The risks of purchasing cyber insurance coverage before a business addresses its existing cyber security practices have just been made painfully clear by a recent case filed by an insurer in California. Columbia Casualty, a unit of Chicago-based CNA, is seeking a judicial ruling that it is not obligated to pay a $4.125 million class action settlement paid by California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, arising out of a data breach at the hospital.
According to the complaint: (1) the insurer issued a claims-made cyber insurance policy to the hospital effective from October 1, 2013, to October 1, 2014; (2) the hospital subsequently suffered a data breach involving over 32,500 confidential medical records between October 8, 2013, and December 2, 2013; (3) a class action lawsuit was filed against the hospital on or about January 27, 2014, with a $4.125 million settlement receiving preliminary court approval on or about December 24, 2014; and (4) the insurer agreed to fund the settlement, subject to a complete reservation of rights.
In its complaint, the insurer has asserted that a “failure to follow minimum required practices” exclusion precluded coverage on the alleged ground that the hospital did not follow its own description of its data security system in the insurance application. In the complaint, the insurer also asserted that the hospital’s failure to follow the data security protocols detailed in its application constituted a misrepresentation, and that all coverage was forfeited as a result of the alleged misrepresentation. As a result, the insurer has requested reimbursement of defense and settlement payments.
This case highlights the need for a policyholder to be diligent from the first day it reviews and completes an application for cyber insurance to make sure it understands the requirements for coverage. Stakeholders in information technology, treasury, finance, legal and risk management should all be involved in any review of a cyber insurance application to ensure that appropriate coverage language is in place. In addition, after cyber coverage is purchased, a policyholder must be vigilant in implementing its cyber security practices, and create a record sufficient to prove that it has complied with policy requirements. At the end of the day, money spent on cyber insurance coverage is well spent only if covered losses are ultimately paid by the insurer.
If you have questions or would like to discuss cyber insurance coverage for your business, please contact a member of the McGrath North Privacy and Data Security team.