Key takeaway:   The insurance applications and underwriting questionnaires prepared in connection with cyber insurance do matter.

Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions.  This is beginning to change as disputes arise and make through way through the judicial system.

One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy.  In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the internet.  Cottage allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards.  The California court granted approval of the $4.125 million settlement fund in December 2014.  CNA, which had reserved rights, filed this action. You can read more about the underlying lawsuit here.

In it, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.”  In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures.  CNA asserts that this representation in the application was false.

Insureds and insurers in the cyber space would do well to watch this matter unfold.  The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides.  Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies.  Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week, here.

Credit:  Staff attorney Jacquelyn Burke