A few weeks ago the insurance-coverage community experienced a watershed event: the first publicized lawsuit by an insurer seeking a declaration of “no coverage” under a cyber-insurance policy. The case is Columbia Casualty Company v. Cottage Health Systems, filed in the Central District of California, and the issue is the insured’s compliance with a pledge that it would use “minimum required” data-security practices. This case holds important lessons for those considering cyber coverage – chiefly, be careful what you say in your application, and don’t expect your insurer to treat you with kid gloves just because cyber coverage is a new product. (NB: although we wouldn’t normally cover California litigation, this filing raises red-hot issues, so we decided to make an exception.)
The Cottage Health data breach was caused by user error, which is reported to be the leading cause of data security incidents across all sectors of the economy. Cottage is a three-hospital health system in the Santa Barbara area. According to published reports, the hospital contracted with an IT firm, “InSync,” to put medical records on a File Transfer Protocol (“FTP”) server so that they could be accessed remotely, but no one made sure that access to the records was restricted to authenticated users, or that the data was encrypted. As a result the FTP files were reachable by Google’s search “bots” and could be found with a Google search. Reportedly the error was caught only after someone reported the issue to the hospital. A class-action suit against InSync and Cottage followed, alleging (among other things) violations of California’s Confidentiality of Medical Information Act. Apparently the state DOJ is also investigating possible HIPAA violations.
Cottage’s cyber-liability insurer, Columbia Casualty (owned by mega-insurer CNA), picked up the defense, and even funded a $4.1 million settlement with the class, but under a reservation of rights. In the new coverage lawsuit, CNA seeks to recover the settlement money and all of its defense costs from Cottage.
CNA, like many insurers, required Cottage to fill out a detailed cyber coverage application and “self-assessment” which involved answering a host of questions about IT security practices. Most of the questions were broadly worded, such as “Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?” A few of the questions were more specific, however, such as whether Cottage routinely changed default software settings if required to make systems secure. The application also addressed the use of vendors, including questions about whether Cottage required its third-party vendors to observe the same or stricter security practices as those used by Cottage, and whether Cottage required vendors to have cyber-liability insurance. (Cottage of course answered “yes” to all questions.)
The application and the policy itself contained several kinds of “warranties” about Cottage’s compliance with security standards, and the policy contained an exclusion that coverage would not be provided for damages resulting from “[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . .” (emphasis added).
CNA claims that Cottage’s “yes” answers on the application were false, or that if the answers were true when the application was made, Cottage subsequently failed to “maintain” those practices. Although CNA’s complaint does not specifically say what Cottage didn’t do that it should have done, reading between the lines it appears that CNA is focusing on three contentions: first, that the breach occurred because the vendor, InSync, failed to change the default FTP setting on the server software from “open access” to password-only access; second, that the medical data was not encrypted on the server; and third, that Cottage did not make sure that InSync had cyber insurance coverage of its own. The first two are distinct controls: a server that permits anonymous login accepts connections from anyone, web crawlers included, without credentials, and plain FTP moves credentials and file contents across the network in cleartext unless the server is configured to require TLS, which is separate again from whether the stored files themselves were encrypted.
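As an added example (not code from the original post or from any party to the case), the short Python script below audits an FTP server configuration for the two controls at issue: credential-less (anonymous) access and unencrypted transfer. It assumes vsftpd, which the post does not name; the point it makes holds for any server whose compiled-in defaults are permissive: a setting that is simply never mentioned in the config file is not “off”, it is whatever the default says, and the audit therefore runs over the effective (defaults-plus-file) configuration rather than the file alone. The sample configurations are constructed for illustration, not taken from the case record, and the script says nothing about encryption of the stored files, which no FTP server setting controls.

```python
"""Audit a vsftpd-style configuration for the two defaults at issue in the
Cottage breach: credential-less (anonymous) access and unencrypted transfer.

Added example; not code from the original post or from any party to the case.
vsftpd is an assumption: the post does not name the FTP server software.
Settings absent from the file fall back to vsftpd's compiled-in defaults,
which is how a server nobody explicitly locked down ends up open.
"""

# Compiled-in defaults for the settings that matter here, as documented in
# vsftpd.conf(5). Distribution packages often ship a vsftpd.conf that
# overrides some of these, which is why the audit is run on the effective
# (merged) configuration rather than on the file alone.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",      # anyone may log in as 'anonymous'
    "local_enable": "NO",           # real accounts may not log in
    "ssl_enable": "NO",             # no TLS at all
    "force_local_data_ssl": "YES",  # only meaningful once ssl_enable=YES
    "force_local_logins_ssl": "YES",
}


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def effective_config(text):
    """Merge the file's settings over the compiled-in defaults."""
    merged = dict(VSFTPD_DEFAULTS)
    merged.update(parse_config(text))
    return merged


def is_yes(value):
    # vsftpd accepts YES/NO, TRUE/FALSE and 1/0, case-insensitively.
    return value.strip().upper() in ("YES", "TRUE", "1")


def audit(text):
    """Return a list of findings; an empty list means both controls are in place."""
    cfg = effective_config(text)
    findings = []
    if is_yes(cfg["anonymous_enable"]):
        findings.append(
            "anonymous_enable is YES (the compiled-in default): anyone, search "
            "crawlers included, can log in without credentials")
    if not is_yes(cfg["ssl_enable"]):
        findings.append(
            "ssl_enable is NO: logins and file contents cross the network in cleartext")
    elif not (is_yes(cfg["force_local_logins_ssl"]) and is_yes(cfg["force_local_data_ssl"])):
        findings.append(
            "TLS is offered but not required: clients may still fall back to cleartext")
    return findings


# Constructed sample configurations (not taken from the case record).
# A file that never mentions the two controls inherits the open defaults.
NEVER_LOCKED_DOWN = """\
listen=YES
write_enable=NO
"""

# Explicitly hardened: named accounts only, TLS required for logins and data.
HARDENED = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
"""

# Half-measure: TLS is configured, but clients are allowed to decline it.
TLS_OPTIONAL = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_data_ssl=NO
"""

if __name__ == "__main__":
    for name, text in [("never locked down", NEVER_LOCKED_DOWN),
                       ("hardened", HARDENED),
                       ("TLS optional", TLS_OPTIONAL)]:
        print(f"{name}: {audit(text) or ['no findings']}")
```

The “never locked down” file is the interesting case: it contains nothing wrong, and is open precisely because of what it leaves unsaid. A vendor answering “we changed the defaults where required” on an application would need to show a file like the hardened one, not merely a file that contains no dangerous lines.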
This is something of a nightmare scenario for those of us who advise policyholders on cyber liability and coverage. There are several “weak links” when it comes to cyber, and this case hits on several of them.
First, because there is so little claims history in the “cyber” world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed “self-assessments.” That is not a problem if the people filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.
Second, because of the evolving nature of cyber risks (and because vagueness suits their approach to the business), insurance companies frequently use vague wording in application materials and in their policies. Vague language lets the insurer argue after the fact for whatever meaning favors it. We can see that in action here, in the question asking whether Cottage did a yearly re-assessment of risks and “enhanced” its “risk controls in response to changes.” What does that mean? If spear-phishing attacks increase, must the company eliminate the use of email? Or is it enough to adopt published “best practices,” a rule of reasonableness? Those are the kinds of questions that may be litigated in this case, and they could have been avoided if the insurer had not been able to get away with vague language that it could later turn to its advantage.
Third, vendors. Vendors, the source of so many data security incidents, create substantial problems when it comes to insurance. What looks like a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices. That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant. It is also particularly difficult to ensure, as the CNA application asked, that every vendor “maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality” when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different from those of the customer.
In this case it appears that CNA is trying to avoid coverage by using Cottage’s “warranty” of compliance with vaguely worded promises about its security practices, in a case where negligent oversight of a vendor caused an accidental data breach. That is, of course, exactly why a business buys liability insurance: to cover an accident caused through negligence. The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, shows that this insurer, at least, is willing to use the kind of sharp-elbowed tactics to limit its loss payments that we see with other kinds of coverage. In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers. To avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to negotiate “warranty” language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor’s insurance policies and security practices. Taking those steps will not eliminate coverage disputes of this sort, but in this area every step is an important one.