As a result of the almost daily reports of cyber-attacks and hacking of highly sensitive information, more companies are managing these risks through cyber-security insurance. However, there is a hidden danger that may void the insurance policy in its entirety if the policyholder makes a misstatement or omission in its application for coverage.
There is no standardized cyber-security policy, and terms and conditions vary widely. Typically, a prospective insured is required to submit an application for coverage to be reviewed by the insurer’s underwriters. Similar to the policy forms themselves, the applications for coverage vary significantly. If there is a misstatement or omission (even a negligent misstatement or omission) in the application or other materials submitted in connection with obtaining coverage, the insurer may attempt to rescind the entire policy.
The very real risk of rescission due to a misstatement or omission in the application is demonstrated by a recent lawsuit involving a cyber-security policy (called “NetProtect360”) issued by Columbia Casualty Co. (CNA) to Cottage Health System. Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432 (C.D. Cal. 2015). The policy at issue broadly defines “application” and contains an express representation that the application and any other materials submitted are true and accurate and incorporated into the policy. It also contains an express provision that the policy shall be “null and void” if the application contained any misrepresentation or omission that, among other things, materially affects acceptance of the risk or hazard assumed by the insurer. Finally, the policy contains a “Failure to Follow Minimum Required Practices Exclusion,” which excludes “[a]ny failure of an insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing ….” This exclusion fundamentally undercuts one of the reasons for buying this type of insurance in the first place.
In connection with its application for coverage, Cottage completed and submitted a “Risk Control Self-Assessment” in which it answered a series of yes/no questions, including a series of questions relating to implementation of security patches, replacement of factory default settings, periodic reassessment of exposure to information security and privacy threats, systems to detect unauthorized access or attempts to access sensitive information, and control and tracking procedures to ensure that changes to the network remain secure.
After the policy was issued, a class action was commenced against Cottage for the release of electronic private healthcare patient information for approximately 32,500 of the hospitals’ patients in violation of California’s Confidentiality of Medical Information Act. The class action complaint alleged that the breach occurred because Cottage or its third-party vendor stored medical records on a system that was fully accessible to the internet, but failed to install encryption or take other security measures to protect the patient information. In addition to the class action, the California Department of Justice opened an investigation for potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
Columbia initially accepted the claim under a reservation of rights and agreed to fund the $4.125 million settlement of the class action. Then, Columbia turned around and sued Cottage, seeking a determination that it had no duty to defend or indemnify the policyholder for any claims arising out of the data breach (either the class action or the HIPAA investigation) and reimbursement of the funds it paid on the policyholder’s behalf, including defense costs. The gist of Columbia’s complaint is that the claims are barred because Cottage’s application for coverage contained misrepresentations or omissions regarding its data breach risk controls that were made negligently or with intent to deceive. In particular, Columbia contends that Cottage made a number of misrepresentations in the Risk Control Self-Assessment. In addition, Columbia alleges that the claims are barred by the Failure to Follow Minimum Required Practices Exclusion. The case is currently in alternative dispute resolution, so there may never be a reported resolution of the coverage issue. Nevertheless, a number of lessons emerge from this case:
While cyber-security insurance can be an important protection against cyber threats, policyholders need to be careful in determining which cyber coverage is right for their particular exposures, and to understand what the policy does and does not cover. And, as the Cottage case demonstrates, policyholders need to be vigilant to the hidden perils in the policies themselves.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a full-service firm with nearly 180 attorneys and offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.