Back in April, the London-based insurance market Lloyd's reported a 50 percent increase in the number of data breach insurance submissions filed in the first three months of 2015 as compared to last year. This development challenges some of the arguments offered by leading experts in the field of information security that seek to explain why more companies are not investing in data breach protection. Among the reasons put forward is the terrorism exclusion clause, a provision commonly included in most data breach insurance policies that precludes coverage in the event of damage, losses, and other costs that occur in relation to acts of terrorism, domestic or foreign. These and other restrictions, the argument goes, provides a disincentive for companies to increase their coverage provided under an existing policy or to even purchase data breach insurance in the first place. Now a new court case is seeking to enforce another, potentially more damaging exclusion of some data breach insurance policies. In Columbia Casualty Co. v. Cottage Health System, the plaintiff is alleging that the defendant violated its NetProtect360 claims-made health care data protection policy and that it therefore should not have been required to provide a defense or indemnification on behalf of the defendant for a recent security incident.
Between October 8, 2013 and December 2, 2013, Cottage Health System suffered a data breach that exposed the confidential health records of some 32,500 patients. An investigation later revealed that the patients' information was stored on a system that was fully accessible to the Internet and that such data was not encrypted or protected via other security measures. In 2014, Columbia Casualty Co. agreed to fund a $4.2 million settlement to a class-action lawsuit brought against Cottage as a result of the breach. Since then, however, Columbia has filed a suit of its own stating that it should not have been obligated to pay for these damages. Columbia's case rests on the following two principles:
The "Mistake Exclusion": No Room for Negligence
Much of the focus of Columbia v. Cottage rests with a provision known as the "Mistake Exclusion," which precludes coverage in the event that the insured fails to maintain adequate data security safeguards. For example, as cited by JD Supra, LLC, an AIG form from 2006 denied coverage in the event a client failed "to take reasonable steps to use, design, maintain, and upgrade your security." Similarly, a 2009 Darwin form precluded coverage for the insured if they failed "to continuously implement the procedures and risk controls identified in the Application for this insurance." These sample policies enable insurers to deny an insured's claim for data breach protection whenever any sort of negligence on the latter's part is readily apparent or inferred. Under this provision, most claims except those in which it can be proved that a gifted hacker succeeded in outsmarting the most robust security system could therefore be dismissed. In the case of Columbia v. Cottage, the plaintiff alleges that the defendant neglected to change its File Transfer Protocol (FTP) settings on its web servers, which allowed anonymous access to patient records via Google's search engine; failed to change default settings and properly configure network devices; and was negligent in its processes with regards to maintaining security patches, checking for unauthorized access, etc. These issues of oversight lead into the second basis for Columbia's counter-suit, which is discussed below.
The Misrepresentation Defense
In its original policy with Columbia, Cottage signed off on its acceptance of a condition that accepted all representations, supporting documents, and other materials submitted with the application as true. If Columbia found any omissions or misrepresentations stated in the submitted application or in any other documents at any time thereafter, it would be empowered to render Cottage's policy null and void. The plaintiff is now using this condition, particularly the plaintiff's negligence with regards to changing default settings, ensuring that security systems were properly configured, and maintaining other data breach protection protocols, as a basis to challenge its responsibility in funding Cottage's settlement to the class-action lawsuit.
Policyholder attorney Stephen T. Raptis, a partner with law firm Manatt, Phelps & Phillips L.L.P. in Washington who is not involved in the case, notes the exclusion in Cottage Health System's policy is common in data breach insurance polices and explains it is “one that's troubled me for a long time” because it is “completely open-ended” and overly broad, as well as subjective.
“An insurer could argue they apply to almost any data breach depending on how they're drafted,” said Mr. Raptis.
More to the point, however, the exclusions seems to point to the immaturity of the data breach insurance market and, as Dennis Cusack terms it in a blog post for Farella, Braun + Martell, LLP, "reflects insurers’ lack of confidence in their ability to underwrite cyber risks, motivating them to try to shift that very risk back onto their insured." Data breach protection insurance is more important than ever given today's evolving threat landscape. As this particular market continues to mature, hopefully insurers will begin to rethink including provisions such as the Mistake Exclusion into customers' policies. Until this happens, there is no harm in policyholders trying to negotiate with their insurers for the removal of these exclusions in the meantime.