[BreachExchange] Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 17 16:25:00 EDT 2016


http://www.natlawreview.com/article/cyber-insurer-seeks-to-void-data-breach-coverage-because-purported-misstatements

Cyber insurers commonly require insureds to complete detailed applications,
often including extensive technical disclosure and risk self-assessments.
The complaint recently filed by the insurer in Columbia Casualty Co. v.
Cottage Health System illustrates the pitfalls in these requirements.

Cottage Health, an operator of a hospital network, suffered a data breach
in 2013 resulting in thousands of its patients’ private medical information
being publicly disclosed. In addition to other losses, Cottage Health paid
$4.125 million to settle a putative class action in 2014 and faces
additional proceedings arising from the breach. Columbia’s lawsuit denies
all coverage for the breach and seeks to rescind its policy due to the
insured’s alleged failure to comply with the cybersecurity practices
described in its application.

In its complaint Columbia contends, first, that the “Failure to Follow
Minimum Required Practices” exclusion in its cyber policy—applying to
losses from, among other things, the Insured’s failure “to continuously
implement the procedures and risk controls identified in the Insured’s
application”—precludes coverage for Cottage Health’s losses.

Columbia further contends that it has a right to void its policy altogether
due to alleged misstatements in the “Risk Control Self Assessment” that
Cottage Health completed as part of its cyber insurance application. For
example, Columbia alleges that Cottage Health misrepresented:

- “that it replaced factory default settings to ensure that its information
security systems were securely configured”;

- “that it regularly checked and maintained security patches on its
systems”; and

- “the degree of due diligence Cottage exercised with respect to [its
information security management vendor’s] safeguards.”

Relying on its broadly worded “Application” condition and “Minimum Required
Practices” warranty, Columbia asserts that even if Cottage Health did not
intend to deceive, a negligent misrepresentation or omission of material
fact is enough under these clauses for Columbia to deem its cyber policy
“null and void.”

One lesson for policyholders from the Cottage Health lawsuit is that the
cyber insurance application process and its relation to policy conditions
and exclusions must be managed with care, not only to avoid potential
misstatements and omissions, but also to close off potential opportunities
for the insurer to engage in “post-loss underwriting”; that is, after
receiving notice of a loss, to search for inaccurate application
responses—even those innocently made, and even those unrelated to the
loss—to support a denial of coverage. Both risk managers and IT personnel,
with the assistance of cybersecurity experts if necessary, must actively
engage in preparing the responses to cyber insurance application
questionnaires and risk self-assessments.

In addition, any new cyber policy wording requires expert legal scrutiny
before purchase, because these specialty insurance products can contain
gaps or hidden traps. For example, Cottage Health might have averted its
dispute with Columbia if the policy’s potentially onerous “Failure to
Follow Minimum Required Practices” exclusion had been modified or deleted.
Similarly, the policy’s strict “Application” and “Minimum Required
Practices” clauses might have been moderated—for example, by limiting the
right of rescission to cases of intentional misrepresentation of material
facts.