On May 7, 2015, Columbia Casualty Company (Columbia) filed a declaratory judgment action in the United States District Court for the Central District of California seeking a declaration that it is not obligated to provide defense or indemnification for its insured, Cottage Health System (Cottage), under a cyber liability policy.
On January 27, 2014, a proposed class-action suit was brought in California Superior Court against Cottage Health System, and its third-party vendor INSYNC, stemming from a data breach that released confidential medical records of approximately 32,000 of Cottage Hospital’s patients that were stored on Cottage’s servers. The Complaint alleges the breach occurred because Cottage and/or INSYNC stored medical records on a system that was fully accessible to the internet, but failed to install encryption or take other security measures to protect the information. As a result of the alleged failures, the medical records were available to anyone using the internet. The Superior Court granted the class representative’s Motion for Preliminary Approval of a Proposed Class Action Settlement, creating a $4.125 million settlement fund. Columbia agreed to fund the settlement under the terms of a cyber liability policy issued to Cottage, subject to a full reservation of rights.
Columbia issued a cyber liability policy to Cottage covering Privacy Injury Claims and Privacy Regulation Proceedings during the time-period of the alleged breach. The policy contains a “Failure to Follow Minimum Required Practices” exclusion that precludes coverage for any loss based upon, directly or indirectly arising out of, or in any way involving any failure of an insured to continuously implement the procedures and risk controls identified in the insured’s application for insurance. Additionally, the policy’s “Minimum Required Practices” condition provides that as a condition precedent to coverage, Cottage warrants that it shall maintain all risk controls identified in its application and any supplemental information provided by it in conjunction with its application. Columbia asserts that Cottage’s failure to regularly check, maintain and update its information security system constituted a failure to follow minimum required practices which precludes coverage under the terms of the policy.
Cyber liability insurance policies are a fairly new product in the insurance market, and there are few decisions interpreting the terms of these policies. The disposition of this action will be instructive to insurers and insureds in this market. For now, it is clear that insureds must be careful when applying for cyber liability insurance, as the representations made in any application may be applicable not only at the time the policy is issued, but also may create ongoing obligations throughout the life of the policy.
We will continue to monitor developments in this case as it moves forward.