The massive data breach at Washington health insurer Premera Blue Cross Blue Shield has spawned at last count fifteen class action lawsuits in Washington alone and leastone suit in Oregon federal court. The suits allege that over 11 million records were exposed in the hack, including not just personally identifiable information but also health treatment and medication histories.
Examining the allegations in these class action complaints, and the differences among them, is instructive for those of us advising clients on insuring against these kinds of risks, because this will not be the last time this kind of breach will occur. This post will focus on only two of the many issues that these complaints raise.
I should emphasize that I know nothing about Premera’s insurance situation, and that the discussion below is purely based on general observations. Also, the below comments should not be taken as commentary on the validity or any of the plaintiffs’ claims (some of which — like the “bailment” claim — have been rejected in other class action suits).
Timing Issues & Known Loss. One of the more striking things about the complaints against Premera is the contention that Premera knew that its systems were vulnerable, and that it had been hacked, well before it disclosed the data breach to its customers. Each of the complaints claim that the federal Officer of Personnel Management audited Premera’s systems in early 2014 and that on April 18, 2014 Premera received a report from OPM that its systems were vulnerable to attack due to (among other things) failure to make updates to security software, and that the hackers infiltrated Premera’s IT system almost immediately thereafter, in early May, 2014. The complaints also allege that Premera knew that it had been hacked in January, 2015. But Premera did not disclose the breach to customers until March, 2015.
This brings to mind common coverage defenses used by insurers who issue “claims made” policies, which most cyber coverage policies are: that the claim was known earlier than it was reported. A claims-made policy provides liability coverage for claims made against the insured during the policy year, irrespective of when the incident happened. That would mean that a complaint filed against Premera in April, 2015 would generally be covered by its policy in effect in April, 2015. But what if Premera knew that it would very likely be sued before that policy period started, or before it even applied for the policy? And what if it failed to disclose what it knew during the application process? All of these are issues commonly raised by insurance carriers looking to get out of paying a loss.
Also, cyber coverage in particular is often tied not only to when a claim is made but also to when the “wrongful act” or “negligent act” that allowed the breach to happen took place. Coverage is sometimes conditioned on the negligent act having occurred within a certain time span prior to the beginning date of the policy, referred to as the “retroactive date.” It is increasingly common to hear that a “hack” was accomplished months before the data breach was discovered. If the hackers got in before the retroactive date, does that mean no coverage?
Claims Under State Data Breach Laws. Most of the complaints contain a claim under Washington’s “Data Disclosure Law,” but not a direct claim under the Oregon analogue. Why? Because the Washington law expressly provides a private cause of action for damages if any Washington company fails to promptly notify consumers of a breach. Oregon law (http://www.oregonlaws.org/ors/646A.624) does not provide for a private cause of action. The Washington statute, however, does not provide for any kind of minimal or statutory damages, and requires that the customer have been “injured” to maintain a suit. That is both good for the defense of the claim (since the customers may have trouble establishing standing if their personal data has not actually been used, as discussed in this post), and good for coverage. Cyber policies, like many similar kinds of policies, often provide coverage for “damages” but exclude coverage for “penalties and fines,” leading to coverage disputes about whether statutory damages are in fact “damages.” Some states, like Arizona, provide civil penalties for violations of breach laws. And increasingly cyber policies are providing coverage for some kinds of regulatory fines or penalties, which is a good thing particularly given the recent news about large HIPAA fines.
In addition to the claim under the Washington statute, and in lieu of a direct claim under the Oregon statute, many of the complaints bring claims under the Washington and Oregon unfair trade practices or “consumer protection” statutes. Potentially relevant to coverage are the claims under those statutes for treble damages. Carriers routinely argue that the multiplied portions of awards are uninsurable punitive damages or are not covered as a penalty.
There is no question that a large damages exposure will give an insurer incentive to take aggressive coverage positions. Data breach suits will be no exception. Savvy policyholder advisors will need to anticipate these defenses and plan accordingly. So stay tuned for further reflections on the coverage issues that may arise from the Premera and similar suits.