain controls to keep patient information encrypted and protected from accessibility on the Internet, leading to the availability of patient information to “anyone who surfed the Internet.” In the insurance application, the Complaint avers, Cottage had represented that it had appropriate controls in place to prevent such a breach from occurring, and that those controls were not implemented or were not followed. If the proper controls are not implemented, the policy states, Columbia would not be obligated to defend or indemnify its insured in the event of “Damages,” defined in the policy to include awards or settlements in litigation. In addition, the policy had a provision requiring Cottage Health to follow certain “Minimum Required Practices,” and that this failure resulted in the breach and class action law suit being excluded from coverage, pursuant to the policy.

As this case demonstrates cyber risk policies, and applications for these policies, are not yet standardized and require careful analysis of the application’s representation and the definitions, exclusions and endorsements in the policy. If you have questions regarding cyber risk coverage, please call Kenneth N. Rashbaum.