Policyholder Cottage Health Systems successfully moved to dismiss Columbia Casualty’s complaint for declaratory relief and recoupment of the $4.125 million it paid to settle a putative data breach class action. The California federal court in the case recently ruled that the cyber liability policy’s alternative dispute resolution provision, obligating the parties to mediate any coverage dispute prior to filing suit, required dismissal of Columbia Casualty’s lawsuit for failure to exhaust non-judicial remedies.

In this suit, Columbia Casualty had sought a declaration that its “NetProtect360” policy did not cover the underlying action, which alleged that electronic patient records of Cottage’s hospitals were leaked publicly via the Internet. The underlying claimants alleged that either Cottage Health Systems or its third-party vendor stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who “surfed” the Internet. Relying on that allegation, Columbia Casualty invoked, among other things, a “Failure to Follow Minimum Required Practices” exclusion, which bars coverage for claims involving “[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance …”

Columbia Casualty alleged that Cottage Health Systems falsely warranted that it took various security measures, such as checking for security patches to its systems at least weekly and implementing them within 30 days, and that it re-assessed its exposure to information security and privacy threats at least yearly.

TIP: This case is a reminder that insurers will carefully scrutinize your answers on applications for data breach insurance; those responses should thus be thoroughly vetted.