The "Mistake Exclusion": No Room for NegligenceMuch of the focus of Columbia v. Cottage rests with a provision known as the "Mistake Exclusion," which precludes coverage in the event that the insured fails to maintain adequate data security safeguards. For example, as cited by JD Supra, LLC, an AIG form from 2006 denied coverage in the event a client failed "to take reasonable steps to use, design, maintain, and upgrade your security." Similarly, a 2009 Darwin form precluded coverage for the insured if they failed "to continuously implement the procedures and risk controls identified in the Application for this insurance." These sample policies enable insurers to deny an insured's claim for data breach protection whenever any sort of negligence on the latter's part is readily apparent or inferred. Under this provision, most claims except those in which it can be proved that a gifted hacker succeeded in outsmarting the most robust security system could therefore be dismissed. In the case of Columbia v. Cottage, the plaintiff alleges that the defendant neglected to change its File Transfer Protocol (FTP) settings on its web servers, which allowed anonymous access to patient records via Google's search engine; failed to change default settings and properly configure network devices; and was negligent in its processes with regards to maintaining security patches, checking for unauthorized access, etc. These issues of oversight lead into the second basis for Columbia's counter-suit, which is discussed below.
The Misrepresentation Defense

In its original policy with Columbia, Cottage signed off on its acceptance of a condition that accepted all representations, supporting documents, and other materials submitted with the application as true. If Columbia found any omissions or misrepresentations stated in the submitted application or in any other documents at any time thereafter, it would be empowered to render Cottage's policy null and void. The plaintiff is now using this condition, particularly the defendant's negligence with regard to changing default settings, ensuring that security systems were properly configured, and maintaining other data breach protection protocols, as a basis to challenge its responsibility for funding Cottage's settlement of the class-action lawsuit.
Conclusion

Policyholder attorney Stephen T. Raptis, a partner with law firm Manatt, Phelps & Phillips L.L.P. in Washington who is not involved in the case, notes that the exclusion in Cottage Health System's policy is common in data breach insurance policies and explains it is “one that's troubled me for a long time” because it is “completely open-ended” and overly broad, as well as subjective.
“An insurer could argue they apply to almost any data breach depending on how they're drafted,” said Mr. Raptis.

More to the point, however, the exclusions seem to point to the immaturity of the data breach insurance market and, as Dennis Cusack terms it in a blog post for Farella, Braun + Martell, LLP, "reflects insurers’ lack of confidence in their ability to underwrite cyber risks, motivating them to try to shift that very risk back onto their insured." Data breach protection insurance is more important than ever given today's evolving threat landscape. As this particular market continues to mature, hopefully insurers will begin to rethink including provisions such as the Mistake Exclusion in customers' policies. Until this happens, there is no harm in policyholders trying to negotiate with their insurers for the removal of these exclusions.