Insurer cites cyber policy exclusion to dispute data breach settlement

A CNA Financial Corp. unit is seeking a judicial ruling that it is not obligated to pay a $4.1 million settlement under an exclusion in a hospital system's cyber policy because the system failed to meet the “minimum required practices” it said it followed in its insurance application.

Santa Barbara, California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, suffered a data breach involving about 32,500 confidential medical records between Oct. 8, 2013, and Dec. 2, 2013, according to the complaint filed in U.S. District Court in Los Angeles last week in Columbia Casualty Co. v. Cottage Health System.

The breach allegedly occurred because Cottage and/or its third-party vendor stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information, according to the insurer's complaint.

A class action lawsuit was filed against the system in January 2014, and a $4.1 million settlement received preliminary court approval in December 2014, according to the complaint.

Columbia Casualty, a unit of Chicago-based CNA, which had issued a NetProtect360 claims-made policy to Cottage that was in effect from Oct. 1, 2013, to Oct. 1, 2014, agreed to fund the settlement, subject to a complete reservation of rights.

It then filed the complaint, seeking a declaration that it was not obligated to provide Cottage with a defense or indemnification in the matter.

The Columbia policy provided coverage for privacy injury claims and privacy regulation proceedings, with limits of $10 million per claim and in the aggregate, subject to a $100,000 deductible, according to the complaint.

The complaint states Columbia is not obligated to fund the settlement because of an exclusion in the policy that precludes coverage for “failure to follow minimum required practices.”

Cottage's Internet servers “permitted anonymous user access, thereby allowing electronic personal information to become available to the public via Google's Internet search engine,” says the complaint.

The hospital system failed to “continuously implement the procedures and risk controls identified” in its insurance application, it states. The data breach was caused by its “failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure among other things.”

As a result, CNA is entitled to reimbursement of defense and settlement payments in the case, says the complaint.

The health system said in a statement, “We were recently served with this lawsuit and are reviewing it with counsel. Based on our preliminary review, we do not believe the suit has merit.” A CNA spokesman could not immediately be reached for comment.

Review cyber policies

Policyholder attorney Stephen T. Raptis, a partner with law firm Manatt, Phelps & Phillips L.L.P. in Washington who is not involved in the case, said the exclusion in Cottage Health System's policy is common in cyber policies and “one that's troubled me for a long time” because it is “completely open-ended” and overly broad, as well as subjective.

“An insurer could argue they apply to almost any data breach depending on how they're drafted,” said Mr. Raptis, who recommended policyholders negotiate this exclusion with their insurers.

Earlier this week, in one of the first coverage rulings involving a cyber insurance policy, a federal court ruled that a Travelers Cos. Inc. unit is not obligated to defend a policyholder.