The Devil Is in the Details of Cyber by Roberta Anderson

08/06/2015 06:00

Summary:

A major case, one of the first disputes under a cyber insurance policy that has resulted in litigation, shows why details matter so much.

There’s a tempest amid the recent spring shower of cyber insurance cases. It isn’t the Recall Totalcase,[1] or the Travelers v. Federal Recovery Services case reported the week before.[2] Although those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant.

The tempest case is Columbia Casualty Company v. Cottage Health System.[3] In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty, seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation.

Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyber insurance coverage. Although this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully.

Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices and (2) the misrepresentation defense.

The Facts

Underlying Data Breach Litigation and Regulatory Investigation

Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained or used by the insured, Cottage Health System (Cottage).[4]

In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.”[5] The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.[6]

The lawsuit settled in April 2015 for $4.1 million.[7] Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.[8]

Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”[9] and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”[10]

The Cyber Insurance Policy

CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.[11] The policy provides coverage for, among other things, “privacy injury claims.”[12]   Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.

The Coverage Issues

CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion for “Failure to Follow Minimum Required Practices”

CNA relies upon an exclusion in the NetProtect360 policy, titled “Failure to Follow Minimum Required Practices,” which states:

Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

  • Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving:
  • Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…[13]

Citing this exclusion, CNA alleges that coverage is precluded because its insured purported to do certain things relating to various aspects of network and computer security. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things”:

41.   Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol [14] settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.

42.   Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things.

43.   Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.

44.   Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s Failure to Follow Minimum Required Practices” exclusion.[15]

CNA does not allege that its insured acted willfully, that it acted recklessly or even that it was grossly negligent.

The Misrepresentation Defense

In support of its misrepresentation defense, CNA relies principally upon the policy “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

1. Application

  • The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.
  • This Policy shall be null and void if the Application contains any misrepresentation or omission:
  • made with the intent to deceive, or
  • which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.[16]
  • Citing this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

51.  The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”

52.  The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”

53. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.

54.  Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.

55.  Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.[17]

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

The Takeaway Tips

1. Beware Of Broadly Worded Cybersecurity/Data Protection Exclusions

The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,[18] and broad exclusions that would render coverage illusory are not permitted in California[19] or elsewhere.[20] Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,[21] which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.[22]

To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to benegligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing cyber liability coverage.

Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 is regrettably common, and, as theColumbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage.

The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them, or to entirely eliminate them — and often this does not cost additional premium.

2. Guard Against a Misrepresentation Defense

We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists, moreover, that may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.[23]  So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.

 

 

description_here

ABOUT THE AUTHOR

Roberta Anderson is a partner in the Pittsburgh office of K&L Gates, with more than 15 years of experience in complex commercial litigation and alternative dispute resolution. A member of the firm’s global Insurance Coverage and Cyber Law and Cybersecurity practice groups, Anderson concentrates her practice in the areas of insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues.

See more at: https://insurancethoughtleadership.com/the-devil-is-in-the-details-of-cyber/?sthash.P6hrnn69.mjjo#sthash.P6hrnn69.HWwT8EnR.dpuf