13 July 2015

Are You Covered? Security Requirements in Cyberinsurance Policies

Large scale data breaches have garnered much media attention in the wake of cyberattacks on Target and Anthem. Large retailers have disclosed that their payment card data privacy incidents cost them nine figures net of insurance. But as this article will show, even relatively small incidents can cost insureds millions.

No company is safe from cyberattacks, as recent studies show. Symantec reported that 40 percent of nearly 1.4 billion known global cyberattacks were directed at companies with fewer than 500 employees. Another report by the U.S. House Small Business Subcommittee on Health and Technology found that nearly 20 percent of all cyberattacks hit small businesses with 250 or fewer employees. Even more troublesome, roughly 60 percent of small businesses closed within six months of a cyberattack.

With the exposure resulting from such breaches being potentially catastrophic, it is not surprising that insurers continue to challenge whether insurance policies provide coverage for lawsuits related to data breaches and data privacy incidents. This trend will likely continue.

Recently, Columbia Casualty Insurance Co. sued hospital operator Cottage Health System in California federal court, seeking a declaratory judgment that it had no obligation to defend or indemnify Cottage Health for a $4.13 million class action settlement or a regulatory investigation tied to a data breach that exposed patients’ confidential information. In support of its position, the insurer alleged that coverage was excluded under the policy due to Cottage Health’s lax security practices.

In so doing, Columbia Casualty invoked an exclusion in Cottage Health’s cyberinsurance policy for “failure to follow minimum required practices,” claiming that Cottage Health failed to “continuously implement” the security procedures and controls identified in the insurance application.

Cyberinsurance policies typically include broad exclusions to coverage that can be extremely problematic, placing impractical compliance burdens upon insureds. The exclusion found in Cottage Health’s policy may act to eviscerate coverage if the Court accepts Columbia Casualty’s interpretation of the “security requirements” exclusion. Even if the Court rejects Columbia Casualty’s arguments, Cottage Health System will be required to expend significant time and money attempting to force its insurer to provide coverage for the data breach.

These exclusions to coverage are the ultimate escape hatch for insurers and underscore the importance of being aware of the fine print in policies. Insureds can be expected to make mistakes in the administration and implementation of their cybersecurity programs. It is these mistakes that most insureds believe they are insuring against: if security standards were upheld and privacy was not compromised, there would be no claim or resulting liability. However, exclusions like the one relied upon by Columbia Casualty potentially operate to exclude the very coverage insureds believe they are purchasing.

Disputes over security requirements will likely continue to arise in cyberinsurance coverage litigation. The recent Columbia Casualty lawsuit underscores the importance of fully considering and negotiating the coverage provided under a cyberinsurance policy during policy underwriting to avoid future disputes regarding coverage provided for data breaches.

Miller Johnson attorneys in the Policyholder Insurance Counseling and Recovery group are available to counsel you on and negotiate these policies for you, so that you have the best coverage for your business operations.