In follow up to our previous post, on Friday, July 17, the U.S. District Court for the Central District of California dismissed a lawsuit initiated by Columbia Casualty Company (“Columbia”) against Cottage Health System (“Cottage”) related to a data breach that released about 32,500 patient healthcare records that were stored electronically on Cottage’s network servers.  Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432 would have been a case of first impression in the California district court and one of the first litigated disputes involving a stand-alone cyberinsurance policy.

According to U.S. District Judge Dean D. Pregerson, who dismissed the suit, Columbia’s resort to litigation was premature.  In this regard, the stand-alone “NetProtect360” cyberinsurance policy at issue provided that “[a]ll disputes and differences between the Insured and Insurer which may arise under or in connection with this policy  . . . shall be submitted to the alternative dispute resolution (“ADR”) process” and that if the chosen method of ADR is mediation, then “no . . . judicial proceeding shall be commenced until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of the termination . . . .”


Continue Reading California District Court Dismisses Suit, Without Prejudice, Over Stand-Alone Cyberinsurance Policy

The ever-increasing frequency of cyber incidents has caused companies to recognize the need for cyberinsurance policies in addition to more traditional types of coverage.  A recent case, Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432, suggests that even coverage under these stand-alone cyberinsurance policies may have limits.
Earlier this month, Columbia Casualty Company (“Columbia”) filed an action in the U.S. District Court for the Central District of California, seeking a declaration that it is not obligated to provide coverage to Cottage Health System (“Cottage”) in connection with a data breach that resulted in the release of private healthcare patient information stored on Cottage’s network servers.  In a case of first impression, the district court has been asked to decide the scope of coverage provided by the stand-alone “NetProtect360” cyberinsurance policy issued by Columbia to Cottage.
Continue Reading California District Court Called Upon to Determine Scope of Coverage Provided by Stand-Alone Cyberinsurance Policy

The National Association of Insurance Commissioners (“NAIC”) has encouraged insurers and state insurance regulators to act proactively in reducing cybersecurity risks to consumer financial and health information.  On April 16, the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance (“Principles”), twelve regulatory principles aimed at increasing the protection of [confidential and personally identifiable information] against cybersecurity breaches.  The Principles promote collaboration between regulators charged with guidance and oversight, and insurers that can identify risks and offer practical solutions for protecting sensitive information.
Continue Reading NAIC Provides Cybersecurity Guidance for Insurers, Regulators