One reason why businesses don’t buy cyber insurance is because they don’t believe the insurance will pay benefits in the event of a loss.  A recent lawsuit following a data breach that was brought by a wholly-owned subsidiary of CNA Insurance against a large California hospital network highlights the old adage “buyers beware.”

Could you imagine buying car liability insurance where you promised to continuously obey the rules of the road, so that if you were even partially at fault for an accident, there would be no coverage?  Sounds illusory, doesn’t it?

Now imagine that you are the CFO of a large hospital network where an IT vendor, hired to store 32,500 patient records on a system accessible via the internet, made a mistake and left the data unencrypted for two months so that it was accessible to anyone surfing the internet.

You might initially find comfort in the fact that you bought a $10 million cyber insurance policy called “NetProtect360” from Columbia Casualty Company, a wholly-owned subsidiary of CNA. This particular cyber insurance policy provides coverage for Privacy Injury Claims and Privacy Regulatory Proceedings.  But, after you turn the resulting class action lawsuit and notice of a California Department of Justice investigation (for HIPPA violations) over to your insurer in order to defend your company, and after the insurer agreed to pay the class action settlement ($4.125 million), you are stunned when the insurer turns around and sues your company in federal district court.

In the lawsuit, the insurer alleges that it does not owe a duty to defend or indemnify you from either case.  And, instead, you should be required to reimburse the insurer for the settlement funds and any and all attorney’s fees or related costs or expenses the insurer has paid or will pay as a result.  The insurer says you should be obligated to pay it damages because you lied on your application and you failed to continuously follow the minimum required security practices you agreed to.  This CFO’s nightmare is the lawsuit entitled Columbia Casualty Company v. Cottage Health System, Case No. 2:15-cv-3432, filed May 7, 2015 in the United States District Court for Central District of California.

So what did the policy provide?  This particular cyber insurance policy had several exclusions, including one for “Failure to Follow Minimum Required Practices.”  That is, the policy states that the insurer has no obligation “to pay any loss based upon, directly or indirectly arising out of, or in any way involving any failure of an insured to continuously implement the procedures and risk controls identified in the insured’s application.”

Moreover, in the application, the policyholder had to represent and “warrant, as a condition precedent to coverage…, that it shall: follow the Minimum Required Practices … and maintain all risk controls.”  In the application, the hospital network was asked the following questions, which it answered affirmatively.  These answers constituted the minimum required practices:

  •  Do you check for security patches on your systems at least weekly and implement them within 30 days?
  •  Do you replace factory default settings to ensure your information security systems are securely configured?
  •  Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?
  •  Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?
  •  Whenever you entrust sensitive information to third parties do you…

a. contractually require all such third parties to protect your information with safeguards at least as good as your own,

b. perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards (e.g., conduct security/privacy audits or review findings of independent security/privacy audits),

c. audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information,

d. require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality?

  •  Do you have a way to detect unauthorized access or attempts to access sensitive information?
  •  Do you control and track all changes to your network to ensure it remains secure?

Based upon the data breach and in light of hospital network’s representations in the policy application, Columbia alleged it had no duty to defend or indemnify the policyholder because, among other things, the policyholder:

  •  failed to follow the minimum required practices, including failing to continuously implement the appropriate procedures and risk controls identified in the application and materials submitted with the application;
  •  failed to regularly check and maintain security patches;
  •  failed to regularly re-assess its information security exposure and enhance risk controls;
  •  failed to have a system in place to detect unauthorized access or attempts to access sensitive information on its servers; and
  •  failed to control and track all changes to its network to ensure it remained secure.

By analogy, anyone familiar with Verizon’s 2015 PCI Compliance Report knows that over the past decade, not a single company that suffered a data breach was fully compliant with the Payment Card Industry Data Security Standard (PCI-DSS) at the time of breach.  So in 100% of the data breaches, the victim was not in compliance with what might be termed the minimum required practices.  So what was the insurance intended to protect against if not unintentional and accidental errors and omissions?

We’ll keep an eye on this case as it progresses to see whether the policyholder is eventually required to pay the insurer for the loss. In the meantime, we cannot stress enough the importance of working with your broker and coverage counsel to run table top exercises to see how an insurance policy might respond to a data breach before you choose one policy over another.  It’s better to know how a policy might respond ahead of time so that you can determine whether the policy is worth the price or just offering illusory coverage.

The author, Bill Wagner, JD, CPCU, CIPP/US, CIPP/G, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.