The Devil Is in the Details of Cyber

A major case, one of the first disputes under a cyber insurance policy that has resulted in litigation, shows why details matter so much.

There’s a tempest amid the recent spring shower of cyber insurance cases. It isn’t the Recall Total case,[1] or the Travelers v. Federal Recovery Services case reported the week before.[2] Although those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant. The tempest case is Columbia Casualty Company v. Cottage Health System.[3] In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty, seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation. Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyber insurance coverage. Although this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully. Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices and (2) the misrepresentation defense. 
The Facts Underlying the Data Breach Litigation and Regulatory Investigation

Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained or used by the insured, Cottage Health System (Cottage).[4] In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.”[5] The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.[6] The lawsuit settled in April 2015 for $4.1 million.[7] Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.[8] Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”[9] and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”[10]

The Cyber Insurance Policy

CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.[11] The policy provides coverage for, among other things, “privacy injury claims.”[12] Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.
The Coverage Issues

CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion for “Failure to Follow Minimum Required Practices”

CNA relies upon an exclusion in the NetProtect360 policy, titled “Failure to Follow Minimum Required Practices,” which states: Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:
  • Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving:
  • Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…[13]
Citing this exclusion, CNA alleges that coverage is precluded because its insured failed to do certain things relating to network and computer security that it had represented, in its application, it would do. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things”:
  1. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol[14] settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
  2. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things.
  3. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
  4. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s “Failure to Follow Minimum Required Practices” exclusion.[15]
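The exposure alleged in paragraphs 1 and 2 above, an internet-facing FTP server that accepted anonymous logins because factory default settings were never replaced, is something an organization can check for itself before it answers an application’s questions about its controls. The audit script below is an added example and is not part of the complaint, the policy or any Cottage system; the complaint does not identify the FTP software, so vsftpd is assumed for illustration, and both configuration files are constructed.

```python
"""Audit a vsftpd configuration for the failure modes the complaint describes:
anonymous logins, settings left at factory defaults, and no transfer log with
which unauthorized access could be detected. Added example; vsftpd assumed."""
import re
from typing import Dict, List, Tuple

# Upstream vsftpd defaults (vsftpd.conf(5)) for the directives this audit reads.
# A directive absent from the file silently takes this value: nobody wrote
# anonymous_enable=NO, so anonymous logins stay on.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "xferlog_enable": "NO",
}
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse directive=value lines; blank lines and '#' comments are skipped.
    vsftpd rejects whitespace around '=', so 'foo = bar' is an error here too
    rather than a setting that looks applied but is not."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z_]+)=(.*)", line)
        if match is None:
            raise ValueError(f"line {lineno}: not a directive=value line: {raw!r}")
        conf[match.group(1).lower()] = match.group(2)
    return conf


def is_on(value: str) -> bool:
    """vsftpd boolean: YES/NO, TRUE/FALSE or 1/0, case-insensitive."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a vsftpd boolean: {value!r}")


def effective(conf: Dict[str, str], key: str) -> Tuple[bool, bool]:
    """Return (enabled, explicit); explicit=False means the factory default applies."""
    if key in conf:
        return is_on(conf[key]), True
    return is_on(VSFTPD_DEFAULTS[key]), False


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one configuration file."""
    conf = parse_vsftpd_conf(text)
    findings: List[Tuple[str, str]] = []
    anon, explicit = effective(conf, "anonymous_enable")
    if anon:
        origin = "set explicitly" if explicit else "inherited from the factory default"
        findings.append(("HIGH", f"anonymous_enable is YES ({origin}): any client, a "
                                 "search-engine crawler included, can log in without "
                                 "credentials and read the anonymous tree"))
        if effective(conf, "anon_upload_enable")[0]:
            findings.append(("HIGH", "anon_upload_enable is YES: anonymous clients can also write"))
    if not effective(conf, "xferlog_enable")[0]:
        findings.append(("MEDIUM", "xferlog_enable is NO: no transfer log, so unauthorized "
                                   "downloads can be neither detected nor reconstructed"))
    # Every directive still at its factory default gets a line, because an
    # auditor wants to see which settings were never consciously decided.
    for key, default in VSFTPD_DEFAULTS.items():
        if key not in conf:
            findings.append(("INFO", f"{key} not set; factory default {default} applies"))
    return findings


def worst_severity(findings: List[Tuple[str, str]]) -> str:
    """Highest severity present, or 'NONE'."""
    present = {sev for sev, _ in findings}
    return next((s for s in ("HIGH", "MEDIUM", "INFO") if s in present), "NONE")


# Constructed "before": a fresh install where only the banner and listen mode
# were touched, so anonymous_enable silently keeps its default of YES.
WEAK_CONF = "listen=YES\nftpd_banner=Records transfer server\n"

# Constructed "after": anonymous logins off, authenticated users read-only and
# confined to their home directories, every transfer logged.
HARDENED_CONF = """\
listen=YES
ftpd_banner=Records transfer server
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
xferlog_enable=YES
xferlog_std_format=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(conf)
        print(f"== {name}: worst={worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The point of reporting the INFO lines is the same one the complaint makes: a control that was never written down was never decided, and an application answer that says the server is “securely configured” cannot be supported by a file that is silent on the setting that matters.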
CNA does not allege that its insured acted willfully, that it acted recklessly or even that it was grossly negligent.

The Misrepresentation Defense

In support of its misrepresentation defense, CNA relies principally upon the “Application” condition in the policy, which states, among other things, that the policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:
  1. Application
  • The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.
  • This Policy shall be null and void if the Application contains any misrepresentation or omission:
  • made with the intent to deceive, or
  • which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.[16]
Citing this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:
  1. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”
  2. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”
  3. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.
  4. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.
  5. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.[17]
Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

The Takeaway Tips
  1. Beware Of Broadly Worded Cybersecurity/Data Protection Exclusions
The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,[18] and broad exclusions that would render coverage illusory are not permitted in California[19] or elsewhere.[20] Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,[21] which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:
  • Cyber Liability and CNA NetProtect Products: CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.[22]
To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing cyber liability coverage.
Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 policy is regrettably common, and, as Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, forcing insureds into coverage litigation as a predicate to obtaining coverage. The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to blunt inappropriate exclusions by narrowing them, or to eliminate them entirely, and often this does not cost additional premium.
  2. Guard Against a Misrepresentation Defense
We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. Moreover, these questions are often answered by technical specialists who may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.[23] So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.

[1] Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., --- A.3d ----, 2015 WL 2371957 (Conn. May 26, 2015).
[2] Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., No. 2:14-CV-170 TS (D. Utah May 11, 2015).
[3] No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).
[4] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶2-3. Cottage operates a network of hospitals located in Southern California. See id.
[5] Kenneth Rice, et al. v. INSYNC, Cottage Health Sys., et al., Case No. 30-2014-00701147-CU-NP-CJC (Ca. Super. Ct. Jan. 27, 2014), ¶1.
[6] Id. ¶¶68, 80. According to CNA’s complaint, Cottage also faces an ongoing investigation by the California Department of Justice regarding potential HIPAA violations. See Complaint For Declaratory Judgment And Reimbursement, ¶¶6, 22. In its declaratory judgment action, CNA also disclaims coverage for this proceeding. See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶46-49.
[7] See Order Granting Final Approval of Proposed Class Action Settlement and Judgment (Apr. 15, 2015), Findings in Support of Final Settlement Approval ¶2.B.; see also Class Action Settlement And Release Agreement, § 3.1.
[8] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶5.
[9] Id. ¶8.
[10] Id. ¶9.
[11] Id. ¶¶22-23.
[12] Id. ¶25.
[13] Id. ¶26. A separate policy “condition” states as follows:
  1. Minimum Required Practices
The Insured warrants, as a condition precedent to coverage under this Policy, that it shall:
  1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and
  2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.
Id. ¶27.
[14] File Transfer Protocol, a protocol for transferring files between computers on a network. An FTP server configured to accept anonymous logins serves the files in its anonymous directory tree to any client that connects, without credentials, which is how such content can be reached and indexed by a search engine.
[15] Id. ¶¶41-44 (footnote reference and emphasis added).
[16] Id. ¶27. CNA also cites to a “Warranty” provision in the insurance application, stating as follows: Applicant hereby declares after inquiry, that the information contained herein and in any supplemental applications or forms required hereby, are true, accurate and complete, and that no material facts have been suppressed or misstated. Applicant acknowledges a continuing obligation to report to the CNA Company to whom this Application is made (“the Company”) as soon as practicable any material changes…all such information, after signing the application and prior to issuance of this policy, and acknowledges that the Company shall have the right to withdraw or modify any outstanding quotations and/or authorization or agreement to bind the insurance based upon such changes. Further, Applicant understands and acknowledges that: 2) If a policy is issued, the Company will have relied upon, as representations, this application, any supplemental applications and any other statements furnished to this Company in conjunction with this application. 3) All supplemental applications, statements and other materials furnished to the Company in conjunction with this application are hereby incorporated by reference into this application and made a part thereof. 4) This application will be the basis of the contract and will be incorporated by reference into and made a part of such policy. Id. ¶31.
[17] Id. ¶¶51-55 (emphasis added).
[18] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”); see also 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses.”).
[19] See, e.g., Armstrong World Indus., Inc. v. Aetna Cas. & Sur. Co., 52 Cal. Rptr. 2d 690, 705 (Cal. Ct. App. 1996) (rejecting the insurers’ approach where “the insurers’ approach would essentially render the asbestos manufacturers’ insurance coverage illusory”).
[20] See, e.g., Allan D. Windt, 2 Insurance Claims and Disputes § 6:2 (6th ed. updated Mar. 2015) (“a court will not allow an exclusion to eliminate coverage that is expressly and specifically provided for in the same policy form. More generally stated, a policy will not be interpreted to create illusory coverage. For example, in the context of analyzing the absolute pollution exclusion, discussed in § 11:11, some courts have refused to apply the exclusion as written based upon what was, in effect, the conclusion that the exclusion would cause the coverage to be illusory.”).
[21] See, e.g., 2 Couch on Insurance § 22:11 (“the rule is that the objectively reasonable expectations of applicants and intended beneficiaries regarding the terms of insurance contracts will be honored even though a painstaking study of the insurance provisions would have negated those expectations”).
[22] https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html
[23] See, e.g., Rafi v. Rutgers Cas. Ins. Co., 872 N.Y.S.2d 799 (N.Y. App. Div. 2009) (“although misrepresentations made by an insured must be material, they may be innocently or unintentionally made”).