The devil in the cyber insurance details

By Roberta Anderson on May 28, 2015

The tempest case is Columbia Casualty Company v. Cottage Health System. In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty Company (CNA), seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation.

Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel, and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil truly is in the details when placing “cyber” insurance coverage. While this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully.

Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues, and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices, and (2) the misrepresentation defense.

The Facts

Underlying Data Breach Litigation And Regulatory Investigation

Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained, or used by the insured, Cottage Health System (Cottage).

In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the internet.” The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.

The lawsuit settled in April 2015 for $4.125 million. Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.

Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,” and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”

The “Cyber” Insurance Policy

CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million. The policy provides coverage for, among other things, “Privacy Injury Claims.” Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.

The Coverage Issues

CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion For “Failure to Follow Minimum Required Practices”

CNA relies upon an exclusion in the NetProtect360 policy, entitled “Failure to Follow Minimum Required Practices,” which states as follows:

Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

* * *

O. Failure to Follow Minimum Required Practices

based upon, directly or indirectly arising out of, or in any way involving:

  1. Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…

Citing to this exclusion, CNA alleges that coverage is precluded because its insured represented in its application that it did certain things relating to various aspects of network and computer security, and then allegedly did not do them. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems,” and to “enhance risk controls,” among a host of “other things”:

  1. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
  2. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings and its failure to ensure that its information security systems were securely configured, among other things.
  3. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
  4. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s “Failure to Follow Minimum Required Practices” exclusion.
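The complaint’s first allegation describes the exposure in technical terms: FTP settings that permitted anonymous access, so that patient files became reachable, and indexable by Google, without any credentials. The following is an added example, not part of the complaint or of Cottage’s systems, showing the two checks a practitioner would run against that class of failure: a static audit of an FTP server configuration for the effective anonymous-access settings, and a live probe that attempts the same anonymous login a crawler would. It assumes a vsftpd-style configuration (the complaint does not name the FTP software); the upstream vsftpd defaults are taken from vsftpd.conf(5), and the two sample configurations are constructed for illustration.

```python
"""Added example: audit the anonymous-FTP exposure alleged in the complaint.

Assumes a vsftpd-style configuration. The sample configs are constructed for
illustration and are not the insured's.
"""
from ftplib import FTP, all_errors

# Upstream vsftpd defaults for the directives that govern anonymous access
# (vsftpd.conf(5)). Upstream ships anonymous_enable=YES, so a config that
# merely omits the directive is open; distro packages commonly override this
# in the shipped file, which is why the *effective* value must be audited
# rather than the presence of the line.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_world_readable_only": "YES",
}

# Constructed sample: factory default left in place (anonymous_enable unset)
# plus anonymous upload switched on.
WEAK_CONF = """
# anonymous_enable not set, so the upstream default of YES applies
listen=YES
anon_upload_enable=YES
"""

# Constructed sample: anonymous access disabled explicitly.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """Return the effective settings: defaults overlaid by key=value lines.

    Lines starting with '#' are comments. This parser is deliberately lenient
    about whitespace around '='; vsftpd itself is stricter.
    """
    settings = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_anonymous(text):
    """Return a list of findings; an empty list means anonymous access is off."""
    s = parse_vsftpd_conf(text)
    findings = []
    if s["anonymous_enable"] == "YES":
        findings.append(
            "anonymous_enable=YES (explicit or by default): any client, "
            "including search-engine crawlers, can log in without credentials"
        )
        if s["anon_upload_enable"] == "YES":
            findings.append("anon_upload_enable=YES: anonymous clients can upload files")
        if s["anon_mkdir_write_enable"] == "YES":
            findings.append("anon_mkdir_write_enable=YES: anonymous clients can create directories")
        if s["anon_world_readable_only"] == "NO":
            findings.append(
                "anon_world_readable_only=NO: anonymous clients can read files "
                "that are not world-readable"
            )
    return findings


def probe_anonymous_login(host, port=21, timeout=5.0):
    """Live check: attempt the anonymous login a crawler would make.

    FTP.login() with no arguments sends USER anonymous / PASS anonymous@.
    Returns whether it succeeded and, if so, how many entries the root
    listing exposes. Needs network access, so it is not exercised below.
    """
    try:
        ftp = FTP(timeout=timeout)
        ftp.connect(host, port)
        ftp.login()
        entries = ftp.nlst()
        ftp.quit()
        return {"anonymous_login": True, "root_entries": len(entries)}
    except all_errors as exc:
        return {"anonymous_login": False, "error": str(exc)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_anonymous(conf) or ['no anonymous access']}")
```

The static audit is the one that matters for an application questionnaire: a file with no `anonymous_enable` line at all reads as compliant to a casual reviewer but is open under the upstream default, which is precisely the “factory default settings” failure the complaint alleges. The live probe is what an external scan, or Google’s crawler, actually sees.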

CNA does not allege that its insured acted willfully, that it acted recklessly, or even that it was grossly negligent.

The Misrepresentation Defense

In support of its misrepresentation defense, CNA relies principally upon the “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

I. Application

1. The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.

2. This Policy shall be null and void if the Application contains any misrepresentation or omission:

a. made with the intent to deceive, or

b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.

Citing to this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

  1. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”
  2. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”
  3. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.
  4. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.
  5. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

The Takeaway Tips

1. Beware Of Broadly-Worded Cybersecurity/Data Protection Exclusions

The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly-worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction, and broad exclusions that would render coverage illusory are not permitted in California or elsewhere. Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy, which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.

To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing “cyber” liability coverage.

Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 form is regrettably common, and, as Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage.

The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to narrow inappropriate exclusions so that they no longer swallow the coverage, or to eliminate them entirely, and often this costs no additional premium.

2. Guard Against A Misrepresentation Defense 

We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. Moreover, these questions are often answered by technical specialists who may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage. So what can be done?

One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed.

But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.

Roberta Anderson is a partner in the Pittsburgh office of K&L Gates LLP. She has represented insureds in connection with a broad spectrum of insurance issues and disputes arising under many kinds of insurance coverages, including general liability, commercial property, business interruption, data privacy and “cyber”-liability, directors and officers (D&O), errors and omissions (E&O), and employment practices liability. In addition to assisting clients in maximizing their current insurance assets, Anderson provides strategic advice on complex underwriting and risk management issues, including the drafting and negotiation of data privacy, cyber liability, technology E&O, and D&O insurance coverage. Anderson can be reached at [email protected] or 412.355.6222.