Why it matters: Columbia Casualty Company v. Cottage Health Systems was filed on May 7, 2015, in the Central District of California. Cottage Health is one of the first cases nationwide—if not the first case—in which the scope of a “best practices” or “minimum required practices” exclusion within a modern cyber insurance policy is being tested.
Detailed discussion: In Cottage Health, Columbia Casualty Company seeks reimbursement of amounts it paid under a reservation of rights to defend and settle a data breach class action against its insured, Cottage Health. In the data breach action, it was alleged that confidential medical records of Cottage Health’s patients stored electronically on its servers were available to the public on the Internet. It further was alleged that Cottage Health failed to utilize proper encryption or other security measures in violation of the California Medical Information Act.
Columbia issued a cyber liability policy to Cottage Health, which provides coverage for a number of cyber-related risks, including “Privacy Injury Claims and Privacy Regulation Proceedings.” However, the policy contains a specific exclusion for:
Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . .
Columbia claims the improper disclosure of patient medical records was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its coverage application. Thus, Columbia asserts, the exclusion applies to preclude coverage for the class action.
These types of “best practices” exclusions are all too common in cyber policies. They vary in form and language, but typically purport to exclude coverage where a policyholder fails to take steps to design, maintain, or upgrade its cyber security. From a policyholder perspective, these exclusions are particularly pernicious because insurers may assert, as Columbia Casualty asserts here, that they apply to almost any security failure. Even worse, they are contrary to policyholders’ reasonable expectations that their liability insurance (including their cyber liability insurance) will protect them against their own negligent conduct. But as written, these exclusions actually may be triggered by policyholders’ negligence (i.e., their failure to take certain steps to maintain or upgrade their cyber security). This turns traditional notions of liability insurance on their head.
This case could go a long way in determining the value of cyber policies to many current and potential purchasers. In the case of “best practices” or “minimum required practices” exclusions, the very acts and omissions that some policyholders think they are insuring against could, in some circumstances, be what their insurer asserts triggers the exclusion. So for companies that do purchase cyber policies, it is imperative that they read through the terms of their policies carefully to fully appreciate the potential breadth of these exclusions. They also should seek to negotiate appropriate limits to these exclusions, or seek to eliminate them altogether, when purchasing the coverage. And when in doubt, they should consider seeking advice from experienced coverage counsel.