In follow up to our previous post, on Friday, July 17, the U.S. District Court for the Central District of California dismissed a lawsuit initiated by Columbia Casualty Company (“Columbia”) against Cottage Health System (“Cottage”) related to a data breach that released about 32,500 patient healthcare records that were stored electronically on Cottage’s network servers. Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432 would have been a case of first impression in the California district court and one of the first litigated disputes involving a stand-alone cyberinsurance policy.
According to U.S. District Judge Dean D. Pregerson, who dismissed the suit, Columbia’s resort to litigation was premature. In this regard, the stand-alone “NetProtect360” cyberinsurance policy at issue provided that “[a]ll disputes and differences between the Insured and Insurer which may arise under or in connection with this policy . . . shall be submitted to the alternative dispute resolution (“ADR”) process” and that if the chosen method of ADR is mediation, then “no . . . judicial proceeding shall be commenced until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of the termination . . . .”
On June 18, Cottage had filed a motion to dismiss Columbia’s suit, arguing that Columbia filed its suit before complying with this mandatory ADR provision. While Columbia acknowledged the existence and applicability of the ADR provision, Columbia had argued that since the parties had now decided to try to mediate the dispute, a stay of the litigation was more appropriate than outright dismissal.
In his July 17 opinion, Judge Pregerson explained that the Ninth Circuit set out two methods for dispensing with a claim when the non-judicial remedies have not been exhausted: dismissal and summary judgment. And where the failure to exhaust was clear from the face of the complaint, dismissal of the case is appropriate. In the instant case, the complaint did not allege that Columbia abided by the ADR provision in filing its suit and Columbia did not argue to the contrary. As a result, thus the district court concluded that Columbia’s failure to exhaust the non-judicial remedies required by the NetProtect360 policy was apparent on the face of its complaint and the district court dismissed the lawsuit without prejudice.
Even though the Court dismissed Columbia Casualty Company v. Cottage Health System, we anticipate that, given the frequency of data breach incidents and the increasing popularity of stand-alone cyberinsurance policies, there will be other disputes over coverage under such policies. And it is also possible that even Columbia and Cottage will once again find themselves in litigation if the parties’ pursuit of alternative dispute resolution is unsuccessful.