Cyber insurance claims disputes start heading to courtReprints
Insurers are fighting having to pay for the settlement of a data breach suit or providing a defense for allegedly mishandled data in early challenges to relatively new cyber coverage, but they also raise a longtime issue: the need to negotiate the terms of an insurance contract.
“We're right back to the fundamentals of coverage analysis,” said Todd M. Rowe, an insurer defense attorney and a partner at law firm Tressler L.L.P. in Chicago.
Experts say the same is true of a third case, a Connecticut Supreme Court decision involving commercial general liability and umbrella liability policies (see related story).
The litigation that has garnered the lion's share of the attention involves Chicago-based CNA Financial Corp., which is seeking a ruling that it is not obligated to pay a $4.1 million settlement in Columbia Casualty Co. v. Cottage Health System.
Citing an exclusion in the Santa Barbara, California-based hospital system's policy that precludes coverage for “failure to follow minimum required practices,” CNA filed suit May 7 in Los Angeles federal court seeking to void its obligation.
Cottage Health suffered a data breach involving some 32,500 confidential medical records in 2013. A $4.1 million settlement of a resulting class-action suit received preliminary court approval last December.
In Salt Lake City, a federal judge ruled May 11 in Travelers Property Casualty Co. of America et al. v. Federal Recovery Services Inc. et al. that a Travelers unit is not obligated to defend the data management firm in litigation involving a dispute over the transfer of a client's data. The dispute was about payment to transfer the data and was not due to an error, omission or negligence, the court ruled.
“It's not surprising to see cases beginning to be filed under cyber policies, given their increasing adoption across various industries,” said Russell P. Cohen, a partner at Orrick, Herrington & Sutcliffe L.L.P. in San Francisco. Marsh USA estimates the cyber market totaled about $2 billion in gross written premium in 2014.
“We're finally starting to see some interpretation of cyber policies. That's good that we're able to get that road map down for people,” said Mr. Rowe.
Policyholder attorney Stephen T. Raptis, a partner at Manatt, Phelps & Philips L.L.P. in Washington who is not involved in the case, said the exclusion in Cottage Health's cyber policy is common and “one that's troubled me for a long time” because it is “completely open-ended,” overly broad and subjective.
“This case highlights the importance of negotiating over the terms of your cyber policy to eliminate these kinds of broad exclusions,” Mr. Cohen said. “Broad exclusions like this allow insurers to turn the tables on their insureds, making it all about the insured's conduct, not the criminal who broke into their system. It defeats the very purpose of the insurance.”
Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh, said a key factor was Cottage Health's allegedly inaccurate responses to a risk control self-assessment that was part of the insurance application. CNA alleges that Cottage Health failed to “continuously implement the procedures and risk controls identified in its application.”
This highlights the need to “have a very cohesive, team approach” including the information technology department, outside counsel and a broker partner to submit cyber insurance applications, she said. “What you're trying to do is eliminate a situation where someone checks the wrong box inadvertently,” which can lead to a coverage battle after a loss, said Michael P. Hindelang, a partner at Honigman Miller Schwartz & Cohn L.L.P. in Detroit.
Honestly filling out an application prevents a company from being “tripped up” by a question that an insurer later uses to deny coverage, said Ms. Anderson. At the same time, “I've never had a client denied coverage based on answers in an application.”
While the Travelers ruling involves a cyber policy, it is basically an errors and omissions case based on a technology E&O liability form within its CyberFirst policy.
Policy language reigns
Linda D. Kornfeld, a partner at Kasowitz Benson Torres & Freidman L.L.P. in Los Angeles, said the case addresses a “contractual obligation to provide data information, but not a data breach” so it should not apply when a company is seeking coverage under a cyber policy “for an actual data breach event.”
Observers say that despite the relative newness of cyber insurance — appearing around 1998, according to Marsh USA — established insurance principles still apply, as these cases illustrate.
“At the end of the day, cyber insurance is still insurance,” said Robert Parisi, New York-based Marsh USA's national cyber product leader. Though it is a particularly complex form of insurance and relatively new, buyers should expect that when there is a loss or a claim “that the carrier will look at the policy language, they will look at the application and they're going to apply the terms and conditions” of the policy.
“I think people lose sight of that” and think cyber is different, Mr. Parisi said.
Still, he said, “the one defining feature of cyber insurers” is their flexibility and willingness to listen. “They're pretty good” about responding and “meeting us halfway.”