With the emergence of stand-alone cyber insurance policies, there was little doubt that the courts would ultimately be called upon to weigh in on the scope of coverage. Now, that time may have come. In an apparent case of first impression, Columbia Casualty Company (“Columbia”) is seeking a declaratory judgment in the United States District Court for the Middle District of California (2:15-cv-03432-DDP-AGR) that it is under no obligation to provide coverage to Cottage Health System (“Cottage”) relating to a data breach which resulted in the disclosure of 32,500 of Cottage’s patients’ records that were stored electronically on its servers. Columbia is alleging that that coverage is excluded due to Cottage’s failure to follow the minimum required cyber-security practices represented its application for insurance. According to Columbia, the data breach was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine. Apparently, Cottage contracted with a third-party vendor that also had access to the patient records, and may have also been responsible for the breach.
As alleged in Columbia’s complaint, Cottage operates a network of hospitals located in Southern California, and suffered a data breach that resulted in the release of electronic private health care patient information stored on network servers which it owned, maintained and/or utilized. Subsequent to the breach, a class action lawsuit was commenced against Cottage in which the plaintiffs asserted claims against it pursuant to California’s Confidentiality of Medical Information Act. The class action suit alleged that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. stored medical records on a system that was fully accessible to the internet, and that they failed to install encryption or take other security measures to protect patient information from becoming publically available. A settlement was reached in that matter in the amount of $4.125 million, and Columbia had agreed to fund the settlement (subject to a complete reservation of rights) pursuant to a “NetProtect360” cyber insurance policy issued to Columbia, Notably, Columbia also asserts that INSYNC does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the class action suit.
According to Columbia, prior to the issuance of the subject policy, it asked Cottage to complete, as part of its application, a risk control self-assessment. In doing so, Cottage represented that it followed minimum required practices relating to its data security, including checking for security patches to its systems at least weekly, replacing factory default settings to ensure that its information security systems are securely configured, re-assessing its exposure to information security and privacy threats at least yearly, outsourcing its information security management to a qualified firm specializing in security (or having staff responsible for and trained in information security), having a way to detect unauthorized access or attempts to access its sensitive information, and tracking all changes to its network to ensure it remains secure. In addition, Cottage also indicated in its risk assessment that whenever it entrusts sensitive information to third parties, it: contractually require all such parties to protect the information with safeguards at least as good as its own; performs due diligence on each such party to ensure that their safeguards for protecting sensitive information meet Cottage’s standards; conducts security/privacy audits or review findings of independent security/privacy auditors; audits all such third parties at least once per year to ensure that they continuously satisfy Cottage’s standards for safeguarding sensitive information; and that it requires the third parties to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality.
Columbia’s complaint claims that Cottage’s application, and its representations as to its minimum security requirements were incorporated into the policy by reference, and adherence thereto was a condition precedent to coverage. In that regard, Columbia maintains that the policy provides for the preclusion of coverage in the event Cottage fails, during the policy period, to “continuously implement the procedures and risk controls identified in [its] application for this Insurance.” In Columbia’s declaratory judgment action, it alleges that coverage is precluded because the data breach was caused by Cottage’s failure to regularly check and maintain security patches on its systems, failure to regularly re-assess its information security exposure and enhance risk controls, failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure.
While Columbia’s complaint seeks to disclaim coverage based on a breach of policy condition, the disposition is likely to turn on the facts; specifically, whether the security efforts, if any, implemented by Cottage were sufficient to comply with the representations made in its application. In addition, the Court will be asked to consider interpretation of the conditions to coverage and whether there was a material breach of those conditions, resulting in the exclusion of coverage. However, irrespective of the outcome of this case, Columbia’s complaint serves as a cautionary tale to policyholders to (1) perform due diligence reviews concerning the financial health of their third-party vendors and to (2) ensure that their contracts with such vendors include meaningful indemnification provisions, including, where appropriate, that the vendors be required to maintain sufficient insurance in the event they are the cause of a data breach that results in liability to the policyholder. In addition, the case underscores the importance that companies in the market for cyber-insurance ensure that they fully understand the terms and scope of coverage and any exclusions in potential policies, as well as the need to negotiate limits to, or even removal of, any onerous exclusions that could possibly defeat the intended scope of coverage.