Mark Mermelstein Discusses How Columbia Casualty Case May Impact Cyberinsurance Litigation

Daily Journal | June 26, 2015

Mark Mermelstein, co-chair of Orrick’s cybersecurity and data privacy group, recently spoke with the Daily Journal regarding litigation involving cyberinsurance policies. Insurer Columbia Casualty Co. recently settled a data breach lawsuit filed against one of its policyholders and is now suing that policyholder to recoup the settlement costs, citing a policy exclusion that required the policyholder to follow “minimum required practices” when it came to cybersecurity. According to Columbia Casualty, the policyholder did not have the proper procedures in place to protect a server containing patient information.

According to Mark, many insurance companies have exclusions like those in the Columbia Casualty policies. “A number of cyber policies require that the insured institute minimum required cybersecurity practices, and eliminate coverage for any failure of the insured to continuously implement such procedures,” he said.

Mark noted that the Columbia Casualty case could impact how companies view their own cybersecurity going forward, saying, “I think the impact it would have regardless of how it's decided is that you would want to take some steps on the front end to try to negotiate away clauses like that.” He continued, “The second effect I think it will have is to really force companies to take a good hard look at their cybersecurity on the front end.”