Why it matters: In May insurer Columbia Casualty Company filed a lawsuit in California federal court that had cyber insurance policyholders taking notice. The insured, Cottage Health System, suffered a data breach in October 2013. Patients filed suit, and Cottage settled for $4.125 million. Columbia paid the settlement, and then filed a declaratory judgment action seeking reimbursement for the amounts it paid. Columbia argued that Cottage's efforts at data security failed to meet even minimal standards, and that such poor security violated the terms of its cyber insurance policy. Cottage then filed a motion to dismiss, arguing that Columbia failed to mediate with Cottage prior to filing suit, as required by the policy. Columbia told the court it decided against mediation because the effort would have been "futile" based on preliminary efforts to resolve the dispute. But the court, citing Ninth Circuit precedent, held that the court's only two options where Columbia failed to mediate were dismissal or summary judgment. The court opted for the first option and dismissed the suit without prejudice, giving the parties the chance to attempt to resolve their dispute via mediation.

For further background on the case, click here to review coverage by Business Insurance ("Mediation Ruled First Step in Cyber Coverage Case") or here to review a summary of a recent Reuters article ("Judge Tosses Data Breach Coverage Suit for Failure to Mediate"), for which Stephen Raptis and Susan Page White, partners in Manatt's Insurance Recovery practice, provided commentary.

Detailed discussion: Cottage Health System, a nonprofit network of six hospitals, suffered a data breach in 2013 that made the medical records of more than 32,000 patients public. The patients filed suit, and Cottage reached a deal to settle the case for $4.125 million in late 2014.

Columbia agreed to fund the settlement, but reserved its right to seek reimbursement. Columbia then filed a declaratory judgment action, seeking to recover the amount it paid for the settlement. Columbia argued that the policyholder's lack of data security standards resulted in the breach. As a result, coverage for the breach was precluded by an exclusion for Failure to Follow Minimum Required Practices, which applies to losses involving failure to continue to implement certain data security procedures and risk controls set forth in Cottage's policy application and related materials. Cottage's actions fell squarely within the exclusion, Columbia argued, because, among other things, Cottage used Internet servers that allowed access to private patient information through Google, and did not maintain a system to detect unauthorized attempts to access sensitive information.

But Cottage countered that Columbia itself failed to follow policy requirements. In particular, Cottage pointed to a policy provision requiring that "[a]ll disputes and differences between the Insured and the Insurer which may arise under or in connection with this policy … shall be submitted to the alternative dispute resolution (ADR) process." If mediation is the chosen method of ADR, "no … judicial proceeding shall be commenced until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of the termination." Columbia made no effort to resolve the dispute via ADR, Cottage told the court in a motion to dismiss.

U.S. District Court Judge Dean D. Pregerson opined that his only decision was whether to dismiss the case altogether or, as requested by Columbia, to issue a stay. The language of the policy "controls the timing of suits arising out of the policy and requires that the ADR process take place before a lawsuit is initiated," the court held. "Plaintiff makes no argument that the ADR provision is unconscionable or otherwise unenforceable as a matter of contract, and the provision does not deprive Plaintiff of the right to bring a lawsuit if mediation fails. There is no reason not to hold Plaintiff to its agreement."

The "Court concludes that [Columbia's] failure to exhaust [ADR requirements] is clear from the face of the complaint," Judge Pregerson wrote. "The complaint does not allege that Plaintiff abided by the ADR clause in filing the action; nor, indeed, has Plaintiff argued otherwise. That plaintiff has not exhausted the non-judicial remedies required by the contract is therefore apparent on the face of the complaint." The court also noted that Columbia had not asserted that it would suffer prejudice if the action were dismissed rather than stayed (such as the running of the statute of limitations).

Accordingly, the court granted Cottage's motion to dismiss without prejudice, allowing the parties to pursue ADR under the terms of the policy.

To read the order in Columbia Casualty Co. v. Cottage Health System, click here.