The ever-increasing frequency of cyber incidents has caused companies to recognize the need for cyberinsurance policies in addition to more traditional types of coverage. A recent case, Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432, suggests that even coverage under these stand-alone cyberinsurance policies may have limits.
Earlier this month, Columbia Casualty Company (“Columbia”) filed an action in the U.S. District Court for the Central District of California, seeking a declaration that it is not obligated to provide coverage to Cottage Health System (“Cottage”) in connection with a data breach that resulted in the release of private healthcare patient information stored on Cottage’s network servers. In a case of first impression, the district court has been asked to decide the scope of coverage provided by the stand-alone “NetProtect360” cyberinsurance policy issued by Columbia to Cottage.
According to Columbia’s complaint, Cottage, which operates a network of hospitals in Southern California, experienced a data breach that disclosed approximately 32,500 patient medical records which had been stored electronically on its servers. Following the breach, patients whose information had been stored on Cottage’s servers filed a class action lawsuit, alleging:
(1) the breach occurred because Cottage and/or its third-party vendor stored medical records on a system fully accessible to the Internet, without the proper security measures; and
(2) Cottage violated its nondelegable duties, under California’s Confidentiality of Medical Information Act (“CMIA”) and the Health Insurance Portability and Accountability Act (“HIPAA”), to maintain the security of confidential medical records and to detect and prevent data breaches on its systems.
In December 2014, a $4.13 million settlement was reached in the class action and Columbia agreed to fund the settlement subject to a complete reservation of rights.
In addition to the class action suit, the Cottage data breach is the subject of a pending investigation by the California Department of Justice (“CDOJ”), which will determine whether Cottage failed to satisfy its obligations under HIPAA and any other relevant state and federal laws.
Columbia’s Allegations as to Coverage
In its complaint, Columbia maintains that, contrary to Cottage’s representations in its insurance application that it had implemented and would continue to maintain certain minimum security measures, Cottage failed to do so and the data breach occurred as a result of this failure. Specifically, as part of Cottage’s insurance application, it completed a “Risk Control Self Assessment” in which it represented that, among other things, it:
(1) regularly checked for security patches,
(2) took steps to ensure secure configuration of security systems,
(3) re-assessed exposure to privacy threats annually and responded with enhanced risk control measures, and
(4) contractually required all third parties entrusted with sensitive information to protect this information with certain safeguards.
According to Columbia, however, the data breach at issue in the class action and pending CDOJ proceeding was caused by Cottage’s use of Internet servers that allowed anyone to access patient information through Google, as well as its failure to regularly vet its security measures, to re-assess exposure and enhance privacy controls, and to maintain a system to detect unauthorized attempts to access sensitive information.
In addition to Cottage’s alleged misrepresentations, Columbia points to an exclusion in the NetProtect360 policy for “Failure to Follow Minimum Required Practices.” This exclusion bars coverage of any loss involving any failure by Cottage to continue to implement procedures and risk controls set forth in its insurance application and related information submitted in connection with the application.
Columbia now seeks a declaration from the California court that Cottage is precluded from seeking coverage under its NetProtect360 policy (and therefore that Columbia is not obligated to defend or indemnify Cottage in the class action, the pending CDOJ proceeding, or any other action related to the data breach at issue). To the extent the NetProtect360 policy does not provide coverage, Columbia also seeks a declaration that it is entitled to reimbursement from Cottage for the full amount that Columbia paid in settlement of the class action and any other amounts it has paid or will pay in the defense and settlement of the class action or any related proceedings.
Policyholders and insurers alike are sure to pay close attention as Columbia Casualty unfolds. As one of the first cybersecurity disputes involving a stand-alone cyberinsurance policy to go to litigation, this case highlights that even specialized cyberinsurance policies may not provide coverage for every cyber incident.