On May 7, Columbia Casualty Company, an insurance company, filed one of the first lawsuits by an insurer seeking to deny coverage for a privacy class action under a cyber insurance policy. Why is this significant? As the number of data breach events and costs have soared, specialty cyber insurance policies have become both ubiquitous and necessary. And, generally, insurance companies have responded quickly to data breach claims under cyber insurance and other specialty risk policies (while aggressively fighting coverage of breach-related claims brought under general liability policies). Common wisdom has been that as the cyber insurance market plateaus and claims become more prevalent and costly, insurers will begin to resist coverage and push back more aggressively on claims. The Columbia Casualty Company lawsuit may be the mark of that changing tide.
According to the Columbia Casualty complaint, Cottage Health System or its third-party vendor allowed access to 32,500 medical records and the insurer paid $4.125 million to settle the class action lawsuit that followed. The insurer is now suing to recoup the settlement funds and defense costs on the basis of a coverage exclusion requiring that the insured meet certain “minimum” cybersecurity requirements. The insurance policy required that the insured institute “minimum required practices” and eliminated coverage for “any failure” of the insured to “continuously implement” such procedures. The insurance company claims that the policyholder failed to follow the security risk controls set out in its insurance application and failed to provide complete and accurate information in the application about the practices of one of its third-party vendors.
Such “minimum required” practice exclusions can be highly problematic for an insured because they place the insured at the mercy of second-guessing by the insurance company after a security breach has occurred. At precisely the moment when an insurer should be standing behind its insured, such exclusions allow the insurer to turn the focus to the insured’s conduct rather than the person who attacked its system.
How can a client reduce the risk that its insurer will try to pull coverage at the most critical time?
First, it is critical for insureds to eliminate “minimum requirement” and similar exclusions from their cyber policies. In our experience, insurers will typically strike them, but you have to know what to look for and ask before the policy is issued. Cyber insurance policies do not follow standard forms and can be complicated. They are also evolving very quickly. Accordingly, clients who are buying or renewing these policies should seek out advisors who have specific and deep experience with cyber insurance.
Second, insureds should conduct reasonable due diligence and take appropriate care before making the security representations in their applications for cyber insurance. Whether relying on a specific “minimum requirements” exclusion or more generally pointing to alleged misrepresentations in applications, insurers are likely to scrutinize those representations with ever greater vigilance as the number and costs of cyber claims increase.
We recommend that policyholders engage us early in the process of procuring cyber insurance to assist in identifying and eliminating these coverage exclusions. This due diligence can be conducted specifically for purposes of the insurance application or folded into a more general effort around precautionary cybersecurity preparedness, including a focus on third-party vendors. Such reviews are designed to assist clients in developing a cybersecurity posture that is defensible to regulators, class action plaintiffs and insurers both pre and post breach. Reviews typically include:
Obviously, these measures cannot guarantee that a company’s systems won’t be breached, but they will put the company in a stronger position to respond to regulators and plaintiffs if and when a security or privacy event occurs. And this front-end work can help reduce the risk that an insurer will seek to set aside coverage at the worst possible time.
Orrick's Cybersecurity and Data Privacy Practice Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.
Orrick's Insurance Practice Group includes lawyers who represent the interests of policyholders exclusively, both in litigating coverage claims to a successful conclusion and in providing innovative, non-litigation solutions to the most complex insurance coverage disputes. We have helped clients recover for breach-related losses under cyber policies, general liability policies, tech/media E&O policies, and property/business income policies. Our attorneys are frequently retained to advise on insurance claims and strategy in the wake of cyberattacks, and have handled insurance claims for several of the largest data breaches in history.