With all the high-profile and precedent-setting activity that occurred last month, May might as well be known as Data Breach Coverage Month. It saw the settlement of a landmark online data breach coverage case, the first cyberinsurance coverage ruling, a state supreme court affirming a data breach coverage ruling favorable to insurers, and a cyberinsurer initiating coverage litigation over a hotly disputed exclusion.
A quick analysis of these recent developments and their potential impacts shows there can be no doubt that cyberinsurance is one of the most important concerns — if not the most important one — for insurers and policyholders in 2015.
Sony and its CGL insurers recently announced the settlement of their landmark coverage dispute arising out of the 2011 hacking of the Sony PlayStation Network. Each side is claiming victory.
The insurance industry is, of course, pleased that Judge Jeffrey Oing’s influential and well-reasoned decision has been preserved. By contrast, policyholders have declared themselves resolute believers that coverage for data breaches is available after all under CGL policies. Even if policyholders are so emboldened, that may be short lived, as the new ISO data breach exclusion titled “Exclusion — Access or Disclosure of Confidential or Personal Information and Data-Related Liability — With Limited Bodily Injury Exception” (CG 21 06 05 14) is already commonplace in CGL policies issued in the last year (and those going forward).
At bottom, there is no reason to believe the settlement changes the answer to the fundamental question, “What should I do to protect myself from cyber losses?” That remains — buy cyberinsurance!
Speaking of cyberinsurance …
In Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., the U.S. District Court for the District of Utah denied the defendants-policyholders’ motion for partial summary judgment and found that the Travelers plaintiffs had no duty to defend them in the underlying lawsuit. The most significant aspect of the decision is that the parties were disputing coverage under the Network and Information Security Liability and Technology Errors and Omissions Liability parts of a CyberFirst Policy, making this the first coverage decision with respect to a new-generation cyberinsurance policy.
While the case did not involve a data breach or other like cybersecurity loss, but was rather a classic intent to injure vs. negligent conduct dispute, the case is significant because it serves as a reminder that (1) cyberinsurance policies are written by underwriters trained on and comfortable with traditional liability policies, and (2) judicial interpretations of the terms and concepts used in these cyberinsurance policies will likely be informed by decisions regarding traditional CGL and E&O policies. Therefore, it is important to remember that cyberinsurance disputes will not be decided against a blank canvas.
The Connecticut Supreme Court made a very significant ruling in Recall Total Information Management, Inc. v. Federal Insurance Co., adopting wholesale the Appellate Court’s well-reasoned ruling that an insured’s loss of sensitive records, without more, does not constitute a “publication” of material that violates a person’s right of privacy. Notably, the Appellate Court held that absent proof of an unauthorized third party’s access to the personal identification information, the “publication” element of the Privacy Offense (under the definition of “personal and advertising injury” in a standard CGL policy) is not satisfied. This ruling is a boon to insurers and provides further evidence that CGL policies are not a viable option for data breach coverage. This is especially true in light of the new ISO data breach exclusion referenced above.
Columbia Casualty Company filed a declaratory judgment action in the U.S. District Court for the Central District of California, seeking a declaration that it is not obligated to defend or indemnify Cottage Health System (CHS) and that it is entitled to full reimbursement from CHS of defense costs and settlement payments paid on behalf of CHS. The litigation concerns a NetProtect360 policy, which contains Privacy Injury Claims and Privacy Regulation Proceedings coverage parts.
The claim giving rise to the coverage litigation involved a data breach that resulted in the release of private health care patient information. A class action lawsuit was filed against CHS for violations of California’s Confidentiality of Medical Information Act. The class action lawsuit was settled for $4.125 million, which Columbia Casualty paid, although it reserved its rights to seek reimbursement of attorney’s fees and settlement payments attributable to uncovered claims.
The subject policy contained a Failure to Follow Minimum Required Practices Exclusion, which stated that Columbia Casualty was not liable to pay any loss “based upon, directly or indirectly arising out of, or in any way involving: … [a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” The subject policy also included language that CHS warranted that it would follow the “Minimum Required Practices” set forth in a particular endorsement and maintain all risk controls identified in the application.
Columbia Casualty contends that CHS failed to adhere to certain minimum required practices, and that its failure to do so was the cause of the data breach and subsequent loss. These alleged failures include deficiencies in CHS’ file transfer protocol settings on its internet servers and deficiencies in CHS’ protocols for replacing factory default settings, checking and maintaining security patches, assessing information security exposure, detecting unauthorized access or attempts to access sensitive stored information, tracking changes to its network, and others.
This case is still in its nascent stages, but it illustrates a very important lesson for policyholders. While it is imperative that businesses large and small purchase cyberinsurance, it is almost equally imperative that they have proper guidance when making this essential purchase. That should include enlisting the help of a broker, and potentially also coverage counsel, highly knowledgeable about cyberinsurance.
We recently wrote an article identifying the key risk management considerations for policyholders, i.e., a map of the cyberinsurance landmines. In addition to the 10 considerations discussed in the article, exclusions like the Minimum Required Practices Exclusion relied upon by Columbia Casualty should be of particular concern to policyholders since they can have a broad application. It would be in the policyholders’ best interests to try to negotiate the removal of these exclusions from their cyberinsurance policies, or at least negotiate for a version much narrower than the one purchased by CHS. Policyholders do not want to be like CHS and think they are covered for data breach losses, only to find out post-breach that because they did not carefully read the policy, the deficiencies in their cybersecurity apparatus not only left them exposed to data breaches, but also may leave them uninsured.
For more information about the impact of these developments on your business, please contact: